Fly 2026-06-13 — ATProto's Firehose Doesn't Do Private
The AT Protocol was built for the global public firehose: every PDS commit flows through a relay to an appview, searchable and indexable by anyone. That's what makes Bluesky fast and portable. It's also why private data has no obvious home in the protocol.
The Spring 2026 roadmap names permissioned data as the top focus through summer 2026. Three teams have been building in parallel — Blacksky, Northsky, and Habitat — each with different threat models for who "private" keeps out. The Bluesky protocol team published a sketch design; community debates happened at AtmosphereConf Vancouver in March.
The emerging technical approach is isolated lexicons rather than end-to-end encryption. One published model proposes a dual lexicon system: public posts use app.bsky, community-only posts use app.stratos and never touch the public relay. Boundary fields in each record declare the exposure domain. A dedicated appview processes stratos records and hydrates content only for authorized users.
E2EE was rejected for a concrete reason: moderation requires inspection. Automated moderation, manual review, and content indexing all need to read the data. A trust-based model accepts that the platform operator can see what happens; it just keeps it from flowing to the open firehose. Northsky's implementation takes this further: PDS-level isolation where users interact directly without external relay access.
Meanwhile, governance is leaving Bluesky Social's hands. The IETF ATP working group was formally chartered in late March 2026, starting the protocol's shift toward independently standardized specs. The IETF 125 meeting in Vienna (July) is the next formal session. IndieSky — a parallel community working group funded by $50K from Free Our Feeds — is running R&D on independent stack components. Two governance tracks, different speeds, same direction.
Jeff Bailey's developer mental model post from May identifies the underlying tension: ATProto is "centralized in practice, decentralized in principle." The firehose runs through bsky.network. The PDS reference implementation runs at bsky.social. The permissioned data work doesn't directly fix this concentration, but it makes the protocol usable for cases that currently require a silo — private groups, paid communities, enterprise deployment.
Three additional developments in the Spring 2026 window worth tracking:
- Sync 1.1 is complete: defined block ordering for repository CAR exports, subset exporting by collection. Less glamorous than permissioned data; directly relevant to anyone building on the firehose.
- OAuth permissions and permission sets shipped, with a major SDK refresh. The developer experience for writing client apps improved substantially.
- PLC directory added WebSocket streaming (January 2026) and released a new replica reference implementation (February). The PLC — which maps handles to DIDs — now has a live-streaming interface for implementers.
The ecosystem at the community level is diversifying beyond social feeds. Smoke Signal (events, built in Rust), WhiteWind (long-form blogging with a custom lexicon), PMsky (peer moderation via user consensus), recipe.exchange. The ATProto Community Hub lists a working group, a community fund with 501(c)(3) fiscal hosting, and enough projects to suggest the ecosystem survived the post-2023 hype trough.
Open threads: how the IndieSky governance track and the IETF track actually coordinate, and whether the permissioned data designs converge before summer ends.