Decentralized Identifier (DID)
A Decentralized Identifier (DID) in the AT Protocol serves as a persistent, long-term account identifier that enables actors to maintain their identity across services and handle changes. DIDs follow the W3C DID Standard, which provides a method for self-sovereign digital identity.
DIDs serve as the foundation for identity in the AT Protocol, enabling actors to maintain their identity across handles or service providers, cryptographically verify their content, and migrate between different Personal Data Servers (PDSes) while preserving their identity and social graph.
The AT Protocol currently supports two DID Methods:
- did:plc: A novel DID method developed by Bluesky Social, designed specifically for the AT Protocol ecosystem. It provides mechanisms for key rotation, account recovery, and service migration.
- did:web: A W3C standard based on HTTPS and DNS, where the identifier section is a hostname. In the AT Protocol, only hostname-level did:web DIDs are supported, not path-based DIDs.
Structure and Syntax
DIDs in the AT Protocol follow the standard DID syntax:
did:<method>:<method-specific-identifier>
For example:
did:plc:z72i7hdynmk6r22z27h6tvur
did:web:blueskyweb.xyz
All DIDs must:
- Begin with a lowercase did:
- Use a lowercase method name
- Contain only allowed characters (letters, digits, period, underscore, colon, percent sign, or hyphen)
- Not end with a colon
- Not include query or fragment components in the AT Protocol context
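The rules above, combined with the two supported methods and the hostname-only restriction on did:web, can be enforced before a DID is ever resolved. The following is an added example, not code from the AT Protocol project; the helper name check_atproto_did and every sample string other than the two DIDs shown on this page are constructed for illustration, and it checks only the rules listed here.

```python
import re

# Generic shape from the rules above: lowercase "did:", a lowercase method
# name, then an identifier limited to the allowed character set.
_DID_SHAPE = re.compile(r"did:[a-z]+:[A-Za-z0-9._:%-]+")
SUPPORTED_METHODS = {"plc", "web"}  # the two methods this page lists


def check_atproto_did(value):
    """Return (ok, reason) for a candidate DID string (hypothetical helper)."""
    if not isinstance(value, str) or not value.startswith("did:"):
        return False, "must begin with lowercase 'did:'"
    if "?" in value or "#" in value:
        return False, "query or fragment not allowed"
    if value.endswith(":"):
        return False, "must not end with a colon"
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not _DID_SHAPE.fullmatch(value):
        return False, "bad method name or disallowed character"
    _, method, identifier = value.split(":", 2)
    if method not in SUPPORTED_METHODS:
        return False, "unsupported DID method"
    # did:web writes a URL path as extra colon-separated segments, so a
    # colon in the identifier marks a path-based DID.
    if method == "web" and ":" in identifier:
        return False, "path-based did:web not supported"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, except the first two, which appear on this page.
    for did in [
        "did:plc:z72i7hdynmk6r22z27h6tvur",
        "did:web:blueskyweb.xyz",
        "did:web:example.com:user:alice",
        "DID:plc:z72i7hdynmk6r22z27h6tvur",
        "did:plc:z72i7hdynmk6r22z27h6tvur#atproto",
        "did:key:zExample",
        "did:plc:abc\n",
    ]:
        print(repr(did), check_atproto_did(did))
```

Returning a reason alongside the verdict lets a service log why an identifier was refused without echoing it back to the caller.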
DID Documents
Each DID resolves to a DID Document which contains critical information about the actor:
- Handle Association: The alsoKnownAs array contains the user's handle, allowing human-readable addressing
- Verification Method: The verificationMethod array contains the public signing key used to authenticate the account
- Service Endpoint: The service array specifies the PDS or PDSes hosting the user's repository.