Conversation

Notices

1. Embed this notice
   Mike P (fentiger@mastodon.social)'s status on Tuesday, 05-Aug-2025 04:10:48 JST Mike P

   • Evan Prodromou
   • Ben Pate 🤘🏻

   @julian @benpate @evan I think FEP-3b86 only really allows for actions that the home server already knows how to carry out; the advantage of FEP-d8c2 is that it allows clients to add functionality of their own; see eg Evan's checkin app, which can post geo-tagged activities even via a server which doesn't natively support them.

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Tuesday, 05-Aug-2025 04:10:47 JST Evan Prodromou

     in reply to

     • Ben Pate 🤘🏻

     @FenTiger @julian @benpate ding ding ding ding ding

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Tuesday, 05-Aug-2025 09:34:40 JST Evan Prodromou

     in reply to

     • Ben Pate 🤘🏻

     @benpate @FenTiger @julian they should just pass them along! If you don't implement a side effect for that activity type, just leave it alone and pass it along to clients.

   • Embed this notice
     Ben Pate 🤘🏻 (benpate@mastodon.social)'s status on Tuesday, 05-Aug-2025 09:34:41 JST Ben Pate 🤘🏻

     in reply to

     • Evan Prodromou

     @FenTiger @julian @evan

     This is a good point, though I'm not clear how different servers would handle outbox requests for activities that they don't support. I'm pretty sure mine would just die.

     My big concern with OAuth tokens is that they require me to give away write access to my Fediverse identity when I "like" or "reply" to something, which could easily be an attack vector.

     We talked about scoping OAuth tokens, but it feels like a lot of moving parts. More details later

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Tuesday, 05-Aug-2025 09:38:16 JST Evan Prodromou

     in reply to

     • Ben Pate 🤘🏻

     @benpate @FenTiger @julian the plan there is to have finer grained scopes for particular activities. And also limiting them by domain: "let this server Like and Reply to objects on its own domain"

     https://codeberg.org/evanp/fep/issues/8

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Tuesday, 05-Aug-2025 09:41:00 JST Evan Prodromou

     in reply to

     • Ben Pate 🤘🏻

     @benpate @FenTiger @julian there's a whole chapter about the API in my book:

     https://evanp.me/activitypub-book/

   • Embed this notice
     Evan Prodromou (evan@cosocial.ca)'s status on Tuesday, 05-Aug-2025 09:45:32 JST Evan Prodromou

     in reply to

     • Ben Pate 🤘🏻

     @benpate @FenTiger @julian also, and this is very important: if you want apps to have a global reputation, so that social pressure can keep them from being abusive, they need to have a universal id across different API servers.