@Ton, I assume this means, then, that on your server side you maintain a list of Circles-like lists of IndieAuth IDs and what content-access-level each has?

After that, reading your post again, and your comment, and staring at the flow diagram for awhile, it looks like AutoAuth is simply a way of handing out long-lasting tokens that allow access to restricted content.

So, for example, if my RSS reader passes an AutoAuth token to your RSS endpoint, and you’ve set me up in the “Friends” circle, then I get RSS passed to me that includes content marked as “Friends-only” in your CMS.

Without AutoAuth, I would have to authenticate to your website through my RSS reader every time the feed gets refreshed. Which would be annoying.