Replying to fiatjaf

nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn does Coracle automatically respond to all AUTH requests sent by all relays?

Asking because of a recent discussion with nostr:npub13f5edp5przy3sm0nnrrj205vgstuuul7s98datn7ekqahh54x6kqufgvmt today.

What is the correct way to handle AUTH? 0xchat also automatically responds to all AUTH requests.


Discussion

I think maybe prompt the user if it comes from a new relay and then persist that setting somehow?

But if the action was directly triggered by a user connecting to that relay (or to someone that can only be accessed through that relay) then just respond automatically I guess.

I think for the list of relays you manually produce, it should be like this per relay:

- respond always

- ignore always

- prompt

- auto (let client decide, for instance only auth when kind4 requested etc how some clients have it now)

Also probably the same types of settings should be applied for “other relays that happen to be requested” in case of outbox or similar.

It would also be great to let the user know when and why AUTH is requested by a relay. And regarding WHY, maybe it makes sense to consider adding it to a NIP so that relays could notify why they need auth: is it just a regular "hey, here is a challenge if you want to AUTH", or something critical may be missing without it. Maybe relays could add a link to a policy (NIP-11 seems not to cover this granularly enough).

Also what is important for client auth imo is to save the challenge and let the user auth at any given point in time later, to not force the user to take immediate action and to not break UX because the relay sends it before the client can react.
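
The per-relay settings and the saved-challenge idea from the replies above, sketched as an added example that is not code from Coracle, 0xchat or any participant in this thread. The class, method and option names (`RelayAuthPolicy`, `autoRule`, `userInitiated`, `requestedKinds`) and the relay URLs are hypothetical; the event shape (kind 22242 with `relay` and `challenge` tags) is the NIP-42 one, and signing is left to the client's signer.

```javascript
const POLICIES = new Set(["always", "never", "prompt", "auto"]);

class RelayAuthPolicy {
  // otherRelays: policy for relays the user did not list (outbox lookups etc.).
  // autoRule: client-defined predicate consulted by "auto" (hypothetical hook).
  constructor({ otherRelays = "prompt", autoRule = () => false } = {}) {
    this.perRelay = new Map(); // relay URL -> policy chosen by the user
    this.pending = new Map();  // relay URL -> latest challenge on this connection
    this.otherRelays = otherRelays;
    this.autoRule = autoRule;
  }

  setPolicy(relay, policy) {
    if (!POLICIES.has(policy)) throw new Error(`unknown policy: ${policy}`);
    this.perRelay.set(relay, policy);
  }

  // Called for ["AUTH", <challenge>] from a relay. The challenge is always
  // saved, so a "prompt" or "ignore" outcome can be revisited by the user later.
  onChallenge(relay, challenge, ctx = {}) {
    this.pending.set(relay, challenge);
    const policy = this.perRelay.get(relay) ?? this.otherRelays;
    if (policy === "always") return "respond";
    if (policy === "never") return "ignore";
    if (policy === "auto") return this.autoRule(relay, ctx) ? "respond" : "ignore";
    // "prompt": skip the dialog when the user explicitly connected to this relay.
    return ctx.userInitiated ? "respond" : "prompt";
  }

  // A challenge is only meaningful on the connection that issued it.
  onDisconnect(relay) { this.pending.delete(relay); }

  // Unsigned NIP-42 event for the saved challenge, or null if none is saved.
  buildAuthEvent(relay, now = Math.floor(Date.now() / 1000)) {
    if (!this.pending.has(relay)) return null;
    return {
      kind: 22242,
      created_at: now,
      content: "",
      tags: [["relay", relay], ["challenge", this.pending.get(relay)]],
    };
  }
}

// Constructed sample: "auto" authenticates only when kind 4 was requested.
const auth = new RelayAuthPolicy({
  autoRule: (_relay, ctx) => (ctx.requestedKinds ?? []).includes(4),
});
auth.setPolicy("wss://dm.example", "auto");
```

Keeping the decision separate from `buildAuthEvent` is what lets the UI show a pending request and sign it later, and dropping the challenge on disconnect avoids signing a stale one.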