Your Personal Data Server (PDS) operator holds the keys to your entire digital identity on ATProto. Not just your Bluesky account, but every app built on the protocol: Tangled for git, Grain for social, Leaflet for writing, whatever comes next. And that operator can be you.
Kevin's post lays it out bluntly. The PDS stores your signing key and your rotation key. The signing key signs every commit to your ATProto repo: every post, like, follow, commit. The rotation key lets the operator replace that signing key, point your DID at a new PDS, or lock you out entirely. Whatever the operator signs with those keys is, from the protocol's perspective, you: the signatures are valid and the commits are well-formed.
One Key to Rule All Apps
This isn't Twitter's data admins messing with your tweets. On ATProto, your PDS doesn't just store Bluesky posts. It stores everything from every app, in the same repo, signed by the same key, controlled by the same operator. A third-party PDS host with a few thousand developer accounts? The operator can post inflammatory takes from well-known developers, grant themselves push access to Tangled repos (a supply-chain attack in plain sight), publish blog posts on Leaflet. All of it cryptographically indistinguishable from the real person.
The flip side: if you cross your PDS operator, they can kill your identity. Not just Bluesky. Your ability to post, commit and publish across every ATProto app. On a traditional platform, getting banned from Twitter doesn't touch your GitHub. Here, one operator's decision locks you out of the entire ecosystem. Your data is still out there on the firehose, but your identity is dead.
Convenience Over Sovereignty
Key management is hard. Most users will never handle their own keys. So ATProto made a trade: give the PDS full power. The consequence is that the whole system's security rests on trusting your PDS operator. One compromised operator (state actor with a warrant, rogue employee, flat-out malicious host) and every account on that PDS is exposed, across every app. The protocol's decentralization promises are architectural, not operational.
Kevin suggests a fix: enroll a self-controlled rotation key with higher priority than your PDS's key. That way, even if your PDS goes rogue, you can rotate the signing key, point your DID at a new PDS, and move on. But it's not the default. So virtually no one does it. That should change. Backup rotation key enrollment should be part of the default account creation flow, built into clients, not just the API. Users need a way to audit what their PDS has signed on their behalf. ATProto asks you to put more of your digital life under a single identity, hand the keys to that identity to someone else, and trust they'll be good. Right now, that's a level of trust that makes even a centralized platform blush.
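Why the fix works comes down to rotation-key priority: in did:plc, rotation keys are an ordered list, and a higher-priority key can fork the operation log within a recovery window to undo what a lower-priority key did. The following Python model is an added example, not code from Kevin's post or from the PLC directory; the ordering rule and 72-hour window are real did:plc behaviour, while the key names, the `pds` field and the HMAC signatures are constructed stand-ins for did:key public keys and asymmetric signatures.

```python
import hashlib, hmac, json
RECOVERY_WINDOW_S = 72 * 3600  # did:plc lets a higher-priority rotation key fork the log within 72h
# Constructed stand-in keys: real did:plc rotation keys are did:key public keys with asymmetric
# signatures; HMAC secrets keep this example runnable offline.
KEYS = {"did:key:user": b"user-secret", "did:key:pds": b"pds-secret"}
def canonical(op):  # the signed bytes: every field except the signature itself
    return json.dumps({k: v for k, v in op.items() if k != "sig"}, sort_keys=True).encode()
def op_id(op):
    return hashlib.sha256(canonical(op)).hexdigest()[:16]

def make_op(signed_by, prev, rotation_keys, pds, ts):
    op = {"signed_by": signed_by, "prev": prev, "rotationKeys": rotation_keys, "pds": pds, "time": ts}
    op["sig"] = hmac.new(KEYS[signed_by], canonical(op), hashlib.sha256).hexdigest()
    return op

def apply_op(log, op, now):  # extend the log, or fork it as a recovery; raises if unauthorised
    ids = [op_id(o) for o in log]
    if op["prev"] not in ids:
        raise PermissionError("unknown prev")
    parent_idx = ids.index(op["prev"])
    keys = log[parent_idx]["rotationKeys"]  # authority comes from the state being extended
    if op["signed_by"] not in keys:
        raise PermissionError(f"{op['signed_by']} is not a rotation key")
    if not hmac.compare_digest(hmac.new(KEYS[op["signed_by"]], canonical(op), hashlib.sha256).hexdigest(), op["sig"]):
        raise PermissionError("bad signature")
    if parent_idx == len(log) - 1:
        return log + [op]  # ordinary append
    rival = log[parent_idx + 1]  # the op this one would override
    if keys.index(op["signed_by"]) >= keys.index(rival["signed_by"]):
        raise PermissionError("only a higher-priority rotation key can override")
    if now - rival["time"] > RECOVERY_WINDOW_S:
        raise PermissionError("recovery window closed")
    return log[:parent_idx + 1] + [op]

def scenario(enroll_user_key):  # rogue PDS moves the DID to attacker.example; the user tries to recover
    t0 = 1_700_000_000
    keys = ["did:key:user", "did:key:pds"] if enroll_user_key else ["did:key:pds"]
    genesis = make_op("did:key:pds", None, keys, "pds.example", t0)
    rogue = make_op("did:key:pds", op_id(genesis), ["did:key:pds"], "attacker.example", t0 + 60)
    log = apply_op([genesis], rogue, t0 + 60)
    recover = make_op("did:key:user", op_id(genesis), ["did:key:user"], "newpds.example", t0 + 3600)
    try:
        log = apply_op(log, recover, t0 + 3600)
    except PermissionError:
        return log[-1]["pds"], "locked out"
    try:  # the PDS key sits below the user key, so it cannot undo the recovery
        apply_op(log, rogue, t0 + 3600)
    except PermissionError:
        return log[-1]["pds"], "recovered"
    return log[-1]["pds"], "pds re-overrode"
```

Without the enrolled key the user has no rotation authority at all and the DID stays pointed at the attacker; with it, the recovery op wins and the PDS key cannot reverse it.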
Source: Who Owns Your ATProto Identity? Hint: It's Probably Not You
Domain: kevinak.se