What is Nostr?
Derek Ross
npub18am…p424
2025-02-27 15:40:25

What is "remote signing" NIP-46 and NIP-55 Nostr key management? #HOWDONOSTR

Across Nostr's ecosystem, where decentralization and user control are paramount, managing private keys securely should be a top priority. There is no central authority to reset your "password" or help you recover your "account" if your private key is leaked. Once leaked, your "account" is essentially burned and you no longer have control.

Remote signing your social transactions with NIP-46 (Nostr Remote Signing) and NIP-55 (Android Signer Application) provides a safer and more convenient way to interact with Nostr applications without exposing your private key.

By entering your private key into multiple applications, you increase the risk of it being compromised. To protect your key, only trust a minimal number of applications and avoid entering it into more apps than absolutely necessary. Proper private key management with remote signing applications can help here.

What are NIP-46 and NIP-55?

NIP-46 (Nostr Remote Signing) and NIP-55 (Android Signer Application) allow you to use a remote signer—a separate tool or device—to approve actions on your behalf. Instead of entering your private key into every app, you authorize trusted applications to sign messages remotely. This lets you create temporary keys that can sign events on your behalf, without exposing your private key. You can limit what these keys can do, such as only allowing them to post notes but not change your profile.

Using the NIP-46 method, a user would log in to a Nostr application with a long string similar to this example:

bunker://<remote-signer-pubkey>?relay=<wss://relay-to-connect-on>&relay=<wss://another-relay-to-connect-on>&secret=<optional-secret-value>
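
A client can validate a connection string of this shape before it opens any relay connection, and keep the secret out of its logs. The Python below is an added example, not code from the post or from any Nostr project; the function names, the wss-only and at-least-one-relay rules, and the sample values are assumptions made here.

```python
import re
from urllib.parse import urlsplit, parse_qs

HEX64 = re.compile(r"[0-9a-f]{64}")

# Constructed sample: fake pubkey, placeholder relays and secret.
SAMPLE = ("bunker://" + "ab" * 32 +
          "?relay=wss://relay.example.com&relay=wss://relay2.example.com&secret=s3cr3t")

def parse_bunker_uri(uri):
    """Validate a bunker:// connection string and return its parts."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "bunker":
        raise ValueError("not a bunker:// URI")
    pubkey = parts.netloc.lower()
    if not HEX64.fullmatch(pubkey):
        raise ValueError("remote signer pubkey must be 64 hex characters")
    query = parse_qs(parts.query)
    relays = query.get("relay", [])
    if not relays:
        raise ValueError("at least one relay is required")
    for relay in relays:
        r = urlsplit(relay)
        # Policy chosen for this example: refuse cleartext ws:// relays.
        if r.scheme != "wss" or not r.hostname:
            raise ValueError(f"relay must be a wss:// URL: {relay!r}")
    secrets = query.get("secret", [])
    if len(secrets) > 1:
        raise ValueError("more than one secret given")
    return {"signer_pubkey": pubkey, "relays": relays,
            "secret": secrets[0] if secrets else None}

def redact(uri):
    """Return a copy of the URI that is safe to log (secret value masked)."""
    return re.sub(r"(?<=[?&]secret=)[^&]*", "***", uri)

if __name__ == "__main__":
    print(parse_bunker_uri(SAMPLE)["relays"])
    print(redact(SAMPLE))
```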

Using the NIP-55 method, a user would simply tap or click a 'Login with Amber' or 'Login with Android Signer' button in their Nostr application. All of the heavy lifting and configuration items are handled by the Android signer.

Why use remote signing?

* Better Security – Your private key stays in a secure location, such as Knox, NAK, or Keycast, rather than being exposed in multiple applications.
* More Control – You decide which apps can sign messages and revoke access anytime.
* Seamless Experience – There is no need to copy and paste private keys between apps. It just works in the background.
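
The control described above (an app that may post notes but not change your profile, with access you can revoke) comes down to a deny-by-default check on the signer side. The Python below is an added example, not code from the post or from any signer project; the class and the client names are hypothetical, the grant strings follow the `method[:kind]` form used for NIP-46 permissions, and requiring an explicit kind for every `sign_event` grant is a stricter policy chosen here.

```python
import json

# NIP-01 event kinds: 0 = profile metadata, 1 = short text note.
KIND_PROFILE, KIND_NOTE = 0, 1

class SignerPolicy:
    """Per-app grants held by the signer (hypothetical helper)."""

    def __init__(self):
        self._grants = {}  # client pubkey -> set of "method" or "method:kind"

    def grant(self, client, perms):
        """Store a comma-separated permission list for one client."""
        self._grants[client] = {p.strip() for p in perms.split(",") if p.strip()}

    def revoke(self, client):
        """Remove every grant for a client; later requests are denied."""
        self._grants.pop(client, None)

    def allows(self, client, method, params):
        """Decide whether a request from this client may be served."""
        granted = self._grants.get(client)
        if granted is None:
            return False  # unknown or revoked client: deny by default
        if method == "sign_event":
            # params[0] is the unsigned event as a JSON string.
            try:
                kind = json.loads(params[0])["kind"]
            except (IndexError, KeyError, TypeError, ValueError):
                return False  # malformed request: never sign
            if not isinstance(kind, int) or isinstance(kind, bool):
                return False
            return f"sign_event:{kind}" in granted
        return method in granted

def unsigned_event(kind, content):
    """Build a constructed unsigned event payload for the demo and tests."""
    return json.dumps({"kind": kind, "content": content, "tags": [], "created_at": 0})

if __name__ == "__main__":
    policy = SignerPolicy()
    policy.grant("app-1", "get_public_key,sign_event:1")  # constructed client id
    print(policy.allows("app-1", "sign_event", [unsigned_event(KIND_NOTE, "gm")]))
    print(policy.allows("app-1", "sign_event", [unsigned_event(KIND_PROFILE, "{}")]))
```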

How can you use it?

The easiest method is Amber for Android. (A new application named nowser recently launched. I have not tested or used this application. However, it supports Android, iOS, Windows, and Linux.)

* Amber: https://github.com/greenart7c3/Amber or download from zap.store (npub10r8…t2p8)!
* nowser: https://github.com/haorendashu/nowser (Remember, I have not used this application. Please use at your own risk!)

If you're more technical and you have a Bitcoin node or a Nostr relay, you may want to consider running either NAK, Knox, or Keycast. These will require a dedicated computer or server.

* NAK (Nostr Army Knife): https://github.com/fiatjaf/nak (This requires almost no setup. You download a simple program and run it with the command 'nak bunker' and keep the terminal window open or run this on a server.)
* Knox: https://gitlab.com/soapbox-pub/knox (Alex (npub1q3s…d26p) actually wrote a great article on this nostr:naddr1qvzqqqr4gupzqprpljlvcnpnw3pejvkkhrc3y6wvmd7vjuad0fg2ud3dky66gaxaqqykkmn00qkkyet5vyhjuvda)
* Keycast: https://github.com/erskingardner/keycast (JeffG (npub1zuu…c2uc) wrote more about Keycast here:
GM Nostr! 🌞

🎁 Announcing Keycast 🔑
A remote signing platform for teams.

https://share.cleanshot.com/y4XbqKpT

Remote signing (NIP-46) has always had a lot of promise. Apps like Amber, nsec.app, and others have made it possible to manage your nostr keys in a way that is safer than browser extensions or pasting your nsec around the internet.

BUT, none of them catered to teams. Groups like thenostrworld (npub1nst…rg5l) and NostReport (npub19md…6vzk) and many many companies out there are just sharing the main account nsec between different people and using it in different apps. A recipe for disaster.

Keycast aims to finally fix this. It allows you to:

- Manage teams of nostr users
- Manage multiple keys that you want to give others access to
- Create authorizations for those keys that grant specific permissions that can be changed, revoked, etc.
- Create your own custom permissions
- Run the signing infrastructure without any extra work

And do it all in a self-sovereign way. Keycast is meant to be run on your server, by you. I think it's tremendously important that this sort of tool doesn't exist as a hosted service (which would basically be a huge key honeypot over time).

The app is both a management web app AND a backend process that manages sub-processes that listen for remote signing requests, check permissions, and sign events.

There is a basic docker setup to start, but my goal is to have this easily deployable to StartOS, Umbrel, Podman, and others.

Code here: https://github.com/erskingardner/keycast
)

Examples of Android applications with support:

* Amethyst, Wavlake, Fountain, 0xchat, Coracle, Flotilla, and more!

Examples of iOS applications with support:

...

Examples of Web applications with support:

* Coracle, Nostrudel, Jumble, Snort, Nests, Habla, and more!

Many, many Nostr applications support NIP-46 or NIP-55. However, popular applications such as Damus and Primal do not support these login methods at this time. If your favorite application does not support these login methods, you'll need to ask your app developer and zap them accordingly 😉

Happy remote signing!
Author Public Key
npub18ams6ewn5aj2n3wt2qawzglx9mr4nzksxhvrdc4gzrecw7n5tvjqctp424