Bluesky
App-password login over the AT Protocol (com.atproto.server.createSession). The connect endpoint is POST /api/v1/social/bluesky/connect — not OAuth, no callback. Sosyabot stores { identifier, appPassword } and calls createSession per post.
Authentication at a glance
| Field | Value |
|---|---|
| Auth model | App password |
| Required ENV | BLUESKY_SERVICE_URL |
| Callback URL | ${BASE_URL}(no callback — direct credentials POST) |
| Scopes / permissions | app password (created at bsky.app/settings/app-passwords) |
| Auto token refresh | No — manual reconnect on expiry |
ENV details
BLUESKY_SERVICE_URL defaults to https://bsky.social. Override only if you run a self-hosted PDS.
How to connect
- Create an app password at bsky.app/settings/app-passwords.
- Open Connections → Bluesky → Connect.
- Paste your handle (e.g.
you.bsky.social) and the app password.
Token refresh
AT Protocol JWTs are short-lived but Sosyabot doesn't store them — every post starts a fresh session from the stored identifier + app password.
Notes
- Use a dedicated app password — not the main account password. Revoke at any time from
bsky.app/settings/app-passwords. - The connection record carries
login_type: 2to indicate non-standard auth. - If you rotate the app password, reconnect from the Connections UI; Sosyabot re-tests
createSessionbefore persisting.
Troubleshooting
If the channel shows needs_reconnect, the access token was rejected by Bluesky. Common causes:
- The user revoked Sosyabot's authorization on the platform.
- The platform invalidated the token (password change, security event).
- Your OAuth app credentials rotated and the existing tokens no longer match.
Re-run the connect flow above. See Troubleshooting for the workspace-wide checklist.