Have been wondering about this in terms of how safe/secure it may be to use them. Not that a Lemmy account is exactly something to fret a ton over, but I always appreciate a little more peace of mind.

Searching through here I found where Alexandrite’s dev gives a rundown to someone asking in regards to their work, but I didn’t surface similar for others. I’ve tried running some broader searches but haven’t had a ton of luck, so thought I’d ask.

  • Dieguito 🦝@feddit.it · 7 months ago

    I’m the developer of a (still beta) mobile app for Lemmy and I don’t have a backend: the credentials are entered by the user in the app and are sent directly to the Lemmy instance they are using, with no steps in between.

    Instance name verification is done by just calling a public (non authenticated) API like the community list and seeing if this healthcheck passes, whereas authentication is done by the Lemmy instance itself which returns an error if the user does not exist or the password is wrong.

    The login API provides a token, as explained by other devs in this thread, which is saved in the app database (but the database is encrypted with a key randomly generated on a per-install basis on the device and local to that device only). This token is appended to the body (where specified) or the auth header of the subsequent authenticated API calls, which are in turn encrypted too since it’s HTTPS.
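The flow the comment above describes (unauthenticated health check against the community list, login handled by the instance itself, the returned token used on later calls) as an added Python example; this is not the app's own code. It assumes the Lemmy HTTP API paths `/api/v3/community/list` and `/api/v3/user/login` and the `Authorization: Bearer <jwt>` header as used by current Lemmy versions; `FakeInstance`, its host and its users are constructed so the example runs offline and records where the password and token actually travel. The encrypted on-device token store the developer mentions is not modeled here.

```python
"""Direct-to-instance Lemmy login flow: no intermediary backend (added example)."""
import json
from urllib import request as urlrequest
from urllib.error import HTTPError


class LemmyAuthError(Exception):
    """Raised when the instance rejects the credentials or no session exists."""


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport returning (status, decoded JSON); used only when no fake is injected."""
    req = urlrequest.Request(url, data=body, headers=headers, method=method)
    try:
        with urlrequest.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        try:
            return err.code, json.loads(err.read().decode("utf-8"))
        except ValueError:
            return err.code, {}


class LemmyClient:
    """Talks only to the instance the user chose; credentials never go anywhere else."""

    def __init__(self, instance_url, transport=urllib_transport):
        if not instance_url.startswith("https://"):
            raise ValueError("refusing to send credentials over anything but HTTPS")
        self.base = instance_url.rstrip("/") + "/api/v3"
        self.transport = transport
        self.jwt = None

    def verify_instance(self):
        """Health check against a public endpoint: no credentials involved at this step."""
        status, data = self.transport("GET", f"{self.base}/community/list?limit=1", {}, None)
        return status == 200 and isinstance(data.get("communities"), list)

    def login(self, username_or_email, password):
        """POST /user/login; the instance checks the password and returns a JWT."""
        body = json.dumps({"username_or_email": username_or_email, "password": password}).encode()
        status, data = self.transport("POST", f"{self.base}/user/login",
                                      {"Content-Type": "application/json"}, body)
        if status != 200 or not data.get("jwt"):
            raise LemmyAuthError(data.get("error", f"login failed with HTTP {status}"))
        self.jwt = data["jwt"]
        return self.jwt

    def get(self, path):
        """Authenticated call: the token rides in the Authorization header, never in the URL."""
        if self.jwt is None:
            raise LemmyAuthError("not logged in")
        return self.transport("GET", f"{self.base}{path}",
                              {"Authorization": f"Bearer {self.jwt}"}, None)


class FakeInstance:
    """Constructed stand-in for a Lemmy server so the example runs offline; records every request."""

    def __init__(self, host, users):
        self.host, self.users, self.requests = host, users, []
        self.token = "constructed.jwt.token"  # placeholder for the real signed JWT

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if not url.startswith(self.host):
            return 404, {}
        if url.endswith("/community/list?limit=1"):
            return 200, {"communities": []}
        if url.endswith("/user/login"):
            creds = json.loads(body)
            if self.users.get(creds["username_or_email"]) == creds["password"]:
                return 200, {"jwt": self.token, "registration_created": False,
                             "verify_email_sent": False}
            return 400, {"error": "incorrect_login"}
        if headers.get("Authorization") == f"Bearer {self.token}":
            return 200, {"ok": True}
        return 401, {"error": "not_logged_in"}


def run_flow(transport, instance="https://lemmy.example", user="alice", password="correct horse"):
    """Verify instance -> login -> one authenticated call; reports what each step yielded."""
    client = LemmyClient(instance, transport)
    if not client.verify_instance():
        return {"verified": False}
    try:
        client.login(user, password)
    except LemmyAuthError as err:
        return {"verified": True, "logged_in": False, "error": str(err)}
    status, _ = client.get("/site")
    return {"verified": True, "logged_in": True, "authed_status": status}


if __name__ == "__main__":
    fake = FakeInstance("https://lemmy.example", {"alice": "correct horse"})
    print(run_flow(fake))
```

Because the transport is injected, the recorded requests let you check the property the developer is describing: every URL the password or token was sent to belongs to the instance the user typed in, and the token appears only in the `Authorization` header of calls made after login.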