Currently, the format of the tokens provided by IndieAuth.com is a signed JWT (JWS) using HS256.

If we were to update this to be RS256, we could allow clients to treat it as a JWS, not an opaque token that needs to be introspected by the token endpoint.

Clients that validate tokens this way could do so much more easily, and locally, while reducing load on the token endpoint.

Because token revocation is not widespread at this point, this would also mean clients do not need to introspect unnecessarily.
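The local check a client could run if tokens were RS256, as an added example (not IndieAuth.com's code or token layout). The claim names `me`, `scope` and `exp`, the key pair, the shared secret and the helper names `issueToken` and `verifyLocally` are assumptions constructed for illustration.

```javascript
// Added example: names, claims and keys are constructed, not IndieAuth.com's.
const { generateKeyPairSync, createSign, createVerify, createHmac } = require("node:crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");

// Issuer side (stand-in for the token endpoint): build a compact JWS.
function issueToken(alg, key, claims) {
  const signingInput = `${b64u(JSON.stringify({ alg, typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  const sig = alg === "RS256"
    ? createSign("RSA-SHA256").update(signingInput).sign(key)
    : createHmac("sha256", key).update(signingInput).digest();
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Client side: verify locally with only the issuer's public key.
function verifyLocally(token, publicKey, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm; never let the token's header choose how it is verified.
  if (header?.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const valid = createVerify("RSA-SHA256")
    .update(`${parts[0]}.${parts[1]}`)
    .verify(publicKey, Buffer.from(parts[2], "base64url"));
  if (!valid) return { ok: false, reason: "bad signature" };
  // Without introspection, expiry is the only bound on a token's lifetime.
  if (typeof claims?.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}

// Constructed sample data: a throwaway key pair and two tokens.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const NOW = 1700000000;
const sampleClaims = { me: "https://user.example/", scope: "create", exp: NOW + 3600 };
const rsToken = issueToken("RS256", privateKey, sampleClaims);
const hsToken = issueToken("HS256", "shared-secret-held-by-issuer", sampleClaims);
```

The HS256 token is rejected because the client holds no shared secret to check it with, which is why that format has to go back to the token endpoint.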

This post was filed under replies.
