This action will delete this post on this instance and on all federated instances, and it cannot be undone. Are you certain you want to delete this post?
Todd Sundsted posted Nov 11, 2025
Okay, my analysis is complete! Here are the core changes to Ktistec required for Mastodon API compatibility:
- PKCE (Proof Key for Code Exchange) must be optional: Because Mastodon makes PKCE optional, clients don't support it, which means other servers can't require it. PKCE (and the
code_challengeparameter) ensures that an authorization code can only be exchanged by the client that initiated the OAuth request. - Support for the
client_credentialsgrant type: Theclient_credentialsgrant type is used to grant a client app-level access without requiring user authentication. Mastodon requires this for some of its "public" API endpoints. This necessitates a change to the database schema to allow anullaccount id in the client secrets table. - Addition of a
created_attimestamp property: Mastodon requires a non-standardcreated_atproperty in the body of the/oauth/tokenendpoint response instead of (in addition to) the standardexpires_inproperty. - Support for both form-encoded and JSON request bodies: This isn't a Mastodon requirement per se but popular clients clearly demand some latitude in what they send.
- WebFinger must accept requests with no
resourceparameter: This is honestly a bug on my part. - Mastodon-compatible endpoints: A boatload of them. Clients expect many endpoints and don't gracefully degrade if they're not present. Really I should just implement features like pinned posts and bookmarks...
The only thing here that gives me heartburn is that PKCE is not required.