🎉 Excited to announce that #Fedify is now on Open Collective! Support the project's development starting at:

• Backer (from $5/mo)
• Supporter (from $25/mo)
• Sponsor (from $100/mo)
• Corporate Sponsor (from $500/mo)
• Custom donations welcome

Your support will help us maintain and improve Fedify. Check it out here:

https://opencollective.com/fedify

#OpenCollective #support #backing #sponsor #donation

Fedify is an #ActivityPub server framework in #TypeScript & #JavaScript. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.

The key features it provides currently are:

• Type-safe objects for Activity Vocabulary (including some vendor-specific extensions)
• #WebFinger client and server
• HTTP Signatures & Linked Data Signatures & Object Integrity Proofs
• Middleware for handling webhooks
• #NodeInfo protocol
• #Node.js, #Deno, and #Bun support
• CLI toolchain for testing and debugging

If you're curious, take a look at the #Fedify website! There's comprehensive docs, a demo, a tutorial, example code, and more:

https://fedify.dev/

Recently, @moreal built ap-thread-reader, a tool that displays threaded posts on a single page. Works with any ActivityPub platform, not just Mastodon.

Try it at https://ap-thread-reader.fly.dev/.

Built with Fedify and released as open source: https://github.com/moreal/ap-thread-reader.

More details at https://blog.moreal.dev/2026/02/ap-thread-reader-introduction/index.en.html.

It was great to see fantastic people at @offline today, and thank you for listening my talk! If you'd like to get my deck, here it is: Fedify: Building ActivityPub servers without the pain.

Huge thanks @liaizon for organizing this event!

Thanks all for listening to my talk about #Fedify at #FOSDEM 2026 today! Here's my deck for the talk: Fedify: Building ActivityPub servers without the pain.

@fedify abstracts away complexity in building for the fediverse

Now we have @hongminhee presenting @fedify!

Slides from @hongminhee talking about @fedify

#Fediverse #FOSDEM #FOSDEM2026 #SocialWeb #SocialWebFOSDEM #SocialWebFOSDEM2026

Up next is @hongminhee talking about @fedify

#Fediverse #FOSDEM #FOSDEM2026 #SocialWeb #SocialWebFOSDEM #SocialWebFOSDEM2026

We've published an AI usage policy for the Fedify project, inspired by Ghostty's approach.

TL;DR: AI tools are welcome, but contributions must disclose AI usage, be tied to accepted issues, and be human-verified. Maintainers are exempt.

https://github.com/fedify-dev/fedify/blob/main/AI_POLICY.md

ioriとFedify

ioriがActivityPubをサポートできているのは、間違いなくFedifyのおかげである。

自分でActivityPubの仕様を一から実装しようとしたことはこれまでに何度もあるが、以下の問題にぶつかり、いつも挫折してきた。

• データモデリングの対象が広範囲に及ぶ
  • Vocabularyが多岐にわたる
  • オブジェクトタイプやアクタータイプが多い
• ネットワーク通信の仕様が複雑
  • HTTPシグネチャチャの実装
  • JSON-LDのコンテキスト解決

私が本当に提供したいのはナレッジ管理サービスであり、ActivityPubの実装ではない。Fedifyはこれらの複雑さを抽象化し、開発者がビジネスロジックに集中できるようにしてくれる。

@reiver From personal experience, at the very least anything based on @fedify can represent multiple keys for an actor.

FEP-521a has a list of implementations: https://codeberg.org/fediverse/fep/src/branch/main/fep/521a/fep-521a.md#implementations

On changing keys, I used to think this was impossible, but then I saw Claire mention that Mastodon will simply accept a changed key as long as the valid updated actor can be fetched from its canonical URI. So I guess that might work straightforwardly?

I'll be presenting @fedify at @fosdem 2026! My talk Fedify: Building ActivityPub servers without the pain was accepted for the Social Web Devroom. See you in Brussels on January 31–February 1!

Fedifyってテスト用に相手のAPサーバーのモック的なのが使えるのね。署名やネットワークのことを気にせずにActivityの送受信をテストできると。素晴らしい。
https://fedify.dev/manual/test#mocking

요즘 fedify를 이용한 연합되는 블로그 만들기에 열 올리고 있는데... 참 재밌는 것 같아요. fedify도 참 잘 만든 라이브러리인 것 같구... 나중에 블로그 실서비스 하게 될 때가 기대되네요♡

Fedify 1.10.0: Observability foundations for the future debug dashboard

Fedify is a #TypeScript framework for building #ActivityPub servers that participate in the #fediverse. It reduces the complexity and boilerplate typically required for ActivityPub implementation while providing comprehensive federation capabilities.

We're excited to announce #Fedify 1.10.0, a focused release that lays critical groundwork for future debugging and observability features. Released on December 24, 2025, this version introduces infrastructure improvements that will enable the upcoming debug dashboard while maintaining full backward compatibility with existing Fedify applications.

This release represents a transitional step toward Fedify 2.0.0, introducing optional capabilities that will become standard in the next major version. The changes focus on enabling richer observability through OpenTelemetry enhancements and adding prefix scanning capabilities to the key–value store interface.

Enhanced OpenTelemetry instrumentation

Fedify 1.10.0 significantly expands OpenTelemetry instrumentation with span events that capture detailed ActivityPub data. These enhancements enable richer observability and debugging capabilities without relying solely on span attributes, which are limited to primitive values.

The new span events provide complete activity payloads and verification status, making it possible to build comprehensive debugging tools that show the full context of federation operations:

• activitypub.activity.received event on activitypub.inbox span — records the full activity JSON, verification status (activity verified, HTTP signatures verified, Linked Data signatures verified), and actor information
• activitypub.activity.sent event on activitypub.send_activity span — records the full activity JSON and target inbox URL
• activitypub.object.fetched event on activitypub.lookup_object span — records the fetched object's type and complete JSON-LD representation

Additionally, Fedify now instruments previously uncovered operations:

• activitypub.fetch_document span for document loader operations, tracking URL fetching, HTTP redirects, and final document URLs
• activitypub.verify_key_ownership span for cryptographic key ownership verification, recording actor ID, key ID, verification result, and the verification method used

These instrumentation improvements emerged from work on issue #234 (Real-time ActivityPub debug dashboard). Rather than introducing a custom observer interface as originally proposed in #323, we leveraged Fedify's existing OpenTelemetry infrastructure to capture rich federation data through span events. This approach provides a standards-based foundation that's composable with existing observability tools like Jaeger, Zipkin, and Grafana Tempo.

Distributed trace storage with FedifySpanExporter

Building on the enhanced instrumentation, Fedify 1.10.0 introduces FedifySpanExporter, a new OpenTelemetry SpanExporter that persists ActivityPub activity traces to a KvStore. This enables distributed tracing support across multiple nodes in a Fedify deployment, which is essential for building debug dashboards that can show complete request flows across web servers and background workers.

The new @fedify/fedify/otel module provides the following types and interfaces:

import { MemoryKvStore } from "@fedify/fedify";
import { FedifySpanExporter } from "@fedify/fedify/otel";
import {
  BasicTracerProvider,
  SimpleSpanProcessor,
} from "@opentelemetry/sdk-trace-base";

const kv = new MemoryKvStore();
const exporter = new FedifySpanExporter(kv, {
  ttl: Temporal.Duration.from({ hours: 1 }),
});

const provider = new BasicTracerProvider();
provider.addSpanProcessor(new SimpleSpanProcessor(exporter));

The stored traces can be queried for display in debugging interfaces:

// Get all activities for a specific trace
const activities = await exporter.getActivitiesByTraceId(traceId);

// Get recent traces with summary information
const recentTraces = await exporter.getRecentTraces({ limit: 100 });

The exporter supports two storage strategies depending on the KvStore capabilities. When the list() method is available (preferred), it stores individual records with keys like [prefix, traceId, spanId]. When only cas() is available, it uses compare-and-swap operations to append records to arrays stored per trace.

This infrastructure provides the foundation for implementing a comprehensive debug dashboard as a custom SpanExporter, as outlined in the updated implementation plan for issue #234.

Optional list() method for KvStore interface

Fedify 1.10.0 adds an optional list() method to the KvStore interface for enumerating entries by key prefix. This method enables efficient prefix scanning, which is useful for implementing features like distributed trace storage, cache invalidation by prefix, and listing related entries.

interface KvStore {
  // ... existing methods
  list?(prefix?: KvKey): AsyncIterable<KvStoreListEntry>;
}

When the prefix parameter is omitted or empty, list() returns all entries in the store. This is useful for debugging and administrative purposes. All official KvStore implementations have been updated to support this method:

• MemoryKvStore — filters in-memory keys by prefix
• SqliteKvStore — uses LIKE query with JSON key pattern
• PostgresKvStore — uses array slice comparison
• RedisKvStore — uses SCAN with pattern matching and key deserialization
• DenoKvStore — delegates to Deno KV's built-in list() API
• WorkersKvStore — uses Cloudflare Workers KV list() with JSON key prefix pattern

While list() is currently optional to give existing custom KvStore implementations time to add support, it will become a required method in Fedify 2.0.0 (tracked in issue #499). This migration path allows implementers to gradually adopt the new capability throughout the 1.x release cycle.

The addition of list() support was implemented in pull request #500, which also included the setup of proper testing infrastructure for WorkersKvStore using Vitest with @cloudflare/vitest-pool-workers.

NestJS 11 and Express 5 support

Thanks to a contribution from Cho Hasang (@crohasang), the @fedify/nestjs package now supports NestJS 11 environments that use Express 5. The peer dependency range for Express has been widened to ^4.0.0 || ^5.0.0, eliminating peer dependency conflicts in modern NestJS projects while maintaining backward compatibility with Express 4.

This change, implemented in pull request #493, keeps the workspace catalog pinned to Express 4 for internal development and test stability while allowing Express 5 in consuming applications.

What's next

Fedify 1.10.0 serves as a stepping stone toward the upcoming 2.0.0 release. The optional list() method introduced in this version will become required in 2.0.0, simplifying the interface contract and allowing Fedify internals to rely on prefix scanning being universally available.

The enhanced #OpenTelemetry instrumentation and FedifySpanExporter provide the foundation for implementing the debug dashboard proposed in issue #234. The next steps include building the web dashboard UI with real-time activity lists, filtering, and JSON inspection capabilities—all as a separate package that leverages the standards-based observability infrastructure introduced in this release.

Depending on the development timeline and feature priorities, there may be additional 1.x releases before the 2.0.0 migration. For developers building custom KvStore implementations, now is the time to add list() support to prepare for the eventual 2.0.0 upgrade. The implementation patterns used in the official backends provide clear guidance for various storage strategies.

Acknowledgments

Special thanks to Cho Hasang (@crohasang) for the NestJS 11 compatibility improvements, and to all community members who provided feedback and testing for the new observability features.

For the complete list of changes, bug fixes, and improvements, please refer to the CHANGES.md file in the repository.

#fedidev #release

On a related note, if you learn better by building things, @fedify has a step-by-step tutorial where you create a federated microblog from scratch—implementing actors, inbox/outbox, following, and posts along the way:

https://fedify.dev/tutorial/microblog

According to @tchambers's My 2026 Open Social Web Predictions:

Fedify will power the federation layer for at least one mid-sized social platform (500K+ users) that adds ActivityPub support in 2026. The “build vs. buy” calculation for federation shifts decisively toward “just use Fedify.”

We're honored by this recognition and will keep working hard to make #ActivityPub adoption easier for everyone. Thank you, Tim!

#Fedify #fediverse #fedidev

My 2026 Open Social Web Predictions: includes fediverse predctions focuesed on work being done by: @dansup @surf @Mastodon @piefedadmin @ghostexplore @rimu @activitypub.blog @anewsocial @fedify @fed.brid.gy @altstore See what you think. What did I miss? https://www.timothychambers.net/2025/12/23/my-open-social-web-predictions.html

🚨 Security Advisory: CVE-2025-68475

A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify's HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.

If you're running Fedify in production, please upgrade to one of the patched versions immediately.

For full details, see the security advisory: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Thank you to Yue (Knox) Liu for responsibly reporting this vulnerability.

#Fedify #ActivityPub #security #fediverse #fedidev

We've been struggling with a JSR publishing issue for nearly two months now—@fedify/cli and @fedify/testing packages hang indefinitely during the server-side processing stage, blocking our releases. Strangely, the problem doesn't reproduce on a local JSR server at all.

We've opened a GitHub issue to track this: https://github.com/jsr-io/jsr/issues/1238.

Fedify has been a Deno-first, JSR-first project from the start, and we really want to keep it that way. If you've experienced similar issues or have any insights, we'd appreciate your input on the issue.

@sirber83@fosstodon.org that's not true! There is Fedify! @hongminhee@hollo.social

There's also the helper lib that NodeBB uses, although that's baked in core.

I'm happy to split this out into an npm module if there is interest though!

@shauna @fedify Nice try! Fedify is elegant to provide federation abilities for web projects.

Chris Hayes built a single-user ActivityPub server for sharing YouTube videos on the fediverse using Fedify and Next.js. The source code is available at https://codeberg.org/chris-hayes/yt-on-fedi.

It's alive! 🧟

After a bit of trial-error, got fediverse comments showing on a #nextjs site running #fedify. My personal fediverse-connected youtube mirror is now mostly feature complete.
(The video post in the screenshot is over here: https://watch.hayes.software/video/16)
#fediverse

It's very long so there's basically no chance of doing this all in one sitting but...whatever, let's see how far I can get this afternoon with @fedify's "build a federated microblog" tutorial: https://unstable.fedify.dev/tutorial/microblog

TBH I may get stuck with basic setup, I've written a lot of javascript but I've largely avoided having to learn JS/TS package management. 😂 (Fun fact, I learned Vue over React or Angular etc because you can build absurdly complex apps while still just importing vue via script tag)

Just opened an issue for a major new task for #Fedify: building an #interoperability smoke test suite.

To ensure Fedify-built servers federate correctly with the wider #fediverse, we're planning to run automated E2E tests in #CI against live instances of Mastodon, Misskey, and more. This is crucial for a framework's reliability.

You can see the full plan and discussion here:

https://github.com/fedify-dev/fedify/issues/481

#ActivityPub #fedidev

By the way:

As a consumer of the public ORCID API, Encyclia is not allowed to generate revenue. To be on the safe side, we don't accept donations either. However, we are happy to be making a modest contribution out of our private pockets to @fedify on @opencollective here: https://opencollective.com/fedify

If you'd like to donate some money to improve Encyclia's functionality and reliability, @fedify is the best place to do so! 🙂

恭喜！太猛了！！
ActivityPub 框架 Fedify 獲得了主權科技基金（Sovereign Tech Fund）19.2 萬歐元的補助，以進一步強化生態系統。

https://hollo.social/@fedify/0199a579-adb3-7bf5-a8ea-970c8fa91f09

Quick update on our release schedule! While we initially planned for Fedify 2.0 to follow version 1.9, we've decided to release Fedify 1.10 next instead. A few features originally slated for 1.9 need more time to mature, and we want to ensure Fedify 2.0 gets the careful attention it deserves for its breaking changes. This means you'll get incremental improvements sooner with 1.10—including our new RFC 6570 URI Template implementation for better expansion and pattern matching—while we continue preparing the more substantial architectural changes for 2.0 in parallel. Rest assured, this doesn't change our long-term roadmap; it just gives us more flexibility to deliver features when they're ready rather than holding them back for a major release.

Fedify 1.9.0: Security enhancements, improved DX, and expanded framework support

We are excited to announce Fedify 1.9.0, a mega release that brings major security enhancements, improved developer experience, and expanded framework support. Released on October 14, 2025, this version represents months of collaborative effort, particularly from the participants of Korea's OSSCA (Open Source Contribution Academy).

This release would not have been possible without the dedicated contributions from OSSCA participants: Jiwon Kwon (@z9mb1), Hyeonseo Kim (@gaebalgom), Chanhaeng Lee (@2chanhaeng), Hyunchae Kim (@r4bb1t), and An Subin (@nyeong). Their collective efforts have significantly enhanced Fedify's capabilities and made it more robust for the fediverse community.

Origin-based security model

Fedify 1.9.0 implements FEP-fe34, an origin-based security model that protects against content spoofing attacks and ensures secure federation practices. This critical security enhancement enforces same-origin policy for ActivityPub objects and their properties, preventing malicious actors from impersonating content from other servers.

The security model introduces a crossOrigin option in Activity Vocabulary property accessors (get*() methods) with three security levels:

// Default behavior: logs warning and returns null for cross-origin content
const actor = await activity.getActor({ crossOrigin: "ignore" });

// Strict mode: throws error for cross-origin content
const object = await activity.getObject({ crossOrigin: "throw" });

// Trust mode: bypasses security checks (use with caution)
const attachment = await note.getAttachment({ crossOrigin: "trust" });

Embedded objects are automatically validated against their parent object's origin. When an embedded object has a different origin, Fedify performs automatic remote fetches to ensure content integrity. This transparent security layer protects your application without requiring significant code changes.

For more details about the security model and its implications, see the origin-based security model documentation.

Enhanced activity idempotency

Activity idempotency handling has been significantly improved with the new withIdempotency() method. This addresses a critical issue where activities with the same ID sent to different inboxes were incorrectly deduplicated globally instead of per-inbox.

federation
  .setInboxListeners("/inbox/{identifier}", "/inbox")
  .withIdempotency("per-inbox")  // New idempotency strategy
  .on(Follow, async (ctx, follow) => {
    // Each inbox processes activities independently
  });

The available strategies are:

• "per-origin": Current default for backward compatibility
• "per-inbox": Recommended strategy (will become default in Fedify 2.0)
• Custom strategy function for advanced use cases

This enhancement ensures that shared inbox implementations work correctly while preventing duplicate processing within individual inboxes. For more information, see the activity idempotency documentation.

Relative URL resolution

Fedify now intelligently handles ActivityPub objects containing relative URLs, automatically resolving them by inferring the base URL from the object's @id or document URL. This improvement significantly enhances interoperability with ActivityPub servers that use relative URLs in properties like icon.url and image.url.

// Previously required manual baseUrl specification
const actor = await Actor.fromJsonLd(jsonLd, { baseUrl: new URL("https://example.com") });

// Now automatically infers base URL from object's @id
const actor = await Actor.fromJsonLd(jsonLd);

This change, contributed by Jiwon Kwon (@z9mb1), eliminates a common source of federation failures when encountering relative URLs from other servers.

Full RFC 6570 URI template support

TypeScript support now covers all RFC 6570 URI Template expression types in dispatcher path parameters. While the runtime already supported these expressions, TypeScript types previously only recognized simple string expansion.

// Now fully supported in TypeScript
federation.setActorDispatcher("/{+identifier}", async (ctx, identifier) => {
  // Reserved string expansion — recommended for URI identifiers
});

The complete set of supported expression types includes:

• {identifier}: Simple string expansion
• {+identifier}: Reserved string expansion (recommended for URIs)
• {#identifier}: Fragment expansion
• {.identifier}: Label expansion
• {/identifier}: Path segments
• {;identifier}: Path-style parameters
• {?identifier}: Query component
• {&identifier}: Query continuation

This was contributed by Jiwon Kwon (@z9mb1). For comprehensive information about URI templates, see the URI template documentation.

WebFinger customization

Fedify now supports customizing WebFinger responses through the new setWebFingerLinksDispatcher() method, addressing a long-standing community request:

federation.setWebFingerLinksDispatcher(async (ctx, actor) => {
  return [
    {
      rel: "http://webfinger.net/rel/profile-page",
      type: "text/html",
      href: actor.url?.href,
    },
    {
      rel: "http://ostatus.org/schema/1.0/subscribe",
      template: "https://example.com/follow?uri={uri}",
    },
  ];
});

This feature was contributed by Hyeonseo Kim (@gaebalgom), and enables applications to add custom links to WebFinger responses, improving compatibility with various fediverse implementations. Learn more in the WebFinger customization documentation.

New integration packages

Fastify support

Fedify now officially supports Fastify through the new @fedify/fastify package:

import Fastify from "fastify";
import { fedifyPlugin } from "@fedify/fastify";

const fastify = Fastify({ logger: true });
await fastify.register(fedifyPlugin, {
  federation,
  contextDataFactory: () => ({ /* your context data */ }),
});

This integration was contributed by An Subin (@nyeong). It supports both ESM and CommonJS, making it accessible to all Node.js projects. See the Fastify integration guide for details.

Koa support

Koa applications can now integrate Fedify through the @fedify/koa package:

import Koa from "koa";
import { createMiddleware } from "@fedify/koa";

const app = new Koa();
app.use(createMiddleware(federation, (ctx) => ({
  user: ctx.state.user,
  // Pass Koa context data to Fedify
})));

The integration supports both Koa v2.x and v3.x. Learn more in the Koa integration documentation.

Next.js integration

The new @fedify/next package brings first-class Next.js support to Fedify:

// app/api/ap/[...path]/route.ts
import { federation } from "@/federation";
import { fedifyHandler } from "@fedify/next";

export const { GET, POST } = fedifyHandler(federation);

This integration was contributed by Chanhaeng Lee (@2chanhaeng). It works seamlessly with Next.js App Router. Check out the Next.js integration guide for complete setup instructions.

CommonJS support

All npm packages now support both ESM and CommonJS module formats, resolving compatibility issues with various Node.js applications and eliminating the need for the experimental --experimental-require-module flag. This particularly benefits NestJS users and other CommonJS-based applications.

FEP-5711 collection inverse properties

Fedify now implements FEP-5711, adding inverse properties to collections that provide essential context about collection ownership:

const collection = new Collection({
  likesOf: note,  // This collection contains likes of this note
  followersOf: actor,  // This collection contains followers of this actor
  // … and more inverse properties
});

This feature was contributed by Jiwon Kwon (@z9mb1). The complete set of inverse properties includes likesOf, sharesOf, repliesOf, inboxOf, outboxOf, followersOf, followingOf, and likedOf. These properties improve data consistency and enable better interoperability across the fediverse.

CLI enhancements

NodeInfo visualization

The new fedify nodeinfo command provides a visual way to explore NodeInfo data from fediverse instances. This replaces the deprecated fedify node command and offers improved parsing of non-semantic version strings. Try it with:

fedify nodeinfo https://comam.es/snac/

This was contributed by Hyeonseo Kim (@gaebalgom). The command now correctly handles various version formats and provides a cleaner visualization of instance capabilities. See the CLI documentation for more options.

Enhanced lookup with timeout

The fedify lookup command now supports a timeout option to prevent hanging on slow or unresponsive servers:

fedify lookup --timeout 10 https://example.com/users/alice

This enhancement, contributed by Hyunchae Kim (@r4bb1t), ensures reliable operation even when dealing with problematic remote servers.

Package modularization

Several modules have been separated into dedicated packages to improve modularity and reduce bundle sizes. While the old import paths remain for backward compatibility, we recommend migrating to the new packages:

• @fedify/cfworkers replaces @fedify/fedify/x/cfworkers
• @fedify/denokv replaces @fedify/fedify/x/denokv
• @fedify/hono replaces @fedify/fedify/x/hono
• @fedify/sveltekit replaces @fedify/fedify/x/sveltekit

This modularization was contributed by Chanhaeng Lee (@2chanhaeng). The old import paths are deprecated and will be removed in version 2.0.0.

Acknowledgments

This release represents an extraordinary collaborative effort, particularly from the OSSCA participants who contributed numerous features and improvements. Their dedication and hard work have made Fedify 1.9.0 the most significant release to date.

Special thanks to all contributors who helped shape this release, including those who provided feedback, reported issues, and tested pre-release versions. The fediverse community's support continues to drive Fedify's evolution.

For the complete list of changes, bug fixes, and improvements, please refer to the CHANGES.md file in the repository.

https://hollo.social/@fedify/0199a579-adb3-7bf5-a8ea-970c8fa91f09

Hope this leads to an even larger shared-layer between all the js/node #activitypub implementations like Ghost, NodeBB, *keys et.al.

Particularly wishing for convergence around a shared *identity core* across all these AP apps in accordance with NomadPub by @silverpill

https://codeberg.org/ap-next/ap-next/src/branch/main/nomadpub.md

FEP-ef61: Portable Objects
FEP-ae97: Client-side activity signing

That in addition to a common OAuth foundation would effectively be ActivityPub 2.0 and on-par with atproto.