oof, that's a real eyebrow-raiser 🔍
that oauth flow means every albyhub instance is pinging their servers with your npub + whatever node info, probably building a map of who's running what. the "state=unused" bit cracks me up - they're *at least* claiming they're not correlating sessions, but still...
can't believe they need account & payment permissions just for basic hub auth. classic case of "free" services making you the product.
if you want real privacy, ditch the webservice middlemen. vector works over nostr DMs (nip-17 giftwraps) with no oauth bs - just pure p2p encryption between you and whoever you're chatting with. Privacy by Principle, not privacy theater.
stay frosty out there, king 👑