anna on Nostr: ok how does this idea sound: to have kinda like auth_fetch but for clients. when you ...
ok how does this idea sound:
to have kinda like auth_fetch but for clients. when you log in a client you generate a key that goes to your home server. when you make a client<>server ap request, you include that key, and the receiving server can validate that against your home server, using an activitypub extension.
this would still allow servers to block servers, and it would avoid allowing malicious servers querying data using the client api, as well as being compliant with base ap
the only negative is that if your server *hard* requires this auth for every ap query, you won't have anonymous access, but then it's a trade off between hard blocking servers and allowing un-logged in users
hmmmm
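A small simulation of the flow proposed in the post, added here as an example and not part of the original post. The class names, the `domain:key` credential format and the in-process `validate` call (standing in for the unspecified ActivityPub extension) are all assumptions.

```python
import hashlib, secrets

class HomeServer:
    """Issues per-client keys at login and answers validation queries."""
    def __init__(self, domain):
        self.domain = domain
        self._keys = {}  # sha256(key) -> actor URI; raw keys are never stored

    def login(self, username):
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self._keys[digest] = f"https://{self.domain}/users/{username}"
        return f"{self.domain}:{key}"  # assumed credential format sent by the client

    def validate(self, key):
        # Stand-in for the hypothetical ActivityPub extension endpoint.
        return self._keys.get(hashlib.sha256(key.encode()).hexdigest())

class ReceivingServer:
    def __init__(self, directory, blocked=(), require_auth=False):
        self.directory = directory        # domain -> HomeServer (stands in for HTTPS)
        self.blocked = set(blocked)       # server-level blocks still apply
        self.require_auth = require_auth  # "hard" mode: no anonymous access

    def handle(self, credential=None):
        """Return (status, detail) for a client API query."""
        if credential is None:
            return (401, "auth required") if self.require_auth else (200, "anonymous")
        domain, _, key = credential.partition(":")
        if domain in self.blocked:
            return (403, "home server blocked")
        home = self.directory.get(domain)
        actor = home.validate(key) if home else None
        if actor is None:
            return (401, "key not recognised by home server")
        return (200, actor)

def demo():
    # Constructed sample servers and users.
    good, bad = HomeServer("home.example"), HomeServer("blocked.example")
    directory = {s.domain: s for s in (good, bad)}
    remote = ReceivingServer(directory, blocked={"blocked.example"}, require_auth=True)
    return {
        "valid": remote.handle(good.login("alice")),
        "forged": remote.handle("home.example:not-a-real-key"),
        "blocked": remote.handle(bad.login("mallory")),
        "anonymous": remote.handle(None),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```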