Using NIP-07 Browser Extensions: A Complete Guide

November 5, 2024 5 min read | By Redshift Team
NIP-07 defines a standard way for web applications to request signatures from browser extensions. This means you can use Redshift's web admin without ever typing your private key into a website.

What is NIP-07?

NIP-07 is a Nostr Implementation Possibility that defines a window.nostr API for browser extensions. When a web app needs to sign an event or encrypt something (like your secrets), it asks the extension to do it instead of handling your private key directly.

If you've used SSH keys, the mental model is similar -- your key lives in one place, and applications ask it to sign things on their behalf. The key itself never gets handed over.

Why Use a NIP-07 Extension?

The short answer: your private key stays out of websites entirely. Without an extension, you'd paste your nsec into every Nostr app you use. One phishing site or one XSS vulnerability and it's gone. With NIP-07, the extension holds the key and the website just gets the signature it asked for. You also get a confirmation prompt for each request, so nothing happens without you approving it.

On a practical level, it's also just faster. Install the extension once, and every Nostr app recognizes you instantly. No passwords, no login forms.

Popular NIP-07 Extensions

Alby (the one we recommend)

Alby started as a Bitcoin Lightning wallet and grew into the most full-featured NIP-07 extension available. It supports Chrome, Firefox, and Safari, handles multiple Nostr accounts, and is actively maintained and open source. The Lightning integration is nice if you use it, but honestly the Nostr key management alone makes it worth installing.

It's what we use internally and what most of the Nostr ecosystem has standardized around. If you're not sure which to pick, pick Alby.

nos2x

nos2x is fiatjaf's original NIP-07 implementation. Chrome only, no wallet, no extras -- it just signs Nostr events and gets out of the way. If you want the smallest possible extension and don't care about Lightning or multi-account support, nos2x is fine. It hasn't seen as much active development lately though, which is worth considering.

Flamingo

A newer option focused on mobile-friendly design. We haven't tested it extensively with Redshift, so your mileage may vary.

Setting Up Alby (Recommended)

  1. Install the extension: Visit getalby.com and install for your browser
  2. Create or import identity: You can generate a new Nostr keypair or import an existing nsec
  3. Set a password: Alby encrypts your key locally with this password
  4. Pin the extension: Click the puzzle icon in your browser and pin Alby for easy access

Using NIP-07 with Redshift

Once you have a NIP-07 extension installed:

  1. Visit redshiftapp.com/admin
  2. Click "Sign in with Extension"
  3. Approve the connection request in your extension popup
  4. You're authenticated -- no password or nsec required

When you save secrets, Redshift asks the extension to encrypt them. You'll see a popup for each encryption request (or you can configure auto-approve for trusted sites).

A Few Things to Be Aware Of

NIP-07 extensions handle three types of requests: reading your public key (harmless -- it's public), signing events, and encrypting/decrypting content. Redshift needs all three. When you first connect, the extension will ask you to approve each type. Take a second to actually read those prompts rather than clicking through them.

Once you trust a site, you can configure your extension to auto-approve its requests. Alby makes this easy in its settings. We'd recommend doing this for redshiftapp.com since you'll be triggering encryption requests frequently when managing secrets, and clicking "approve" fifty times gets old fast.

One thing that catches people: your extension stores keys in your browser's local storage. Clear your browser data, switch to a new machine, or uninstall the extension without exporting your nsec first, and you've locked yourself out. Export your nsec from the extension settings and back it up somewhere safe -- a password manager, an encrypted note, whatever works for you. Do this before you need it, not after.

Common Issues

"Redshift says no extension found"

This is almost always a page load timing issue. The extension injects window.nostr on page load, so if you installed it without refreshing, Redshift doesn't know it's there. Refresh the page. If that doesn't work, check that the extension is actually enabled (it's easy to accidentally disable it) and make sure you're not using a browser it doesn't support -- nos2x is Chrome-only, for instance.
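As an added example (not Redshift's, Alby's or nos2x's code), here is a small client-side helper that covers both points above: it checks that the injected provider exposes the three request types Redshift needs, and it tolerates the page-load timing issue by polling briefly for window.nostr before giving up. The method names are NIP-07's; the login event content, the mock extension and the placeholder id/sig values are constructed for illustration.

```javascript
// Added example (not Redshift's or any extension's code); it uses only the NIP-07
// interface: getPublicKey(), signEvent(event) and the optional nip04 encrypt/decrypt.
const REQUIRED = ["getPublicKey", "signEvent", "nip04.encrypt", "nip04.decrypt"];

// Names of required methods the injected provider lacks; [] means all present.
function missingCapabilities(nostr) {
  if (!nostr) return REQUIRED.slice();
  const lookup = (path) => path.split(".").reduce((o, k) => (o ? o[k] : undefined), nostr);
  return REQUIRED.filter((path) => typeof lookup(path) !== "function");
}

// Extensions inject window.nostr during page load, sometimes after app scripts run,
// so poll briefly instead of failing on the first miss. Resolves null on timeout.
function waitForNostr(win, intervalMs = 100, maxTries = 20) {
  return new Promise((resolve) => {
    let tries = 0;
    const tick = () => {
      if (win.nostr) return resolve(win.nostr);
      if (++tries >= maxTries) return resolve(null);
      setTimeout(tick, intervalMs);
    };
    tick();
  });
}

// Sign-in: refuse early if a capability is missing, fetch the pubkey, then have the
// extension sign an event. The event shape is NIP-01's; the content is a hypothetical
// login challenge, not Redshift's real login event.
async function signIn(nostr) {
  const missing = missingCapabilities(nostr);
  if (missing.length) throw new Error("extension lacks: " + missing.join(", "));
  const pubkey = await nostr.getPublicKey();
  const unsigned = { kind: 1, created_at: Math.floor(Date.now() / 1000), tags: [],
                     content: "login-challenge (hypothetical)" };
  const signed = await nostr.signEvent(unsigned);
  // A multi-account extension may sign with a different key than it reported;
  // treat a mismatch as a failed login instead of trusting the returned event.
  if (signed.pubkey !== pubkey) throw new Error("signed pubkey does not match");
  return { pubkey, signed };
}

// Constructed stand-in for an extension so the helpers run outside a browser.
function mockExtension(pubkey) {
  return {
    getPublicKey: async () => pubkey,
    signEvent: async (ev) => ({ ...ev, pubkey, id: "<id placeholder>", sig: "<sig placeholder>" }),
    nip04: { encrypt: async (_pk, t) => "enc:" + t, decrypt: async (_pk, c) => c.slice(4) },
  };
}
```

In a real page you would call waitForNostr(window) first and only fall back to the "no extension found" message when it resolves null.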

"I click approve but nothing happens" / signing seems stuck

The approval popup might be hiding behind your browser window, or your popup blocker might be eating it. Click the extension icon directly to see if there are pending requests queued up. If the extension seems completely unresponsive, a browser restart usually fixes it. This happens more often than you'd think after browser updates.

CLI Authentication

NIP-07 is web-only. For CLI authentication, you'll need to either:

  • Enter your nsec directly (stored in system keychain)
  • Use a Nostr Bunker for remote signing

See our authentication documentation for all options.

Ready to try Redshift?

Own your secrets with decentralized, censorship-resistant secret management.