Oddbean new post about login | logout Wait. What kind of client doesn't validate the signature of events before even mentioning their existence to the user? IMO if an event isn't compliant with the proper JSON format and also correctly signed, then the client should reject it at the lowest level possible and pretend it never received it at all.