Protocol Overview

The Authenticated Transfer Protocol, aka atproto, is a decentralized protocol for large-scale social web applications. This document will introduce you to the ideas behind the AT Protocol.

Identity

Users in AT Protocol have permanent decentralized identifiers (DIDs) for their accounts. They also have a configurable domain name, which acts as a human-readable handle. Identities include a reference to the user's current hosting provider and cryptographic keys.

Data Repositories

User data is exchanged in signed data repositories. These repositories are collections of records which include posts, comments, likes, follows, etc.

Network Architecture

The AT Protocol has a federated network architecture, meaning that account data is stored on host servers, as opposed to a peer-to-peer model between end devices. Federation was chosen to ensure the network is convenient to use and reliably available. Repository data is synchronized between servers over standard web technologies (HTTP and WebSockets).

The three core services in our network are Personal Data Servers (PDS), Relays, and App Views. There are also supporting services such as feed generators and labelers.

The lower-level primitives that can get stacked together differently are the repositories, lexicons, and DIDs. We published an overview of our technical decisions around federation architecture on our blog.

Interoperation

A global schemas network called Lexicon is used to unify the names and behaviors of the calls across the servers. Servers implement "lexicons" to support featuresets, including the core com.atproto.* lexicons for syncing user repositories and the app.bsky.* lexicons to provide basic social behaviors.

While the Web exchanges documents, the AT Protocol exchanges schematic and semantic information, enabling the software from different organizations to understand each others' data. This gives atproto clients freedom to produce user interfaces independently of the servers, and removes the need to exchange rendering code (HTML/JS/CSS) while browsing content.

Achieving Scale

Personal Data Servers are your home in the cloud. They host your data, distribute it, manage your identity, and orchestrate requests to other services to give you your views.

Relays collect data updates from many servers in to a single firehose.

App Views provide aggregated application data for the entire network. They support large-scale metrics (likes, reposts, followers), content discovery (algorithms), and user search.

This separation of roles is intended to provide users with choice between multiple interoperable providers, while also scaling to large network sizes.

Algorithmic choice

As with Web search engines, users are free to select their aggregators. Feeds, labelers, and search indices can be provided by independent third parties, with requests routed by the PDS, based on client app configuration. Client apps may be tied to specific services, such as App Views or mandatory labelers.

Account portability

We assume that a Personal Data Server may fail at any time, either by going offline in its entirety, or by ceasing service for specific users. The goal of the AT Protocol is to ensure that a user can migrate their account to a new PDS without the server's involvement.

User data is stored in signed data repositories and authenticated by DIDs. Signed data repositories are like Git repos but for database records, and DIDs provide a directory of cryptographic keys, similar in some ways to the TLS certificate system. Identities are expected to be secure, reliable, and independent of the user's PDS.

Most DID documents publish two types of public keys: a signing key and rotation keys.

• Signing key: Validates the user's data repository. All DIDs include such a key.
• Rotation keys: Asserts changes to the DID Document itself. The PLC DID method includes this, while the DID Web method does not.

The signing key is entrusted to the PDS so that it can manage the user's data, but rotation keys can be controlled by the user, e.g. as a paper key. This makes it possible for the user to update their account to a new PDS without the original host's help.

A backup of the user’s data could be persistently synced to a user's own device as a backup (contingent on the disk space available), or mirrored by a third-party service. In the event their PDS disappears without notice, the user should be able to migrate to a new provider by updating their DID Document and uploading their data backup.

Speech, reach, and moderation

AT Protocol's model is that speech and reach should be two separate layers, built to work with each other. The “speech” layer should remain permissive, distributing authority and designed to ensure everyone has a voice. The “reach” layer lives on top, built for flexibility and designed to scale.

The base layer of atproto (personal data repositories and federated networking) creates a common space for speech where everyone is free to participate, analogous to the Web where anyone can put up a website. The indexing services then enable reach by aggregating content from the network, analogous to a search engine.

Specifications

Some of the primary specifications comprising the initial version of the AT Protocol are:

• Authenticated Transfer Protocol
• DIDs and Handles
• Repository and Data Model
• Lexicon
• HTTP API (XRPC) and Event Streams