Boundary
Atmosphere stops before app OAuth starts
Your app accepts the signed selection token.
Pass the handle or DID into your OAuth client.
The user authorizes your app with their account host.
Your app stores its own OAuth/session state.
if (!verified.ok) throw new Error(verified.error);
const loginHint = verified.claims.handle || verified.claims.sub;
const oauthUrl = await atprotoOAuthClient.authorizeUrl({
loginHint,
scope: "atproto",
});
return Response.redirect(oauthUrl);ATProto checks still apply
- Resolve and bind the selected account DID for the OAuth flow.
- Verify the authorization server is authoritative for the account.
- Check the token response
submatches the expected DID. - Reject token responses that omit the
atprotoscope. - Do not send your app OAuth access or refresh tokens to Atmosphere.