Oddbean new post about | logout
 Amazing! How does login flow look? Is there a special UI for this? 
 When you login with user/bunker-url, it checks if window.nostr is defined and tries to call window.nostr.getPublicKey(). Otherwise it generates a temporary key like in the old behavior. I didn’t test what happens if the extension does not give permission for getPublicKey(), but if it returns undefined then the old behavior should run.

Thanks for the zap 🙏 
 I see, this makes sense as a prototype but I think it deserves a separate ui - temp keys could be "connect with temporary key" and new flow as "connect with extension" or something like that.  
 I find temporary keys more confusing. I think in case the extension couldn’t be found (or getPublicKey() fails), it should tell the user: “Please approve the encryption key on your bunker app: npub1…”.

Also, unrelated, it would be nice if nsec.app could temporarily pause permissions to an app without deleting it completely, and if the oauth-like popup specified in bold text: “Please enter the passphrase only if you trust this device to keep a copy of your main key!”. 
 Yes it's all very confusing, we already have a dozen ways to login on nostr and no good terminology or conventions. Instead of temp keys we could say "Connect" and "Connect as username-from-extension" if it's present. 
 Another option is to implement the bunker connection in the extension. The website will simply use the NIP07 api (simple “login with extension”) - and the extension will convert the operations to requests to the bunker!
When nsec.app extension? 
 That could work too but nsec.app was specifically created to have a pure web based solution without an extension, so we don't have that on the roadmap atm 
 They will work together. You have nsec.app on your phone and an extension on your laptop’s browser. The extension generates a key for the communication with the bunker, and you approve it once on your phone.

The websites that you browse don’t need to even know that you are using a bunker. They will simply use NIP07. 
 I understand, but our primary use case for nsec.app is to onboard people on the web (on nostr sites) into a web-based key storage, without asking for extension install, so we're focusing on that part. If someone adds nip46 to extension I'm totally fine with that, it's just not our focus. 
 Could you please elaborate on your second point. You can already delete app perms without deleting the app connections to trigger the popup on any further action. And maybe you are right, we should inform the user that if they login to nsec.app on some device then their main key will be downloaded and stored here. We could also include an option to auto-logout (delete key from device) after a while.