I've once thought the "secret" was a secret and could be rel...

3bf0c63fcb934634...

npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6

hex

5bbbffa9a98620eba2704f9cb2b55c63f2bb8d92d7dcd47aec8c495a9a5610cf

nevent

nevent1qqs9hwll4x5cvg8t5fcyl89jk4wx8u4m3kfd0hx50tkgcj26nftppncprpmhxue69uhhyetvv9ujuem4d36kwatvw5hx6mm9qgsrhuxx8l9ex335q7he0f09aej04zpazpl0ne2cgukyawd24mayt8gfwwp6e

Kind-1 (TextNote)

2026-01-22T13:47:44Z

↳ 回复 Leo Wandersleb (npub1gm7tuvr9atc6u7q3gevjfeyfyvmrlul4y67k7u7hcxztz67ceexs078rf6)

Where are all the bunker devs? I tried to use zapstore/zsp with Amber but it didn't work because zsp treats the secret of the bunker url as an api key...

I've once thought the "secret" was a secret and could be relied upon as an authorization token, but I realized that couldn't be it since most clients only called "connect" once with the secret, so it is de facto a nonce, the NIP should make this explicit. Someone please send a PR editing it.

On the other hand for https://viewsource.win/fiatjaf.com/promenade I didn't use a secret at all, instead the bunker URI has a random pubkey in it that isn't the actual user pubkey, so it can be used and reused as an authorization token, i.e. anyone with the bunker URI can connect. I think this is fine for most cases too.

原始 JSON

{
  "kind": 1,
  "id": "5bbbffa9a98620eba2704f9cb2b55c63f2bb8d92d7dcd47aec8c495a9a5610cf",
  "pubkey": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d",
  "created_at": 1769089664,
  "tags": [
    [
      "e",
      "66d23bee7a16f0908a49c3d8203276facff781f9baac66d335f2231f24b787f7",
      "wss://search.nos.today/",
      "root",
      "46fcbe3065eaf1ae7811465924e48923363ff3f526bd6f73d7c184b16bd8ce4d"
    ],
    [
      "p",
      "0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd"
    ],
    [
      "p",
      "7579076d9aff0a4cfdefa7e2045f2486c7e5d8bc63bfc6b45397233e1bbfcb19"
    ],
    [
      "p",
      "8c8838bf8f36b861370bebc2acde8d175f2bd91f087dbb445edf7327931dd990"
    ],
    [
      "p",
      "b22b06b051fd5232966a9344a634d956c3dc33a7f5ecdcad9ed11ddc4120a7f2"
    ],
    [
      "p",
      "46fcbe3065eaf1ae7811465924e48923363ff3f526bd6f73d7c184b16bd8ce4d"
    ]
  ],
  "content": "I've once thought the \"secret\" was a secret and could be relied upon as an authorization token, but I realized that couldn't be it since most clients only called \"connect\" once with the secret, so it is de facto a nonce, the NIP should make this explicit. Someone please send a PR editing it.\n\nOn the other hand for https://viewsource.win/fiatjaf.com/promenade I didn't use a secret at all, instead the bunker URI has a random pubkey in it that isn't the actual user pubkey, so it can be used and reused as an authorization token, i.e. anyone with the bunker URI can connect. I think this is fine for most cases too.",
  "sig": "d0bc91563e13e5fc07776b4149365c0b591d975589e81b9287a79de9186dc9edf06db937b4eff9b10ae570c73d9de076e8f9c7d4c11cdaa286dcccf4dde03444"
}