We need domain ownership proof based authentication

DNS.live does this for its free web and DNS hosting [1]. All you need to do is sign any post&#x2F;api call with the private key associated with the address in control of your handshake tld.<p>An example is on github [2][3].<p>[1] <a href="https:&#x2F;&#x2F;dns.live&#x2F;hosting.html" rel="nofollow">https:&#x2F;&#x2F;dns.live&#x2F;hosting.html</a><p>[2] Server: <a href="https:&#x2F;&#x2F;github.com&#x2F;dnslive&#x2F;dnslive-webserv" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dnslive&#x2F;dnslive-webserv</a><p>[3] Client: <a href="https:&#x2F;&#x2F;github.com&#x2F;dnslive&#x2F;dnslive-webhost" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dnslive&#x2F;dnslive-webhost</a>

There is IndieAuth, which adapts OAuth 2 to work with URLs as identities (and being OAuth, can even do authorization): <a href="https:&#x2F;&#x2F;aaronparecki.com&#x2F;2018&#x2F;07&#x2F;07&#x2F;7&#x2F;oauth-for-the-open-web" rel="nofollow">https:&#x2F;&#x2F;aaronparecki.com&#x2F;2018&#x2F;07&#x2F;07&#x2F;7&#x2F;oauth-for-the-open-web</a><p><a href="https:&#x2F;&#x2F;indieauth.net&#x2F;" rel="nofollow">https:&#x2F;&#x2F;indieauth.net&#x2F;</a>