In ActivityPub, follow relationships are established, updated and removed by
sending activities such as
Reject, which are assumed to
be correctly and promptly processed upon receipt.
However, due to incompatible protocol extensions, software bugs, server crashes
or database rollbacks, the two ends of a
Follow relationship may end up out of
This can be especially damaging when a remote instance has outdated information
about follow relationships that should have been revoked, as some
implementations may deliver activities addressed to the sender’s
collection by using the
sharedInbox mechanism and letting the recipient use
followers collection for local delivery and access control.
This proposal describes an optional mechanism for detecting discrepancies in following relationships across instances, with minimal overhead and without loss of privacy.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this specification are to be interpreted as described in [RFC-2119].
The proposed protocol for followers collection synchronization makes a number of assumptions that may not be suitable to every implementation or deployment.
Implementations and deployments MUST NOT implement the mechanisms described in this proposal unless they match the following requirements:
sharedInboxURIs (that is, for instance, two fediverse implementations cannot implement this proposal if they are set up on the same exact same domain name, unless implementing an additional mechanism to share follower information between them, which is out of scope for this proposal).
The reason for those requirements is to prevent the partial followers collection described below from missing legitimate followers, which could result in followers being removed for no reason.
Failing to implement this proposed synchronization mechanism should not impact compatibility with other implementations, as it is completely optional.
For efficiency and privacy purposes, we consider a subset of an actor’s
followers collection. This subset is the set of an actor’s followers whose
shares an instance’s specific URI scheme and authority.
For instance, if
https://example.org/users/1 has the following followers:
The partial follower collection of
https://example.org/users/1 for the
To enable quick checking of partial followers consistency across instances, a partial follower collection digest is computed.
This digest is created by XORing together the individual SHA256 digests of each
partialCollectionDigest = SHA256(follower1) XOR SHA256(follower2) XOR ... XOR SHA256(followerN)
For instance, the partial follower collection digest of
https://example.org/users/1 for the instance serving
3a06e99569547f444c352ab7f52e4bab207abec5ca6f07b0045cfdc9723f8fa9 XOR f939a1585d4a8f02ee339210dbe7315d7003476663d6095f7d996fc4bc7a49b6 = c33f48cd341ef046a206b8a72ec97af65079f9a3a9b90eef79c5920dce45c61f
Collection-Synchronization HTTP header provides a mechanism for quickly
checking whether the sender’s followers collection part that is relevant to the
recipient is consistent with the recipient’s knowledge.
The header field name is
Collection-Synchronization and its value is a list of
parameters and values, formatted according to the
signature syntax defined in
[HTTP-Signatures], Section 4.1.
Collection-Synchronization: collectionId="https://example.org/users/1/followers", url="https://example.org/users/1/followers_synchronization", digest="c33f48cd341ef046a206b8a72ec97af65079f9a3a9b90eef79c5920dce45c61f"
Collection-Synchronization header’s parameters are defined as follows:
collectionId: this is URI of the collection that supports synchronization. It must be the sender’s
url: this is the URL of the partial followers collection intended for the receiving instance. Accessing it should require authentication from the receiving instance.
digest: the partial follower collection digest intended for the receiving instance.
When delivering an Activity to an
sharedInbox), an instance MAY
Collection-Synchronization header intended for the corresponding
instance (determined by the
inbox URI scheme and authority).
When exactly to set this header is up to the sender, but it is recommended to
at least send it for any
Create activity addressed specifically to the
On the receiving end, upon receiving an Activity delivery with a
Collection-Synchronization header, the receiver MUST check that:
collectionIdattribute matches the sender’s
urlattribute also matches the same authority (so that the instance cannot get tricked into requesting the followers list of a third-party individual)
If any of those checks fails, the receiver MUST ignore the
The receiver SHOULD then compute the partial collection digest for the sender’s
followers based on its own knowledge. If the digest does not match the
attribute of the header, it SHOULD then query the
url, authenticating itself
to the remote server using [HTTP-Signatures] or another method.
Having fetched the up-to-date partial followers collection from the autoritative server, the receiving end:
Undo Followfor any other local follower listed in the partial followers collection but not known locally.
This proposal is implemented by Mastodon since the following Pull Request: https://github.com/tootsuite/mastodon/pull/14510
CC0 1.0 Universal (CC0 1.0) Public Domain Dedication
To the extent possible under law, the authors of this Fediverse Enhancement Proposal have waived all copyright and related or neighboring rights to this work.