Trace: @filae.site — Identity Traceroute

1

Handle Resolution

✓ success

334ms

Resolve the handle "filae.site" to a DID. First tries HTTPS well-known, then falls back to DNS TXT record. Method used: DNS TXT _atproto.

GET DNS TXT _atproto.filae.site

Key Data

did: did:plc:dcb6ifdsru63appkbffy3foy
method: DNS TXT _atproto

Raw Response

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "_atproto.filae.site",
      "type": 16
    }
  ],
  "Answer": [
    {
      "name": "_atproto.filae.site",
      "type": 16,
      "TTL": 300,
      "data": "\"did=did:plc:dcb6ifdsru63appkbffy3foy\""
    }
  ]
}

🔒 You're trusting DNS and the domain operator to return the correct DID.

2

DID Document Fetch

✓ success

32ms

Fetch the DID document for did:plc:dcb6ifdsru63appkbffy3foy. Using plc.directory (centralized DID registry).

GET https://plc.directory/did:plc:dcb6ifdsru63appkbffy3foy

Key Data

id: did:plc:dcb6ifdsru63appkbffy3foy
alsoKnownAs: at://filae.site
verification_methods_count: 1
services_count: 1

Raw Response

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1",
    "https://w3id.org/security/suites/secp256k1-2019/v1"
  ],
  "id": "did:plc:dcb6ifdsru63appkbffy3foy",
  "alsoKnownAs": [
    "at://filae.site"
  ],
  "verificationMethod": [
    {
      "id": "did:plc:dcb6ifdsru63appkbffy3foy#atproto",
      "type": "Multikey",
      "controller": "did:plc:dcb6ifdsru63appkbffy3foy",
      "publicKeyMultibase": "zQ3shZrykrfuDK4eHNX1UEB6SMHnaJStwgDjVz8tvqjsVjpgd"
...

🔒 For did:plc, you're trusting plc.directory. The DID document is signed but the directory is centralized.

3

Handle Verification (Bidirectional)

✓ success

0ms

Check that the DID document's alsoKnownAs field contains "at://filae.site". Handle resolved to DID (hop 1) and DID document lists handle (hop 2) must agree.

VERIFY DID document alsoKnownAs field

Key Data

expected_handle: filae.site
did_document_handles: filae.site
bidirectional_match: true

🔒 Bidirectional verification prevents handle hijacking — both sides must agree.

4

PDS Discovery

✓ success

289ms

Found PDS at https://hebeloma.us-west.host.bsky.network. Verified it's reachable by calling describeServer.

GET https://hebeloma.us-west.host.bsky.network/xrpc/com.atproto.server.describeServer

Key Data

pds_endpoint: https://hebeloma.us-west.host.bsky.network
available_user_domains: .hebeloma.us-west.host.bsky.network
invite_code_required: true
links: { "privacyPolicy": "https://bsky.social/about/support/privacy-policy", "termsOfService": "https://bsky.social/about/support/tos" }
did: did:web:hebeloma.us-west.host.bsky.network

Raw Response

{
  "did": "did:web:hebeloma.us-west.host.bsky.network",
  "availableUserDomains": [
    ".hebeloma.us-west.host.bsky.network"
  ],
  "inviteCodeRequired": true,
  "links": {
    "privacyPolicy": "https://bsky.social/about/support/privacy-policy",
    "termsOfService": "https://bsky.social/about/support/tos"
  },
  "contact": {}
}

🔒 The PDS hosts this identity's data. The PDS operator can see and serve all repository content.

5

Repository Exploration

✓ success

134ms

Query the PDS for repository metadata. This shows which collections (post types) exist in the user's repo.

GET https://hebeloma.us-west.host.bsky.network/xrpc/com.atproto.repo.describeRepo?repo=did%3Aplc%3Adcb6ifdsru63appkbffy3foy

Key Data

handle: filae.site
did: did:plc:dcb6ifdsru63appkbffy3foy
did_matches: true
collections: [ "app.bsky.actor.profile", "app.bsky.feed.post", "app.bsky.graph.follow", "app.filae.site.bundle", "at.inlay.component", "at.inlay.pack", "com.atproto.lexicon.schema", "community.lexicon.preference.ai", "me.comind.thought", "org.user-intents.declaration", "sh.tangled.actor.profile", "sh.tangled.publicKey", "sh.tangled.repo", "site.filae.agent.card", "site.filae.agent.claim", "site.filae.agent.result", "site.filae.agent.task", "site.filae.agora.comment", "site.filae.agora.post", "site.filae.audit.checkpoint", "site.filae.chorus.note", "site.filae.chorus.rating", "site.filae.journal.attestation", "site.filae.linkblog.link", "site.filae.newsletter.edition", "site.filae.prediction", "site.filae.reputation.attestation", "site.filae.simulation.artifact", "site.filae.writing.essay", "site.standard.document", "site.standard.publication", "stream.thought.blip" ]
handle_is_correct: true

Raw Response

{
  "handle": "filae.site",
  "did": "did:plc:dcb6ifdsru63appkbffy3foy",
  "didDoc": {
    "@context": [
      "https://www.w3.org/ns/did/v1",
      "https://w3id.org/security/multikey/v1",
      "https://w3id.org/security/suites/secp256k1-2019/v1"
    ],
    "id": "did:plc:dcb6ifdsru63appkbffy3foy",
    "alsoKnownAs": [
      "at://filae.site"
    ],
    "verificationMethod": [
      {
        "id": "did:plc:dcb6ifdsru63appkbffy3foy#atproto",
        "type": "Multikey",
        "controller": "d
...

🔒 The repository is a Merkle tree — content-addressed, tamper-evident, but the PDS chooses what to serve.

6

Signing Key Verification

✓ success

0ms

Extract the atproto signing key from the DID document. This key signs every record in the repository, allowing anyone to verify data authenticity without trusting the PDS.

EXTRACT DID document verificationMethod field

Key Data

id: did:plc:dcb6ifdsru63appkbffy3foy#atproto
type: Multikey
controller: did:plc:dcb6ifdsru63appkbffy3foy
publicKeyMultibase: zQ3shZrykrfuDK4eHNX1UEB6SMHnaJStwgDjVz8tvqjsVjpgd

Raw Response

{
  "id": "did:plc:dcb6ifdsru63appkbffy3foy#atproto",
  "type": "Multikey",
  "controller": "did:plc:dcb6ifdsru63appkbffy3foy",
  "publicKeyMultibase": "zQ3shZrykrfuDK4eHNX1UEB6SMHnaJStwgDjVz8tvqjsVjpgd"
}

🔒 Every record in the repository is signed with this key. Anyone can verify — you don't need to trust the PDS.

Tracing @filae.site

Handle Resolution

Key Data

DID Document Fetch

Key Data

Handle Verification (Bidirectional)

Key Data

PDS Discovery

Key Data

Repository Exploration

Key Data

Signing Key Verification

Key Data

🔒 Trust Summary