What would you consider the minimal features to be considered an #ActivityPub C2S server?

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Tue, 02 Jun 2026 04:14:59 GMT

steve@social.technoetic.com — Tue, 02 Jun 2026 04:14:59 GMT

@evan Using my browser-based C2S test app, it looks like Mastodon enables CORS for at least actor, activity, outbox collection, and Note objects.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 16:21:11 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 16:21:11 GMT

@steve @reiver I agree with that. It's the option that says, it just isn't going to work unless you do it this way.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 16:18:58 GMT

steve@social.technoetic.com — Mon, 01 Jun 2026 16:18:58 GMT

@evan @reiver Speaking for myself, I'm not interested in compelling powers. I think MUST is valuable not because it forces developers to behave, but because it defines the behavioral contract we can test, reason about, and build on (with interoperability guarantees).

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 15:46:02 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 15:46:02 GMT

@steve @reiver You have more faith in the compelling powers of MUST than I do.

https://cosocial.ca/@evan/116403967622366259

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 13:30:01 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 13:30:01 GMT

@steve @reiver @smallcircles I think Bonfire and Emissary both support cookie auth for their social API implementations, but that seems like an internal implementation issue and not an interoperability issue. Third party apps can't use cookie auth I think?

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 13:26:21 GMT

steve@social.technoetic.com — Mon, 01 Jun 2026 13:26:21 GMT

@evan @reiver Maybe we need a read-only and write-only subprofiles? But what about an C2S server that doesn't allow reading the inbox nor posting to the outbox (like Mastodon) but still satisfies the MUST requirements in the profile?

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 13:21:20 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 13:21:20 GMT

@steve @reiver @smallcircles that's interesting!

I think the whole reason we have OAuth is so you don't have to put your password into a third-party app. Basic Auth sounds like trouble!

For the pre-authed token, aka "personal access tokens", I use those a lot for different APIs, but I think they're usually just treated as Bearer tokens? So they'd fit here.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 13:12:40 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 13:12:40 GMT

@steve @reiver that's interesting.

It's something a client can quickly detect with an OPTIONS request.

Inbox read access seems important but not essential.

I can think of a lot of write-only client applications that don't need read access to the inbox. Like a video game that shares in-game achievements, or a follow button widget.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 13:03:10 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 13:03:10 GMT

@steve @reiver one part I am concerned isn't "minimal" is the section on client to server interactions.

https://swicg.github.io/activitypub-api/basicprofile#client-to-server

That said, this is about the minimum of what I'd want to work with as a client developer: creating web content and organizing it into collections.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:56:21 GMT

steve@social.technoetic.com — Mon, 01 Jun 2026 12:56:21 GMT

@evan @reiver Thanks. I saw that. These seem like fundamental C2S capabilities to me (more than a "SHOULD") but I can add my comments in the github repo.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:53:04 GMT

steve@social.technoetic.com — Mon, 01 Jun 2026 12:53:04 GMT

@evan @reiver An actor not being able to read their own inbox disqualifies it as a C2S API for me (even a read-only one).

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:52:53 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 12:52:53 GMT

@steve @reiver I also think it's perfectly reasonable for Mastodon to move iteratively closer to this basic profile. Supporting CIMD or dynamic client registration would be great. CORS for actors, objects and collections would be nice, too.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:48:32 GMT

smallcircles@social.coop — Mon, 01 Jun 2026 12:48:32 GMT

@steve @evan @reiver

Adding the link, for reader's information..

https://codeberg.org/fediverse/delightful-fediverse-apps/issues/130

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:46:57 GMT

steve@social.technoetic.com — Mon, 01 Jun 2026 12:46:57 GMT

@evan @reiver I wasn't thinking of something instead, although I can imagine implementations that use pre-shared "app tokens" or HTTP Basic Auth (as examples). The motivation for the question is the C2S list maintained by @smallcircles. It seems like most of those are not what I'd think of as C2S (Social API) servers.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:43:50 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 12:43:50 GMT

@steve @reiver you can get pretty far with Mastodon's implementation of actors, collections and objects! It's an OK read-only API. The CORS support sucks, though; you have to run everything through a proxy.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:40:45 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 12:40:45 GMT

@steve @reiver

"Social API servers SHOULD provide an inbox collection that accepts the GET HTTP method. Social API servers SHOULD allow actors to read their own inbox collection.

"Social API servers SHOULD provide an outbox collection that accepts the POST HTTP method."

I'm not crazy about the language though. It needs tightening up.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:39:12 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 12:39:12 GMT

@steve @reiver authorization code flow is so common in OAuth 2 that a lot of people just call it "OAuth". What were you thinking of instead?

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:38:24 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 12:38:24 GMT

@steve @reiver so, this is a profile to make it easier to write social API clients.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 12:34:32 GMT

evan@cosocial.ca — Mon, 01 Jun 2026 12:34:32 GMT

@steve you saw this right?

https://swicg.github.io/activitypub-api/basicprofile

Maybe we can work together on it?

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 08:43:25 GMT

reiver@mastodon.social — Mon, 01 Jun 2026 08:43:25 GMT

@steve

I think the document is preliminary. And, Evan has asked for feedback.

I'm sure he would welcome your feedback on anything you feel is missing.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 08:34:56 GMT

smallcircles@social.coop — Mon, 01 Jun 2026 08:34:56 GMT

@reiver @steve

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 08:33:43 GMT

smallcircles@social.coop — Mon, 01 Jun 2026 08:33:43 GMT

@reiver @steve

What I found interesting and had a nice exchange on some time ago (unfindable, lost in the fedi) is that I found what is listed on the ActivityPub API task force README to be a particular interpretation of what is needed, that is not the minimum perhaps.

But that is against my thinking that fediverse - via post-facto interoperability and protocol decay - diverged from the power and promise of AP. With AP a "social graph of addressable actors that exchange activities with an object payload" and fediverse having all kinds of leaked abstractions and conventions that make it more a content publishing environment to remodel existing social media but more decentralized.

https://github.com/swicg/activitypub-api

What fedivers is, is in the eye of the beholder, though, so

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 08:33:09 GMT

steve@social.technoetic.com — Mon, 01 Jun 2026 08:33:09 GMT

@reiver Thanks. I knew there were some related git issues, but I didn't know Evan had created a document for his proposals. Based on that document, servers that don't support OAuth2 auth code grants would not be considered C2S (Social API) servers. It's interesting to me that there's no requirement for outbox POST or inbox GET. It seems like Mastodon would satisfy these C2S server requirements (OAuth2 auth code grants, bearer tokens, 429 rate limits, etc.), but that doesn't seem correct to me.

Reply to What would you consider the minimal features to be considered an #ActivityPub C2S server? on Mon, 01 Jun 2026 08:17:05 GMT

reiver@mastodon.social — Mon, 01 Jun 2026 08:17:05 GMT

@steve

This may be relevant:

https://swicg.github.io/activitypub-api/basicprofile

#ActivityPubAPI