online / endpoints 18 / categories 4 / rate 60/min/ip /

Federated identity

Discovery files used by federated networks (Fediverse, AT Protocol) that misadvertise software identity or DID ownership.

GET /.well-known/atproto-did

AT Protocol (Bluesky) handle verification. A domain proves it owns a DID by returning the DID identifier in this file. Modes return malformed DIDs, multiple lines (spec says single), wrong DID methods, or empty content.

mode: invalid-did-format (default; not in DID format), multiple-lines (two DIDs returned, spec says one), wrong-method (did:web pointing to a different domain than the one serving it), empty (no body at all).

GET /.well-known/nodeinfo

Fediverse server discovery document. Mastodon, Pleroma, Misskey, and other federated software fetch this to advertise their identity. Modes break the link's rel value, claim impossible versions, or point at other hosts.

mode: bad-link (default; href points to a 404), wrong-rel (rel value is not the standard nodeinfo schema URL), version-mismatch (claims version 9.99 that does not exist), cross-host (link points to elsewhere.example).

Federated networks delegate identity discovery to the domain itself. If the discovery file is wrong, identity binding silently fails or, worse, binds the wrong account. AT Protocol’s atproto-did and Fediverse’s nodeinfo are both fetched as part of normal federation handshakes.

Use these to test that your federation client surfaces malformed identity files clearly rather than silently dropping the identity claim.
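A client-side check for the atproto-did body that reports each of the four modes above with its own reason code instead of dropping the claim. This is an added example, not code from this service or from any AT Protocol library; the names parse_atproto_did, verdict and DidFileError, the simplified DID pattern, the restriction to did:plc and did:web, and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Simplified generic DID syntax: did:<method>:<method-specific-id>
DID_RE = re.compile(r"did:([a-z0-9]+):([A-Za-z0-9._%-]+(?::[A-Za-z0-9._%-]+)*)")
# Assumption: this client accepts only these two DID methods for handles.
ALLOWED_METHODS = {"plc", "web"}


class DidFileError(ValueError):
    """Carries a reason code so the UI can say why the handle did not verify."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def parse_atproto_did(body: str, serving_host: str) -> str:
    """Return the single DID in a /.well-known/atproto-did body, or raise."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise DidFileError("empty", "response body contains no DID")
    if len(lines) > 1:
        raise DidFileError("multiple-lines", f"expected 1 DID, got {len(lines)}")
    match = DID_RE.fullmatch(lines[0])
    if match is None:
        raise DidFileError("invalid-did-format", f"not a DID: {lines[0][:40]!r}")
    method, ident = match.groups()
    if method not in ALLOWED_METHODS:
        raise DidFileError("wrong-method", f"unsupported DID method {method!r}")
    if method == "web":
        # did:web puts the host first; a port is percent-encoded as %3A.
        did_host = unquote(ident.split(":")[0]).lower()
        if did_host != serving_host.lower():
            raise DidFileError("wrong-method", f"did:web names {did_host}, not {serving_host}")
    return lines[0]


def verdict(body: str, serving_host: str) -> str:
    """Map a body to 'ok' or a failure code, never to a silent None."""
    try:
        parse_atproto_did(body, serving_host)
        return "ok"
    except DidFileError as err:
        return err.code


# Constructed sample bodies: one per failure mode, then one valid file.
SAMPLES = ["", "not-a-did", "did:plc:aaaa\ndid:plc:bbbb\n",
           "did:web:elsewhere.example\n", "did:plc:abcdefghijklmnopqrstuvwx\n"]
RESULTS = [verdict(body, "handle.example") for body in SAMPLES]
```

RESULTS lists the verdicts in the same order as SAMPLES, so a client test can compare the code it surfaces against the mode it requested.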