Overview

Decentralized authentication system built on Nostr protocol, eliminating traditional passwords. Provides secure authentication through cryptographic signatures and supports dual verification methods for complete user coverage.

Authentication Methods

1. With Browser Extension (Nostr Extension)

User accesses protected application

Automatic signing pop-up (via Alby, nos2x, etc.)

User signs the nonce challenge

Backend (N8N) verifies signature matches public key

JWT issued → access granted

2. Without Extension (DM Authenticator)

User copies nonce text (pre-configured with secret)

Sends message as DM to Nostr authenticator

Backend detects DM in real-time

Verifies message came from correct private key

JWT issued → access granted

3. WebAuthn Integration (Coming Soon)

Hardware security key support (YubiKey, etc.)

Biometric authentication (fingerprint, Face ID)

FIDO2 compliance for enterprise compatibility

Platform authenticator support (Windows Hello, Touch ID)

Privacy & Anonymity Architecture

Zero-Knowledge Authentication

The system is designed with privacy-first principles where the backend has minimal access to sensitive information:

What the Backend NEVER sees:

❌ Private keys (stay in browser extension/mobile app)

❌ Passwords (system is passwordless)

❌ User behavior patterns

❌ Application-specific data

❌ Personal identifiable information (PII)

❌ Email addresses or phone numbers

What the Backend ONLY verifies:

✅ Cryptographic signature validity

✅ Public key (npub) matches signature

✅ Session expiration timestamps

✅ Optional: npub whitelist membership

Privacy Benefits:

Client-Side Signing: All cryptographic operations happen locally (browser/mobile)

No Data Collection: Backend doesn't log user activity or analytics

Pseudonymous Identity: Only Nostr public keys used (no real names required)

Decentralized: No central authority controls authentication

Ephemeral Sessions: JWT tokens expire, no permanent user database

Protected Applications Isolated: Backend never proxies application data

What Protected Applications Receive:

JWT token with npub (public key only)

No access to signing capabilities

No private key exposure

Applications can optionally validate JWT independently

This architecture ensures that even if the backend is compromised, attackers gain access to no sensitive user data or credentials.

Technical Architecture

Components:

Nginx Proxy Manager: Reverse proxy + SSL termination

N8N Backend: Dual verification (JWT signature + active session)

Nostr Protocol: Decentralized authentication infrastructure

JWT Tokens: Stateless auth cookies (HttpOnly, Secure, SameSite=Lax)

Mobile Signer: Native app for mobile authentication (in development)

Security Flow:

User → Request to protected application

Nginx checks JWT cookie (if exists)

Internal request to N8N /webhook/auth/verify

N8N validates: JWT signature + active session (defense-in-depth)

Valid → Proxy to application | Invalid → Redirect to login

Cookie Architecture:

Wildcard domains: Works on any domain (.yourdomain.com)

SSO capability: Single sign-on across all subdomains

JWT payload: 361 bytes, expires 1h (configurable)

Refresh tokens: Support for long-lived sessions

Self-Service Configuration Portal

Automated Setup Interface

The system includes a web-based configuration generator that streamlines deployment:

Client Setup:

Deployment Type Selection: Pre-configured templates for Nginx Proxy Manager, Apache, Caddy, etc.

Login Theme Customization: 6 admin-selectable themes (Dark, Light, Blue, Purple, Green, Orange)

Auto-Generated Client ID: Unique identifier per application

Backend URL Configuration: Points to your N8N instance

Server Configuration:

Auth Service URL: Your authentication frontend

Protected Path: Specific URLs requiring authentication

Session Duration: Configurable expiry (default 1 hour)

Authorization Rules:

npub Whitelist: Optional restriction to specific Nostr public keys

Empty = anyone can authenticate

Filled = only listed npubs allowed

One-Click Config Generation:

System generates complete Nginx configuration based on your selections

Copy-paste ready for immediate deployment

All security headers and optimizations included

No manual editing required

Mobile Application (In Development)

Nostr Signer Mobile App

Native mobile authenticator for on-the-go authentication:

Features:

QR Code Scanning: Quick authentication via QR code

Push Notifications: Real-time authentication requests

Biometric Security: Fingerprint/Face ID to approve signatures

Multi-Account Support: Manage multiple Nostr identities

Offline Signing: Sign authentication requests without internet

Use Cases:

Desktop authentication via mobile device

Secure signing without exposing private keys to browser

Enterprise environments requiring hardware-backed keys

Air-gapped security for high-value accounts

Target Audience & Use Cases

Who Should Use This System?

1. Privacy-Conscious Organizations

Companies that value user privacy and GDPR compliance

Organizations wanting to eliminate password breach risks

Businesses reducing PII collection liability

Services targeting privacy-aware demographics

2. Self-Hosters & Homelab Enthusiasts

Individuals protecting personal services (NAS, media servers, dashboards)

Multi-service deployments needing unified authentication

Users wanting control over their authentication infrastructure

Eliminating password fatigue across dozens of self-hosted apps

3. Nostr Ecosystem Projects

Nostr relays requiring authenticated access

Nostr-native applications and services

Communities building on decentralized infrastructure

Projects leveraging existing Nostr identities

4. Small-to-Medium Businesses (SMBs)

Companies without IT security teams for password management

Businesses reducing operational costs (no password reset helpdesk)

Teams needing quick deployment without complex infrastructure

Organizations protecting customer-facing portals

5. Developers & SaaS Providers

Multi-tenant applications with domain-per-customer architecture

API gateways requiring authentication

Development/staging environments protection

Internal tools and admin panels

Why Choose Nostr Auth Over Alternatives?

vs. Traditional Username/Password:

✅ Zero password breach risk (no passwords to steal)

✅ No password reset workflows (saves support time/costs)

✅ No password storage liability (GDPR/compliance)

✅ Eliminates weak password problems

vs. OAuth2 (Google/Facebook Login):

✅ No vendor lock-in (independent identity)

✅ No user tracking by third parties

✅ Works without internet dependency on IdP

✅ Full control over authentication flow

✅ No data sharing agreements required

vs. Enterprise SSO (Okta/Auth0):

✅ Zero monthly subscription costs

✅ No per-user pricing models

✅ Simpler infrastructure (no central auth server)

✅ Open-source and auditable

✅ Deploy in minutes vs. weeks

vs. Self-Hosted Keycloak/Authentik:

✅ Lower resource requirements (no database)

✅ Simpler maintenance (fewer components)

✅ Faster deployment (copy-paste config)

✅ Better privacy (no user database)

✅ Inherently decentralized

Ideal Deployment Scenarios:

Scenario 1: Multi-Service Homelab

Problem: User runs 20 self-hosted services, each with different login

Solution: Single Nostr identity authenticates across all services via wildcard cookie domain

Scenario 2: SaaS with Custom Domains

Problem: Each customer gets customer.saas.com subdomain, needs isolated auth

Solution: Self-service portal generates configs, customer deploys in minutes

Scenario 3: Privacy-First Startup

Problem: Want authentication without collecting emails/passwords (GDPR nightmare)

Solution: Users authenticate with existing Nostr identity, zero PII collected

Scenario 4: Development Team Internal Tools

Problem: 10+ internal dashboards need protection, don't want another auth system

Solution: Team members use Nostr keys, unified access across all tools

Scenario 5: Community Platform

Problem: Want only verified community members accessing resources

Solution: npub whitelist restricts access to approved members only

When NOT to Use This System:

❌ Mainstream Consumer Apps - Users without Nostr familiarity (requires education)

❌ Regulated Financial Services - May require traditional audit trails (coming with WebAuthn)

❌ Legacy System Integration - If you need LDAP/SAML compatibility

❌ Non-Technical User Base - If users struggle with browser extensions

However, the DM authentication method and upcoming WebAuthn support significantly expand accessibility beyond technical users.

Key Features

✅ Passwordless: Zero passwords to remember or manage

✅ Privacy-First: Backend never sees private keys or PII

✅ Dual Authentication: Support both with/without browser extension

✅ Multi-Domain Ready: Works on any domain - just configure variables

✅ Self-Service Setup: Web portal generates config automatically

✅ Defense-in-Depth: Dual verification (JWT + N8N session)

✅ Production Hardened: Security headers, optimized timeouts, IPv6 disabled

✅ Fast Performance: ~40ms response time

✅ Decentralized: No dependency on centralized IdP

✅ Zero Data Collection: No analytics, tracking, or PII storage

✅ Mobile Ready: Native app for smartphone authentication

✅ WebAuthn Support: Hardware keys & biometrics (coming soon)

Production Status

Tested: Multiple production deployments

Performance: 40ms total response time

Security: OWASP headers, HttpOnly cookies, SameSite=Lax

Reliability: Dual verification (JWT + session check)

Scalability: Template ready for instant deployment

Privacy: Zero-knowledge backend architecture

Rapid Deployment

Via Web Portal (Recommended):

Access configuration portal

Select deployment type (Nginx Proxy Manager)

Choose login theme

Configure server URLs

Set session duration

Add npub whitelist (optional)

Copy generated config → paste in Proxy Host → Advanced tab

Test authentication

Deployment time: < 3 minutes per domain

Manual Configuration:

Copy template config

Edit 6 variables: $client_id, $redirect_uri, $n8n_callback, $cookie_domain, $auth_service, $n8n_verify

Change proxy_pass to application port

nginx -t && nginx -s reload

Test authentication

Advantages vs. Traditional Solutions

vs. OAuth2 Proxy:

✅ Multi-domain native (no multiple containers)

✅ Dual authentication method (extension + DM)

✅ Decentralized (no central IdP dependency)

✅ Self-service configuration portal

✅ Better privacy (no user tracking)

vs. Keycloak/Auth0:

✅ Zero infrastructure overhead

✅ No user database required

✅ Privacy by design

✅ Lower operational costs

✅ Simpler deployment

vs. Traditional Passwords:

✅ Zero phishing risk

✅ Zero password breaches

✅ Superior UX (click-to-sign)

✅ No password reset flows

✅ No password storage liability

Roadmap

Current (Production Ready):

✅ Browser extension authentication

✅ DM authenticator fallback

✅ Self-service configuration portal

✅ Multi-domain support

✅ JWT + session dual verification

✅ Zero-knowledge backend architecture

In Development:

🚧 Mobile signer application

🚧 QR code authentication

🚧 Push notification support

Planned:

📋 WebAuthn integration (FIDO2/U2F)

📋 Hardware security key support

📋 Biometric authentication

📋 Rate limiting & DDoS protection

📋 Admin dashboard for session management

📋 Audit logging (optional, privacy-preserving)

Conclusion: Production-ready, scalable system with dual authentication methods ensuring 100% user coverage. Self-service configuration portal enables rapid deployment across unlimited domains. Privacy-first architecture ensures backend never accesses sensitive user data. Ideal for privacy-conscious organizations, self-hosters, Nostr ecosystem, SMBs, and developers seeking secure, passwordless authentication without vendor lock-in or PII collection liability.