Mastodon - User Discovery and Verification via Email, the Easy Way
Published 11/15/2022
This is going to be a short blog entry because it’s simple: Mastodon is fantastic, but discovering and verifying users is a pain (as with most social networks). The best solution most people have landed on is scraping their Twitter account followers/following for profiles with Mastodon IDs like @kurtseifried@mastodon.social.
But what if there was an easier way? Some way that leveraged well-known, trustworthy identifiers, especially for corporations and other large organizations?
Email addresses come to mind as the obvious solution. When you have to contact someone, what do you generally use? Email. For companies and other organizations, what's the easiest way to prove you're associated with them? An email address @domain-name.tld.
Well, I have good news for you. Mastodon servers and clients support the Webfinger protocol, which means you can simply set up a Webfinger server (CSA has released a Node.js one) and answer queries.
You can also redirect the Webfinger queries, as long as they are served over HTTPS. So you can, for example, redirect https://domain-name.tld/.well-known/webfinger to https://webfinger.domain-name.tld/ or https://some.cloud.host.function.tld/a/long/path/name, and the client will happily follow it and send the query string.
Also, I lied, you don’t even have to set up a server, you can just use a Cloudflare worker (CSA has released one):
You then simply add a map of email addresses to Mastodon IDs and that’s it. It just works. If you have any questions feel free to toot at us at @cloudsecurityalliance@cloudsecurityalliance.org or contact us through the usual channels.
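The map-and-answer logic described above, as an added sketch that is not CSA's released server or worker code. The sample address, the function names and the `/@user` and `/users/user` URL layout (Mastodon's standard one) are assumptions.

```javascript
// Constructed sample data: the organization's domain and its address-to-handle map.
const ORG_DOMAIN = "domain-name.tld"; // placeholder domain used on this page
const ACCOUNTS = new Map([
  ["kurt@domain-name.tld", "kurtseifried@mastodon.social"], // constructed entry
]);

// Build the JSON Resource Descriptor (RFC 7033) that points at the Mastodon account.
// Assumes the target instance uses Mastodon's standard URL layout.
function buildJrd(handle) {
  const [user, host] = handle.split("@");
  return {
    subject: `acct:${handle}`,
    aliases: [`https://${host}/@${user}`, `https://${host}/users/${user}`],
    links: [
      { rel: "http://webfinger.net/rel/profile-page", type: "text/html",
        href: `https://${host}/@${user}` },
      { rel: "self", type: "application/activity+json",
        href: `https://${host}/users/${user}` },
    ],
  };
}

// Answer one WebFinger query. Returns { status, headers, body }.
// The path is not checked, so this also works behind the HTTPS redirect described above.
function webfinger(requestUrl) {
  const resource = new URL(requestUrl).searchParams.get("resource");
  // RFC 7033: a request without a resource parameter is a 400.
  if (!resource) return { status: 400, headers: {}, body: "" };
  // Only acct: URIs are mapped here; any other scheme is simply not found.
  if (!resource.toLowerCase().startsWith("acct:")) return { status: 404, headers: {}, body: "" };
  const addr = resource.slice(5).toLowerCase();
  // Only vouch for addresses in our own domain, even if the map is misconfigured.
  const handle = addr.endsWith("@" + ORG_DOMAIN) ? ACCOUNTS.get(addr) : undefined;
  if (!handle) return { status: 404, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/jrd+json", "Access-Control-Allow-Origin": "*" },
    body: JSON.stringify(buildJrd(handle)),
  };
}
```

Every 200 response confirms that an address exists, so the map should hold only addresses the organization is content to publish.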
Here are some Twitter account scrapers (note that they require read access to your account). They can both export a CSV that Mastodon can import: