public key verification, so its something like whitelist by user (pub key) who accessed the bouncer? 

I think I have to read the NIP docs