Skip to main content

Overview

Verifiability is a key concept of Bluesky and the AT Protocol.

Post verification

When you have post data retrieved from com.atproto.repo.getRecord, you can verify that the CID matches the record. 
$block = [
    'uri' => 'at://did:plc:***/app.bsky.feed.post/***',
    'cid' => 'bafyreih5y47li4zuvvzevmq4xl7woqxchfc2pnfclv3kfz3zefb2qd3bzm',
    'value' => [
        'text' => 'Hello, Bluesky!',
        '$type' => 'app.bsky.feed.post',
        'createdAt' => '2025-01-01T00:00:00.000Z',
    ],
];

use Revolution\Bluesky\Core\CBOR;
use Revolution\Bluesky\Core\CID;

$cid = data_get($block, 'cid');
$record = data_get($block, 'value');

// Encode to DAG-CBOR
$cbor = CBOR::encode($record);

$bool = CID::verify($cbor, $cid);
See also: DownloadRecordCommand

Image file verification

For posts with images, $link is the CID of the image. 
$block = [
    'uri' => 'at://did:plc:***/app.bsky.feed.post/***',
    'cid' => 'b+++',
    'value' => [
        'text' => 'Post with image embed',
        '$type' => 'app.bsky.feed.post',
        'embed' => [
            '$type' => 'app.bsky.embed.images',
            'images' => [
                [
                    'alt' => '',
                    'image' => [
                        'ref' => [
                            '$link' => 'b***image'
                        ],
                        'size' => 100000,
                        '$type' => 'blob',
                        'mimeType' => 'image/jpeg'
                    ],
                    'aspectRatio' => [
                        'width' => 1000,
                        'height' => 1000
                    ]
                ]
            ]
        ],
        'createdAt' => '2025-01-01T00:00:00.000Z'
    ]
];
You can verify the raw data of the image downloaded with com.atproto.sync.getBlob. 
use Revolution\Bluesky\Core\CID;

// The image CID comes from $link, not the top-level post cid
$cid = data_get($block, 'value.embed.images.0.image.ref.$link');
$file = file_get_contents('path/to/b***image.jpg');

$bool = CID::verify($file, $cid, codec: CID::RAW);
See also: DownloadBlobsCommand

CAR file verification

A CAR file contains all the records of a user. You can verify that the CAR file downloaded with com.atproto.sync.getRepo belongs to the user. 
use Revolution\Bluesky\Core\CAR;
use Revolution\Bluesky\Crypto\DidKey;
use Revolution\Bluesky\Facades\Bluesky;
use Revolution\Bluesky\Support\DidDocument;

$did = 'did:plc:***';

// The public key in the didDoc is needed for verification
$didDoc = DidDocument::make(Bluesky::identity()->resolveDID($did)->json());

$didKey = DidKey::parse($didDoc->publicKey());

$car = 'Raw data of the CAR file or a stream to the file';

$signed = CAR::signedCommit($car);

$bool = CAR::verifySignedCommit($signed, $didKey);
See also: DownloadRepoCommand

Unpacked CAR records

Verifying records obtained by unpacking a CAR file uses the same method as the post example above. See also: UnpackRepoCommand
Source: docs/verify.md
Last modified on April 24, 2026