nips/97.md

1.4 KiB

NIP-97

Login with Nostr

draft optional

This NIP defines a flow for applications to request from a user that they control a private key for. This enables logging into applications (such as paid relay/media hosting services) without having to use other flows which may be annoying to use or not available. (DM codes, NIP-07 extensions)

Login URI

A login URI is defined of the format nostr+login:<domain>:<challenge> where domain MUST be a valid DNS domain or .onion service. The challenge MUST only consist of A-Z a-z 0-9 _ - ..

This login URI can be presented as a clickable link, a QR code or a copyable string.

Login process

A client that wishes to log in to a service SHOULD display the domain associated with the service to the end user before allowing them to log in to prevent services showing a login string for another service.

After the user approves the login, the client should send a POST request to /.well-known/nostr/nip97 to the domain with the i query parameter set to the challenge and a valid NIP-98 authentication header present.

The response MUST be a JSON object, with the format:

{
  "status": <"success" or "error">,
  "message": <OPTIONAL string message to show user in the case of an error>
}

HTTPS should always be used except for .onion services, which should be contacted using HTTP.

Clients MAY or MAY NOT decide to implement support for .onion services.