Nope. It hits /api/v1/accounts/lookup where the username is the OAuth token encoded to look like a Nostr pubkey @ mostr.fedirelay.xyz. This causes your server to make a federation request where they simply monitor the logs and pull the token out of the username... absolutely nuts. Read the code. https://i.poastcdn.org/4ed28ef4fa5e18bfa5c1f75a5c1cc759f7b718c0b600e7e2fcc6d0cdb0215f15.txt

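A log check for the request shape described in the post above, as an added example (not part of the original post and not taken from the linked file): it flags `/api/v1/accounts/lookup` calls whose `acct` handle has a Nostr-pubkey-shaped local part on a remote domain. The combined access-log format, the sample lines and the `known_domains` allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP and request line of a combined-format access log (assumed format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Shapes a Nostr public key takes: 64 hex chars, or bech32 "npub1" + 58 chars.
PUBKEY_LIKE = re.compile(r'^(?:[0-9a-f]{64}|npub1[02-9ac-hj-np-z]{58})$', re.I)

def suspicious_lookups(lines, known_domains=frozenset()):
    """Return (client_ip, remote_domain, handle_prefix) for flagged lookups."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/api/v1/accounts/lookup":
            continue
        # parse_qs also decodes a percent-encoded "@" (%40) in the handle.
        for acct in parse_qs(url.query).get("acct", []):
            local, sep, domain = acct.lstrip("@").rpartition("@")
            if not sep:  # local handle, so no federation request is made
                continue
            domain = domain.lower()
            if PUBKEY_LIKE.match(local) and domain not in known_domains:
                # Keep only a prefix: the full value may be a live credential.
                hits.append((m["ip"], domain, local[:8]))
    return hits

# Constructed sample lines; client IPs are documentation addresses.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v1/accounts/lookup'
    '?acct=' + "ab" * 32 + '%40mostr.fedirelay.xyz HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v1/accounts/lookup'
    '?acct=alice@example.social HTTP/1.1" 200 498',
    '198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /api/v1/accounts/lookup'
    '?acct=bob HTTP/1.1" 200 470',
]

if __name__ == "__main__":
    for ip, domain, prefix in suspicious_lookups(SAMPLE):
        print(f"{ip} looked up {prefix}... on {domain}")
```

Ordinary lookups of bridged Nostr accounts have the same shape, so treat hits as triage leads and rotate any token a flagged client held.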