Client ID Metadata Documents

OAuth without the signup? Devs cheer, security folks clutch pearls

TLDR: CIMD lets apps use a URL instead of a pre-registered ID so logins can happen with less setup. The crowd is split between cheering instant, hassle-free auth—especially for AI tools—and warning about domain hijacks and spec churn, since it’s still a draft and could change.

Meet CIMD, the “use a URL as your app’s ID” move that’s rocking the login world. The spec is still an IETF draft, but that didn’t stop the internet from lighting up. Fans say it kills the dreaded pre-registration grind: just host a tiny JSON file at an HTTPS link, use that link as your ID, and the server fetches your info to show users a friendly app name and website. Zero forms, zero waiting, maximum vibes.

But the drama? Oh, it’s sizzling. Security purists warn that “URL-as-identity” is a romance until someone hijacks a domain. Supporters clap back: the server checks that the app’s website comes from the same origin as the metadata URL—built-in impersonation defense—and HTTPS certificates aren’t exactly papier-mâché. MCP (the Model Context Protocol for plugging AI tools together) is hyped: devs dream of instant auth for CLIs and desktop apps. Enterprise folks smell freedom from managing thousands of registrations. Skeptics roll eyes: “Another draft, another SDK rewrite.” Meanwhile, meme lords dubbed it the “No-Registration%” speedrun and posted mock client IDs like “https://trust.me/pls”. Stytch’s implementation got side-eye (“vendor push?”) and applause (“ship it!”). The mood: split between a frictionless future and footgun fears, with popcorn firmly in hand.

Key Points

  • CIMD is an IETF Internet-Draft that allows OAuth clients to use a metadata URL as the client_id.
  • Clients host a JSON metadata document at an HTTPS URL and provide that URL during OAuth flows.
  • Authorization servers fetch and validate the metadata and display client_name and client_uri on consent screens.
  • CIMD includes built-in protection against client impersonation via an origin check between the CIMD URL and client_uri.
  • Use cases include MCP for dynamic authentication, developer tools, and enterprise SaaS platforms with many integrations.
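
As an added example (not code from the draft, from Stytch, or from the original post), here is a minimal authorization-server-side validator for a metadata document that has already been fetched from a client_id URL, applying the checks the points above describe. The same-origin rule being compared as (scheme, host, port), the requirement that the document's own client_id equals the URL it came from, and the refusal of IP-literal and localhost hosts are this example's assumptions about how an implementer would harden the fetch, not text from the page.

```python
import ipaddress
from urllib.parse import urlsplit


def origin(url: str) -> tuple:
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlsplit(url)
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def validate_cimd(client_id: str, doc: dict) -> tuple:
    """Validate `doc`, the parsed JSON the AS fetched from `client_id`.

    Returns (ok, reason). No network access happens here; fetching is the caller's job.
    """
    p = urlsplit(client_id)
    host = (p.hostname or "").lower()
    if p.scheme != "https" or not host:
        return False, "client_id must be an https URL with a host"
    # Hardening assumption: the AS fetches a URL the client chose, so refuse
    # IP literals and localhost to keep that fetch off internal addresses.
    try:
        ipaddress.ip_address(host)
        return False, "client_id host must be a DNS name, not an IP literal"
    except ValueError:
        pass
    if host == "localhost" or host.endswith(".localhost"):
        return False, "client_id host must not be localhost"
    # Assumption: the document must name the exact URL it was fetched from,
    # so a document hosted at one URL cannot be claimed under another.
    if doc.get("client_id") != client_id:
        return False, "document client_id does not match the URL it was fetched from"
    name = doc.get("client_name")
    if not isinstance(name, str) or not name.strip():
        return False, "client_name missing or empty"
    client_uri = doc.get("client_uri")
    if not isinstance(client_uri, str) or origin(client_uri) != origin(client_id):
        return False, "client_uri must share scheme, host and port with the metadata URL"
    return True, "ok"


# Constructed sample inputs for illustration only, not real deployments.
CLIENT_ID = "https://app.example/oauth/client.json"
GOOD_DOC = {"client_id": CLIENT_ID, "client_name": "Example App",
            "client_uri": "https://app.example"}
SPOOFED_DOC = dict(GOOD_DOC, client_uri="https://trusted-bank.example")  # impersonation attempt
PORT_DOC = dict(GOOD_DOC, client_uri="https://app.example:8443")  # same host, different origin

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("spoofed", SPOOFED_DOC), ("port", PORT_DOC)):
        print(label, validate_cimd(CLIENT_ID, doc))
```

Only the document that names its own URL and whose client_uri shares the metadata URL's origin passes; the others are rejected before anything reaches a consent screen.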

Hottest takes

“URLs as IDs is cute until someone hijacks your DNS” — rootkit_raccoon
“Finally: OAuth without the Kafka ticketing ritual” — ship_it_friday
“No‑registration speedrun: 0 clicks, 100 regrets” — sarcasmOps

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.