Oddbean

Tricky… I am not sure if using a nostr key instead of a session token is a good idea, as it would need to be inherently less secure. A session token can be a http only cookie, while a nostr key would need to be accessible to JavaScript in order to be useful, making it vulnerable to XSS. If this leads to the conclusion that a session token shall be used, then a NIP doesn’t make sense either, as it’s not really a nostr centric thing anymore.