Currently the only thing it is sent that it can act on is the resource value. If that is also supposed to function as sort of a root URL of resources it gives access to, is it correct to assume the token endpoint can be discovered at that exact URL? (See first open Q.)

• @Zegnat ended up setting the resource as their root domain, which made it impossible to go get a token with the token endpoint only discoverable from the /martijn/ path. This was because of the assumption that resource was like realm in that it could be anything, but that stopped the ticket endpoint @dshanske was writing from ever redeeming. Short discussion in chat.. @jamietanna agrees with @Zegnat 's point about it being in the initial POST to the ticket endpoint, and matching the identity URL of the user who is providing access
• @jamietanna wondered if that was something that can be fixed by providing a specific iss/issuer value along with the resource in the POST to the ticket endpoint and added this to their proof of concept. Namely, should the iss matching the issuer of the token (i.e. the IndieAuth server's URL)
• It was pointed out that by putting the token endpoint header on a resource URL, you may be indicating there is something there. For example, you choose to have your private pages return 404. Then how does the ticket endpoint discover the token endpoint?