sequenceDiagram
    participant PLC as PLC / DID Host
    participant ID as Identity / Handle Resolution
    participant Client as Client App
    participant User as User/Browser
    participant AS as Authorization Server<br/>(PDS/Entryway)
    participant CIMD as CIMD Document
    participant RS as Resource Server<br/>(PDS)

    Note over ID: Typically over DNS or HTTP, but could<br/>also be a caching server like slingshot.

    Note over Client,RS: 1. Identity Resolution Phase
    Client->>Client: Start with Handle/DID<br/>or Server URL
    Client->>ID: Resolve Handle → DID
    ID->>Client: 
    Client->>PLC: Fetch DID Document
    PLC->>Client: Retrieve PDS Service from DID Document
    Client->>RS: Fetch OAuth Protected<br/>Resource Metadata<br>from PDS Service
    RS->>Client: Retrieve Authorization<br/>Server URL
    Client->>AS: Fetch Authorization<br/>Server Metadata

    Note over Client,RS: 2. Authorization Request (PAR)
    Client->>Client: Generate PKCE code_verifier<br/>& code_challenge
    Client->>Client: Generate DPoP keypair<br/>& state token
    Client->>AS: POST PAR with:<br/>- code_challenge<br/>- scopes (atproto)<br/>- redirect_uri<br/>- login_hint (optional)<br/>- client_assertion (confidential)
    AS-->>Client: Error: DPoP nonce required
    Client->>AS: Retry PAR with DPoP nonce
    AS-->>Client: Returns request_uri

    Note over Client,RS: 3. User Authorization
    Client->>User: Redirect to Authorization<br/>Endpoint with request_uri
    AS->>AS: Authenticate User
    AS->>CIMD: Fetch Client ID<br>Metadata Document
    CIMD->>AS:
    User->>AS: Approve
    AS->>User: Redirect to redirect_uri<br/>with code, state, iss
    Note over AS: OR
    User->>AS: Deny
    AS->>User: Redirect if redirect_uri is<br>valid for client<br>with error=access_denied

    Note over Client,RS: 4. Token Request, unless error parameter
    User->>Client: Callback with code
    Client->>Client: Verify state matches
    Client->>Client: Verify iss matches AS URL
    Client->>AS: POST Token Request:
    Note over Client,AS: Sends:<br>- code<br/>- code_verifier (PKCE)<br/>- DPoP proof<br/>- client_assertion (confidential)
    AS-->>Client: Token Response
    Note over AS,Client: Returns:<br/>- access_token<br/>- refresh_token<br/>- sub (DID)<br>-Expiry Info
    Client->>Client: Verify sub DID matches<br/>expected account DID

    Note over Client,RS: 5. Resource Access
    Client->>RS: Request Resource with:<br/>- DPoP proof (with auth)<br/>- access_token
    RS-->>Client: Error: DPoP nonce required
    Client->>RS: Retry with DPoP nonce
    RS-->>Client: Returns Resource

    Note over Client,RS: 6. Token Refresh (when expired, or near expiring)
    Client->>AS: POST Token Refresh
    Note over Client,AS: Sends:<br/>- refresh_token<br/>- DPoP proof<br/>- client_assertion (confidential)
    AS-->>Client: Returns new tokens