···31311. The `rpc:` scope system can validate the audience (see `docs/atproto-auth.md`)
32322. Other ATProto services and clients can discover the API's service endpoint
33333434+### Why `did.json` has no `verificationMethod`
3535+3636+A `verificationMethod` declares a public key so others can verify signatures made by the DID owner. It is required for signing authorities — PDSes, user identities — but this app is not one.
3737+3838+`public/.well-known/did.json` has a single purpose: advertising the `#blog-api` service endpoint so the PDS can resolve `did:web:<domain>` and confirm the service reference is valid when evaluating the `rpc:` OAuth scope. The API Lambda verifies service JWTs by resolving the *user's* DID (to get the user's atproto signing key) — not the app's DID. Lemma never signs anything that would require a counterparty to look up its public key, so no `verificationMethod` is needed.
3939+3440`public/.well-known/did.json` already exists in the repo with `YOUR_DOMAIN` placeholders. Run `make -C infra setup-aws-domain DOMAIN_NAME=yourdomain.com` to update it (along with `public/oauth-client-metadata.json`) for your domain before building.
35413642Use the CloudFront API URL (`ApiUrl` output of the cloudfront stack, or `api.<domain>` after Route 53 is set up) rather than the raw API Gateway URL. If CloudFront is not deployed, use `https://<api-gateway-id>.execute-api.<region>.amazonaws.com/prod` instead.