Dikaios1517 on Nostr: It is somewhat nuanced, but as defined in the protocol NIPs, Nostr clients have ...
It is somewhat nuanced, but as defined in the protocol NIPs, Nostr clients have certain functions.
1. They make requests to relays for notes the user wants to see that are stored on those relays.
2. They verify that the signatures attached to the notes received from the relays are valid.
3. They display the notes received from the relays to the user, after signatures have been verified.
4. They write the user's notes to the user's selected relays, after obtaining a signature from the user's private key.
Clients may do more than this, but these are the basic functions of a Nostr client you have installed on your device, or that you access via a website.
Primal apps only do number 4.
Items 1 and 2 are entirely handled by Primal's caching service running on their servers, which means number 3 is replaced by displaying notes received from the caching service, and there is no local verification of signatures at all.
Because you aren't reading directly from relays on Primal, their caching service can be used to censor users, replace their actual note with something else, present notes as having been authored by a user that never authored them, etc. And while Primal's caching service is open source, you don't have a way to verify that what is on the GitHub is actually what they are running on their servers.
Local signature verification is probably the most important function of a Nostr client, and Primal apps don't do it, so you are entirely trusting that what their caching service sends to the app is legit.
Published at 2025-05-17 00:24:48
Event JSON
{
"id": "bf05ee3a407705e75c6d516115c0749c5c1ad133c8d03c63731be9bd932a32c5",
"pubkey": "b7274d28e3e983bf720db4b4a12a31f5c7ef262320d05c25ec90489ac99628cb",
"created_at": 1747441488,
"kind": 1,
"tags": [
[
"e",
"0b087f9209ae39b01187ccbaaa8dc66823bea30b10d89e412cb1599f96b9f596",
"",
"root",
"dc039a4b993abea3988e23f98a69bc5bba427f3dfd5a0e1b95829d0186387f56"
],
[
"e",
"3c3f6a9bd3aa74dbe75ddc0a01b36756172a8c0c6a5ee02949f643b03092b22c",
"wss://wot.brightbolt.net/",
"reply",
"401854bbc0144fcfd101487095d40aeeaedf5d66b2c2c21db5154f7b2327acb8"
],
[
"p",
"dc039a4b993abea3988e23f98a69bc5bba427f3dfd5a0e1b95829d0186387f56"
],
[
"p",
"401854bbc0144fcfd101487095d40aeeaedf5d66b2c2c21db5154f7b2327acb8"
]
],
"content": "It is somewhat nuanced, but as defined in the protocol NIPs, Nostr clients have certain functions.\n\n1. They make requests to relays for notes the user wants to see that are stored on those relays.\n2. They verify that the signatures attached to the notes received from the relays are valid.\n3. They display the notes received from the relays to the user, after signatures have been verified.\n4. They write the user's notes to the user's selected relays, after obtaining a signature from the user's private key.\n\nClients may do more than this, but these are the basic functions of a Nostr client you have installed on your device, or that you access via a website.\n\nPrimal apps only do number 4.\n\nItems 1 and 2 are entirely handled by Primal's caching service running on their servers, which means number 3 is replaced by displaying notes received from the caching service, and there is no local verification of signatures at all.\n\nBecause you aren't reading directly from relays on Primal, their caching service can be used to censor users, replace their actual note with something else, present notes as having been authored by a user that never authored them, etc. And while Primal's caching service is open source, you don't have a way to verify that what is on the GitHub is actually what they are running on their servers.\n\nLocal signature verification is probably the most important function of a Nostr client, and Primal apps don't do it, so you are entirely trusting that what their caching service sends to the app is legit.",
"sig": "1a8fdac117ed9d3dcf7575f3df2f1c974fa9f32ab84d7a607590281ca4de09e91193adc955ff1b6167e769c40fea786d2d2012793e4d54fa95419cbca9446d5d"
}