What Is ActivityPub?

ActivityPub is a W3C-recommended open protocol that enables decentralized social networking. It's the backbone of the Fediverse — the constellation of interconnected platforms like Mastodon, Pixelfed, PeerTube, and Lemmy that can all communicate with each other without a central authority.

If you've ever wondered how a Mastodon user can follow a Pixelfed account or reply to a PeerTube video, the answer is ActivityPub.

The Two Sides of ActivityPub

ActivityPub defines two distinct APIs:

  • Server-to-Server (Federation): How servers communicate with each other to share posts, follows, likes, and other activities across instances.
  • Client-to-Server: How clients (apps) communicate with their home server to read and publish content. In practice, most Fediverse apps use custom APIs here rather than the client-to-server (C2S) part of the spec.

Core Concepts: Actors, Objects, and Activities

Actors

Every user (or bot, or service) is an Actor — a JSON-LD document served at a stable URL. An actor has an inbox (where it receives messages) and an outbox (where its published activities are listed).

Activities

Everything in ActivityPub is expressed as an Activity using the ActivityStreams 2.0 vocabulary. Common activity types include:

  • Create — publishing a new post or object
  • Follow — subscribing to an actor
  • Like / Announce — reacting to or boosting content
  • Delete / Undo — removing content or reversing an action

Objects

Activities wrap Objects — the actual content, like a Note (a post), Article, Image, or Video.

How Federation Works Step by Step

  1. User A on mastodon.social follows User B on fosstodon.org.
  2. mastodon.social sends a Follow activity to B's inbox.
  3. fosstodon.org responds with an Accept activity.
  4. When B posts, fosstodon.org delivers a Create(Note) activity to all followers' inboxes, including A's server.
  5. mastodon.social receives the delivery and shows the post to A.

HTTP Signatures: Security in Federation

To prevent spoofing, ActivityPub implementations use HTTP Signatures. When server A delivers an activity to server B, it signs the HTTP request with A's private key. Server B verifies the signature against A's public key, which is published in the actor's JSON-LD document. This ensures that activities genuinely come from the actor they claim to come from.
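The signing and verification flow described above, as an added example that is not part of the original article or any Fediverse project's code. It assumes the draft-cavage style Signature header (rsa-sha256 over (request-target), host, date and digest) and an actor key entry with owner and publicKeyPem; the hostnames, keyId and the fetchKey resolver are hypothetical, and the key pair is generated on the spot.

```javascript
// Added example (not the page's code); assumes draft-cavage style HTTP Signatures.
const crypto = require('node:crypto');
const SIGNED = ['(request-target)', 'host', 'date', 'digest'];
const digestOf = (body) => 'SHA-256=' + crypto.createHash('sha256').update(body).digest('base64');

// The signed string: one "name: value" line per covered header, in order.
function signingString(req) {
  return SIGNED.map((h) => (h === '(request-target)'
    ? `(request-target): ${req.method.toLowerCase()} ${req.path}`
    : `${h}: ${req.headers[h]}`)).join('\n');
}

// Sender (server A): add Digest and Signature headers to an outgoing delivery.
function signRequest(req, keyId, privateKey) {
  req.headers.digest = digestOf(req.body);
  const sig = crypto.sign('sha256', Buffer.from(signingString(req)), privateKey).toString('base64');
  req.headers.signature = `keyId="${keyId}",algorithm="rsa-sha256",headers="${SIGNED.join(' ')}",signature="${sig}"`;
  return req;
}

// Receiver (server B): returns 'ok' or the reason for rejecting the delivery.
// fetchKey(keyId) is a hypothetical resolver for the actor document's { owner, publicKeyPem }.
function verifyRequest(req, fetchKey, now = Date.now(), maxSkewMs = 300000) {
  const p = Object.fromEntries([...(req.headers.signature || '').matchAll(/(\w+)="([^"]*)"/g)].map((m) => [m[1], m[2]]));
  if (!p.keyId || !p.signature) return 'missing signature';
  if (p.headers !== SIGNED.join(' ')) return 'required headers not signed'; // never accept a shorter list
  if (!(Math.abs(now - Date.parse(req.headers.date)) <= maxSkewMs)) return 'stale date';
  if (req.headers.digest !== digestOf(req.body)) return 'digest mismatch';
  const key = fetchKey(p.keyId);
  if (!key) return 'unknown key';
  const sigOk = crypto.verify('sha256', Buffer.from(signingString(req)), key.publicKeyPem, Buffer.from(p.signature, 'base64'));
  if (!sigOk) return 'bad signature';
  // A valid signature only proves control of the key; the activity must name its owner.
  return JSON.parse(req.body).actor === key.owner ? 'ok' : 'actor does not own key';
}

// Constructed demo: throwaway key pair, example hostnames, four deliveries.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const alice = 'https://a.example/users/alice', keyId = alice + '#main-key';
  const fetchKey = (id) => (id === keyId ? { owner: alice, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) } : null);
  const deliver = (actor) => signRequest({ method: 'POST', path: '/users/bob/inbox',
    headers: { host: 'b.example', date: new Date().toUTCString() },
    body: JSON.stringify({ type: 'Follow', actor, object: 'https://b.example/users/bob' }) }, keyId, privateKey);
  const tampered = deliver(alice); tampered.body = tampered.body.replace('Follow', 'Delete');
  return { valid: verifyRequest(deliver(alice), fetchKey), tampered: verifyRequest(tampered, fetchKey),
    spoofed: verifyRequest(deliver('https://a.example/users/carol'), fetchKey),
    replayed: verifyRequest(deliver(alice), fetchKey, Date.now() + 3600000) };
}
console.log(demo());
```

The spoofed case is the one a bare signature check misses: the request is correctly signed, but by a key that does not belong to the actor named in the activity.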

What Makes ActivityPub Powerful

  • No central authority: Anyone can run a server and join the network.
  • Interoperability by design: Different platforms with different UX all speak the same underlying language.
  • Data portability: Users can move between instances without losing their social graph (with tools like account migration).
  • Open standard: W3C spec, not a proprietary API subject to sudden changes.

Building with ActivityPub

If you're building a federated application, start by implementing Actor discovery via WebFinger, serving your Actor JSON-LD at a stable HTTPS URL, and accepting signed POST requests to an inbox. Libraries like activitypub-express (Node.js) and little-boxes (Python) can accelerate your implementation significantly.

ActivityPub is more than a protocol — it's a foundation for a more open, resilient internet where users, not corporations, own the social graph.