fix: Use authorization endpoint for IndieAuth code verification (v0.9.4)

IndieAuth authentication-only flows should redeem the code at the
authorization endpoint, not the token endpoint. The token endpoint
is only for authorization flows that need access tokens.

- Remove grant_type parameter (only needed for token flows)
- Change endpoint from /token to /authorize
- Update debug logging to reflect code verification flow

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

starpunk/auth.py

@@ -407,16 +407,20 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
 
     current_app.logger.debug(f"Auth: Issuer verified: {iss}")
 
-    # Prepare token exchange request with PKCE verifier
+    # Prepare code verification request with PKCE verifier
+    # Note: For authentication-only flows (identity verification), we use the
+    # authorization endpoint, not the token endpoint. grant_type is not needed.
+    # See IndieAuth spec: authorization endpoint for authentication,
+    # token endpoint for access tokens.
     token_exchange_data = {
-        "grant_type": "authorization_code",
         "code": code,
         "client_id": current_app.config["SITE_URL"],
         "redirect_uri": f"{current_app.config['SITE_URL']}auth/callback",
         "code_verifier": code_verifier,  # PKCE verification
     }
 
-    token_url = f"{current_app.config['INDIELOGIN_URL']}/token"
+    # Use authorization endpoint for authentication-only flow (identity verification)
+    token_url = f"{current_app.config['INDIELOGIN_URL']}/authorize"
 
     # Log the request (code_verifier will be redacted)
     _log_http_request(
@@ -427,7 +431,7 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
 
     # Log detailed httpx request info for debugging
     current_app.logger.debug(
-        "Auth: Sending token exchange request:\n"
+        "Auth: Sending code verification request to authorization endpoint:\n"
         "  Method: POST\n"
         "  URL: %s\n"
         "  Data: code=%s, client_id=%s, redirect_uri=%s, code_verifier=%s",
@@ -438,7 +442,7 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
         _redact_token(code_verifier),
     )
 
-    # Exchange code for identity (CORRECT ENDPOINT: /token)
+    # Exchange code for identity at authorization endpoint (authentication-only flow)
     try:
         response = httpx.post(
             token_url,
@@ -448,7 +452,7 @@ def handle_callback(code: str, state: str, iss: Optional[str] = None) -> Optiona
 
         # Log detailed httpx response info for debugging
         current_app.logger.debug(
-            "Auth: Received token exchange response:\n"
+            "Auth: Received code verification response:\n"
             "  Status: %d\n"
             "  Headers: %s\n"
             "  Body: %s",