#aaronpk If the app wants to know who signed in and looks at the "me" in the code exchange response, then it does need to check that the domain matches what was entered at first, otherwise someone can make a fake IndieAuth endpoint and sign in to apps as arbitrary users.