An App Password is an authentication method that lets third-party apps sign in to a user's account via their PDS and create a session. It grants those apps read-write access only to resources such as posts, likes, and follows, and does not disclose more sensitive data such as the user's email address, password, or (by default) direct messages.
App Passwords were introduced in April 2023 as “a short-term solution for authentication” until better and more granular authentication methods are available. Despite the introduction of OAuth authentication in September 2024, they remain a core part of the user experience of using third-party apps.
Following the introduction of direct messages to Bluesky in May 2024, Bluesky added an option to allow sessions created through App Passwords to also access direct messages.
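The following is an added example, not part of the original page or of any project's code: a client-side check that reads the `scope` claim of a session's access token to tell whether the session came from an App Password and whether the direct-message option was enabled. It assumes the access token is a JWT carrying the scope names used by the reference PDS implementation (`com.atproto.access`, `com.atproto.appPass`, `com.atproto.appPassPrivileged`); the sample tokens and the `did:example:alice` subject are constructed.

```python
import base64
import json

# "scope" claim values in access tokens issued by the reference PDS
# (assumption: these names are not given on this page).
SCOPES = {
    "com.atproto.access": ("main password", True),
    "com.atproto.appPass": ("app password", False),
    "com.atproto.appPassPrivileged": ("app password", True),
}


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature.

    Good enough for a client-side sanity check; the PDS is what enforces scope.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_session(access_jwt: str) -> dict:
    """Report which credential type created the session and whether it can read DMs."""
    scope = jwt_claims(access_jwt).get("scope")
    if scope not in SCOPES:
        raise ValueError(f"unexpected scope: {scope!r}")
    credential, dm_access = SCOPES[scope]
    return {"credential": credential, "dm_access": dm_access}


def constructed_token(scope: str) -> str:
    """Build an unsigned sample token (constructed, stands in for a real accessJwt)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scope": scope, "sub": "did:example:alice"}), "x"])


if __name__ == "__main__":
    for s in SCOPES:
        print(s, "->", classify_session(constructed_token(s)))
```

A third-party app can use a check like this to warn a user who has signed in with their main password instead of an App Password.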