Bluesky requires an app password when you connect a third-party client like Graze, Skeets, or a custom automation tool. Using your main account password with these apps puts your entire account at risk if that client is compromised. An app password is a single-use token that grants access only to the specific service you authorize. This article explains what app passwords are, why you need them, and provides step-by-step instructions to create and use one.
Key Takeaways: App Passwords for Third-Party Bluesky Clients
- Settings > App Passwords: The only place to generate a unique token for each third-party client.
- One password per client: Create a separate app password for each app or service to limit damage if one is exposed.
- Revoke anytime: You can delete an app password from the same settings page without changing your main login credentials.
What Are Bluesky App Passwords and Why Are They Required
An app password is a randomly generated 16-character string that acts as a substitute for your account password. Bluesky enforces the use of app passwords for any client that is not the official Bluesky website or mobile app. This separation means that if a third-party client suffers a data breach, the attacker obtains only the limited app password, not your full account credentials.
An app password can perform only the actions that the issuing user is allowed to perform. It does not allow the client to change your email, reset your password, or delete your account. You control exactly which app gets which token. If you suspect a client has been compromised, you revoke that single app password and all other clients continue working.
When You Need an App Password
You must generate an app password in these situations:
- Using a third-party Bluesky desktop client such as Graze, Deck.blue, or Skeets
- Connecting a mobile client like Bluesky for Android or third-party iOS apps
- Running automation scripts with the Bluesky API, including bots and feed generators
- Integrating Bluesky with services like IFTTT, Zapier, or custom webhooks
Steps to Generate an App Password on Bluesky
You can create an app password from any Bluesky client that supports the settings menu. The process is identical on the web version and the official mobile app. Follow these steps exactly.
- Open Bluesky Settings
On the web, click your profile picture in the top-right corner and select Settings. On the mobile app, tap the hamburger menu icon (three lines) on the top-left, then tap your profile picture and choose Settings.
- Navigate to App Passwords
In the Settings menu, scroll down to the Advanced section and click or tap App Passwords. This page lists any existing app passwords you have created.
- Click Add App Password
Click the Add App Password button. A dialog box appears asking you to name the app password. Use a descriptive name such as “Graze Desktop” or “Skeets Mobile” so you can identify it later.
- Generate the Password
After typing the name, click Create. Bluesky generates a 16-character string that looks like this: abcd-efgh-ijkl-mnop. This is the only time you see the full password. Copy it immediately and paste it into the third-party client’s login field.
- Enter the App Password in the Third-Party Client
Open the third-party client and find its login or account settings. In the password field, paste the app password you just copied. Do not use your main Bluesky password. Click sign in or connect.
- Verify the Connection
The third-party client should now display your Bluesky feed, notifications, or the specific feature you intended to use. If it fails, double-check that you copied the entire app password with no extra spaces.
Common Mistakes and Things to Avoid When Using App Passwords
App Password Does Not Work on First Attempt
If the third-party client rejects the app password, open the Bluesky App Passwords settings page again. Click the trash icon next to the failed password and generate a new one. Copy the new password without any leading or trailing spaces. Some clients require you to delete the old saved password from their settings before entering the new one.
Using the Main Account Password Instead of an App Password
Never enter your main Bluesky password into any third-party client. If you have already done so, change your main password immediately from the Bluesky Settings > Password page. Then generate a fresh app password for that client.
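For automation scripts, the two mistakes above (stray whitespace from copying, and entering the main password) can be caught before any credential leaves the machine. The following Python code is an added example, not code from Bluesky or from any client named in this article. Assumptions: the format pattern is inferred from the sample shape shown in the steps, the environment variable names are hypothetical, and the `com.atproto.server.createSession` endpoint on `bsky.social` is the AT Protocol login call, which this article does not itself name.

```python
import json
import os
import re
import urllib.request

# Assumption: the shape follows the article's sample (abcd-efgh-ijkl-mnop):
# four groups of four lowercase letters or digits joined by hyphens.
APP_PASSWORD_RE = re.compile(r"[a-z0-9]{4}(?:-[a-z0-9]{4}){3}")

# AT Protocol session endpoint on the default Bluesky host (not named in the article).
CREATE_SESSION_URL = "https://bsky.social/xrpc/com.atproto.server.createSession"


def normalize_app_password(raw: str) -> str:
    """Strip copy/paste whitespace and reject anything not shaped like an app password."""
    candidate = raw.strip()
    if not APP_PASSWORD_RE.fullmatch(candidate):
        # Never echo the value: it may be the main account password.
        raise ValueError("credential is not in app-password format; refusing to send it")
    return candidate


def build_session_request(identifier: str, raw_password: str) -> urllib.request.Request:
    """Build the login request only after the credential passes the format check."""
    body = json.dumps({
        "identifier": identifier.strip(),
        "password": normalize_app_password(raw_password),
    }).encode("utf-8")
    return urllib.request.Request(CREATE_SESSION_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def create_session(identifier: str, raw_password: str) -> dict:
    """Send the request and return the parsed session response."""
    req = build_session_request(identifier, raw_password)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical variable names; keep the token out of source code and shell history.
    handle = os.environ.get("BSKY_HANDLE", "")
    token = os.environ.get("BSKY_APP_PASSWORD", "")
    try:
        session = create_session(handle, token)
        print("signed in as", session.get("handle"))
    except ValueError as err:
        print("not sent:", err)
```

The format check runs before the request is built, so a credential that does not look like an app password is never placed in a request body.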
Creating One App Password for Multiple Clients
Each third-party client should have its own unique app password. If you use the same token for two different apps and one gets compromised, both apps stop working when you revoke that single password. Creating separate passwords also makes it easier to identify which app caused a problem.
App Password Expiration
Bluesky app passwords do not expire on their own. They remain valid until you manually delete them from the App Passwords settings page. If you stop using a third-party client, delete its app password to keep your account secure.
Third-Party Client Still Asks for Main Password
Some older or poorly coded third-party clients may not support app passwords. In that case, do not use that client. Look for an alternative that explicitly states it supports Bluesky app passwords or OAuth authentication.
App Password vs Main Password: Key Differences
| Item | App Password | Main Password |
|---|---|---|
| Purpose | Limited access for third-party clients | Full account login and management |
| Revocation | Can be revoked individually without affecting other logins | Changing it logs out all sessions and requires re-authentication everywhere |
| Visibility | Shown only once at creation; after that, you must generate a new one | Never stored in plain text by Bluesky; you can reset it via email |
| Allowed actions | Read and write posts, follow, like, repost, send messages | All account actions including email change, password reset, account deletion |
Now you can connect any Bluesky-compatible third-party client without exposing your full account credentials. Start by generating one app password for the client you need most. After the connection works, create separate passwords for each additional app. For maximum security, review your App Passwords page every few months and delete any tokens for clients you no longer use.