Permissioned data on atproto: a technical walkthrough
Bryan (they/them)
June 24, 2026
A developer-facing walkthrough of the atproto permissioned-data design, built from Daniel Holmgren six-post Permissioned Data Diary, the Modeling communities essay, and the draft proposal (bluesky-social/proposals number 94) plus the Spaces Design Spec. Covers why access control is the right framing rather than end-to-end encryption; why the unit of access is a space, a member list under a DID, rather than a record or an app; where permissioned repos actually live, one per member per space on each member own PDS; the three-credential cascade of delegation token, client attestation, and space credential, and why an app gets the whole space; application allow and deny lists, and public permissioned spaces. Then the layer above: modeling communities as many typed spaces under one DID rather than one universal container. And what the draft spec made concrete: push-then-pull sync that never touches the public firehose, notifyWrite then getRepoOplog, and deliberately deniable commit signatures. With animated diagrams for the credential cascade and the end-to-end read sequence.
Discussion in the ATmosphere