It involves generation of session keys by the app, and use of those temporary keys to talk to the signer (nsec.app) over some relay.

Bunker url is just a pointer to your npub and a relay over which app can talk to signer. But bunker url can also contain secret that has pre-approved permissions attached to it by the signer. Nsec.app doesn't support that atm.