The ORCID sign-in flow on rrxiv.com works correctly whether the user arrives at the apex (rrxiv.com) or the www subdomain. The server threads the redirect_uri per request from the web client's POST body rather than reading a static ORCID_REDIRECT_URI env var, so the authorize-step URI and the token-exchange-step URI are byte-identical regardless of which origin the browser was on when the user clicked sign-in. This is the property RFC 6749 §4.1.3 requires.
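The per-request threading described above, as an added example that is not rrxiv's own code: both steps take redirect_uri from the request body and accept it only on an exact match against the registered URIs. The callback path, client id and function names are assumptions made for illustration, and the allowlist check is an assumed safeguard the page does not describe.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: placeholder callback path and client id, not rrxiv's real values.
ALLOWED_REDIRECT_URIS = frozenset({
    "https://rrxiv.com/auth/orcid/callback",
    "https://www.rrxiv.com/auth/orcid/callback",
})
CLIENT_ID = "APP-EXAMPLE000000000"  # constructed placeholder
AUTHORIZE_ENDPOINT = "https://orcid.org/oauth/authorize"


def checked_redirect_uri(body: dict) -> str:
    """Return redirect_uri from the POST body only on an exact allowlist match.

    Exact string comparison (no prefix or host-suffix matching) keeps a
    client-supplied value from steering the code to an unregistered URI.
    """
    uri = body.get("redirect_uri")
    if not isinstance(uri, str) or uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not a registered callback")
    return uri


def authorize_url(body: dict, state: str) -> str:
    """Build the authorize-step URL with the caller's own redirect_uri."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "/authenticate",
        "redirect_uri": checked_redirect_uri(body),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def token_request_form(body: dict, code: str, client_secret: str) -> dict:
    """Build the token-exchange form; redirect_uri again comes from the body,
    so it matches the authorize step byte for byte on either origin."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": checked_redirect_uri(body),
    }


def redirect_uri_in(url: str) -> str:
    """Decode the redirect_uri query parameter from an authorize URL."""
    return parse_qs(urlsplit(url).query)["redirect_uri"][0]
```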