Authentication & Identity Basics

How users sign in, how identity is managed, and what admins can configure.

Authentication & identity: the short version

pleb.school supports multiple sign-in paths so you can serve both Nostr-native users and newcomers. Every account, whichever path created it, is backed by a Nostr keypair and can interact with Nostr.

Nostr-first login (NIP-07)

  • Users sign in with a NIP-07 browser extension
  • Authentication to the API uses NIP-98 HTTP Auth: a signed event of kind 27235 carried in the Authorization header
  • The platform never sees the private key; signing happens inside the extension
  • Nostr profile data is the source of truth

OAuth-first login (email or GitHub)

  • Email uses magic links; GitHub uses OAuth
  • The platform creates a Nostr keypair for protocol access
  • Private keys are encrypted at rest with PRIVKEY_ENCRYPTION_KEY; for these accounts the platform, not the user, holds the key material
  • The platform profile is authoritative unless a Nostr account is linked

Anonymous access

  • Users can try the app with a server-generated keypair
  • A reconnect token keeps the session across browser restarts
  • Rate limits protect against abuse

Account linking and profile priority

  • Users can link Nostr, GitHub, and email into one account
  • Linking Nostr upgrades the account to Nostr-first
  • Profile fields show source badges so users understand what is authoritative

Admin controls

Authentication providers are configured in config/auth.json:

  • Enable or disable Nostr, email, GitHub, anonymous
  • Customize sign-in copy and icons
  • GitHub requires GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET

This flexible identity model reduces onboarding friction for newcomers while preserving self-custody for users who sign in with their own NIP-07 keys. Keys generated for OAuth-first and anonymous accounts are held by the platform, encrypted at rest, so those users get protocol access but not self-custody until they link a Nostr account.
