Primal is a Nostr Client
Amber is a Bunker Android App https://nostrapps.com/amber
Here’s a clear and accurate explanation of how Nostr "Bunkers" work, written for someone who already understands keys, clients, and relays but wants a deeper view of the architecture.
What is a Nostr Bunker?
A Nostr Bunker is essentially a remote signing service that:
protects your master private key by keeping it offline / out of your daily devices
exposes a signing API so your clients can request signatures
signs messages on your behalf without ever giving your key to the client
lets you safely use Nostr from multiple devices without importing your sensitive key everywhere
Think of it like a hardware wallet, but remote, programmable, and Nostr-native.
Why Bunkers Exist
Nostr has a usability problem:
To post from different devices, users often copy their nsec (private key) around—this is dangerous.
Bunkers fix this by:
letting your clients authenticate using ephemeral session keys
keeping your main key inside a secure signing enclave/server
allowing controlled delegation
How It Works (Step-by-Step)
1. You run or trust a Bunker server
A Bunker is usually:
a small server you run
or a hosted service
or even a hardware device running the bunker protocol
It stores your nsec, ideally in an HSM or encrypted vault.
2. Your client connects using an ephemeral key
The client does not send your nsec. Instead, it generates an ephemeral keypair (nsecsession) and authenticates to the bunker.
Think:
Client Key (temporary) → Auth Request → Bunker
The bunker decides whether to allow this temporary key to act on your behalf.
3. The bunker issues a delegation token
If approved, the bunker signs a Nostr delegation tag (kind 1, kind 0, etc.) saying:
“This temporary key is allowed to post events for me, under these conditions.”
Conditions can include:
what kinds of events can be signed
expiration time
rate limits
relay restrictions
This uses the official NIP-26 Delegation spec.
4. Client signs with the ephemeral key, not with your master key
After delegation, your device never touches the master key.
Your posts/events look like they come from your main pubkey because:
the ephemeral key signs the event
the event includes the delegation tag proving authority
relays accept it as valid
5. Bunker signs only when absolutely required
Certain events must be signed directly by the root key, e.g.:
metadata changes (profile updates)
contact lists
certain high-trust events
For those, the client sends a sign request to the bunker, and the bunker:
checks permissions
signs
returns the signature
At no point does the client receive the private key.
Security Model
What the bunker protects you from
losing your master key on a compromised device
exposing your nsec when logging into apps or websites
malware stealing your identity
multi-device sign-in without key duplication
What you must trust
the bunker won’t sign malicious things
the bunker won’t leak your master key
the bunker won’t go offline (you lose signing ability)
Users often run their own bunkers on:
home servers
VPS
Tor hidden services
hardware wallets implementing Nostr signing
What Problems Bunkers Solve
Multi-device Nostr without copying your nsec
Safer login to web-based clients
Revocable client sessions
Granular control over what gets signed
Foundation for enterprise and group accounts
In Short
A Nostr Bunker is a secure remote signer that holds your master key, issues delegation rights, and enables safe multi-device usage without ever exposing your private key.