Open Source · Self-hosted · NIP-46

Your Nostr keys belong in a bunker

Stop pasting your private keys into every app. Bunker46 keeps your nsec keys encrypted on your own server and signs remotely via NIP-46. Your keys never leave the bunker, only signatures do.

Get Started Live Demo →
Bunker46 Dashboard

The Problem

Every Nostr app asks for your nsec. Clipboard malware can swap keys instantly. Your attack surface grows with every app you touch. One compromise means total loss of your identity.

The Solution

Your private key stays securely encrypted inside the bunker. Apps connect via NIP-46 and receive only the signatures they need. Full control, zero key exposure.

Enterprise-grade security, self-hosted simplicity

Everything you need to keep your Nostr identity safe, running on your own infrastructure.

Encryption at Rest

Private keys encrypted with AES-256-GCM. Passwords hashed with Argon2. Your nsec is never stored in plaintext.

2FA & WebAuthn

TOTP two-factor authentication and WebAuthn/Passkeys support. Secure your bunker with hardware keys or biometrics.

Fine-grained Permissions

Per-connection method and event kind restrictions. Control exactly what each app is allowed to sign.

Full NIP-46 Support

All RPC methods: sign_event, ping, nip04/nip44 encrypt/decrypt, switch_relays. Both bunker:// and nostrconnect:// URIs.

NIP-44 Encryption

All relay communication encrypted with NIP-44. Auth challenges supported for out-of-band verification.

Docker Deploy

Spin up with Docker Compose in minutes. Non-root containers, PostgreSQL backend, optional Redis for live updates.

See it in action

A clean, modern interface for managing your Nostr keys and connections.

Login Screen

Secure login with 2FA and WebAuthn support

Dashboard

Real-time dashboard with signing activity

Connections

Manage app connections and permissions

Keys Management

Encrypted key storage with bunker:// URIs

How it works

Three steps to secure your Nostr identity. No key exposure, no compromises.

1

Deploy Your Bunker

Clone the repo and run docker compose up. Your bunker is ready in minutes with PostgreSQL, encrypted storage, and a modern Vue 3 dashboard.

2

Import Your Keys

Add your nsec keys through the web interface. They're immediately encrypted with AES-256-GCM. Set up 2FA or WebAuthn for extra protection.

3

Connect Your Apps

Generate a bunker:// or nostrconnect:// URI. Paste it into any NIP-46 compatible client. Your keys never leave the server.

Built with modern tools

A clean, maintainable codebase with security-first defaults.

โšก

Frontend

Vue 3, Vite, Tailwind CSS, shadcn-vue

๐Ÿ—๏ธ

Backend

NestJS 11, Fastify, Prisma ORM

๐Ÿ—„๏ธ

Database

PostgreSQL 17, Redis (optional)

๐Ÿ”

Auth

JWT + Argon2, TOTP, WebAuthn

๐Ÿงช

Testing

Vitest, Playwright, ESLint Security

๐Ÿณ

Infrastructure

Docker, Docker Compose, pnpm

๐Ÿงฉ

Need NIP-07 in your browser?

The Bunker46 browser extension provides window.nostr without storing keys locally. Every signing request is forwarded to your bunker via NIP-46.

Get the Extension →