custos personal data server

Powerful enough to run your presence. Unable to take your identity.

Custos is a complete AT Protocol PDS in a single Rust binary: it hosts repositories, signs commits, serves the firehose, and federates with the network. Its signing key sits at rotationKeys[1] — below the key your users hold. A Custos instance can act for its users; it cannot act against them.

Open source, in active development. Reports the literal truth — including its own limits.

What it runs.

one binary
Rust, one process, SQLite in a single file. No database server to run, secure, or babysit.
backup
Litestream streams the database off-box continuously — point-in-time recovery without a backup cron.
deploy
Ships as an OCI image built from the repo’s Dockerfile. Runs anywhere a container runs.
federation
Native firehose (com.atproto.sync.subscribeRepos), sync serving, and outbound requestCrawl — accounts on Custos are first-class citizens of the network.
auth
A full OAuth provider — PAR, DPoP-bound tokens, JWKS — plus app passwords for legacy clients.
accounts
Claim codes minted by you, the operator. Nobody signs up on your box unless you handed them a code.
admin
Administer from your pocket with the Admin Companion iOS app: every request is signed by that phone’s own Secure Enclave key, so there is no replayable admin secret to lose with the device.
custody seam
Custos holds rotationKeys[1] and signs repo commits. Your users’ wallets hold rotationKeys[0] and sign identity operations. The server works; the user rules.

Run it.

Build the image from source and point it at your public hostname. The justfile in the repo carries the full local workflow; the deploy guide covers staging, releases, and Litestream.

$ git clone https://github.com/malpercio-dev/ezpds
$ cd ezpds
$ docker build -t custos .
$ docker run -p 8080:8080 \
    -e EZPDS_PUBLIC_URL=https://pds.example.com \
    -e EZPDS_ADMIN_TOKEN=<your-admin-token> \
    custos

 custos — listening on 0.0.0.0:8080

Details, configuration reference, and the production checklist live in the repository’s deploy guide.

The deal between Custos and its users.

A PDS necessarily holds its users’ data — that is its job. The Custos bet is that it should hold their data without holding their identity. Because each user’s wallet key outranks the server’s, a Custos operator — even a compromised one — cannot rotate an identity away from its owner, and every identity operation the server does sign is visible in the public PLC log, monitored and reversible by the user’s wallet inside the 72-hour window.

That is the whole design: an operator powerful enough to run the service, and structurally too weak to betray the people on it.
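
The wallet-side check implied by that deal, as an added example that is not Custos or project code: it classifies each operation in a DID's PLC log by which rotation key signed it and how much of the 72-hour window remains. It assumes the signer of each operation was already recovered by signature verification; the `Op` and `Verdict` types, the function names, and the key strings are hypothetical.

```rust
// Added example, not Custos code. Assumption: each entry's `signer` was already
// recovered by verifying the operation's signature against the prior rotationKeys.
const RECOVERY_WINDOW_SECS: u64 = 72 * 3600;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    OwnerSigned,                                         // signed by rotationKeys[0]
    Recoverable { secs_left: u64, demotes_owner: bool }, // wallet can still override
    WindowClosed { demotes_owner: bool },                // recovery window has elapsed
    UnknownSigner,                                       // signer not in prior rotationKeys
}

pub struct Op<'a> {
    pub created_at: u64,             // unix seconds
    pub signer: &'a str,             // did:key that signed this operation
    pub rotation_keys: Vec<&'a str>, // rotationKeys this operation sets
}

/// Classify `op` against the rotationKeys in force before it.
pub fn classify(prev_keys: &[&str], op: &Op, now: u64) -> Verdict {
    // True when the previous top-priority key is no longer first afterwards.
    let demotes_owner = prev_keys.first() != op.rotation_keys.first();
    let deadline = op.created_at + RECOVERY_WINDOW_SECS;
    match prev_keys.iter().position(|k| *k == op.signer) {
        None => Verdict::UnknownSigner,
        Some(0) => Verdict::OwnerSigned,
        Some(_) if now < deadline => {
            Verdict::Recoverable { secs_left: deadline - now, demotes_owner }
        }
        Some(_) => Verdict::WindowClosed { demotes_owner },
    }
}

/// Walk a log whose first entry is the genesis operation.
pub fn audit(log: &[Op], now: u64) -> Vec<Verdict> {
    log.windows(2).map(|w| classify(&w[0].rotation_keys, &w[1], now)).collect()
}

/// Constructed sample: wallet at [0], server at [1]; key strings are placeholders.
pub fn sample_log() -> Vec<Op<'static>> {
    let (w, s) = ("did:key:WALLET-PLACEHOLDER", "did:key:SERVER-PLACEHOLDER");
    vec![
        Op { created_at: 0, signer: w, rotation_keys: vec![w, s] },
        Op { created_at: 1_000, signer: w, rotation_keys: vec![w, s] },
        Op { created_at: 100_000, signer: s, rotation_keys: vec![s] },
    ]
}

fn main() { for v in audit(&sample_log(), 200_000) { println!("{:?}", v); } }
```

A `Recoverable` verdict with `demotes_owner` set is the case to alert on first: the wallet key has been moved out of the top slot by a lower-priority signer and the time left to override it is `secs_left`.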