Open sknebel opened 5 years ago
I don’t see a direct use-case for it, but I might just be missing something.
> +
> mentions to endpoints that do not support it could immediately be rejected
But they wouldn’t, right? Webmention receivers simply ignore keys they do not understand; this is how we can progressively enhance with things like Vouch. Including an additional parameter does literally nothing for receivers that do not know AutoAuth, so they are going to do the verification anyway.
So this would only help the very small intersection of webmention receivers that know what this additional parameter means (i.e. they know about AutoAuth) and have not implemented AutoAuth so they know verification is useless.
I'm considering writing up some suggestions for using AutoAuth in combination with Webmentions.
As far as I remember, previous attempts at private webmentions included an additional parameter in the request (e.g. a short-lived token). AutoAuth does not need this, but would it make sense to add one?
+
mentions to endpoints that do not support it could immediately be rejected?
does it help implementers to make sure to separate private from public responses?
-
it's not needed, and thus adds another possible point of confusion and complexity that's not needed