> The artist, JT Nimoy, was an Emacs user but still thought it would be fun to set up a dichotomy--some fun details on this blog
I don't see any details about setting up a dichotomy in that article (just that the author was a happy Emacs user). Or maybe that was in that HN meetup you mention?
Bearer tokens should be replaced with schemes based on signing and the private keys should never be directly exposed (if they are there's no difference between them and a bearer token). Signing agents do just that. Github's API is based on HTTP but mutual TLS authentication with a signing agent should be sufficient.
You don't need any third party modules and can proxy based on ALPN (https://wiki.xmpp.org/web/Tech_pages/XEP-0368#nginx) thus running everything on port 443. Note that ALPN is not encrypted AFAIK but public wifi services don't care.