Too many words about DIDs<br>Skip to main content<br>Too many words about DIDs<br>Jul 14, 2026 ATProto & Bluesky<br>Your “Bluesky account” is not just a Bluesky account: it is an account that<br>can be used with a variety of other applications. This post is going to be an<br>exploration of part of what that means from a technical perspective, so if you’re<br>not a software developer, this post isn’t for you. But what I’m going to explain<br>is the technical mechanism for how your account works separate from Bluesky, and<br>in fact, separate from any particular app.
Let’s talk about identity: who are you, anyway? Users of a system need some sort<br>of way to describe who they are to use it. If you want to log in, you need to<br>present who you are. If you want to make a post, well, we need to know who the<br>author of that post is. For atproto, the protocol that underlies Bluesky and<br>other apps in the ATmosphere, they use the “Decentralized Identity” standard,<br>also known as DID. The W3C standardized DIDs in<br>2022. As you might guess from the name, DIDs<br>are, an identifier that you can use as the basis of identity for building<br>applications. And the idea is that these identifiers are decentralized. However,<br>a lot of people have a lot of feelings about that specific word, and often<br>accuse atproto of not being properly decentralized. We’re going to go over the<br>details so you can understand how this works, and you can decide for yourself if<br>this approach suits you or not.
DIDs and DID Documents
Here is my DID, we’ll use this as an example: did:plc:3danwc67lo7obz2fmdg6jxcr
There are three parts, separated by colons: The scheme (did), the method (plc),<br>and the DID method-specific identifier (3danwc67lo7obz2fmdg6jxcr).
To use a DID, such as did:plc:3danwc67lo7obz2fmdg6jxcr, you resolve it into a<br>DID Document
A set of data describing the DID subject, including mechanisms, such as<br>cryptographic public keys, that the DID subject or a DID delegate can use to<br>authenticate itself and prove its association with the DID.
That document contains various<br>properties that describe the<br>identity. Here’s my DID Document, at the time of writing:
"@context": [<br>"https://www.w3.org/ns/did/v1",<br>"https://w3id.org/security/multikey/v1",<br>"https://w3id.org/security/suites/secp256k1-2019/v1"<br>],<br>"id": "did:plc:3danwc67lo7obz2fmdg6jxcr",<br>"alsoKnownAs": ["at://steveklabnik.com"],<br>"verificationMethod": [<br>"id": "did:plc:3danwc67lo7obz2fmdg6jxcr#atproto",<br>"type": "Multikey",<br>"controller": "did:plc:3danwc67lo7obz2fmdg6jxcr",<br>"publicKeyMultibase": "zQ3shfNec2kPEb8cL77gSRMbCwbWE27p9nxKkcc4E82xtW8RJ"<br>],<br>"service": [<br>"id": "#atproto_pds",<br>"type": "AtprotoPersonalDataServer",<br>"serviceEndpoint": "https://morel.us-east.host.bsky.network"<br>This document gives you everything you need to know to determine who I am, that is,<br>given an arbitrary post that claims it’s written by me, this document describes how<br>you’d verify that claim.
We’ll get into how to do that that in a moment, but first, how do you resolve<br>that DID into that DID document? Well, it’s pretty easy: each method is a<br>standard that describes how you do that. So when you see did:plc, that means<br>we use the PLC standard, which we’ll be going over in a moment. Another method<br>supported by Bluesky is did:web. In that case, you wouldn’t use the PLC<br>standard, you’d use the Web one.
This is the sense in which DIDs are decentralized: when you present your<br>identity, you get to decide what method validates that that is a real identity.<br>There’s no centralized authority that determines which DID types are valid. Now,<br>of course, that doesn’t mean that every application supports every DID method,<br>because while this specification is very generic, you’re still going to have<br>to write some code to implement that particular method. I could say “Hey I’m<br>did:foo:1243” and unless your app supports the foo method, it’s not gonna<br>inherently just know what to do. So that is one important caveat.
did:web
Let’s explain this resolution process for the web method. While supported by<br>Bluesky, a very small number of users actually use did:web, but it’s a simpler<br>method and so I think it’s illustrative to go over first. I’ll be using Liz<br>Fong-Jones did:web account as an<br>example here. Her identity for that account is did:web:lizthegrey.com.
So how do we resolve this DID into a DID Document? We take the method-specific<br>identifier, which in this case is lizthegrey.com, and put it into this URL template:
https:///.well-known/did.json
You can then go fetch this URL to resolve it into the DID Document, which at the<br>time of writing, looks like this:
"@context": [<br>"https://www.w3.org/ns/did/v1",<br>"https://w3id.org/security/multikey/v1",<br>"https://w3id.org/security/suites/secp256k1-2019/v1"<br>],<br>"id": "did:web:lizthegrey.com",<br>"alsoKnownAs": [<br>"at://web.lizthegrey.com",<br>"did:plc:i4tfenpfog244rxry5uz4vtk"<br>],<br>"verificationMethod": [<br>"id": "did:web:lizthegrey.com#atproto",<br>"type": "Multikey",<br>"controller": "did:web:lizthegrey.com",<br>"publicKeyMultibase":...