I generally understand npub , nprofile, and nsec ... but if I'm not supposed to put my nsec into any client apps, how do I sign without putting my nsec into a client app?
The Nostr Getting Started Docs seems confused themselves. On the same page, you'll find these two paragraphs:
To be able to construct the signature, clients will need your private key. Native apps will generally have a place where you can paste your private key when first opening them. From the private key they can derive your public key too.
and then later ...
Should I enter my private key in the client?
Generally, it's better not to enter your private key into any client. Most clients that ask for private keys do their absolute best to keep your key secure but given the nature of software, there are always breaches, exploits, and bugs that could potentially expose your private key.
Remember, your private key is your identity in Nostr, so if it is compromised you'll lose your followers and will have to start from scratch rebuilding your identity.
Most web clients allows you to enter your nsec or use a nip07 signer extension like alby that signs the events for you.
reply
Yes, it’s complicated.
This is my approach:
  • use a browser signing extension (Alby, nos2x, Flamingo) on your desktop for Nostr webapps
  • use Nostore on iOS as a Safari extension for Nostr webapps
I try to use webapps as much as possible (build with open webtechnology). For native apps filling in your ‘nsec’ is the way with the least friction for now.
reply
21 sats \ 1 reply \ @Eobard 5 Feb
deleted by author
reply
Ah yes, indeed! In forgot that one. I still need to test Amber out on my Android device.
reply
you can use the alby extension
but yes if you need to sign then something must have access to your nsec
reply
You should use nos2x extension to sign in or sign the event, for example. There is more alternatives like nsecbunker.
reply