Mastodon (social network)


Mastodon is a free and open-source software platform for decentralized social networking with microblogging features similar to Twitter. It operates as a federated network of independently managed servers that communicate using the ActivityPub protocol, allowing users to connect across different instances within the Fediverse. Each Mastodon instance establishes its own moderation policies and content guidelines, distinguishing it from centrally controlled social media platforms.
First released in 2016 by Eugen Rochko, Mastodon has positioned itself as an alternative to mainstream social media, particularly for users seeking decentralized, community-driven spaces. The platform has experienced multiple surges in adoption, most notably following the acquisition of Twitter by Elon Musk in 2022, as users sought alternatives to that platform. It is part of a broader shift toward decentralized social networks, including Bluesky and Lemmy.
Mastodon emphasizes user privacy and moderation flexibility, offering features such as granular post visibility controls, content warning options, and local community-driven moderation. The software is written in Ruby on Rails and Node.js, with a web interface built using React and Redux. It is interoperable with other ActivityPub-based platforms, such as Threads, and supports various third-party applications on desktop and mobile devices.

Functionality

Users post short-form status messages, historically known as "toots", for others to see and interact with.
On a standard Mastodon instance, these messages can include up to 500 text-based characters, greater than Twitter's 280-character limit. Some instances support even longer messages. Images, audio files, videos or polls can also be added to a message.
Users join a specific Mastodon server, rather than a single centralized website or application. The servers are connected as nodes in a network, and each server can administer its own rules, account privileges, and whether to share messages to and from other servers. Users can communicate and follow each other across connected Mastodon servers with usernames similar in format to full email addresses.
Since version 2.9.0, Mastodon's web user interface has offered a single-column mode for new users by default. In advanced mode, the interface approximates the microblogging interface of TweetDeck.

Privacy

Mastodon includes a number of specific privacy features. Each message has a variety of privacy options available, and users can choose whether the message is public or private.
Messages can be displayed publicly on a global feed, known as a timeline, or can be shared only with the user's followers. Messages can also be marked as unlisted from timelines or as direct between users. Users can also mark their accounts as completely private.
In the timeline, messages can display with an optional content warning feature, which requires readers to click on the hidden main body of the message to reveal it.
Mastodon servers have used this feature to hide spoilers, trigger warnings, and not-safe-for-work content, though some accounts use the feature to hide links and thoughts others might not want to read.
Mastodon aggregates messages in local and federated timelines in real time. The local timeline shows messages from users on a single server, while the federated timeline shows messages across all participating Mastodon servers.

Content moderation

In early 2017, journalists like Sarah Jeong distinguished Mastodon from Twitter for its approach to combating harassment.
Mastodon uses community-based moderation, in which each server can limit or filter out undesirable types of content, while Twitter uses a single, global policy on content moderation. Servers can choose to limit or filter out messages with disparaging content.
The founder of Mastodon, Eugen Rochko, believes that small, closely related communities deal with unwanted behavior more effectively than a large company's small safety team.
In Move Slowly and Build Bridges, Robert W. Gehl argues that predominantly white participation has shaped Mastodon in ways that affect how reports of racism are received and limit its ability to replicate Black Twitter on Twitter.
Users can also block and report others to administrators, much like on Twitter.
Instance administrators can block other instances from interacting with their own, an action called defederation. By posting toots hashtagged with #fediblock, some instance administrators and users alert others to issues requiring moderation.

Searching

By default, Mastodon allows searching for hashtags and mentioned accounts in the Fediverse. Server administrators can optionally enable Elasticsearch to search the full text of public posts that have opted in to being indexed.

Versions

In September 2018, with the release of version 2.5 with redesigned public profile pages, Mastodon marked its 100th release.
Mastodon 2.6 was released in October 2018, introducing the possibilities of verified profiles and live, in-stream link previews for images and videos.
Version 2.7, released in January 2019, made it possible to search for multiple hashtags at once instead of just a single hashtag. It also brought more robust moderation capabilities for server administrators and moderators and improved accessibility, such as contrast for users with sight issues.
The ability for users to create and vote in polls, as well as a new invitation system to manage registrations, was integrated in April 2019.
Mastodon 2.8.1, released in May 2019, made images with content warnings blurred instead of completely hidden.
In version 2.9 in June 2019, an optional single-column view was added. This view became the default displayed to new users, with a user "preferences" option to switch to a multiple-column-based view.
In August 2020, Mastodon 3.2 was released. It included a redesigned audio player with custom thumbnails and the ability to add personal notes to one's profile.
In July 2021, an official client for iOS devices was released. According to the project's then-CEO, Eugen Rochko, the release was part of an effort to attract new users.
Mastodon 4.0 was released in November 2022, including language support for translating posts, editing posts and following hashtags.
Mastodon 4.5 was released in November 2025. Among other features, it introduced quote posts, which had previously been rejected due to concerns about toxicity and harassment. To mitigate these issues, Mastodon's quote post feature has been designed in a way that lets users decide if and by whom their posts can be quoted.

Software

Mastodon is published as free and open-source software under the Affero GPL license, allowing anyone to use the software or modify it as they wish.
Servers can be run by any individual or organization, and users can join these servers as they wish.
The server software itself is powered by Ruby on Rails and Node.js, with its web client being written in React.js and Redux.
The only database software supported is PostgreSQL, with Redis being used for job processing and various actions that Mastodon needs to process.
The service is interoperable with the fediverse, a collection of social networking services which use the ActivityPub protocol for communication between each other, with previous versions containing support for OStatus.
Client apps for interacting with the Mastodon API are available for desktop computer operating systems, including Windows, macOS and the Linux family of operating systems, as well as mobile phones running iOS and Android. The API is open for anyone to utilize, allowing clients to be built for any operating system that can connect to the internet.

Integration with Fediverse

Mastodon uses the ActivityPub protocol for federation; this allows users to communicate between independent Mastodon instances and other ActivityPub compatible services. Thus, Mastodon is generally considered to be a part of the Fediverse.
Services utilizing the ActivityPub protocol exist which allow for searching all posts on all instances, as long as users opt in.
For similar reasons, only hashtags can appear in a Mastodon instance's trending topics, not arbitrary popular words. Trending topics vary between instances, since individual instances are aware of different subsets of posts from the whole fediverse.

Security concerns

While Mastodon's decentralized structure is one of its most distinctive features, it also poses additional security challenges.
Since many Mastodon instances are run by volunteers, some security experts are concerned about data security and responsiveness to new threats and vulnerabilities across the network, considering the difficulty of configuring and maintaining an instance as well as uneven skill levels among administrators.
Administrators of an instance also have access to the private information of any users who are either registered with that instance or have federated private content to it, so a malicious administrator of either a local or a remote instance can read private posts and direct messages if they have been stored in the instance's database.
Configuration errors and security bugs in server implementations have led to user data being either scraped or modified by attackers. Mastodon also collects considerably less personal data than other social media platforms, which makes it a lower-value target and reduces potential damage. The creator of Mastodon, Eugen Rochko, argues that these issues do not set it apart from other software products that can be hosted by non-professionals.

Previous issues

In 2023, the Mozilla Foundation contracted cybersecurity firm Cure53 to perform penetration testing on the Mastodon software, in preparation for establishing an instance for the Mozilla community. The testing discovered several vulnerabilities, including one called "TootRoot" that would have enabled arbitrary code execution and another that would have enabled cross-site scripting attacks through oEmbed cards. These vulnerabilities were patched in July 2023.
Mastodon has been the main suspect in an issue regarding the generation of OpenGraph link previews: the preview data for a link is not cached with the post and transmitted to other instances. Instead, many instances automatically fetch the preview data as soon as they receive the post, creating an accidental DDoS attack that can temporarily increase the load on a victim's server. A fix to add federation for link previews was planned for 4.3, but has since been delayed to Mastodon 4.4.
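
On the receiving site, the link-preview fetch pattern described above shows up in the access log as many distinct instances requesting the same URL within seconds. The following is an added example, not code from Mastodon or from this article; it assumes a combined-style access log and fetchers whose User-Agent carries `Mastodon/<version>` and a `+https://<instance>/` URL, and the log lines, the `find_stampedes` name and its thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (documentation IPs, made-up instance names).
SAMPLE_LOG = """\
203.0.113.1 - - [12/Mar/2024:10:00:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mastodon/4.2.0 (http.rb/5.1.1; +https://a.example/)"
203.0.113.2 - - [12/Mar/2024:10:00:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mastodon/4.2.0 (http.rb/5.1.1; +https://b.example/)"
203.0.113.1 - - [12/Mar/2024:10:00:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mastodon/4.2.0 (http.rb/5.1.1; +https://a.example/)"
203.0.113.3 - - [12/Mar/2024:10:00:04 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mastodon/4.1.0 (http.rb/5.1.1; +https://c.example/)"
203.0.113.4 - - [12/Mar/2024:10:00:07 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mastodon/4.2.0 (http.rb/5.1.1; +https://d.example/)"
198.51.100.9 - - [12/Mar/2024:10:00:09 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.2 - - [12/Mar/2024:10:00:30 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mastodon/4.2.0 (http.rb/5.1.1; +https://b.example/)"
203.0.113.5 - - [12/Mar/2024:10:05:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mastodon/4.2.0 (http.rb/5.1.1; +https://e.example/)"
"""

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumption: fetchers send a User-Agent with "Mastodon/<version>" and a "+https://<instance>/" URL.
FEDI_UA_RE = re.compile(r'Mastodon/[\d.]+.*\+https?://(?P<instance>[^/)\s]+)')

def parse(log_text):
    """Yield (timestamp, path, instance) for requests made by fediverse fetchers."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        ua = FEDI_UA_RE.search(m["ua"]) if m else None
        if ua:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["path"], ua["instance"]

def find_stampedes(log_text, window=timedelta(seconds=60), min_instances=4):
    """Return {path: peak distinct-instance count} for paths reaching min_instances in one window."""
    by_path = defaultdict(list)
    for ts, path, instance in parse(log_text):
        by_path[path].append((ts, instance))
    flagged = {}
    for path, hits in by_path.items():
        hits.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window start forward
                start += 1
            peak = max(peak, len({inst for _, inst in hits[start:end + 1]}))
        if peak >= min_instances:
            flagged[path] = peak
    return flagged

if __name__ == "__main__":
    print(find_stampedes(SAMPLE_LOG))
```

Repeat fetches from one instance and ordinary browser requests do not raise the count, so the result reflects how widely a post has federated rather than raw request volume.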