I find temporary keys more confusing. I think in case the extension couldn’t be found (or getPublicKey() fails), it should tell the user: “Please approve the encryption key on your bunker app: npub1…”. Also, unrelated, it would be nice if nsec.app could temporarily pause permissions to an app without deleting it completely, and if the oauth-like popup specified in bold text: “Please enter the passphrase only if you trust this device to keep a copy of your main key!”.
Yes, it's all very confusing; we already have a dozen ways to log in on nostr and no good terminology or conventions. Instead of temp keys we could say "Connect" and "Connect as username-from-extension" if it's present.
Another option is to implement the bunker connection in the extension. The website will simply use the NIP07 API (simple “login with extension”), and the extension will convert the operations to requests to the bunker! When nsec.app extension?
That could work too, but nsec.app was specifically created to have a pure web-based solution without an extension, so we don't have that on the roadmap atm.
They will work together. You have nsec.app on your phone and an extension on your laptop’s browser. The extension generates a key for the communication with the bunker, and you approve it once on your phone. The websites that you browse don’t need to even know that you are using a bunker. They will simply use NIP07.
I understand, but our primary use case for nsec.app is to onboard people on the web (on nostr sites) into a web-based key storage, without asking for an extension install, so we're focusing on that part. If someone adds nip46 to an extension, I'm totally fine with that; it's just not our focus.
Could you please elaborate on your second point? You can already delete app perms without deleting the app connections to trigger the popup on any further action. And maybe you are right, we should inform the user that if they log in to nsec.app on some device then their main key will be downloaded and stored here. We could also include an option to auto-logout (delete key from device) after a while.