From 5f1fbe8422338ad9c7c6e30eaf365fe718b7920a Mon Sep 17 00:00:00 2001
From: alemi <me@alemi.dev>
Date: Thu, 29 Feb 2024 00:10:45 +0100
Subject: [PATCH] docs: how to auth

---
 README.md | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 9314e75..03412fb 100644
--- a/README.md
+++ b/README.md
@@ -19,4 +19,13 @@ simple and easy!
 ## usage
 right now it's super crude: you must pass `<HOMESERVER> <AUTH_TOKEN> <YOUR_USER_ID>` as cli arguments to make it work, but next versions may include session storage and user_id resolution
 
-note that user_id is underlying id, not your fully qualified name!
+note that user_id is your underlying id, not the fully qualified name!
+
+## authentication
+the easy way is to steal an auth token from your browser (check any request's headers), but the proper way is to follow [Mastodon's](https://docs.joinmastodon.org/client/token/) [Oauth](https://docs.joinmastodon.org/client/authorized/) [flow](https://docs.joinmastodon.org/api/oauth-scopes/)
+
+ 1. if you already have an application (client_id and client_secret) skip this, otherwise register one agains `/api/v1/apps`
+ 2. request access by visiting `/oauth/authorize` from a logged-in browser passing your application's client_id
+ 3. with the received code, POST again against `/oauth/token` but from your application, requesting a proper auth token from your given auth code
+
+and done! received `access_token` is ready to use