Community

NIPs

NIP-42: Authentication of clients to relays

NIP-42 gives relays a signed challenge-response login for specific jobs: publishing, reading restricted data, paid access, private relay use and any policy where the relay needs to know which pubkey is behind the current connection.

NIP-42: Authentication of clients to relays visual
NIPs Under the hood Events, NIPs, relay behavior and the shared formats apps can trust.
Back to Nostr
NIPs Open NIP map Deep guidesConcepts, NIP pages and source checks BrowseClose
Relays and discoverydraftoptionalrelay auth

NIP-42: Authentication of clients to relays

NIP42Statusdraft / optional / relayProtocol messageAUTHAuth event kind22242Failure prefixesauth-required, restrictedRecent changemulti-user AUTH in 2025

Public relays are open; useful relays often need a door

Nostr's base protocol lets a client connect to a relay and ask for events or publish events. That openness is part of the charm. It is also not enough for every relay. A paid relay needs to know whether the connected user has paid. A private group relay needs to know whether you is a member. A relay that serves older encrypted direct messages may want to restrict those reads to the participants. A relay with a write policy may allow an authenticated user to publish events that are not signed by the same key used for the access account.

NIP-42 supplies the missing handshake. The relay sends an AUTH challenge. The client signs a short ephemeral event with kind 22242, including the relay URL and the challenge. The relay verifies the signature, checks that the challenge and relay tag match, and treats the pubkey as authenticated for that connection.

That sounds like login, but it is deliberately narrower than an account system. The signed event is not meant to be published or queried. The relay is not asking for a password. It is asking the client to prove control of a Nostr key inside the current websocket session.

AUTH, kind 22242 and machine-readable refusal reasons

The visible protocol change is small: a relay may send ["AUTH", "challenge"]; a client may answer with ["AUTH", signed_event]. The signed event must use kind 22242 and include a relay tag plus a challenge tag. Relays must not broadcast kind 22242 events to normal subscribers.

NIP-42 also standardizes how a relay says no. For rejected subscriptions, the relay can close the subscription with a CLOSED message using auth-required: when authentication has not happened, or restricted: when authentication happened but the key is not allowed. For rejected writes, the relay can use the same prefixes inside OK responses.

The multi-user change matters. A client may send a sequence of AUTH messages from multiple pubkeys, and relays must treat all those pubkeys as authenticated. That fits real software where a client may manage multiple accounts, app keys or delegated workflows in one connection.

A standard simplified by relay reality

The visible history starts in January 2023, when fiatjaf drastically simplified an earlier authentication proposal and moved it toward the challenge-response shape used today. In December 2023, NIP-42 was tied into the newer CLOSED message and machine-readable relay refusal prefixes. That change made it more useful for real clients because the user can see why a read or write failed instead of staring at a silent relay.

In September 2025, Vitor Pamplona's PR #1881 allowed multi-user AUTH. In December 2025, relay tags were updated across several files. The story is therefore not one big cryptographic invention; it is a relay operations NIP being adjusted as private, paid and policy-heavy relays became more normal.

The most practical lesson is that NIP-42 is not about identity branding. It is about connection-level authorization. A relay can still make bad policy decisions, but clients at least have a shared way to prove key control and interpret rejections.

First visible simplification2023-01 by fiatjafMulti-user AUTHPR #1881 in 2025Open Git history

The hard part is not signing; it is timing and user state

Most Nostr libraries can already sign an event. The details that break products are the session details: storing the latest challenge per relay, retrying a request after an auth-required: response, handling several authenticated pubkeys, and showing a human explanation when the relay says restricted:.

Rust-nostr advertises support for NIP-42, and relay implementations such as nostr-rs-relay have had practical issue threads around AUTH acknowledgement and whitelisting behavior. Those discussions matter because a relay can technically authenticate a client while still leaving the UI confused if it does not respond with the expected OK message.

A serious client needs to test three flows: read requires AUTH, write requires AUTH and authenticated key is still not authorized. Those are different user states. Blending them into one generic error makes private relay UX feel broken.

Relay sendsAUTH challenge, either early or when a request needs authentication.
Client signsKind 22242 event with relay and challenge tags.
Relay checksSignature, kind, fresh timestamp, challenge and relay URL.
User-facing riskauth-required and restricted must be shown differently.

Authentication can become hidden centralization

NIP-42 gives relays a clean door. It does not say who deserves a key, how payment is verified, how membership is granted or whether a relay's policy is fair. That is where product and governance questions return.

There is also a privacy tradeoff. Authentication links a pubkey to a relay connection and the requested resource. For some relays that is exactly the point. For sensitive reading patterns, clients need to avoid authenticating casually and needs to explain when a relay is asking for proof of identity.

Read NIP-42 in the wild

NIP-42 gives relays a way to authenticate clients. A relay can challenge a client, and the client can prove control of a Nostr key without sending a password.

This is where access control becomes legible. The client needs to show which relay is asking, what key is signing and why the challenge exists. Otherwise auth feels like another mysterious popup.

What changes when you actually use it

For you, NIP-42: Authentication of clients to relays is felt when a relay accepts, rejects, indexes, hides, charges for or returns events. Relays are not passive pipes. They make policy and infrastructure choices that shape what a client can show. The source terms kind 4, kind 22242, draft, relay, kind: 4, AUTH matter because they are the narrow places where a product can distinguish a relay decision from a network failure.

What changes for builders and operators

For builders and operators, NIP-42: Authentication of clients to relays is observability. Log what the relay accepted, rejected, counted, authenticated or refused. Then show enough of that to users so they can repair configuration instead of assuming Nostr is empty or broken.

What the official file makes concrete

The official file is organized around Motivation, Definitions, New client-relay protocol messages, Canonical authentication event, OK and CLOSED machine-readable prefixes, Protocol flow, auth-required in response to a REQ message, auth-required in response to an EVENT message. Inspect kind 4, kind 22242, draft, relay, kind: 4, AUTH, OK, EVENT because these are the pieces most likely to surface as product behavior.

NIP-42: Authentication of clients to relays belongs to infrastructure, not scenery. Acceptance, indexing, authentication, retention, payment and filtering all shape what you actually see.

Where it breaks

The failure mode in NIP-42: Authentication of clients to relays is blaming the network for one server's policy. A relay may reject an event for payment, spam, size, auth, retention or software reasons. If the client collapses those cases into one empty state, the user loses the ability to act.

Where this appears outside the markdown

In the ecosystem, NIP-42: Authentication of clients to relays lives where users rarely look and operators spend real money: websocket services, relay policies, indexes, rate limits, authentication, monitoring and retention. A good hub page has to make that infrastructure readable because relay behavior decides whether Nostr feels alive, empty, expensive or hostile.

The nearby-standard trap

The nearby-standard trap in NIP-42: Authentication of clients to relays is treating all relay standards as one reliability story. Discovery, authentication, information documents, search, counts, monitoring and management each expose a different slice of relay behavior. Read NIP-01 and the adjacent source links before calling a relay 'good' or 'broken'.

Language that keeps the feature honest

Good product copy for NIP-42: Authentication of clients to relays names the relay decision. It says whether access, payment, indexing, search, storage, rate limit, auth or policy shaped the result. That language gives you something to fix instead of making the network feel mystical.

What this page does not promise

NIP-42: Authentication of clients to relays does not make every relay equal. A relay can be public, paid, local, archival, search-oriented, authenticated, heavily moderated or almost disposable. The standard gives clients and operators a way to communicate one part of that behavior. It does not replace uptime checks, policy reading, payment terms, retention expectations or the practical question of whether your own events can be found later.

Read it as a field test

Start NIP-42: Authentication of clients to relays with the server behavior you can observe: accept, reject, count, search, authenticate, limit, store, delete or report. Then connect it to kind 4, kind 22242, draft, relay, kind: 4, AUTH. A relay NIP becomes readable when it explains what a relay can honestly promise and what still depends on policy, money and operations.

Where the standard earns trust

The source links give you places to test the interpretation in public: NIP-11 Relay Information, rust-nostr supported NIPs, nostr-rs-relay AUTH issue, nostr-rs-relay whitelist issue. Use those links to move from the spec to live libraries, mirrors, pull requests, guides or products.

Official NIP-42 source is the anchor for exact wording, and NIP-42 commit history shows how that wording moved over time. The strongest secondary clues here are NIP-11 Relay Information, rust-nostr supported NIPs, nostr-rs-relay AUTH issue. Treat this evidence chain as part of the article, not as footnotes. A NIP page becomes useful when you can move from claim to source to working behavior without guessing.

Keep the chain visible for NIP-42: Authentication of clients to relays: first the human promise, then kind 4, kind 22242, draft, relay, kind: 4, AUTH, then the implementation record, then the real-world failure case. That order keeps NIP-42 useful without turning it into marketing copy or protocol trivia.

Three questions to carry forward

  • What exact relay behavior is being described: discovery, auth, search, count, information, payment, moderation or management?
  • Can you see whether a failure came from policy, payment, indexing, rate limit, auth or downtime?
  • Does the relay expose enough public information for you to decide whether it belongs in your own relay set?

What to verify before you rely on it

  • Find kind 4, kind 22242, draft, relay, kind: 4 in the official file and check where the UI exposes the same concept.
  • Read NIP-01 and the adjacent source links as context before treating NIP-42 as a complete product story.
  • Open at least one implementation, mirror, pull request or library source from the source links before trusting that the idea is mature.
  • Test the unhappy path: missing relays, stale metadata, invalid signatures, blocked events, expired state, revoked permissions or unavailable media.
  • Write the user-facing copy in plain language. If a standard changes authority, privacy, money, moderation or recovery, say that before the click.

Direct sources

Use these sources for NIP-42: Authentication of clients to relays in that order: Official NIP-42 source for the current wording; NIP-42 commit history for the change record; NIP-11 Relay Information, rust-nostr supported NIPs, nostr-rs-relay AUTH issue for public context. The article gives you the consequence in plain language, but the source trail is where exact fields, status notes, unresolved debates and implementation proof stay checkable.

Back to the NIP hub
NIPs route visual cue 1
NIPs route visual cue 2
NIPs route visual cue 3
NIPs route visual cue 4
NIPs route visual cue 5