Introducing did:fid: A Credibly Neutral DID Method for AT Protocol

I took a break from working on AT-SMS this weekend to prototype an idea that's been bouncing around my head for a while - an alternative DID method for AT Protocol that addresses some of the centralization concerns people have been raising.

The Problem with Current DIDs

If you've been following AT Protocol development, you know we have two blessed DID methods:

  • did:plc - Works great, but it's controlled by Bluesky PBC. This creates a central point of control criticized by many.

  • did:web - Based on DNS and HTTPS. Fine for brands, but not ideal for individual users since domains require annual renewal and can be seized.

Both methods have their place, but neither provides the censorship resistance that a truly decentralized social protocol needs.

Enter did:fid

This weekend I built a proof of concept for did:fid - a DID method based on Farcaster's identity system. Here's why this should be the third blessed DID method we need:

It's Already Battle-Tested

Farcaster has over 1 million registered identities running on smart contracts on Optimism. These aren't theoretical users - they're real accounts that have been working in production for years. The infrastructure is proven.

True Decentralization Through Smart Contracts

Unlike did:plc, there's no company that controls did:fid. The entire system runs on immutable smart contracts:

No single entity can censor or revoke your identity. That's credible neutrality.

Security Done Right

Farcaster IDs have solved a problem that plagues most crypto systems - the balance between self-custody and recoverability. Each FID has three levels of control:

  • Custody address - Controls the identity, can transfer ownership

  • Recovery address - Can recover if custody key is lost

  • Signer keys - For day-to-day operations

This means users get both security and peace of mind. Lost your main key? Recovery address has you covered. The recovery address can be managed by you or a third party. Delegate signer keys to apps like your AT Protocol PDS? Use delegated signer keys without risking your identity key.

How DIDs Work in AT Protocol

For those new to AT Protocol development, DIDs aren't just identifiers - they're decentralized accounts. They provide:

  • Persistent identity across different services

  • Cryptographic verification for authenticating users

  • Service discovery to find where user data lives (PDS)

  • Provider independence so users can migrate services freely

did:fid slots right into this model. When you resolve did:fid:1898, you get a W3C-compliant DID Document with verification methods pulled straight from the blockchain.

What's Missing

There's one piece we still need: a smart contract to store AT Protocol-specific data like handles and PDS endpoints. Right now my implementation uses placeholders, but deploying this contract would be straightforward.

The economics work out too:

  • ~$1 to register a new did:fid

  • Less than $0.01 for updates

  • Free lookups (just gas for reading)

We could even add optional fees for AT Protocol registration to fund public AT Protocol infrastructure. These fees also serve as a base layer protection for spam accounts—creating 1 Million spam accounts cost $1M.

What This Means for AT Protocol

Adding did:fid as a third blessed DID method would give users real choice in how they manage their identity:

  • did:plc for those who trust Bluesky and want simplicity

  • did:web for brands and organizations with domains

  • did:fid for users who want censorship resistance and true ownership

It also opens the door for the million+ Farcaster users to join AT Protocol with their existing identities. Imagine Farcaster users being able to post to Bluesky without creating new accounts.

Try It Out

I've published the code at github.com/cboscolo/farcaster-did. The did:fid resolver is already integrated into a fork of the atproto packages, and there's a CLI tool to test resolution.

The implementation is clean - it fits right into AT Protocol's existing DID resolver pattern. No hacks, no workarounds, just a new resolver that handles did:fid:* DIDs.

Next Steps

This is just a proof of concept, but I think it shows the potential. If there's interest from the community, the path forward would be:

  • Deploy the AT Protocol registry contract

  • Build registration tools for new users

  • Create a Farcaster frame for existing users to add AT Protocol info

  • Get Bluesky PBC to bless this DID, and merge the code.

The code is MIT licensed and open for contributions. If you care about decentralization and want AT Protocol to be truly censorship-resistant, let's make this happen.

The Bigger Picture

AT Protocol has the potential to be the foundation for a decentralized social web, but only if users truly own their identities. did:fid brings that ownership model from Farcaster's proven system.

We don't need to wait for perfect solutions. We have working, battle-tested infrastructure today. Let's use it.

Thoughts? Hit me up on Bluesky or check out the repo. Let's build a social web where users actually control their identities.