First you generate bunker url, then paste it to app, then confirm connection in nsec.app - that's when you can alter requested permissions, and also after the connection is created you can edit the perms.
Server is only used for e2ee sync of keys encrypted with your password. Actual signing is done on the client. It's non custodial.
So each user ends up with the keys on their device?
No, you don't give your password to anyone, you just give users one or more bunker urls, each of those is a separate connection with a separate set of permissions.
And nsec.app on your devices will be woken up by push API when any app wants to access the keys. If all your devices are offline then it won't respond. For business use case I'd suggest trying our hosted version - install it on your office server/umbrel etc with docker and it will be always online.
Do you have docs on the docker setup?
There's only this: https://github.com/nostrband/noauth#running-hosted-version-with-docker
