NIP-5D: Nostr Web Applets

NIP-5D defines a postMessage protocol for sandboxed web applications (“napplets”) running in iframes to communicate with a hosting application (“shell”). It extends NIP-5A (Static Websites) with a runtime communication layer that gives web apps access to Nostr functionality without exposing the user’s private key.

How It Works

A shell application loads a napplet in a sandboxed iframe. The napplet communicates with the shell through the browser’s postMessage API using a structured message protocol. The shell provides the napplet with Nostr signing, relay access, and user context through this message channel. The iframe sandbox prevents the napplet from accessing the user’s private key directly, so the shell acts as a gatekeeper for all Nostr operations.

Use Cases

• Interactive Nostr apps: Build apps that read and write Nostr events without requiring users to paste their nsec
• App marketplace: Distribute interactive web applications through Nostr events
• Sandboxed extensions: Add functionality to Nostr clients through third-party napplets

Primary sources:

• NIP-5D PR #2303 - Nostr Web Applets proposal

Mentioned in:

• Newsletter #17

See also:

• NIP-5A (Static Websites)
• NIP-5C (Scrolls)