A modern NIP-46 remote signer for Nostr. Manages multiple keys securely with a web dashboard for administration. This project was originally forked from nsecbunkerd, but has since received an extensive rewrite and now shares very little code with it.
Signet separates the signing back end from the front end, and ships with a web UI. A companion Android app is available on ZapStore. Other platforms are possible and on the roadmap.
git clone https://github.com/Letdown2491/signet
cd signet
pnpm install
# If you plan to run the daemon with the web dashboard
docker compose up --build
# Or if you plan to run the daemon with the Android app
docker compose up --build signet- Daemon + REST API will run on
http://localhost:3000 - Web dashboard will run on
http://localhost:4174. The web dashboard is not required if you plan to manage Signet using the Android app.
The daemon displays your local network IP address on startup. If a single IP is detected, it also shows a QR code you can scan with the Android app for quick setup.
If you prefer to add keys directly through the CLI:
docker compose run --rm signet add --name main-keyUpgrading: Pull the latest changes, rebuild, and restart. Database migrations run automatically on daemon startup.
Build and run the daemon:
cd apps/signet
pnpm run build
pnpm run prisma:migrate
pnpm run lfgFor long-running deployments, use a process supervisor (systemd, PM2, etc.) to ensure automatic restarts on crash. See docs/DEPLOYMENT.md for examples.
Build and run the UI (in a separate terminal):
cd apps/signet-ui
pnpm run build
pnpm run startOr from the monorepo root:
pnpm run build:daemon && pnpm run build:ui
pnpm run start:daemon # terminal 1
pnpm run start:ui # terminal 2The UI server proxies API requests to the daemon, so you only need to expose port 4174. See docs/DEPLOYMENT.md for remote access configuration.
Upgrading: Pull the latest changes, rebuild, and restart. Database migrations run automatically on daemon startup.
Config is auto-generated on first boot at ~/.signet-config/signet.json.
See docs/CONFIGURATION.md for all options.
There are two ways to connect a Nostr app to Signet:
bunker:// (Signet initiates)
- Go to the Keys page and select a key
- Click "Generate bunker URI" to get a one-time connection link
- Paste the bunker URI into your Nostr app's remote signer settings
- The app connects automatically
nostrconnect:// (App initiates)
- In your Nostr app, look for "Connect via remote signer" or similar
- The app displays a nostrconnect:// URI or QR code
- In Signet, click + on the Apps page (or scan QR on Android)
- Paste the nostrconnect:// URI and choose a key and trust level
- Click Connect to complete the handshake
Both methods result in the same secure connection. Use whichever your app supports.
Keys are encrypted with AES-256-GCM (PBKDF2, 600k iterations). API endpoints require JWT auth with CORS and rate limiting. An optional Inactivity Lock (Dead Man's Switch) automatically locks all keys and suspends all apps if not reset within a configurable timeframe. Additional, an optional admin npub can be set to allow sending DM commands (NIP-04/NIP-17) to Signet without access to any UI.
DO NOT run the daemon on a public machine. We recommend private network access only. Tailscale is preferred and documented in docs/DEPLOYMENT.md.
See docs/SECURITY.md for the full security model.
- Configuration Reference - All config options
- Deployment Guide - Tailscale, reverse proxies, etc.
- Security Model - Security architecture and threat model
- Kill Switch Guide - Emergency remote control via Nostr DMs
- API Reference - REST API endpoints
- Android App - Setup and building the mobile app