Blogging platform with advanced tools for arts and sciences.
6

Configure Feed

Select the types of activity you want to include in your feed.

Update docs

lemma (Jun 3, 2026, 3:24 PM -0500) 11ce8574 fcbb4cf2

+6
+6
docs/api-auth.md
··· 31 31 1. The `rpc:` scope system can validate the audience (see `docs/atproto-auth.md`) 32 32 2. Other ATProto services and clients can discover the API's service endpoint 33 33 34 + ### Why `did.json` has no `verificationMethod` 35 + 36 + A `verificationMethod` declares a public key so others can verify signatures made by the DID owner. It is required for signing authorities — PDSes, user identities — but this app is not one. 37 + 38 + `public/.well-known/did.json` has a single purpose: advertising the `#blog-api` service endpoint so the PDS can resolve `did:web:<domain>` and confirm the service reference is valid when evaluating the `rpc:` OAuth scope. The API Lambda verifies service JWTs by resolving the *user's* DID (to get the user's atproto signing key) — not the app's DID. Lemma never signs anything that would require a counterparty to look up its public key, so no `verificationMethod` is needed. 39 + 34 40 `public/.well-known/did.json` already exists in the repo with `YOUR_DOMAIN` placeholders. Run `make -C infra setup-aws-domain DOMAIN_NAME=yourdomain.com` to update it (along with `public/oauth-client-metadata.json`) for your domain before building. 35 41 36 42 Use the CloudFront API URL (`ApiUrl` output of the cloudfront stack, or `api.<domain>` after Route 53 is set up) rather than the raw API Gateway URL. If CloudFront is not deployed, use `https://<api-gateway-id>.execute-api.<region>.amazonaws.com/prod` instead.