That sounds like it would be dangerously MITM-able. Then any invite or link in Matrix is equivalent to "let me log in as you" on some other random service.
Ah, you're right, that would be pretty dangerous. I was hoping it'd be possible to avoid sending an OTP token the user has to paste, but I suppose that's necessary to bind the two contexts together.
Then I guess I'd have the backend send the user a link with an auth token after joining, that way at least no pasting needs to happen.