···63636464OAuth follows the ATProto OAuth profile: PAR is required, redirect URIs are
6565validated against client metadata, permission-set includes must resolve, tokens
6666-enforce granular repo/blob/rpc/account/identity scopes, and revocation affects
6767-resource-server checks.
6666+enforce granular repo/blob/rpc/account/identity scopes, DPoP-bound OAuth access
6767+tokens must present matching proof headers on resource requests, and revocation
6868+affects resource-server checks.
68696970Password sessions and app passwords match the reference PDS account model.
7071Session JWTs are accepted only when their JTI is present in the active session
+4
docs/operations.md
···7777- `ZDS_RECOVERY_DID_KEY`: optional recovery `did:key` returned before the PDS
7878 rotation key in recommended DID credentials.
7979- `ZDS_JWT_SECRET`: stable secret for access and refresh JWTs.
8080+- `ZDS_DPOP_SECRET`: stable secret for stateless DPoP nonce generation. If
8181+ unset, ZDS uses `ZDS_JWT_SECRET`. A separate value is recommended for
8282+ production. Multi-node deployments must configure every node with the same
8383+ effective DPoP secret so each node accepts the same nonce window.
8084- `ZDS_HANDLE_DOMAINS`: comma-separated domains advertised by
8185 `describeServer`.
8286- `ZDS_MAIL_PROVIDER`: email delivery provider. Default: `comail`. Supported: