docs(auth): document intentional session-style NIP-98 model (#16)

Co-authored-by: userAdityaa <aditya.chaudhary1558@gmail.com> Co-committed-by: userAdityaa <aditya.chaudhary1558@gmail.com>
2026-04-16 15:40:50 +00:00
parent bac763c925
commit 145b511f9d
5 changed files with 32 additions and 6 deletions
@@ -209,6 +209,9 @@ impl Api {
            return Err(ApiError::Unauthorized(anyhow!("missing u tag")));
        };

+        // Intentional session-style variant of NIP-98 for Caravel API auth.
+        // We validate signer identity plus host affinity, and do not bind to exact
+        // request URL/method or maintain replay state here.
        if !self.host.is_empty() && !got_u.contains(&self.host) {
            return Err(ApiError::Unauthorized(anyhow!(
                "authorization host mismatch"