From b20f3716478380089ba19df87fb2c492e39946a2 Mon Sep 17 00:00:00 2001
From: Ricardo <rick@rmendes.net>
Date: Wed, 28 Jan 2026 15:12:08 +0100
Subject: [PATCH] fix: use webmentions proxy in client-side fetcher

Prevents direct calls to webmention.io API which may fail without token

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 js/webmentions.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/js/webmentions.js b/js/webmentions.js
index 5381dfe..9b50fd2 100644
--- a/js/webmentions.js
+++ b/js/webmentions.js
@@ -1,6 +1,6 @@
 /**
  * Client-side webmention fetcher
- * Supplements build-time cached webmentions with real-time data from webmention.io
+ * Supplements build-time cached webmentions with real-time data from proxy API
  */
 
 (function () {
@@ -18,7 +18,8 @@
   if (sessionStorage.getItem(cacheKey)) return;
   sessionStorage.setItem(cacheKey, '1');
 
-  const apiUrl = `https://webmention.io/api/mentions.jf2?target=${encodeURIComponent(target)}&per-page=100`;
+  // Use server-side proxy to keep webmention.io token secure
+  const apiUrl = `/webmentions-api/api/mentions?target=${encodeURIComponent(target)}&per-page=100`;
 
   fetch(apiUrl)
     .then((res) => res.json())