<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Does the instance actor have special privileges?]]></title><description><![CDATA[<p dir="auto">Just something I noticed while testing non-public posts... when I try to message <a href="https://community.nodebb.org/user/jdp23%40blahaj.zone" rel="nofollow ugc">@jdp23@blahaj.zone</a>, sharkey tries to grab the <code>inReplyTo</code>, but it attempts to do so with <em>the instance actor</em>, which obviously doesn't have access to the chat.</p>
<p dir="auto">Feels like a Sharkey bug, but I also noticed this behaviour when I tried to use <a href="https://community.nodebb.org/user/crepels%40mastodon.social" rel="nofollow ugc">@crepels@mastodon.social</a>'s activitypub.academy... using the search bar (and the explorer) caused the request to be made with the instance actor.</p>
<p dir="auto">So now I'm not even sure what to think.</p>
]]></description><link>https://bb.devnull.land/topic/9d12d3b2-29b9-435a-80cd-d6720fa123f8/does-the-instance-actor-have-special-privileges</link><generator>RSS for Node</generator><lastBuildDate>Tue, 14 Jul 2026 12:28:54 GMT</lastBuildDate><atom:link href="https://bb.devnull.land/topic/9d12d3b2-29b9-435a-80cd-d6720fa123f8.rss" rel="self" type="application/rss+xml"/><pubDate>Thu, 10 Oct 2024 04:13:34 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Does the instance actor have special privileges? on Thu, 10 Oct 2024 16:59:47 GMT]]></title><description><![CDATA[<p><span><a href="/user/julian%40community.nodebb.org">@<span>julian</span></a></span> <span><a href="/user/silverpill%40mitra.social">@<span>silverpill</span></a></span> </p><p>&gt; treat the resolved actor via HTTP signature to be like an API token, it's basically a fancy password!</p><p>yup, exactly. imagine if we used out-of-band bearer tokens. same principle. same with DPoP. the keys are all custodial in most cases. any “security” comes from the bidirectional link between actor and key (and it’s not much, but it’s barely enough to establish an identity at all)</p>]]></description><link>https://bb.devnull.land/post/https://mastodon.social/users/trwnh/statuses/113284191818377002</link><guid isPermaLink="true">https://bb.devnull.land/post/https://mastodon.social/users/trwnh/statuses/113284191818377002</guid><dc:creator><![CDATA[trwnh@mastodon.social]]></dc:creator><pubDate>Thu, 10 Oct 2024 16:59:47 GMT</pubDate></item></channel></rss>