Handle
A handle in the AT Protocol is a human-friendly identifier for user accounts, similar to usernames in other social media platforms. While Decentralized Identifiers (DIDs) serve as the permanent technical identifiers for accounts, handles provide a more memorable and user-friendly way to reference accounts. As such, handles facilitate user discovery, allowing users to use domains they control for their identity and maintain that same public identity while changing service providers.
Structure
Handles in the AT Protocol are structured as domain names, following the format:
username.tld
username.domain.tld
For example, alice.bsky.social or bob.example.com are both valid handles.
This domain-based approach allows users to maintain their identity under domains they control, providing a robust DNS-based account verification mechanism at the protocol level.
Handles support Internationalized Domain Names (IDNs), allowing non-ASCII characters through Punycode encoding. For example, the handle xn--ls8h.test would display as 💩.test in supporting applications.
Resolution to DIDs
For handles to function in the AT Protocol, they must resolve to a Decentralized Identifier (DID). This resolution happens through one of two methods:
- DNS TXT Record: A DNS record at _atproto.{handle} containing the DID
- HTTPS Well-Known Endpoint: An HTTPS endpoint at https://{handle}/.well-known/atproto-did returning the DID
This resolution system ensures that only those with control over a domain can claim handles on that domain.
Verification
The link between a handle and a DID must be verified bidirectionally. This means the handle must resolve to the DID, and, conversely, the DID document must list the handle in its alsoKnownAs field. This two-way verification prevents unauthorized handle claims.
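The following Python code, added here as an illustration and not taken from this page or from any AT Protocol implementation, applies the two-way check to resolution results that have already been fetched. It assumes the did=<DID> form for the TXT value and the at://<handle> form for alsoKnownAs entries as given in the AT Protocol specification (neither is spelled out above); the function names are hypothetical, and the DIDs and documents are constructed samples.

```python
"""Two-way handle <-> DID check on already-fetched data (added example)."""


def did_from_txt(txt_values):
    """DID from the TXT values at _atproto.{handle}, or None.

    Assumes the `did=<DID>` value form; conflicting DIDs count as failure.
    """
    dids = {v[len("did="):].strip() for v in txt_values if v.startswith("did=")}
    dids = {d for d in dids if d.startswith("did:")}
    return dids.pop() if len(dids) == 1 else None


def did_from_well_known(body):
    """DID from the body of https://{handle}/.well-known/atproto-did, or None."""
    did = body.strip()
    return did if did.startswith("did:") and " " not in did else None


def handle_is_verified(handle, resolved_did, did_document):
    """True only if handle -> DID and DID document -> handle both hold."""
    if resolved_did is None or did_document.get("id") != resolved_did:
        return False
    # Assumed alsoKnownAs form: "at://<handle>"; handles compare case-insensitively.
    claimed = {aka.lower() for aka in did_document.get("alsoKnownAs") or []}
    return "at://" + handle.lower() in claimed


# Constructed sample data (not real accounts).
ALICE_DID = "did:plc:aaaaaaaaaaaaaaaaaaaaaaaa"
MALLORY_DID = "did:plc:mmmmmmmmmmmmmmmmmmmmmmmm"
ALICE_DOC = {"id": ALICE_DID, "alsoKnownAs": ["at://alice.example.com"]}
MALLORY_DOC = {"id": MALLORY_DID, "alsoKnownAs": ["at://alice.example.com"]}

if __name__ == "__main__":
    # The domain's TXT records point at Alice's DID (unrelated records ignored).
    did = did_from_txt(["v=spf1 -all", "did=" + ALICE_DID])
    # Both directions agree.
    print(handle_is_verified("alice.example.com", did, ALICE_DOC))    # True
    # A different DID document lists the handle, but the domain does not resolve to it.
    print(handle_is_verified("alice.example.com", did, MALLORY_DOC))  # False
    # The DID is valid, but its document does not list this handle back.
    print(handle_is_verified("bob.example.com", did, ALICE_DOC))      # False
```

A client that fails either direction should treat the handle as unverified and fall back to the DID as the account's identifier.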