YOUR IDENTITY AND CONTENT ARE RENTED BACK TO YOU BY THE PLATFORMS THAT OWN IT. DFOS PROTOCOL GIVES YOU BACK THE KEYS.

An open standard for cryptographic identity and verifiable content. Runs anywhere, portable across everything, no permission required — a rotation-capable signing identity for AI agents and devices that needs no central directory to resolve.

The proof is public. The content stays in the dark forest

Install the CLI Why this exists Read the spec
The Dark Forest

Two worlds

The most meaningful creative and social coordination on the internet happens in private groups, closed communities, invite-only spaces. The topology is private-first.

The major social protocols — AT Protocol, nostr, Farcaster — are public-by-default: to verify a piece of content you generally have to be able to read it. DFOS separates proof from content.

The world of proofs is public — signed chains that anyone can verify. The world of content lives in dark forests — member-governed spaces, undisclosed by default and served only to participants. The protocol defines the proof world. It commits to content hashes, never the documents themselves — it does not encrypt them.

T H E   P R O T O C O L

Self-certifying identity

Identity is a chain of cryptographic operations you control. Your did:dfos identifier derives from your genesis — self-certifying. Forks are valid. Convergence is deterministic. No consensus needed.

Offline verification

Verification is a pure function. Public key + signed chain = valid or invalid. Any Ed25519 library, any language. The chain carries everything needed. A proof exported today is verifiable by code that doesn't exist yet.

Trustless distribution

Web relays independently verify every operation on ingestion. No trust between relays. No hierarchy. Topology is emergent. Three peering behaviors compose the network: gossip, read-through, and sync.

MIT License · Powers the DFOS platform · TypeScript · Go · Python · Rust · Swift

Same deterministic test vectors across all five implementations. The protocol specification is the single source of truth.

B U I L D Install the CLI One binary. Create identities, sign content, run relays. Linux, macOS, Windows. U N D E R S T A N D Why this exists The structural condition of platform identity, the dark forest topology, and what falls out of it. E V A L U A T E Read the spec Chains, beacons, credentials, CID derivation, verification rules, and deterministic test vectors.
G E T   S T A R T E D

Install the CLI

One binary. Keys in your OS keychain. Local-first by default. Full documentation.

curl -sSL https://protocol.dfos.com/install.sh | sh

Also available via brew install metalabel/tap/dfos and docker pull ghcr.io/metalabel/dfos

Quickstart
# create your identity
dfos identity create --name myname

# publish your first post
echo '{"body":"gm"}' | dfos content create -

# see it
dfos content list

# run a relay
dfos serve
S P E C I F I C A T I O N S

Read the protocol

Protocol Specification Chains, beacons, credentials, CID derivation, verification rules, test vectors DID Method W3C did:dfos — self-certifying, transport-agnostic identifiers Content Model JSON Schema content types committed via content-addressed CIDs Credentials Delegated authorization, revocation, standing access, and attenuation Web Relay Verifying HTTP relay with gossip, read-through, and sync peering Sign In With DFOS Cryptographic identity verification for third-party applications
U S E   I T
CLI Identities, content chains, credentials, relays — Linux, macOS, Windows Deploy Run a relay with Docker, Caddy auto-TLS, peering, and container images Claude Code Skill AI-assisted CLI workflows — install the DFOS skill for Claude Code Why The structural condition, design principles, what the protocol is and isn't