In this series of posts we’re going to explore ActivityPub, the protocol that powers microblogging across the Fediverse.

This post is going to focus on how ActivityPub models microblogging. We’re going to dive into the three main parts: Actors, Activities and Objects. We’ll also take a look at how we use these to achieve microblogging in practice.


An Actor in ActivityPub is meant to represent someone or something performing an activity. The something here is important, it doesn’t have to be a person, it could be a service.

In practice you’ll find this is normally the Person from the Activity Vocabulary. This means they’ll be described as type: "Person" and should have a name attribute too.


The object represents things that you may share or exchange over social media. It’s things like a Note, Audio an Image, a Place etc. The special Tombstone object is used to represent an object that has been deleted.

In the context of ActivityPub you’ll primarily run into the Note, as that is the equivalent of a tweet. Officially it is:

A short written work typically less than a single paragraph in length.

Most client allow messages of around 500 characters which is somewhere between 70 and 125 words. A paragraph is usually anywhere between 100 and 200 words so this works out.


This is where it gets a little more complicated. There are two types of activities: the regular activity and the intransitive activity. The regular activity can also be called a transitive activity but the spec doesn’t seem to use that term.

Intransitive activities can be thought of as things that are happening to the actor itself. For example, the Actor has Arrived at a location or is Travelling. Asking a Question, typically used to represent a poll is the last of the intransitives and is a little odd in that it normally doesn’t have an actor. Because you’re not doing an action to a thing the intransitive activity never has an object it is referencing.

Regular activities represent something the Actor is doing or has done to an Object, such as Create a Note, Like an object or Follow a Person. Regular activites always have an Actor repersenting who is doing it and an Object, the target to which it is done.

Createing a Note is how you tweet, and this is what the message looks like:

{"@context": "",
 "type": "Create",
 "id": "https://social.example/alyssa/posts/9282e9cc-14d0-42b3-a758-d6aeca6c876b",
 "to": ["https://social.example/alyssa/followers/",
 "actor": "https://social.example/alyssa/",
 "object": {"type": "Note",
            "id": "https://social.example/alyssa/posts/d18c55d4-8a63-4181-9745-4e6cf7938fa1",
            "attributedTo": "https://social.example/alyssa/",
            "to": ["https://social.example/alyssa/followers/",
            "content": "Lending books to friends is nice.  Getting them back is even nicer! :)"}}


In order to microblog, aka tweet, we use the CLient-to-Server and Server-to- Server APIs.

Both the Client-to-Server and Server-to-Server APIs use your Actor’s inbox and outbox to do things. The way we discover where your inbox and outbox are located is done through something called WebFinger.

You and other servers interact with your inbox and outbox over HTTP by POSTing JSON messages to it. Your inbox is used to receive messages, so you never POST to it, you only retrieve messages from it.

The outbox are objects you create and activities you perform, they’re what eventually federates out. Your server picks up objects and activities in your outbox and then tries to do something useful with it. Servers then drop those activities in the inbox of your followers, which is how your followers become aware of you having done something like Createing a Note.

Discovering a user’s inbox and outbox

WebFinger, also known as RFC 7033, is how we go from a handle like @name@domain.tld to a set of endpoints that tell us where your inbox and outbox are. It’s an “over the web”, read HTTP, implementation of the old Finger User Information protocol, RFC 1288. ActivityPub and WebFinger are completely separate specs and ActivityPub doesn’t mandate the use of WebFinger, but it’s what happens in practice.

The way this works is that on domain.tld an endpoint exists at /.well-known/webfinger to which you pass a query of resource=acct:name@domain.tld. This should then return a JSON document and within its links array you’ll find one of rel=self, type=application/activity+json and the href that we can use to query to get more information about you, like your inbox.

$ curl ''

  "subject": "",
  "aliases": [
  "links": [
      "rel": "",
      "type": "text/html",
      "href": ""
      "rel": "self",
      "type": "application/activity+json",
      "href": ""
      "rel": "",
      "template": "{uri}"

So we continue on, and we now query the ActivityPub server. Keep in mind that you can’t assume that @name@domain.tld is actually hosted on domain.tld, they might use a subdomain like social.domain.tld or have it delegated to a different domain entirely. This is why we go through WebFinger. It provides that layer of indirection decoupling the handle from the domain the ActivityPub server is hosted on.

$ curl '' -H 'Accept: application/ld+json; profile=""'

  "id": "",
  "type": "Person",
  "following": "",
  "followers": "",
  "inbox": "",
  "outbox": "",
  "featured": "",
  "featuredTags": "",
  "preferredUsername": "Gargron",
  "publicKey": {
    "id": "",
    "owner": "",
    "publicKeyPem": "..."
  "endpoints": {
    "sharedInbox": ""

There’s a lot more information in there, but for our purposes we now know enough. We’ve found where their inbox and outbox are located, a number of URLs for different collections like who they are following and who their followers are etc. We also now know their publicKey, which we’ll use to verify the HTTP signature of a message that gets POSTed to our inbox.


Client-to-Server is how an ActivityPub application could interact with your server so you can send messages. In practice this doesn’t happen because most applications are coded against Mastodon’s API, so everyone tends to implement that instead.

The idea with C2S is that it’s more or less the same as Server-to-Server. This is helpful when working on an implementation, since if you implement one part you’ve almost got the other too.

There is a slight asymetry though that for a bunch of things you do in C2S you don’t have to do it through an Activity. The idea is you only POST the Note object to your outbox, which your server then picks up, wraps in a Create activity and posts that to your outbox. Since there’s now a Create activity in your outbox, the server picks that up and does what is necessary to POST that to the inboxes of whoever you intended the message for. You can however also use the Create activity yourself directly.

The Block activity is unique to the C2S API, since we don’t want to federate out the fact that we’ve blocked something (someone) and inform them of that fact.


Server-to-Server is how ActivityPub federates, it’s how we share messages between people on different instances. Everyone implements this as without it you’re not connected to the rest of the ActivityPub fediverse. Some instances explicitly chose not to federate at all.

This is very similar to the C2S API. When activites that are meant to federate are posted to your outbox, your server goes and figures out who it should send that activity to. Once it’s built up the list of everyone it should go to, it’ll lookup everyone’s inbox and POST the activity to it.

Sometimes users have a sharedInbox. You can POST an activity to that inbox and then the receiving instance will figure out which user’s inboxes on it should receive the activity. This means that if you have 50 followers all on the same instance and each of those followers share a sharedInbox, you server will only have to do one POST request. Reducing a really big list of followers down to as many shared inboxes as possible greatly reduces the amount of traffic we need to federate a message.

Other servers will POST messages to your inbox and that’s how you become aware of one of the people you follow having sent out a message. When receiving a message we check the HTTP signature with the publicKeyPem of the user the message was supposedly sent by. This ensures you can’t go around impersonating people by dropping messages in other people’s inboxes.


ActivityPub is a relatively simple system. Actors are performing Activities on Objects. You create messages in your outbox which your server then goes and plops into other people’s inboxes. This is how you send out a message to other people in the Fediverse, notably the people following you. You in turn will be receiving messages in your inbox from other people in the Fediverse, specifically from folks you are following.

In order to map a handle to a set of HTTP endpoints to post messages to, we first use WebFinger to find the user’s ActivityPub instance. Once we have that we query the instance for the user which should return an object with at least the inbox and outbox, and potentially other collections as well.