Overview of cryptography in AT Protocol
AT Protocol relies on elliptic-curve cryptography (ECC) throughout its stack. The main uses are:Key pair classes
AbstractKeypair
AbstractKeypair is the shared base class for P256 and K256. It uses phpseclib3 internally.
P256 (secp256r1)
OAuthKey extends P256 and loads the private key from config('bluesky.oauth.private_key').
An Artisan command is provided to generate a new OAuth private key:
K256 (secp256k1)
DidKey
TheDidKey class encodes and decodes public keys in the did:key format.
What is did:key?
AT Protocol represents public keys asdid:key:z... strings. A curve identifier prefix is prepended to the compressed public key, then the result is multibase-encoded with Base58btc.
Encode a public key as did:key
Parse a public key from a DID Document
JsonWebToken (JWT)
TheJsonWebToken class provides JWT encode and decode operations.
DPoP (Demonstrated Proof of Possession)
DPoP is an OAuth security mechanism that binds an access token to a specific client key pair, preventing token replay attacks. TheDPoP class is used internally. You normally do not need to call it directly — the OAuthAgent middleware injects DPoP headers automatically.
Signature (format conversion)
AT Protocol uses a 64-byte compact signature format, but phpseclib3 produces ASN.1 DER signatures. TheSignature class handles the conversion.
JsonWebKey
JsonWebKey represents a JWK (JSON Web Key). It is used when generating DPoP proofs.
OAuthKey
OAuthKey extends P256 and is the OAuth-specific key class. It reads the private key from config('bluesky.oauth.private_key').
References
Source: src/Crypto/