App Passwords

An App Password is an authentication method for third-party apps to sign in to a user's account via their PDS and create a session. It only grants third-party apps read-write access to resources like posts, likes, and follows, while not disclosing more sensitive data like a user's email address, password, or (by default) direct messages.

App Passwords were introduced in April 2023 as “a short-term solution for authentication” until better and more granular authentication methods are available.^[1] Despite the introduction of OAuth authentication in September 2024,^[2] they remain a core part of the user experience of using third-party apps.

Following the introduction of direct messages to Bluesky in May 2024, Bluesky added an option to allow sessions created through app passwords to also access direct messages.^[3]

References[edit | edit source]

↑ "The AT Protocol Developer Ecosystem". Bluesky. Retrieved March 12, 2025.
↑ "OAuth for AT Protocol". Bluesky. Retrieved March 12, 2025.
↑ mary [@mary.my.id] (May 24, 2024). "OTA update has been pushed and you can now make app passwords with access to direct messages". (Post) – via Bluesky.

[1] "The AT Protocol Developer Ecosystem". Bluesky. Retrieved March 12, 2025.

[2] "OAuth for AT Protocol". Bluesky. Retrieved March 12, 2025.

[3] ry [@mary.my.id] (May 24, 2024). "OTA update has been pushed and you can now make app passwords with access to direct messages". (Post) – via Bluesky.

[1]

[2]

[3]