There's a federated identity spec and implementation: https://github.com/gitsocial-org/gitsocial/blob/main/documen.... For GH/GL, just an api call to verify signature, for custom domains, it's .well-known/gitmsg-id.json