Podkey is a browser extension that holds a Nostr/did:nostr key on your device and uses it to sign Nostr events (NIP-07) and to authenticate to Solid pods over NIP-98. It is a local signer: your key never leaves your device, and Podkey has no servers, no accounts, and no analytics.
All data is stored locally in the browser's extension storage. Nothing is sent to the Podkey developers or any third party.
| Data | Where | Notes |
|---|---|---|
| Private key | storage.local, encrypted | Stored only as an AES-256-GCM ciphertext, wrapped by a scrypt key derived from your passphrase. The plaintext key is never written to disk. |
| Private key (unlocked) | storage.session, in-memory | After you unlock, the decrypted key is held in memory for the browser session, then cleared when the browser closes. |
| Public key | storage.local | Your did:nostr identity. Not secret. |
| Trusted origins | storage.local | Sites you approved to sign without re-prompting, plus an optional per-site auto-sign preference. Revocable from the popup. |
There is no telemetry, no tracking, no advertising identifiers, and no remote logging. Podkey collects none of your browsing history or page content.
Authorization header.Authorization header is attached only to requests you initiate to a server you have trusted; the data goes to that server, under your control, not to Podkey.storage: to keep the encrypted key, your public key, and your trusted sites locally.<all_urls>): as a NIP-07 signer, Podkey injects a window.nostr provider into pages and, for trusted sites, attaches NIP-98 auth to your own requests. Podkey does not read, collect, or transmit page content or browsing history; host access is used solely to expose the signer and to intercept auth for origins you explicitly approved.Podkey is open source under AGPL-3.0. Questions, issues, or security reports: github.com/JavaScriptSolidServer/podkey/issues.