A lightweight NIP-46 relay for Nostr remote signing. Use it with self-hosted signers like nsec.app, Signet, or any NIP-46 compatible application.
Based on Bunklay from dezh-tech.
- NIP-46 only - Accepts only kind 24133 and 24135 events
- In-memory by default - Signing messages never touch disk; bounded, self-evicting buffer (default: 10 minutes)
- Memory-aware - Respects a configured
GOMEMLIMIT, or auto-detects the host/cgroup limit and sets one, so it stays within bounds even on a 1 GB box - Timestamp validation - Rejects events outside time window
- Lightweight - Single binary, minimal dependencies
- Optional persistence - Set
STORAGE_BACKEND=badgerfor an embedded on-disk store that survives restarts
go build -o nip46-relay .
./nip46-relayRelay runs on http://localhost:3334 by default.
docker compose up -dCopy .env.example to .env and customize:
cp .env.example .env| Variable | Default | Description |
|---|---|---|
RELAY_NAME |
NIP-46 Relay |
Display name in NIP-11 info |
RELAY_DESCRIPTION |
A NIP-46 remote signing relay |
Relay description |
RELAY_URL |
Public WebSocket URL (e.g., wss://nip46.example.com) |
|
RELAY_PUBKEY |
Operator pubkey (hex format) | |
RELAY_CONTACT |
Contact info | |
RELAY_ICON |
URL to relay icon | |
RELAY_BANNER |
URL to relay banner | |
RELAY_PORT |
:3334 |
Port to listen on |
WORKING_DIR |
./nip46-relay-data |
Data directory (only used when STORAGE_BACKEND=badger) |
KEEP_IN_MINUTES |
10 |
Event retention time |
ACCEPT_WINDOW_IN_MINUTES |
1 |
Timestamp validation window |
RATE_LIMIT_PER_MINUTE |
100 |
Max events per minute per pubkey |
STORAGE_BACKEND |
memory |
memory (ephemeral, no disk) or badger (persists across restarts) |
MAX_MEMORY_MB |
0 |
In-memory store byte budget in MB; 0 auto-detects (~50% of the effective memory limit) |
Install as a system service for auto-start and restart on failure:
# From ~/nip46-relay
cp .env.example .env
nano .env # configure
# Edit service file to match your username/path
nano nip46-relay.service
# Install service
sudo cp nip46-relay.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable nip46-relay
sudo systemctl start nip46-relay
# Check status
sudo systemctl status nip46-relay
sudo journalctl -u nip46-relay -fCreate or edit your Caddyfile:
nip46.example.com {
reverse_proxy localhost:3334
}Reload Caddy:
sudo systemctl reload caddyCaddy automatically provisions TLS certificates and handles WebSocket upgrades.
NIP-46 enables remote signing where a client app requests signatures from a remote signer (like a hardware device or mobile app). This relay acts as the communication channel:
- Client publishes encrypted request (kind 24133) tagged to signer's pubkey
- Relay stores and forwards to signer
- Signer publishes encrypted response tagged to client's pubkey
- Relay stores and forwards to client
All messages are NIP-44 encrypted end-to-end. The relay only sees opaque blobs.