2020-05-28 UTC
# Zegnat [fluffy]: yeah, we would love to limit the moving parts. But there are just so many actors. The resource you are requesting can only trust tokens originating from a trusted token endpoint (ie. their own), while you need the requestee’s website to attest that it really is them making the request through an endpoint they trust to verify identity (ie. their authorization endpoint)