2026-03-07 15:22:59 UTC

reidsomethings on Nostr: The Nip17 invoice DMs and the fhir rest api for connecting traditional outside ...

The NIP-17 invoice DMs and the FHIR REST API for connecting traditional outside medical facilities require the nsec for signing and decrypting, respectively. As it stands currently, the practice key sits on the server in two different files. This weighs heavy on my mind and needs fixing.
My solution is to create a separate "billing bot" keypair and a "FHIR API" keypair. These are purpose-limited identities:

- Billing bot keypair: only used to send NIP-17 invoice DMs. The key only has permission to send messages, not decrypt clinical data.

- FHIR API keypair: gets its own ECDH grants (kind 1013) just like a staff member would. It can decrypt patient data through the shared secret, but if compromised, you revoke its grants and rotate — same as firing a staff member.

The practice nsec stays offline. The risk after an exposure or server compromise goes from everything to just billing messages or read-only FHIR access, depending on which key leaks.