The identity layer gap
Bitcoin fixed money. That was the hard part. Twenty-one million. Proof-of-work. No central issuer. A pleb with a Raspberry Pi, a hardware wallet, and a miner running off a panel in the garage can, today, hold savings that no bank, no state, no PayPal risk team can confiscate. That is a civilizational change, and it is already done.
But look at the rest of the stack. Where do you post? Who verifies you are you? Who decides what your followers see? Who can deplatform you tomorrow morning because an ad buyer complained? The money is sovereign. The identity layer is still rented from Meta, X, Google, and Reddit — the same companies whose terms of service are a moving target and whose moderation is a black box.
That is the gap Nostr fills. It is the identity layer decentralized — one more layer peeled off the corporate server rack and handed back to the pleb.
What Nostr is
Nostr stands for Notes and Other Stuff Transmitted by Relays. It was proposed by fiatjaf in 2020 as a deliberately minimal protocol — a handful of pages of spec, no blockchain, no token, no foundation gatekeeping development. Fiatjaf’s design philosophy was to ship the smallest possible thing that could not be captured: public-key identities, dumb relay servers, and signed JSON events. Everything else — clients, zaps, long-form articles, marketplaces, DMs — is built on top of that tiny kernel.
That minimalism is the point. Bitcoin is a hard-money protocol because the base layer is small and boring. Nostr is a hard-identity protocol for the same reason.
The architecture in 90 seconds
There are three moving parts.
Keypairs are your identity. You generate a secp256k1 keypair — the same curve Bitcoin uses. Your public key (shared as npub1...) is your username, your avatar, your follower list, and your reputation rolled into one. Your private key (nsec1...) is what you sign with. If you lose nsec, you lose the account. If you leak nsec, someone else becomes you. Treat it exactly like you treat a seed phrase.
Relays are dumb pipes. A relay is a WebSocket server that accepts signed events and hands them back to anyone who asks. It does not know your password. It does not have an account system. You connect, you publish an event signed by your key, and the relay stores it and forwards it to subscribers. Most users speak to five or ten relays at once. If one goes down or censors you, the other nine still have your notes.
Clients are interchangeable UI. Damus, Amethyst, Primal, Coracle, Snort, Nostrudel — these are all just front-ends that sign events with your key and subscribe to a set of relays. Change clients tomorrow and your followers, your posts, and your identity come with you, because none of them live in the client. They live in the key, in the relays, and in the signatures.
That is the entire architecture. Three moving parts. No accounts. No passwords. No servers you have to beg for access to.
Why this matters for the pleb
No deplatforming. There is no customer-service team to appeal to, because there is no customer-service team. Your identity is a key. No entity can revoke a key it never issued.
No single point of failure. Every popular client connects to many relays. Kill one, the others keep serving. Censor a topic on one relay, mirror it to a friendlier one. This is not theoretical: Nostr users have already watched specific relays drop specific content, shrugged, and kept posting through the rest of the network.
Identity portability. Your npub is yours across every Nostr client, forever. You do not “have an account on Damus.” You have a key, and Damus happens to be one of many apps that can read it. Move to Amethyst next week, your follower graph comes with you.
Interop with Bitcoin. Same curve. Same mental model. Same adversarial assumptions. The Venn diagram of “people who can already handle a seed phrase” and “people who can handle an nsec” is basically a circle, which is why Bitcoiners have been the earliest and largest demographic on the network.
This is what we mean when we say one more layer decentralized. Money was the first layer. Identity is the next.
Getting started: generate a keypair, pick a client
You have two honest paths. The fastest is to install a client and let it generate the key for you. The most sovereign is to generate the key in a dedicated signer app and hand the public key to clients that request it.
Mobile clients. On iOS, Damus (by Will Casarin) is the canonical Nostr client — fast, native, and opinionated. On Android, Amethyst (by Vitor Pamplona) is the deep-end power-user client with support for nearly every NIP worth knowing. Both are free and open source. Both let you generate a keypair in-app on first launch.
Web clients. Primal is the slickest onboarding experience for a new user and ships a built-in Lightning wallet. Coracle (by Jon Staab) leans into community curation and relay-aware browsing. Snort and Nostrudel round out the web-client options for anyone who prefers not to install native apps.
Desktop and signer apps. Nos2x and Alby browser extensions hold your key outside the client, so the client asks the extension to sign each event — the same pattern as a hardware wallet signing a Bitcoin transaction. For plebs who already trust their browser extension security model, this is the better pattern.
Back up nsec. Whatever path you pick, the moment you see the private key, write it down and put it somewhere you would put a seed phrase. A Nostr key has no recovery flow. There is nobody to call. This is the same model as Bitcoin self-custody, and it cuts both ways: nobody can freeze you, but nobody can un-freeze you either.
NIPs worth knowing
Nostr’s spec is a living set of documents called NIPs — Nostr Implementation Possibilities — each numbered and versioned. You do not need to read all of them. A handful carry most of the weight.
NIP-01 — Core protocol. Event structure, signatures, the request/response dance between client and relay. If you only read one NIP, read this one. Everything else builds on it.
NIP-05 — Verification. Maps a human-readable handle like pleb@d-central.tech to an npub. It is not a CA system and it does not grant authority. It is a “yes, this key controls this domain” check, served by a static JSON file at /.well-known/nostr.json. Good enough for 95 percent of “is this the real person” questions, and it is trivial to self-host.
NIP-57 — Zaps. The big one. Specifies how a Lightning payment can be attached to a Nostr event, how the receipt is published back to the network, and how clients should render it. Zaps are the monetization primitive the open web has been missing since 1998. We will go deep on this in a companion post.
NIP-44 — Encrypted DMs. Versioned encryption for direct messages, replacing the older NIP-04. If you care about private chats on Nostr, make sure your client supports NIP-44.
NIP-11 — Relay metadata. How a relay describes itself — operator contact, supported NIPs, paid-vs-free status. Relevant the moment you start running your own relay.
You will see NIP numbers dropped casually in the wild. They are just a shorthand for “which feature are we talking about right now.”
Cross-client identity
This is the part that trips up people coming from Web2. You do not pick a Nostr client the way you pick Instagram versus TikTok. You pick a keypair, and then you pick — and later change — whichever client presents that keypair best.
Install Damus, onboard, post a note. Pull out your tablet and install Amethyst. Paste the same nsec (or connect via Amber, Amethyst’s remote signer). Same followers. Same feed. Same notes. Uninstall Damus six months later because a new iOS client shipped. Your identity does not move; the window through which you view it does.
This is what portability feels like. It is the opposite of “export your data to a ZIP file and cry.”
Pairing with Bitcoin: Zaps, and where this series is going
The killer feature for Bitcoiners is that identity is already a signing key, so identity composes naturally with Lightning. A note can carry a Lightning address. A click becomes a zap. A zap becomes a signed receipt event, which becomes a public reputation artifact. No ad tech. No platform cut. No KYC. No “monetization partner program.” A tip is a tip.
We are going to build the rest of the pleb’s Nostr stack across this series.
- Next up: Run Your Own Nostr Relay — strfry, nostr-rs-relay, and a production-grade self-hosted setup on a VPS or an Umbrel box.
- After that: Zaps Explained — the NIP-57 flow, wallets that do it well, and why value-for-value is the only monetization model that survives contact with state-level adversaries.
If you want the wider context, the Pleb’s Sovereign Stack Manifesto lays out why identity, money, compute, and energy all belong on the same side of the sovereignty line. Nostr is the identity pillar. The Sovereignty hub is the map.
The money is already sovereign. The identity layer is a short install away. Go generate a key.
