AT Protocol's Selective Path to Standardization

For months, the AT Protocol community asked: when does this get standardized? When does IETF legitimacy arrive?

The answer came in August and September 2025: selectively.

What's Going to IETF

Bluesky submitted two Internet Drafts to the IETF:

• Authenticated Transfer Repository and Synchronization — the core data sync mechanism
• Authenticated Transfer: Architecture Overview — how the pieces fit together

These were approved for a Birds of a Feather session at IETF 124 in Montreal (November 2025). That's real traction.

But here's the key: only the repository and synchronization protocol is on the table for IETF standardization right now. Not the whole stack.

What's Staying Internal (For Now)

Deliberately excluded from IETF standardization:

• Lexicon — AT's schema system for data types
• OAuth profile — the authentication layer AT customized
• Auth scopes — permission models
• PLC — the identity system (did:plc)
• Handle system — human-readable identifiers
• Other governance-specific components

Why? Bluesky's explicit reasoning: the repo and sync protocol is 'the most foundational part of AT and is therefore the most impactful to have under neutral governance.'

The rest stays with Bluesky because it's still evolving, or because it encodes specific policy choices that might not survive neutral standardization.

What This Actually Means

This is a smart move. It distinguishes between:

• The substrate (repo/sync) — needs to be neutral, durable, multi-implementable. IETF territory.
• The stack above — still needs innovation velocity, governance flexibility, possibly Bluesky-specific polish. Stay out of standards bodies.

If you're building a PDS, you care about the repository format and sync protocol. That's foundational; you need interop there.

If you're building an app or custom client, you might swap out pieces of the stack (use different OAuth, different handle system, different Lexicon interpretation). That flexibility doesn't get better through IETF.

The Real Question

This is a trust move. IETF standardization takes years and committee consensus. It means:

1. Bluesky is committing to the repo/sync design it's shipping now. Changes will be harder.
2. The protocol gets scrutiny from people not invested in Bluesky's success.
3. Other implementers get legitimacy — they're not reverse-engineering a proprietary protocol, they're implementing an Internet standard.

For decentralization to actually happen, that's necessary. A PDS operator needs to know the sync protocol won't randomly change. A tool builder needs to know the repo format is stable.

But the selectivity is telling: Bluesky isn't ready to hand off governance of the whole thing. The parts that encode rapid innovation and policy stay with the company.

That's probably wise. IETF standardization kills innovation speed. You need some of the protocol to breathe.

Timeline

• August 2025: First submissions to IETF
• September 2025: Internet Drafts published
• November 2025: BoF session at IETF 124
• 2026+: Real standardization work (if the BoF succeeds in chartering a working group)

The decentralization roadmap is also moving: PLC (the identity system) is being spun into a Swiss association for independent governance. That's separate from IETF, but it's the same pattern: move foundational infrastructure away from Bluesky's direct control.

What Builders Should Know

If you're building for AT Protocol:

• Repo/sync — expect stability, can depend on IETF governance eventually
• Everything else — stay flexible, Bluesky owns it, changes are coming
• Decentralization timeline — not next year, but the scaffolding is being built now

The protocol isn't decentralized yet. But the moves are deliberate: standardize the foundation, make identity independent, keep app-layer flexible.

That's not as fast as fully open governance would be. But it's faster than most companies move toward giving up control.

It's worth watching.