Overview
Decentralized authentication system built on Nostr protocol, eliminating traditional passwords. Provides secure authentication through cryptographic signatures and supports dual verification methods for complete user coverage.
Authentication Methods
1. With Browser Extension (Nostr Extension)
User accesses protected application
Automatic signing pop-up (via Alby, nos2x, etc.)
User signs the nonce challenge
Backend (N8N) verifies signature matches public key
JWT issued β access granted
2. Without Extension (DM Authenticator)
User copies nonce text (pre-configured with secret)
Sends message as DM to Nostr authenticator
Backend detects DM in real-time
Verifies message came from correct private key
JWT issued β access granted
3. WebAuthn Integration (Coming Soon)
Hardware security key support (YubiKey, etc.)
Biometric authentication (fingerprint, Face ID)
FIDO2 compliance for enterprise compatibility
Platform authenticator support (Windows Hello, Touch ID)
Privacy & Anonymity Architecture
Zero-Knowledge Authentication
The system is designed with privacy-first principles where the backend has minimal access to sensitive information:
What the Backend NEVER sees:
β Private keys (stay in browser extension/mobile app)
β Passwords (system is passwordless)
β User behavior patterns
β Application-specific data
β Personal identifiable information (PII)
β Email addresses or phone numbers
What the Backend ONLY verifies:
β
Cryptographic signature validity
β
Public key (npub) matches signature
β
Session expiration timestamps
β
Optional: npub whitelist membership
Privacy Benefits:
Client-Side Signing: All cryptographic operations happen locally (browser/mobile)
No Data Collection: Backend doesn't log user activity or analytics
Pseudonymous Identity: Only Nostr public keys used (no real names required)
Decentralized: No central authority controls authentication
Ephemeral Sessions: JWT tokens expire, no permanent user database
Protected Applications Isolated: Backend never proxies application data
What Protected Applications Receive:
JWT token with npub (public key only)
No access to signing capabilities
No private key exposure
Applications can optionally validate JWT independently
This architecture ensures that even if the backend is compromised, attackers gain access to no sensitive user data or credentials.
Technical Architecture
Components:
Nginx Proxy Manager: Reverse proxy + SSL termination
N8N Backend: Dual verification (JWT signature + active session)
Nostr Protocol: Decentralized authentication infrastructure
JWT Tokens: Stateless auth cookies (HttpOnly, Secure, SameSite=Lax)
Mobile Signer: Native app for mobile authentication (in development)
Security Flow:
User β Request to protected application
Nginx checks JWT cookie (if exists)
Internal request to N8N /webhook/auth/verify
N8N validates: JWT signature + active session (defense-in-depth)
Valid β Proxy to application | Invalid β Redirect to login
Cookie Architecture:
Wildcard domains: Works on any domain (.yourdomain.com)
SSO capability: Single sign-on across all subdomains
JWT payload: 361 bytes, expires 1h (configurable)
Refresh tokens: Support for long-lived sessions
Self-Service Configuration Portal
Automated Setup Interface
The system includes a web-based configuration generator that streamlines deployment:
Client Setup:
Deployment Type Selection: Pre-configured templates for Nginx Proxy Manager, Apache, Caddy, etc.
Login Theme Customization: 6 admin-selectable themes (Dark, Light, Blue, Purple, Green, Orange)
Auto-Generated Client ID: Unique identifier per application
Backend URL Configuration: Points to your N8N instance
Server Configuration:
Auth Service URL: Your authentication frontend
Protected Path: Specific URLs requiring authentication
Session Duration: Configurable expiry (default 1 hour)
Authorization Rules:
npub Whitelist: Optional restriction to specific Nostr public keys
Empty = anyone can authenticate
Filled = only listed npubs allowed
One-Click Config Generation:
System generates complete Nginx configuration based on your selections
Copy-paste ready for immediate deployment
All security headers and optimizations included
No manual editing required
Mobile Application (In Development)
Nostr Signer Mobile App
Native mobile authenticator for on-the-go authentication:
Features:
QR Code Scanning: Quick authentication via QR code
Push Notifications: Real-time authentication requests
Biometric Security: Fingerprint/Face ID to approve signatures
Multi-Account Support: Manage multiple Nostr identities
Offline Signing: Sign authentication requests without internet
Use Cases:
Desktop authentication via mobile device
Secure signing without exposing private keys to browser
Enterprise environments requiring hardware-backed keys
Air-gapped security for high-value accounts
Target Audience & Use Cases
Who Should Use This System?
1. Privacy-Conscious Organizations
Companies that value user privacy and GDPR compliance
Organizations wanting to eliminate password breach risks
Businesses reducing PII collection liability
Services targeting privacy-aware demographics
2. Self-Hosters & Homelab Enthusiasts
Individuals protecting personal services (NAS, media servers, dashboards)
Multi-service deployments needing unified authentication
Users wanting control over their authentication infrastructure
Eliminating password fatigue across dozens of self-hosted apps
3. Nostr Ecosystem Projects
Nostr relays requiring authenticated access
Nostr-native applications and services
Communities building on decentralized infrastructure
Projects leveraging existing Nostr identities
4. Small-to-Medium Businesses (SMBs)
Companies without IT security teams for password management
Businesses reducing operational costs (no password reset helpdesk)
Teams needing quick deployment without complex infrastructure
Organizations protecting customer-facing portals
5. Developers & SaaS Providers
Multi-tenant applications with domain-per-customer architecture
API gateways requiring authentication
Development/staging environments protection
Internal tools and admin panels
Why Choose Nostr Auth Over Alternatives?
vs. Traditional Username/Password:
β
Zero password breach risk (no passwords to steal)
β
No password reset workflows (saves support time/costs)
β
No password storage liability (GDPR/compliance)
β
Eliminates weak password problems
vs. OAuth2 (Google/Facebook Login):
β
No vendor lock-in (independent identity)
β
No user tracking by third parties
β
Works without internet dependency on IdP
β
Full control over authentication flow
β
No data sharing agreements required
vs. Enterprise SSO (Okta/Auth0):
β
Zero monthly subscription costs
β
No per-user pricing models
β
Simpler infrastructure (no central auth server)
β
Open-source and auditable
β
Deploy in minutes vs. weeks
vs. Self-Hosted Keycloak/Authentik:
β
Lower resource requirements (no database)
β
Simpler maintenance (fewer components)
β
Faster deployment (copy-paste config)
β
Better privacy (no user database)
β
Inherently decentralized
Ideal Deployment Scenarios:
Scenario 1: Multi-Service Homelab
Problem: User runs 20 self-hosted services, each with different login
Solution: Single Nostr identity authenticates across all services via wildcard cookie domain
Scenario 2: SaaS with Custom Domains
Problem: Each customer gets customer.saas.com subdomain, needs isolated auth
Solution: Self-service portal generates configs, customer deploys in minutes
Scenario 3: Privacy-First Startup
Problem: Want authentication without collecting emails/passwords (GDPR nightmare)
Solution: Users authenticate with existing Nostr identity, zero PII collected
Scenario 4: Development Team Internal Tools
Problem: 10+ internal dashboards need protection, don't want another auth system
Solution: Team members use Nostr keys, unified access across all tools
Scenario 5: Community Platform
Problem: Want only verified community members accessing resources
Solution: npub whitelist restricts access to approved members only
When NOT to Use This System:
β Mainstream Consumer Apps - Users without Nostr familiarity (requires education)
β Regulated Financial Services - May require traditional audit trails (coming with WebAuthn)
β Legacy System Integration - If you need LDAP/SAML compatibility
β Non-Technical User Base - If users struggle with browser extensions
However, the DM authentication method and upcoming WebAuthn support significantly expand accessibility beyond technical users.
Key Features
β
Passwordless: Zero passwords to remember or manage
β
Privacy-First: Backend never sees private keys or PII
β
Dual Authentication: Support both with/without browser extension
β
Multi-Domain Ready: Works on any domain - just configure variables
β
Self-Service Setup: Web portal generates config automatically
β
Defense-in-Depth: Dual verification (JWT + N8N session)
β
Production Hardened: Security headers, optimized timeouts, IPv6 disabled
β
Fast Performance: ~40ms response time
β
Decentralized: No dependency on centralized IdP
β
Zero Data Collection: No analytics, tracking, or PII storage
β
Mobile Ready: Native app for smartphone authentication
β
WebAuthn Support: Hardware keys & biometrics (coming soon)
Production Status
Tested: Multiple production deployments
Performance: 40ms total response time
Security: OWASP headers, HttpOnly cookies, SameSite=Lax
Reliability: Dual verification (JWT + session check)
Scalability: Template ready for instant deployment
Privacy: Zero-knowledge backend architecture
Rapid Deployment
Via Web Portal (Recommended):
Access configuration portal
Select deployment type (Nginx Proxy Manager)
Choose login theme
Configure server URLs
Set session duration
Add npub whitelist (optional)
Copy generated config β paste in Proxy Host β Advanced tab
Test authentication
Deployment time: < 3 minutes per domain
Manual Configuration:
Copy template config
Edit 6 variables: $client_id, $redirect_uri, $n8n_callback, $cookie_domain, $auth_service, $n8n_verify
Change proxy_pass to application port
nginx -t && nginx -s reload
Test authentication
Advantages vs. Traditional Solutions
vs. OAuth2 Proxy:
β
Multi-domain native (no multiple containers)
β
Dual authentication method (extension + DM)
β
Decentralized (no central IdP dependency)
β
Self-service configuration portal
β
Better privacy (no user tracking)
vs. Keycloak/Auth0:
β
Zero infrastructure overhead
β
No user database required
β
Privacy by design
β
Lower operational costs
β
Simpler deployment
vs. Traditional Passwords:
β
Zero phishing risk
β
Zero password breaches
β
Superior UX (click-to-sign)
β
No password reset flows
β
No password storage liability
Roadmap
Current (Production Ready):
β
Browser extension authentication
β
DM authenticator fallback
β
Self-service configuration portal
β
Multi-domain support
β
JWT + session dual verification
β
Zero-knowledge backend architecture
In Development:
π§ Mobile signer application
π§ QR code authentication
π§ Push notification support
Planned:
π WebAuthn integration (FIDO2/U2F)
π Hardware security key support
π Biometric authentication
π Rate limiting & DDoS protection
π Admin dashboard for session management
π Audit logging (optional, privacy-preserving)
Conclusion: Production-ready, scalable system with dual authentication methods ensuring 100% user coverage. Self-service configuration portal enables rapid deployment across unlimited domains. Privacy-first architecture ensures backend never accesses sensitive user data. Ideal for privacy-conscious organizations, self-hosters, Nostr ecosystem, SMBs, and developers seeking secure, passwordless authentication without vendor lock-in or PII collection liability.
