Copyright © 2016 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and permissive document license rules apply.
The ActivityPub protocol is a social networking protocol based upon the ActivityStreams 2.0 data format. It is based upon experience gained from implementing and working with the OStatus and Pump.io protocols.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
This document is a proposed submission to the W3C Social working group.
This document was published by the Social Web Working Group as a Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-socialweb@w3.org (subscribe, archives). All comments are welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 1 September 2015 W3C Process Document.
The ActivityPub protocol is broadly based on the distribution of activities, described using [ActivityStreams]; these activities are produced in response to a user performing an activity. Most activities are purely responsive in nature - they are produced as a response to a user having done something. In addition, certain activities posted by a user to their outbox may trigger certain operations on the user's behalf. Finally, activities may have side effects as they propogate throughout the social graph. As an example of this:
like activity to their outbox. This activity causes the user's server to perform an activity on behalf of the user; in particular, it adds the specified object to the collection of objects the user has liked.
This specification defines two closely related and interacting protocols:
All servers claiming conformance to this specification are required to implement the former protocol, and may optionally implement the latter. This gives three conformance classes:
It is called out whenever a portion of the specification only applies to implementation of the federation protocol. In addition, whenever requirements are specified, it is called out whether they apply to the client or server (for the client-to-server protocol) or which of a pair of servers in the server-to-server protocol.
Objects are the core concept around which both [ActivityStreams] and ActivityPub are built. Objects are often wrapped in Activities and are contained in streams of Collections, which are themselves subclasses of Objects. See the ActivityStreams Vocabulary document, particularly the Core Classes, to get a sense of how this lays out; ActivityPub follows the mapping of this vocabulary very closely.
Servers SHOULD validate the content they receive to avoid content spoofing attacks. In particular, servers SHOULD NOT trust client submitted content, and federated servers also SHOULD NOT trust content received from a server other than the content's origin without some form of verification. The general mechanism that is specified for this at this time is for a recipient of some referenced activitystreams object to verify the presence of that object on the original server. Other mechanisms such as verifying signatures are left out of scope of this document. (However, if other generally agreed upon mechanisms for handling verification become available in the future, servers are welcome to use those methods, in the future.)
{
"type": "Like",
"actor": "https://example.net/~mallory",
"to": ["https://hatchat.example/sarah/",
"https://example.com/peeps/john/"],
"object": {
"id": "https://example.org/~alice/note/23",
"type": "Note",
"author": "https://example.org/~alice",
"content": "I'm a goat"
}
}id both to ensure that it exists and is a valid object, and that it is not misrepresenting the object. (In this example, Mallory could be spoofing an object allegedly posted by Alice.)
All Objects in [ActivityStreams] should have unique global identifiers. ActivityPub extends this requirement; all objects distributed by the ActivityPub protocol MUST have unique global identifiers; these identifiers must fall into one of the following groups:
null object, which implies an anonymous object (a part of its parent context)
Identifiers MUST be provided for activities posted in server to server communication. However, for client to server communication, a server receiving an object with no specified id should allocate an object ID in the user's namespace and attach it to the posted object.
All objects must have the following properties:
The HTTP GET method may be dereferenced against an object's
id property to retrieve the activity. Servers MAY use HTTP content negotiation as defined in [RFC7231] to select the type of data to return in response to a request. The client MUST specify an Accept header, this specification only applies in the selection of the
application/activity+json media type.
Servers MAY implement other behavior for requests which do not comply with the above requirement. (For example, servers may implement additional legacy protocols, or may use the same URI for both HTML and ActivityStreams representations of a resource)
Servers MAY require authorization as specified in 9. Authorization, and may additionally implement their own authentication rules. Servers SHOULD fail requests which do not pass their authorization or authentication checks with the appropriate HTTP error code, or the 404 Not Found error code where the existence of the object is considered private.
GET methodThe HTTP GET method shall return an up-to-date version of the object.
Actors in ActivityPub are represented by HTTP URI. When entered directly into a user interface (for example on a login form), it is desirable to support simplified naming. For this purpose cases, ID normalization SHOULD be performed as follows:
Once the actor's URI has been identified, it should be dereferenced.
Actor objects are ActivityStreams objects which are subclasses of the
Actor type. Actor objects MUST have, in addition to the properties mandated by 3.1 Object Identifiers, the following properties:
Implementations SHOULD, in addition, provide the following properties:
id.
{
"@context": [
"https://www.w3.org/ns/activitystreams",
"https://www.w3.org/ns/activitypub"
],
"type": "Person",
"id": "https://johnsmith.example.com/",
"following": "https://johnsmith.example.com/following.json",
"followers": "https://johnsmith.example.com/followers.json",
"inbox": "https://johnsmith.example.com/inbox.json",
"outbox": "https://johnsmith.example.com/feed.json",
"preferredUsername": "johnsmith",
"name": "John Smith",
"summary": "Just an example guy",
"icon": [
"https://johnsmith.example.com/image/165987aklre4"
]
}Implementations MAY, in addition, provide the following properties:
[ActivityStreams] defines the collection concept; ActivityPub defines several collections with special behavior. Additionally, it defines a subset of collections termed streams.
Every actor SHOULD have a followers collection. This is a list of everyone who has sent a Follow activity for the user, added as a side effect. This is where one would find a list of all the users that are following the actor.
The follow activity generally is a request to see the objects a user creates. This makes the Followers collection an appropriate default target for delivery of notifications.
Every actor MAY have a Following collection. This is a list of everybody that the actor has followed, added as a side effect.
Every actor MAY have a Likes collection. This is a list of every object from all of the actor's Like activities, added as a side effect.
Streams are collections of ActivityStreams objects, generally Activities, which are always presented in reverse chronological order.
The outbox is discovered through the outbox property of an actor's profile.
The outbox stream contains objects the user has published, subject to the ability of the requestor to retrieve the object (that is, the contents of the outbox are filtered by the permissions of the person reading it). If a user submits a request without Authorization the server should respond with all of the Public posts. This could potentially be all relevant objects published by the user, though the number of available items is left to the descretion of those implementing and deploying the server.
The outbox accepts HTTP POST requests, with behaviour described in Client to Server Interactions.
The inbox is discovered through the inbox property of an actor's profile.
The inbox stream contains all objects received by the user. The server SHOULD filter content according to the requester's permission. In general, the owner of an inbox is likely to be able to access all of their inbox contents. Depending on access control, some other content may be public, whereas other content may require authentication for non-owner users, if they can access the inbox at all.
The server MUST perform de-duplication of activities returned by the inbox. Duplication can occur if an activity is addressed both to a user's followers, and a specific user who also follows the recipient user, and the server has failed to de-duplicate the recipients list. Such deduplication MUST be performed by comparing the
id of the activities and dropping any activities already seen.
The inbox accepts HTTP POST requests, with behaviour described in Delivery.
In addition to [ActivityStreams] collections and objects, Activities may additionally be addressed to the special "public" collection denoted by:
{
"@context": "https://www.w3.org/ns/activitystreams",
"id": "https://www.w3.org/ns/activitypub/Public",
"type": "Collection"
}Activities addressed to this special URI shall be accessible to all users, without authentication.
New URI for AP? Or can we get as:public?
There is the ability to submit binary data such as images, video or other binary data you wish to use in ActivityPub. This is done by means of submitting the binary data to the user's
mediaEndpoint on their ActivityStreams profile object. The request MUST contain the HTTP headers Content-Type and
Content-Length. A client should expect that it must be
properly authenticated in order to be able to upload media. Upon successful submission a response containing the object with an ID is returned that can be posted to the users outbox.
An example response for an image I might upload is:
{
"@context": "",
"id": "https://example.com/~erik/photos/1",
"type": "Image",
"to": ["https://example.com/~erik/public",
"https://example.org/~sarah/"],
"cc": ["https://example.com/~erik/followers"],
"url": [
{
"type": "Link",
"href": "https://example.com/~erik/photos/1.png",
"mediaType": "image/png"
}
]
}Activities as defined by [ActivityStreams] are the core mechanism for creating, modifying and sharing content within the social graph. Client to server interaction takes place through clients posting activities to a user's outbox.
Clients are responsible for addressing new Activites appropriately. To some extent, this is dependent upon the particular client implementation, but clients must be aware that the server will only forward new Activities to addressees in the to,
cc and bcc fields.
Clients MAY address new Activities to the user's Followers Collection or the Public Collection by default.
Clients SHOULD check any objects attached to the Activity via the
object, target, inReplyTo and/or
tag fields, retrieve their actor or
attributedTo properties, and MAY also retrieve their addressing properties, and add these to the to or cc fields of the new Activity being created. Clients MAY recurse through attached objects, but if doing so, SHOULD set a limit for this recursion.
Clients MAY give the user the chance to amend this addressing in the UI.
For example, when Chris likes the following article by Amy:
{
"id": "https://rhiaro.co.uk/2016/05/minimal-activitypub",
"type": "Article",
"name": "Minimal ActivityPub update client",
"content": "Today I finished morph, a client for posting ActivityStreams2...",
"attributedTo": "https://rhiaro.co.uk/#amy",
"to": "https://rhiaro.co.uk/followers/",
"cc": "https://e14n.com/evan"
}the like is generated by the client as:
{
"@context": "https://www.w3.org/ns/activitystreams#",
"type": "Like",
"actor": "https://dustycloud.org/chris/"
"name": "Chris liked 'Minimal ActivityPub update client'",
"object": "https://rhiaro.co.uk/2016/05/minimal-activitypub",
"to": ["https://rhiaro.co.uk/#amy",
"https://dustycloud.org/followers",
"https://rhiaro.co.uk/followers/"],
"cc": "https://e14n.com/evan"
}The receiving outbox can then perform delivery to not only the followers of Chris (the liker), but also to Amy, and Amy's followers and Evan, both of whom received the original article.
To submit new Activities to a user's server, clients MUST discover the URL of the user's outbox from their profile and then MUST make an HTTP POST request to to this URL with the Content-Type of
application/ld+json; profile="https://www.w3.org/ns/activitystreams#". The request MUST be authenticated with the credentials of the user to whom the outbox belongs. The body of the POST request MUST contain a single Activity (which MAY contain embedded objects), or a single non-Activity object which
will be wrapped in a Create activity
by the server.
POST /outbox/ HTTP/1.1
Host: dustycloud.org
Authorization: Bearer XXXXXXXXXXX
Content-Type: application/ld+json; profile="https://www.w3.org/ns/activitystreams#"
{
"@context": "https://www.w3.org/ns/activitystreams#",
"type": "Like",
"actor": "https://dustycloud.org/chris/"
"name": "Chris liked 'Minimal ActivityPub update client'",
"object": "https://rhiaro.co.uk/2016/05/minimal-activitypub",
"to": ["https://dustycloud.org/followers", "https://rhiaro.co.uk/followers/"],
"cc": "https://e14n.com/evan"
}
If an Activity is submitted with a value in the id property, servers MUST ignore this and generate a new id for the Activity. Servers MUST return a 201 Created HTTP code with the new URL in the Location header.
HTTP/1.1 201 Created
Location: https://dustycloud.org/likes/345The server adds this new Activity to the outbox collection. Depending on the type of Activity, servers may then be required to carry out further side effects. These are described per individual Activity below.
The Create activity is used to when posting a new object. This has the side effect that the object embedded within the Activity (in the object property) is created.
When a Create activity is posted, the actor of the activity SHOULD be copied onto the object's
attributedTo field.
For client to server posting, it is possible to create a new object without a surrounding activity. The server MUST accept a valid [ActivityStreams] object that isn't a subtype of Activity in the POST request to the outbox. The server then MUST attach this object as the object of a Create Activity.
The Location value returned by the server should be the URL of the new Create activity (rather than the object).
The audience specified on the object MUST be copied over to the new Create activity by the server.
{
"@context": "https://www.w3.org/ns/activitystreams",
"type": "Note",
"content": "This is a note",
"published": "2015-02-10T15:04:55Z",
"to": ["https://example.org/~john/"],
"cc": ["https://example.com/~erik/followers"]
}{
"@context": "https://www.w3.org/ns/activitystreams",
"type": "Create"
"id": "https://example.net/~mallory/87374"
"actor": "https://example.net/~mallory",
"object": {
"id": "https://example.com/~mallory/note/72",
"type": "Note",
"attributedTo": "https://example.net/~mallory",
"content": "This is a note",
"published": "2015-02-10T15:04:55Z",
"to": ["https://example.org/~john/"],
"cc": ["https://example.com/~erik/followers"]
},
"published": "2015-02-10T15:04:55Z",
"to": ["https://example.org/~john/"],
"cc": ["https://example.com/~erik/followers"]
}
The Update activity is used when updating an already existing object. The side effect of this is that the object MUST be modified to reflect the new structure in defined in the update activity.
The Delete activity is used to delete an already existing object. The side effect of this is that the server MAY replace the
object with a Tombstone of the object that will be displayed in activities which reference the deleted object. If the deleted object is requested the server SHOULD respond with either the HTTP 410 Gone status code if a Tombstone is used, otherwise respond with a HTTP 404 Not Found.
A deleted object:
{
"@context": "https://www.w3.org/ns/activitystreams",
"id": "https://example.com/~alice/note/72",
"type": "Tombstone",
"published": "2015-02-10T15:04:55Z",
"updated": "2015-02-10T15:04:55Z",
"deleted": "2015-02-10T15:04:55Z",
}
The Follow activity is used to subscribe to the activities of another user.
The side effect of receiving this in an outbox is that the server SHOULD add the object to the
actor's Following Collection.
Upon receipt of an Add activity into the
outbox, the server SHOULD add the object to the collection specified in the
target property, unless:
target is not owned by the receiving user, and thus they can't update it.
object is not allowed to be added to the
target collection for some other reason, at the receiver's discretion.
Upon receipt of a Remove activity into the
outbox, the server SHOULD remove the object from the collection specified in the
target property, unless:
target is not owned by the receiving server, and thus they can't update it.
object is not allowed to be added to the
target collection for some other reason, at the receiver's discretion.
The Like activity indicates the actor likes the object.
The side effect of receiving this in an outbox is that the server MAY add the object to the
actor's Likes Collection.
The Block activity is used to indicate that the actor does not want a user (defined in the object property) to be able to interact with objects posted by the user. The server SHOULD prevent the user from interacting with any object posted by the actor.
Servers SHOULD NOT deliver Block Activities to their object.
The Undo activity is used to undo a previous activity. For example, Undo may be used to undo a previous
Like or Follow. The undo activity and the activity being undone MUST both have the same author. Side effects (such as adding activities to a user's inbox after a
Follow) should be undone, to the extent possible.
There are some exceptions where there is an existing and explicit "inverse activity" which should be used instead.
Create based activities should instead use
Delete, and Add activities should use
Remove.
Federated servers MUST perform delivery on all Activities posted to the outbox according to outbox delivery.
Servers communicate with other servers and propagate information across the social graph by posting activities to actors' inbox endpoints.
In order to propagate updates throughout the social graph, Activities are sent to the appropriate recipients. First, these recipients are determined through following the appropriate links between objects until you reach an agent (targeting), and then the Activity is inserted into the agent's inbox (delivery). This allows recipient servers to:
Delivery is usually triggered by, for example:
Primary targeting is per the audience targetting properties from the [ ActivityStreams] specification. Notification targeting ensures the owners of all linked objects are notified of a new Activity that relates to them. Thus, the target(s) for delivery of an Activity may be:
to, cc or bcc fields (likely to include the followers collection)
actors for all objects in the object, target,
inReplyTo or tag fields
If the entry is a collection, then the server MUST dereference the collection (with the user's credentials) and discover inboxes for each item in the collection. Servers MUST limit the number of layers of indirections through collections which will be performed, which MAY be one.
Servers MUST de-duplicate the final recipient list. Servers MUST also exclude actors from the list which are the same as the actor of the Activity being notified about.
What to do when there are no recipients specified is not defined, however it's recommended that if no recipients are specified the object remains completely private and access controls restrict the access to object. If the object is just sent to the "public" collection the object is not delivered to any users but is publicly viewable in the actor's outbox.
Once the target(s) for delivery have been determined, discovery of the recipient inbox(es), and delivery, are performed according to [LDN].
In summary, the inbox is determined through the
inbox property in the actor's profile, and an HTTP POST request (with authorization of the submitting user) is made to to the
inbox, with the Activity as the body of the request. This Activity is added by the receiver as an item in the inbox Collection.
For federated servers performing delivery to a 3rd party server, delivery SHOULD be performed asynchronously to completion of the original activity submission request, and SHOULD additionally retry delivery to recipients if it fails due to network error.
When objects are received in the outbox, the server MUST target and deliver to:
to, cc or bcc fields if their values are individuals, or Collections owned by the server.
These fields will have been populated appropriately by the client which posted the Activity to the outbox.
When Activities are received in the inbox, the server needs to forward these to recipients that the origin was unable to deliver them to. To do this, the server MUST target and deliver to the values of to, cc and/or bcc if and only if all of the following are true:
to, cc and/or bcc contain a Collection owned by the server.
inReplyTo, object,
target and/or tag are objects owned by the server. The server SHOULD recurse through these values to look for linked objects owned by the server, and SHOULD set a maximum limit for recursion (ie. the point at which the thread is so deep the recipients followers may not mind if they are no longer getting updates that don't directly involve the recipient). The server MUST only target the values of to, cc and/or bcc on the original object being forwarded, and not pick up any new addressees whilst recursing through the linked objects (in case these addressees were purposefully amended by or via the client).
The server MAY filter its delivery targets according to implementation-specific rules, for example, spam filtering.
The side effect of receving this in an inbox is that the server SHOULD add the actor to the object user's Followers Collection.
The side effect of receving this in an inbox is that the server MAY increment the object's count of likes.
Upon receipt of an Add activity into the
inbox, the server SHOULD add the object to the collection specified in the
target property, unless:
target is not owned by the receiving server, and thus they can't update it.
object is not allowed to be added to the
target collection for some other reason, at the receiver's discretion.
Upon receipt of a Remove activity into the
inbox, the server SHOULD remove the object from the collection specified in the
target property, unless:
target is not owned by the receiving server, and thus they can't update it.
object is not allowed to be added to the
target collection for some other reason, at the receiver's discretion.
This section is non-normative.