Event

Event
16:30
-
16:50
Day 1
Fedify: Building ActivityPub servers without the pain
Assembly-Event
<p>Implementing ActivityPub looks simple at first—it's just JSON over HTTP, right? Then you hit JSON-LD context resolution. Then HTTP Signature verification fails on Mastodon but works on Misskey. Then you realize the spec spans hundreds of pages across W3C documents and <a href="https://w3id.org/fep/">FEPs</a> (Fediverse Enhancement Proposals), and every implementation interprets them differently.</p> <p>I went through this pain building <a href="https://docs.hollo.social/">Hollo</a>, a single-user microblogging server. Halfway through, I realized I was building a framework instead of an app. So I extracted that framework and called it Fedify.</p> <p><a href="https://fedify.dev/">Fedify</a> is an opinionated ActivityPub framework for TypeScript. It handles the protocol plumbing so you can focus on your application logic.</p> <p>In this talk, I'll cover:</p> <ul> <li> <p><em>Type-safe vocabulary:</em> The Activity Vocabulary spec is loosely defined, but Fedify maps it to strict TypeScript types. Your IDE knows that <code>Note.content</code> is a <code>LanguageString</code>, and calling <code>await create.getActor()</code> returns an <code>Actor</code> object. No more guessing at property shapes.</p> </li> <li> <p><em>Comprehensive signature support:</em> Fedify implements four authentication mechanisms—HTTP Signatures (draft-cavage), HTTP Message Signatures (RFC 9421), Linked Data Signatures, and Object Integrity Proofs (FEP-8b32). For HTTP Signatures, it uses <a href="https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions">double-knocking</a>: trying RFC 9421 first, falling back to draft-cavage if rejected, and remembering the preference. This kind of interoperability work is exactly what you shouldn't have to do yourself.</p> </li> <li> <p><em>Framework-agnostic design:</em> Fedify works as middleware for Hono, Express, Fastify, Next.js, or any framework that speaks <code>Request</code>/<code>Response</code>. Bring your own database, ORM, and auth—Fedify only needs a key–value store for caching.</p> </li> <li> <p><em>CLI toolchain:</em> The <code>fedify inbox</code> command spins up an ephemeral server to receive and inspect activities. <code>fedify lookup</code> fetches any ActivityPub object by URL or fediverse handle—including from servers that require <a href="https://swicg.github.io/activitypub-http-signature/#authorized-fetch">authorized fetch</a>. No need to create throwaway accounts on production instances.</p> </li> </ul> <p>I'll also share production stories: <a href="https://activitypub.ghost.org/day-4/">Ghost chose Fedify</a> for federating their publishing platform rather than implementing the protocol themselves. Hollo demonstrates single-user microblogging with full Mastodon API compatibility. <a href="https://hackers.pub/">Hackers' Pub</a> shows how a developer community can integrate with the fediverse.</p> <p>Whether you're building a new federated service or adding ActivityPub to an existing app, this talk will show you how Fedify turns months of protocol wrangling into days of actual development.</p>