NIP-97
======
Login with Nostr
----------------
`draft` `optional`

This NIP defines a flow for applications to request proof from a user that they control a private key. This enables logging into applications (such as paid relay/media hosting services) without having to use other flows (DM codes, NIP-07 extensions) which may be annoying to use or not available.

## Login URI

A login URI has the format `nostr+login:<domain>:<challenge>`, where `domain` MUST be a valid DNS domain or `.onion` service. The `challenge` MUST consist only of the characters `A-Z a-z 0-9 _ - .`.

This login URI can be presented as a clickable link, a QR code or a copyable string.

## Login process

A client that wishes to log in to a service SHOULD display the domain associated with the service to the end user before allowing them to log in, to prevent a service from showing a login string for another service.

After the user approves the login, the client should send a POST request to `/.well-known/nostr/nip97` on the `domain`, with the `i` query parameter set to the `challenge` and a valid NIP-98 authentication header present.

The response MUST be a JSON object with the following format:

```json
{
  "status": <"success" or "error">,
  "message": <OPTIONAL string message to show user in the case of an error>
}
```

HTTPS should always be used except for `.onion` services, which should be contacted using HTTP.

Clients MAY or MAY NOT decide to implement support for `.onion` services.
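
The URI grammar and request target described above, as an added example (not part of this NIP or of any client's code): a strict parser that rejects anything outside the stated format and returns the domain the client should show the user before login. The function names and the letter-digit-hyphen label check used for "valid DNS domain" are assumptions, and building the NIP-98 header is left out.

```javascript
// Added example; parseLoginUri and buildLoginRequest are hypothetical names.
const CHALLENGE_RE = /^[A-Za-z0-9_.-]+$/; // charset stated in "Login URI"
// Assumption: a "valid DNS domain" is two or more letter-digit-hyphen labels.
const LABEL_RE = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function parseLoginUri(uri) {
  const prefix = "nostr+login:";
  if (typeof uri !== "string" || !uri.startsWith(prefix)) {
    throw new Error("not a nostr+login URI");
  }
  const rest = uri.slice(prefix.length);
  // Neither field may contain ':', so the first colon is the only separator.
  const sep = rest.indexOf(":");
  if (sep < 0) throw new Error("missing challenge");
  const host = rest.slice(0, sep);
  const challenge = rest.slice(sep + 1);
  const labels = host.split(".");
  // Validate before lowercasing so only ASCII ever reaches the URL builder.
  if (host.length > 253 || labels.length < 2 || !labels.every((l) => LABEL_RE.test(l))) {
    throw new Error("invalid domain");
  }
  if (!CHALLENGE_RE.test(challenge)) throw new Error("invalid challenge");
  const domain = host.toLowerCase();
  return { domain, challenge, isOnion: domain.endsWith(".onion") };
}

function buildLoginRequest(uri) {
  const { domain, challenge, isOnion } = parseLoginUri(uri);
  // HTTPS everywhere except .onion services, which are contacted over HTTP.
  const scheme = isOnion ? "http" : "https";
  const url = new URL(`${scheme}://${domain}/.well-known/nostr/nip97`);
  url.searchParams.set("i", challenge);
  // displayDomain is what the user should approve before the POST is sent.
  return { method: "POST", url: url.toString(), displayDomain: domain };
}
```

Because the domain and challenge are validated against closed character sets before the URL is assembled, a crafted URI cannot add a path, port, userinfo or extra query parameter to the request.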