This guide outlines the key management system and API administration practices for the Nostr Auth Middleware. For a comprehensive understanding of how this fits into the larger architecture, please refer to our Architecture Guide.
- Key Types
- Environment-Specific Key Management
- Key Rotation
- API Administration
- Security Best Practices
- Troubleshooting
The key management system is designed according to our core architectural principles:
- Service Isolation: Key management is handled independently from application logic
- Security-First Design: All key management code is open source and auditable
- Clear Boundaries: Keys are managed only within this service's scope
- Transparent Security: Implementation can be reviewed and verified by third parties
┌─────────────────┐
│ Client App │
└────────┬────────┘
│
▼
┌─────────────────┐
│ Key Management │◄── You are here
│ System │
└────────┬────────┘
│
▼
┌─────────────────┐
│ App Platform │
└─────────────────┘
- Private Key: Used to sign server events and challenges
- Public Key: Shared with clients for server verification
- Format: 32-byte hex strings (64 characters)
- Storage:
- Development: Local files
- Production: Supabase secure storage
- Purpose: Signs JWT tokens for authenticated sessions
- Format: Random 32-byte hex string
- Rotation: Every 30 days (configurable)
- Purpose: Authenticate service-to-service communication
- Format:
nostr_[environment]_[service]_[timestamp] - Validation: SHA-256 hash stored in configuration
The middleware now uses standardized cryptographic operations from our official packages:
@humanjavaenterprises/nostr-crypto-utils: Core cryptographic operations@humanjavaenterprises/nostr-nsec-seedphrase-library: Seedphrase-based key management
These packages ensure:
- Consistent cryptographic implementations across all Nostr projects
- Standardized key generation and management
- Improved security through well-tested, audited code
- Better maintainability and updates
In development mode, the middleware uses seedphrase-based key generation for predictable testing environments:
import { generateKeyPair } from '@humanjavaenterprises/nostr-crypto-utils';
import { generateFromSeed } from '@humanjavaenterprises/nostr-nsec-seedphrase-library';
// Development mode uses deterministic key generation
const keyPair = process.env.NODE_ENV === 'development'
? generateFromSeed('development-seed-phrase')
: generateKeyPair();# Key Storage Location
./local/keys/
├── private.key
├── public.key
└── jwt.secret
# Generate new development keys
./scripts/generate-keys.sh --env development
# Validate keys
./scripts/validate-keys.sh --env development# Key Storage: Supabase Secure Storage
Table: service_keys
Columns:
- key_id (UUID)
- key_type (ENUM: 'private', 'public', 'jwt')
- key_value (encrypted)
- created_at (timestamp)
- expires_at (timestamp)
- is_active (boolean)
# Generate new production keys
sudo ./scripts/generate-keys.sh --env production
# Rotate production keys
sudo ./scripts/rotate-keys.sh --env productionThe system automatically handles key rotation to maintain security:
-
JWT Secret Rotation
# Scheduled rotation (via cron) 0 0 1 * * /opt/nostr-platform/auth/scripts/rotate-jwt.sh # Manual rotation sudo ./scripts/rotate-jwt.sh --force
-
Server Key Rotation
# Scheduled rotation (quarterly) 0 0 1 */3 * /opt/nostr-platform/auth/scripts/rotate-server-keys.sh # Manual rotation sudo ./scripts/rotate-server-keys.sh --force
-
API Key Rotation
# Generate new API key sudo ./scripts/generate-api-key.sh --service [service_name] # Revoke old API key sudo ./scripts/revoke-api-key.sh --key [key_id]
- Generate new keys
- Update active keys in configuration
- Maintain old keys for grace period
- Remove expired keys
- Log rotation event
-
Register New Service
# Register service sudo ./scripts/register-service.sh \ --name "service-name" \ --domain "service.domain.com" \ --env production
-
Generate API Key
# Generate and assign key sudo ./scripts/generate-api-key.sh \ --service "service-name" \ --expiry 90
-
Monitor API Usage
# View API metrics ./scripts/view-metrics.sh --service "service-name" # View access logs sudo tail -f /var/log/nostr-platform/auth/api-access.log
// Default limits per service
{
"rateLimit": {
"window": 3600, // 1 hour
"maxRequests": 1000
},
"quotas": {
"daily": 10000,
"monthly": 250000
}
}-
Key Storage
- Never store keys in version control
- Use environment variables for local development
- Use secure key storage (Supabase) in production
- Implement proper access controls
- Follow service isolation principles
-
Access Control
- Limit key access to authorized personnel
- Use role-based access control
- Log all key access attempts
- Regular access audits
- Maintain clear security boundaries
-
Monitoring
- Monitor failed authentication attempts
- Alert on suspicious activity
- Regular security audits
- Automated vulnerability scanning
- Independent security reviews
-
Backup and Recovery
# Backup keys sudo ./scripts/backup-keys.sh --env production # Verify backup sudo ./scripts/verify-backup.sh --latest # Restore from backup sudo ./scripts/restore-keys.sh --backup [backup_id]
-
Key Validation Failures
# Check key integrity ./scripts/validate-keys.sh --env [environment] # View key status ./scripts/key-status.sh --env [environment]
-
API Authentication Issues
# Test API key ./scripts/test-api-key.sh --key [api_key] # View recent auth failures sudo tail -f /var/log/nostr-platform/auth/auth-failures.log
-
Key Rotation Problems
# Check rotation status ./scripts/rotation-status.sh # Force sync keys sudo ./scripts/sync-keys.sh --force
-
Key Compromise Response
# Initiate emergency key rotation sudo ./scripts/emergency-rotate.sh --all # Revoke compromised keys sudo ./scripts/revoke-keys.sh --compromised
-
Service Recovery
# Restore service with new keys sudo ./scripts/service-recovery.sh --service [service_name]
For additional assistance or emergency support, contact the security team at [email protected].