Aaron Parecki

Results: 533 comments by Aaron Parecki

Client authentication and PKCE have nothing to do with each other. Confidential clients (there is no term "private clients" despite it sounding like the opposite of "public clients") still need...

webmention.io is a service to receive (not send) webmentions, and does take some opinionated stances beyond the bare minimum webmention specification so that it is more useful to the people...

You can effectively do this by creating a form on your website that has a target of this webmention endpoint, and you can make a hidden form field with the...

Thank you for this! I've gotten a few requests for these features. Do you have any insight on how this has been working for you after a few months? In...

I believe this recommendation is already described in RFC9728: https://datatracker.ietf.org/doc/html/rfc9728#section-7.4
> If a client expects to interact with multiple resource servers, the client SHOULD request audience-restricted access tokens using [[RFC8707](https://datatracker.ietf.org/doc/html/rfc8707)],...

This is just OAuth phishing. It happens outside of MCP as well.
> The end user notices that the consent screen shows the correct scopes for the correct resource server...

What URL are you trying with? Not much I can do unless I know what URL to investigate.

The user agent config in the `.env` is currently used when this project makes HTTP requests mainly to GitHub. The IndieAuth request is actually coming from a separate library that...

Yeah I think this is IndieLogin.com doing the older behavior described in the first IndieAuth spec. I'll do a pass on this to update it to the latest spec this...