The Core Innovation
Traditional object capability systems assume a controlled runtime. Possession of an unforgeable reference is sufficient authorization — if you hold it, you can use it. This works in closed systems where the runtime mediates all access.
In an open decentralized protocol like ATProto, this assumption breaks. Anyone can read records, build clients, and attempt to use references. A leaked raw reference is indistinguishable from a legitimately delegated one. Possession alone is insufficient.
The innovation is requiring a valid delegation chain as part of capability validation. Not just "do you hold this reference?" but "can you prove you received this reference through a legitimate chain of delegation?"
The Mechanism
Signed references. Every capability record is signed by the issuing party. Attribution is cryptographically enforced, not just conventional.
Encrypted payloads. Alice encrypts the capability meant for Bob with Bob's public key. Only Bob can decrypt it. The reference is cryptographically bound to its intended recipient.
Chain requirement. To use a capability, you must present the full delegation chain — every signed, encrypted link from the root to your receipt. A leaked raw reference is useless without the chain. Carol can't use what Bob leaked because she can't produce a valid chain showing legitimate receipt.
Root record anchoring. Every delegation chain traces back to a root record on the issuing party's PDS. The issuer controls their PDS. Deleting the root record invalidates the entire downstream tree instantly — no revocation list, no coordination, no notification required. Just a 404.
Fractal accountability. Each party in the chain is accountable upward to whoever granted them access, and authoritative downward over whoever they delegated to. Bob is accountable to Alice. Carol is accountable to Bob. Governance happens as close to the terrain as possible. The root deletion is the nuclear option, rarely needed because the social incentive structure prevents abuse before it happens.
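A worked version of the mechanism above, added here as an illustration; it is not code from the original page or from any ATProto project. It assumes one Ed25519 signing key per party (the key a DID document would publish), uses constructed DIDs and a constructed record URI, and models the issuer's PDS as an in-memory map so that deleting the map entry is the 404 described above. One deliberate simplification: instead of encrypting each link to the recipient's public key, the holder proves it is the party the last hop names by signing the request with that party's key. The binding of the reference to its intended recipient is the same in spirit; only the cryptographic means differs. Go standard library only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Party is one identity with the signing key its DID document would publish (assumption: one key per party).
type Party struct {
	DID  string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(did string) *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{did, pub, priv}
}

// Link is one delegation hop: Grantor signs that Recipient received the capability
// rooted at RootURI, so attribution is cryptographic rather than conventional.
type Link struct {
	RootURI, Grantor, Recipient string
	Sig                         []byte
}

func (l *Link) payload() []byte { return []byte(l.RootURI + "|" + l.Grantor + "|" + l.Recipient) }
func Delegate(grantor *Party, rootURI string, to *Party) *Link {
	l := &Link{RootURI: rootURI, Grantor: grantor.DID, Recipient: to.DID}
	l.Sig = ed25519.Sign(grantor.priv, l.payload())
	return l
}

// Request is what a holder presents: the full chain plus a signature by the key of the
// party the last hop names (proof of possession standing in for encryption-to-recipient).
type Request struct {
	RootURI, Action, By string
	Chain               []*Link
	Sig                 []byte
}

func (r *Request) payload() []byte { return []byte(r.RootURI + "|" + r.Action + "|" + r.By) }
func MakeRequest(holder *Party, rootURI, action string, chain []*Link) *Request {
	r := &Request{RootURI: rootURI, Action: action, By: holder.DID, Chain: chain}
	r.Sig = ed25519.Sign(holder.priv, r.payload())
	return r
}

// Verify is the resource server's check. pds maps a root record URI to its issuer's DID
// and stands in for fetching the record from the issuer's PDS; a missing entry is the 404.
func Verify(pds map[string]string, dids map[string]*Party, r *Request) error {
	issuer, ok := pds[r.RootURI]
	if !ok {
		return errors.New("root record missing (404): capability revoked")
	}
	prev := issuer // the root issuer is the first legitimate holder
	for i, l := range r.Chain {
		g := dids[l.Grantor]
		if g == nil || l.RootURI != r.RootURI || l.Grantor != prev {
			return fmt.Errorf("hop %d: %s cannot show legitimate receipt", i, l.Grantor)
		}
		if !ed25519.Verify(g.pub, l.payload(), l.Sig) {
			return fmt.Errorf("hop %d: signature is not %s's", i, l.Grantor)
		}
		prev = l.Recipient
	}
	by := dids[r.By]
	if by == nil || prev != r.By || !ed25519.Verify(by.pub, r.payload(), r.Sig) {
		return errors.New("presenter is not the final recipient of this chain")
	}
	return nil
}

// Demo runs Alice -> Bob -> Carol, then a leaked chain, a forged hop, and root deletion.
func Demo() (legit, leaked, forged, revoked error) {
	alice, bob := NewParty("did:example:alice"), NewParty("did:example:bob")
	carol, mallory := NewParty("did:example:carol"), NewParty("did:example:mallory")
	dids := map[string]*Party{alice.DID: alice, bob.DID: bob, carol.DID: carol, mallory.DID: mallory}
	uri := "at://did:example:alice/app.example.capability/photos" // constructed root record URI
	pds := map[string]string{uri: alice.DID}                     // Alice publishes the root
	chain := []*Link{Delegate(alice, uri, bob), Delegate(bob, uri, carol)}
	legit = Verify(pds, dids, MakeRequest(carol, uri, "read", chain))
	// Mallory has read the whole chain (records are public) but is not its final recipient.
	leaked = Verify(pds, dids, MakeRequest(mallory, uri, "read", chain))
	// A hop appended in Bob's name fails because only Bob's key could have signed it.
	fake := &Link{RootURI: uri, Grantor: bob.DID, Recipient: mallory.DID}
	fake.Sig = ed25519.Sign(mallory.priv, fake.payload())
	forged = Verify(pds, dids, MakeRequest(mallory, uri, "read", []*Link{chain[0], fake}))
	delete(pds, uri) // Alice deletes the root record: the whole tree dies, no list needed
	revoked = Verify(pds, dids, MakeRequest(carol, uri, "read", chain))
	return
}

func main() {
	legit, leaked, forged, revoked := Demo()
	fmt.Println("legit:", legit, "\nleaked:", leaked, "\nforged:", forged, "\nrevoked:", revoked)
}
```

The checks run in the order a server would want them: root present first, then each hop's signature and continuity (the grantor of every hop must be the recipient of the one before it, starting from the root issuer), then the presenter's proof of possession. The chain itself can be public, as the leaked case shows: holding it gives Mallory nothing, and appending a hop in Bob's name fails on Bob's signature. An empty chain presented by the issuer verifies too, which is the base case of the accountability structure.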
Why It's Novel
Traditional ocap theory produces the capability leakage problem precisely because possession is sufficient authorization. The chain requirement closes that attack surface without abandoning the ocap model. It extends ocaps to open decentralized protocols where the runtime cannot be trusted to mediate all access.
ATProto's existing infrastructure makes this natural. Public keys live in DID documents. Records are cryptographically signed by their authors. Deletion is sovereign — each party controls their own PDS. The capability chain system is built from primitives ATProto already provides.
The Social Contract
The system encodes the social reality of trust. Delegation is vouching. If you share with someone who abuses that access, you are accountable for the introduction. The protocol makes that accountability concrete and unavoidable.
If I share with you, you may share further. But if that bites me later, I'll bite you.
Properties
No ACLs at any layer
No revocation lists
No central administrator
No coordination required for revocation
Leakage is cryptographically prevented, not just socially discouraged
Delegation chains are fully legible and auditable
Fractal katocratic governance — authority flows downward, accountability flows upward, decisions made as close to the terrain as possible