1. nAuth is intended to be initiated over a potentially insecure channel. The bech32 is best for presenting a QR code or transmitting text that can be easily cut and pasted by a human.
2. The nonce is to prevent session hijacking. I generate a new nonce every time I present a QR and check to see if it’s the same in the reponse.
3. The nonce is really up to the initiator to generate and manage. They can ignore it if they wish but to their peril.
Okay, so nonce is a way to manage your initiations so you can expire them for example without complicating things with signatures for example, which would bloat the nauth.
Did I get that right?
Exactamento. It's basically a challenge and response. If I receive the challenge via a signed/encrypted DM then that is equivalent to the typical challenge and signed response. If you wish, you could add your own timeout, but that would be outside of the protocol spec, more like good practice guidance.
