This http response haunts my dreams. I’ve been looking at it for over a week, scouring the internet to try to overcome it and achieve the screenshot at the top of this article. The stars have finally aligned and I’m happy to share how to implement a very basic ActivityPub Server which can post to Mastodon.
Response Code: 401
Response Body: {"error":"Unable to fetch key JSON at https://gioandjake.com/u/actor"}
I was stuck on this 401 Response after following the Mastodon Blog’s tutorial How to implement a basic ActivityPub server. There are some important details missing from this blog if you hope to use it to publish activities to the fediverse.
Getting up to Speed π
The Mastodon Blog post lays out the basics of core data types in ActivityPub.
- Actor: represents a user in most social media
- Webfinger: metadata endpoint to confirm existence of actors
- Message: this would be any type of action on social media: like, post, follow, etc.
All of these are communicated over https as JSON-LD. JSON-LD is a specific content type, but static JSON files can be used for simple use cases like this. The guidance on how to serve these files is a bit bare, for example:
The Webfinger endpoint is always under /.well-known/webfinger, and it receives queries such as /.well-known/webfinger?resource=acct:bob@my-example.com. Well, in our case we can cheat, and just make it a static file[…]
After this is uploaded to your webhost and available under your domain with a valid SSL certificate, you could already look up your actor from another Mastodon by entering alice@my-example.com into the search bar. Although itβll look quite barren.
The static content needs to be POSTed with a valid public key associated with the actor. The blog gives advice on creating a public and private key pair, setting the public key in the actor’s data, and signing a request to the mastodon inbox with the private key.
I went through this tutorial and tried to execute the ruby program, only to see a 401/Unauthorized.
What was missing? π
The key missing piece of the blog post is details on hosting the static files. Mastodon expects the files to have a very specific content type - application/activity+json.
Here are the headers I overrode in Nginx to get this demo working
Content-Type: applicaiton/activity+json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
NOTE! You must include a valid toot link in the
inReplyToproperty. Otherwise, the toot will not show up under the profile on Mastodon.
Once these additions are made, we can do fun things, like publish ActivityPub messages on blog post updates! Take a look!
Everything you need to Publish to Mastodon in 2025 π
Here is everything I’ve used to implement a static ActivityPub Server.
Nginx Conf (server) π
server {
server_name gioandjake.com www.gioandjake.com;
root /var/www/gioandjake.com/html;
index index.html index.htm;
location /u/ {
types {}
default_type "application/activity+json";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Origin *;
autoindex on;
try_files $uri $uri.json $uri/ = 404;
}
location /messages/ {
types {}
default_type "application/activity+json";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Origin *;
autoindex on;
try_files $uri $uri.json $uri/ = 404;
}
location /.well-known/ {
types {}
default_type "application/activity+json";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Origin *;
index webfinger.json;
}
location /inbox {
types {}
default_type "application/activity+json";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Origin *;
return 200;
}
... ssl by certbot stuff
}
$root/.well-known/webfinger.json (server) π
{
"subject": "acct:jake@gioandjake.com",
"links": [
{
"rel": "self",
"type": "application/activity+json",
"href": "https://gioandjake.com/u/actor"
}
]
}
$root/u/actor.json (server) π
{
"@context": [
"https://www.w3.org/ns/activitystreams",
"https://w3id.org/security/v1"
],
"id": "https://gioandjake.com/u/actor",
"type": "Person",
"preferredUsername": "jake",
"inbox": "https://gioandjake.com/inbox",
"publicKey": {
"id": "https://gioandjake.com/u/actor#main-key",
"owner": "https://gioandjake.com/u/actor",
"publicKeyPem": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n" // copied from local machine after running openssl commands
}
}
$root/messages/create-hello-world.json (server + local machine) π
{
"@context": "https://www.w3.org/ns/activitystreams",
"id": "https://gioandjake.com/messages/create-hello-world",
"type": "Create",
"actor": "https://gioandjake.com/u/actor",
"object": {
"id": "https://gioandjake.com/messages/hello-world",
"type": "Note",
"published": "2025-01-23T17:17:11Z",
"attributedTo": "https://gioandjake.com/u/actor",
"inReplyTo": "https://mastodon.social/@baadjaake/113888857964172133",
"content": "<p>Hello world?</p>",
"to": "https://www.w3.org/ns/activitystreams#Public"
}
}
deliver.rb (local machine) π
require 'http'
require 'openssl'
document = File.read('/path/to/local/create-hello-world.json')
sha256 = OpenSSL::Digest::SHA256.new
digest = "SHA-256=" + Base64.strict_encode64(sha256.digest(document))
date = Time.now.utc.httpdate
keypair = OpenSSL::PKey::RSA.new(File.read('/path/to/local/private.pem'))
signed_string = "(request-target): post /inbox\nhost: mastodon.social\ndate: #{date}\ndigest: #{digest}"
signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))
header = 'keyId="https://gioandjake.com/u/actor",headers="(request-target) host date digest",signature="' + signature + '"'
response = HTTP.headers({ 'Host': 'mastodon.social', 'Date': date, 'Signature': header, 'Digest': digest })
.post('https://mastodon.social/inbox', body: document)
# Output the response
puts "Response Code: #{response.code}"
puts "Response Body: #{response.body}"
openssl commands (local machine) π
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem