@scrwd I think it's just OAuth. When you authorize Pixelfed to use your Mastodon-Account, pixelfed also knows that you're the owner of that account. Basically the same as Login with Twitter and Login with Facebook works.

@pixelfed I think the access rights can still be reduced. It is not directly obvious from the developer section of Mastodon, but you can still request fewer rights than read-only access with the right Parameters for the auth page, when you don't need them for more than login.