Resolve the handle "bsky.app" to a DID. First tries HTTPS well-known, then falls back to DNS TXT record. Method used: DNS TXT _atproto.
GET DNS TXT _atproto.bsky.app
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": false,
"CD": false,
"Question": [
{
"name": "_atproto.bsky.app",
"type": 16
}
],
"Answer": [
{
"name": "_atproto.bsky.app",
"type": 16,
"TTL": 300,
"data": "\"did=did:plc:z72i7hdynmk6r22z27h6tvur\""
}
]
}Fetch the DID document for did:plc:z72i7hdynmk6r22z27h6tvur. Using plc.directory (centralized DID registry).
GET https://plc.directory/did:plc:z72i7hdynmk6r22z27h6tvur
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/multikey/v1",
"https://w3id.org/security/suites/secp256k1-2019/v1"
],
"id": "did:plc:z72i7hdynmk6r22z27h6tvur",
"alsoKnownAs": [
"at://bsky.app"
],
"verificationMethod": [
{
"id": "did:plc:z72i7hdynmk6r22z27h6tvur#atproto",
"type": "Multikey",
"controller": "did:plc:z72i7hdynmk6r22z27h6tvur",
"publicKeyMultibase": "zQ3shQo6TF2moaqMTrUZEM1jeuYRQXeHEx4evX9751y2qPqRA"
...Check that the DID document's alsoKnownAs field contains "at://bsky.app". Handle resolved to DID (hop 1) and DID document lists handle (hop 2) must agree.
VERIFY DID document alsoKnownAs field
Found PDS at https://puffball.us-east.host.bsky.network. Verified it's reachable by calling describeServer.
GET https://puffball.us-east.host.bsky.network/xrpc/com.atproto.server.describeServer
{
"did": "did:web:puffball.us-east.host.bsky.network",
"availableUserDomains": [
".puffball.us-east.host.bsky.network"
],
"inviteCodeRequired": true,
"links": {
"privacyPolicy": "https://bsky.social/about/support/privacy-policy",
"termsOfService": "https://bsky.social/about/support/tos"
},
"contact": {}
}Query the PDS for repository metadata. This shows which collections (post types) exist in the user's repo.
GET https://puffball.us-east.host.bsky.network/xrpc/com.atproto.repo.describeRepo?repo=did%3Aplc%3Az72i7hdynmk6r22z27h6tvur
{
"handle": "bsky.app",
"did": "did:plc:z72i7hdynmk6r22z27h6tvur",
"didDoc": {
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/multikey/v1",
"https://w3id.org/security/suites/secp256k1-2019/v1"
],
"id": "did:plc:z72i7hdynmk6r22z27h6tvur",
"alsoKnownAs": [
"at://bsky.app"
],
"verificationMethod": [
{
"id": "did:plc:z72i7hdynmk6r22z27h6tvur#atproto",
"type": "Multikey",
"controller": "did:p
...Extract the atproto signing key from the DID document. This key signs every record in the repository, allowing anyone to verify data authenticity without trusting the PDS.
EXTRACT DID document verificationMethod field
{
"id": "did:plc:z72i7hdynmk6r22z27h6tvur#atproto",
"type": "Multikey",
"controller": "did:plc:z72i7hdynmk6r22z27h6tvur",
"publicKeyMultibase": "zQ3shQo6TF2moaqMTrUZEM1jeuYRQXeHEx4evX9751y2qPqRA"
}Here's who you're trusting at each layer of the identity resolution: