Creating a did:web identity in ATProto
In the process of migrating my self-hosted PDS to a new server, I managed to accidentally lose my .env file, and with it my rotation key, which is necessary to process updates to did:plc identities. In short, my existing identity became a zombie – still technically online but forever unable to create any future posts or make any changes.
While this was a bummer, it gave me an opportunity to try out AT Protocol's other supported identification method, did:web. Instead of storing identities in a centralized directory (the PLC), did:web lets you self-host your own identity document as a .json file. The advantage is complete control over your identity document without needing to rely on or trust an external directory to host it and process changes. The downside is, of course, being fully self-controlled – it's a lot easier to break things. Also, did:web identities are forever tied to the domain they are created and hosted on.
There's a fantastic site that makes the process fairly straightforward. It walks you through the steps of generating a keypair and entering your PDS, handle, and domain. It spits out a bit of JSON that you then need to put into a file called did.json hosted on your domain at https://<domain>/.well-known/did.json. Since I'm using Caddy as my server, this is my entry:
kghorvath.com {
    # Serve did.json with the DID document media type and allow cross-origin reads
    handle /.well-known/did.json {
        header Content-Type "application/did+ld+json; charset=utf-8"
        header Access-Control-Allow-Origin "*"
        root * /var/www/html
        file_server
    }
}
Once that's done, the site will walk you through creating a new account with an invite code that will be tied to this identity. There's one more update you need to make to your did.json, and then you'll also need to create a TXT record on your domain tying your handle to your did:web identity, just as if you were using a custom handle on Bluesky.
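Because nothing but you checks a did:web document before it goes live, it is worth validating the did.json and the handle TXT record locally before logging in. The following is an added example, not code from the post or from the site it describes; it assumes Python 3 with only the standard library, and the sample document below is constructed, with a placeholder key and a placeholder PDS endpoint (pds.example.com).

```python
import json
from urllib.parse import unquote

# Constructed sample of the did.json described above; the key and the PDS
# endpoint are placeholders, not the author's real values.
SAMPLE_DID_JSON = json.dumps({
    "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/multikey/v1"],
    "id": "did:web:kghorvath.com",
    "alsoKnownAs": ["at://kghorvath.com"],
    "verificationMethod": [{"id": "did:web:kghorvath.com#atproto", "type": "Multikey",
                            "controller": "did:web:kghorvath.com",
                            "publicKeyMultibase": "zPLACEHOLDER-signing-key"}],
    "service": [{"id": "#atproto_pds", "type": "AtprotoPersonalDataServer",
                 "serviceEndpoint": "https://pds.example.com"}],
})

def did_web_to_url(did):
    """URL a resolver fetches for did:web:<host>[:<path>...] (a port colon is %3A)."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web DID")
    host, *path = [unquote(p) for p in did[len("did:web:"):].split(":")]
    return f"https://{host}/" + ("/".join(path) + "/did.json" if path else ".well-known/did.json")

def check_did_document(raw, did, handle, expect_pds=None):
    """Return a list of problems with an ATProto did:web document; [] means it looks good."""
    doc = json.loads(raw)
    problems = []
    if doc.get("id") != did:
        problems.append(f"id is {doc.get('id')!r}, expected {did!r}")
    if f"at://{handle}" not in doc.get("alsoKnownAs", []):
        problems.append(f"alsoKnownAs does not include at://{handle}")
    keys = [v for v in doc.get("verificationMethod", [])
            if v.get("id") in (f"{did}#atproto", "#atproto")]
    if not keys:
        problems.append("no verificationMethod with id fragment #atproto")
    elif keys[0].get("type") != "Multikey" or keys[0].get("controller") != did:
        problems.append("#atproto key must be a Multikey controlled by this DID")
    pds = [s for s in doc.get("service", [])
           if s.get("id") in (f"{did}#atproto_pds", "#atproto_pds")
           and s.get("type") == "AtprotoPersonalDataServer"]
    if not pds:
        problems.append("no AtprotoPersonalDataServer service with id #atproto_pds")
    elif expect_pds and pds[0].get("serviceEndpoint") != expect_pds:
        problems.append(f"PDS endpoint is {pds[0].get('serviceEndpoint')!r}, expected {expect_pds!r}")
    return problems

def check_handle_txt(txt_value, did):
    """The _atproto.<handle> TXT record must read exactly did=<did>."""
    return txt_value.strip().strip('"') == f"did={did}"
```

Point the checks at the document you actually serve (fetch did_web_to_url(did) over HTTPS) and at the value returned by a dig TXT query for _atproto.<handle>; a non-empty problem list is the thing to fix before creating the account.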
Once that's done, you should be able to log in to an ATProto appview with your new credentials and be fully set up with your self-hosted identity.