What Is ActivityPub?

ActivityPub is a decentralized social networking protocol published as a W3C Recommendation in January 2018. It defines a standard way for servers to communicate with each other and for clients to interact with servers — enabling a federated social web where users on different platforms can follow, like, and reply to each other seamlessly.

It is the backbone of the Fediverse: a constellation of interconnected platforms including Mastodon, Pixelfed, PeerTube, Lemmy, and dozens more. Instead of one company controlling your social graph, ActivityPub distributes it across thousands of independently operated servers.

The Two Halves of the Protocol

ActivityPub is actually two protocols in one:

  • Server-to-Server (Federation Protocol): Defines how servers exchange activities — posts, likes, follows, announces — with each other over HTTPS.
  • Client-to-Server (Social API): Defines how a client application (like a mobile app) interacts with a user's home server to read and publish content.

In practice, most implementations focus on the federation layer. The client-to-server API sees less adoption because many platforms prefer proprietary client APIs for flexibility.

How ActivityPub Works: A Step-by-Step Flow

  1. Actors: Every user, group, or bot is represented as an Actor — a JSON-LD document accessible at a stable URL (e.g., https://mastodon.social/users/alice).
  2. Inboxes and Outboxes: Each actor has an inbox (where they receive activities from others) and an outbox (a public log of their activities).
  3. Activities: Actions are wrapped in Activity objects — Create, Follow, Like, Announce, Delete, and more.
  4. Delivery: When Alice posts something, her server sends an HTTP POST to the inbox of every follower on every remote server.
  5. Verification: HTTP Signatures are used to verify that the delivering server is who it claims to be.
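
Steps 4 and 5 seen from the receiving inbox, as an added Ruby example that is not code from this page or from any Fediverse project. It assumes the draft-cavage `Signature` header with rsa-sha256 plus a `Digest` header, the scheme Mastodon uses for deliveries; the key table, host names, function names and lowercase header hash are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "json"
require "time"

# Constructed sender key. A real receiver fetches the actor document named by
# keyId and reads its public key; this table stands in for that fetch.
ALICE_KEY = OpenSSL::PKey::RSA.new(2048)
ALICE = "https://example.social/users/alice"
KEYS = { "#{ALICE}#main-key" => { owner: ALICE, pem: ALICE_KEY.public_key.to_pem } }

def digest_of(body)
  "SHA-256=" + Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(body))
end

# Rebuild the string the sender signed from the header names it listed.
def signing_string(names, path, headers)
  names.map do |n|
    n == "(request-target)" ? "#{n}: post #{path}" : "#{n}: #{headers[n]}"
  end.join("\n")
end

# Sender side (Alice's server), present only to produce a constructed delivery.
def sign_delivery(path, body, now)
  h = { "host" => "remote.example", "date" => now.httpdate, "digest" => digest_of(body) }
  names = ["(request-target)", "host", "date", "digest"]
  sig = ALICE_KEY.sign(OpenSSL::Digest.new("SHA256"), signing_string(names, path, h))
  h.merge("signature" => %(keyId="#{ALICE}#main-key",algorithm="rsa-sha256",) +
    %(headers="#{names.join(' ')}",signature="#{Base64.strict_encode64(sig)}"))
end

# Receiver side: returns :ok or the reason the delivery is rejected.
def verify_delivery(path, headers, body, now, max_skew = 300)
  params = headers.fetch("signature", "").scan(/(\w+)="([^"]*)"/).to_h
  key = KEYS[params["keyId"]] or return :unknown_key
  names = params.fetch("headers", "").split
  return :unsigned_headers unless (%w[(request-target) host date digest] - names).empty?
  date = Time.httpdate(headers["date"].to_s) rescue nil
  return :stale_date unless date && (now - date).abs <= max_skew
  return :digest_mismatch unless headers["digest"] == digest_of(body)
  pub = OpenSSL::PKey::RSA.new(key[:pem])
  sig = Base64.decode64(params["signature"].to_s)
  data = signing_string(names, path, headers)
  return :bad_signature unless pub.verify(OpenSSL::Digest.new("SHA256"), sig, data)
  # The signature proves who sent the request, not who the activity claims to be from.
  actor = JSON.parse(body)["actor"] rescue nil
  return :actor_mismatch unless actor == key[:owner]
  :ok
end
```

The final check matters as much as the signature itself: a validly signed request whose `actor` differs from the key's owner is rejected rather than trusted.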

ActivityStreams 2.0: The Data Format

ActivityPub uses ActivityStreams 2.0 as its vocabulary, serialized as JSON-LD. Here's a minimal example of a Note (a post):

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "type": "Note",
  "id": "https://example.social/notes/1",
  "attributedTo": "https://example.social/users/alice",
  "content": "Hello, Fediverse!",
  "to": ["https://www.w3.org/ns/activitystreams#Public"]
}

The @context field links to the ActivityStreams vocabulary, making it machine-readable and extensible via JSON-LD.

Why ActivityPub Matters

  • No vendor lock-in: Your followers are portable across servers and platforms.
  • Censorship resistance: No single authority can silence an entire network.
  • Interoperability by default: A Mastodon user can follow a PeerTube channel natively.
  • Open standard: Anyone can build a compliant server or client.

Limitations to Be Aware Of

ActivityPub isn't without challenges. Key-person instances can become performance bottlenecks, content moderation is fragmented across servers, and because the core spec has no end-to-end encryption, private messages are only as confidential as the servers that handle them. Ongoing work in the W3C Social Web Incubator Community Group aims to address several of these gaps.

Getting Started

If you want to experiment with ActivityPub, the official W3C spec is surprisingly readable. Libraries like APub (Python), ActivityPhp, and reference implementations like Mastodon's source code are excellent starting points for building your own federated application.