You're reading the Keybase blog.
There are more posts.

When you're done, you can install Keybase.

mastodon + keybase = true love 4eva

April 15, 2019

Today we're announcing that Keybase has a new, open proof protocol, and we've kicked it off with the Mastodon Fediverse. Already, 31 communities are live (,,, etc.), with many more in the coming days.

Previously, Keybase only supported the mega-behemoths: Twitter, Facebook, Reddit, Github, and HackerNews. This new protocol change isn't just for Mastodon; we're ripping Keybase wide open, so any community can cryptographically connect profiles to Keybase.

Everyone from a small phpBB forum to a big site such as Etsy, GitLab, or StackOverflow is welcome to do this easy integration.

First, what is Mastodon?

Mastodon is a microblogging social network. It's like Twitter, except anyone can administer an "instance," on a domain of their choice, letting in whatever members they want.

If you're on an instance called cereal.eaters and I'm on an instance called, we can follow each other and see each other's "toots" across the network. Censorship rules are up to the instances. This is federation at its finest.

It's pretty slick, and it honors the original spirit of the Internet.

Keybase Proofs

Keybase is a secure (as in cryptography) app for groups, communities, families, and friends. At its core is identity. Keybase is a catalog of connected identities and keys. For example, here's my friend tammy :

tammy camp keybase

I know her as @tammycamp on Twitter, and Keybase teaches me she's also u/hodl_strong on Reddit. Further, Keybase lets me have an encrypted chat with her, or add her to a group I'm building. I can feel safe I'm talking to the right person.

My Keybase app actually checks that she posted a signed tweet on Twitter.

An example of our old way of doing things

Let's walk through one. In our scenario, Keybase user haraldbluetooth wants to prove he is @toothyharald on Twitter.

After typing his Twitter handle into the Keybase app, Harald goes through these screens:

proof flow

Problems with the old way

Pretty quick and easy, right?

Still, we think this flow is choppy. Harald's Keybase app can tell him exactly what to tweet, but once he's in Twitter, Keybase is just sitting around, hoping he didn't change anything before posting.


  • posting is brittle; Twitter may not link to a screen with the tweet pre-filled. Also Harald may edit the tweet and mess it up. Twitter will still let him post it, but it will be nonsense.
  • people can post false claims on Twitter; Keybase wouldn't understand or honor them, but a tweet that's a lie might confuse Twitter users.
  • every site is different; Keybase needs to understand how to look up tweets, parse them, confirm the author, distinguish usernames, etc. It would be easier if Twitter could tell Keybase apps how it works and how to look up a proof.
  • the tweets flow into history; how can someone start on Harald's Twitter profile and know his Keybase username?

Our new protocol

Mastodon has done all this right, starting in Mastodon version 2.8. And now anyone else can, too.

Here’s what the proof flow looks like for Mastodon. When haraldbluetooth claims in Keybase that he's allmyteeth on, he lands on a page:

proof flow

Further, His page shows this special row:

This, unlike a Tweet or Toot that could say anything, only shows up on his Mastodon page if it's legit.

FINAL RESULT: if you know Harald on Mastodon, you can end up with his keys! Or if you know him on Keybase or elsewhere, Keybase teaches you about his Mastodon identity. All cryptographically verifiable.

For programmers...a neat bonus

You can send encrypted messages from the command line, using these proofs.

# these are identical
keybase chat send haraldbluetooth "Ensam är stark!"
keybase chat send "Ensam är stark!"

Or, using the Keybase chat API

echo '{"method": "send", "params": {"options": {"channel": {"name": ""}, "message": {"body": "Ensam är stark!"}}}}' | keybase chat api

Your Keybase app will verify all the crypto, and the chat will appear:

viking tribute

What the Mastodon project had to do

It wasn't a large project. They had to create or update a couple JSON endpoints, a config file, and an extra screen to handle this proof connection. Any site can do it.

Keybase profiles - in both the app and website - now link to Mastodon.

That's it. If your team builds a site or app with members, go for it. If you use an app or website you'd like to see connected to Keybase, you can send them this page.

Having fun!

💖 Keybase


I'm on a team that's interested. How do we get our project connected to Keybase?

Here's our integration guide. It's still a bit rough around the edges, but it should only take a day or two of programming to get your side done.

I run an Mastodon instance. Am I already added?

Perhaps. Many instances are in listed in the Keybase app but we have paused adding new instances for now. If you are looking to prove your identity on a personal instance then an https proof of the domain should do the trick, proving that you own that instance.

I REALLY want the admins of Site X to integrate with Keybase.

Get ON them!

What are your hopes and dreams?

We would love to connect Keybase to any forum and messageboard software, GitLab, NPM, Ruby Gems, other code publishers, and even LinkedIn.

Over the years, people have asked us for various integrations in this ticket. If you know anyone on any of those teams, it's now in their hands...we'll be standing by to help out.

I think you should do this slightly differently.

Please let us know. We can expand and improve this.

Why Mastodon first?

Because our users requested it in force. And because we feel like there are shared values here. And because they were willing, helpful partners (thanks @gargron).

Like a Mastodon instance, we reserve the right to work with whichever partners we prefer. We specifically will avoid at least these sites:

  • sites which encourage or are known for illegal activity
  • sites which primarily link to advertisements
  • sites which feel tiny and spammy. We don't want 10,000 partners with 5 members each; if you run, say, a family or apartment website, you don't need to do this integration. Just prove ownership of the domain in the old Keybase way, putting your family's proofs in

What's next?

this answer updated, to address some confusion!

One idea we had: instance owners might like to invite their own users to a secure group (or chat) with each other. We're thinking about a tool that will let a site admin cryptographically group people together.

For example, let's say you run You'd like realtime, encrypted chat for your members. You could have your users connect their Keybase account and automatically jump into your team's encrypted chat (technically YOU would be adding them), and they'd get access to your team's encrypted files. You could even have cryptographically partitioned subteams. Say, "admins" on your site get into a special encrypted team on Keybase.

This tool wouldn't be introducing anything new; obviously you know who your Keybase connected users are already. And you have the ability to invite them into a team. It would just make it easier.

Our first attempt to explain this made some people assume Keybase (the server code) had the power to control team memberships on Keybase. We just can't do that, as our Keybase app would never accept that. Once a team is created, its role changes must be signed by its admins.

If you run a larger community or site and are interested in talking about this feature, reach out to chris on Keybase. We could prioritize this tool.

What else?

Some big visual design changes in ~2 weeks.


This is a post on the Keybase blog.