@steve @reiver that's interesting.

It's something a client can quickly detect with an OPTIONS request.

Inbox read access seems important but not essential.

I can think of a lot of write-only client applications that don't need read access to the inbox. Like a video game that shares in-game achievements, or a follow button widget.

@steve @reiver @smallcircles that's interesting!

I think the whole reason we have OAuth is so you don't have to put your password into a third-party app. Basic Auth sounds like trouble!

For the pre-authed token, aka "personal access tokens", I use those a lot for different APIs, but I think they're usually just treated as Bearer tokens? So they'd fit here.

@evan @reiver Maybe we need a read-only and write-only subprofiles? But what about an C2S server that doesn't allow reading the inbox nor posting to the outbox (like Mastodon) but still satisfies the MUST requirements in the profile?

@steve @reiver You have more faith in the compelling powers of MUST than I do.

https://cosocial.ca/@evan/116403967622366259

@evan @reiver Speaking for myself, I'm not interested in compelling powers. I think MUST is valuable not because it forces developers to behave, but because it defines the behavioral contract we can test, reason about, and build on (with interoperability guarantees).

@steve @reiver I also think it's perfectly reasonable for Mastodon to move iteratively closer to this basic profile. Supporting CIMD or dynamic client registration would be great. CORS for actors, objects and collections would be nice, too.