@evan in GoActivityPub, an invalid signature returns a token "Anonymous" Actor entity that can be verified for permissions against the ACLs of the resource being requested. And in the case of public objects, the check succeeds.
Perhaps I got lucky until now, mostly relying on my own architecture for both clients and servers...
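
The fallback described in the post above, as an added sketch that is not part of the original post and is not GoActivityPub's code. All type and function names are hypothetical, and a bare Ed25519 signature over a constructed byte string stands in for HTTP Signature verification.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

const Public = "https://www.w3.org/ns/activitystreams#Public" // ActivityStreams public-audience IRI

// Actor and Object are hypothetical minimal types, not GoActivityPub's own.
type Actor struct {
	ID  string
	Key ed25519.PublicKey
}
type Object struct{ Audience []string } // actor IDs allowed to read, or Public

var Anonymous = Actor{ID: "anonymous"} // any requester that could not be authenticated

// ResolveActor degrades a missing, unknown or invalid signature to Anonymous instead of an error.
func ResolveActor(known map[string]Actor, keyID string, msg, sig []byte) Actor {
	a, ok := known[keyID]
	if !ok || len(a.Key) != ed25519.PublicKeySize || !ed25519.Verify(a.Key, msg, sig) {
		return Anonymous
	}
	return a
}

// CanRead is the ACL check: Public grants everyone, otherwise the actor ID must be listed.
func CanRead(a Actor, o Object) bool {
	for _, aud := range o.Audience {
		if aud == Public || (a.ID != Anonymous.ID && aud == a.ID) {
			return true
		}
	}
	return false
}

// Demo runs constructed requests: [bad sig on public, bad sig on private, good sig on private].
func Demo() [3]bool {
	pub, priv, _ := ed25519.GenerateKey(nil)
	alice := Actor{ID: "https://example.test/alice", Key: pub}
	known := map[string]Actor{alice.ID: alice}
	msg := []byte("GET /notes/2") // constructed stand-in for the signed request data
	public, private := Object{[]string{Public}}, Object{[]string{alice.ID}}
	forged := ResolveActor(known, alice.ID, msg, ed25519.Sign(priv, []byte("other")))
	valid := ResolveActor(known, alice.ID, msg, ed25519.Sign(priv, msg))
	return [3]bool{CanRead(forged, public), CanRead(forged, private), CanRead(valid, private)}
}

func main() { fmt.Println(Demo()) }
```

The invalid signature still reads the public object but is refused the private one, so a failed verification grants nothing beyond what an unauthenticated request already gets.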