There is a list for that.
It's not a mega vulnerability, but it's a vulnerability caused by the fact that blossom auth doesn't allow to scope the token to a particular audience.
Nostr Web Tokens allow that, and are indeed very simple, as they are inspired by JSON Web Token which are commonly used for these type of things.
The new blossom Auth spec (BUD-11) will just add the server tag, which is fine and fixes it. In my own framework I'll just support both.
pip / Pip the WoT guy
npub176…7vgup
2026-02-05 13:08:33 UTC
in reply to nevent1q…0drf
Author Public Key
npub176p7sup477k5738qhxx0hk2n0cty2k5je5uvalzvkvwmw4tltmeqw7vgupPublished at
2026-02-05 13:08:33 UTCEvent JSON
{
"id": "e0de9861dadfb1785c3db766774a89381d888ed523327e82fed07bcd6bcd41c3",
"pubkey": "f683e87035f7ad4f44e0b98cfbd9537e16455a92cd38cefc4cb31db7557f5ef2",
"created_at": 1770296913,
"kind": 1,
"tags": [
[
"p",
"266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5"
],
[
"p",
"97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322"
],
[
"p",
"f683e87035f7ad4f44e0b98cfbd9537e16455a92cd38cefc4cb31db7557f5ef2"
],
[
"p",
"4c800257a588a82849d049817c2bdaad984b25a45ad9f6dad66e47d3b47e3b2f",
"wss://relay.primal.net"
],
[
"p",
"97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322",
"wss://nos.lol"
],
[
"e",
"09ea82f5a89af850696eaac300285e6395853f87aead95bbe095187767cbcf1a",
"wss://relay.primal.net",
"reply",
"4c800257a588a82849d049817c2bdaad984b25a45ad9f6dad66e47d3b47e3b2f"
],
[
"e",
"55de1c4e6e053a2f87f040953988d41ca87835f1030cfe8ae45a3afc5c6ee753",
"wss://nos.lol",
"root",
"97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322"
]
],
"content": "There is a list for that.\nIt's not a mega vulnerability, but it's a vulnerability caused by the fact that blossom auth doesn't allow to scope the token to a particular audience.\n\nNostr Web Tokens allow that, and are indeed very simple, as they are inspired by JSON Web Token which are commonly used for these type of things.\n\nThe new blossom Auth spec (BUD-11) will just add the server tag, which is fine and fixes it. In my own framework I'll just support both. \n\n",
"sig": "211ae47f181fdc2c9306575b1bd9b8b72d73439a0de75a7816a11550d74b6294bdb5dc2edd726632056dea2906445d588d6654da633f8c9682da2505fe8b7db2"
}