Decentralized Identifier — the permanent identifier of an AT Protocol account that all databases key on. Handles and PDS assignments can change, but the DID cannot. Maps to a DID document (public JSON) listing handles, cryptography, and the server-assigned PDS endpoint. Two types in use: did:plc (by far the most common, served by the central PLC directory) and did:web (identity looked up on a well-known file of a domain; rarely used because losing the domain loses the account).