NIP-71
======

Restricted Events
-----------------

`draft` `optional`

When the `"+"` tag is present, the event is "restricted". A restricted event is an event that requires [NIP-42 Authentication of Clients to Relays](https://github.com/nostr-protocol/nips/blob/master/42.md) in order to be requested. These events can only be requested by:

- the author of the event
- a user tagged in the event
- a user who has [NIP-43 Delegated Authentication](https://github.com/nostr-protocol/nips/blob/master/43.md) from the author

## Use Cases

- limiting metadata leakage of private chats
- limiting access to content to only paid subscribers
- limiting metadata leakage of personal events (like a journal or private calendar)

## Requesting

In order to `REQ` for a restricted event, the filter MUST have (a) the attribute `"restricted": true` to specify that the filter is requesting restricted events AND (b) either the `"authors"` attribute or the `"#p"` attribute to establish the pubkey that authentication should be validated for. If (b) is missing from the filter, the request is invalid and the relay should respond with a `CLOSED` message with the prefix `"invalid"`.

If the filter does not contain the `"restricted": true` attribute, the relay MUST behave as if it does not store any restricted events. Specifically, the relay MUST NOT:

- respond with `CLOSED` and the `"auth-required"` prefix
- request authentication
- return any restricted events in response to a request.

Even if there are restricted events that qualify for the filter, if the filter does not have the attribute `"restricted": true`, the relay should behave as if those events are not stored on the relay.

## Access

A user has permission to request any restricted event for which they are the author by:

- authenticating as the author
- authenticating with a delegated authentication token of mode 0-Login from the author

A user has permission to request any restricted event in which their pubkey is tagged by:

- authenticating as the tagged pubkey
- authenticating with a delegated authentication token of mode 0-Login from the tagged pubkey

A user has permission to request any restricted event they have been granted access to by the delegated authentication tokens of mode 1-Restricted Event Permission they authenticate with. The filter used MUST be narrower in scope than the filter condition of the delegated authentication token.
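
The relay-side decision described under Requesting and Access, as an added Python example that is not part of this NIP or of any relay's code. It assumes the connection's authenticated pubkeys (including any covered by an already verified mode 0-Login delegation) are known, models only `authors` and `#p` matching, and leaves mode 1 tokens out. Two choices are assumptions the text does not specify: a restricted filter returns only restricted events, and missing authentication is answered with the NIP-42 `auth-required` prefix.

```python
def is_restricted(event):
    """An event is restricted when it carries a "+" tag."""
    return any(tag and tag[0] == "+" for tag in event["tags"])

def tagged_pubkeys(event):
    """Pubkeys referenced by the event's "p" tags."""
    return {t[1] for t in event["tags"] if len(t) >= 2 and t[0] == "p"}

def matches(flt, event):
    """Minimal filter matching: only "authors" and "#p" are modelled here."""
    if "authors" in flt and event["pubkey"] not in flt["authors"]:
        return False
    if "#p" in flt and not tagged_pubkeys(event) & set(flt["#p"]):
        return False
    return True

def handle_req(flt, events, authed):
    """Return (message_type, reason, events) for one filter (hypothetical helper).

    authed: pubkeys this connection authenticated as via NIP-42, plus pubkeys
    covered by a mode 0-Login delegation (assumed verified elsewhere).
    """
    matched = [e for e in events if matches(flt, e)]
    if flt.get("restricted") is not True:
        # Behave as if no restricted events are stored: no CLOSED, no AUTH
        # request, and nothing with a "+" tag in the result.
        return ("EVENT", "", [e for e in matched if not is_restricted(e)])
    named = set(flt.get("authors", [])) | set(flt.get("#p", []))
    if not named:
        return ("CLOSED", "invalid: restricted filter needs authors or #p", [])
    usable = named & set(authed)
    if not usable:
        # Assumption: reuse the NIP-42 "auth-required" prefix for this case.
        return ("CLOSED", "auth-required: authenticate as a pubkey in the filter", [])
    allowed = [e for e in matched if is_restricted(e)
               and (e["pubkey"] in usable or tagged_pubkeys(e) & usable)]
    return ("EVENT", "", allowed)

# Constructed sample data; the pubkeys are placeholders, not real keys.
ALICE, BOB, CAROL = "a" * 64, "b" * 64, "c" * 64
EVENTS = [
    {"id": "1", "pubkey": ALICE, "tags": [["+"], ["p", BOB]]},
    {"id": "2", "pubkey": ALICE, "tags": []},
    {"id": "3", "pubkey": CAROL, "tags": [["+"], ["p", ALICE]]},
]
```

Note that an authenticated author who omits `"restricted": true` still sees only the unrestricted event, which is what keeps the existence of restricted events from leaking through ordinary queries.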