Hold the keys to your own identity.

Obsign is an identity wallet for the AT Protocol — the network behind Bluesky. The keys that control your identity live in your device’s Secure Enclave, not on someone else’s server. No platform, host, or provider can take your identity, block your exit, or hold it hostage.

Open source. In development — iOS builds ship via TestFlight. No tokens, no coins, nothing to buy.

Owned, not rented.

On the AT Protocol, your identity is a did:plc — and it is controlled by whoever holds its rotation keys. On most hosts today, that’s the server. Your ability to leave, to recover from an attack, or simply to stay yourself is a policy promise: real only for as long as your host is honest, solvent, and online.

Obsign turns that promise into arithmetic. Your device holds the highest-priority rotation key, so the final word on your identity is signed by you — and only ever by you.

rotationKeys[0]: your device — Secure Enclave, non-extractable
rotationKeys[1]: your server — signs posts, can never outrank you
recovery window: 72 hours, during which your key overrides any other
backup: your key, split 2-of-3 — no single custodian

How Obsign defends an identity.

Set it up once, with care. After that, Obsign watches quietly — and if something is wrong, it says so in plain words.

Sealed in your device

Your identity key is generated inside the Secure Enclave and never leaves it. It signs identity operations only after you approve them — reviewed on screen, confirmed with your biometrics.

It keeps watch

Obsign monitors the public PLC directory for changes to your identity. Every entry is verified against your own key — any operation you didn’t authorize raises an alarm that tells you exactly what changed.

72 hours to take it back

Inside the directory’s recovery window, your device key outranks every other key. One clear, reviewed action signs the override and reclaims the identity — calmly, before the window closes.
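
The watch-and-recover rule from the two sections above, sketched as a triage over directory log entries. This is an added example, not Obsign's own code. It assumes each entry's signer index has already been established by verifying its signature against the rotation keys in force; the type names, function names and sample timestamps are constructed for illustration.

```rust
// Added example: triage a did:plc audit log against the 72-hour recovery window.
// Assumption: signer_index was derived by signature verification elsewhere
// (0 = device key in rotationKeys[0], 1 = server key in rotationKeys[1]).
const RECOVERY_WINDOW_SECS: u64 = 72 * 60 * 60;

#[derive(Debug, PartialEq)]
enum Verdict {
    Authorized,                     // signed by the device key
    Overridable { secs_left: u64 }, // lower-priority signer, window still open
    WindowClosed,                   // lower-priority signer, window has passed
}

struct LogEntry {
    created_at: u64, // Unix seconds, as recorded by the directory
    signer_index: usize,
}

fn triage(entry: &LogEntry, now: u64) -> Verdict {
    if entry.signer_index == 0 {
        return Verdict::Authorized;
    }
    // A timestamp ahead of the local clock counts as age 0, so clock skew
    // never shortens the window that is reported to the user.
    let age = now.saturating_sub(entry.created_at);
    if age < RECOVERY_WINDOW_SECS {
        Verdict::Overridable { secs_left: RECOVERY_WINDOW_SECS - age }
    } else {
        Verdict::WindowClosed
    }
}

// Every entry that should raise an alarm, with its position in the log.
fn alarms(log: &[LogEntry], now: u64) -> Vec<(usize, Verdict)> {
    log.iter()
        .enumerate()
        .map(|(i, e)| (i, triage(e, now)))
        .filter(|(_, v)| *v != Verdict::Authorized)
        .collect()
}

// Constructed sample log: one device-signed entry, two server-signed ones.
fn sample_log() -> Vec<LogEntry> {
    vec![
        LogEntry { created_at: 1_700_000_000, signer_index: 0 },
        LogEntry { created_at: 1_700_010_000, signer_index: 1 },
        LogEntry { created_at: 1_700_200_000, signer_index: 1 },
    ]
}

fn main() {
    for (i, v) in alarms(&sample_log(), 1_700_300_000) {
        println!("entry {}: {:?}", i, v);
    }
}
```

An entry that comes back as WindowClosed is the case monitoring exists to prevent: the override is only available while the alarm is still inside the 72 hours.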

Backup without a custodian

At setup, your key is split into three shares — iCloud Keychain, your server’s escrow, and a place you choose. Any two recover it; no single share (and no single company) can.

The wallet’s urgency states. Status is never color alone — every state carries an icon, a label, and a position, so it can’t be misread under stress or with color-blindness.

Leaving is allowed. That’s the point.

Because you hold the top rotation key, moving your identity to a new host is an operation you sign — it never requires your old server’s permission, cooperation, or continued existence. Credible exit stops being a promise in a terms-of-service and becomes a property of the keys.

And nothing about this leaves the network behind: your server keeps a lower-priority rotation key, so standard AT Protocol tooling and ordinary migrations keep working exactly as they do everywhere else.

Plain answers.

Is this a crypto thing?

No. There are no coins, no tokens, and nothing to buy or trade. A did:plc is a public log of signed operations run for the AT Protocol — not a blockchain. Obsign is a key holder, the way a passport wallet holds a passport.

What if I lose my phone?

Your key is split 2-of-3 at setup: one share in iCloud Keychain, one held in escrow by your server, one wherever you choose. Losing the phone loses one share — any two remaining shares recover the key.

Do I need to understand the cryptography?

No — and you’re never asked to. Obsign leads with plain human stakes. But every screen keeps the machinery — the DIDs, the keys, the audit log — one deliberate tap away, so you can verify anything yourself whenever you want to.

What if this project disappears?

Your identity outlives it. It’s a did:plc in the public directory, your keys are on your device, and your server remains a standard rotation key — so ordinary AT Protocol tooling can still operate on your identity. All of this is open source.

Custos: the server side

Run the room your identity lives in.

Custos is Obsign’s personal data server — a complete AT Protocol PDS in a single Rust binary. It hosts your repository, signs your posts, and federates with the network. What it cannot do, by construction, is take your identity: its key is ranked below yours.