#[fluffy]but I’m thinking that Publ *could* go “okay this thing is asking for an access_token against this identity with this authorization code, I’ll look up that identity’s authorization_endpoint and token_endpoint and use that to validate the code”