Problem
The current login UI presents three auth methods with mixed prominence:
- NIP-07 extension — primary button when detected.
- Private key (nsec) paste — equally visible secondary option.
- External signer (NIP-46) — a text link below the primary buttons, visually de-prioritized.
This ordering promotes the least safe option (paste your raw private key into a browser page) over the safest options (external signer, either via extension or remote). Users unfamiliar with Nostr default to the most prominent affordance, which is also the one that puts their key at permanent risk.
Proposed structure
A three-tier hierarchy that matches safety / recommended practice:
Primary CTA (full-width green): `Sign in with your signer`
- If NIP-07 is present, uses it directly — same experience as today.
- Otherwise opens a modal with two tabs:
  - Scan QR — existing universal pairing flow.
  - Paste bunker URI — existing bunker paste flow.
- On iOS (no NIP-07) the primary goes straight to that modal — no hidden link.
Secondary button (outline): `Create new account`
- Generates a key, stores it, runs the existing wallet welcome.
- Ideally coupled with the at-rest encryption work in `docs/wallet/NIP-44-Wallet-Storage-Hardening.md`.
Tertiary text link (below the secondary button): `Advanced: import private key`
- Keeps the nsec-paste flow reachable but behind a deliberate click.
- Good place to surface the warning copy ("Your key will be stored in this browser — prefer an external signer if you can").
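The three tiers above, modelled as plain functions so the hierarchy can be unit-tested independently of the Svelte components. This is an added example, not code from the issue or from the project; the function names (`detectNip07`, `resolveLoginLayout`, `canShowNsecInput`, `parseBunkerUri`) and the action identifiers are assumptions, and `parseBunkerUri` assumes the hex-pubkey `bunker://<pubkey>?relay=wss://...&secret=...` shape from NIP-46.

```javascript
// Added example (not from the issue or the project): the proposed login
// hierarchy as testable logic, independent of the Svelte components.

// NIP-07 detection. An extension injects `window.nostr` exposing at least
// getPublicKey() and signEvent(). The window-like object is a parameter so
// this runs in tests without a real browser.
function detectNip07(win) {
  const n = win && win.nostr;
  return Boolean(n) &&
    typeof n.getPublicKey === 'function' &&
    typeof n.signEvent === 'function';
}

// Warning copy shown next to the advanced (nsec) disclosure.
const NSEC_WARNING =
  'Your key will be stored in this browser \u2014 prefer an external signer if you can';

// Returns the ordered affordances for /login. Only the NIP-07 result changes
// the layout; iOS (no extensions) simply yields hasNip07 === false and gets
// the same hierarchy as web without an extension.
function resolveLoginLayout(hasNip07) {
  return [
    {
      tier: 'primary',
      label: 'Sign in with your signer',
      // With an extension present, use it directly; otherwise open the
      // signer modal with the QR-scan and bunker-paste tabs.
      action: hasNip07 ? 'nip07' : 'signer-modal',
      modalTabs: hasNip07 ? [] : ['scan-qr', 'paste-bunker'],
    },
    {
      tier: 'secondary',
      label: 'Create new account',
      action: 'create-account',
      modalTabs: [],
    },
    {
      tier: 'tertiary',
      label: 'Advanced: import private key',
      action: 'open-advanced', // reveals the nsec form; does not submit anything
      warning: NSEC_WARNING,
      modalTabs: [],
    },
  ];
}

// The nsec input is rendered only after the user opened the advanced
// disclosure, so the riskiest path needs a deliberate click.
function canShowNsecInput(state) {
  return state.advancedOpen === true;
}

// Shape check for the "Paste bunker URI" tab before the existing bunker flow
// is started (assumed NIP-46 form: bunker://<64-hex-pubkey>?relay=...&secret=...).
// Returns null on anything that does not look like a bunker URI so an nsec
// pasted into the wrong box is never forwarded anywhere.
function parseBunkerUri(text) {
  const m = /^bunker:\/\/([0-9a-f]{64})(?:\?(.*))?$/i.exec(String(text).trim());
  if (!m) return null;
  const params = new URLSearchParams(m[2] || '');
  const relays = params.getAll('relay').filter((r) => /^wss?:\/\//i.test(r));
  if (relays.length === 0) return null; // NIP-46 requires at least one relay
  const secret = params.get('secret');
  return { pubkey: m[1].toLowerCase(), relays, secret: secret || null };
}

module.exports = { detectNip07, resolveLoginLayout, canShowNsecInput, parseBunkerUri };
```

`resolveLoginLayout` maps directly onto the acceptance list: index 0 is the signer button (or modal), and the nsec form is reachable only through the tertiary `open-advanced` action gated by `canShowNsecInput`.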
Benefits
- Default path is always safe (external signer or fresh account).
- iOS and web see the same primary affordance instead of iOS having a different form entirely.
- The riskiest path (nsec paste) still exists for power users but doesn't mislead newcomers.
- Matches NIP-46 first-class positioning without hiding NIP-07 for users who have it.
Out of scope
- At-rest encryption of imported nsec. Tracked separately via the wallet-storage hardening work.
- Bunker-URI timeout tuning. See the companion issue.
- Changes to the signing code paths — this is a UI/UX rearrangement only.
Acceptance
- Landing on `/login` with no extension installed shows a single primary "Sign in with your signer" button (or the scan/paste modal as the default next step) before any nsec-related affordance.
- The nsec-import flow is only reachable via an "Advanced" disclosure.
- iOS and web forms converge on the same hierarchy; duplicate buttons in `LoginFormIOS.svelte` and `/routes/login/+page.svelte` collapse into shared components where possible.
- No change in observed behavior for users who paste a bunker URI or scan a QR today — same flows, just more prominent.