This seemed too complicated to do right off the bat but should definitely happen instead of relying on app (or regular!) password login.
It's possible that some of the crypto built in for OAuth could be used for sending/receiving yos, but it will probably be simpler to not use that since I'm starting with password auth.