Community

NIPs

NIP-55: Android Signer Application

NIP-55 lets Android clients ask a local signer app to return a pubkey, sign events and encrypt or decrypt payloads without the client handling the user's private key.

NIP-55: Android Signer Application visual
NIPs Under the hood Events, NIPs, relay behavior and the shared formats apps can trust.
Back to Nostr
NIPs Open NIP map Deep guidesConcepts, NIP pages and source checks BrowseClose
Identity and signingdraftoptionalAndroid signer

NIP-55: Android Signer Application

NIP55Statusdraft / optionalTransportAndroid intents, content resolver, web callbacksCore methodsget_public_key, sign_event, nip44_encrypt, nip44_decryptKey ruleclient stores signer package nameVisible appsAmber, Amethyst integration

Android clients need to not all become key vaults

NIP-55 is the on-device cousin of NIP-46. The problem is the same: a Nostr client wants to act as the user, but it must not have to hold the user's private key. On Android, the solution can be local. A signer app owns the key. Other apps ask it to sign.

That changes mobile UX. A user can install a signer, approve a client, remember permissions for safe background use and keep the key out of experimental clients. Web pages can also use the signer through Android intent-style flows, with warnings about clipboard and callback behavior.

Amber is the obvious public example. It holds the nsec and lets other Android clients request signatures, while Amethyst and other clients can integrate with that signer model.

Intents, content resolver, package names and remembered permissions

NIP-55 defines three communication methods: Android intents, content resolver and web. Intents open the signer so the user can approve or reject. Content resolver can run in the background, but only for permissions the user has previously chosen to remember. Web returns results through a callback URL or clipboard-style behavior.

The connection starts with get_public_key. The signer returns the user pubkey and its Android package name. The client needs to store both and address future requests to that package name rather than repeatedly rediscovering the signer.

Methods include sign_event, NIP-04 and NIP-44 encrypt/decrypt calls, and public-key retrieval. Permissions can be scoped by method and, for signing, by event kind. This is where the user gets a real chance to approve narrowly instead of trusting a whole app forever.

greenart7c3 shaped the Android signer path in public

greenart7c3 added the visible Android signer NIP in November 2023 and has remained central in later changes. The file picked up package-name handling, permissions, intent flags, web method changes, rejected permission checks, content resolver guidance and return-field fixes.

In 2025 and 2026, the file was sharpened around how to initiate a connection, how to use get_public_key with content resolver and how to simplify the spec. This history is useful because Android signing is not abstract protocol theory. It is Android platform behavior, user prompts and permission storage.

A NIP-55 page needs to therefore be practical. The standard succeeds only if clients and signers make the approval surface understandable.

First visible addition2023-11 by greenart7c3Recent simplificationPR #2363 in 2026Open Git history

Amber proves the signer idea in daily Android use

Amber's project page and repository describe it as a Nostr event signer for Android, supporting NIP-55 and NIP-46 style signing. It is important because it turns the NIP into something a user can install and a client can call.

A client implementing NIP-55 needs to detect a signer through the nostrsigner scheme, request only the permissions it needs, keep the returned package name, and distinguish rejected, missing and approved permissions. A signer needs to show the event kind, app identity and requested method before asking for approval.

The dangerous anti-pattern is a client that treats the signer as an invisible signing daemon. The whole point is that the user can understand and control signing.

IntentsVisible approval flow for Android clients.
Content resolverBackground replies only for remembered permissions.
WebBrowser-facing flow with callback or clipboard caveats.
Permission scopeMethod and event-kind restrictions matter.

Local signing can still be confusing

A local signer reduces key exposure, but it can still train users to approve blindly. Poor prompts, unclear package names or remembered permissions that are too broad weaken the benefit.

Web flows carry extra risk because callback and clipboard paths can leak or confuse results. The NIP includes warnings because the Android platform gives options, not automatic safety.

Read NIP-55 in the wild

NIP-55 brings Android into the signer story. It lets Android apps request signing from a dedicated signer application instead of embedding the private key everywhere.

The trust boundary is app-to-app communication. You need to see which app asks, what it asks to sign and which signer responds. A mobile permission prompt is not enough if the event itself is opaque.

What changes when you actually use it

For you, NIP-55: Android Signer Application is felt when identity stops being a username and becomes authority. A client, signer, name, proof or auth event may look like account plumbing, but it decides who can publish, approve, connect, recover or be recognized. Read NIP-46 beside it so you can tell the difference between a convenient identity surface and the key material that actually controls the account.

What changes for builders and operators

For builders, NIP-55: Android Signer Application means making authority visible before action. A signer prompt, name proof, delegation, encrypted key, external identity or HTTP auth event needs plain language around scope, expiry, destination and recovery. If a person has to guess what they are authorizing, the protocol has already lost the trust battle.

What the official file makes concrete

The official file is organized around Rationale, Terminology, Communication methods, Setup, Initiating a connection, Methods, Using Intents, Using Content Resolver. Inspect kind 1, draft, com.example.signer, nostrsigner, AndroidManifest.xml, user-pubkey, package name, type because these are the pieces most likely to surface as product behavior. Read it beside NIP-46 before treating it as isolated.

NIP-55: Android Signer Application is an authority path, not decoration. A name, key, signer, delegation or auth event decides who can act as you.

Where it breaks

The failure mode in NIP-55: Android Signer Application is authority drift. A name resolves to an old key, a signer approves too broadly, an auth event gets replayed, a delegation lasts too long or a private key backup gives false comfort. The product has to keep control boundaries visible after onboarding, not only during setup.

Where this appears outside the markdown

In the ecosystem, NIP-55: Android Signer Application usually appears at the doorway: account setup, profile recognition, signer approval, cross-platform proof, remote signing, HTTP auth or recovery. That doorway needs unusually clear language because identity mistakes are sticky. Once a key, signer or proof is trusted in the wrong place, every later feature inherits the confusion.

The nearby-standard trap

The nearby-standard trap in NIP-55: Android Signer Application is confusing recognition with control. A name, signer, URI, encrypted key, delegation or auth signature may all sit near identity, but they answer different questions. Read NIP-46 and ask one thing each time: who can act, who can verify, and what can be revoked?

Language that keeps the feature honest

Good product copy for NIP-55: Android Signer Application names the authority. It says whether you are sharing a public key, approving a signature, trusting a domain, exporting an encrypted secret, delegating power or authenticating to a service. Small labels matter because identity mistakes do not feel small after they happen.

What this page does not promise

NIP-55: Android Signer Application does not make identity effortless or risk-free. It can help keys, names, signers, delegation or authentication become portable, but it cannot decide who you trust, how you back up secrets or whether a domain, app or signer deserves authority. Read NIP-46 as a control map before handing any interface the power to sign, verify or speak for you.

Read it as a field test

Start NIP-55: Android Signer Application with the moment of authority: signing, naming, delegation, authentication, encryption or recovery. Then ask which key or service can act. The source terms kind 1, draft, com.example.signer, nostrsigner, AndroidManifest.xml, user-pubkey are useful because they turn vague identity language into concrete control points. Without that, a friendly login screen can hide the most important security decision.

Where the standard earns trust

The source links give you places to test the interpretation in public: Amber GitHub repository, OpenSats Amber page, Amethyst GitHub repository, Android intents documentation. Use those links to move from the spec to live libraries, mirrors, pull requests, guides or products.

Official NIP-55 source is the anchor for exact wording, and NIP-55 commit history shows how that wording moved over time. The strongest secondary clues here are Amber GitHub repository, OpenSats Amber page, Amethyst GitHub repository. Treat this evidence chain as part of the article, not as footnotes. A NIP page becomes useful when you can move from claim to source to working behavior without guessing.

Keep the chain visible for NIP-55: Android Signer Application: first the human promise, then kind 1, draft, com.example.signer, nostrsigner, AndroidManifest.xml, user-pubkey, then the implementation record, then the real-world failure case. That order keeps NIP-55 useful without turning it into marketing copy or protocol trivia.

Three questions to carry forward

  • Who gains authority when this NIP is used: your key, a signer, a domain, a delegated key, a wallet or a web service?
  • Can you revoke, rotate, back up or inspect that authority before something goes wrong?
  • Does the interface separate public recognition from private signing power in language you can act on?

What to verify before you rely on it

  • Find kind 1, draft, com.example.signer, nostrsigner, AndroidManifest.xml in the official file and check where the UI exposes the same concept.
  • Read NIP-46 as context before treating NIP-55 as a complete product story.
  • Open at least one implementation, mirror, pull request or library source from the source links before trusting that the idea is mature.
  • Test the unhappy path: missing relays, stale metadata, invalid signatures, blocked events, expired state, revoked permissions or unavailable media.
  • Write the user-facing copy in plain language. If a standard changes authority, privacy, money, moderation or recovery, say that before the click.

Direct sources

Use these sources for NIP-55: Android Signer Application in that order: Official NIP-55 source for the current wording; NIP-55 commit history for the change record; Amber GitHub repository, OpenSats Amber page, Amethyst GitHub repository for public context. The article gives you the consequence in plain language, but the source trail is where exact fields, status notes, unresolved debates and implementation proof stay checkable.

Back to the NIP hub
NIPs route visual cue 1
NIPs route visual cue 2
NIPs route visual cue 3
NIPs route visual cue 4
NIPs route visual cue 5