Private Key (nsec)

Authenticate by entering your Nostr private key directly.

Security Warning

Your private key (nsec) provides full access to your Nostr identity and all your secrets. Only enter it on trusted devices. Consider using a browser extension for better security.

When to Use nsec

Entering your nsec directly is useful when:

  • You don't have a browser extension installed
  • You're on a trusted device with no extension support
  • You're testing or developing locally
  • You need quick access without extension setup

Web Admin

To authenticate with nsec in the web admin:

  1. Go to /admin
  2. Click "Connect"
  3. Select "Private Key (nsec)"
  4. Enter your nsec (starts with nsec1...)
  5. Click "Connect"

CLI

To authenticate via command line:

# Interactive login
redshift login
# Select "Enter nsec manually"
# Paste your nsec when prompted

# Direct login (use with caution - visible in shell history)
redshift login --nsec nsec1...

# Via environment variable (safer for scripts)
export REDSHIFT_NSEC=nsec1...
redshift secrets list

Key Formats

Redshift accepts private keys in two formats:

Bech32 (nsec)

The standard Nostr format, starts with nsec1:

nsec1vl029mgpspedva04g90vltkh6fvh240zqtv9k0t9af8935ke9laqsnlfe5

Hex

Raw 64-character hexadecimal:

67dea2ed018072d675f5415ecfaed7d2597555e202d85b3d65ea4e58d2d92ffa
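
Both formats encode the same 32 bytes, so input can be normalized and validated before it reaches any signing code. The following is an added example, not Redshift's own code: a dependency-free JavaScript validator (the names decodeNsec and normalizePrivateKey are illustrative) that converts either format to lowercase hex and rejects wrong prefixes, typos caught by the bech32 checksum, and wrong lengths. It goes slightly beyond the page by also checking that the value lies in the valid secp256k1 private-key range.

```javascript
// Added example, not Redshift's code. Function names are illustrative.
const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l';
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
const HRP_WORDS = [3, 3, 3, 3, 0, 14, 19, 5, 3]; // bech32 expansion of the "nsec" prefix
// secp256k1 group order: a usable private key k satisfies 0 < k < N.
const N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
// Bech32 checksum (BIP-173) over 5-bit words.
function polymod(words) {
  let chk = 1;
  for (const w of words) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ w;
    for (let i = 0; i < 5; i++) if ((top >> i) & 1) chk ^= GEN[i];
  }
  return chk;
}

// Decode "nsec1..." to hex. Errors never echo the input, keeping keys out of logs.
function decodeNsec(str) {
  const s = str.toLowerCase();
  if (str !== s && str !== str.toUpperCase()) throw new Error('mixed-case bech32');
  if (!s.startsWith('nsec1')) throw new Error('not an nsec');
  const words = [...s.slice(5)].map((c) => CHARSET.indexOf(c));
  if (words.includes(-1)) throw new Error('invalid bech32 character');
  if (polymod([...HRP_WORDS, ...words]) !== 1) throw new Error('bad checksum');
  // Regroup the 5-bit payload words (all but the 6 checksum words) into bytes.
  let acc = 0, bits = 0, hex = '';
  for (const w of words.slice(0, -6)) {
    acc = (acc << 5) | w;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      hex += ((acc >> bits) & 0xff).toString(16).padStart(2, '0');
    }
    acc &= (1 << bits) - 1;
  }
  if (acc !== 0) throw new Error('non-zero padding');
  return hex;
}

// Accept either format from the page and return 64 lowercase hex characters.
function normalizePrivateKey(input) {
  const s = input.trim();
  const hex = /^[0-9a-fA-F]{64}$/.test(s) ? s.toLowerCase() : decodeNsec(s);
  if (hex.length !== 64) throw new Error('private key must be 32 bytes');
  const k = BigInt('0x' + hex);
  if (k === 0n || k >= N) throw new Error('private key out of range');
  return hex;
}
```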

How We Protect Your Key

When you enter your nsec in the web admin, Redshift takes several steps to protect it:

Encrypted Storage

Your nsec is encrypted with a non-extractable AES-256-GCM key before storage. The encryption key lives in IndexedDB and cannot be exported.

Session Storage

The encrypted nsec is stored in sessionStorage, which is automatically cleared when you close the browser tab.

Local Signing

All signing happens locally in your browser. Your decrypted key is only held in memory during signing operations.

Security Best Practices

  • Use a dedicated key - Consider generating a key just for Redshift, separate from your main Nostr identity
  • Avoid public computers - Never enter your nsec on shared or untrusted devices
  • Use incognito mode - For extra caution, use a private browsing window
  • Don't store in plain text - Use a password manager for your nsec backup
  • Clear when done - Click "Disconnect" to clear your session

Generating a New Key

If you need a new Nostr identity for Redshift:

# Using the Redshift CLI
redshift login
# Select "Generate new identity"

// Using nostr-tools (Node.js)
import { generateSecretKey, getPublicKey } from 'nostr-tools/pure'
import { nsecEncode, npubEncode } from 'nostr-tools/nip19'

const sk = generateSecretKey()
const pk = getPublicKey(sk)

console.log('nsec:', nsecEncode(sk))
console.log('npub:', npubEncode(pk))

Critical: Immediately back up your new nsec in a secure location. If you lose it, you permanently lose access to all secrets encrypted with this identity. There is no recovery.

CLI Environment Variables

For automation and CI/CD, you can provide credentials via environment variables:

# Set nsec via environment variable
export REDSHIFT_NSEC="nsec1..."

# Now all commands use this identity
redshift secrets list
redshift run -- npm start

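This is more secure than passing --nsec on the command line, which may be visible in shell history or process listings. An export line typed at an interactive prompt is still written to shell history, so in CI/CD let the pipeline's secret store inject REDSHIFT_NSEC instead of typing the value.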

Migrating to a Browser Extension

If you've been using nsec directly and want to upgrade to a more secure setup:

  1. Install a browser extension like Alby
  2. Import your existing nsec into the extension
  3. Disconnect from Redshift (click "Disconnect")
  4. Reconnect using the "Browser Extension" option

Your data remains the same since it's tied to your public key, not the authentication method.