Free AT Protocol integrity checklist

BlueSky record signature and CID verifier

Check the DID, AT URI, record CID, commit CID, repo revision, and signature evidence you need before verifying an AT Protocol repository update or BlueSky post record.

Check record evidence

This browser-only helper validates field shape and creates a verification plan. Full cryptographic verification still requires fetching CAR blocks, decoding DRISL CBOR, and checking the signature with the public signing key in the DID document.

Repository DIDRecord AT URIRecord CIDCommit CIDRepo revisionSignature bytes

Repository DID

did:plc:ewvi7nxzyoun6zhxrhs64oiz

Looks valid

AT Protocol repos are identified by DIDs, usually did:plc or did:web.

Record AT URI

at://did:plc:ewvi7nxzyoun6zhxrhs64oiz/app.bsky.feed.post/3k4duaz5vfs2b

Looks valid

A public record path should resolve as at://did/collection/rkey.

Record CID

bafyreibjifzpqj6o6wcq3hejh7y4z4z2vmiklkvykc57tw3pcbx3kxifpm

Looks valid

CIDs are content hashes for records, MST nodes, blobs, and commits.

Commit CID

bafyreig2fjxi3rptqdgylg7e5hmjl6mcke7rn2b6cugzlqq3i4zu6rq52q

Looks valid

The CAR root should point to the signed commit block for the repo revision.

Repo rev

3k4duaz5vfs2b

Looks valid

Repo revisions are logical-clock strings. They should increase over time.

Signature bytes

optional in this local checklist

Looks valid

Full verification requires decoded commit bytes, SHA-256, and the current signing key from the DID document.

Verification plan JSON

6/6 checks

{
  "repository": "did:plc:ewvi7nxzyoun6zhxrhs64oiz",
  "record": {
    "uri": "at://did:plc:ewvi7nxzyoun6zhxrhs64oiz/app.bsky.feed.post/3k4duaz5vfs2b",
    "cid": "bafyreibjifzpqj6o6wcq3hejh7y4z4z2vmiklkvykc57tw3pcbx3kxifpm"
  },
  "commit": {
    "cid": "bafyreig2fjxi3rptqdgylg7e5hmjl6mcke7rn2b6cugzlqq3i4zu6rq52q",
    "rev": "3k4duaz5vfs2b",
    "signatureProvided": false
  },
  "recommendedSteps": [
    "Fetch the repo or record proof from the account PDS with com.atproto.sync.getRepo, getRecord, or getBlocks.",
    "Decode the CAR file and confirm the root block is the signed commit object.",
    "Verify the commit fields: did, version, data CID, rev, prev, and sig.",
    "Hash the unsigned commit CBOR bytes with SHA-256 and verify the signature with the account signing key from the DID document.",
    "Walk the MST proof chain until the requested record path maps to the expected record CID."
  ]
}

What this verifies

CIDs are content hashes. Commit signatures authenticate repo updates. Together, they let developers prove that a public record path maps to a specific block inside the signed repository state.

ONYX uses the same integrity mindset for scheduling: authorized app-password publishing, reviewed queues, stable account identity, and no need to expose your master password to draft content.

Developer sequence

1. Resolve the handle to a DID and PDS endpoint.
2. Fetch the repo, record proof, or blocks from the PDS sync API.
3. Decode the CAR blocks and identify the commit root.
4. Verify the unsigned commit hash against the raw signature bytes.
5. Walk the MST proof chain to the record CID.

Official references

AT Protocol repository spec AT Protocol cryptography spec AT Protocol sync guide

Schedule after validation

Once identity and publishing permissions are clear, use ONYX to keep approved posts moving through a focused BlueSky calendar.

Start Free