Merge c94b54dab1 into 65b1db721d

2026-04-24 11:44:08 +02:00 · 2025-04-15 18:24:49 +01:00
15 changed files with 192 additions and 257 deletions
--- a/assets/scss/_styles_project.scss
+++ b/assets/scss/_styles_project.scss
@ -316,19 +316,13 @@ Custom SCSS for the Matrix spec
  h2 {
    font-weight: $font-weight-bold;
    font-size: 1.3rem;
-    margin: 1.5rem 0 1rem 0;
+    margin: 3rem 0 .5rem 0;
  }
  h3 {
    font-weight: $font-weight-bold;
    font-size: 1.1rem;
-    margin: 1.5rem 0 1rem 0;
+    margin: 1.5rem 0 .75rem 0;
  }
  /* Reduce top margin of h3 if previous sibling is a h2 */
  h2 + h3 {
    margin-top: 1rem;
  }
  hr {
@ -373,6 +367,11 @@ Custom SCSS for the Matrix spec
      }
    }
    // add some space between two tables when they are right next to each other
    & + table {
        margin-top: 4rem;
    }
    caption {
      caption-side: top;
      color: $dark;
@ -444,17 +443,6 @@ Custom SCSS for the Matrix spec
    }
  }
  /* Have consistent spacing around tables and examples */
  table, .highlight {
    margin-top: 0;
    margin-bottom: 2rem;
    /* We don't need the margin on the last child of the .rendered-data block */
    &:last-child {
      margin-bottom: 0;
    } 
  }
  pre {
    border: 0;
    border-left: solid 5px $secondary;
--- a/changelogs/client_server/newsfragments/2083.clarification
+++ b/changelogs/client_server/newsfragments/2083.clarification
@ -1,2 +0,0 @@
 Clarify the format of third-party invites, including the fact that identity
 server public keys can be encoded using standard or URL-safe base64.
--- a/changelogs/identity_service/newsfragments/2083.clarification
+++ b/changelogs/identity_service/newsfragments/2083.clarification
@ -1 +0,0 @@
 Clarify that public keys can be encoded using standard or URL-safe base64.
--- a/changelogs/internal/newsfragments/2081.clarification
+++ b/changelogs/internal/newsfragments/2081.clarification
@ -1 +0,0 @@
 Adjust margins in rendered endpoints.
--- a/changelogs/server_server/newsfragments/2083.clarification
+++ b/changelogs/server_server/newsfragments/2083.clarification
@ -1,2 +0,0 @@
 Clarify the format of third-party invites, including the fact that identity
 server public keys can be encoded using standard or URL-safe base64.
--- a/content/client-server-api/modules/third_party_invites.md
+++ b/content/client-server-api/modules/third_party_invites.md
@ -5,8 +5,8 @@ This module adds in support for inviting new members to a room where
 their Matrix user ID is not known, instead addressing them by a third-party
 identifier such as an email address. There are two flows here; one
 if a Matrix user ID is known for the third-party identifier, and one if
-not. Either way, the client calls [`/invite`](#thirdparty_post_matrixclientv3roomsroomidinvite)
+not. Either way, the client calls [`/invite`](#post_matrixclientv3roomsroomidinvite) with the details of the
-with the details of the third-party identifier.
+third-party identifier.
 The homeserver asks the identity server whether a Matrix user ID is
 known for that identifier:
@ -37,12 +37,10 @@ A client asks a server to invite a user by their third-party identifier.
 #### Server behaviour
-Upon receipt of an [`/invite`](#thirdparty_post_matrixclientv3roomsroomidinvite),
+Upon receipt of an [`/invite`](#post_matrixclientv3roomsroomidinvite), the server is expected to look up the
-the server is expected to look up the third-party identifier with the provided
+third-party identifier with the provided identity server. If the lookup
-identity server by making a call to [`/_matrix/identity/v2/lookup`](/identity-service-api/#post_matrixidentityv2lookup).
+yields a result for a Matrix User ID then the normal invite process can
-If the lookup yields a result for a Matrix User ID then the normal [invite
+be initiated. This process ends up looking like this:
 process](/server-server-api/#inviting-to-a-room) can be initiated. This process
 ends up looking like this:
 ```
    +---------+                         +-------------+                                    +-----------------+
@ -68,11 +66,10 @@ ends up looking like this:
        |                                     |                                                    |
 ```
-However, if the lookup does not yield a bound User ID, the homeserver must store
+However, if the lookup does not yield a bound User ID, the homeserver
-the invite on the identity server with a call to
+must store the invite on the identity server and emit a valid
-[`/_matrix/identity/v2/store-invite`](/identity-service-api/#post_matrixidentityv2store-invite)
+`m.room.third_party_invite` event to the room. This process ends up
-and emit a valid [`m.room.third_party_invite`](#mroomthird_party_invite) event
+looking like this:
 to the room. This process ends up looking like this:
 ```
    +---------+                         +-------------+                                               +-----------------+
@ -104,19 +101,16 @@ to the room. This process ends up looking like this:
        |                                     |                                                               |
 ```
-The third-party user will then need to verify their identity, which results in a
+All homeservers MUST verify the signature in the event's
 request to [`/_matrix/federation/v1/3pid/onbind`](/server-server-api/#put_matrixfederationv13pidonbind)
 from the identity server to the homeserver that bound the third-party identifier
 to a user. The homeserver then exchanges the `m.room.third_party_invite` event
 in the room for a complete [`m.room.member`](#mroommember) event with
 `content.membership: invite` and a `content.third_party_invite` property for the
 user that has bound the third-party identifier. If the invitee is on a different
 homeserver than the inviting user, the invitee's homeserver makes a request to
 [`/_matrix/federation/v1/exchange_third_party_invite/{roomId}`](/server-server-api/#put_matrixfederationv1exchange_third_party_inviteroomid).
 All homeservers MUST verify the signature in the `m.room.member` event's
 `content.third_party_invite.signed` object.
 The third-party user will then need to verify their identity, which
 results in a call from the identity server to the homeserver that bound
 the third-party identifier to a user. The homeserver then exchanges the
 `m.room.third_party_invite` event in the room for a complete
 `m.room.member` event for `membership: invite` for the user that has
 bound the third-party identifier.
 If a homeserver is joining a room for the first time because of an
 `m.room.third_party_invite`, the server which is already participating
 in the room (which is chosen as per the standard server-server
@ -199,8 +193,8 @@ at any time - the completion is not shown in the diagram.
 H1 MUST verify the request from H3 to ensure the `signed` property is
 correct as well as the `key_validity_url` as still being valid. This is
-done by making a request to the identity server's
+done by making a request to the [identity server
-[`/pubkey/isvalid`](/identity-service-api/#get_matrixidentityv2pubkeyisvalid)
+/isvalid](/identity-service-api/#get_matrixidentityv2pubkeyisvalid)
 endpoint, using the provided URL rather than constructing a new one. The
 query string and response for the provided URL must match the Identity
 Service Specification.
--- a/content/server-server-api.md
+++ b/content/server-server-api.md
@ -970,8 +970,9 @@ the event to other servers in the room.
 ## Third-party invites
 {{% boxes/note %}}
-More information about third-party invites is available in the Client-Server API
+More information about third-party invites is available in the
-under the [Third-party invites](/client-server-api/#third-party-invites) module.
+[Client-Server API](/client-server-api) under
 the Third-party Invites module.
 {{% /boxes/note %}}
 When a user wants to invite another user in a room but doesn't know the
@ -984,41 +985,38 @@ API](/identity-service-api).
 ### Cases where an association exists for a third-party identifier
-If the third-party identifier is already bound to a Matrix ID, a [lookup
+If the third-party identifier is already bound to a Matrix ID, a lookup
-request](/identity-service-api/#post_matrixidentityv2lookup) on the identity
+request on the identity server will return it. The invite is then
-server will return it. The invite is then processed by the inviting homeserver
+processed by the inviting homeserver as a standard `m.room.member`
-as a [standard `m.room.member` invite event](#inviting-to-a-room). This is the
+invite event. This is the simplest case.
 simplest case.
 ### Cases where an association doesn't exist for a third-party identifier
 If the third-party identifier isn't bound to any Matrix ID, the inviting
-homeserver will request the identity server to [store an invite](/identity-service-api/#invitation-storage)
+homeserver will request the identity server to store an invite for this
-for this identifier and to deliver it to whoever binds it to its Matrix ID. It
+identifier and to deliver it to whoever binds it to its Matrix ID. It
-will also send an [`m.room.third_party_invite`](/client-server-api/#mroomthird_party_invite)
+will also send an `m.room.third_party_invite` event in the room to
-event in the room to specify a display name, a token and public keys the
+specify a display name, a token and public keys the identity server
-identity server provided as a response to the invite storage request.
+provided as a response to the invite storage request.
-When a third-party identifier with pending invites gets bound to a Matrix ID,
+When a third-party identifier with pending invites gets bound to a
-the identity server will send a request to the [`/3pid/onbind`](#put_matrixfederationv13pidonbind)
+Matrix ID, the identity server will send a POST request to the ID's
-endpoint of the the ID's homeserver as described in the [Invitation
+homeserver as described in the [Invitation
-Storage](/identity-service-api#invitation-storage) section of the Identity
+Storage](/identity-service-api#invitation-storage)
-Service API.
+section of the Identity Service API.
 The following process applies for each invite sent by the identity
 server:
-The invited homeserver will create an [`m.room.member`](/client-server-api/#mroommember)
+The invited homeserver will create an `m.room.member` invite event
-invite event containing a special `third_party_invite` section containing the
+containing a special `third_party_invite` section containing the token
-token and a `signed` object, both provided by the identity server.
+and a signed object, both provided by the identity server.
 If the invited homeserver is in the room the invite came from, it can
 auth the event and send it.
 However, if the invited homeserver isn't in the room the invite came
-from, it will need to request the inviting homeserver to auth the event
+from, it will need to request the room's homeserver to auth the event.
 at the [`/exchange_third_party_invite`](#put_matrixfederationv1exchange_third_party_inviteroomid)
 endpoint.
 {{% http-api spec="server-server" api="third_party_invite" %}}
--- a/data/api/client-server/third_party_membership.yaml
+++ b/data/api/client-server/third_party_membership.yaml
@ -57,6 +57,9 @@ paths:
        - A signature of the token, signed with the identity server's private key
        - The matrix user ID who invited them to the room
        If a token is requested from the identity server, the homeserver will
        append a `m.room.third_party_invite` event to the room.
      operationId: inviteBy3PID
      security:
        - accessTokenQuery: []
@ -69,8 +72,6 @@ paths:
          example: "!d41d8cd:matrix.org"
          schema:
            type: string
            format: mx-room-id
            pattern: "^!"
      requestBody:
        content:
          application/json:
@ -89,9 +90,7 @@ paths:
                  value: {}
        "403":
          description: |-
-            You do not have permission to invite the user to the room. A
+            You do not have permission to invite the user to the room. A meaningful `errcode` and description error text will be returned. Example reasons for rejections are:
            meaningful `errcode` and description error text will be returned.
            Example reasons for rejections are:
            - The invitee has been banned from the room.
            - The invitee is already a member of the room.
--- a/data/api/identity/v2_pubkey.yaml
+++ b/data/api/identity/v2_pubkey.yaml
@ -43,8 +43,7 @@ paths:
                properties:
                  public_key:
                    type: string
-                    description: |-
+                    description: Unpadded Base64 encoded public key.
                      [Unpadded Base64](/appendices/#unpadded-base64)-encoded public key.
                required:
                  - public_key
              examples:
@ -75,8 +74,7 @@ paths:
        - in: query
          name: public_key
          required: true
-          description: |-
+          description: The unpadded base64-encoded public key to check.
            The [unpadded Base64](/appendices/#unpadded-base64)-encoded public key to check.
          example: VXuGitF39UH5iRfvbIknlvlAVKgD1BsLDMvBf0pmp7c
          schema:
            type: string
@ -107,14 +105,7 @@ paths:
        - in: query
          name: public_key
          required: true
-          description: |-
+          description: The unpadded base64-encoded public key to check.
            The [unpadded Base64](/appendices/#unpadded-base64)-encoded public
            key to check.
            This MUST be the exact same encoded string returned in the response
            of the [`/store-invite`](/identity-service-api/#post_matrixidentityv2store-invite)
            endpoint, or found in the corresponding [`m.room.third_party_invite`](/client-server-api/#mroomthird_party_invite)
            event, so it may use the standard or URL-safe alphabets.
          example: VXuGitF39UH5iRfvbIknlvlAVKgD1BsLDMvBf0pmp7c
          schema:
            type: string
--- a/data/api/identity/v2_store_invite.yaml
+++ b/data/api/identity/v2_store_invite.yaml
@ -42,7 +42,7 @@ paths:
        (if present) from the request here.
        Also, the generated ephemeral public key will be listed as valid on
-        requests to [`/_matrix/identity/v2/pubkey/ephemeral/isvalid`](/identity-service-api/#get_matrixidentityv2pubkeyephemeralisvalid).
+        requests to `/_matrix/identity/v2/pubkey/ephemeral/isvalid`.
        Currently, invites may only be issued for 3pids of the `email` medium.
@ -70,14 +70,10 @@ paths:
                room_id:
                  type: string
                  description: The Matrix room ID to which the user is invited
                  format: mx-room-id
                  pattern: "^!"
                  example: "!something:example.org"
                sender:
                  type: string
                  description: The Matrix user ID of the inviting user
                  format: mx-user-id
                  pattern: "^@"
                  example: "@bob:example.com"
                room_alias:
                  type: string
@ -85,16 +81,12 @@ paths:
                    The Matrix room alias for the room to which the user is
                    invited. This should be retrieved from the `m.room.canonical_alias`
                    state event.
                  format: mx-room-alias
                  pattern: "^#"
                  example: "#somewhere:example.org"
                room_avatar_url:
                  type: string
                  description: |-
                    The Content URI for the room to which the user is invited. This should
                    be retrieved from the `m.room.avatar` state event.
                  format: mx-mxc-uri
                  pattern: "^mxc:\\/\\/"
                  example: mxc://example.org/s0meM3dia
                room_join_rules:
                  type: string
@ -116,8 +108,6 @@ paths:
                  type: string
                  description: The Content URI for the avatar of the user ID initiating the
                    invite.
                  format: mx-mxc-uri
                  pattern: "^mxc:\\/\\/"
                  example: mxc://example.org/an0th3rM3dia
                room_type:
                  type: string
@ -156,7 +146,7 @@ paths:
                        public_key:
                          type: string
                          description: |
-                            The public key, encoded using standard or URL-safe [unpadded Base64](/appendices/#unpadded-base64).
+                            The public key, encoded using [unpadded Base64](/appendices/#unpadded-base64).
                        key_validity_url:
                          type: string
                          description: |
--- a/data/api/server-server/third_party_invite.yaml
+++ b/data/api/server-server/third_party_invite.yaml
@ -35,8 +35,6 @@ paths:
          example: "!abc123:matrix.org"
          schema:
            type: string
            format: mx-room-id
            pattern: "^!"
      requestBody:
        content:
          application/json:
@ -52,22 +50,16 @@ paths:
                  description: |-
                    The room ID the event is for. Must match the ID given in
                    the path.
                    format: mx-room-id
                    pattern: "^!"
                  example: "!abc123:matrix.org"
                sender:
                  type: string
                  description: |-
                    The user ID of the user who sent the original `m.room.third_party_invite`
                    event.
                  format: mx-user-id
                  pattern: "^@"
                  example: "@joe:matrix.org"
                state_key:
                  type: string
                  description: The user ID of the invited user
                  format: mx-user-id
                  pattern: "^@"
                  example: "@someone:example.org"
                content:
                  type: object
@ -90,7 +82,45 @@ paths:
                            third-party identifier.
                          example: alice
                        signed:
-                          $ref: ../../event-schemas/schema/components/signed_third_party_invite.yaml
+                          type: object
                          description: |-
                            A block of content which has been signed, which servers can use to
                            verify the event.
                          title: Invite Signatures
                          properties:
                            signatures:
                              type: object
                              title: Signatures
                              additionalProperties:
                                type: object
                                additionalProperties:
                                  type: string
                              description: |-
                                The server signatures for this event.
                                The signature is calculated using the process
                                described at [Signing JSON](/appendices/#signing-json).
                              example:
                                magic.forest:
                                  ed25519:3: fQpGIW1Snz+pwLZu6sTy2aHy/DYWWTspTJRPyNp0PKkymfIsNffysMl6ObMMFdIJhk6g6pwlIqZ54rxo8SLmAg
                            mxid:
                              type: string
                              description: The invited matrix user ID
                              example: "@alice:localhost"
                            token:
                              type: string
                              description: The token used to verify the event
                              example: abc123
                          required:
                            - signatures
                            - mxid
                            - token
                          example:
                            mxid: "@alice:localhost"
                            token: abc123
                            signatures:
                              magic.forest:
                                ed25519:3: fQpGIW1Snz+pwLZu6sTy2aHy/DYWWTspTJRPyNp0PKkymfIsNffysMl6ObMMFdIJhk6g6pwlIqZ54rxo8SLmAg
                      required:
                        - display_name
                        - signed
@ -185,8 +215,6 @@ paths:
                mxid:
                  type: string
                  description: The user that is now bound to the third-party identifier.
                  format: mx-user-id
                  pattern: "^@"
                  example: "@alice:matrix.org"
                invites:
                  type: array
@ -209,23 +237,59 @@ paths:
                      mxid:
                        type: string
                        description: The now-bound user ID that received the invite.
                        format: mx-user-id
                        pattern: "^@"
                        example: "@alice:matrix.org"
                      room_id:
                        type: string
                        description: The room ID the invite is valid for.
                        format: mx-room-id
                        pattern: "^!"
                        example: "!somewhere:example.org"
                      sender:
                        type: string
                        description: The user ID that sent the invite.
                        format: mx-user-id
                        pattern: "^@"
                        example: "@bob:matrix.org"
                      # TODO (TravisR): Make this reusable when doing IS spec changes
                      #   also make sure it isn't lying about anything, like the key version
                      signed:
-                        $ref: ../../event-schemas/schema/components/signed_third_party_invite.yaml
+                        type: object
                        title: Identity Server Signatures
                        description: |-
                          Signature from the identity server using a long-term private
                          key.
                        properties:
                          mxid:
                            type: string
                            description: |-
                              The user ID that has been bound to the third-party
                              identifier.
                            example: "@alice:matrix.org"
                          token:
                            type: string
                            # TODO: What is this actually?
                            description: A token.
                            example: Hello World
                          signatures:
                            type: object
                            title: Identity Server Signature
                            description: |-
                              The signature from the identity server. The `string` key
                              is the identity server's domain name, such as vector.im
                            additionalProperties:
                              type: object
                              title: Identity Server Domain Signature
                              description: The signature for the identity server.
                              properties:
                                ed25519:0:
                                  type: string
                                  description: The signature.
                                  example: SomeSignatureGoesHere
                              required:
                                - ed25519:0
                            example:
                              vector.im:
                                ed25519:0: SomeSignatureGoesHere
                        required:
                          - mxid
                          - token
                          - signatures
                    required:
                      - medium
                      - address
--- a/data/event-schemas/schema/components/signed_third_party_invite.yaml
+++ b/data/event-schemas/schema/components/signed_third_party_invite.yaml
@ -1,45 +0,0 @@
 title: SignedThirdPartyInvite
 description: |-
  A block of content which has been signed by the identity server, which
  homeservers can use to verify the event. Clients should ignore this.
 type: object
 properties:
  mxid:
    description: |-
      The user ID that has been bound to the third-party identifier.
    type: string
    format: mx-user-id
    pattern: "^@"
    example: "@alice:example.org"
  signatures:
    title: IdentityServerSignatures
    description: |-
      The identity server signatures for this block. This is a map of identity
      server name to signing key identifier to base64-encoded signature.
      The signatures are calculated using the process described at
      [Signing JSON](/appendices/#signing-json).
    type: object
    additionalProperties:
      type: object
      additionalProperties:
        type: string
    example: {
      "magic.forest": {
        "ed25519:3": "fQpGIW1Snz+pwLZu6sTy2aHy/DYWWTspTJRPyNp0PKkymfIsNffysMl6ObMMFdIJhk6g6pwlIqZ54rxo8SLmAg"
      }
    }
  token:
    description: |-
      The token generated by the identity server at the
      [`/store_invite`](/identity-service-api/#post_matrixidentityv2store-invite)
      endpoint.
      It matches the `state_key` of the corresponding [`m.room.third_party_invite`](/client-server-api/#mroomthird_party_invite)
      event.
    type: string
    example: "abc123"
 required:
  - mxid
  - signatures
  - token
--- a/data/event-schemas/schema/m.room.member.yaml
+++ b/data/event-schemas/schema/m.room.member.yaml
@ -2,27 +2,17 @@
 allOf:
  - $ref: core-event-schema/state_event.yaml
 description: |-
-  Adjusts the membership state for a user in a room. It is preferable to use the membership APIs
+  Adjusts the membership state for a user in a room. It is preferable to use the membership APIs (`/rooms/<room id>/invite` etc) when performing membership actions rather than adjusting the state directly as there are a restricted set of valid transformations. For example, user A cannot force user B to join a room, and trying to force this state change directly will fail.
  (`/rooms/<room id>/invite` etc) when performing membership actions rather than adjusting the
  state directly as there are a restricted set of valid transformations. For example, user A cannot
  force user B to join a room, and trying to force this state change directly will fail.
  The following membership states are specified:
-  - `invite` - The user has been invited to join a room, but has not yet joined it. They may not
+  - `invite` - The user has been invited to join a room, but has not yet joined it. They may not participate in the room until they join.
-    participate in the room until they join.
+  - `join` - The user has joined the room (possibly after accepting an invite), and may participate in it.
-  - `join` - The user has joined the room (possibly after accepting an invite), and may participate
+  - `leave` - The user was once joined to the room, but has since left (possibly by choice, or possibly by being kicked).
-    in it.
+  - `ban` - The user has been banned from the room, and is no longer allowed to join it until they are un-banned from the room (by having their membership state set to a value other than `ban`).
-  - `leave` - The user was once joined to the room, but has since left (possibly by choice, or
+  - `knock` - The user has knocked on the room, requesting permission to participate. They may not participate in the room until they join.
    possibly by being kicked).
  - `ban` - The user has been banned from the room, and is no longer allowed to join it until they
    are un-banned from the room (by having their membership state set to a value other than `ban`).
  - `knock` - The user has knocked on the room, requesting permission to participate. They may not
    participate in the room until they join.
-  The `third_party_invite` property will be set if this invite is an `invite` event and is the
+  The `third_party_invite` property will be set if this invite is an `invite` event and is the successor of an `m.room.third_party_invite` event, and absent otherwise.
  successor of an [`m.room.third_party_invite`](/client-server-api/#mroomthird_party_invite) event,
  and absent otherwise.
  This event may also include an `invite_room_state` key inside the event's `unsigned` data.
  If present, this contains an array of [stripped state events](/client-server-api/#stripped-state)
@ -67,54 +57,63 @@ properties:
          - ban
        type: string
      is_direct:
-        description: |-
+        description: Flag indicating if the room containing this event was created with the intention of being a direct chat. See [Direct Messaging](/client-server-api/#direct-messaging).
          Flag indicating if the room containing this event was created with the intention of being
          a direct chat. See [Direct Messaging](/client-server-api/#direct-messaging).
        type: boolean
      join_authorised_via_users_server:
        x-addedInMatrixVersion: "1.2"
        type: string
        description: |-
-          Usually found on `join` events, this field is used to denote which homeserver (through
+          Usually found on `join` events, this field is used to denote which homeserver (through representation of a user with sufficient power level)
-          representation of a user with sufficient power level) authorised the user's join. More
+          authorised the user's join. More information about this field can be found in the [Restricted Rooms Specification](/client-server-api/#restricted-rooms).
          information about this field can be found in the [Restricted Rooms Specification](/client-server-api/#restricted-rooms).
-          Client and server implementations should be aware of the [signing implications](/rooms/v8/#authorization-rules)
+          Client and server implementations should be aware of the [signing implications](/rooms/v8/#authorization-rules) of including this
-          of including this field in further events: in particular, the event must be signed by the
+          field in further events: in particular, the event must be signed by the server which
-          server which owns the user ID in the field. When copying the membership event's `content`
+          owns the user ID in the field. When copying the membership event's `content`
-          (for profile updates and similar) it is therefore encouraged to exclude this field in the
+          (for profile updates and similar) it is therefore encouraged to exclude this
-          copy, as otherwise the event might fail event authorization.
+          field in the copy, as otherwise the event might fail event authorization.
      reason:
        x-addedInMatrixVersion: "1.1"
        type: string
        description: |-
-          Optional user-supplied text for why their membership has changed. For kicks and bans,
+          Optional user-supplied text for why their membership has changed. For kicks and bans, this is typically the reason for the kick or ban.
-          this is typically the reason for the kick or ban. For other membership changes, this is a
+          For other membership changes, this is a way for the user to communicate their intent without having to send a message to the room, such
-          way for the user to communicate their intent without having to send a message to the
+          as in a case where Bob rejects an invite from Alice about an upcoming concert, but can't make it that day.
          room, such as in a case where Bob rejects an invite from Alice about an upcoming concert,
          but can't make it that day.
-          Clients are not recommended to show this reason to users when receiving an invite due to
+          Clients are not recommended to show this reason to users when receiving an invite due to the potential for spam and abuse. Hiding the
-          the potential for spam and abuse. Hiding the reason behind a button or other component is
+          reason behind a button or other component is recommended.
          recommended.
      third_party_invite:
        title: ThirdPartyInvite
        description: |-
          A third-party invite, if this `m.room.member` is the successor to an
          [`m.room.third_party_invite`](/client-server-api/#mroomthird_party_invite)
          event.
        type: object
        properties:
          display_name:
-            description: |-
+            description: A name which can be displayed to represent the user instead of their third-party identifier
              A name which can be displayed to represent the user instead of their
              third-party identifier
            type: string
          signed:
-            $ref: components/signed_third_party_invite.yaml
+            description: 'A block of content which has been signed, which servers can use to verify the event. Clients should ignore this.'
            properties:
              mxid:
                description: The invited matrix user ID. Must be equal to the user_id property of the event.
                type: string
              signatures:
                description: 'A single signature from the verifying server, in the format specified by the Signing Events section of the server-server API.'
                title: Signatures
                type: object
                additionalProperties:
                  type: object
                  additionalProperties:
                    type: string
              token:
                description: The token property of the containing third_party_invite object.
                type: string
            required:
              - mxid
              - signatures
              - token
            title: signed
            type: object
        required:
          - display_name
          - signed
        title: Invite
        type: object
    required:
      - membership
    title: EventContent
--- a/data/event-schemas/schema/m.room.third_party_invite.yaml
+++ b/data/event-schemas/schema/m.room.third_party_invite.yaml
@ -1,56 +1,28 @@
 ---
 allOf:
  - $ref: core-event-schema/state_event.yaml
-description: |-
+description: "Acts as an `m.room.member` invite event, where there isn't a target user_id to invite. This event contains a token and a public key whose private key must be used to sign the token. Any user who can present that signature may use this invitation to join the target room."
  Acts as an `m.room.member` invite event, where there isn't a target user_id to
  invite. This event contains a token and a public key whose private key must be
  used to sign the token. Any user who can present that signature may use this
  invitation to join the target room.
 properties:
  content:
    properties:
      display_name:
-        description: |-
+        description: "A user-readable string which represents the user who has been invited. This should not contain the user's third-party ID, as otherwise when the invite is accepted it would leak the association between the matrix ID and the third-party ID."
          A user-readable string which represents the user who has been invited.
          This should not contain the user's third-party ID, as otherwise when
          the invite is accepted it would leak the association between the
          matrix ID and the third-party ID.
        type: string
      key_validity_url:
-        description: |-
+        description: "A URL which can be fetched, with querystring public_key=public_key, to validate whether the key has been revoked. The URL must return a JSON object containing a boolean property named 'valid'."
          A URL which can be fetched, with querystring public_key=public_key, to
          validate whether the key has been revoked. The URL must return a JSON
          object containing a boolean property named 'valid'.
        type: string
        format: uri
      public_key:
-        description: |-
+        description: A base64-encoded ed25519 key with which token must be signed (though a signature from any entry in public_keys is also sufficient). This exists for backwards compatibility.
          An Ed25519 key with which the token must be signed (though a signature
          from any entry in `public_keys` is also sufficient).
          The key is encoded using [Unpadded Base64](/appendices/#unpadded-base64),
          using the standard or URL-safe alphabets.
          This exists for backwards compatibility.
        type: string
      public_keys:
        description: Keys with which the token may be signed.
        items:
          properties:
            key_validity_url:
-              description: |-
+              description: "An optional URL which can be fetched, with querystring public_key=public_key, to validate whether the key has been revoked. The URL must return a JSON object containing a boolean property named 'valid'. If this URL is absent, the key must be considered valid indefinitely."
                An optional URL which can be fetched, with querystring
                `public_key=<public_key>`, to validate whether the key has been
                revoked. The URL must return a JSON object containing a boolean
                property named `valid`. If this URL is absent, the key must be
                considered valid indefinitely.
              type: string
            public_key:
-              description: |-
+              description: A base-64 encoded ed25519 key with which token may be signed.
                An Ed25519 key with which the token may be signed.
                The key is encoded using [Unpadded Base64](/appendices/#unpadded-base64),
                using the standard or URL-safe alphabets.
              type: string
          required:
            - public_key
@ -63,15 +35,11 @@ properties:
      - public_key
    type: object
  state_key:
-    description: |-
+    description: 'The token, of which a signature must be produced in order to join the room.'
      The token, of which a signature must be produced in order to join the
      room.
    type: string
  type:
    enum:
      - m.room.third_party_invite
    type: string
-title: |-
+title: 'An invitation to a room issued to a third-party identifier, rather than a matrix user ID.'
  An invitation to a room issued to a third-party identifier, rather than a
  matrix user ID.
 type: object
--- a/data/string-formats.yaml
+++ b/data/string-formats.yaml
@ -51,11 +51,6 @@ mx-room-id:
  url: appendices#room-ids
  # regex: "^!"
 mx-room-alias:
  title: Room Alias
  url: appendices#room-aliases
  # regex: "^#"
 mx-server-name:
  title: Server Name
  url: appendices#server-name
		`@ -1,2 +0,0 @@`
			`Clarify the format of third-party invites, including the fact that identity`
			`server public keys can be encoded using standard or URL-safe base64.`
		`@ -1 +0,0 @@`
			`Clarify that public keys can be encoded using standard or URL-safe base64.`