While you're worrying about crafting the best possible way to log in with your Nostr keypair on different apps without leaking your key or comprosing your security or anything, Bluesky is just doing the username/password combo and now https://whtwnd.com/ has my username and password in raw format, which they use to get a JWT from a Bluesky server which they pass on in future API calls to publish stuff. Not even OAuth.