diff --git a/src/daemon/lib/acl/index.ts b/src/daemon/lib/acl/index.ts
index 2e3559a..f621c98 100644
--- a/src/daemon/lib/acl/index.ts
+++ b/src/daemon/lib/acl/index.ts
@@ -1,4 +1,4 @@
-import { NDKEvent, NostrEvent } from '@nostr-dev-kit/ndk';
+import { NDKEvent, NostrEvent, NIP46Method } from '@nostr-dev-kit/ndk';
 import prisma from '../../../db.js';
 /**
@@ -114,7 +114,26 @@ export async function checkIfPubkeyAllowed(
 return undefined;
 }
-export type IMethod = "connect" | "sign_event" | "encrypt" | "decrypt" | "ping";
+/**
+ * Sign-time auth method names follow the NIP-46 wire convention as
+ * NDK 3.x's `NDKNip46Backend` passes them through to `pubkeyAllowed`
+ * verbatim (it stopped normalizing `nip04_encrypt`/`nip04_decrypt`
+ * to `encrypt`/`decrypt` somewhere between 2.8.1 and current
+ * upstream).
+ *
+ * lnbits's `_ensure_policy` writes `PolicyRule.method` using the same
+ * wire-name vocabulary (`nip04_encrypt`, `nip04_decrypt`,
+ * `nip44_encrypt`, `nip44_decrypt`, `sign_event`, `get_public_key`,
+ * `connect`, `ping`). With the wire-name vocabulary on both sides,
+ * the post-#11 live-policy join (step 4 of `checkIfPubkeyAllowed`)
+ * naturally matches lnbits's stored rules — no `encrypt → nip04_encrypt`
+ * adapter layer needed.
+ *
+ * Source the type from NDK itself so it can't drift across future
+ * NDK bumps; if NDK adds a new method (e.g. `nip60_*`) we pick it up
+ * for free.
+ */
+export type IMethod = NIP46Method;
 export type IAllowScope = {
 kind?: number | 'all';
diff --git a/src/daemon/run.ts b/src/daemon/run.ts
index f664712..9497677 100644
--- a/src/daemon/run.ts
+++ b/src/daemon/run.ts
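Review bot: Aliasing `IMethod` to `NIP46Method` widens the ACL's method vocabulary from five reviewed literals to whatever the installed NDK exports, and the doc comment presents that as a benefit ("we pick it up for free"); for an authorization check, a newly added wire method should reach a deliberate decision rather than arrive with a dependency bump. The alias is also erased at compile time, so the `method` string a remote peer sends is never checked against it at runtime. `checkIfPubkeyAllowed` (body outside this hunk, ending in `return undefined;`) should treat a method with no stored rule as not allowed, and the comment should say so, e.g. `* Type-only: unknown or newly added methods must match no rule and are never auto-approved.` Separately, any rule persisted under the old names `encrypt`/`decrypt` will presumably stop matching once callers pass `nip04_encrypt`/`nip04_decrypt`; if such rows can exist, add a one-off migration or note explicitly that they are now dead.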
@@ -1,10 +1,7 @@
 import NDK, { NDKPrivateKeySigner, Nip46PermitCallback, Nip46PermitCallbackParams } from '@nostr-dev-kit/ndk';
 import { nip19, utils as nostrUtils } from 'nostr-tools';
 import { Backend } from './backend/index.js';
-import {
- IMethod,
- checkIfPubkeyAllowed,
-} from './lib/acl/index.js';
+import { checkIfPubkeyAllowed } from './lib/acl/index.js';
 import AdminInterface from './admin/index.js';
 import { IConfig } from '../config/index.js';
 import { NDKRpcRequest } from '@nostr-dev-kit/ndk';
@@ -107,7 +104,7 @@ function signingAuthorizationCallback(keyName: string, adminInterface: AdminInte
 }
 try {
- const keyAllowed = await checkIfPubkeyAllowed(keyName, remotePubkey, method as IMethod, payload);
+ const keyAllowed = await checkIfPubkeyAllowed(keyName, remotePubkey, method, payload);
 if (keyAllowed === true || keyAllowed === false) {
 console.log(`🔎 ${nip19.npubEncode(remotePubkey)} is ${keyAllowed ? 'allowed' : 'denied'} to ${method} with key ${keyName}`);