NIP-29
Relay-based Groups
draft
optional
This NIP defines a standard for the simplest version of groups that can work, with optional extensions that provide read/write protection on both the relay and group level, and metadata such as group information and member lists.
The basic idea is that relays themselves have many characteristics of a group, in that they can enforce read/write policy at will. This mechanism also provides a convenient way to administer multiple sub-groups within a relay, since "canonical" metadata may be published using the pubkey listed in the relay's NIP 11 document.
Relays
Standard nostr relays can already be used as groups without any protocol changes, since every relay stores a unique set of events and may already implement access control. All additional recommendations in this document are optional.
To ensure all messages have the appropriate context and/or are not replicated to other relays, a NIP 70 "-" tag MAY be used when posting to a relay (if support is indicated per NIP 11). "Follower" relays intended to back up relay state MAY bypass this restriction, although care should be taken to avoid backing up to relays with less strict access control than the master relay.
Groups
A group is a sub-division of a relay, identified by a short random identifier. Any note may be posted to a group by including an h tag with the group's identifier as the tag value:
{
"kind": 1,
"content": "Hello",
"tags": [
["h", "<group-id>"]
]
}
A group's policies are inherited from the relay it is hosted on by default (in other words, if you can't access a relay, you can't access any of the groups within the relay), but can be further refined by the relay implementation.
The special _ group id MAY be used to refer to the relay's "lobby", as distinct from events posted to the relay without an h tag.
Support
Relays may choose to either passively or actively support NIP 29.
By default, relays are not expected to do anything special. Instead, group metadata, member lists, moderation, etc. may be inferred by clients from events published by users.
Relays that actively support NIP 29 are expected to implement group policy and publish canonical metadata events using the host relay's pubkey. This serves to reduce the complexity of implementing compatible clients by offloading chores like building trustworthy member lists to relays.
If a relay includes 29 in the supported_nips field of their NIP-11 document, they MUST actively implement NIP 29. Clients may choose whether to implement fallback behavior for standard relays, or they may limit support only to NIP 29 compliant relays.
Group metadata
Group metadata is defined by the following tags:
- name is a short string briefly describing the group
- picture is an image url
- about is a longer description of the group
- public indicates that events posted to the group can be read by anyone
- private indicates that only AUTHed users can read events posted to the group
- open indicates that anyone can request to join and the request will be automatically granted
- closed indicates that members must be pre-approved or that requests to join will be manually handled.
Note: it would probably be better to do ["access", "public|private"] instead of two totally separate tags for the same policy flag.
A group may be created by publishing a kind:9007 event to the host relay. Anyone with relay access can publish a group metadata event. content MAY be a message to the relay admin.
Group metadata may include tags describing group visibility and access, but groups that exist on relays without NIP 29 support indicated in supported_nips MUST be considered public and open.
{
"kind": 9007,
"content": "",
"tags": [
["h", "<group-id>"],
["name", "Pizza Lovers"],
["picture", "https://pizza.com/pizza.png"],
["about", "a group for people who love pizza"],
["public"],
["open"]
]
}
A group may be edited by publishing a kind:9002 event to the host relay. content MAY be a message to the relay admin.
{
"kind": 9002,
"content": "",
"tags": [
["h", "<group-id>"],
// ...group metadata tags
]
}
A group may be deleted by publishing a kind:9008 event to the host relay. content MAY be a message to the relay admin.
{
"kind": 9008,
"content": "",
"tags": [
["h", "<group-id>"]
]
}
On relays that actively implement NIP 29, group creation, edit, and deletion events MUST NOT be served, but MUST instead be interpreted by the relay implementation or admin to result in the creation, deletion, or modification of a kind:39000 group metadata event. This event MUST be published by the host-relay's pubkey in order to be valid.
{
"kind": 39000,
"content": "",
"tags": [
["d", "<group-id>"],
// ...group metadata tags
]
}
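How a client might apply the two rules above, as an added example that is not part of the NIP: only kind 39000 events from the relay's NIP-11 pubkey count, and relays without 29 in supported_nips are treated as public and open. The function name, the constructed pubkeys and the stricter-flag-wins handling are assumptions of this example, and event signatures are assumed to be already verified per NIP-01.

```javascript
// Added example, not part of the NIP. Assumes every event's signature has
// already been verified per NIP-01; pubkeys below are constructed.
function resolveGroupPolicy(nip11, events, groupId) {
  const active = Array.isArray(nip11.supported_nips) &&
    nip11.supported_nips.includes(29);
  // Relays without 29 in supported_nips: groups MUST be treated as
  // public/open, whatever tags a metadata event carries.
  if (!active) return { canonical: false, visibility: "public", access: "open" };

  // Only kind 39000 events from the relay's own NIP-11 pubkey are valid.
  const valid = events.filter((e) =>
    e.kind === 39000 && e.pubkey === nip11.pubkey &&
    e.tags.some((t) => t[0] === "d" && t[1] === groupId));
  if (valid.length === 0) return null; // no canonical metadata: policy unknown

  // Kind 39000 is addressable, so the newest event replaces older ones.
  const latest = valid.reduce((a, b) => (b.created_at > a.created_at ? b : a));
  const flags = new Set(latest.tags.filter((t) => t.length === 1).map((t) => t[0]));
  // Choice made by this example: contradictory flags resolve to the
  // stricter one; a missing flag is reported as null.
  const pick = (strict, loose) =>
    flags.has(strict) ? strict : flags.has(loose) ? loose : null;
  return {
    canonical: true,
    visibility: pick("private", "public"),
    access: pick("closed", "open"),
  };
}

const RELAY = "aa".repeat(32), OTHER = "bb".repeat(32); // constructed pubkeys
const sampleEvents = [
  { kind: 39000, pubkey: RELAY, created_at: 100,
    tags: [["d", "a4041f55"], ["name", "Pizza Lovers"], ["private"], ["closed"]] },
  // Newer event from a non-relay key claiming the group is public and open.
  { kind: 39000, pubkey: OTHER, created_at: 200,
    tags: [["d", "a4041f55"], ["public"], ["open"]] },
];
const activeRelay = { pubkey: RELAY, supported_nips: [1, 11, 29, 42] };
const passiveRelay = { pubkey: RELAY, supported_nips: [1, 11] };

console.log(resolveGroupPolicy(activeRelay, sampleEvents, "a4041f55"));
console.log(resolveGroupPolicy(passiveRelay, sampleEvents, "a4041f55"));
```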
Note: it would probably be better to just have users publish kind 39000s instead of all the 9xxx stuff, since a history isn't really needed, similar to how member lists are treated below.
Access
Note: this section should be moved to a separate NIP, since it's generally useful. An old draft exists here: https://github.com/nostr-protocol/nips/pull/1079
Access control (both read and write) SHOULD be implemented based on the user currently authenticated via NIP 42 AUTH.
Access control queries and requests are implemented using new message types, rather than events, in order to prevent broadcasting of sensitive data by relays that don't implement NIP 29. Any relay, regardless of whether they support NIP 29, MAY implement these verbs using an empty string as the group id.
Users MAY query for their current permissions using the ACCESS verb with an optional group id.
Relays MAY respond with zero or more messages using the same ACCESS verb.
- The first argument MUST be a group id.
- The second argument MUST be a comma-separated list of permissions, either read or write.
- The third argument MAY be a human-readable message to be displayed to the user.
-> ["ACCESS"]
<- ["ACCESS", "", "read,write"]
<- ["ACCESS", "_", "read,write"]
<- ["ACCESS", "<group1-id>", "read"]
<- ["ACCESS", "<group2-id>", "", "We don't like your kind around here"]
Users MAY request access using a JOIN message sent ONLY to the relay in question. Relay access requests MUST have a group id and MAY have a claim containing an arbitrary string (such as an invite code, zap receipt, cashu token, etc). A message to the relay admin MAY be included.
["JOIN", "<group-id>", "<claim>", "<message>"]
Users MAY also request that their access be revoked using a LEAVE message:
["LEAVE"]
Relays MAY update internal state and member lists, or ignore these messages.
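A client-side reader for the ACCESS responses described in this section, as an added example that is not part of the NIP. It drops frames carrying anything other than read or write, and caps group permissions by the relay-level entry (the empty-string group id) because groups inherit the relay's policy; the function names, the sample group ids and the choice to treat unlisted groups as no access are assumptions of this example.

```javascript
// Added example, not part of the NIP. Frames are already-parsed JSON arrays.
function parseAccess(frame) {
  if (!Array.isArray(frame) || frame[0] !== "ACCESS") return null;
  const [, groupId, perms, message] = frame;
  if (typeof groupId !== "string" || typeof perms !== "string") return null;
  const list = perms === "" ? [] : perms.split(",");
  // Reject anything other than the two defined permissions.
  if (!list.every((p) => p === "read" || p === "write")) return null;
  return {
    groupId,
    read: list.includes("read"),
    write: list.includes("write"),
    message: typeof message === "string" ? message : null,
  };
}

// Build a table keyed by group id; "" is the relay itself, "_" the lobby.
function accessTable(frames) {
  const table = new Map();
  for (const f of frames) {
    const entry = parseAccess(f);
    if (entry) table.set(entry.groupId, entry);
  }
  return table;
}

// A group inherits the relay's policy, so a relay-level denial (the ""
// entry, when the relay sends one) caps what any group entry can grant.
// Choice made by this example: unlisted groups are treated as no access.
function effectiveAccess(table, groupId) {
  const relay = table.get("");
  const group = table.get(groupId);
  if (!group) return { read: false, write: false };
  return {
    read: group.read && (!relay || relay.read),
    write: group.write && (!relay || relay.write),
  };
}

// Constructed relay responses, modelled on the exchange above.
const frames = [
  ["ACCESS", "", "read"],
  ["ACCESS", "group1", "read,write"],
  ["ACCESS", "group2", "", "We don't like your kind around here"],
  ["ACCESS", "group3", "read,admin"], // undefined permission: frame dropped
];
const table = accessTable(frames);
console.log(effectiveAccess(table, "group1")); // relay-level entry caps write
```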
Membership
Group lists
Users MAY track their own group memberships using a NIP 51 kind 10009 event. Tags MAY be either public or encrypted with NIP 44, depending on user/client preference.
Group IDs are identified by group, with each value being the relay url and the group id joined by a '. Group id MAY be omitted if bare relay membership is desired.
{
"kind": 10009,
"tags": [
["group", "wss://relay.example.com/"],
["group", "wss://relay.other.com/'a4041f55"],
["group", "wss://relay.other.com/'5d75430e"]
]
}
Note: it may be worth changing this to single-letter tags so that group web of trust can be easily calculated, even if there's no member list. It also might be desirable to split each tag into primary/secondary value, so that h tags can be indexed as well, independent of the relay url. Something like this: [["r", "<relay-url>"], ["h", "<group-id>", "<relay-url>"]]
Member lists
A kind 39001 event is a moderator list. To be considered valid, a moderator list MUST be published by the relay's own pubkey.
A kind 39002 event is a member list. Anyone MAY publish one, but clients SHOULD only trust lists published by the relay's own pubkey, or by moderators mentioned in the relay's member list event. Member lists published by regular members MAY be used for convenience in building member list indexes, but should not be trusted or relied upon.
Member and moderator lists should have the following tags:
- A d tag matching the group's id.
- A p tag indicating the person's pubkey and a relay hint.
{
"kind": 39002,
"tags": [
["d", "<group-id>"],
["p", "<pubkey>", "<relay-url>"],
["p", "<pubkey>", "<relay-url>"]
]
}
Relays MAY choose not to publish this information, restrict what pubkeys can fetch it, or reject any member lists published by users to the relay.
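The trust rules for kinds 39001 and 39002 as a client could apply them, in an added example that is not part of the NIP. It assumes signatures were verified per NIP-01; the function name, the constructed pubkeys and the decision to take the union of all trusted member lists are assumptions of this example.

```javascript
// Added example, not part of the NIP. Assumes signatures were verified per
// NIP-01; all pubkeys are constructed placeholders.
function trustedMembership(relayPubkey, events, groupId) {
  const inGroup = (e) => e.tags.some((t) => t[0] === "d" && t[1] === groupId);
  const people = (e) =>
    e.tags.filter((t) => t[0] === "p" && typeof t[1] === "string").map((t) => t[1]);
  // Addressable events: keep only the newest per author.
  const newestByAuthor = (kind, authors) => {
    const best = new Map();
    for (const e of events) {
      if (e.kind !== kind || !authors.has(e.pubkey) || !inGroup(e)) continue;
      const cur = best.get(e.pubkey);
      if (!cur || e.created_at > cur.created_at) best.set(e.pubkey, e);
    }
    return [...best.values()];
  };

  // A moderator list (39001) is valid only from the relay's own pubkey.
  const moderators = new Set(
    newestByAuthor(39001, new Set([relayPubkey])).flatMap(people));
  // Member lists (39002) are trusted from the relay or a listed moderator.
  // Taking the union of those lists is a choice made by this example.
  const trusted = new Set([relayPubkey, ...moderators]);
  const members = new Set(newestByAuthor(39002, trusted).flatMap(people));
  return { moderators, members };
}

const R = "aa".repeat(32), MOD = "bb".repeat(32), EVE = "ee".repeat(32);
const ALICE = "a1".repeat(32), BOB = "b0".repeat(32);
const listEvents = [
  { kind: 39001, pubkey: R, created_at: 10, tags: [["d", "g1"], ["p", MOD, ""]] },
  // Self-appointed moderator list from a non-relay key: ignored.
  { kind: 39001, pubkey: EVE, created_at: 99, tags: [["d", "g1"], ["p", EVE, ""]] },
  { kind: 39002, pubkey: R, created_at: 10, tags: [["d", "g1"], ["p", ALICE, ""]] },
  { kind: 39002, pubkey: MOD, created_at: 20, tags: [["d", "g1"], ["p", BOB, ""]] },
  // Member list from an ordinary user adding themselves: not trusted.
  { kind: 39002, pubkey: EVE, created_at: 30, tags: [["d", "g1"], ["p", EVE, ""]] },
];
const membership = trustedMembership(R, listEvents, "g1");
console.log([...membership.members]);
```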
Migration
If a group needs to be moved from one relay to another, this can be done by publishing a kind 9009, with the following tags:
- h indicates the group id.
- r with an "old" mark indicates the current relay.
- r with a "new" mark indicates the relay the group is moving to.
{
"kind": 9009,
"tags": [
["h", "<group-id>"],
["r", "wss://relay.dead.com/", "old"],
["r", "wss://relay.live.com/", "new"]
]
}
These events SHOULD be published to the group's current relay, and MAY be published more broadly if more durability is desired (for example in the case where the relay goes down permanently before the migration is published).
Anyone MAY publish these events, but migrations not published by the current relay's pubkey should be treated as a relay fork, rather than a migration.
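Telling a migration from a fork on the client side, as an added example that is not part of the NIP. It assumes the event's signature was verified per NIP-01; the function name, the constructed pubkeys and the requirement of exactly one "old" and one "new" r tag are assumptions of this example.

```javascript
// Added example, not part of the NIP. Assumes the event's signature was
// verified per NIP-01; pubkeys are constructed placeholders.
const norm = (u) => { try { return new URL(u).href; } catch { return null; } };

function classifyMigration(event, groupId, currentRelayUrl, currentRelayPubkey) {
  const invalid = { type: "invalid", to: null };
  if (event.kind !== 9009) return invalid;
  const h = event.tags.find((t) => t[0] === "h");
  if (!h || h[1] !== groupId) return invalid;
  const marked = (mark) =>
    event.tags.filter((t) => t[0] === "r" && t[2] === mark).map((t) => norm(t[1]));
  const from = marked("old"), to = marked("new");
  // Choice made by this example: exactly one well-formed URL per mark.
  if (from.length !== 1 || to.length !== 1 || !from[0] || !to[0]) return invalid;
  // The "old" relay must be the one the client currently uses for the group.
  if (from[0] !== norm(currentRelayUrl) || from[0] === to[0]) return invalid;
  // Only the current relay's own key can move the group; anyone else forks it.
  const type = event.pubkey === currentRelayPubkey ? "migration" : "fork";
  return { type, to: to[0] };
}

const RELAY_KEY = "aa".repeat(32), MEMBER_KEY = "cc".repeat(32); // constructed
const moveTags = [
  ["h", "a4041f55"],
  ["r", "wss://relay.dead.com/", "old"],
  ["r", "wss://relay.live.com/", "new"],
];
const byRelay = { kind: 9009, pubkey: RELAY_KEY, tags: moveTags };
const byMember = { kind: 9009, pubkey: MEMBER_KEY, tags: moveTags };

console.log(classifyMigration(byRelay, "a4041f55", "wss://relay.dead.com", RELAY_KEY));
console.log(classifyMigration(byMember, "a4041f55", "wss://relay.dead.com", RELAY_KEY));
```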
Moderation
Any relay member MAY publish a kind 1984 report to the relay (including a "-" tag if desired/supported). These reports MAY be used by the relay admin to delete events or ban users, or by clients to implement any moderation algorithm desired. The relay operator or moderators may also choose to escalate reports without banning content by publishing their own kind 1984 event with the same tags. Reports need not include an h tag.
Federation
By default, the same group id on different relays does not mean that the same content will exist in both places. However, relays MAY choose to actively federate with others by aggressively replicating content between the two, or cooperating in some other way.
If a group is federated, this should be indicated on the kind:39000 group metadata event using one or more peer tags indicating another relay url. The peer SHOULD NOT be considered valid unless the designation is mutual.
Clients should take care when supporting simultaneous relay use, since missing context is possible if the federation is not implemented correctly.
Appendix: Use Cases
The concept of a "group" can mean many things to different people, for example:
- Public, moderated groups with low trust in moderators, for example reddit and forums
- Public-read write-protected "broadcast" telegram groups
- Private, non-sensitive "community" groups, for example facebook community groups
- Private, sensitive direct messages or small group chats, like those on Signal
- Hierarchical groups with many sub-groups and granular permissions, like slack or discord
- High-consistency synchronous chat
- Low-consistency asynchronous microblogging
These differences can be quantified across several axes:
- Size, in number of members
- Read and write access, enforced by AUTH or encryption
- Moderation, from strict to laissez faire
- Trust in relays, from complete to none
- Context-dependence, from low to high
This NIP is not suitable for direct messages or small group chats because of its weak privacy guarantees, and because person-oriented use cases don't benefit from the establishment of a single "place". Instead, messaging protocols like NIP 17 bridge the relay network by following user relay selections, duplicating messages and delivering them to user inboxes.
This NIP is not suitable for "private" groups, since access policies are enforced by relays. Some provisions are made here for "closed" groups, which expect some degree of privacy (for example the use of the "-" tag, relay-enforced access policies, and signature-stripping), but these should not be relied upon for high-stakes information hiding.
This NIP is not suitable for highly censorship-resistant groups by default, since they rely heavily upon relays to host group content. Simultaneous use across multiple relays is possible, but should be carefully considered. For example, chat rooms or forums require strong consistency to avoid leaving out missing context, whereas long-form content and microblogging use cases require less completeness. Relay groups that are strongly federated can improve consensus.
This NIP can accommodate a wide range of moderation approaches, depending on relay implementation and policy. Clients may also implement their own moderation in addition to moderation implemented by relays, for example based on user mutes or web of trust.