Yeah, the account creation part where you enter the email and username etc. is an in-page modal, but then the password stuff must happen on the popup so the client generating the account can’t see it.
It could be done by getting absolutely everything in the client, but that increases the trust significantly with the client, and you also want the nsecBunker domain to have a cookie to authorize new keys without having to log in. I’d say that would only make sense if the client and nsecBunker provider are the same entity; in that case that would be fine.