+1 -1

backend/fly.toml

··· 38 38 # - DATABASE_URL 39 39 # - AWS_ACCESS_KEY_ID 40 40 # - AWS_SECRET_ACCESS_KEY 41 41 - # - ATPROTO_CLIENT_ID (will be https://api.plyr.fm/client-metadata.json after deployment) 41 41 + # - ATPROTO_CLIENT_ID (will be https://api.plyr.fm/oauth-client-metadata.json after deployment) 42 42 # - ATPROTO_REDIRECT_URI (will be https://api.plyr.fm/auth/callback after deployment) 43 43 # - OAUTH_ENCRYPTION_KEY (44-character base64 Fernet key, generate with: python -c 'from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())')

+5 -5

docs/backend/atproto-identity.md

··· 29 29 ### how it works 30 30 31 31 1. **client ID is a URL**: your `ATPROTO_CLIENT_ID` must be a publicly accessible HTTPS URL that serves client metadata JSON 32 32 - 2. **backend serves metadata**: plyr.fm serves this at `/client-metadata.json` on the API domain 32 32 + 2. **backend serves metadata**: plyr.fm serves this at `/oauth-client-metadata.json` on the API domain 33 33 3. **automatic discovery**: when users authenticate, their PDS fetches the client metadata from your client ID URL 34 34 35 35 ### configuration per environment 36 36 37 37 **production**: 38 38 - - `ATPROTO_CLIENT_ID=https://api.plyr.fm/client-metadata.json` 38 38 + - `ATPROTO_CLIENT_ID=https://api.plyr.fm/oauth-client-metadata.json` 39 39 - `ATPROTO_REDIRECT_URI=https://api.plyr.fm/auth/callback` 40 40 41 41 **staging**: 42 42 - - `ATPROTO_CLIENT_ID=https://api-stg.plyr.fm/client-metadata.json` 42 42 + - `ATPROTO_CLIENT_ID=https://api-stg.plyr.fm/oauth-client-metadata.json` 43 43 - `ATPROTO_REDIRECT_URI=https://api-stg.plyr.fm/auth/callback` 44 44 45 45 **local development**: 46 46 - - `ATPROTO_CLIENT_ID=http://localhost:8001/client-metadata.json` 46 46 + - `ATPROTO_CLIENT_ID=http://localhost:8001/oauth-client-metadata.json` 47 47 - `ATPROTO_REDIRECT_URI=http://localhost:8001/auth/callback` 48 48 49 49 ### important notes ··· 58 58 check that your client metadata is accessible: 59 59 60 60 ```bash 61 61 - curl https://api.plyr.fm/client-metadata.json 61 61 + curl https://api.plyr.fm/oauth-client-metadata.json 62 62 ``` 63 63 64 64 should return JSON with your OAuth configuration including redirect URIs and scopes.

+1 -1

docs/backend/configuration.md

··· 70 70 DATABASE_URL=postgresql+psycopg://user:pass@host/db 71 71 72 72 # oauth (uses client metadata discovery - no registration required) 73 73 - ATPROTO_CLIENT_ID=https://your-domain.com/client-metadata.json 73 73 + ATPROTO_CLIENT_ID=https://your-domain.com/oauth-client-metadata.json 74 74 ATPROTO_CLIENT_SECRET=<optional-client-secret> 75 75 ATPROTO_REDIRECT_URI=https://your-domain.com/auth/callback 76 76 OAUTH_ENCRYPTION_KEY=<base64-encoded-32-byte-key>

+2 -3

docs/deployment/environments.md

··· 116 116 - staging: `fm.plyr.stg` 117 117 - production: `fm.plyr` 118 118 - `ATPROTO_CLIENT_ID`, `ATPROTO_REDIRECT_URI` → oauth config (env-specific, must use custom domains for cookie-based auth) 119 119 - - production: `https://api.plyr.fm/client-metadata.json` and `https://api.plyr.fm/auth/callback` 120 120 - - staging: `https://api-stg.plyr.fm/client-metadata.json` and `https://api-stg.plyr.fm/auth/callback` 121 121 - - `OAUTH_ENCRYPTION_KEY` → unique per environment 119 119 + - production: `https://api.plyr.fm/oauth-client-metadata.json` and `https://api.plyr.fm/auth/callback` 120 120 + - staging: `https://api-stg.plyr.fm/oauth-client-metadata.json` and `https://api-stg.plyr.fm/auth/callback`- `OAUTH_ENCRYPTION_KEY` → unique per environment 122 121 - `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` → r2 credentials 123 122 - `LOGFIRE_WRITE_TOKEN`, `LOGFIRE_ENVIRONMENT` → observability config 124 123

+2 -2

docs/local-development/setup.md

··· 45 45 # DATABASE_URL=<neon-dev-connection-string> # neon dev 46 46 47 47 # oauth (uses client metadata discovery - no registration required) 48 48 - ATPROTO_CLIENT_ID=http://localhost:8001/client-metadata.json 48 48 + ATPROTO_CLIENT_ID=http://localhost:8001/oauth-client-metadata.json 49 49 ATPROTO_CLIENT_SECRET=<your-client-secret> 50 50 ATPROTO_REDIRECT_URI=http://localhost:5173/auth/callback 51 51 OAUTH_ENCRYPTION_KEY=<base64-encoded-32-byte-key> ··· 304 304 # should be: http://localhost:5173/auth/callback 305 305 306 306 # check ATPROTO_CLIENT_ID is accessible (should return client metadata JSON) 307 307 - curl http://localhost:8001/client-metadata.json 307 307 + curl http://localhost:8001/oauth-client-metadata.json 308 308 ``` 309 309 310 310 ### r2 upload failures