I once thought the "secret" was a secret and could be relied upon as an authorization token, but I realized that couldn't be it, since most clients only call "connect" once with the secret, so it is de facto a nonce; the NIP should make this explicit. Someone please send a PR editing it.
On the other hand for https://viewsource.win/fiatjaf.com/promenade I didn't use a secret at all, instead the bunker URI has a random pubkey in it that isn't the actual user pubkey, so it can be used and reused as an authorization token, i.e. anyone with the bunker URI can connect. I think this is fine for most cases too.