Skip to main content
Crypto is an advanced internal implementation. You do not need it for typical usage such as posting, fetching feeds, or notifications. Refer to this page when building low-level signature verification or custom OAuth flows on top of AT Protocol.

Overview of cryptography in AT Protocol

AT Protocol relies on elliptic-curve cryptography (ECC) throughout its stack. The main uses are:

Key pair classes

AbstractKeypair

AbstractKeypair is the shared base class for P256 and K256. It uses phpseclib3 internally.

P256 (secp256r1)

Used for OAuth (DPoP and Client Assertion). OAuthKey extends P256 and loads the private key from config('bluesky.oauth.private_key'). An Artisan command is provided to generate a new OAuth private key:

K256 (secp256k1)

Used for authentication in Feed Generators and Labelers. The Bluesky PDS and Relay verify signatures using this curve.

DidKey

The DidKey class encodes and decodes public keys in the did:key format.

What is did:key?

AT Protocol represents public keys as did:key:z... strings. A curve identifier prefix is prepended to the compressed public key, then the result is multibase-encoded with Base58btc.

Encode a public key as did:key

Parse a public key from a DID Document


JsonWebToken (JWT)

The JsonWebToken class provides JWT encode and decode operations.

DPoP (Demonstrated Proof of Possession)

DPoP is an OAuth security mechanism that binds an access token to a specific client key pair, preventing token replay attacks. The DPoP class is used internally. You normally do not need to call it directly — the OAuthAgent middleware injects DPoP headers automatically.

Signature (format conversion)

AT Protocol uses a 64-byte compact signature format, but phpseclib3 produces ASN.1 DER signatures. The Signature class handles the conversion.

JsonWebKey

JsonWebKey represents a JWK (JSON Web Key). It is used when generating DPoP proofs.

OAuthKey

OAuthKey extends P256 and is the OAuth-specific key class. It reads the private key from config('bluesky.oauth.private_key').
This is handled automatically by the Bluesky Socialite integration.

References

Source: src/Crypto/
Last modified on April 25, 2026