👉 Try Nostr Authenticator in action Test the passwordless login flow at https://it.botrift.com . Connect using your npub or NIP address and authenticate by signing from a browser extension or by replying to the challenge via a Nostr DM. No passwords. No accounts. No leaks. This is how passwordless login should work.

No passwords. No accounts. Authenticate by signing securely with the Nostr Authenticator app on your phone. This is how passwordless login should work.

Overview Decentralized authentication system built on Nostr protocol, eliminating traditional passwords. Provides secure authentication through cryptographic signatures and supports dual verification methods for complete user coverage. Authentication Methods 1. With Browser Extension (Nostr Extension) User accesses protected application Automatic signing pop-up (via Alby, nos2x, etc.) User signs the nonce challenge Backend (N8N) verifies signature matches public key JWT issued → access granted 2. Without Extension (DM Authenticator) User copies nonce text (pre-configured with secret) Sends message as DM to Nostr authenticator Backend detects DM in real-time Verifies message came from correct private key JWT issued → access granted 3. WebAuthn Integration (Coming Soon) Hardware security key support (YubiKey, etc.) Biometric authentication (fingerprint, Face ID) FIDO2 compliance for enterprise compatibility Platform authenticator support (Windows Hello, Touch ID) Privacy & Anonymity Architecture Zero-Knowledge Authentication The system is designed with privacy-first principles where the backend has minimal access to sensitive information: What the Backend NEVER sees: ❌ Private keys (stay in browser extension/mobile app) ❌ Passwords (system is passwordless) ❌ User behavior patterns ❌ Application-specific data ❌ Personal identifiable information (PII) ❌ Email addresses or phone numbers What the Backend ONLY verifies: ✅ Cryptographic signature validity ✅ Public key (npub) matches signature ✅ Session expiration timestamps ✅ Optional: npub whitelist membership Privacy Benefits: Client-Side Signing: All cryptographic operations happen locally (browser/mobile) No Data Collection: Backend doesn't log user activity or analytics Pseudonymous Identity: Only Nostr public keys used (no real names required) Decentralized: No central authority controls authentication Ephemeral Sessions: JWT tokens expire, no permanent user database Protected Applications Isolated: Backend never proxies application data What Protected Applications Receive: JWT token with npub (public key only) No access to signing capabilities No private key exposure Applications can optionally validate JWT independently This architecture ensures that even if the backend is compromised, attackers gain access to no sensitive user data or credentials. Technical Architecture Components: Nginx Proxy Manager: Reverse proxy + SSL termination N8N Backend: Dual verification (JWT signature + active session) Nostr Protocol: Decentralized authentication infrastructure JWT Tokens: Stateless auth cookies (HttpOnly, Secure, SameSite=Lax) Mobile Signer: Native app for mobile authentication (in development) Security Flow: User → Request to protected application Nginx checks JWT cookie (if exists) Internal request to N8N /webhook/auth/verify N8N validates: JWT signature + active session (defense-in-depth) Valid → Proxy to application | Invalid → Redirect to login Cookie Architecture: Wildcard domains: Works on any domain (.yourdomain.com) SSO capability: Single sign-on across all subdomains JWT payload: 361 bytes, expires 1h (configurable) Refresh tokens: Support for long-lived sessions Self-Service Configuration Portal Automated Setup Interface The system includes a web-based configuration generator that streamlines deployment: Client Setup: Deployment Type Selection: Pre-configured templates for Nginx Proxy Manager, Apache, Caddy, etc. Login Theme Customization: 6 admin-selectable themes (Dark, Light, Blue, Purple, Green, Orange) Auto-Generated Client ID: Unique identifier per application Backend URL Configuration: Points to your N8N instance Server Configuration: Auth Service URL: Your authentication frontend Protected Path: Specific URLs requiring authentication Session Duration: Configurable expiry (default 1 hour) Authorization Rules: npub Whitelist: Optional restriction to specific Nostr public keys Empty = anyone can authenticate Filled = only listed allowed One-Click Config Generation: System generates complete Nginx configuration based on your selections Copy-paste ready for immediate deployment All security headers and optimizations included No manual editing required Mobile Application (In Development) Nostr Signer Mobile App Native mobile authenticator for on-the-go authentication: Features: QR Code Scanning: Quick authentication via QR code Push Notifications: Real-time authentication requests Biometric Security: Fingerprint/Face ID to approve signatures Multi-Account Support: Manage multiple Nostr identities Offline Signing: Sign authentication requests without internet Use Cases: Desktop authentication via mobile device Secure signing without exposing private keys to browser Enterprise environments requiring hardware-backed keys Air-gapped security for high-value accounts Target Audience & Use Cases Who Should Use This System? 1. Privacy-Conscious Organizations Companies that value user privacy and GDPR compliance Organizations wanting to eliminate password breach risks Businesses reducing PII collection liability Services targeting privacy-aware demographics 2. Self-Hosters & Homelab Enthusiasts Individuals protecting personal services (NAS, media servers, dashboards) Multi-service deployments needing unified authentication Users wanting control over their authentication infrastructure Eliminating password fatigue across dozens of self-hosted apps 3. Nostr Ecosystem Projects Nostr relays requiring authenticated access Nostr-native applications and services Communities building on decentralized infrastructure Projects leveraging existing Nostr identities 4. Small-to-Medium Businesses (SMBs) Companies without IT security teams for password management Businesses reducing operational costs (no password reset helpdesk) Teams needing quick deployment without complex infrastructure Organizations protecting customer-facing portals 5. Developers & SaaS Providers Multi-tenant applications with domain-per-customer architecture API gateways requiring authentication Development/staging environments protection Internal tools and admin panels Why Choose Nostr Auth Over Alternatives? vs. Traditional Username/Password: ✅ Zero password breach risk (no passwords to steal) ✅ No password reset workflows (saves support time/costs) ✅ No password storage liability (GDPR/compliance) ✅ Eliminates weak password problems vs. OAuth2 (Google/Facebook Login): ✅ No vendor lock-in (independent identity) ✅ No user tracking by third parties ✅ Works without internet dependency on IdP ✅ Full control over authentication flow ✅ No data sharing agreements required vs. Enterprise SSO (Okta/Auth0): ✅ Zero monthly subscription costs ✅ No per-user pricing models ✅ Simpler infrastructure (no central auth server) ✅ Open-source and auditable ✅ Deploy in minutes vs. weeks vs. Self-Hosted Keycloak/Authentik: ✅ Lower resource requirements (no database) ✅ Simpler maintenance (fewer components) ✅ Faster deployment (copy-paste config) ✅ Better privacy (no user database) ✅ Inherently decentralized Ideal Deployment Scenarios: Scenario 1: Multi-Service Homelab Problem: User runs 20 self-hosted services, each with different login Solution: Single Nostr identity authenticates across all services via wildcard cookie domain Scenario 2: SaaS with Custom Domains Problem: Each customer gets customer.saas.com subdomain, needs isolated auth Solution: Self-service portal generates configs, customer deploys in minutes Scenario 3: Privacy-First Startup Problem: Want authentication without collecting emails/passwords (GDPR nightmare) Solution: Users authenticate with existing Nostr identity, zero PII collected Scenario 4: Development Team Internal Tools Problem: 10+ internal dashboards need protection, don't want another auth system Solution: Team members use Nostr keys, unified access across all tools Scenario 5: Community Platform Problem: Want only verified community members accessing resources Solution: npub whitelist restricts access to approved members only When NOT to Use This System: ❌ Mainstream Consumer Apps - Users without Nostr familiarity (requires education) ❌ Regulated Financial Services - May require traditional audit trails (coming with WebAuthn) ❌ Legacy System Integration - If you need LDAP/SAML compatibility ❌ Non-Technical User Base - If users struggle with browser extensions However, the DM authentication method and upcoming WebAuthn support significantly expand accessibility beyond technical users. Key Features ✅ Passwordless: Zero passwords to remember or manage ✅ Privacy-First: Backend never sees private keys or PII ✅ Dual Authentication: Support both with/without browser extension ✅ Multi-Domain Ready: Works on any domain - just configure variables ✅ Self-Service Setup: Web portal generates config automatically ✅ Defense-in-Depth: Dual verification (JWT + N8N session) ✅ Production Hardened: Security headers, optimized timeouts, IPv6 disabled ✅ Fast Performance: ~40ms response time ✅ Decentralized: No dependency on centralized IdP ✅ Zero Data Collection: No analytics, tracking, or PII storage ✅ Mobile Ready: Native app for smartphone authentication ✅ WebAuthn Support: Hardware keys & biometrics (coming soon) Production Status Tested: Multiple production deployments Performance: 40ms total response time Security: OWASP headers, HttpOnly cookies, SameSite=Lax Reliability: Dual verification (JWT + session check) Scalability: Template ready for instant deployment Privacy: Zero-knowledge backend architecture Rapid Deployment Via Web Portal (Recommended): Access configuration portal Select deployment type (Nginx Proxy Manager) Choose login theme Configure server URLs Set session duration Add npub whitelist (optional) Copy generated config → paste in Proxy Host → Advanced tab Test authentication Deployment time: < 3 minutes per domain Manual Configuration: Copy template config Edit 6 variables: $client_id, $redirect_uri, $n8n_callback, $cookie_domain, $auth_service, $n8n_verify Change proxy_pass to application port nginx -t && nginx -s reload Test authentication Advantages vs. Traditional Solutions vs. OAuth2 Proxy: ✅ Multi-domain native (no multiple containers) ✅ Dual authentication method (extension + DM) ✅ Decentralized (no central IdP dependency) ✅ Self-service configuration portal ✅ Better privacy (no user tracking) vs. Keycloak/Auth0: ✅ Zero infrastructure overhead ✅ No user database required ✅ Privacy by design ✅ Lower operational costs ✅ Simpler deployment vs. Traditional Passwords: ✅ Zero phishing risk ✅ Zero password breaches ✅ Superior UX (click-to-sign) ✅ No password reset flows ✅ No password storage liability Roadmap Current (Production Ready): ✅ Browser extension authentication ✅ DM authenticator fallback ✅ Self-service configuration portal ✅ Multi-domain support ✅ JWT + session dual verification ✅ Zero-knowledge backend architecture In Development: 🚧 Mobile signer application 🚧 QR code authentication 🚧 Push notification support Planned: 📋 WebAuthn integration (FIDO2/U2F) 📋 Hardware security key support 📋 Biometric authentication 📋 Rate limiting & DDoS protection 📋 Admin dashboard for session management 📋 Audit logging (optional, privacy-preserving) Conclusion: Production-ready, scalable system with dual authentication methods ensuring 100% user coverage. Self-service configuration portal enables rapid deployment across unlimited domains. Privacy-first architecture ensures backend never accesses sensitive user data. Ideal for privacy-conscious organizations, self-hosters, Nostr ecosystem, SMBs, and developers seeking secure, passwordless authentication without vendor lock-in or PII collection liability.