nSealr

Product shape

The practical product is a shared companion plus five signer solutions, not five unrelated experiments. Every shared feature behaves the same across implementations because the contract_id in nSealr/specs defines it once.

nSealr signer architecture Nostr clients send signing requests to the companion, which routes them to one of five signer solutions: Raspberry/Pi stateless QR vault, ESP32 QR vault, ESP32 USB signer, smartcard, or custom persistent-secret hardware wallet. Nostr Client Companion Verifier Raspberry QR Vault ESP32 QR Vault ESP32 USB / NIP-46 Smartcard APDU Custom Wallet

The five signer solutions

A solution is the unit at which feature parity is contracted. See the Signers section for the per-solution capability matrix and live maturity.

  • Raspberry/Pi Stateless QR Vault — air-gapped, RAM-only, SeedSigner-style.
  • ESP32 Stateless QR Vault — air-gapped ESP32-S3 camera + display.
  • ESP32 USB/NIP-46 Signer — daily-use connected signer, real signing gated.
  • JavaCard/NFC Smartcard Signer — display-less APDU custody, external review required.
  • Custom Nostr Hardware Wallet With Persistent Secret — research line for purpose-built hardware.

Companion surfaces

The companion is a single TypeScript monorepo that ships multiple access surfaces over the same secretless platform. Every surface reuses the same validation, transport, and response-verification logic.

SurfacePurpose
nsealr CLIRequest construction, transports, verification, audit export.
npm SDKEmbed the companion in any Nostr client or service.
Browser extensionNIP-07 surface backed by a signer.
Local appDesktop UI for routing and review.
Local serviceBackground daemon for the extension and apps.
NIP-46 bridgeConverts already-decrypted NIP-46 payloads into standard nSealr signing requests.

The companion is never trusted with key custody. It composes requests, moves them over the selected transport, and verifies every successful response against shared fixtures.

Trust boundaries (summary)

LayerTrusted with…Not trusted with…
Clientbuilding requestsprivate keys
Companionrouting & response verificationprivate keys, policy execution
QR vaultRAM-only signingpersistent secret
USB signerpersistent secret (after gates)the universe outside its boundary
Smartcardpersistent secret, APDU signingtrusted event review (display-less)
Custom HWpersistent secret + display review (after gates)claims before evidence

The trust boundaries page and the threat model cover this in depth.

Last updated 2026-05-16