diff --git a/app/controllers/authorize_interactions_controller.rb b/app/controllers/authorize_interactions_controller.rb
index 99eed018b070ed..1efd4de2d07b87 100644
--- a/app/controllers/authorize_interactions_controller.rb
+++ b/app/controllers/authorize_interactions_controller.rb
@@ -3,7 +3,7 @@
 class AuthorizeInteractionsController < ApplicationController
   include Authorization
 
-  before_action :authenticate_user!
+  before_action :authenticate_user_if_remote!
   before_action :set_resource
 
   def show
@@ -18,6 +18,11 @@ def show
 
   private
 
+  def authenticate_user_if_remote!
+    return if uri_param_is_url? && Rails.configuration.x.local_domain == parsed_uri.host
+    authenticate_user!
+  end
+
   def set_resource
     @resource = located_resource
     authorize(@resource, :show?) if @resource.is_a?(Status)
diff --git a/app/controllers/well_known/protocol_handler_controller.rb b/app/controllers/well_known/protocol_handler_controller.rb
new file mode 100644
index 00000000000000..6db65a0c3d5c7c
--- /dev/null
+++ b/app/controllers/well_known/protocol_handler_controller.rb
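Review bot: The local-domain test in `authenticate_user_if_remote!` compares `parsed_uri.host` to `Rails.configuration.x.local_domain` with `==`, so a URI whose host differs only in letter case (hostnames are case-insensitive) is classified as remote and forces a login; `return if uri_param_is_url? && Rails.configuration.x.local_domain.casecmp?(parsed_uri.host)` is the closer test. Because this method relaxes a controller-wide `before_action`, it should also carry a comment stating the intent, e.g. `# Local URIs resolve to local resources and need no signed-in user; remote ones still require one.` `uri_param_is_url?` and `parsed_uri` are defined outside the hunk, so whether the guard already rules out a nil host (and whether `local_domain` can carry a port that `host` would never match) has to be confirmed against those definitions.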
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module WellKnown
+  class ProtocolHandlerController < ActionController::Base # rubocop:disable Rails/ApplicationController
+
+    before_action :set_target
+    before_action :target_acceptable?
+
+    rescue_from ActionController::ParameterMissing, with: :bad_request
+
+    def show
+      redirect_to authorize_interaction_path(uri: @target.sub("web+ap", "https"))
+    end
+
+    private
+
+    def set_target
+      @target = target_param
+    end
+
+    # NOTE: supports "probing"
+    def target_acceptable?
+      # FIXME: this should be web+ap: but doing it this way avoids issues in
+      # the short term... revisit this once web+ap:foo... is being used in
+      # addition to web+ap://example/...
+      return if @target.starts_with? "web+ap://"
+      not_found
+    end
+
+    def target_param
+      params.require(:target)
+    end
+
+    def bad_request
+      expires_in(3.minutes, public: true)
+      head 400
+    end
+
+    def not_found
+      expires_in(3.minutes, public: true)
+      head 404
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 4114db5f43478a..94ae479aa6424f 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -71,6 +71,7 @@ def redirect_with_vary(path)
     get 'host-meta', to: 'host_meta#show', as: :host_meta, defaults: { format: 'xml' }
     get 'nodeinfo', to: 'node_info#index', as: :nodeinfo, defaults: { format: 'json' }
     get 'webfinger', to: 'webfinger#show', as: :webfinger
+    get 'protocol-handler', to: 'protocol_handler#show', as: :protocol_handler
   end
   get 'change-password', to: redirect('/auth/edit'), as: nil
   get 'proxy', to: redirect { |_, request| "/authorize_interaction?#{request.params.to_query}" }, as: nil
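Review bot: `target_acceptable?` assumes `@target` is a String, but `params.require(:target)` hands back whatever the query carried, so a request such as `?target[]=x` or `?target[a]=b` reaches `starts_with?` with an Array or Parameters object and raises NoMethodError (a 500) instead of taking the 404 path; guarding the type keeps malformed input on the error path: `return if @target.is_a?(String) && @target.start_with?("web+ap://")`. The name is also misleading: a method ending in `?` is expected to return a boolean without side effects, yet this one renders `head 404`, so a name such as `verify_target!` would match its `before_action` role. The class has no header comment; `# Handles web+ap:// protocol-handler links: the scheme is rewritten to https and the request is redirected to the authorize-interaction flow.` states its purpose as shown by `show`.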