Okay, my analysis is complete! Here are the core changes to Ktistec required for Mastodon API compatibility:

• PKCE (Proof Key for Code Exchange) must be optional: Because Mastodon makes PKCE optional, clients don't support it, which means other servers can't require it. PKCE (and the code_challenge parameter) ensures that an authorization code can only be exchanged by the client that initiated the OAuth request.
• Support for the client_credentials grant type: The client_credentials grant type is used to grant a client app-level access without requiring user authentication. Mastodon requires this for some of its "public" API endpoints. This necessitates a change to the database schema to allow a null account id in the client secrets table.
• Addition of a created_at timestamp property: Mastodon requires a non-standard created_at property in the body of the /oauth/token endpoint response instead of (in addition to) the standard expires_in property.
• Support for both form-encoded and JSON request bodies: This isn't a Mastodon requirement per se but popular clients clearly demand some latitude in what they send.
• WebFinger must accept requests with no resource parameter: This is honestly a bug on my part.
• Mastodon-compatible endpoints: A boatload of them. Clients expect many endpoints and don't gracefully degrade if they're not present. Really I should just implement features like pinned posts and bookmarks...

The only thing here that gives me heartburn is that PKCE is not required.

#ktistec #mastodonapi #oauth

Okay, my analysis is complete! Here are the core changes to Ktistec required for Mastodon API compatibility:

• PKCE (Proof Key for Code Exchange) must be optional: Because Mastodon makes PKCE optional, clients don't support it, which means other servers can't require it. PKCE (and the code_challenge parameter) ensures that an authorization code can only be exchanged by the client that initiated the OAuth request.
• Support for the client_credentials grant type: The client_credentials grant type is used to grant a client app-level access without requiring user authentication. Mastodon requires this for some of its "public" API endpoints. This necessitates a change to the database schema to allow a null account id in the client secrets table.
• Addition of a created_at timestamp property: Mastodon requires a non-standard created_at property in the body of the /oauth/token endpoint response instead of (in addition to) the standard expires_in property.
• Support for both form-encoded and JSON request bodies: This isn't a Mastodon requirement per se but popular clients clearly demand some latitude in what they send.
• WebFinger must accept requests with no resource parameter: This is honestly a bug on my part.
• Mastodon-compatible endpoints: A boatload of them. Clients expect many endpoints and don't gracefully degrade if they're not present. Really I should just implement features like pinned posts and bookmarks...

The only thing here that gives me heartburn is that PKCE is not required.

#ktistec #mastodonapi #oauth

🆕 blog! “Getting started with Mastodon's Quote Posts - technical implementation details for servers”

Quoting posts on Mastodon is slightly complex. Because of the privacy conscious nature of the platform and its users, reposting isn't merely a case of sharing a URl.

A user writes a status. The user…

👀 Read more: https://shkspr.mobi/blog/2025/10/getting-started-with-mastodons-quote-posts-technical-implementation-details-for-servers/
⸻
#ActivityPub #fediverse #mastodon #MastodonAPI

🆕 blog! “Getting started with Mastodon's Quote Posts - technical implementation details for servers”

Quoting posts on Mastodon is slightly complex. Because of the privacy conscious nature of the platform and its users, reposting isn't merely a case of sharing a URl.

A user writes a status. The user…

👀 Read more: https://shkspr.mobi/blog/2025/10/getting-started-with-mastodons-quote-posts-technical-implementation-details-for-servers/
⸻
#ActivityPub #fediverse #mastodon #MastodonAPI

Another curious #ActivityPub / #MastodonAPI issue.

A Mastodon server is sending me a DELETE message.

The delete is because a user has been deleted.

My server tries to validate the HTTP Signature.

My server looks up the deleted user's main-key.

The user has been deleted so the public key 404s.

My server never acknowledges the delete, so the other server keeps sending me the same request.

So… How do I validate the signature of a deleted user?

Another curious #ActivityPub / #MastodonAPI issue.

A Mastodon server is sending me a DELETE message.

The delete is because a user has been deleted.

My server tries to validate the HTTP Signature.

My server looks up the deleted user's main-key.

The user has been deleted so the public key 404s.

My server never acknowledges the delete, so the other server keeps sending me the same request.

So… How do I validate the signature of a deleted user?

Ω🪬Ω
#FediAlgo (the customizable timeline algorithm / filtering system for your Mastodon feed) v1.2.2 is deployed now. Has a switch that makes sure any #hashtags / users / etc. that you follow are displayed as filter options even if they don't meet the minimum number of recent toots threshold.

Also a bunch of bug fixes and small improvements.

* Try it here: https://michelcrypt4d4mus.github.io/fedialgo_demo_app_foryoufeed/
* Code: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
* Video of FediAlgo in action (slightly outdated): https://universeodon.com/@cryptadamist/114395249311910522

#activitypub #algorithm #algorithmicFeed #algorithmicTimeline #Fedi #FediTips #FediTools #Fediverse #Feed #FOSS #GoToSocial #hashtag #hashtags #javascript #MastoAdmin #Mastodon #MastodonApi #mastohelp #mastojs #node #nodejs #opensource #socialmedia #SocialWeb #timeline #TL #typescript #webdev

Here's the Quote Request Mastodon sends me.
https://colours.bots.edent.tel/data/inbox/68d979af-145daa4fe72cf333caba16effb8419ee85f7ed100b15c7ec16b0394629a309bb.json

This is the Stamp my bot generates.
https://colours.bots.edent.tel/quotes/68d979af-3a15-f520-ac6e-13b2d6d96d1b.json

This is the Accept my bot sends Mastodon.
https://colours.bots.edent.tel/quotes/68d979af-aeb1-83c3-a66c-fcb359e1ff90.json

The Mastodon.Social server shows the quote toot. External servers don't.

Please, someone explain what bone-headed mistake I've made.

(Edit: Updated the links)
#ActivityPub #MastodonAPI

RE: https://colours.bots.edent.tel/posts/68d87379-8e35-18be-b901-2730376a090d.json

Ok, I need some #ActivityPub help, please.

The reply to this will have links to the QuoteRequest the bot received, the QuoteAuthorization which it saves, and the Accept message it returns.

Can anyone figure out why the Quote permissions aren't showing on external servers?

#MastodonAPI

OK gang, I'm stumped (and a little drunk).

I'm trying to get Quote posts working ActivityBot.

✅ Quote posts are an available option.

❓ This Accept message is sent - https://colours.bots.edent.tel/quotes/68d85b0d-1b15-f5b5-8a57-4115155d48c0.json

❓ Which references this stamp - https://colours.bots.edent.tel/quotes/68d85b0d-a589-851c-961d-438079e30caf.json

But the quote never gets approved. Can you spot any obvious mistakes with my JSON?

#MastodonAPI

EDIT! Solved. Turns out, you actually have to post the message to the right server. Who knew?!?!

I want to allow my bots' posts to be quoted.

Do I need all these interaction policies - or can I just have the simplified interactionPolicy?

#MastodonAPI #QuoteToot

Ω🪬Ω
#FediAlgo (the customizable timeline algorithm / filtering system for your Mastodon feed) v1.2.2 is deployed now. Has a switch that makes sure any #hashtags / users / etc. that you follow are displayed as filter options even if they don't meet the minimum number of recent toots threshold.

Also a bunch of bug fixes and small improvements.

* Try it here: https://michelcrypt4d4mus.github.io/fedialgo_demo_app_foryoufeed/
* Code: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
* Video of FediAlgo in action (slightly outdated): https://universeodon.com/@cryptadamist/114395249311910522

#activitypub #algorithm #algorithmicFeed #algorithmicTimeline #Fedi #FediTips #FediTools #Fediverse #Feed #FOSS #GoToSocial #hashtag #hashtags #javascript #MastoAdmin #Mastodon #MastodonApi #mastohelp #mastojs #node #nodejs #opensource #socialmedia #SocialWeb #timeline #TL #typescript #webdev

Ω🪬Ω
#FediAlgo v1.1.19 is deployed. Minor bugfixes and improvements to the customizable timeline algorithm / filtering system for your Mastodon feed.

* Link: https://michelcrypt4d4mus.github.io/fedialgo_demo_app_foryoufeed/
* Code: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
* Video of FediAlgo in action (slightly out of date): https://universeodon.com/@cryptadamist/114395249311910522

#activitypub #algorithm #algorithmicFeed #algorithmicTimeline#Fedi#FediTips#FediTools #Fediverse#Feed#FOSS#GoToSocial #hashtag #hashtags #MastoAdmin #Mastodon #MastodonApi #mastohelp #mastojs #nodejs #nod #opensource #socialmedia#SocialWeb #timeline#TL #typescript#webdev

Ω🪬Ω
#FediAlgo v1.1.19 is deployed. Minor bugfixes and improvements to the customizable timeline algorithm / filtering system for your Mastodon feed.

* Link: https://michelcrypt4d4mus.github.io/fedialgo_demo_app_foryoufeed/
* Code: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
* Video of FediAlgo in action (slightly out of date): https://universeodon.com/@cryptadamist/114395249311910522

#activitypub #algorithm #algorithmicFeed #algorithmicTimeline#Fedi#FediTips#FediTools #Fediverse#Feed#FOSS#GoToSocial #hashtag #hashtags #MastoAdmin #Mastodon #MastodonApi #mastohelp #mastojs #nodejs #nod #opensource #socialmedia#SocialWeb #timeline#TL #typescript#webdev