This guide walks you through setting up Nostr following best practices. It covers all the basics: keys, signers, clients, relays, and how to send and receive your first zap. By the end, you will have a working Nostr account. If you need context on what Nostr is and why it matters right now, start with this overview first.
I have no ads and no sponsors. None of the companies or developers I mention below funded this work. I actually use all of these tools, products, and services and enjoy them. Value for value if this was helpful.
Nostr Keys
Your Nostr identity is made up of two keys that are necessary to interact with the protocol:
- Npub is your Nostr public key. It is a string of numbers and letters you can share with others so they can find you.
- Nsec is your Nostr secret key. This is private. It is your master credential to access your identity. Whoever holds this key controls your account, your follows, your posts, everything. It should never be shared.
While having a keypair is great for censorship resistance, it is also where the risk lies and why protecting your private key matters so much.
Nostr Signers
There are two ways to obtain both of your keys. You can use a client app to generate your private key, or you can generate it inside a dedicated signer app.
- Clients are applications that allow you to interact with the Nostr protocol, kind of like Facebook, Instagram, or YouTube but for Nostr.
- A signer is an app or tool dedicated to storing your private key and approving signature requests. When you interact with the Nostr protocol, you are always asked to give an app permission to use your private key to sign events on your behalf. This proves those events came from you without anyone else being able to impersonate you.
The best practice is to generate your keys inside a signer app with open source code. The app is specifically dedicated to protecting your key. If you generate your keys inside the signer, they are born in the most restricted environment possible and never need to go anywhere else.
Creating Your Key Pair
This part of the tutorial walks you through how to obtain your key pair on desktop and on mobile, more specifically Android. We are going to follow best privacy and security practices, taking known Nostr attack vectors into account.
On Desktop
Start by using a VPN. A Virtual Private Network encrypts your internet connection and routes it through a secure server, hiding your real location and IP address from websites and internet service providers. Use a privacy-focused VPN. The two best options are Mullvad and IVPN. Neither asks for your personal information, both accept Bitcoin over Lightning, and both have a strong reputation in the privacy and security space. If you do not have the budget for a VPN right now, you can use the Tor Browser instead.
Nostr is not private by default.
You can read the Nostr attack vectors article on this site for a full breakdown of known vulnerabilities. This guide implements the best practices; that article explains the reasoning behind them.
Before generating your key pair:
- Make sure your browser and computer are up to date
- Make sure your computer has a strong password
- Use a separate browser like Brave, or a dedicated Chrome profile, to isolate Nostr from your personal and work browsing
- Make sure no screenshot software or AI tools are active on your computer, such as Windows Recall
Once you are ready:
- Search for Nos2x and install the Chrome extension. This signer is fully open source and was created by fiatjaf, the creator of the Nostr protocol itself.
- Once installed, pin it and click Start Here.
- Click Generate.
- Click Save.
- Click Show Key and write it down.
Just like your Bitcoin seed phrase, keep this offline, away from internet-connected devices. Do not store it in the cloud, do not take screenshots, do not keep it in an email or messaging app. Write it down and store it somewhere safe.
If you prefer, you can restart the process and generate an encrypted version (ncryptsec), which means your key will be protected by a password so that even if someone finds it, they cannot use it without knowing that password. However, ncryptsec is not supported everywhere yet and some clients will only accept a regular unencrypted nsec. For this guide, the standard nsec is used since it is widely recognised today.
On Android
These instructions follow today’s best practices. If you have a GrapheneOS phone, you can use separate profiles to keep everything segmented and isolated. If you have a standard Android phone, the instructions below include Google-based alternatives at each step.
- Download Orbot, which runs a device-wide VPN over Tor. If you already have Mullvad or IVPN active on your device, skip this step.
- Download Zap Store from GitHub. Download the latest APK and copy the SHA-256 hash.
- Verify the APK before installing it. This step confirms the file you downloaded from the Zap Store GitHub repository is authentic and has not been tampered with.
- On GrapheneOS: Install Accrescent from the default GrapheneOS app store, then install App Verifier from Accrescent. Open App Verifier, click Verify APK File, select the Zap Store APK, then click Verify from Clipboard to check the SHA-256 hash you copied. A success message means the APK is authentic.
- On a Google phone: You will need to verify the APK using a computer. A tutorial for that process is linked here. Verifying the APK is not mandatory, but it is a best practice to confirm you are installing a non-malicious app.
- Install Zap Store from the folder where you downloaded it.
- Install Amber from the Zap Store you just installed.
Once you are in the Amber app:
- Open Amber and select Generate New Key
- Add your profile name
- Click Approve Basic Actions
- Activate Orbot setup if you are using the device-wide VPN
- Click Finish
- Click Back Up
From here you have several backup options. If you are not on GrapheneOS, avoid clicking Copy to Clipboard due to keyboard vulnerabilities on non-GrapheneOS phones. You can also view your seed words. If you are on a standard Android phone, make sure no AI tools or screen capture software is running at this point. Cloud backup is not recommended. Choose the option that works best for your situation, but back up your private key properly.
There is no password reset on Nostr. There is no support team, no recovery emails. If you lose your private key, that identity is gone permanently.
Clients
Clients are the user interfaces that allow you to interact with the Nostr protocol. The protocol itself has no feed, no search bar, no visual layer. The client provides all of that.
- For desktop: Primal and Nostria are both good options. Primal is the better recommendation for beginners coming from traditional social media, especially Twitter. Nostria suits more technical users or those who want additional features.
- For Android: Primal and Amethyst are both solid. Amethyst has Tor support and direct integration with Amber but is less polished visually. Primal has an excellent integrated wallet on mobile and has made strong progress recently. Both are covered below.
Not all clients support connecting to an external signer. Some still require you to paste your private key directly to log in. Any client that requires you to paste your nsec is not recommended. This is a security and privacy vulnerability.
Using Clients on Desktop
In your browser with Nos2x installed:
- Go to Primal.net
- Click Get Started, then Advanced Login Options
- Click Login Now
At this point, Nos2x will pop up. From here forward, whenever any Nostr app needs to sign something on desktop, it sends a request to Nos2x. Nos2x shows you what it is signing, you approve it, and the signed result goes back to the app. Your private key never leaves Nos2x. That is what a signer does. It is the only app that ever sees your nsec, and it acts as gatekeeper for everything else.
Once signed in, click your profile image at the bottom left. This is where you will find your active npub, the public key you can share with others.
Using Clients on Android
- Download Amethyst from Zap Store or Google Play
- Open the app and adjust the Tor settings if you want
- Leave the nsec field empty. You do not need to paste your npub either. Click I Accept the Terms of Use
- Click Login with Amber
- Select Approve Basic Actions for now. Do not click “I fully trust” for any application.
- Click Connect, then for the auto-sign prompt select Never. Click Accept.
You are in.
For iOS coverage and a much more in-depth multi-client tutorial based on three years of experience using Nostr, there is a community-funded video project available at daniella.io/build. It covers multiple clients in depth and can be tailored based on what the community needs, including iOS. Zap the project to fund it and scroll down to let me know exactly what you need.
Setting Up Your Profile
On Desktop
- From Primal.net, click your profile photo in the bottom left corner
- Click Edit Profile
- At minimum: add your name or pseudonym, a photo, and a short bio
If you have your own website, hosting your own profile images is a best practice. Upload your profile picture and banner to your website backend and paste the image URLs into your profile under “More.” That way you have full control over those images. This is optional for new users.
The same goes for NIP-05 verification. This is a badge on your account showing it is verified under a domain name you control. It is not like Twitter’s blue check. It is a way of proving that your account is connected to something external that only you control, such as your own domain name. If your account were ever compromised, you could detach your domain from it immediately, delegitimising the compromised account. Implementing NIP-05 on your own is fairly advanced. It is covered in the community-funded Nostr video.
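The check a client performs for a NIP-05 badge is small enough to show in full. This is an added example, not code from the guide or from any client; it runs offline against a constructed nostr.json document, and the name "alice", the domain "example.com", the relay URL and the placeholder public key are all made up.

```python
# Added example (not from the guide): the NIP-05 lookup and comparison a client performs,
# run against a constructed nostr.json instead of a live HTTPS fetch.
import json
import re

OWNER_PUBKEY = "ab" * 32  # placeholder hex public key, not a real account

# Constructed nostr.json as it would sit at https://example.com/.well-known/nostr.json
NOSTR_JSON = json.dumps({
    "names": {"alice": OWNER_PUBKEY},
    "relays": {OWNER_PUBKEY: ["wss://relay.example.com"]},  # optional hint for clients
})

def nip05_lookup_url(identifier):
    """Clients fetch https://<domain>/.well-known/nostr.json?name=<local-part>."""
    local, _, domain = identifier.lower().partition("@")
    return f"https://{domain}/.well-known/nostr.json?name={local}"

def nip05_verifies(identifier, pubkey_hex, nostr_json_text):
    """True only if the domain's file maps <local-part> to exactly this hex pubkey."""
    local, _, domain = identifier.lower().partition("@")
    # NIP-05 restricts the local part to a-z0-9-_. and treats it case-insensitively
    if not domain or not re.fullmatch(r"[a-z0-9._-]+", local):
        return False
    names = json.loads(nostr_json_text).get("names", {})
    return names.get(local, "").lower() == pubkey_hex.lower()

def detach_name(nostr_json_text, local):
    """Revoking the badge after a compromise: drop the name from the file and republish it."""
    doc = json.loads(nostr_json_text)
    doc.get("names", {}).pop(local.lower(), None)
    return json.dumps(doc)
```

The domain owner controls the file, so removing the entry is all it takes to detach the domain from a compromised account; every client re-running the check then sees the badge fail.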
On Android
- Click the top-left image to open your profile
- Click Profile in the menu
- Click the pencil/writing button
- Add your display name, username, bio, profile picture, banner image, and more
Understanding Clients, Events, and NIPs
Because your key pair is your identity, you can have multiple clients connected to the same Nostr identity at the same time. Most Nostr users use more than one client regularly, because different clients support different events.
- Every piece of content on Nostr is called an event. Every post, like, zap, and profile update is an event. The kind number associated with each event tells every app what type of content it is and how to handle it.
- NIP stands for Nostr Implementation Possibilities and refers to the agreed standards that make Nostr work across every app. NIPs are the rules, events are the activities that follow those rules, and the kind number is the label on each event that tells every app which rule applies.
For example: Primal supports NIP-88 and kind 1018, which means you can run polls on Primal. Nostria does not support them. If you are using Nostria and someone posts a poll, you will not be able to see it. On the other hand, Nostria supports features that Primal does not. Every client decides independently which NIPs and event kinds to implement.
There are two beginner-friendly reference articles on this site covering the most important NIPs and event kinds for non-technical users in the links above. If you are ever signing an event and want to verify what it is, those articles are the reference.
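What a signer such as Nos2x or Amber is actually handed, and what makes the kind number matter, is easier to see in code. This added example (not from the guide or from either signer) builds an unsigned NIP-01 event, computes its id the way every client and relay does, and shows the check a signer prompt can make before you approve; the Schnorr signature over that id needs a secp256k1 library and is left out, and the public key and timestamp are placeholders.

```python
# Added example (not from the guide): NIP-01 event id computation and the checks a
# signer or relay makes on an event before trusting it. Pubkey and timestamp are placeholders.
import hashlib
import json

# Kinds the guide mentions, so a signing prompt can be read at a glance.
KIND_NAMES = {0: "profile metadata", 1: "text note (post)", 7: "reaction (like)",
              9734: "zap request", 9735: "zap receipt", 1018: "poll response (NIP-88)"}
SAMPLE_PUBKEY = "ab" * 32  # placeholder hex public key, not a real account

def event_id(pubkey, created_at, kind, tags, content):
    """NIP-01: id = sha256 of the compact JSON array [0, pubkey, created_at, kind, tags, content].
    No whitespace, and non-ASCII stays as UTF-8 rather than being \\u-escaped."""
    payload = json.dumps([0, pubkey, created_at, kind, tags, content],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_unsigned(kind, content, tags=(), created_at=1700000000, pubkey=SAMPLE_PUBKEY):
    """What a client hands to the signer: every field except `sig`."""
    ev = {"pubkey": pubkey, "created_at": created_at, "kind": kind,
          "tags": [list(t) for t in tags], "content": content}
    ev["id"] = event_id(pubkey, created_at, kind, ev["tags"], content)
    return ev

def id_is_consistent(ev):
    """Recompute the id; a mismatch means some field changed after the id was computed."""
    return ev["id"] == event_id(ev["pubkey"], ev["created_at"], ev["kind"],
                                ev["tags"], ev["content"])

def describe_signing_request(ev):
    """The one-line summary a signer prompt should show before you click approve."""
    label = KIND_NAMES.get(ev["kind"], "unknown kind")
    return f"kind {ev['kind']} ({label}), {len(ev['content'])} chars, id {ev['id'][:8]}..."
```

The same content with a different kind produces a different id, which is why a signer must show the kind: approving "a post" and approving "a profile update" are not the same request.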
Relays
Relays are the independent servers that store and distribute Nostr content. They are run by individual operators around the world. When you publish a post, it goes to the relays your client is connected to. When someone wants to read your posts, their client fetches them from those relays.
Because there is no central server, there is no single point of failure. If one relay goes offline, your content still exists on the others, provided your client was connected to multiple relays when you published. Using multiple relays means your content is not lost if one goes down, and no single relay can censor you.
As a beginner, you do not need to manage relays manually. Every client comes with a default set that will get you started. Over time, you will want to refine them. For example, you may not see content from people you do not share relays with. A practical starting point: find a few accounts you trust and look at which relays they use. Just keep in mind that some relays are paid, and copying someone else’s list does not automatically give you the benefits of their paid relays.
Configuring Relays on Desktop
In Primal:
- Go to Settings
- Click Network
- Add your relays
Setting Up a Local Relay on Android with Citrine
On Android you can actually host your own relay directly on your phone.
- Go to Zap Store and search for Citrine. Click Install and Trust, then Install.
- Open Citrine. It will ask you to select a backup folder. Create a folder called “NOSTR” and select it.
- Click Download Your Events, then Login with External Signer. An Amber overlay will appear. Click Approve Basic Actions. Your npub will be entered automatically.
- Click Fetch Events. Citrine will download all events associated with your account: posts, messages, etc.
- Once done, go to Settings and click Accept Events Signed By. Enter your npub here. You can get your npub from Amber by clicking the profile icon in the bottom right and copying it. This ensures only you can write to your relay.
- Click Apply Changes.
- Whenever you want a backup, click Export Database and save it to your NOSTR folder.
Once Citrine is set up, copy your host and write down your port. Then:
- Open Amethyst
- Click your profile in the top left
- Scroll down and click Relays
- Scroll down and click Add a Relay under Local Relays
- Enter your relay in this format:
ws://[host]:[port]
You have now set up your own local Nostr relay on your phone.
For how to host your own relay from a Bitcoin node and become fully sovereign on Nostr, that is covered in the community-funded video at daniella.io/build. I think GrapheneOS is the most privacy and security-focused phone operating system available right now. There is also a community-funded video on setting it up and everything learned over a year and a half of daily use, also on the build page.
Building Your Feed
Your feed will be empty when you first log in. Nostr has no algorithm choosing content for you. Here is a quick way to make your feed interesting while you get started:
- Follow individual accounts you are actually interested in. Start by searching for people you already want to hear from.
- Search by interest. Go to the search bar and search for a topic, such as gardening. Find a few accounts related to your personal interests and follow them.
- Follow groups using follow packs. Most clients have integrated follow packs, which are curated groups of accounts that generally talk about specific things: health and fitness, journalism, off-grid living, languages, and more. Follow packs with interests similar to yours.
I will make a more in-depth tutorial article and video about this in a few weeks.
Zaps
A zap is a small Bitcoin payment sent over the Lightning network, attached to a post or a profile. Instead of just liking a post, you can zap it and show real appreciation. To send and receive zaps, you need a Lightning wallet with a Lightning address, and that address needs to be connected to your Nostr profile.
Zaps on Desktop
Coinos is the recommended option for desktop.
Once you have your Coinos account:
- Go to the Nostr settings in your Coinos profile and generate a secret key
- Copy that secret key
- In Primal, go to Settings > Connected Wallets
- Select Nostr Wallet Connect, click Connect, and paste your secret key
This connects your Coinos wallet to the desktop version of your Nostr account.
Zaps on Mobile
The Primal app has a built-in wallet on mobile. It is self-custodial, meaning you hold your own seed words and need to protect them just like your nsec. Write down your seed words and keep them somewhere safe. This step is not optional if you do not want to lose your funds.
Note: the desktop and mobile versions of Primal are not connected to each other. If you are using Primal in the browser, you will need Coinos or another Nostr Wallet Connect solution, as shown above.
Zaps in Amethyst
- Go to Wallet in Amethyst
- Click Add NWC Connection
- From your Coinos account, create a new secret key and paste it here
If this guide was useful zap me at daniella.io/v4v. You can also follow me on Nostr; my active npub is on my about page.