Bunker (NIP-46)

Connect to a remote signing service for enhanced security and automation.

What is a Bunker?

A bunker (defined in NIP-46) is a remote signing service that holds your private key and signs requests on your behalf. Instead of your key living in your browser or CLI, it stays securely on a separate server or device.

Think of it like a hardware wallet for your Nostr identity - the key never leaves the secure environment, and all signing requests go through it.

When to Use a Bunker

CI/CD Pipelines

Run builds that need secrets without embedding your nsec in environment variables.

Enhanced Security

Keep your key on a hardened server or air-gapped device.

Mobile Signing

Use your phone as a signing device for desktop sessions.

Team Access

Multiple team members can sign with a shared identity (with proper controls).

Choosing a Bunker Strategy

The right bunker depends on your use case. Here's our recommendation matrix:

Solution                  Best For                        Setup Time   Platform
nak bunker (Recommended)  Teams, CI/CD, self-hosted       2 min        macOS, Linux, Windows
nsec.app                  Personal use, cross-platform    1 min        Web, iOS, Android
Amber                     Mobile-first users              5 min        Android only

Recommended for Teams & Enterprise

For organizations using Redshift Teams or Enterprise SSO, we recommend nak bunker deployed on your own infrastructure. It provides:

  • Self-hosted with no external dependencies
  • Persistent configuration across restarts
  • Authorized client pubkeys for team access
  • Run in secure enclaves for compliance requirements

Bunker URI Format

Bunker connections use a special URI format:

bunker://<signer-pubkey>?relay=<relay-url>&secret=<connection-secret>

# Example:
bunker://3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d?relay=wss://relay.nsecbunker.com&secret=abc123

The URI contains:

  • signer-pubkey - The public key of the bunker that will sign for you
  • relay - The relay used for communication between client and bunker
  • secret - A shared secret to authenticate the connection
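The following parser and validator for the bunker:// format described above is an added example, not code from the Redshift docs or from nak; it assumes only the URI shape shown on this page and, following NIP-46, accepts more than one relay= parameter.

```python
"""Parse and validate a bunker:// URI (NIP-46 connection string).

Added example, not code from the Redshift docs or from nak; it assumes the
URI shape shown on this page (bunker://<pubkey>?relay=...&secret=...)."""
import re
from urllib.parse import parse_qs, urlsplit

HEX_PUBKEY = re.compile(r"^[0-9a-f]{64}$")


def parse_bunker_uri(uri: str) -> dict:
    """Return {"pubkey", "relays", "secret"} or raise ValueError on a malformed URI."""
    parts = urlsplit(uri)
    if parts.scheme != "bunker":
        raise ValueError(f"scheme {parts.scheme!r} is not 'bunker'")
    # The authority component carries the signer's 32-byte hex pubkey.
    pubkey = parts.netloc.lower()
    if not HEX_PUBKEY.match(pubkey):
        raise ValueError("signer pubkey must be 64 hex characters")
    query = parse_qs(parts.query, keep_blank_values=True)
    # NIP-46 allows several relay= parameters; require TLS (wss://) on each.
    relays = query.get("relay", [])
    if not relays:
        raise ValueError("at least one relay= parameter is required")
    for relay in relays:
        r = urlsplit(relay)
        if r.scheme != "wss" or not r.netloc:
            raise ValueError(f"relay {relay!r} must be a wss:// URL")
    # Exactly one non-empty shared secret authenticates the client to the bunker.
    secrets = query.get("secret", [])
    if len(secrets) != 1 or not secrets[0]:
        raise ValueError("exactly one non-empty secret= parameter is required")
    return {"pubkey": pubkey, "relays": relays, "secret": secrets[0]}


def is_valid_bunker_uri(uri: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_bunker_uri(uri)
        return True
    except ValueError:
        return False


def redact_secret(uri: str) -> str:
    """Mask the connection secret so a URI can appear in logs or error messages."""
    return re.sub(r"(secret=)[^&#]*", r"\1<redacted>", uri)
```

Treat the secret like a password: store the full URI only in a secrets manager or CI secret and log it through redact_secret.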

Connecting to a Bunker

Web Admin

  1. Go to /admin
  2. Click "Connect"
  3. Select "Bunker URL (NIP-46)"
  4. Paste your bunker URI
  5. Click "Connect"
  6. Approve the connection in your bunker app (if required)

CLI

# Interactive
redshift login
# Select "Use bunker URL"
# Paste your bunker URI

# Direct
redshift login --bunker "bunker://..."

# NostrConnect flow (scan QR with bunker app)
redshift login --connect

# Environment variable (for CI/CD)
export REDSHIFT_BUNKER="bunker://..."
redshift secrets list

Bunker Options

nak bunker (Teams & CI/CD)

Best for: Teams, CI/CD pipelines, self-hosted infrastructure (Recommended)

The "nostr army knife" CLI includes a production-ready bunker server with no external dependencies.

Why nak bunker for Teams?

  • Self-contained - No external services to rely on, fully self-hosted
  • Persistent configuration - Survives restarts with --persist
  • Authorized clients - Whitelist specific pubkeys with -k flag
  • Actively maintained - Core Nostr infrastructure by fiatjaf
  • Enterprise-ready - Deploy in secure enclaves for compliance

Installation

# Install via Go
go install github.com/fiatjaf/nak@latest

# Or download pre-built binary from releases:
# https://github.com/fiatjaf/nak/releases

# Verify installation
nak --version

Quick Start

# Generate a new key (or use existing)
nak key generate > ~/.redshift-bunker-key

# Start bunker with your key
nak bunker --sec $(cat ~/.redshift-bunker-key) relay.damus.io nos.lol

# Output includes your bunker:// URL:
# bunker://f59911b5...?relay=wss://relay.damus.io&secret=XuuiMbcL

# Connect Redshift using that URL
redshift login --bunker "bunker://f59911b5..."

Teams Setup (Persistent)

For production team use, enable persistence and authorize specific client pubkeys:

# First-time setup: create persistent bunker with authorized clients
nak bunker --persist \
  --sec ncryptsec1... \
  -k <alice-pubkey> \
  -k <bob-pubkey> \
  -k <ci-runner-pubkey> \
  relay.damus.io nos.lol

# Subsequent runs: just use --persist
nak bunker --persist

# The bunker remembers:
# - Your encrypted secret key
# - Authorized client pubkeys
# - Relay configuration

Enterprise Deployment

For Redshift Enterprise with compliance requirements:

# Run as a systemd service
# /etc/systemd/system/redshift-bunker.service
[Unit]
Description=Redshift NIP-46 Bunker
After=network.target

[Service]
Type=simple
User=redshift
ExecStart=/usr/local/bin/nak bunker --persist
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

For SSO integration, the bunker can be deployed in:

  • AWS Nitro Enclaves
  • Azure Confidential Computing
  • Air-gapped infrastructure

Contact us for Enterprise SSO bridge configuration (Okta/AzureAD → Nostr identity mapping).

github.com/fiatjaf/nak →

nsec.app (Cross-Platform, No Setup)

Best for: Personal use, mobile users, zero setup

A hosted non-custodial key storage with remote signing. Works everywhere.

  1. Visit nsec.app
  2. Create an account or import your existing nsec
  3. Use the NostrConnect flow in Redshift:

# Generate a nostrconnect:// URI
redshift login --connect

# Paste the URI into nsec.app to authorize

nsec.app →

Amber (Android Mobile Signer)

Best for: Android users who want phone-as-bunker

Your phone becomes the signing device. No server required.

  1. Download Amber from GitHub or F-Droid
  2. Import or create your Nostr identity
  3. Scan the nostrconnect:// QR code from Redshift

# Generate QR code for Amber to scan
redshift login --connect

github.com/greenart7c3/Amber →

nsecbunkerd (Advanced Self-Hosting)

Advanced: External services unavailable

The hosted admin interface (app.nsecbunker.com) is currently offline. Use CLI-only administration or consider nak bunker instead.

nsecbunkerd is a Docker-based bunker daemon with multi-user features. It can still be self-hosted and administered via CLI, but the web admin interface is unavailable.

# Clone and configure
git clone https://github.com/kind-0/nsecbunkerd.git
cd nsecbunkerd
cp .env.example .env
# Edit .env: Add your npub to ADMIN_NPUBS

# Start with Docker
docker compose up -d

# CLI administration (web admin unavailable)
docker compose exec nsecbunkerd npm run nsecbunkerd -- add --name "my-key"
docker compose exec nsecbunkerd cat /app/config/connection.txt
github.com/kind-0/nsecbunkerd →

CI/CD Integration

Bunkers are ideal for CI/CD because you don't need to store your nsec in CI secrets:

# GitHub Actions example
name: Deploy
on: push

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Redshift
        run: curl -fsSL https://redshift.dev/install | sh
        
      - name: Deploy with secrets
        env:
          REDSHIFT_BUNKER: ${{ secrets.REDSHIFT_BUNKER }}
        run: |
          redshift setup --project my-app --environment production
          redshift run -- npm run deploy

For CI/CD, you'll need a bunker running on persistent infrastructure (not ephemeral CI runners). Options include:

  • Self-hosted nak bunker - Run on a small VM or container in your infrastructure
  • nsec.app - Hosted service, authorize your CI runner's client pubkey
  • Amber on a dedicated device - Physical device for high-security environments

Pro Tip: Teams CI/CD

For Redshift Teams, deploy a dedicated nak bunker with your CI runner's pubkey pre-authorized using the -k flag. This enables fully automated deployments without manual approval steps.

How It Works

The NIP-46 flow:

  1. Redshift generates a temporary local key pair for the session
  2. It connects to the bunker via the specified relay
  3. When signing is needed, Redshift sends an encrypted request to the bunker
  4. The bunker decrypts the request, signs the event, and sends back the signature
  5. Redshift receives the signature and publishes the event

All communication is encrypted end-to-end. The relay cannot read the signing requests or responses.

Security Considerations

  • Bunker security is critical - A compromised bunker means a compromised identity
  • Use TLS relays (wss://) - Ensure the relay connection is encrypted in transit
  • Rotate secrets - Periodically regenerate bunker connection secrets
  • Monitor usage - Watch for unexpected signing requests
  • Limit permissions - Configure the bunker to only allow necessary operations
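As an added illustration of "Authorized clients" (the -k allowlist in the Teams setup above) and "Limit permissions", the following bunker-side policy check is example code, not nak's implementation. It models the allowlist together with the NIP-46 permission string format (for example "sign_event:1,get_public_key") and decides whether a decrypted request may be served; the pubkey values are placeholders.

```python
"""Bunker-side authorization for decrypted NIP-46 requests.

Added example, not nak's code; it models the -k pubkey allowlist and the
NIP-46 permission string (e.g. "sign_event:1,get_public_key") as one policy."""
import json


def parse_permissions(spec: str) -> dict:
    """Map each granted method to a set of allowed event kinds, or None for any kind."""
    allowed: dict = {}
    for item in filter(None, spec.split(",")):
        method, _, arg = item.partition(":")
        if arg == "":
            allowed[method] = None                      # unrestricted grant
        elif allowed.get(method, set()) is not None:
            allowed.setdefault(method, set()).add(int(arg))
    return allowed


def decide(authorized: set, allowed: dict, client_pubkey: str, request: dict) -> tuple:
    """Return (granted, reason) for one request {"id", "method", "params"}."""
    if client_pubkey not in authorized:
        return False, "client pubkey is not in the authorized list"
    method = request.get("method")
    if method == "ping":
        return True, "ping is always answered"
    if method not in allowed:
        return False, f"method {method!r} was not granted"
    kinds = allowed[method]
    if method == "sign_event" and kinds is not None:
        # params[0] is the unsigned event serialised as a JSON string.
        try:
            kind = int(json.loads(request["params"][0])["kind"])
        except (KeyError, IndexError, TypeError, ValueError):
            return False, "malformed sign_event params"
        if kind not in kinds:
            return False, f"signing kind {kind} was not granted"
    return True, "granted"


def error_response(request: dict, reason: str) -> str:
    """NIP-46 response for a refused request; the caller encrypts it back to the client."""
    return json.dumps({"id": request.get("id", ""), "result": "", "error": reason})


# Constructed sample: the CI runner may only sign kind-30078 application-data events.
AUTHORIZED = {"<ci-runner-pubkey>"}          # placeholder, as on this page
POLICY = parse_permissions("sign_event:30078,get_public_key")
```

Every (granted, reason) pair is worth writing to an audit log: a refused request from an unknown pubkey is exactly the "unexpected signing request" the Monitor usage item asks you to watch for.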

Enterprise Security

For Redshift Enterprise, deploy nak bunker in a hardened environment (AWS Nitro Enclaves, Azure Confidential Computing, or air-gapped infrastructure). The --persist flag stores encrypted keys locally - combine with HSM-backed storage where compliance requires it.

Troubleshooting

"Failed to connect to bunker"

  • Check that the bunker service is running
  • Verify the relay URL is correct and accessible
  • Ensure the connection secret matches

"Connection timed out"

  • The bunker may require manual approval - check your bunker app
  • Network issues between client and relay
  • Bunker server may be overloaded

"Signing request rejected"

  • The bunker may have permission restrictions
  • Manual approval was denied
  • Rate limiting triggered