You created a Bluesky app password to log into a third-party client like Skeetdeck, Graysky, or a custom bot, but the login fails with an authentication error. This usually happens because the app password was generated incorrectly, the third-party client expects the main account password, or the app password has been revoked. This article explains why app passwords fail for third-party clients and provides the exact steps to fix the issue quickly.
Key Takeaways: Fixing Bluesky App Password Authentication Failures
- Settings > App Passwords > Add App Password: Generate a new app password with a descriptive name for each third-party client.
- Copy the password immediately: Bluesky shows the password only once; you must paste it into the third-party client before closing the window.
- Revoke and re-create: If the password fails, delete the old app password from Settings and generate a fresh one.
Why an App Password Fails to Authenticate in a Third-Party Client
Bluesky uses app passwords as single-use tokens that grant limited access to your account. Unlike your main account password, an app password cannot change account settings or access two-factor authentication flows. When a third-party client rejects the app password, one of three things is wrong:
First, the app password was never generated correctly. Users sometimes type their main account password into the third-party client instead of generating a dedicated app password. Second, the app password was generated but the user did not copy and save it before closing the dialog. Bluesky shows the password only once. Third, the app password was revoked by the user or expired due to a security reset. Resetting your account password invalidates all existing app passwords.
Third-party clients that use the Bluesky API with the com.atproto.server.createSession endpoint require the app password as the password field. If the client sends the main account password, the server rejects it because the main password is not allowed for OAuth-style token authentication. The fix is always to generate a fresh app password and enter it exactly as shown.
Steps to Generate and Use a Working App Password
- Open Bluesky Settings
Log into your Bluesky account on the web or in the official app. Click your profile icon in the top-right corner and select Settings from the dropdown menu. - Go to App Passwords
In the Settings menu, scroll down to the Privacy and Security section. Click App Passwords. If you use the mobile app, tap Settings then App Passwords. - Add a New App Password
Click or tap the Add App Password button. A dialog box appears asking for a name. Type a descriptive name such as Skeetdeck or Graysky Client. This name helps you identify which client uses this password. - Copy the Generated Password
Bluesky generates a string of random characters. Click the Copy button or manually select and copy the password. Paste it into a temporary text file or password manager. Do not close the dialog until you have pasted the password into the third-party client. - Enter the App Password in the Third-Party Client
Open the third-party client. In the login screen, enter your Bluesky handle or email address as the username. In the password field, paste the app password you copied in the previous step. Do not use your main account password. - Save and Test the Login
Click the login or sign-in button. The client should connect to Bluesky immediately. If it fails, double-check that you pasted the full app password without extra spaces. If the error persists, repeat steps 1 through 5 with a fresh app password.
If Bluesky Still Rejects the App Password After Regeneration
The app password was revoked by a password reset
If you recently changed your main Bluesky password, all existing app passwords are automatically revoked. You must generate a new app password for every third-party client. Go to Settings > App Passwords, delete any old passwords, and create new ones following the steps above.
The third-party client uses an outdated API endpoint
Some older third-party clients still use the com.atproto.server.createAccount endpoint for login, which expects the main account password. Check the client documentation for updates. If the client is no longer maintained, switch to a supported client such as Skeetdeck or the official Bluesky app.
The app password contains characters that the client strips
Bluesky app passwords include mixed-case letters, numbers, and special characters. Some third-party clients trim spaces or strip certain characters during paste. Manually type the app password into the client field instead of pasting. If the password has a hyphen or underscore, ensure the client accepts those characters.
Two-factor authentication is enabled
Bluesky does not yet support two-factor authentication for third-party clients. If you have 2FA enabled on your account, app passwords still work because they bypass the 2FA requirement. If the client asks for a 2FA code, you are using the main account password instead of the app password. Generate a fresh app password and use only that.
| Item | App Password | Main Account Password |
|---|---|---|
| Purpose | Single-use token for third-party clients | Full account access and security settings |
| Regeneration after reset | Must create new password after main password change | Changed directly by user |
| Visibility | Shown once at creation | Always known to user |
| Revocable individually | Yes, from Settings > App Passwords | No, only by changing the password |
| Works with 2FA | Yes, bypasses 2FA | No, requires 2FA code |
You can now generate a working app password and log into any Bluesky third-party client without authentication errors. If the problem returns, revoke the old password and create a fresh one from Settings > App Passwords. For advanced security, use a password manager to store each app password and label it with the client name so you can revoke it individually if a client is compromised.