I guess bunker://pubkey-in-bunker?relay=x was the original url Pablo came up with, but then he simplified it to just npub of pubkey in bunker (assuming app connects to his relay). And then Pablo invented a token that is nsecbunker specific thing, a pre-approved set of permissions. I would say you could go with bunker:// url, while we figure out a better oauth like ux.