Hubbry Logo
WebFingerWebFingerMain
Open search
WebFinger
Community hub
WebFinger
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
WebFinger
WebFinger
WebFinger
View on Wikipedia
from Wikipedia
Logo of WebFinger

WebFinger is a protocol specified by the Internet Engineering Task Force IETF in RFC 7033 that allows for discovery of information about people and things identified by a URI.[1] Information about a person might be discovered via an acct: URI, for example, which is a URI that looks like an email address.

WebFinger is specified as the discovery protocol for OpenID Connect,[2] which is a protocol that allows one to more easily log in to various sites on the Internet.[3]

The WebFinger protocol is used by federated software, such as GNU social (via its use in OStatus), Diaspora,[4] or Mastodon,[5] to discover users on federated nodes and pods, as well as the remoteStorage protocol.[6] The WebFinger protocol does not specify the usage of "template" within the "links" section. That is an extension made by the former oStatus protocol that the Fediverse inherited from. The reasoning for expanding upon this later was justified by wanting to use a different key for a value that isn't an URL but a pattern to create one.[7]

As a historical note, the name "WebFinger" is derived from the old ARPANET Finger protocol, but it is a very different protocol designed for HTTP.[8]

The protocol payload is represented in JSON format with a MIME-Type of application/jrd+json.[9]

Technical overview

[edit]

Basically the WebFinger is just a structured data format. The content of this structure depends entirely on the applications using it. While ensuring compatibility and extensibility.

Example format of a WebFinger JSON data model.

Basic example with profile page and business card

[edit]

For this example we've two users Alice and Bob. Alice only knows the E-Mail address of bob bob@example.com. Bob previously setup WebFinger over at example.com.

  1. Alice opens the "Add contact" page of their E-Mail client and only enters Bobs E-Mail Address.
  2. The application then derives the WebFinger URL:
    • test
    • https://
    • + the domain part of the email address example.com
    • + /.well-known/webfinger?resource=
    • + the kind of schema the application is looking for, in this case we want to have account information, so it's acct
    • + followed by an URL-Encoded :-character, aka. %3A
    • + followed by the URL-Encoded value (the email address) we'd like to know more of bob%40example.com.
    • Resulting in the URL: https://example.com/.well-known/webfinger?resource=acct%3Abob%40example.com
  3. The application then makes a HTTP-Request towards it and follows all potential HTTP redirects according to the HTTP specification.
  4. When the application got a successful result it parses the obtained JSON looking at all of the obtained "properties" and "links" to find ones it understands ignoring all others. Like e.g. http://webfinger.net/rel/profile-page for populating the users homepage field or http://webfinger.net/rel/avatar for adding a picture to the contact details.

For this the client sends the following request: 

GET /.well-known/webfinger?resource=acct%3Abob%40example.com HTTP/1.1
Host: example.com

Server response body: 

{
	"subject": "acct:bob@example.com",
	"aliases": [
		"https://www.example.com/~bob/"
	],
	"properties": {
		"http://example.com/ns/role": "employee"
	},
	"links": [
		{
			"rel": "http://webfinger.net/rel/profile-page",
			"href": "https://www.example.com/~bob/"
		},
		{
			"rel": "http://webfinger.net/rel/avatar",
			"type": "image/png",
			"href": "https://www.example.com/~bob/avatar.png"
		}
	]
}


Usage within the Fediverse

[edit]

Fediverse instances like e.g. Mastodon[5], Peertube, Misskey, ... can look up the server name of a specific usernames by sending a request to the WebFinger endpoint of the domain within their username (the part after the 2nd @-symbol). This also allows companies, influencers (anyone with their own DNS domain name) to point towards their official accounts within the Fediverse (aka. with ActivityPub) without needing to have their own instance running on their own domain and without all of the accounts having to be on the same instance (e.g. automatic accounts populated by the websites CRM, one for some primarily video content on a Peertube instance, and some personalised "employee" accounts on either one or multiple different Mastodon/Fediverse instances WITHOUT having to separate all of these to different (sub) domain names. Allowing to have a single easily readable and recognisable association with ones website within multiple usernames like e.g.: @authorname@bigcompany.tld, @news@bigcompany.tld, and @videotutorialsXYZ@bigcompany.tld instead of a confusing mix of e.g. @authorname@social.bigcompany.tld, @feed@feed.bigcompany.tld, @videotutorialsXYZ@videos.bigcompany.tld, and especially instead of @authorname@othercompany.tld. Without WebFinger when a company either chooses to outsource or team up with another company for operating these platforms on their behalf they normally not only make it trivial for others to impersonate them (because of having usernames that do not depend on their websites like e.g. @something@anothercompany.tld) but they also have to give up control over that account and its social capital to that specific company. The owner of anothercompany.tld is now in control of a companies entire social capital. Even worse should that company decide to shut down their servers for one reason or another the entire social capital could have to be rebuilt from scratch as nobody will be able to find the new company they moved to.

With WebFinger all of these problems can be avoided easily as e.g. @authorname@bigcompany.tld does not have to be served by https://bigcompany.tld/, nor does @otherauthorname@bigcompany.tld have to be on the same server anymore. If WebFinger is used a company gets enabled to use Mastodon.social today but once it either is no longer ideal or becomes inaccessible they can on their own accord - without any approval, vetoing, or even cooperation of the Mastodon gGmbH that owns and operates Mastodon.social, moved towards any other instance without losing their social capital. Be it a self-hosted one, one spun-up and operated by a smal regional IT contractor, or similar. And all of this completely transparently and without any for their community members having to "refollow" or do anything. Basically making migrating ones social media platform operator as easy as the one for ones website. Thereby eliminating vendor lock-in (e.g. as seen on centralised "big-tech" platforms like Twitter, Facebook, TikTok, or Instagram) and allowing one to staying in control of their network relationships and social capital.

All at the little cost of having to purchase single DNS domain. And to stay in control of it (e.g. by being registered and listed as the rightful owner of that DNS domain name within the DNS registry). Note: In most cases this is neither anything new or unique to WebFinger and for most companies associated risks are also already being managed as losing control over ones domain usually includes also losing ones Website, E-Mail reachability, and thereby not "just" their social capital but their entire web presence including losing out on income from e.g. ads, affiliate links, and/or sales. For WebFinger specifically one most ideally should also ensures to stay in control over their webspace as well. However compared to losing ones entire DNS domain that's basically just an annoying inconvenience.

When WebFinger is solely being used for the Fediverse alone it can be seen as a more universal, versatile, and simpler alternative to the more walled off AT_Protocol controlled and solely used by Bluesky. As all that is needed for WebFinger to function for this is host a single static file per username with a fixed file name of webfinger?resource=acct%3A<<USERNAME>>%40example.com within the .well-known folder on ones website. This means when someone visits https://example.com/.well-known/webfinger?resource=acct%3A<<USERNAME>>%40example.com they need to get a small JSON-file (aka. a text file) with content similar to the example below).

Example for user @Mastodon@mastodon.social

[edit]

WebFinger aware platforms and clients first tries to access the URL https://mastodon.social/.well-known/webfinger?resource=acct%3AMastodon%40mastodon.social by sending the HTTP-Request: 

GET /.well-known/webfinger?resource=acct%3AMastodon%40mastodon.social HTTP/1.1
Host: mastodon.social

Then the server responds with:

More human readable and formatted: 

{
   "subject":"acct:Mastodon@mastodon.social",
   "aliases":[
      "https://mastodon.social/@Mastodon",
      "https://mastodon.social/users/Mastodon"
   ],
   "links":[
      {
         "rel":"http://webfinger.net/rel/profile-page",
         "type":"text/html",
         "href":"https://mastodon.social/@Mastodon"
      },
      {
         "rel":"self",
         "type":"application/activity+json",
         "href":"https://mastodon.social/users/Mastodon"
      },
      {
         "rel":"http://ostatus.org/schema/1.0/subscribe",
         "template":"https://mastodon.social/authorize_interaction?uri={uri}"
      },
      {
         "rel":"http://webfinger.net/rel/avatar",
         "type":"image/png",
         "href":"https://files.mastodon.social/accounts/avatars/000/013/179/original/b4ceb19c9c54ec7e.png"
      }
   ]
}

Response in raw unformatted and unmodified including all headers for reference: 

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 628
referrer-policy: same-origin
x-runtime: 0.016346
x-frame-options: DENY
x-xss-protection: 0
content-type: application/jrd+json; charset=utf-8
etag: W/"1b12765828befeb0088ccfaa101276d5"
x-request-id: 6b75d72dfe8e62d97f15f6fce1095d7b
x-content-type-options: nosniff
via: 1.1 varnish, 1.1 varnish
content-security-policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://mastodon.social; img-src 'self' data: blob: https://mastodon.social https://files.mastodon.social; style-src 'self' https://mastodon.social 'nonce-VcuwDlT8Sp/BslgCzk90Aw=='; media-src 'self' data: https://mastodon.social https://files.mastodon.social; manifest-src 'self' https://mastodon.social; form-action 'self'; child-src 'self' blob: https://mastodon.social; worker-src 'self' blob: https://mastodon.social; connect-src 'self' data: blob: https://mastodon.social https://files.mastodon.social wss://streaming.mastodon.social; script-src 'self' https://mastodon.social 'wasm-unsafe-eval'; frame-src 'self' https:
cache-control: max-age=259200, public
Accept-Ranges: bytes
Age: 102821
Date: Sun, 12 Oct 2025 13:27:46 GMT
X-Served-By: cache-fra-eddf8230117-FRA, cache-fra-eddf8230158-FRA
X-Cache: MISS, HIT
X-Cache-Hits: 0, 0
X-Timer: S1760275667.945082,VS0,VE1
Vary: Origin
Strict-Transport-Security: max-age=31557600
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400

{"subject":"acct:Mastodon@mastodon.social","aliases":["https://mastodon.social/@Mastodon","https://mastodon.social/users/Mastodon"],"links":[{"rel":"http://webfinger.net/rel/profile-page","type":"text/html","href":"https://mastodon.social/@Mastodon"},{"rel":"self","type":"application/activity+json","href":"https://mastodon.social/users/Mastodon"},{"rel":"http://ostatus.org/schema/1.0/subscribe","template":"https://mastodon.social/authorize_interaction?uri={uri}"},{"rel":"http://webfinger.net/rel/avatar","type":"image/png","href":"https://files.mastodon.social/accounts/avatars/000/013/179/original/b4ceb19c9c54ec7e.png"}]}

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

WebFinger

View on Grokipedia
from Grokipedia
WebFinger is a protocol that enables the discovery of information about people or other entities on the using standard HTTP methods over , primarily through queries based on URIs such as addresses or account identifiers. Defined in RFC 7033 and published by the (IETF) in September 2013, it allows clients to retrieve static metadata about a resource, such as profile details, associated services, or alternative identifiers, without requiring prior knowledge of the entity's location. The protocol operates by directing clients to send a GET request to the /.well-known/webfinger endpoint on the host derived from the target URI, including a resource parameter specifying the entity (e.g., acct:username@[example.com](/page/Example.com)) and optionally a rel parameter to filter for specific link relations. Servers respond with a Resource Descriptor (JRD), a structured document containing the subject's URI, aliases (alternative URIs), properties (key-value pairs like names or photos), and links to related with types defined by the Link Relations registry. This design supports decentralized discovery across domains, facilitating interoperability in applications like social networking, identity management, and federated services, while mandating for transport to ensure security. Key features include support for (CORS) to allow browser-based queries, redirection for hosted services, and extensibility via the properties and links in JRDs, though it explicitly excludes dynamic or to maintain simplicity and boundaries. Security considerations emphasize the use of valid TLS certificates, to prevent abuse, and user consent for published information, as exposure of personal details can lead to risks or spam harvesting. Developed by Paul E. Jones, Gonzalo Salgueiro, Michael B. Jones, and Joseph Smarr, WebFinger builds on earlier discovery mechanisms like LRDD but standardizes them into a single, RESTful interface for broader adoption.

Overview

Definition and purpose

WebFinger is a protocol defined in RFC 7033 that enables the discovery of information about people or other entities on the through standard HTTP methods, primarily using in the form of "acct:" URIs or email addresses. It operates by allowing clients to query a server's well-known endpoint, typically via , to retrieve static metadata associated with the identifier, without requiring direct access to the entity's location on the web. The core purpose of WebFinger is to facilitate decentralized discovery of public profile information, contact details, or other metadata, avoiding the need for centralized directories or systems. By leveraging , it promotes among diverse services such as social networks, providers, and identity systems, enabling users to share and access information across platforms in a standardized manner. This approach supports broader goals of decentralized identity management on the web, where entities can expose links to resources like profile pages without relying on siloed APIs. WebFinger draws conceptual inspiration from earlier user discovery mechanisms, including the UNIX "finger" protocol and integrations with systems like OpenID for simplifying identity lookups. It has been adapted for use in OpenID Connect to dynamically discover identity providers based on user identifiers. The protocol returns results in a JSON Resource Descriptor (JRD) format, which encapsulates links and properties related to the queried entity.

Key concepts

WebFinger relies on the acct: URI scheme to identify users and entities in a standardized manner. The format is acct:user@host, where "user" represents the local identifier and "host" is the domain, providing a URI-based account reference that is distinct from addresses despite superficial similarity, as it functions solely for resource discovery rather than message routing. At the core of the protocol are resource descriptors, which are structured documents typically formatted as Resource Descriptors (JRDs). These descriptors contain an array of links pointing to related resources, such as user profiles, avatar images, or additional metadata, enabling clients to retrieve contextual information about the identified entity. Discovery begins at a standardized endpoint, specifically /.well-known/webfinger on the target host, which serves as the for querying resource information via HTTP. Each resource descriptor includes essential properties, with the subject field mandating the acct: URI of (e.g., acct:user@host), and an array of link relations defined by the rel to specify the type of connection, such as rel="http://webfinger.net/rel/profile-page" for linking to a user's profile webpage. These relations use either IANA-registered values or full URIs for precision, accompanied by optional attributes like href for the target , type for media types, and properties for embedded metadata.

History

Development origins

WebFinger originated in 2009, when , then at and known for his work on and , proposed the protocol as an extension of XMPP's XEP-0157 to enable web-based discovery of user information. This proposal aimed to adapt the XMPP extension's approach to contact addresses—originally designed for specifying service details like and JabberIDs—into a simpler HTTP-based mechanism for broader use. The development was driven by the growing interest in decentralized social networking during the late 2000s, where users sought ways to link identities and profiles across independent sites without relying on centralized platforms. Fitzpatrick's idea built on existing efforts to make email addresses more expressive as identifiers, influenced by OpenID's decentralized model and the (FOAF) project's emphasis on descriptions of relationships and profiles. Early prototypes focused on practical implementations tied to blogging platforms, including , to support cross-site profile linking and user discovery through straightforward HTTP queries. These initial efforts highlighted WebFinger's potential for enabling services like exploration and identity verification in distributed environments. Key early discussions involved the IETF's XMPP , where contributors like Peter Saint-Andre recognized similarities to XEP-0157 and advocated for broader standardization to refine the protocol for internet-scale adoption.

Standardization process

The standardization of WebFinger began with an individual Internet-Draft submission titled "The WebFinger Protocol" (draft-hammer-webfinger-00), authored by Eran Hammer-Lahav, Brad Fitzpatrick, and Blaine Cook, and posted to the IETF on October 19, 2009. This initial draft outlined the protocol's use of HTTP GET requests to a for discovering metadata about entities identified by URIs, including the introduction of the 'acct' URI scheme for user accounts. In April 2012, the IETF issued a call for adoption of the evolving draft by the Applications Area (APPSAWG), marking its transition to a working group effort under the name draft-ietf-appsawg-webfinger. The , chaired by Barry Leiba and Murray Kucherawy, refined the specification through 19 iterations of drafts between July 2012 and August 2013, addressing feedback on , extensibility, and integration with HTTP standards. Key contributors during this phase included Paul E. Jones, Gonzalo Salgueiro, Michael B. Jones, and Joseph Smarr. The finalized document was approved by the Internet Engineering Steering Group (IESG) and published as RFC 7033, "WebFinger," on September 27, 2013, achieving Proposed Standard status. This RFC formally defines the protocol's core mechanics, including the use of for all requests to ensure secure discovery, the structure of Resource Descriptors (JRDs) for responses, and extensibility through link relations; it also incorporates security considerations such as protection against information leakage and denial-of-service attacks. Additionally, the 'acct' URI scheme was further specified in a separate RFC 7565, published in August 2015. Following publication, RFC 7033 has seen no major formal updates or revisions, with no reported errata as of the latest IETF records. Community-driven extensions have emerged in related standards, such as the W3C's (published as a Recommendation in ), which leverages WebFinger for actor discovery in federated social networks while enforcing as mandated; these adaptations focus on integration with modern web architectures without altering the core protocol.

Technical specification

Resource discovery

WebFinger resource discovery involves parsing the input URI to identify the target host. The acct: URI, an identifier of the form acct:username@[hostname](/page/Hostname), is parsed according to RFC 3986 to extract the component, which forms the base for the (e.g., https://[hostname](/page/Hostname)). The client then constructs the WebFinger URI by appending the fixed path /.well-known/webfinger to the and adding the required resource query with the encoded target URI (e.g., https://[hostname](/page/Hostname)/.well-known/webfinger?resource=acct%3Ausername%40[hostname](/page/Hostname)). Upon querying the WebFinger URL, a 404 status indicates the resource is unknown to the server.

Host metadata retrieval

Once the WebFinger endpoint has been discovered for a given host, clients retrieve metadata about a specific resource by sending an HTTP GET request to the path /.well-known/webfinger on that host, appending the required resource query parameter that specifies the target URI (e.g., acct:[email protected], URL-encoded as acct%3Auser%40example.com). To indicate the desired response format, clients include an Accept header with the value application/jrd+json, ensuring the server returns the resource descriptor in JSON Resource Descriptor (JRD) format if supported. The request supports an optional rel parameter to filter the response by specific link relation types, allowing clients to retrieve only relevant metadata; for instance, specifying rel=http://webfinger.net/rel/avatar limits results to avatar-related links. Multiple rel values can be provided for broader filtering, and the parameter uses URL encoding for any special characters in relation URIs. Servers process these parameters to generate a targeted response, which upon success returns a 200 OK status code with a Content-Type header set to application/jrd+json. In cases of failure, such as an invalid resource or server error, the server issues appropriate 4xx or 5xx HTTP status codes without disclosing sensitive details. All WebFinger queries must use to protect the and integrity of the exchanged metadata, with the request host matching the host portion of the resource URI to prevent cross-host leaks. For performance and scalability, servers include standard HTTP caching headers, such as Cache-Control, in responses to specify expiration times or validators, enabling clients to cache resource descriptors and reduce repeated queries. This caching mechanism aligns with HTTP/1.1 guidelines, allowing conditional requests to refresh stale data efficiently.

JSON resource descriptor format

The JSON Resource Descriptor (JRD) serves as the standardized response format in the WebFinger protocol, consisting of a single object that conveys metadata about the queried resource. As specified in RFC 7033, the root object of a JRD includes a "subject" member, which SHOULD be present and is a string representing the URI (typically an acct: URI) of the entity being described, and an optional "links" member that is an array of link description objects. Additional optional root-level members include "aliases", an array of alternative URIs for the subject, and "properties", an object mapping URI keys to string or null values for arbitrary metadata. Each element in the "links" array is a JSON object describing a hyperlink, with the following properties: "rel", a required string indicating the relation type (a URI or registered link relation name); "href", an optional string providing the target URI; "type", an optional string specifying the media type of the target resource; "titles", an optional object of language-tagged strings for human-readable titles; and "properties", an optional object for extension metadata similar to the root "properties". Servers may include multiple links, and clients must ignore any unrecognized properties or members to ensure extensibility. Common relation types in JRD links include "http://webfinger.net/rel/profile-page", which points to the user's profile page, as illustrated in the protocol's normative example. Another frequently used relation is "me", a registered link relation indicating that the target resource represents the same entity as the subject, often linking to a self-referential profile or identity endpoint. For instance, a typical JRD response for the subject "acct:[email protected]" might appear as follows:

json

{ "subject": "acct:[email protected]", "links": [ { "rel": "http://webfinger.net/rel/profile-page", "href": "https://www.example.com/~bob/" }, { "rel": "me", "href": "https://www.example.com/~bob/", "type": "text/html" } ] }

{ "subject": "acct:[email protected]", "links": [ { "rel": "http://webfinger.net/rel/profile-page", "href": "https://www.example.com/~bob/" }, { "rel": "me", "href": "https://www.example.com/~bob/", "type": "text/html" } ] }

This structure adheres to the schema in RFC 7033, where validation ensures the "subject" matches the queried resource and links conform to the defined object format, though servers are not required to perform strict schema validation.

Examples

Basic profile lookup

To perform a basic profile lookup using WebFinger, consider a hypothetical query for the identifier acct:[email protected] on the fictional host example.com. This initiates a discovery process where a client sends an HTTP GET request to the server's /.well-known/webfinger endpoint, specifying the resource parameter to identify the user. The server responds with a JSON Resource Descriptor (JRD) containing links to relevant resources, such as a profile page and contact information. The request is constructed as follows:

GET /.well-known/webfinger?resource=acct%3Aalice%40example.com HTTP/1.1 Host: example.com Accept: application/jrd+json

GET /.well-known/webfinger?resource=acct%3Aalice%40example.com HTTP/1.1 Host: example.com Accept: application/jrd+json

This URL-encodes the acct:[email protected] URI in the resource query parameter and requests the JRD . For manual verification, the curl command-line tool can be used:
curl -H "Accept: application/jrd+json" "https://example.com/.well-known/webfinger?resource=acct%3Aalice%40example.com". This fetches the response directly from the server, assuming is enforced for security. A successful response includes an HTTP 200 status, appropriate headers, and the JRD body. The headers typically specify the content type and may include CORS allowances:

HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/jrd+json; charset=utf-8

HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: application/jrd+json; charset=utf-8

The JRD payload is a JSON object with a subject field matching the queried resource and an array of links describing discoverable items. For this example:

json

{ "subject": "acct:[email protected]", "links": [ { "rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/~alice/" }, { "rel": "http://webfinger.net/rel/avatar", "href": "https://example.com/~alice/photo.jpg", "type": "image/jpeg" }, { "rel": "http://packetizer.com/rel/businesscard", "type": "text/vcard", "href": "https://example.com/~alice/alice.vcf" } ] }

{ "subject": "acct:[email protected]", "links": [ { "rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/~alice/" }, { "rel": "http://webfinger.net/rel/avatar", "href": "https://example.com/~alice/photo.jpg", "type": "image/jpeg" }, { "rel": "http://packetizer.com/rel/businesscard", "type": "text/vcard", "href": "https://example.com/~alice/alice.vcf" } ] }

Parsing this output yields links to Alice's profile page (a personal webpage), avatar photo (an image file), and (a file containing contact details like name, email, and address). These relations follow registered link types for interoperability.

Social networking integration

WebFinger plays a crucial role in enabling user discovery across federated social networks, particularly in platforms like , where it facilitates interactions between users on different instances without relying on centralized directories. In , when a user enters a such as @[email protected] to follow someone remotely, the local instance triggers a WebFinger lookup by querying the remote server's /.well-known/webfinger endpoint with the resource parameter set to the account URI (e.g., acct:[email protected]). This process allows seamless cross-instance following by resolving the remote user's identity and associated resources. The response from a server in the is a Resource Descriptor (JRD) that includes the subject's URI and an array of links pointing to key resources, such as the ActivityPub actor document (via a self rel with application/activity+json type), the user's profile page (via profile-page rel with text/html type), and the avatar image (via an http://webfinger.net/rel/avatar rel). These links enable the requesting instance to fetch the remote user's profile details, posts, and media for integration into the local feed, supporting features like displaying avatars and bios during follows. Beyond , WebFinger supports cross-instance discovery in other federated platforms. In , it resolves user handles to hCard documents and seed location endpoints, allowing pods to exchange profile data and initiate connections across the network. Similarly, employs WebFinger to identify users via acct: URIs and discover their feeds and endpoints, promoting interoperability in decentralized social environments. This integration provides significant benefits in social contexts by enabling decentralized user search and , where individuals can locate and interact with others across independent servers using simple identifiers, eliminating the need for central registries and enhancing privacy through distributed control.

Implementations and adoption

Server-side tools

Several open-source libraries and servers facilitate the implementation of WebFinger endpoints on the server side, enabling hosts to provide discoverable resource descriptors for users or entities. One prominent PHP-based option is the WebFinger library, a lightweight implementation that handles HTTP requests to the /.well-known/webfinger path and returns Resource Descriptors (JRDs) compliant with RFC 7033. This library integrates easily into PHP applications, such as systems, by mapping user identifiers to profile data like profile URLs or avatar links. Similarly, the WebFinger plugin for , developed by Norbert Pfefferle, extends the platform to serve WebFinger responses for users, pulling data from user profiles and post feeds. In environments, the node-webfinger-service provides a dedicated server module for exposing WebFinger endpoints, supporting both standalone operation and integration into applications. It processes resource queries (e.g., acct:username@host) and generates JRDs dynamically from a configurable data store, making it suitable for custom social or identity services. For broader ecosystems like the , WebFinger is natively built into platforms such as and to ensure compatibility. Mastodon's implementation resolves acct: URIs to actor profiles via its Rails-based routing, while Pleroma's backend handles WebFinger lookups to federate user discovery across instances. Setting up a WebFinger endpoint typically involves configuring routes for /.well-known/webfinger and implementing logic to generate JRDs from user data, such as linking to profile pages or service endpoints. For instance, in or setups, developers route GET requests with resource and rel parameters to a handler that queries a database for the user's information and formats it as a object with subject, aliases, and links arrays. This process adheres to the protocol's requirements for HTTP 200 responses with application/jrd+json content type, often secured via . As of November 2025, WebFinger's adoption in the exceeds 19,000 active instances, primarily through integrations in and , underscoring its role in decentralized social networking. By March 2025, the had surpassed 15 million users.

Client-side usage

Client-side usage of WebFinger involves applications querying remote servers to discover descriptors for entities by URIs, typically using HTTP GET requests to well-known endpoints. This enables dynamic retrieval of metadata such as profile links, avatars, or contact information without prior configuration. Several open-source libraries facilitate WebFinger queries in client applications. In Python, the python-webfinger library provides a straightforward implementation for performing lookups compliant with RFC 7033, supporting resource discovery via LRDD or direct JRD formats. For JavaScript environments, the e14n/webfinger module offers a client that handles XRD and JRD documents over HTTP/, while the silverbucket/webfinger.js library extends support to browsers and with types for modern web applications. Common use cases include auto-discovering contact details in email clients, where a client can provision configuration data like IMAP/SMTP servers by querying a user's URI. In verification-focused apps, WebFinger allows confirmation of user identities by resolving links to authoritative profiles or endpoints. Integration examples demonstrate WebFinger's role in authentication flows, such as embedding it within 2.0 and to dynamically locate issuers based on user identifiers. It also supports decentralized identity systems, where clients resolve domain-based URIs to fetch credential endpoints, as seen in blockchain name services like Unstoppable Domains. Adoption has grown in projects since 2020, particularly within the IndieWeb and ecosystems; for instance, implementations like rely on WebFinger for actor discovery across federated servers. In contexts, its use in protocols has increased, enabling URI-based resolution in distributed applications.

Security considerations

Privacy risks

WebFinger's public discovery endpoints can lead to unintended information leakage, as they allow any unauthenticated to retrieve metadata about users, such as profile links, avatars, or associated services, without requiring explicit . This exposure occurs because the protocol relies on standard HTTP GET requests to well-known URIs, making discoverable by anyone with network access. For instance, querying a user's account URI can reveal existence confirmation and linked resources, potentially enabling of user accounts or social graphs. Historically, early implementations and drafts of WebFinger prior to RFC 7033 in 2013 were susceptible to risks from unencrypted HTTP transports, which could expose query details, including sensitive resource identifiers, to interception on compromised networks. Although the final specification mandates HTTPS to mitigate such eavesdropping, legacy systems or misconfigurations in pre-RFC deployments allowed plaintext transmission of user metadata, heightening the potential for data interception and abuse. WebFinger utilizes (CORS), inheriting all applicable security considerations from the CORS specification, including potential risks associated with cross-origin requests from web browsers.

Mitigation strategies

To mitigate risks associated with unauthorized access to user metadata, WebFinger implementations must enforce the use of for all queries and responses, as non-secure HTTP connections are explicitly prohibited to prevent man-in-the-middle attacks that could intercept or alter sensitive information. Clients are required to validate server certificates and reject invalid or untrusted ones, ensuring and integrity of the JSON Resource Descriptor (JRD) exchanged during lookups. Server operators should implement robust access controls to curb potential abuse, such as large-scale data harvesting or denial-of-service attempts through excessive queries. based on client IP addresses or other identifiers is recommended to restrict the frequency of requests, thereby reducing the feasibility of automated scraping while allowing legitimate usage. For queries involving sensitive information, servers may require token-based authentication or other mechanisms to verify client legitimacy before disclosing non-public details, enabling differentiated responses that withhold private or from unauthenticated requesters. Minimizing data disclosure is a core for preserving user privacy in WebFinger deployments, where servers must limit JRD contents to publicly intended properties only, excluding any private identifiers, locations, or relationships unless explicitly authorized by the user. System administrators are advised to provide granular user controls, allowing individuals to configure which elements of their metadata—such as profile URLs or contact details—are exposed via WebFinger, thereby preventing inadvertent leakage of personal information to unauthorized parties. On the client side, developers should incorporate practices that respect and enhance query , such as performing WebFinger lookups only with explicit user to avoid unintended privacy intrusions. Where applicable, clients can include headers in requests to signal a preference against persistent logging of query activity, and anonymize requests by omitting unnecessary identifying headers or using privacy-preserving proxies to further obscure the requester's origin.

References

  1. https://www.rfc-editor.org/rfc/rfc7033.html
  2. https://www.rfc-editor.org/info/rfc7033
  3. https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-webfinger-08
  4. https://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/00/
  5. https://groups.google.com/g/webfinger
  6. https://xmpp.org/extensions/xep-0157.html
  7. https://datatracker.ietf.org/doc/draft-hammer-webfinger/
  8. https://datatracker.ietf.org/doc/draft-hammer-webfinger/00/
  9. https://datatracker.ietf.org/doc/draft-jones-appsawg-webfinger/history/
  10. https://datatracker.ietf.org/doc/rfc7033/history/
  11. https://datatracker.ietf.org/doc/rfc7033/
  12. https://datatracker.ietf.org/doc/rfc7565/
  13. https://www.rfc-editor.org/rfc/rfc3986.html
  14. https://datatracker.ietf.org/doc/html/rfc7033
  15. https://datatracker.ietf.org/doc/html/rfc7033#section-4.4
  16. https://datatracker.ietf.org/doc/html/rfc7033#section-4.4.4
  17. https://datatracker.ietf.org/doc/html/rfc7033#section-4.3
  18. https://www.packetizer.com/ws/webfinger/link_relations.html
  19. https://fedify.dev/manual/webfinger
  20. https://docs.joinmastodon.org/spec/webfinger/
  21. https://diaspora.github.io/diaspora_federation/discovery/webfinger.html
  22. https://www.w3.org/wiki/Socialwg/Social_API/pump.io_API
  23. https://github.com/sabre-io/webfinger
  24. https://github.com/pfefferle/webfinger
  25. https://github.com/silverbucket/node-webfinger-service
  26. https://www.packetizer.com/ws/webfinger/server.html
  27. https://libera.site/channel/fediverse
  28. https://syhmac.pl/blog/2025/03/06/fediverse-reaches-15-million-users/
  29. https://github.com/jcarbaugh/python-webfinger
  30. https://github.com/e14n/webfinger
  31. https://github.com/silverbucket/webfinger.js
  32. https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-webfinger-14
  33. https://docs.unstoppabledomains.com/identity/guides/login-protocols/authorization-server/
  34. https://www.rfc-editor.org/rfc/rfc7033.html#section-9.2
  35. https://www.rfc-editor.org/rfc/rfc7033.html#section-9.1
  36. https://www.rfc-editor.org/rfc/rfc7033.html#section-9.3
Add your contribution
Related Hubs
User Avatar
No comments yet.