docs(auth): document intentional session-style NIP-98 model #16

2026-04-16T08:54:59Z

userAdityaa commented

2026-04-16 08:54:59 +00:00

Summary

This PR documents an intentional non-standard NIP-98 design choice for Caravel client-to-backend API authentication. The current behavior is signer-identity + host-affinity based, designed to reduce repeated signing prompts and avoid cookie-based sessions.

Context

Issue #12 raised strict NIP-98 request-intent concerns (exact URL/method/replay protections).
Maintainer clarified current behavior is intentional -> #12 (comment)

### Summary This PR documents an intentional non-standard NIP-98 design choice for Caravel client-to-backend API authentication. The current behavior is signer-identity + host-affinity based, designed to reduce repeated signing prompts and avoid cookie-based sessions. ### Context Issue #12 raised strict NIP-98 request-intent concerns (exact URL/method/replay protections). Maintainer clarified current behavior is intentional -> https://gitea.coracle.social/coracle/caravel/issues/12#issuecomment-2319

hodlbod added 1 commit 2026-04-16 15:40:42 +00:00

docs(auth): document intentional session-style NIP-98 model 0c75ac9ed5

hodlbod force-pushed nip-docs from 57e21cf51d to 0c75ac9ed5

2026-04-16 15:40:42 +00:00

Compare

hodlbod merged commit 145b511f9d into master

2026-04-16 15:40:50 +00:00

hodlbod referenced this issue from a commit

2026-04-16 15:40:52 +00:00

docs(auth): document intentional session-style NIP-98 model (#16)

Sign in to join this conversation.

2 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: coracle/caravel#16

Allow edits from maintainers