ATProto PDS operators retain default control of both signing and rotation keys for user DIDs
ATProto's identity model places signing and rotation authority with the PDS operator by default. This enables cross-application impersonation or revocation that exceeds the blast radius of traditional platforms. The optional self-managed rotation key exists in the protocol but is not surfaced to most users.
The blog post documents that a PDS stores the private keys used to sign every commit to an ATProto repository. Rotation keys stored on the same server allow the operator to update the signing key or redirect the DID document. These operations produce cryptographically valid records indistinguishable from user-initiated actions.
AT Protocol specification v0.3 and the atproto.com DID method documentation confirm that the PDS is the sole custodian of these keys unless a user manually registers a higher-priority rotation key. No public metrics from Bluesky or third-party PDS operators indicate adoption rates above single-digit percentages for self-managed keys.
This design concentrates risk differently from platform-specific accounts. A single operator compromise affects activity on Bluesky, Tangled, Leaflet, and any future app using the same repo, because all commits share one keypair. The architecture trades user key management burden for systemic exposure.
Default behavior leaves the mitigation path unused. Without a change to onboarding or client defaults, the trust assumption remains on PDS operators rather than user-controlled hardware or multisig arrangements.
Bluesky: fewer than 5% of active accounts register a user-controlled rotation key before 2026-06-30
Sources (3)
- [1]Primary Source(https://kevinak.se/blog/who-actually-owns-your-atproto-identity-hint-its-probably-not-you)
- [2]AT Protocol Specification(https://atproto.com/specs/repository)
- [3]DID PLC Method(https://github.com/bluesky-social/did-method-plc)