Alternative authentication methods like session cookies

[valpackett]

Currently, the spec prohibits any form of authentication other than Authorization and form body:

Micropub requests MUST be authenticated by including a Bearer Token in either the HTTP header or a form-encoded body parameter as described in the OAuth Bearer Token RFC

(side note: "the HTTP header" — missing "Authorization"?)

So using Micropub with cookie authentication (i.e. when you're logged into your own site and you use some JavaScript on the page — like micro-panel — to send Micropub requests) technically violates the current spec.

[aaronpk]

That's correct. Allowing cookie authentication opens up a bunch of cans of worms that I would really rather not deal with. In the case of your Micropub client on the same domain as your site, you don't really need a spec to tell you how to authenticate, so I don't think there's a problem really.