Adding user safety through Authorized Fetch on Mastodon

This is a bit technical, but there’s a little-known feature on Mastodon called “Authorized Fetch”, aka “Secure Mode”. By default it is switched off as it uses more resources and can cause compatibility problems with servers running older software.

When it is switched on, it makes all blocks more effective, including both server-level and user-level blocks. This empowers users to fight abusers and trolls more effectively, and makes the server’s own blocks more powerful too.

Which kind of posts does this affect? Can abusers see followers-only or mentions-only posts?

Posts using follower-only or mentions-only visibilities are already protected from unauthorised interaction. Authorized Fetch only makes a difference on public or unlisted posts. If you never use public or unlisted posts, you don’t need Authorized Fetch.

Please see the post visibility guide for all the kinds of visibilities that a post can be, and how to set your defaults.

I am a server admin, how do I find out more about this?

There’s an official technical description of Authorized Fetch here ⧉ and a detailed unofficial article here ⧉ which might be useful.

How to activate Authorized Fetch on Mastodon

Only server admins can activate it, so if you’re not an admin you’ll need to contact your server’s admin and ask them to do this.

The latest version of Mastodon includes controls in the graphical interface for activating it:

  1. The admin should sign onto the Mastodon server’s website or web app using their admin account
  2. Click ⚙️ Preferences
  3. Click Administration (on the left of the screen or in ☰ on the mobile site)
  4. Click Server Settings
  5. Click the Discovery tab at the top
  6. Tick the box marked Require authentication from federated servers
  7. Click Save changes

On some managed hosting services this option may be greyed out. If so, ask the managed hosting company to switch it on for you.

Why isn’t this on by default?

Authorized Fetch uses more server resources as the server has to do a lot more checks for each post to prevent unauthorised interactions. However, the costs of these extra resources may be worth it for the extra level of user safety the feature brings.

I heard this causes compatibility problems and consumes massive amounts of resources?

No, not nowadays. It consumes more resources, but not a huge amount more. There also don’t seem to be compatibility problems any more, as software has been updated to take account of servers with this option activated.

Does this stop website scraping?

No, nothing can stop scraping of public posts on a public website. However, scraping a website and copying its contents is not the same thing as interacting directly with a thread on a social network.

Compatibility with other Fediverse servers

Authorized Fetch is an official feature of Mastodon and it should work fine when federating with servers that are running Mastodon 3.0.0 or higher. It should also work with GoToSocial (which uses Authorized Fetch by default), Pixelfed, PeerTube and most other Fediverse server types.

↩ Back to the front page