Well, seems like NIP-98 lacks some features needed for something like Blossom? Blossom wants to be server agnostic so it doesn't want to include the URL of the server it's uploading to in the auth event.

Also, why does NIP-98 use the "created_at" field instead of the NIP-40 expiry tag for limiting the valdiity of the auth event?

Would be nice if the two could be formed into one to keep things simple.