Every login requires a server-issued challenge that is:
Single-use
Short-lived (about 2 minutes)
Bound to this domain
Verified against signed event time
Safety Notes
Never paste private key material (nsec) into any
form.
Sign only events that include this site domain/origin and expected
action tags.
Use the challenge expiry as a hard limit.
Device Approval (Delegation)
You can choose:
One-time login: no delegated device key.
Approve this device for N days: creates a local
session keypair (P_sess/S_sess) in your browser, default 30
days (range 1-90).
Delegation is signed by your account key (P_user) and
includes domain + expiry.
During the delegation window, the browser can authenticate with
S_sess without repeated prompts.
If you enable Require direct signer approval for sensitive
actions, delegated sessions are not accepted for mutating admin
actions, and a direct signer flow is required.
Logout and Revocation
Logout clears local session key material and
invalidates the server session.
Log out everywhere requires a fresh signature from
P_user and revokes all active device delegations.