2017-05-19 UTC
# 
saranix I have to agree here. If the reasoning is "When you send a Webmention, you are sending an unsolicited payload to the receiver. The authorization code is not requested by the receiver, so you cannot guarantee they will be protecting it if they aren't expecting it.", then an assumed unprotected code can easily be exchange for the token with no questions asked by anyone, it really isn't much different