NIP-46

Nostr Connect

final security

NIP-46 allows your private key to remain on a secure device while using Nostr from other applications. A 'bunker' holds your keys and signs events remotely, never exposing your nsec.

Author: fiatjaf
Last Updated: 31 January 2026

NIP-46: Nostr Connect

Status: Final | Author: fiatjaf | Category: Security


Overview

Nostr Connect enables remote signing - your private key stays on a secure device (the “bunker”) while you use Nostr applications from any device.

Instead of pasting your nsec into every app:

  1. Your bunker holds your private key securely
  2. Apps send signing requests via relay
  3. Bunker signs and returns the signed event
  4. Your key never leaves the bunker

This dramatically improves security, especially for high-value accounts.


Why Nostr Connect Matters

The Problem

Every time you paste your nsec into a web app, you’re trusting that app completely. If it’s malicious (or compromised), your identity is stolen.

The Solution

With Nostr Connect:

  • Key isolation - Private key never leaves your secure device
  • Request approval - Review what you’re signing
  • Revocable access - Disconnect apps without changing keys
  • Multi-device - Use Nostr anywhere, sign from one place

How It Works

Connection Flow

1. Bunker generates connection URL
2. User enters URL in Nostr app
3. App connects to bunker via relay
4. User approves connection
5. App sends signing requests as needed
6. Bunker signs and returns events

Connection URL Format

bunker://bunker_pubkey?relay=wss://relay.example.com&secret=shared_secret

Or, using a nostrconnect:// URI:

nostrconnect://app_pubkey?relay=wss://relay.example.com&metadata={...}
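
A connection string is pasted or scanned input that carries a shared secret, so an app should validate it strictly before opening any relay connection. The parser below is an added example, not code from the NIP or from any client. It assumes the bunker pubkey is 64 lowercase hex characters, and it goes beyond the single-relay form shown above by accepting repeated relay parameters; `parseBunkerUrl` is a hypothetical name.

```javascript
// Added example: strict parsing of a bunker:// connection string before connecting.
const HEX64 = /^[0-9a-f]{64}$/;

function parseBunkerUrl(input) {
  const prefix = "bunker://";
  if (typeof input !== "string" || !input.startsWith(prefix)) {
    throw new Error("not a bunker:// URL");
  }
  const rest = input.slice(prefix.length);
  const q = rest.indexOf("?");
  const pubkey = q === -1 ? rest : rest.slice(0, q);
  // Assumption: the bunker pubkey is 64 lowercase hex characters.
  if (!HEX64.test(pubkey)) throw new Error("bunker pubkey must be 64 hex characters");

  const params = new URLSearchParams(q === -1 ? "" : rest.slice(q + 1));
  const relays = new Set();
  for (const value of params.getAll("relay")) {
    let url;
    try {
      url = new URL(value);
    } catch {
      throw new Error("relay is not a valid URL");
    }
    // Only TLS websockets, and no credentials embedded in the relay URL.
    if (url.protocol !== "wss:") throw new Error("relay must use wss://");
    if (url.username || url.password) throw new Error("relay URL carries credentials");
    relays.add(url.href); // normalized form, so duplicates collapse
  }
  // The bunker is only reachable through a relay, so zero relays is an error.
  if (relays.size === 0) throw new Error("no relay given");

  // The secret is a credential for the first connect: never log or persist it.
  const secret = params.get("secret");
  return { pubkey, relays: [...relays], secret: secret === "" ? null : secret };
}
```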

Bunker Implementations

Desktop/Server

| Name       | Platform | Features                  |
|------------|----------|---------------------------|
| nsecBunker | Server   | Full featured, multi-user |
| Gossip     | Desktop  | Built-in bunker mode      |

Mobile

| Name      | Platform | Features          |
|-----------|----------|-------------------|
| Amber     | Android  | Mobile signer app |
| Keystache | iOS      | iOS signing app   |

Browser Extensions

Browser extensions like Alby and nos2x provide similar functionality by storing keys locally and signing for web apps.


Setting Up a Bunker

Using Amber (Android)

  1. Install Amber from F-Droid or GitHub
  2. Import or generate your keys
  3. Grant connections to apps by scanning their QR codes
  4. Approve signing requests as needed

Using nsecBunker (Server)

  1. Install nsecBunker on a secure server
  2. Configure with your nsec
  3. Set access policies
  4. Connect apps using generated URLs

Security Model

What Bunker Protects

  • Key exposure - nsec never leaves the bunker
  • Phishing - You verify what you’re signing
  • Compromised apps - App can’t access key directly
  • Multi-device risk - Single secure signing location

What Bunker Does NOT Protect

  • Bunker compromise - Secure your bunker device
  • Approved malicious content - You must review requests
  • Metadata - Signing patterns may be observable

Supported Methods

Bunkers respond to these request types:

| Method         | Description              |
|----------------|--------------------------|
| connect        | Establish connection     |
| sign_event     | Sign a Nostr event       |
| get_public_key | Return user’s public key |
| nip04_encrypt  | Encrypt using NIP-04     |
| nip04_decrypt  | Decrypt using NIP-04     |
| nip44_encrypt  | Encrypt using NIP-44     |
| nip44_decrypt  | Decrypt using NIP-44     |

Request/Response Format

Signing Request (App → Bunker)

{
  "id": "request_id",
  "method": "sign_event",
  "params": [
    "{unsigned_event_json}"
  ]
}

Response (Bunker → App)

{
  "id": "request_id",
  "result": "{signed_event_json}"
}

Error Response

{
  "id": "request_id",
  "error": "User rejected request"
}
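
The key never leaves the bunker, but a connected app can still ask it to sign anything, so the bunker needs a per-app policy check between decrypting a request and acting on it. The sketch below is an added example, not code from the NIP or from any bunker implementation. It consumes the request shape shown above and returns either the result or the error shape; the `policy` object, the `handlers` map and the error strings are hypothetical.

```javascript
// Added example: per-app policy check on a decrypted NIP-46 request.
const SUPPORTED = new Set(["connect", "sign_event", "get_public_key",
  "nip04_encrypt", "nip04_decrypt", "nip44_encrypt", "nip44_decrypt"]);

const fail = (id, error) => ({ id, error });

// policy   (hypothetical shape): { methods: Set of method names, kinds: Set of event kinds }
// handlers (hypothetical): caller-supplied functions keyed by method name that
//          do the real work (signing, encryption) once the request is allowed.
function handleRequest(rawJson, policy, handlers) {
  let req;
  try {
    req = JSON.parse(rawJson);
  } catch {
    return fail(null, "Malformed request");
  }
  if (req === null || typeof req !== "object") return fail(null, "Malformed request");
  const id = typeof req.id === "string" ? req.id : null;
  if (id === null || typeof req.method !== "string" || !Array.isArray(req.params)) {
    return fail(id, "Malformed request");
  }
  if (!SUPPORTED.has(req.method)) return fail(id, "Unsupported method");
  if (!policy.methods.has(req.method)) return fail(id, "Method not permitted for this app");
  const handler = handlers[req.method];
  if (typeof handler !== "function") return fail(id, "Method not available");

  if (req.method !== "sign_event") return { id, result: handler(...req.params) };

  // params[0] is the unsigned event as a JSON string; check its kind before signing.
  let event;
  try {
    event = JSON.parse(req.params[0]);
  } catch {
    return fail(id, "Malformed event");
  }
  if (event === null || typeof event !== "object" || !Number.isInteger(event.kind)) {
    return fail(id, "Malformed event");
  }
  if (!policy.kinds.has(event.kind)) {
    return fail(id, "Event kind " + event.kind + " not permitted for this app");
  }
  return { id, result: JSON.stringify(handler(event)) };
}
```

With a policy that allows only kind 1 (text notes), an app that was approved for posting cannot get a kind 0 profile update signed without a separate grant.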

Client Support

Apps with NIP-46 Support

| Client    | Support Level      |
|-----------|--------------------|
| Coracle   | Full               |
| noStrudel | Full               |
| Gossip    | Full (also bunker) |
| Snort     | Partial            |
| Habla     | Full               |

Connecting to an App

  1. The app displays a connection request (often a QR code)
  2. Scan it with your bunker app (Amber, etc.)
  3. Review and approve the connection
  4. The app now sends signing requests via the relay

Best Practices

For Users

  1. Use a dedicated device for the bunker (old phone, etc.)
  2. Review signing requests before approving
  3. Limit app permissions where possible
  4. Audit connected apps regularly
  5. Revoke unused connections

For Developers

  1. Request minimal permissions
  2. Batch signing requests when possible
  3. Handle timeouts gracefully
  4. Support multiple bunkers/signers
  5. Show clear error messages for signing failures

Use Cases

High-Security Accounts

  • Verified identities
  • Popular creators
  • Business accounts
  • Anyone with valuable reputation

Multi-Device Usage

  • Use Nostr on work computer
  • Sign from personal phone
  • No key exposure at work

Shared Access

  • Team accounts
  • Bot accounts with human oversight
  • Family/group accounts

Related NIPs

  • NIP-01 - Basic protocol (events being signed)
  • NIP-44 - Encryption (for bunker communication)
  • NIP-47 - Wallet Connect (similar remote pattern)

Common Questions

Is NIP-46 the same as browser extensions?

Similar concept but different approach. Browser extensions store keys locally per device. NIP-46 bunkers are separate applications (often on different devices) communicating via relays.

Can I use both?

Yes! You can use a browser extension on your main computer and NIP-46 bunker for mobile/other devices.

What if the relay goes down?

The bunker connection requires the relay. Use reliable relays and consider supporting multiple relays for redundancy.

How fast is signing?

Usually sub-second for connected bunkers. There may be slight latency compared to local signing.


Summary

Nostr Connect provides enterprise-grade key security for Nostr:

  • Never paste your nsec into untrusted apps
  • Sign from a secure device you control
  • Review every action before approving
  • Revoke access without changing identity

For any account you care about, consider using a bunker.

