I haven't worked with Fedify before, but what I'm talking about is the difference between a service that has a "translation layer" between their own internal data model and ActivityPub, and a server that actually stores full ActivityPub object's in the user's inbox and outbox, and displays them unchanged to clients. 90% of deployed ActivityPub applications—like yours!—are the former, not the latter.

A true "ActivityPub server" is almost as simple as a Bluesky PDS—all it's responsible for is 1) storing blobs of data, 2) fanning out subscriptions and 3) collecting incoming data for you to view. In the original way ActivityPub was designed, all of the actual data presentation layers—Mastodon, PeerTube, Pixelfed—were designed to be specialized clients that could communicate with the user's generic server. However, the first popular implementations cut out the client-to-server part of the protocol, so now we're stuck in a place where everyone thinks ActivityPub means you need a separate identity for every client application.

So, what I would recommend for your own username/password site is implementing an ActivityPub client, and recommending that users use it to connect to a third-party ActivityPub server. That way, the user owns the data, and they simply use your service to get access to (filtered version of) it.

Unfortunately, since this is a less implemented part of the protocol, the client APIs necessary to make this a reality haven't seen much development. And you're facing an uphill battle for user adoption. In practice, users don't seem to mind having separate accounts and identities for different clients. It reminds me a bit of the "key management problem" in e2e cryptography. Having a stable cryptographic identity is doable if you're technically minded, but most people just muddle along and don't really care about it that much—they create new keys every time they get a new laptop instead of trying to figure out cross-signing, and everything works itself out more or less fine.

I mess around with fedify a lot, it's great. It's fun to integrate with existing websites.

I've thought a lot about ATProto and integrating it in similar ways. I'd love to have a look at what you're doing and how. The struggle I have is that I think the ATProto repos have a fairly strong cryptographic structure compared to AP

If someone requests an object over AP, that object contents can come from anywhere easily, and can be signed easy. So for me, when someone requests an activitypub object of one of my notes via fedify, it just reads the truth from my markdown note files and returns it. If I edit my markdown files, it's no real issue, the next request gets the latest version of that markdown (there's some signing nuances in places, but it's generally straightforward)

With ATProto PDS and repositories use things like Merkle Search Trees and other things which I assume means the backend data needs to be a lot more... consistent. Like the data has to live in the PDS, and that has to become the source of truth to maintain the merkle structures, including updates.

But with AP via fedify, it feels super easy and nice for my source of truth to be whatever backend store I like (markdown notes).

I've done enough with crypto to see the benefits provided by the transparent verifiable history of merkle like structures, but honestly, this is social media not cash: I don't care if someone wants to subtly change something to manage how they come across with their own social media. In that respect, I feel the ATProto repositories overcomplicate things a bit.

What's the username/password application in this context?