Hosted onrise-tools.hyper.mediavia theHypermedia Protocol

Nostr Bunkers
Primal is a Nostr Client
Amber is a Bunker Android App
https://nostrapps.com/amber

Here’s a clear and accurate explanation of how Nostr "Bunkers" work, written for someone who already understands keys, clients, and relays but wants a deeper view of the architecture.

What is a Nostr Bunker?

A Nostr Bunker is essentially a remote signing service that:

    protects your master private key by keeping it offline / out of your daily devices

    exposes a signing API so your clients can request signatures

    signs messages on your behalf without ever giving your key to the client

    lets you safely use Nostr from multiple devices without importing your sensitive key everywhere

Think of it like a hardware wallet, but remote, programmable, and Nostr-native.

Why Bunkers Exist

Nostr has a usability problem:

To post from different devices, users often copy their nsec (private key) around—this is dangerous.

Bunkers fix this by:

    letting your clients authenticate using ephemeral session keys

    keeping your main key inside a secure signing enclave/server

    allowing controlled delegation

How It Works (Step-by-Step)

1. You run or trust a Bunker server

A Bunker is usually:

    a small server you run

    or a hosted service

    or even a hardware device running the bunker protocol

It stores your nsec, ideally in an HSM or encrypted vault.

2. Your client connects using an ephemeral key

The client does not send your nsec.
Instead, it generates an ephemeral keypair (nsecsession) and authenticates to the bunker.

Think:

Client Key (temporary) → Auth Request → Bunker

The bunker decides whether to allow this temporary key to act on your behalf.

3. The bunker issues a delegation token

If approved, the bunker signs a Nostr delegation tag (kind 1, kind 0, etc.) saying:

“This temporary key is allowed to post events for me, under these conditions.”

Conditions can include:

    what kinds of events can be signed

    expiration time

    rate limits

    relay restrictions

This uses the official NIP-26 Delegation spec.

4. Client signs with the ephemeral key, not with your master key

After delegation, your device never touches the master key.

Your posts/events look like they come from your main pubkey because:

    the ephemeral key signs the event

    the event includes the delegation tag proving authority

    relays accept it as valid

5. Bunker signs only when absolutely required

Certain events must be signed directly by the root key, e.g.:

    metadata changes (profile updates)

    contact lists

    certain high-trust events

For those, the client sends a sign request to the bunker, and the bunker:

    checks permissions

    signs

    returns the signature

At no point does the client receive the private key.

Security Model

What the bunker protects you from

    losing your master key on a compromised device

    exposing your nsec when logging into apps or websites

    malware stealing your identity

    multi-device sign-in without key duplication

What you must trust

    the bunker won’t sign malicious things

    the bunker won’t leak your master key

    the bunker won’t go offline (you lose signing ability)

Users often run their own bunkers on:

    home servers

    VPS

    Tor hidden services

    hardware wallets implementing Nostr signing

What Problems Bunkers Solve

    Multi-device Nostr without copying your nsec

    Safer login to web-based clients

    Revocable client sessions

    Granular control over what gets signed

    Foundation for enterprise and group accounts

In Short

A Nostr Bunker is a secure remote signer that holds your master key, issues delegation rights, and enables safe multi-device usage without ever exposing your private key.

Do you like what you are reading? Subscribe to receive updates.

Unsubscribe anytime