diff --git a/signupflow.md b/signupflow.md
new file mode 100644
index 0000000..6308c98
--- /dev/null
+++ b/signupflow.md
@@ -0,0 +1,48 @@
+# Signup Flow
+
+We need a flow that avoids any copy pasting of nsecs, and allows regular key rotation.  The principle then is that all system nsecs are generated locally, and never leave the device.
+
+Admin (bootstrap) flow:
+
+```mermaid
+sequenceDiagram
+    autoNumber
+    participant d as DVM
+    participant r as Relay
+    participant e as Electron App
+    actor u as User Signature
+    
+    Note over d: Admin npubs +<br> secret + relays<br>are hardcoded 
+    d->>r: Publish X1 <br> with secret
+    u->>e: Admin signs in 
+    Note over e: Add new Organisation
+    Note over e: Add relay(s) <br>+ secret
+
+    r-->>e: Kind X1 rec'd 
+    Note over e: DVM npub <br> known
+    Note over e: Prepare kind X2<br> event 
+    u<<->>e: Sign X2
+    e->>r: Publish X2
+    r-->>d: Kind X2 rec'd 
+    Note over d: Admin client app<br>registered in DB
+    d->>r: Publish X3
+    r-->>e: Kind X3 rec'd 
+    Note over e: DVM npub <br> confirmed
+    e->>u: Notify User
+    Note over e: Prepare X4 <br> replaceable event<br>with DVM npub
+    u<<->>e: Sign X4
+    e->>r: Publish X4
+    
+```
+
+|Kind|Type|Purpose|
+|---|---|---|
+|X1|Encrypted to admin, ephemeral|Discovery of DVM npub by Admins|
+|X2|Encrypted to dvm, ephemeral|Register admin client|
+|X3|Encrypted to client, ephemeral|Confirm admin client registration|
+|X4|Public, Replaceable|Discovery of DVM npub by end users|
+
+
+
+
+
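Review bot: the sequence diagram never shows the Electron App checking the secret carried in X1, so between "Kind X1 rec'd" and "DVM npub known" it is unclear what makes the app accept the sender as the real DVM. Suggest adding an explicit step there (for example a note that the app decrypts X1 and compares its secret with the one entered at "Add relay(s) + secret", and discards the event on mismatch), and stating in the X1 table row what the secret is meant to prove. The opening paragraph also names regular key rotation as a goal, but only the bootstrap flow is described; a short section on how a rotated DVM key is announced and how X4 gets replaced would cover that goal. Likewise, the table calls X4 "Discovery of DVM npub by end users" without saying how end users know which admin npub's X4 to trust. Minor: the file ends with five blank lines that can be trimmed.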