@PurpCat @Flaky Basically, every ActivityPub instance uses HTTP signatures provided by other instances to verify that new messages actually come from said instances, this is normal since otherwise anyone with a copy of curl could forge them. Signed fetches extend this to GET requests for objects/activities as well which is retarded since once the message leaves your instance, you have no control over it anyway: people can just go to your instance if API isn't locked, and if it is, go to the neighboring one.