custos personal data server
Powerful enough to run your presence. Unable to take your identity.
Custos is a complete AT Protocol PDS in a single Rust binary: it hosts
repositories, signs commits, serves the firehose, and federates with the
network. Its signing key sits at rotationKeys[1] — below the key
your users hold. A Custos instance can act for its users; it cannot
act against them.
Open source, in active development. Reports the literal truth — including its own limits.
What it runs.
- one binary: Rust, one process, SQLite in a single file. No database server to run, secure, or babysit.
- backup: Litestream streams the database off-box continuously — point-in-time recovery without a backup cron.
- deploy: Ships as an OCI image built from the repo’s Dockerfile. Runs anywhere a container runs.
- federation: Native firehose (com.atproto.sync.subscribeRepos), sync serving, and outbound requestCrawl — accounts on Custos are first-class citizens of the network.
- auth: A full OAuth provider — PAR, DPoP-bound tokens, JWKS — plus app passwords for legacy clients.
- accounts: Claim codes minted by you, the operator. Nobody signs up on your box unless you handed them a code.
- admin: Administer from your pocket with the Admin Companion iOS app: every request is signed by that phone’s own Secure Enclave key, so there is no replayable admin secret to lose with the device.
- custody seam: Custos holds rotationKeys[1] and signs repo commits. Your users’ wallets hold rotationKeys[0] and sign identity operations. The server works; the user rules.
Run it.
Build the image from source and point it at your public hostname. The
justfile in the repo carries the full local workflow; the deploy
guide covers staging, releases, and Litestream.
$ git clone https://github.com/malpercio-dev/ezpds
$ cd ezpds
$ docker build -t custos .
$ docker run -p 8080:8080 \
    -e EZPDS_PUBLIC_URL=https://pds.example.com \
    -e EZPDS_ADMIN_TOKEN=<your-admin-token> \
    custos
▸ custos — listening on 0.0.0.0:8080
Details, configuration reference, and the production checklist live in the repository’s deploy guide.
The deal between Custos and its users.
A PDS necessarily holds its users’ data — that is its job. The Custos bet is that it should hold their data without holding their identity. Because each user’s wallet key outranks the server’s, a Custos operator — even a compromised one — cannot rotate an identity away from its owner, and every identity operation the server does sign is visible in the public PLC log, monitored and reversible by the user’s wallet inside the 72-hour window.
That is the whole design: an operator powerful enough to run the service, and structurally too weak to betray the people on it.
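The priority rule behind this deal, as an added example that is not Custos code: a small Rust audit over a DID's PLC operation log that flags operations signed by a key other than the wallet's and gives the deadline for contesting them. The type and function names, key strings and timestamps are constructed for illustration, and signature verification is assumed to have been done already.

```rust
// Added example with hypothetical names; not Custos or PLC directory code.
const RECOVERY_WINDOW_SECS: u64 = 72 * 60 * 60;

/// One non-nullified PLC log entry, reduced to what the check needs.
/// `signer_index`: position, in the PREVIOUS operation's rotationKeys, of the
/// key whose signature verified (assumed to be verified elsewhere).
struct PlcOp<'a> {
    created_at: u64, // unix seconds
    signer_index: usize,
    rotation_keys: Vec<&'a str>,
}
#[derive(Debug, PartialEq)]
enum Finding {
    WalletSigned,
    ServerSigned { contest_until: u64 },
    WalletDisplaced { contest_until: u64, still_contestable: bool },
}

fn audit(wallet_key: &str, ops: &[PlcOp], now: u64) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut prev_keys: Vec<&str> = Vec::new();
    for op in ops {
        // A genesis operation is signed by one of its own rotation keys.
        let authority = if prev_keys.is_empty() { &op.rotation_keys } else { &prev_keys };
        let signer = authority.get(op.signer_index).copied();
        let contest_until = op.created_at + RECOVERY_WINDOW_SECS;
        findings.push(if signer == Some(wallet_key) {
            Finding::WalletSigned
        } else if op.rotation_keys.first().copied() == Some(wallet_key) {
            Finding::ServerSigned { contest_until }
        } else {
            // The wallet no longer holds rotationKeys[0]: act before the deadline.
            Finding::WalletDisplaced { contest_until, still_contestable: now < contest_until }
        });
        prev_keys = op.rotation_keys.clone();
    }
    findings
}

/// Constructed log: genesis, a server-signed update, a server-signed key removal.
fn sample_findings(now: u64) -> Vec<Finding> {
    let (w, s) = ("did:key:zWalletExample", "did:key:zServerExample");
    let ops = [
        PlcOp { created_at: 1_000_000, signer_index: 0, rotation_keys: vec![w, s] },
        PlcOp { created_at: 1_100_000, signer_index: 1, rotation_keys: vec![w, s] },
        PlcOp { created_at: 1_200_000, signer_index: 1, rotation_keys: vec![s] },
    ];
    audit(w, &ops, now)
}
fn main() { for f in sample_findings(1_300_000) { println!("{:?}", f); } }
```

A monitor built this way would alert on every WalletDisplaced finding and treat ServerSigned entries as routine but reviewable.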