You are using a third-party Bluesky client such as Graze, Skeets, or a custom web app. Suddenly the app stops working and shows a “Token Expired” error. Every time you log in again, the same error appears after a few minutes or hours. This loop makes the client unusable.
The root cause is a mismatch between how Bluesky issues authentication tokens and how third-party clients store or refresh them. Bluesky uses short-lived access tokens for security, and some clients fail to handle the refresh process correctly.
This article explains why the token expiration loop happens and provides three reliable fixes. You will learn how to revoke old sessions, update client settings, or switch to a more compatible app.
Key Takeaways: Breaking the Bluesky Token Expired Loop
- Bluesky Web > Settings > App Passwords: Create a dedicated app password for third-party clients to avoid session conflicts.
- Client Settings > Clear Cache: Wipes stale token data that forces repeated login prompts.
- Switch to an Official Client: The Bluesky iOS, Android, or web app handles token refresh automatically without looping.
Why Bluesky Tokens Expire in Third-Party Clients
Bluesky authentication uses two types of tokens: an access token and a refresh token. The access token is valid for about two hours. The refresh token lasts longer and is used to get a new access token without asking the user to log in again.
Third-party clients must correctly handle this refresh cycle. Many clients do not store the refresh token securely or fail to call the refresh endpoint before the access token expires. When the client tries to use an expired access token, Bluesky returns a “Token Expired” error. The client then prompts for login again, creating an infinite loop.
Another common cause is session conflicts. If you have multiple active sessions from different apps using the same main password, Bluesky may invalidate all tokens for security. This forces every client to reauthenticate simultaneously.
How Bluesky Token Expiration Works
Bluesky uses the AT Protocol, which defines a token lifespan of 7200 seconds for access tokens. The refresh token lasts 30 days. After the access token expires, the client must send the refresh token to the endpoint com.atproto.server.refreshSession. If the client does not implement this call, the user sees the error.
Why Third-Party Clients Fail
Many third-party clients are built by independent developers who may not implement the full AT Protocol authentication flow. Some clients only store the access token and discard the refresh token. Others cache the access token but do not check its expiration time. When the token expires, the client has no way to renew it without manual login.
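The refresh cycle described above, as an added example (not code from the page or from any Bluesky client): a session holder that keeps both tokens, checks the access token's `exp` claim, and calls com.atproto.server.refreshSession shortly before expiry. The `post` transport, the 60-second margin and the fake server are assumptions made so the example runs offline; `accessJwt` and `refreshJwt` are the field names of the AT Protocol session response.

```python
import base64, json, time
REFRESH_NSID = "com.atproto.server.refreshSession"  # endpoint named in the article
SKEW = 60  # assumption: refresh this many seconds before expiry

def jwt_exp(token):
    """Read the `exp` claim from a JWT payload (no signature check; scheduling only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class Session:
    """Keeps BOTH tokens and renews the access token before it expires."""
    def __init__(self, access_jwt, refresh_jwt, post):
        self.access_jwt, self.refresh_jwt = access_jwt, refresh_jwt
        self.post = post  # hypothetical transport: post(nsid, bearer) -> dict

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if jwt_exp(self.access_jwt) - now <= SKEW:
            if jwt_exp(self.refresh_jwt) <= now:
                raise PermissionError("refresh token expired: ask the user to log in once")
            reply = self.post(REFRESH_NSID, self.refresh_jwt)  # bearer is the refresh token
            # Persist both returned tokens; dropping the refresh token recreates the loop.
            self.access_jwt, self.refresh_jwt = reply["accessJwt"], reply["refreshJwt"]
        return self.access_jwt

# --- constructed stand-in for the server so the example runs offline ---
def make_jwt(exp):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"

class FakeServer:
    def __init__(self):
        self.now, self.calls = 0, 0
    def login(self):  # lifetimes from the article: 7200 s access, 30 days refresh
        return make_jwt(self.now + 7200), make_jwt(self.now + 30 * 86400)
    def post(self, nsid, bearer):
        assert nsid == REFRESH_NSID and jwt_exp(bearer) > self.now
        self.calls += 1
        return {"accessJwt": make_jwt(self.now + 7200),
                "refreshJwt": make_jwt(self.now + 30 * 86400)}

def demo():
    server = FakeServer()
    session = Session(*server.login(), server.post)
    first = session.access_token(now=100)  # still fresh: no network call
    calls_while_fresh, server.now = server.calls, 7190  # jump to 10 s before expiry
    second = session.access_token(now=server.now)
    return calls_while_fresh, server.calls, first != second, jwt_exp(second)
```

A client that calls `access_token()` before every request never sends an expired access token, and it only falls back to a login prompt once the refresh token itself has expired.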
Three Fixes for the Bluesky Token Expired Loop
Try these fixes in order. The first fix resolves most cases. The second fix helps when client data is corrupted. The third fix is a permanent workaround.
Fix 1: Create a Dedicated App Password
Using your main Bluesky account password in a third-party client can cause session conflicts. Bluesky recommends generating an app password for each third-party client.
- Open Bluesky Web Settings
Go to Bluesky Web and log in with your main account. Click on your profile picture in the top-right corner. Select Settings from the dropdown menu.
- Navigate to App Passwords
In the left sidebar, click Moderation. Scroll down to the App Passwords section. This page lists all existing app passwords.
- Generate a New App Password
Click Add App Password. Give it a name that matches the third-party client you are using, for example “Graze client”. Click Create. Copy the generated password immediately — you will not see it again.
- Use the App Password in the Client
Open your third-party client. Go to its account or login settings. Enter your Bluesky handle and paste the app password you just copied. Do not use your main password. Confirm the change.
- Revoke Old Sessions
Still in Bluesky Web Settings > Moderation > App Passwords, click the trash icon next to any old app passwords you may have created for the same client. This removes stale tokens that may cause conflicts.
Fix 2: Clear Client Cache and Reauthenticate
Corrupted cached token data can cause the loop even with a correct app password. Clearing the cache forces the client to request fresh tokens.
- Open Client Settings
Launch the third-party client. Look for a gear icon or a menu labeled Settings, Preferences, or Options. This is usually in the top or bottom toolbar.
- Find Cache or Storage Options
Scroll through the settings until you see Cache, Storage, or Data Management. The exact wording varies by client. Tap or click it.
- Clear Token Cache
Select Clear Cache or Clear Token Data. Some clients have a specific button labeled Clear Auth Data. Confirm the action when prompted.
- Restart the Client
Close the client completely. On mobile, swipe it away from the app switcher. On desktop, quit the application. Relaunch it.
- Log In Again
Enter your Bluesky handle and the app password you created in Fix 1. Do not check any “Stay Logged In” box if the client offers one — let the default session time apply.
Fix 3: Switch to the Official Bluesky Client
If the loop persists after the first two fixes, the third-party client may not support token refresh at all. In this case, use the official Bluesky client instead.
- Download the Official App
On iOS, open the App Store and search for Bluesky. On Android, open Google Play and search for Bluesky. On desktop, go to bsky.app in your browser. The official client is free.
- Log In with Main Password
Open the official app. Enter your Bluesky handle and main account password. The official client handles token refresh automatically and does not suffer from the expired token loop.
- Delete the Problematic Third-Party Client
If you no longer need the third-party client, uninstall it from your device. This prevents accidental re-login attempts that may trigger session conflicts again.
If the Token Expired Loop Still Appears
Some issues require additional steps beyond the three main fixes. Below are specific failure patterns and their solutions.
“Token Expired” Error Appears Every Few Minutes
This indicates the client is not refreshing the token at all. The client may be using an outdated API endpoint. Check the client’s documentation or GitHub page for an update. If no update exists, switch to the official client as described in Fix 3.
Multiple Third-Party Clients Show the Same Error
This suggests a problem with your Bluesky account itself, not the client. Log in to Bluesky Web and go to Settings > Moderation > App Passwords. Revoke all existing app passwords. Create one fresh app password per client. Do not reuse the same app password across multiple clients.
Error Persists After Clearing Cache and Using App Password
The third-party client may have a bug in its token refresh logic. Check the client’s release notes or issue tracker for a known token refresh problem. If the developer has not fixed it, you have two options: use a different third-party client or use the official client.
App Password vs Main Password: Differences for Third-Party Clients
| Item | App Password | Main Password |
|---|---|---|
| Purpose | Single-use for one third-party client | Full account access |
| Token lifespan | Same as main password tokens | Same as app password tokens |
| Session conflict risk | Low — separate session per app | High — shared session causes invalidation |
| Revocation | Can be revoked individually | Requires changing the main password |
| Recommended for third-party clients | Yes | No |
Use app passwords for every third-party client. This isolates each client’s session and prevents the token expired loop caused by session conflicts. If you already used your main password, change it immediately in Bluesky Web Settings > Password, then create app passwords for all clients.
Now you can stop the “Token Expired” loop. Start with Fix 1: create an app password for the affected client. If the error returns, clear the client cache. As a final step, switch to the official Bluesky app. For advanced control, monitor your active sessions in Bluesky Web Settings > Moderation > App Passwords and revoke any that you do not recognize.