From 73a3083c50654168e5bc87220cd0431ff9e135fb Mon Sep 17 00:00:00 2001 From: Peter Sanchez Date: Mon, 6 Jan 2025 16:22:55 -0600 Subject: [PATCH] Rearranging a few paragraphs to a more correct section --- oauth.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/oauth.md b/oauth.md index 4f29d1c..149e2a8 100644 --- a/oauth.md +++ b/oauth.md @@ -93,7 +93,7 @@ interpret them; they are passed verbatim to our OAuth 2.0 endpoints. The authorization endpoint (see [section 4.1.1][RFC 6749:4.1.1]) is `https://linktaco.com/oauth2/authorize`. Note that LinkTaco differs from the specification in that it REQUIRES the scope parameter to be provided; per -[section 3.3][RFC 6749:3.3] meta.sr.ht interprets the absence of the scope +[section 3.3][RFC 6749:3.3] LinkTaco interprets the absence of the scope parameter as an invalid scope and will cause the request to fail. ### The OAuth 2.0 consent page @@ -276,22 +276,7 @@ The `expires` date is in Unix epoch format. You can now use this token for [Authenticating API requests](#authenticating-api-requests). -# Authenticating API requests - -Authenticating your API request is simple once you have an access token. You -just need to set the `Authorization` header to `Bearer your-access-token`. For -example: - -```sh -oauth_token=your oauth token -curl \ - --oauth2-bearer "$oauth_token" \ - -H 'Content-Type: application/json' \ - -d '{"query": "{ version { major, minor, patch } }"}' \ - https://api.linktaco.com/query -``` - -## Refreshing access tokens +### Refreshing access tokens You can refresh an access token programmatically to avoid service disruptions. To refresh a token simply follow the same steps in "Obtaining an access token" 
@@ -304,19 +289,34 @@ Upon a successful refresh you will receive the same response json as when obtaining a new token. You should then update your own database with the new access token, refresh token, and expiration date. -## Rotating your client secret +### Rotating your client secret On the security tab of your OAuth 2.0 client's dashboard (which can be accessed from the [OAuth clients page][oauth clients]), you can rotate your client secret, in the event that it is compromised. -## Revoking access tokens +### Revoking access tokens On the security tab of your OAuth 2.0 client's dashboard (which can be accessed from the [OAuth clients page][oauth clients]), you can revoke all issued access tokens at once, in the event some or all of them are compromised. Users will have to repeat the authorization flow. +# Authenticating API requests + +Authenticating your API request is simple once you have an access token. You +just need to set the `Authorization` header to `Bearer your-access-token`. For +example: + +```sh +oauth_token=your oauth token +curl \ + --oauth2-bearer "$oauth_token" \ + -H 'Content-Type: application/json' \ + -d '{"query": "{ version { major, minor, patch } }"}' \ + https://api.linktaco.com/query +``` + # Documentation Attribution Our GraphQL setup is heavily based on the [SourceHut][srht] GraphQL services. -- 2.45.3
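Review bot: In the `@@ -93,7 +93,7 @@` hunk, the corrected sentence still says LinkTaco "differs from the specification" and then cites section 3.3 as the basis for the behaviour, which reads as contradictory. The clause "interprets the absence of the scope parameter as an invalid scope and will cause the request to fail" also switches subject halfway. Since the line is being touched anyway, consider rewording it, for example "per [section 3.3][RFC 6749:3.3], LinkTaco treats a missing scope parameter as an invalid scope and fails the request", and stating which error the client receives in that case.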
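Review bot: In the `@@ -276,22 +276,7 @@` hunk, "Refreshing access tokens" changes level from `##` to `###` in addition to the section move, which the subject line ("Rearranging a few paragraphs") does not mention. The heading now nests under whichever section precedes it, so please confirm that this is the intended parent and note the level change in the commit message. The context line linking to `#authenticating-api-requests` still resolves because the heading text is unchanged, but "You can now use this token for" is now followed directly by the refresh subsection rather than the section it points to, so a word such as "below" in that sentence would help readers.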
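Review bot: In the `@@ -304,19 +289,34 @@` hunk, the re-added example carries over `oauth_token=your oauth token` unchanged. Unquoted, a shell reads that line as running the command `oauth token` with `oauth_token=your` in its environment, so the variable is never set for the curl call that follows. Since the block is being moved anyway, quote the placeholder, for example `oauth_token='your-access-token'`, which also matches the `Bearer your-access-token` wording in the paragraph above it. The prose tells the reader to set the `Authorization` header while the example uses `--oauth2-bearer`; one sentence saying the flag sends that header would connect the two.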