Thanks for your reply! Please feel free to email me if you want to talk about this more (email is in profile). To reply to your points:
1) I mainly noticed the permalink leading to the "forum" domain instead of the page the user is currently on (like Disqus does).
2) The easiest way would be for me to receive an API key from you beforehand, and send you the user's email if you need that (e.g. to email them), or just a random-looking user ID, along with HMAC((email/id, timestamp), API key). This way you can replay the HMAC and prove that I know the API key I'm authenticating this user with. The timestamp is there to prevent replay attacks later on (e.g. to expire the signature after X minutes).
3) Ah, I got confused because I closed the page at some point and came back, and was getting some errors I don't remember now but that were confusing me at the time. When I realized I can just continue the flow, it worked, but yes, I would have liked it to be a bit more straightforward. I tried to log in with Twitter but you wanted write permissions, so I didn't.
4) Hmm, the way Disqus does it is by linking to https://<theblog>.com/<post>#commentid and then using JS to scroll to the element pointed to by the hash. I don't think message passing is required?
In any case, your system was the most visually pleasing and easy to compose with of the five I've tried, so I'd be quite eager to implement it in a side-project I'm working on now. It's at a very early stage, but I'd be glad to give you feedback and pay for the product down the line (although I don't anticipate the project ever making any money or having many users, so I probably won't be able to pay much).
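The signed-login scheme from point 2, as an added example that is not part of the original comment and is not either party's code: the embedding site signs (user id, timestamp) with the shared API key, and the comment service recomputes the HMAC and enforces the expiry. The function names, the field encoding, HMAC-SHA256, the 300-second window and the 30-second clock-skew allowance are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

MAX_AGE_SECONDS = 300    # assumed value for the "X minutes" expiry
MAX_SKEW_SECONDS = 30    # assumed tolerance for clocks that disagree


def _message(user_id: str, timestamp: int) -> bytes:
    # Length-prefix the id so two different (id, timestamp) pairs can never
    # serialize to the same bytes, e.g. ("ab", 12) versus ("ab1", 2).
    uid = user_id.encode("utf-8")
    return b"%d:%s:%d" % (len(uid), uid, timestamp)


def sign_login(api_key: bytes, user_id: str, now: Optional[int] = None) -> dict:
    """Embedding site: build the values handed to the comment service."""
    ts = int(time.time()) if now is None else now
    sig = hmac.new(api_key, _message(user_id, ts), hashlib.sha256).hexdigest()
    return {"user": user_id, "ts": ts, "sig": sig}


def verify_login(api_key: bytes, token: dict, now: Optional[int] = None) -> bool:
    """Comment service: recompute the HMAC, then enforce the expiry window."""
    current = int(time.time()) if now is None else now
    try:
        user_id = str(token["user"])
        ts = int(token["ts"])
        sig = str(token["sig"]).encode("utf-8")
    except (KeyError, TypeError, ValueError):
        return False  # malformed token: reject without computing anything
    expected = hmac.new(api_key, _message(user_id, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(expected.encode("utf-8"), sig):
        return False
    # Reject expired signatures and ones dated implausibly far in the future.
    age = current - ts
    return -MAX_SKEW_SECONDS <= age <= MAX_AGE_SECONDS
```

Inside the window the same token still verifies more than once; a service that needs single-use logins would also have to remember the signatures it has accepted until they expire.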