macOS: Click the NostrKey icon in Safari's toolbar
iOS: Tap the share button, then tap NostrKey
Visit any Nostr web app
Approve permission requests as they appear
Permission Prompts
Unlike Chrome (which grants extensions access to all sites automatically), Safari asks you to approve each new website individually. When you visit a Nostr app for the first time, Safari will show a prompt with three options:
Allow for One Day — temporary access, expires after 24 hours
Always Allow on This Website — permanent access for this site only
Always Allow on Every Website — permanent access for all sites (recommended)
We recommend "Always Allow on Every Website." This sounds broad, but NostrKey has its own permission system — every time a site tries to read your public key or sign an event, you still get an in-app approval prompt. Safari's setting only controls whether the extension loads on a page; it does not bypass NostrKey's own security.
This is usually caused by Safari's per-site permission setting. Open Safari → Settings → Extensions → NostrKey and set "Allow on" to Always Allow on Every Website.
On iOS: Settings → Safari → Extensions → NostrKey → set to "All Websites".
After changing the setting, reload the page.
Firefox
Planned
Firefox support is on our roadmap. Follow our GitHub repository for updates.
⚙️ Getting Started
First-Time Setup
Click the NostrKey icon in your browser toolbar
Click Settings or Full Settings to open the configuration page
Create a profile — New Local for a local key, or New Bunker for remote signing
Add your key, configure relays, and visit a Nostr web app — you're ready
⚠️ Never Share Your Private Key: NostrKey will never ask for it outside the extension
🖥️ App Settings
These settings apply to the entire extension, across all profiles.
Master Password
Encrypts all your private keys at rest with a single password. Found in Settings → Security.
Set Password — encrypts all existing keys immediately
Change Password — re-encrypts keys with a new password
Remove Password — decrypts keys and stores them as plaintext
There is no password recovery. If you lose your master password, you lose access to your keys. Always keep a backup of your nsec before enabling encryption.
Cross-Device Sync
Toggle in Settings → Sync across devices. When enabled, profile data syncs via your browser account.
Chrome: syncs via your Google account
Safari: syncs via iCloud (Safari 16+)
Sync is best-effort with a 100KB budget — very large vaults may only partially sync
Sensitive data (master password hash, bunker sessions) is never synced
nostr: Protocol Handler
Redirect nostr: links to a web client. Found in Settings → nostr: Links.
Use the njump.me preset, or set a custom URL template
Leave empty to disable
Frame Protection
Toggle Block cross-origin frames in Settings to prevent other sites from embedding pages that could access NostrKey.
Encrypted Vault
Store encrypted markdown documents on Nostr relays via NIP-78. Access from Vault tab → Open Vault.
Requires a master password to be set
Documents are encrypted with your profile's key before publishing to relays
Syncs automatically when relays are configured
API Keys
Store API keys for external services. Access from Vault tab → Manage API Keys.
Requires a master password to be set
Encrypted at rest and optionally synced to relays
Import and export as encrypted JSON backups
Manage Nostr Keys
View, copy, export, and import Nostr account keys. Access from Vault tab → Manage Nostr Keys.
See all profiles with their public keys at a glance
Copy npub or nsec to clipboard
Export a profile as JSON for backup
Import keys from another client by pasting an nsec or JSON
👤 Profile Settings
These settings are specific to each Nostr profile (identity). Switch profiles using the dropdown at the top of Settings.
Keys
Each local profile holds a private key (nsec) and derives a public key (npub).
Paste an existing key — nsec1..., hex, ncryptsec, or BIP39 seed phrase
Generate a new key — a fresh keypair is created automatically for new profiles
Export — as ncryptsec (NIP-49 encrypted), seed phrase (BIP39), QR code, or JSON
Relays
Each profile has its own relay list. Relays are used for vault sync and API key sync, and are suggested to Nostr apps via NIP-07.
Add relays from the recommended list or type a custom wss:// URL
Toggle Read and Write independently for each relay
Remove relays that are no longer responding (see Common Issues)
App Permissions
Control what each web app can do with your key. Permissions are per-app, per-profile.
Ask (default) — prompt every time
Allow — always grant this action for this app
Deny — always block this action for this app
Covers: reading your public key, signing events (by kind), encrypting/decrypting messages (NIP-04, NIP-44), and reading your relay list.
nsecBunker (Remote Signing)
Bunker profiles connect to an external NIP-46 signer. Your private key stays on the bunker server and never touches this browser.
Paste a bunker:// URL to connect
Use Ping to verify the connection
Disconnect to end the session
📋 General
Security Best Practices
Enable Master Password: Encrypt your keys at rest
Backup Your Keys: Export and securely store your nsec
Use Bunker for High Security: Keep keys off your device entirely
Review Permissions Regularly: Check which apps have access
Multiple Profiles
NostrKey supports multiple Nostr identities. Each profile has its own key, relays, and permissions. Switch between them using the profile dropdown in the sidebar or Settings.
Clear Data
Found at the bottom of Settings. This permanently deletes all profiles, keys, and data. Make sure you have backups before using this.
🆘 Common Issues
"Extension cannot access this page"
Some browsers restrict extensions on certain pages (like chrome:// or about: pages). This is normal browser security.
"Failed to connect to relay"
Check your internet connection
Verify the relay URL is correct (must start with wss://)
Try a different relay from the recommended list
Stale relays in existing profiles: Public Nostr relays sometimes go offline permanently. If you see WebSocket errors like ERR_NAME_NOT_RESOLVED or Unexpected response code: 404, a relay in your profile's list has gone down. Go to Settings → Relays and delete any relays that are no longer responding. New profiles ship with an updated relay list, but existing profiles keep whatever relays were configured when they were created.
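The relay checks described above, as an added example that is not NostrKey's own code: it applies the wss:// rule to each entry and marks relays as stale only when a console line shows one of the two errors named above. The function names, relay hostnames and console lines are constructed for illustration.

```javascript
// Added example, not NostrKey code. Relay names and console lines are constructed.
const STALE_PATTERNS = [/ERR_NAME_NOT_RESOLVED/, /Unexpected response code: 404/];
const SAMPLE_RELAYS = ["wss://relay.alive.example", "wss://relay.gone.example/",
  "ws://relay.plain.example", " wss://relay.moved.example "];
const SAMPLE_CONSOLE = [
  "WebSocket connection to 'wss://relay.gone.example/' failed: Error in connection establishment: net::ERR_NAME_NOT_RESOLVED",
  "WebSocket connection to 'wss://relay.moved.example/' failed: Error during WebSocket handshake: Unexpected response code: 404",
  "WebSocket connection to 'wss://relay.alive.example/' failed: WebSocket is closed before the connection is established.",
];

// Canonical form so "wss://host" and "wss://host/" compare equal.
function normalize(u) {
  const url = new URL(u);
  return `${url.protocol}//${url.host}${url.pathname.replace(/\/+$/, "")}`;
}

// Returns a problem description, or null when the entry is a usable wss:// URL.
function checkRelayUrl(entry) {
  let url;
  try { url = new URL(entry.trim()); } catch { return "not a URL"; }
  if (url.protocol !== "wss:") return `scheme is ${url.protocol}// not wss://`;
  return url.hostname ? null : "missing host";
}

// Extracts the relay from a console line, but only for DNS or 404 failures.
function staleRelayFromLog(line) {
  const m = /WebSocket connection to '([^']+)' failed/.exec(line);
  if (!m || !STALE_PATTERNS.some(p => p.test(line))) return null;
  try { return normalize(m[1]); } catch { return null; }
}

function auditRelays(relayList, consoleLines) {
  const stale = new Set(consoleLines.map(staleRelayFromLog).filter(Boolean));
  return relayList.map(entry => {
    const problem = checkRelayUrl(entry);
    if (problem) return { relay: entry, action: "fix", reason: problem };
    if (stale.has(normalize(entry.trim())))
      return { relay: entry, action: "remove", reason: "DNS or 404 failure in console" };
    return { relay: entry, action: "keep", reason: "no stale-relay error seen" };
  });
}
```

A relay that fails for another reason, such as a dropped connection, stays on the list because that failure may be temporary.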
"Invalid key format"
Ensure you're pasting a valid nsec (starts with nsec1) or hex key
Remove any extra spaces or line breaks
For encrypted keys, use the ncryptsec import feature
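An offline pre-check for the key formats listed above, as an added example that is not NostrKey's own validation code: it strips stray whitespace, tells the formats apart, and verifies the bech32 checksum of an nsec so a mistyped character is caught before import. `classifyKey` and its return shape are hypothetical; the sample nsec is the published NIP-19 test vector.

```javascript
// Added example, not NostrKey's own validation code. classifyKey is a hypothetical helper.
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
// NIP-19 specification test vector, not a real user's key.
const SAMPLE_NSEC = "nsec1vl029mgpspedva04g90vltkh6fvh240zqtv9k0t9af8935ke9laqsnlfe5";

// Bech32 checksum polynomial over 5-bit values.
function polymod(values) {
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >>> i) & 1) chk ^= GEN[i];
  }
  return chk;
}

// Payload length in bytes, or -1 on a bad character, checksum or padding.
function bech32PayloadBytes(str, hrp) {
  const words = [...str.slice(hrp.length + 1)].map(ch => CHARSET.indexOf(ch));
  if (words.length < 7 || words.includes(-1)) return -1;
  const codes = [...hrp].map(c => c.charCodeAt(0));
  const expanded = codes.map(c => c >> 5).concat(0, codes.map(c => c & 31));
  if (polymod(expanded.concat(words)) !== 1) return -1;
  const bits = (words.length - 6) * 5, pad = bits % 8;
  const lastWord = words[words.length - 7];
  if (pad >= 5 || (lastWord & ((1 << pad) - 1)) !== 0) return -1;
  return (bits - pad) / 8;
}

function classifyKey(raw) {
  const tokens = raw.trim().split(/\s+/);
  if ([12, 15, 18, 21, 24].includes(tokens.length) && tokens.every(w => /^[a-z]+$/.test(w)))
    return { kind: "seed-phrase", ok: true, note: "BIP39 word count; wordlist and checksum not checked" };
  const key = tokens.join(""); // drop stray spaces and line breaks
  if (/^[0-9a-fA-F]{64}$/.test(key)) return { kind: "hex", ok: true, note: "32-byte hex key" };
  const lower = key.toLowerCase();
  const mixedCase = key !== lower && key !== key.toUpperCase();
  if (lower.startsWith("ncryptsec1"))
    return { kind: "ncryptsec", ok: true, note: "encrypted key: use the ncryptsec import" };
  if (lower.startsWith("npub1"))
    return { kind: "npub", ok: false, note: "public key, not a private key" };
  if (lower.startsWith("nsec1")) {
    if (mixedCase) return { kind: "nsec", ok: false, note: "mixed upper and lower case" };
    return bech32PayloadBytes(lower, "nsec") === 32
      ? { kind: "nsec", ok: true, note: "checksum valid, 32-byte payload" }
      : { kind: "nsec", ok: false, note: "bad character, checksum or length" };
  }
  return { kind: "unknown", ok: false, note: "not nsec1..., 64-char hex, ncryptsec or seed phrase" };
}
```

The check runs locally and makes no network calls, so a key can be inspected without leaving the machine.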
Data not syncing between devices
Ensure "Sync across devices" is enabled in Settings
Chrome syncs via your Google account — sign into the same account on both devices
Safari syncs via iCloud (Safari 16+) — ensure iCloud is enabled
Sync is best-effort with a 100KB budget — very large vaults may only partially sync
Sensitive data (master password hash, bunker sessions) is never synced
For keys you don't want to sync, use nsecBunker for centralized key management
NostrKey is free and open source, built and maintained by vveerrgg at Humanjava Enterprises Inc. No ads, no tracking, no subscription — just a tool that respects your sovereignty.