NIP-05 Profile Verification: Complete Guide

How to verify your Nostr profile with NIP-05 - DNS-based verification, setup guide, providers, and why verification matters for trust and discoverability.

Updated: 19 January 2025 By Nostr.co.uk

Introduction

On traditional social media, “verified checkmarks” are gatekept by platforms. On Nostr, you verify yourself using NIP-05—a DNS-based system that links your identity to a domain you control.

This guide explains what NIP-05 verification is, why it matters, how to set it up, and the different options available.

What is NIP-05?

The Simple Explanation

NIP-05 lets you associate your Nostr public key (npub) with a human-readable internet identifier that looks like an email address.

Example:

  • Your npub: npub180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl
  • Your NIP-05: alice@example.com

Purpose:

  1. Human-readable identifier: Easier to remember and share
  2. Verification: Proves you control the domain
  3. Discoverability: Others can find you by your identifier
  4. Trust signal: Shows you’ve verified your identity

Visual Indicator: Most clients show a checkmark ✓ next to verified identities.

How It Works (Technical Overview)

Step 1: You add a NIP-05 identifier to your Nostr profile (the kind 0 metadata event):

{
  "kind": 0,
  "content": "{\"nip05\": \"alice@example.com\"}"
}

Step 2: You serve a JSON file from example.com at a well-known path, which clients request as:

https://example.com/.well-known/nostr.json?name=alice

Step 3: The JSON file contains your public key:

{
  "names": {
    "alice": "your_hex_pubkey_here"
  }
}

Step 4: Clients verify by:

  1. Reading alice@example.com from your profile
  2. Fetching https://example.com/.well-known/nostr.json?name=alice
  3. Checking whether the key listed for alice in that file matches the public key that published the profile
  4. If match: Verified ✓
  5. If no match: Not verified

This proves you control the domain (or have permission from the domain owner).
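
The four steps above as client-side JavaScript (an added example, not code from the original guide or from any Nostr client). The function names and the constructed SAMPLE_DOC are assumptions of this sketch; the character restriction on the name and the refusal to follow redirects come from the NIP-05 specification.

```javascript
// Added example, not from the original guide. Function names are illustrative.
const LOCAL_PART = /^[a-z0-9\-_.]+$/;           // characters NIP-05 allows before "@"
const HOSTNAME = /^([a-z0-9-]+\.)+[a-z0-9-]+$/; // plain hostname: no port, path or userinfo
const HEX_PUBKEY = /^[0-9a-f]{64}$/;            // 32-byte key in lowercase hex, never npub

// Constructed sample of what https://example.com/.well-known/nostr.json would return.
const SAMPLE_DOC = {
  names: { alice: "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d" },
};

// Steps 4.1-4.2: turn "alice@example.com" into the URL to fetch, or null if malformed.
function nip05Target(identifier) {
  const parts = String(identifier).trim().toLowerCase().split("@");
  if (parts.length !== 2) return null;
  const [name, domain] = parts;
  if (!LOCAL_PART.test(name) || !HOSTNAME.test(domain)) return null;
  return { name, url: `https://${domain}/.well-known/nostr.json?name=${name}` };
}

// Steps 4.3-4.5: compare the served document with the key that signed the profile.
function checkDocument(doc, name, profilePubkey) {
  if (!HEX_PUBKEY.test(profilePubkey)) return "bad-profile-pubkey";
  const names = doc && typeof doc === "object" ? doc.names : null;
  if (!names || typeof names !== "object") return "no-names-object";
  // Own-property lookup so names like "constructor" cannot match by accident.
  if (!Object.prototype.hasOwnProperty.call(names, name)) return "name-not-listed";
  return names[name] === profilePubkey ? "verified" : "pubkey-mismatch";
}

// Network step. NIP-05 fetchers must not follow redirects, hence redirect: "error".
async function verifyNip05(identifier, profilePubkey) {
  const target = nip05Target(identifier);
  if (!target) return "bad-identifier";
  try {
    const res = await fetch(target.url, { redirect: "error" });
    if (!res.ok) return "http-" + res.status;
    return checkDocument(await res.json(), target.name, profilePubkey);
  } catch (err) {
    return "fetch-failed"; // DNS/TLS error, blocked redirect, CORS block or invalid JSON
  }
}
```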

Why NIP-05 Verification Matters

1. Trust and Authenticity

Problem: Anyone can claim to be anyone on Nostr.

Example:

  • Real Jack Dorsey: jack@cash.app (verified)
  • Impersonator: Just a random npub claiming to be Jack

Verification Helps:

  • Real person controls the domain
  • Harder to impersonate (can’t fake domain control)
  • Users can check domain legitimacy

Not Perfect (more below), but significantly better than unverified.

2. Human-Readable Identifiers

Problem: npub keys are impossible to remember.

npub180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl

NIP-05 Provides:

alice@example.com

Much easier to:

  • Share verbally (“I’m alice at example dot com”)
  • Remember
  • Type
  • Share on business cards

3. Discoverability

Current Limitation: Finding people on Nostr requires knowing their npub.

With NIP-05:

  • Search by identifier (alice@example.com)
  • Clients can look up the domain
  • Find public key automatically

Some clients support NIP-05 search (growing feature).

4. Branding and Professionalism

For Individuals:

  • yourname@yourwebsite.com looks professional
  • Links your web identity to Nostr identity
  • Cohesive online presence

For Businesses:

  • support@company.com (official business account)
  • ceo@company.com (verified executive)
  • Consistent branding

For Communities:

  • alice@bitcoiners.com (community membership signal)
  • bob@uknostr.com (UK Nostr community)

5. Relay Hints (Advanced)

NIP-05 JSON can include relay hints:

{
  "names": {
    "alice": "pubkey_hex"
  },
  "relays": {
    "pubkey_hex": ["wss://relay1.com", "wss://relay2.com"]
  }
}

Benefit: Clients know where to find your events, improving discoverability.

Setting Up NIP-05 Verification

Prerequisites

You need one of the following:

Option 1: Your own domain

  • You own example.com
  • You can create files on the server
  • You can serve /.well-known/nostr.json

Option 2: Use a NIP-05 provider

  • Service provides subdomains or usernames
  • They host the JSON file
  • You don’t need your own website

Method 1: Self-Hosted (Own Domain)

Best for: People with their own website, maximum control.

Steps:

1. Get Your Hex Public Key

Most clients show both formats. You need the hex (not npub):

npub: npub180cvv83m27afv2pzhd97pl3aw5lu729x0cmnj7zv0edxcnjle67q23pczl
hex: 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d

Or convert: Use nostr.band/tools (npub → hex)

2. Create JSON File

Create a file at:

https://yourwebsite.com/.well-known/nostr.json

Content:

{
  "names": {
    "yourname": "your_hex_pubkey_here"
  }
}

Example (https://example.com/.well-known/nostr.json):

{
  "names": {
    "alice": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
  }
}

3. Configure Server

Enable CORS (Cross-Origin Resource Sharing):

For Apache (.htaccess):

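<IfModule mod_headers.c>
  # Send the wildcard CORS header for nostr.json only, not for every file
  <Files "nostr.json">
    Header set Access-Control-Allow-Origin "*"
  </Files>
</IfModule>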

For Nginx:

location /.well-known/nostr.json {
  add_header Access-Control-Allow-Origin *;
}

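Why: Web clients fetch this file with JavaScript running in the browser, and the browser discards the cross-origin response unless the server sends this CORS header.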

4. Test the File

Visit in browser:

https://yourwebsite.com/.well-known/nostr.json?name=yourname

Should return your JSON (with your pubkey).

5. Update Your Nostr Profile

In your Nostr client:

  • Edit profile
  • NIP-05 field: yourname@yourwebsite.com
  • Save

6. Wait for Verification

  • Clients check periodically (varies by client)
  • Should see checkmark ✓ within a few minutes
  • Some clients force refresh (check settings)

Done! You’re verified.
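
Steps 1 and 2 can be done offline. The added example below (not part of the original guide) decodes an npub with its bech32 checksum, so a mistyped key is rejected rather than published, and builds the file body for step 2; the function names are illustrative.

```javascript
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"; // bech32 alphabet (added example)
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
const HRP = [3, 3, 3, 3, 0, 14, 16, 21, 2]; // the "npub" prefix, expanded for the checksum

function polymod(values) { // bech32 checksum over 5-bit values
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >>> i) & 1) chk ^= GEN[i];
  }
  return chk;
}

function regroup(data, from, to, pad) { // 8->5 bits when encoding, 5->8 when decoding
  let acc = 0, bits = 0;
  const out = [], mask = (1 << to) - 1;
  for (const v of data) {
    acc = ((acc << from) | v) & 0xfff;
    bits += from;
    while (bits >= to) { bits -= to; out.push((acc >> bits) & mask); }
  }
  if (pad && bits) out.push((acc << (to - bits)) & mask);
  if (!pad && (acc & ((1 << bits) - 1))) throw new Error("non-zero padding bits");
  return out;
}

function npubToHex(npub) { // step 1: npub -> hex, rejecting typos via the checksum
  const s = npub.trim().toLowerCase();
  const data = [...s.slice(5)].map((c) => CHARSET.indexOf(c));
  if (!s.startsWith("npub1") || data.includes(-1)) throw new Error("not an npub");
  if (polymod(HRP.concat(data)) !== 1) throw new Error("bad checksum, check for typos");
  const bytes = regroup(data.slice(0, -6), 5, 8, false);
  if (bytes.length !== 32) throw new Error("key is not 32 bytes");
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

function hexToNpub(hex) { // reverse direction, to confirm the hex really is your key
  if (!/^[0-9a-f]{64}$/.test(hex)) throw new Error("need 64 lowercase hex characters");
  const data = regroup(hex.match(/../g).map((h) => parseInt(h, 16)), 8, 5, true);
  const chk = polymod(HRP.concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  for (let i = 5; i >= 0; i--) data.push((chk >> (5 * i)) & 31);
  return "npub1" + data.map((v) => CHARSET[v]).join("");
}

function nostrJson(name, npub) { // step 2: body of /.well-known/nostr.json
  if (!/^[a-z0-9\-_.]+$/.test(name)) throw new Error("name may use a-z 0-9 - _ . only");
  return JSON.stringify({ names: { [name]: npubToHex(npub) } }, null, 2);
}
```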

Method 2: Use a NIP-05 Provider

Best for: People without a website, ease of use.

How It Works:

  • Provider hosts the nostr.json file
  • You register a username
  • They link your pubkey to their domain
  • You get username@provider.com

Popular Providers:

Free Providers:

  1. nostrplebs.com (Popular, free tier)

    • Format: username@nostrplebs.com
    • Free basic verification
    • Paid options for custom features
  2. iris.to (Iris client integrated)

    • Format: username@iris.to
    • Free
    • Tied to Iris client
  3. nostr.directory

    • Format: username@nostr.directory
    • Directory listing + verification

Paid Providers (Custom Domains/Features):

  1. nostrplebs.com (Paid tiers)

    • Custom subdomains
    • Additional features
    • ~$5-20/month
  2. nostr.com (Premium)

    • Short usernames
    • username@nostr.com
    • Limited availability
  3. Community providers

    • Various communities offer verification
    • E.g., username@uknostr.com (hypothetical)
    • Often free for community members

Setup Process (General):

  1. Visit provider website
  2. Register username
  3. Enter your npub (or hex pubkey)
  4. Provider creates JSON file linking username to pubkey
  5. Update your Nostr profile with username@provider.com
  6. Clients verify

Pros:

  • ✅ Easy (no technical setup)
  • ✅ Fast (5 minutes)
  • ✅ No website required

Cons:

  • ❌ Less control (provider hosts file)
  • ❌ Provider could shut down
  • ❌ Not “your” domain (less personal branding)

Method 3: Subdomain on Your Domain

Best for: People with a domain but no website who want custom branding.

Example: alice@nostr.yourwebsite.com

Setup:

  1. Create subdomain: nostr.yourwebsite.com
  2. Host /.well-known/nostr.json on subdomain
  3. NIP-05: alice@nostr.yourwebsite.com

Or: Use a provider that supports custom domains

  • Point subdomain to their server
  • They host JSON file
  • You get custom branding

Services Supporting Custom Domains:

  • Some NIP-05 providers offer this (check documentation)

Multiple Names (Advanced)

One domain can verify multiple people.

JSON File:

{
  "names": {
    "alice": "alice_hex_pubkey",
    "bob": "bob_hex_pubkey",
    "support": "support_hex_pubkey"
  }
}

Identifiers:

  • alice@example.com
  • bob@example.com
  • support@example.com

Use Cases:

  • Team/company accounts
  • Family domain
  • Community domain

Each person updates their profile with their specific identifier.

Security and Trust Model

What NIP-05 Proves

It Proves:

  • ✅ You control the domain (or have permission)
  • ✅ The domain owner verified this pubkey
  • ✅ Link between domain identity and Nostr identity

It Does NOT Prove:

  • ❌ Real-world identity (domain could be fake)
  • ❌ Good intentions (scammers can verify)
  • ❌ Account security (private key could be compromised)

Trust Depends on Domain Trust

High-Trust Domains:

  • jack@cash.app → Cash App is a known company
  • fiatjaf@fiatjaf.com → fiatjaf’s personal website
  • bbc@bbc.co.uk → Official BBC domain

Low-Trust Domains:

  • jack@random-domain123.com → Unknown domain
  • bbc@bbc-news-official.xyz → Suspicious domain (not .co.uk)

Your job as a user: Verify the domain itself is legitimate.

Attack: Lookalike Domains

Threat: Scammer registers lookalike domain.

Example:

  • Real: alice@example.com
  • Fake: alice@examp1e.com (1 instead of l)

Defense:

  • Check domain spelling carefully
  • Be aware of phishing domains
  • Hover over links (check actual domain)

NIP-05 doesn’t prevent this (it’s a domain trust issue, not a protocol issue).
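
A client or moderation tool can automate part of this check. The added example below (not from the original guide) compares an identifier's domain with a list of domains you already trust; the TRUSTED list and the small CONFUSABLES table are constructed assumptions, not a complete homoglyph database.

```javascript
// Added example: flag NIP-05 domains that imitate a domain you already trust.
const TRUSTED = ["example.com", "cash.app"]; // constructed allow-list for illustration
// Small hand-picked table of ASCII look-alikes (an assumption, not Unicode's full list).
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["i", "l"], ["5", "s"]];

// Fold look-alike characters so "examp1e.com" and "example.com" compare equal.
function skeleton(domain) {
  let s = domain.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Classic Levenshtein distance, computed one row at a time.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Returns null when nothing looks wrong, otherwise what the domain imitates and why.
function lookalikeOf(identifier, trustedDomains) {
  const domain = identifier.toLowerCase().split("@").pop();
  if (trustedDomains.includes(domain)) return null; // exact match is the real domain
  for (const t of trustedDomains) {
    if (skeleton(domain) === skeleton(t)) return { imitates: t, reason: "confusable-characters" };
    if (editDistance(domain, t) === 1) return { imitates: t, reason: "one-character-typo" };
  }
  // Punycode labels can hide non-ASCII look-alikes: surface them for manual review.
  if (domain.split(".").some((label) => label.startsWith("xn--"))) {
    return { imitates: null, reason: "punycode-label" };
  }
  return null;
}
```

These heuristics catch examp1e.com but not a domain such as bbc-news-official.xyz, which still needs human judgment.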

Attack: Compromised Provider

Threat: NIP-05 provider changes your pubkey in their JSON.

Impact:

  • Different pubkey now verified under your name
  • Impersonation possible

Defense:

  • Use reputable providers
  • Or: self-host (you control file)
  • Regularly verify your setup

Likelihood: Low (damages provider reputation), but possible.

Verification ≠ Endorsement

Important:

  • Verification doesn’t mean trustworthy
  • Scammers can verify
  • It only proves domain control

Trust still requires judgment.

Troubleshooting

“Not Verified” Despite Setup

Possible Causes:

  1. CORS not configured

    • File exists but browser can’t access it
    • Check browser console for CORS errors
    • Add CORS headers (see setup above)
  2. Wrong format

    • JSON syntax error
    • Wrong pubkey, or pubkey not in hex (npub does not work)
    • Wrong name in file vs. profile
  3. Wrong URL

    • File must be at /.well-known/nostr.json
    • Case-sensitive
    • Must be HTTPS (not HTTP)
  4. Client hasn’t checked yet

    • Some clients check hourly
    • Force refresh (client-specific)
    • Be patient
  5. Name parameter required

    • URL must work with ?name=yourname
    • Some servers need explicit configuration

Debugging:

  1. Visit https://yoursite.com/.well-known/nostr.json?name=yourname in browser
  2. Should return JSON with your pubkey
  3. Check browser console for errors (F12 → Console)
  4. Verify CORS headers (Network tab)
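
The checks in this section, and the "regularly verify your setup" defense against a provider changing your entry, can be scripted. This added example (not from the original guide) takes one captured response and reports which of the causes above apply; the capture shape and result labels are assumptions, and the redirect check reflects NIP-05's rule that the endpoint must not redirect.

```javascript
// Added example, not the guide's code. The capture shape {url, status, headers, body}
// is an assumption; fill it from curl -i output or the browser's Network tab.
function diagnoseNip05(res, name, expectedHex) {
  const found = [];
  const url = new URL(res.url);
  if (url.protocol !== "https:") found.push("not-https");
  if (url.pathname !== "/.well-known/nostr.json") found.push("wrong-path");
  if (res.status >= 300 && res.status < 400) return found.concat("redirect-not-allowed");
  if (res.status !== 200) return found.concat("http-" + res.status);

  // Header names are case-insensitive, so normalise before looking one up.
  const headers = Object.fromEntries(
    Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (headers["access-control-allow-origin"] !== "*") found.push("cors-header-missing");

  let doc;
  try { doc = JSON.parse(res.body); } catch (e) { return found.concat("json-syntax-error"); }
  const names = doc && typeof doc.names === "object" ? doc.names : null;
  if (!names) return found.concat("no-names-object");

  if (!Object.prototype.hasOwnProperty.call(names, name)) {
    const near = Object.keys(names).some((k) => k.toLowerCase() === name.toLowerCase());
    return found.concat(near ? "name-case-mismatch" : "name-not-listed");
  }
  const value = String(names[name]);
  if (value.startsWith("npub1")) found.push("npub-instead-of-hex");
  else if (!/^[0-9a-f]{64}$/.test(value)) found.push("pubkey-not-64-hex-chars");
  else if (value !== expectedHex) found.push("pubkey-differs-from-yours");
  return found;
}

// Constructed captures for illustration (not real traffic).
const MY_KEY = "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d";
const GOOD = {
  url: "https://example.com/.well-known/nostr.json?name=alice", status: 200,
  headers: { "Access-Control-Allow-Origin": "*" },
  body: JSON.stringify({ names: { alice: MY_KEY } }),
};
const BROKEN = {
  url: "http://example.com/.well-known/nostr.json?name=alice", status: 200,
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ names: { Alice: MY_KEY } }),
};
const SWAPPED = { ...GOOD, body: JSON.stringify({ names: { alice: "f".repeat(64) } }) };
```

An empty result means the file passes every check; run on a schedule with your own key as expectedHex, a "pubkey-differs-from-yours" result is the signal that the entry was changed.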

Verification Works But Checkmark Disappeared

Causes:

  1. File removed or changed

    • Domain expired
    • Server misconfiguration
    • Provider shut down
  2. Profile updated incorrectly

    • Accidentally removed NIP-05 field
    • Typo in identifier
  3. Temporary network issue

    • Client couldn’t fetch file
    • Will re-verify automatically

Fix: Re-check file exists and profile has correct identifier.

Best Practices

Choosing an Identifier

For Personal Use:

  • yourname@yourwebsite.com (if you have site)
  • yourname@yourname.com (personal domain)
  • yourname@reputable-provider.com

For Business:

  • companyname@company.com
  • support@company.com
  • ceo@company.com

For Pseudonymity:

  • pseudonym@domain.com (domain matches online identity)
  • Consider privacy (domain whois might reveal info)

Domain Choice

Own Domain (Best):

  • Maximum control
  • Professional
  • Permanent (as long as you renew)

Reputable Provider (Good):

  • Easy setup
  • Established providers
  • Check reputation first

Avoid:

  • Unknown providers (might disappear)
  • Free “sketchy” domains
  • Providers with unclear ownership

Backup Verification

If Using Provider:

  • Consider setting up own domain as backup
  • Diversify (don’t rely on single provider)

If Self-Hosting:

  • Keep domain renewed
  • Monitor uptime
  • Backup server configuration

NIP-05 and Privacy

Public Information

NIP-05 makes public:

  • Your username
  • Your domain association
  • Your public key

This is intentional (verification requires publicity).

Privacy Considerations

If You Want Privacy:

  • Don’t use NIP-05 (or use pseudonymous domain)
  • Domain whois might reveal real name (use privacy protection)
  • Consider separate identities (pseudonymous identity without NIP-05)

Trade-off: Verification vs. privacy

For Most Users: Verification benefits outweigh privacy cost (your npub is already public anyway).

Future of NIP-05

Current Limitations

  1. Centralized domain system (DNS)

    • Domains can be seized
    • DNS can be censored
    • Not as decentralized as Nostr itself
  2. Limited adoption (discovery)

    • Not all clients support search by NIP-05
    • Growing but not universal
  3. No mobile number/email verification (yet)

    • Could integrate other verification methods
    • Future enhancements possible

Potential Improvements

NIP-05 Extensions (proposed or in development):

  1. Multi-protocol verification

    • Link Nostr to Twitter, GitHub, etc.
    • Comprehensive identity verification
  2. Decentralized name systems

    • ENS (Ethereum Name Service) integration
    • Other blockchain-based naming
  3. Enhanced trust signals

    • Web of Trust integration
    • Reputation scores
    • Community verification

Watch this space—NIP-05 is evolving.

Conclusion

NIP-05 verification provides a DNS-based way to verify your Nostr identity, making you more discoverable and trustworthy.

Key Takeaways:

  1. Human-readable identifiers: yourname@domain.com beats long npub
  2. Trust signal: Proves domain control, aids authenticity
  3. Self-hosted or provider: Both options work, trade-offs exist
  4. Not perfect: Still requires domain trust, doesn’t prevent all impersonation
  5. Worth doing: Significantly improves discoverability and trust

Setup Summary:

  • Self-host: Create /.well-known/nostr.json, add CORS, update profile
  • Provider: Register, link pubkey, update profile
  • Verify: Wait for checkmark ✓

For most users, NIP-05 is highly recommended. It’s the closest thing Nostr has to “verified accounts”—but better, because you verify yourself.

Your domain, your verification, your control.

Remember: Verification helps discoverability and trust, but your private key security is still paramount. Verified or not, keep your nsec safe! ✅