Nostr archive

NIP-98: HTTP Auth

A Crays archive page for NIP-98, explaining what it does, where it fits in Nostr and why it matters for identity, apps, relays and real-world systems.

NostrCrays archive2026-05-30Archive chapter

NIP-98 defines an ephemeral Nostr event used to authorize HTTP requests.

What it standardizes

It lets Nostr identities authenticate with ordinary HTTP services without a traditional username-password database for every service.

  • Protocol layer. NIP-98 is not a consumer product. It is a convention that clients, relays or adjacent services may choose to support.
  • Interoperability. The value is not that every app looks the same. The value is that different apps can understand the same signed data.
  • Optionality. NIPs are implementation possibilities. Builders should implement the pieces that serve their product, security model and user journey.

Implementation notes

A client signs a short-lived event containing the request URL and method. The server verifies the signature before accepting the request.

  • Client responsibility. Clients need to explain the feature clearly because the user sees an experience, not a spec.
  • Relay responsibility. Relays may support only the parts that fit their storage, moderation, authentication and business model.
  • Indexing responsibility. Search, discovery and context often require extra indexers or opinionated clients on top of the raw protocol.

Crays relevance

Crays can use Nostr-native HTTP auth for services around profiles, content, booking, member areas or API access where signed identity is useful.

  • Crays.net. Profiles, creator pages and social proof need portable identity rather than a closed account table.
  • Crays World. Real venues need local context, member state, reputation and payments that can survive app changes.
  • DAO path. Future governance needs signed identity, membership context and auditable participation signals.

Risks and design discipline

Replay protection, timestamp handling, domain validation and user consent are critical. HTTP auth should be narrow and auditable.

  • Do not overpromise. A NIP gives a shared format. It does not magically solve onboarding, moderation, UX or custody.
  • Keep the private key away. Any feature that increases private-key exposure increases the attack surface.
  • Use plain language. Most users need outcomes: login, pay, publish, vote, prove status, access a venue.

Sources and next reading

This archive is independently written and structured for Crays readers. The links below point to primary references, ecosystem directories and further reading used to shape the topic.

NIP-98HTTP authentication with Nostr events. NIP-01Basic protocol flow, events, signatures and relay messages. Nostr NIPsImplementation possibilities, event kinds and client-relay standards.

Related archive pages

Nostr Login Nostr Developer Tools Nostr for Operators and Venues
Back to the Crays Nostr page