What are npub and nsec?
On Nostr you do not have an account with a username and a password. You have a
key pair: a 32-byte secret key and a public key derived from it on the secp256k1
curve (Nostr signs with BIP-340 Schnorr signatures, so the public key is the
32-byte x-only point). Raw 32-byte values are awkward to copy and easy to mangle,
so NIP-19 writes them in bech32 with a human-readable prefix: the public key
becomes your npub, starting with npub1, and the secret key becomes your nsec,
starting with nsec1. The 1 is the bech32 separator and the last six characters
are a checksum, so a typo is rejected rather than silently producing a different
key. The prefix is the tell: if you ever see nsec1 somewhere it should not be, in
a log, a config file, a chat message, a support ticket, something has gone wrong.
The npub is your name on the network. You share it, people follow it, and they use it to check that a note really came from you. The nsec is the thing that signs those notes. It never needs to leave your control, and it never should.
Why is the nsec so dangerous to leak?
Because the nsec is not a password, it is the identity. A password protects an account that a company can reset for you. The nsec has no company behind it. Whoever holds it can sign as you, post as you, and rewrite your profile so that zaps meant for you are paid to a Lightning address they control, and there is no issuer to reverse any of it. You cannot rotate it either: a new secret key is a new npub, and everyone who followed the old one has to find you again. That is the cost of an identity nobody can take from you: nobody can give it back either.
So the rule is simple and strict. The npub is public by design and harmless to share. The nsec is treated like a Bitcoin secret: stored offline, backed up, and handed to a signer (a browser extension or a remote signer) so that clients request signatures and never see the raw value. A site that asks you to paste your nsec is asking for the identity itself, not for a login. Guard the secret half and the open half can go anywhere it likes.
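The two points above, that the prefix and checksum make an nsec recognisable and that an nsec1 string where only an npub belongs is a leak, can be turned into a small tool. What follows is an added example, not code from the original page or from any Nostr project: a standard-library Python implementation of the bech32 encoding NIP-19 uses for npub and nsec, plus a scanner that finds checksum-valid nsec1 strings in arbitrary text such as a log export. The sample key and log lines are constructed for the example; the npub in them is a stand-in and is not derived from the sample secret (derivation needs a secp256k1 library and is out of scope here).

```python
"""NIP-19 npub/nsec bech32 encoding and a leaked-nsec scanner (added example)."""
import re

# Bech32 per BIP-173; NIP-19 uses plain bech32 (not bech32m) for npub and nsec.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _checksum(hrp, data):
    poly = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(poly >> 5 * (5 - i)) & 31 for i in range(6)]


def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit stream, e.g. 8-bit bytes <-> 5-bit bech32 symbols."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or (acc << (tobits - bits)) & maxv:
        return None  # leftover or non-zero padding: not a valid encoding
    return out


def encode_key(hrp, key):
    """Encode a 32-byte Nostr key as npub1... or nsec1... (63 characters)."""
    if hrp not in ("npub", "nsec"):
        raise ValueError("hrp must be 'npub' or 'nsec'")
    if len(key) != 32:
        raise ValueError("Nostr keys are 32 bytes")
    data = _convertbits(list(key), 8, 5, pad=True)
    return hrp + "1" + "".join(CHARSET[d] for d in data + _checksum(hrp, data))


def decode_key(encoded):
    """Return (hrp, 32-byte key), or None if the string is not a valid npub/nsec."""
    if encoded != encoded.lower() and encoded != encoded.upper():
        return None  # mixed case is invalid bech32
    s = encoded.lower()
    sep = s.rfind("1")
    if sep < 1 or len(s) - sep - 1 < 6:
        return None
    hrp, body = s[:sep], s[sep + 1:]
    if hrp not in ("npub", "nsec") or any(c not in CHARSET for c in body):
        return None
    data = [CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        return None  # checksum failure: typo, truncation or random lookalike
    key = _convertbits(data[:-6], 5, 8, pad=False)
    if key is None or len(key) != 32:
        return None
    return hrp, bytes(key)


# Candidate nsec: "nsec1" + 52 data symbols + 6 checksum symbols = 63 characters.
_NSEC_CANDIDATE = re.compile(r"nsec1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}", re.IGNORECASE)


def find_leaked_nsecs(text):
    """Return every checksum-valid nsec1 string in text (logs, configs, chat exports).
    The regex finds candidates; decode_key drops typos and random lookalikes."""
    return [m.group(0) for m in _NSEC_CANDIDATE.finditer(text)
            if decode_key(m.group(0)) is not None]


# Constructed sample key (NOT a real key): the bytes 0x01..0x20.
SAMPLE_SECRET = bytes(range(1, 33))
SAMPLE_NSEC = encode_key("nsec", SAMPLE_SECRET)
# Stand-in public key for the sample log; not derived from SAMPLE_SECRET.
SAMPLE_NPUB = encode_key("npub", bytes(range(101, 133)))

# Constructed log excerpt: the second line pastes an nsec where only an npub belongs.
SAMPLE_LOG = (
    "2024-05-01T10:00:00Z INFO profile loaded npub=" + SAMPLE_NPUB + "\n"
    "2024-05-01T10:00:02Z DEBUG login payload key=" + SAMPLE_NSEC + "\n"
)

if __name__ == "__main__":
    print("nsec:", SAMPLE_NSEC)
    print("round trip ok:", decode_key(SAMPLE_NSEC) == ("nsec", SAMPLE_SECRET))
    print("leaked in log:", find_leaked_nsecs(SAMPLE_LOG))
```

Run over a real log directory, the scanner is a cheap pre-commit or CI check: because it verifies the checksum, a hit is almost never a false positive, and a single substituted character (the kind of damage a careless paste produces) is still rejected rather than decoded to a wrong key.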