art-dag/activity-pub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Document L1 authorization requirement for token verification

Browse Source 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
gilesb
2026-01-09 17:43:49 +00:00
parent e9df81db40
commit 5a8ce51c83
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -115,7 +115,9 @@ When a user attaches to an L1 server:
3. L1 sets its own local cookie, logging the user in 3. L1 sets its own local cookie, logging the user in
4. Their attachment is recorded in the `user_renderers` table 4. Their attachment is recorded in the `user_renderers` table
**No shared secrets required**: L1 servers verify tokens by calling L2's public `/auth/verify` endpoint. This allows any L1 provider to federate with L2 without needing the JWT secret. **No shared secrets required**: L1 servers verify tokens by calling L2's `/auth/verify` endpoint. This allows any L1 provider to federate with L2 without needing the JWT secret.
**Authorization**: L1 servers must identify themselves when calling `/auth/verify` by passing their URL. Only servers listed in `L1_SERVERS` are authorized to verify tokens.
Users can manage attachments at `/renderers`. Users can manage attachments at `/renderers`.