Wallet Security, Recovery and Small Permissions
Wallet safety in Nostr is not one password tip. It is the habit of keeping keys, budgets, relays, mints, backups and app permissions small enough that mistakes stay survivable.
The safest wallet is the one you understand under stress
Wallet security advice often sounds like a lecture. Use strong backups. Do not paste secrets. Verify addresses. Update software. All true, all easy to ignore. Nostr adds a reason to make the advice concrete: wallets are no longer isolated apps. They can connect to social clients, live rooms, commerce pages, creator tools, games and remote services.
That makes permissions more important than slogans. You may not be giving an app your whole wallet, but you may be giving it the right to spend within a budget. You may not be publishing wallet state in plain text, but you may be storing encrypted events on relays. You may not be trusting a bank, but you may be trusting a mint, wallet service or node operator.
The practical rule is boring and powerful: keep the blast radius small.
Use small balances while learning
The first wallet you connect to a new app should not hold meaningful money. Test with small amounts. Send a zap. Receive a zap. Create an invoice. Revoke the connection. Restore the wallet or reconnect it somewhere else. Only then decide whether the product deserves more trust.
This is not because every wallet is suspicious. It is because wallet UX is still young. NWC, Cashu, zaps and Nostr clients are improving quickly, and quick-moving software is exactly where small experiments beat heroic confidence.
Backups are part of the product
A wallet that cannot explain backup is not finished. For a node-connected Lightning wallet, the backup story may involve seed material, channel state, static channel backups, node access and database backups. For a hosted wallet, it may involve account recovery and operator policy. For Cashu, it may involve token proofs, wallet state and mint availability. For NWC, it may involve revoking connection strings rather than recovering them.
Write the recovery path down before you need it. If the product cannot tell you how to recover or exit, keep the balance tiny.
NWC permissions should be disposable
A NWC connection is not meant to become a lifelong secret. Create it for a job, budget it for that job, expire it if possible and revoke it when the job ends. A social client that sends zaps needs a different allowance from a merchant tool that creates invoices. A game needs a tiny budget. A back office integration needs auditability.
If a wallet UI does not show app connections clearly, you are operating partly blind. Good wallet services show connection names, budgets, renewal periods, last activity and revoke controls. That is not extra polish. That is the security interface.
Cashu safety is mint safety plus token safety
With Cashu, the word custody changes shape. You hold bearer tokens, but the mint is still the issuer and redeemer. You need to trust the mint enough for the amount and use case. You also need to protect token proofs and wallet state. If those disappear, the cash-like UX becomes cash-like loss.
Use trusted mints for meaningful amounts, diversify carefully only when you understand the consequences, and treat experimental mints as experimental. Privacy benefits do not cancel operational risk.
Receipts are not accounting by themselves
Zap receipts, NWC transaction lists, wallet histories and Cashu token records each answer different questions. A creator or merchant may need more than one layer: social receipt, wallet record, invoice, settlement state, refund policy and tax record.
This is especially important for Crays-style creator sales and awards. A fun visible signal can start the flow, but any serious sale needs a product record behind it.
A simple safe routine
Use one wallet for experiments and another for meaningful balances. Keep app connections scoped. Review them monthly. Use small budgets for social apps. Keep recovery notes offline. Avoid pasting secrets into websites. Prefer signers and connection flows that keep main keys away from random pages. When a wallet feels unclear, do not fund it yet.
Security becomes humane when it becomes a routine instead of a panic.
Sources worth opening
Open these when you want the specification, product documentation or implementation trail behind the article.
- NIP-47: Nostr Wallet Connect
- Nostr Wallet Connect
- Alby Hub app connections
- Alby SDK
- ZEUS documentation
- LNbits documentation
- Cashu
- Cashu documentation
- Cashu NUTs
