Nostr Signer Apps
Signer apps are where Nostr's promise of portable identity becomes a practical safety question. They decide whether a client merely asks for signatures or gets too close to the private key that controls the identity.
Signer apps sit closest to the risk
A signer is not just another utility. It sits near the private key, or at least near the authority to produce valid signatures for a public identity. That makes it one of the most important product categories in Nostr. A client can be replaced. A relay can be changed. A bad signing habit can compromise the identity itself.
The category includes browser extensions, mobile signers, remote signers, bunker-style setups and experiments that connect signing to operating-system keychains or hardware-backed storage. They all answer the same core question: how can a Nostr app prove that the user approved an event without handing the app the raw secret?
This page exists because signer decisions are often hidden behind friendly login buttons. A reader sees connect or sign in with Nostr, but the real question is deeper: who touches the key, what exactly is being signed and can the user understand the request before approving it?
Browser signers
Browser signers use the extension model to expose a signing interface to websites. NIP-07 is the common reference point: a website can talk to window.nostr and request a public key or event signature. The signer performs the sensitive action and returns the result. This lets a web client work without asking the user to paste an nsec into the page.
nos2x is an important early example because it made that pattern practical for web Nostr. Modern products may be more polished, but the principle remains: keep private-key handling out of ordinary websites when possible. A browser signer also gives the user a consistent place to inspect and approve requests across multiple web clients.
The tradeoff is that browser extensions have their own trust model. Users must trust the extension, its updates, its storage model and the browser environment. A browser signer is usually safer than giving every website the raw key, but it is not a magic shield. It is a better boundary that still requires maintenance, transparency and careful UX.
Mobile and app-to-app signers
Mobile signing has different constraints. Android can support app-to-app flows that let a dedicated signer approve events for other apps. Amber is one of the key examples in the Nostr ecosystem because it gives Android users a way to keep signing separate from each client. This matters when a person wants to try multiple clients without importing the same private key everywhere.
Mobile signer UX has to be even clearer than desktop UX because the approval moment is smaller and faster. A prompt that hides too much can become dangerous. A prompt that shows raw protocol data without explanation can become noise. The signer has to tell the user enough: which app is asking, what kind of event is being signed and whether the action is ordinary or sensitive.
Platform limits shape what is possible. A signer pattern that feels natural on Android may not transfer directly to iOS. That is not a failure of the idea; it is part of the product landscape. The Apps hub separates signer profiles by platform because the user's actual device decides which trust boundary is realistic.
Remote signers and bunkers
NIP-46 defines a remote-signing pattern where the client and signer communicate over Nostr itself. The private key can live in a more controlled environment, while the client sends requests and receives signatures. This is attractive for people who want to use web clients without storing keys in the browser or for identities where key exposure would be especially costly.
Bunker46 makes the idea concrete by presenting a bunker-style signer and a browser bridge. The bridge can let a NIP-07-style web app talk to a remote signer through NIP-46. That layered approach shows how standards can compose: the web app sees a familiar browser interface, while the signing authority lives somewhere else.
Remote signing adds its own risk and friction. Pairing, permissions, signer availability, transport security, recovery and trust in the remote environment all matter. The user gains separation but loses some simplicity. A good signer page has to describe both sides honestly.
Hardware and operating-system keys
Some projects explore stronger local protection through operating-system key stores, secure enclaves, hardware tokens or hardware-wallet-adjacent flows. nostr-keyx is one example of experimentation around OS keychain and YubiKey-style protection. These ideas matter because they move Nostr key handling away from plain text and toward systems designed to protect secrets.
This area is still uneven. Hardware support can improve safety but also add setup burden, compatibility limits and recovery complexity. A normal reader may not want that on day one. A journalist, organization, developer, high-profile account or business may need it. The signer category must leave room for both lightweight and serious custody paths.
The larger point is that Nostr identity deserves the same care people already apply to wallets, domain names and publishing keys. A signer is where that care becomes a product.
How to choose a signer
Choose a signer by asking five questions. First, where does the private key live? Second, can I inspect what I am signing? Third, is the project maintained and sourced clearly? Fourth, does it work with the clients I actually use? Fifth, what happens if I lose the device, browser profile or remote signer connection?
A beginner may choose a simple signer that works with a friendly client. A power user may split daily use from high-value identity management. A builder may test several signers to make sure the app does not force unsafe defaults. A venue, media brand or public account may need organizational rules around who can sign what. There is no single universal answer, but there is a universal warning: do not treat the private key as a casual login field.
Signer apps are the trust layer behind the click. The better the signer, the less often a reader has to choose between convenience and identity safety.
Sources worth opening
- NIP-07 - Browser signer interface exposed as window.nostr.
- NIP-46 - Remote signing flow for clients and bunker-style signers.
- fiatjaf/nos2x - Early browser extension pattern for web signing without handing keys to sites.
- Amber - Android signer app for keeping signing outside ordinary clients.
- Bunker46 - Remote signer example built around the NIP-46 model.
- bunker46-extension - Browser bridge connecting NIP-07 websites to a NIP-46 signer.
- nostr-keyx - Signer experiment using operating-system keychain and hardware-backed ideas.





