draft optional author:melvincarvalho
| Status | Implemented in JSS |
|---|---|
| Draft | ✅ Yes (v0.0.22+) |
This SLIP describes HTTP authentication using Schnorr signatures, compatible with Nostr NIP-98. It enables passwordless, multi-user authentication using secp256k1 keypairs.
Users authenticate by signing an HTTP Auth event (kind 27235) with their Nostr private key. The signed event is base64-encoded and sent in the `Authorization` header. Servers verify the signature and extract the user's identity as `did:nostr:<pubkey>`.
The authentication event follows NIP-98:
```json
{
  "id": "<sha256 hash of serialized event>",
  "pubkey": "<64-char lowercase hex public key>",
  "created_at": 1234567890,
  "kind": 27235,
  "tags": [
    ["u", "https://example.com/resource"],
    ["method", "GET"]
  ],
  "content": "",
  "sig": "<schnorr signature>"
}
```

| Tag | Description |
|---|---|
| `u` | The absolute URL being accessed |
| `method` | The HTTP method (GET, PUT, DELETE, etc.) |

| Tag | Description |
|---|---|
| `payload` | SHA256 hash of request body (for PUT/POST) |

The signed event is base64-encoded and sent as:
```
Authorization: Nostr <base64-encoded-event>
```
Servers MUST verify that:

- `event.id` matches the SHA256 of the serialized event
- `event.sig` is a valid Schnorr signature for `event.pubkey`
- `created_at` is within an acceptable window (e.g., 60 seconds)
- the `u` tag matches the requested URL
- the `method` tag matches the HTTP method

On success, the authenticated identity is: `did:nostr:<event.pubkey>`

Request:
```http
GET /alice/profile HTTP/1.1
Host: example.com
Authorization: Nostr eyJpZCI6IjEyMzQ...
```
Decoded event:
```json
{
  "id": "1234abcd...",
  "pubkey": "f0af1228a863772c0661ca0dd2586c58668de52ca9f71973404e7b9b1f5edc4d",
  "created_at": 1703123456,
  "kind": 27235,
  "tags": [
    ["u", "https://example.com/alice/profile"],
    ["method", "GET"]
  ],
  "content": "",
  "sig": "abcd1234..."
}
```
Authenticated identity: did:nostr:f0af1228a863772c0661ca0dd2586c58668de52ca9f71973404e7b9b1f5edc4d
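
The server-side checks listed above, written out as an added JavaScript example (not the JSS implementation). The names `verifyNip98`, `eventId`, `sampleHeader` and the caller-supplied `verifySchnorr` are hypothetical. Assumptions: the id is serialized as in NIP-01, the `payload` tag is a hex digest, and the caller passes the absolute request URL.

```javascript
// Added example, not JSS code. verifySchnorr(sig, id, pubkey) is a caller-supplied
// BIP-340 verifier (assumption: taken from a secp256k1 library of your choice).
const { createHash } = require('node:crypto');

const sha256hex = (data) => createHash('sha256').update(data).digest('hex');

// NIP-01 event id: SHA-256 over this compact JSON array, UTF-8 encoded.
function eventId(ev) {
  return sha256hex(JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]));
}

const tagValue = (ev, name) => (ev.tags.find((t) => Array.isArray(t) && t[0] === name) || [])[1];

// Returns { ok: true, did } or { ok: false, reason }. Every failure path rejects.
function verifyNip98(authHeader, req, verifySchnorr, now = Math.floor(Date.now() / 1000), windowSec = 60) {
  const fail = (reason) => ({ ok: false, reason });
  const m = /^Nostr ([A-Za-z0-9+/=]+)$/.exec(authHeader || '');
  if (!m) return fail('bad scheme');
  let ev;
  try { ev = JSON.parse(Buffer.from(m[1], 'base64').toString('utf8')); } catch { return fail('bad encoding'); }
  if (!ev || !Array.isArray(ev.tags) || !/^[0-9a-f]{64}$/.test(ev.pubkey)) return fail('malformed event');
  if (ev.kind !== 27235) return fail('wrong kind');
  // The signature covers only the id, so the id must be recomputed from the
  // fields; trusting the supplied id would leave the tags unauthenticated.
  if (eventId(ev) !== ev.id) return fail('id mismatch');
  if (!Number.isInteger(ev.created_at) || Math.abs(now - ev.created_at) > windowSec) return fail('stale');
  if (tagValue(ev, 'u') !== req.url) return fail('url mismatch');
  if (tagValue(ev, 'method') !== req.method) return fail('method mismatch');
  const payload = tagValue(ev, 'payload'); // hex digest assumed
  if (payload !== undefined && payload !== sha256hex(req.body || '')) return fail('payload mismatch');
  if (typeof verifySchnorr !== 'function' || verifySchnorr(ev.sig, ev.id, ev.pubkey) !== true) return fail('bad signature');
  return { ok: true, did: `did:nostr:${ev.pubkey}` };
}

// Constructed sample: a header for the page's example request; the signature is a dummy value.
function sampleHeader(overrides = {}) {
  const ev = { pubkey: 'f0af1228a863772c0661ca0dd2586c58668de52ca9f71973404e7b9b1f5edc4d',
    created_at: 1703123456, kind: 27235,
    tags: [['u', 'https://example.com/alice/profile'], ['method', 'GET']], content: '', ...overrides };
  ev.id = eventId(ev);
  ev.sig = '00'.repeat(64);
  return 'Nostr ' + Buffer.from(JSON.stringify(ev)).toString('base64');
}
```

Because `sampleHeader` carries a dummy signature, it only exercises the binding checks; a real deployment passes an actual BIP-340 verifier as `verifySchnorr`.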
created_atsrc/auth/nostr.jsnip98.getToken()