01 What happened

The story, straight

A technical deep-dive by developer Kevin Akesson argues that Bluesky's AT Protocol gives PDS (Personal Data Server) operators effectively total control over user identity. Because the PDS holds both the signing key and rotation key for a user's DID (decentralized identifier), an operator can post, like, and follow as the user — and those actions would carry valid cryptographic signatures, making them indistinguishable from genuine activity.

kevin akesson's deep-dive on AT Protocol identity shows your PDS operator holds both your signing and rotation keys. they can post as you, like as you, follow as you — all with valid signatures that the protocol can't tell apart from the real thing. it's not just lockout risk; it's full impersonation baked into the architecture.

02 Spread timeline

Where it actually started

Jun 21, 2026 (Origin)
Kevin Akesson publishes technical analysis of ATProto PDS identity control on his blog, posted to Hacker News.
kevin akesson drops a detailed blog post on how PDS operators control your ATProto identity, surfaces on HN

04 What's solid, what isn't

What's solid and what isn't

Confirmed
  • PDS operators hold both the signing key and rotation key for user DIDs on ATProto.
  • A PDS operator can change a user's signing key and redirect which PDS their account points to.
  • Actions taken by a PDS operator on behalf of a user carry valid cryptographic signatures.
Disputed
  • Whether any PDS operator has actually exploited this capability to impersonate a user.
  • Whether Bluesky PBC's own infrastructure has additional safeguards beyond the protocol specification.
Developing
  • Akesson references a previous article on Bluesky centralization risks, suggesting this is an ongoing line of inquiry.
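A defender-side check for the first two confirmed points above (the PDS holds the rotation key; the operator can swap the signing key or re-point the account), written as an added example rather than code from Akesson's post. It audits constructed did:plc operation entries and flags states with no user-held rotation key, a user key that is not highest priority, and transitions where the signing key or PDS endpoint changed; field names follow the did:plc operation format, and every key string is a constructed placeholder.

```python
# Added example (not from Akesson's post). Audits constructed did:plc operation
# entries; field names follow the did:plc operation format, all keys are placeholders.

PDS_KEYS = {"did:key:zPDS_ROTATION_PLACEHOLDER",   # constructed: operator's keys
            "did:key:zPDS_SIGNING_PLACEHOLDER"}
USER_ROTATION_KEY = "did:key:zUSER_ROTATION_PLACEHOLDER"  # constructed: user-held key

def make_op(rotation_keys, signing_key, endpoint):
    """One did:plc operation entry (constructed shape, signature field omitted)."""
    return {"rotationKeys": rotation_keys,
            "verificationMethods": {"atproto": signing_key},
            "services": {"atproto_pds": {"type": "AtprotoPersonalDataServer",
                                         "endpoint": endpoint}}}

# Constructed audit log, oldest operation first.
PLC_LOG = [
    make_op(["did:key:zPDS_ROTATION_PLACEHOLDER"],
            "did:key:zPDS_SIGNING_PLACEHOLDER", "https://pds.example"),
    make_op([USER_ROTATION_KEY, "did:key:zPDS_ROTATION_PLACEHOLDER"],
            "did:key:zPDS_SIGNING_PLACEHOLDER", "https://pds.example"),
    make_op([USER_ROTATION_KEY, "did:key:zPDS_ROTATION_PLACEHOLDER"],
            "did:key:zOTHER_SIGNING_PLACEHOLDER", "https://other-pds.example"),
]

def operator_controlled(op):
    """True when every rotation key is PDS-held: the operator alone can then
    change the signing key or re-point the account, with nothing to override it."""
    return all(k in PDS_KEYS for k in op["rotationKeys"])

def audit(log):
    """Return (index, finding) pairs. Rotation keys are in priority order, so a
    user key present but not first still leaves the operator the stronger key."""
    findings = []
    for i, op in enumerate(log):
        if operator_controlled(op):
            findings.append((i, "no user-held rotation key"))
        elif op["rotationKeys"][0] != USER_ROTATION_KEY:
            findings.append((i, "user rotation key not highest priority"))
        if i == 0:
            continue
        prev = log[i - 1]
        if op["verificationMethods"]["atproto"] != prev["verificationMethods"]["atproto"]:
            findings.append((i, "signing key changed"))
        if (op["services"]["atproto_pds"]["endpoint"]
                != prev["services"]["atproto_pds"]["endpoint"]):
            findings.append((i, "PDS endpoint changed"))
    return findings
```

Against a real account the same checks would run over the operation log fetched from the PLC directory, with PDS_KEYS and USER_ROTATION_KEY taken from the owner's own records.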

05 Why it matters

The editorial take

Bluesky has marketed itself as a decentralized alternative to platforms like X, but this analysis highlights a fundamental trust gap: users don't actually control their own identity at the protocol level. For a platform whose pitch is user sovereignty, that's a structural contradiction worth examining as ATProto adoption grows.

bluesky's whole pitch is decentralized ownership of your data. turns out the entity hosting your PDS can impersonate you at the cryptographic level and nothing in the protocol flags it. for anyone who moved to bluesky specifically to escape platform control, this is worth sitting with.