What Is ActivityPub?

ActivityPub is a decentralized social networking protocol published as a W3C Recommendation in January 2018. It defines how servers can send and receive social activities — things like posts, likes, follows, and comments — in a standardized way, regardless of which software is running on each server.

In plain terms: ActivityPub is the common language that lets a Mastodon user follow a Pixelfed account, comment on a PeerTube video, or boost a post from a Pleroma instance. Without a shared protocol, each platform would be its own walled garden.

The Core Concepts

Actors

In ActivityPub, every entity — a user, a group, a service — is an Actor. Actors have a unique URL (their ID), a public key for cryptographic verification, and an inbox and outbox for receiving and sending activities.

Activities

An Activity is a JSON-LD object describing something that happened. Common activity types include:

  • Create — a new post or object was created
  • Follow — one actor started following another
  • Like — an actor liked an object
  • Announce — an actor boosted/shared an object
  • Delete — an actor deleted an object
  • Undo — reverses a previous activity (e.g., unfollow)

Objects

Activities wrap Objects — the actual content. Common object types are Note (a post), Article, Image, Video, and Person.

How Federation Actually Works: A Step-by-Step Example

Here's what happens when you follow someone on a different instance:

  1. Your client sends a Follow activity to your server's outbox.
  2. Your server looks up the target actor's profile URL via WebFinger (a discovery protocol) to find their inbox.
  3. Your server delivers the Follow activity to the remote server's inbox via an HTTPS POST.
  4. The remote server verifies the request using HTTP Signatures (cryptographic proof that the activity really came from your server).
  5. If the target account is public, the remote server sends back an Accept activity.
  6. From now on, new posts from that account are pushed to your server's inbox automatically.

HTTP Signatures and Security

One of the less visible but critical pieces of ActivityPub federation is HTTP Signatures. Every activity sent between servers is cryptographically signed with the sending actor's private key. The receiving server verifies this signature against the public key published in the sender's actor profile. This prevents impersonation and ensures that activities haven't been tampered with in transit.

WebFinger: The Address Book of the Fediverse

WebFinger is a simple lookup protocol that allows servers to discover information about users given only a handle like @alice@example.social. When you type that handle into a search box, your server makes a WebFinger query to example.social asking for Alice's actor profile URL. It's the DNS of the Fediverse.

Why Open Standards Matter

Because ActivityPub is a published W3C standard — not a proprietary API — anyone can implement it. This is why there are dozens of incompatible-looking platforms (Mastodon, Misskey, Pixelfed, PeerTube, Lemmy, WordPress, Nextcloud) that all interoperate. The protocol, not a corporation, defines the rules.

Even Meta's Threads has begun federating via ActivityPub, illustrating both the protocol's reach and the ongoing community debate about corporate participation in open standards.

Further Reading

If you want to go deeper, the official ActivityPub specification is available at www.w3.org/TR/activitypub/. The ActivityStreams 2.0 vocabulary document defines all the object and activity types used by the protocol.