Nsecs are generated by combining the ActivityPub ID with a secret key and then hashing it. It's technically custodial keys I guess, but they're not stored in a database, just computed at runtime and cached for the duration of the session.