ActivityPub Server’s Custom Reply‑Control Extensions Undermine Federation

It seems like Activitbypub developers are extending ActivityPub with optional metadata to fix a lot of its issues, but that is still problematic. Trying to add moderation tools and user control to threads seems to be the ongoing battle. I am fascinated by dumpster fires, so I’ve started looking at the ActivityPub protocol in detail. I tend to become fascinated with things that are going down in flames.

As a brief recap of the problem:

So, one of the very popular features on Bluesky—also popular on Twitter—is the ability to select who can reply to a post. A major issue in the Fediverse is the inability to decide who can reply, and once you block someone, their harassing reply is still there. I honestly thought it was simply a case of them choosing not to add or address it for cultural reasons. What is clear from that thread is that they were always aware that the ActivityPub protocol and most Fediverse implementations don’t provide a universal way to control reply visibility or enforce blocks across instances.

An ActivityPub server that has reply control is GoToSocial. ActivityPub, as defined by the W3C specification, standardizes how servers federate activities. It defines actors, inboxes, outboxes, and activity types (Create, Follow, Like, Announce, etc.) expressed using ActivityStreams 2.0. It also specifies delivery mechanics (including how a Create activity reaches another server’s inbox) and how collections behave.

The specification does not include interaction policy semantics such as “only followers may reply” or “replies require manual approval.” There is no field in the normative vocabulary requiring conforming servers to enforce reply permissions. That category of rule is outside the protocol’s defined contract.

GoToSocial implements reply controls through what it calls interaction policies. These appear as additional properties on ActivityStreams objects using a custom JSON-LD namespace controlled by the GoToSocial project.

JSON-LD permits additional namespaced terms. This means the document remains structurally valid ActivityStreams and federates normally. The meaning of those custom fields, however, comes from GoToSocial’s own documentation and implementation. Other servers can ignore them without violating ActivityPub because they are not part of the interoperable core vocabulary.

Enforcement occurs locally. When a remote server sends a reply—a Create activity whose object references another via inReplyTo—ActivityPub governs delivery, not acceptance criteria. Whether the receiving server checks a reply policy, rejects the activity, queues it, or displays it is determined in the server’s inbox-processing code. The decision to accept, display, or require approval happens after successful protocol-level delivery. This behavior belongs to the application layer.

These are server-side features layered on top of ActivityPub’s transport and data model that are not actually part of ActivityPub. The protocol ensures standardized delivery of activities; however, the server implementation defines additional constraints and user-facing behavior. Two GoToSocial instances may both recognize and act on the same extension fields. However, a different implementation, such as Mastodon, has no obligation under the specification to interpret or enforce GoToSocial’s interactionPolicy properties. These fields function as extension metadata rather than protocol requirements.

The semantics of GoToSocial are not part of the specification’s defined vocabulary and processing rules for ActivityPub. They no longer operate purely at the protocol layer; it has become an application-layer contract implemented by specific servers.

Let’s use the AT Protocol as an example. Bluesky’s direct messages (DMs) are not currently part of the AT Protocol (ATProto). The AT Protocol has nothing that specifies anything for DMs, so DMs are not part of the AT Protocol. The AT Protocol was designed to handle public social interactions, but it does not define private or encrypted messaging. Bluesky implemented DMs at the application level, outside of the core protocol. DMs are centralized and stored on Bluesky’s servers. What is happening with servers like GoToSocial is sort of like that. The difference is that the AT Protocol was designed for different app views; ActivityPub was not.

The issue is the divergence in semantic interpretation that emerges at the interpretation layer. ActivityPub standardizes message delivery and defines common activity types. However, it leaves extension semantics and application-layer policy decisions to individual implementations. Servers may introduce custom JSON-LD namespaces and enforce local behaviors, such as reply restrictions, while remaining protocol-compliant. But, the noise created by divergences are problematic, because it creates unexpected, unintended, and unpredictable behavior.

Divergence appears when implementations rely on non-normative metadata and assume reciprocal handling to preserve a consistent user experience. Behavioral alignment then varies. Syntactic exchange succeeds, but behavioral consistency is not guaranteed. Though instances continue to federate at the transport level, policy semantics and processing logic differ across deployments. Those differences produce inconsistent experiences and results between implementations.

That leads to fragmentation, specifically semantic or behavioral fragmentation and an inconsistent user experiences. ActivityPub ensures syntactic interoperability, but semantic interoperability (everyone interprets and enforces rules the same way) varies. This creates a system that is federated at the transport level yet fragmented in behavior and expectations across implementations. It is funny how the thing that the fediverse touted has made the entire thing very brittle. ActivityPub technically federates correctly, but semantically falls apart once servers start adding their own behavioral rules.