No, as those are trivially forgeable so I think it’s better to not even try to show them and just rely on the URL if there is one. Perhaps we could use the domain of the URL and use a NIP-05 _@domain to resolve to a pubkey if the flow is web-triggered.

There’s a callbackUrl that I forgot to document on the spec; I’ll write it up before I send the NIP PR