bsky.social using your Bluesky handle and an app password you generate inside your Bluesky account settings.
How Bluesky auth works
Hayon uses the @atproto/api SDK to authenticate with the AT Protocol service at https://bsky.social. On successful login, the SDK returns:
- did — your decentralized identifier (e.g. did:plc:abc123), the stable unique ID for your account.
- handle — your human-readable handle (e.g. you.bsky.social).
- accessJwt — a short-lived JWT for making authenticated API calls.
- refreshJwt — a longer-lived JWT used to resume the session without re-entering credentials.
did, handle, accessJwt, and refreshJwt in your SocialAccount document. Your app password is used only at connect time and is never persisted.
Creating an app password
Open Bluesky settings
Log in to Bluesky and navigate to Settings > Privacy and security > App passwords.
Create a new app password
Click Add app password, give it a descriptive name (e.g. hayon), and click Create app password.
Connecting your Bluesky account
Open platform settings
In the Hayon dashboard, navigate to Settings > Connected accounts and click Connect next to Bluesky.
Enter your credentials
Provide your Bluesky handle (e.g. yourname.bsky.social) and the app password you created above.
Required credentials
| Field | Description | Example |
|---|---|---|
| identifier | Your Bluesky handle or email address | yourname.bsky.social |
| appPassword | App password generated in Bluesky settings | xxxx-xxxx-xxxx-xxxx |
The identifier field accepts either your full handle (e.g. yourname.bsky.social) or your registered email address.
Session refresh
Hayon can refresh your Bluesky session without re-entering credentials as long as the refreshJwt is valid. To manually refresh your stored profile data, call:
refreshJwt and updates your accessJwt, handle, display name, and avatar in the database.
If both the accessJwt and refreshJwt have expired (e.g. after an extended period of inactivity), the session cannot be resumed. You must disconnect and reconnect Bluesky with your credentials.
Supported post types
Bluesky posts (called skeets in community parlance) are text-based with optional attachments.
| Content type | Supported |
|---|---|
| Text posts | Yes |
| Links with preview card | Yes (via facets) |
| Images | Yes (up to 4 images per post) |
| Videos | No |
| Polls | No |
| Threads / reply chains | No (single posts only) |
Character limits and media constraints
- Character limit: 300 graphemes per post (not bytes — emoji count as 1).
- Image limit: Maximum 4 images per post.
- Image size: Each image must be under 1 MB.
- Image formats: JPEG, PNG, and GIF (static) are accepted by the AT Protocol.
- Alt text: Bluesky supports alt text per image; Hayon passes this through when provided.
Disconnecting
To disconnect your Bluesky account, navigate to Settings > Connected accounts and click Disconnect next to Bluesky, or call:
did, handle, accessJwt, refreshJwt, and profile data from the SocialAccount document and sets connected: false.
Disconnecting from Hayon does not invalidate the app password on Bluesky’s side. To fully revoke Hayon’s access, go to Settings > App passwords on Bluesky and delete the app password you created.
Troubleshooting
Authentication failed — invalid identifier or password
Verify that your handle is correct (include the full domain, e.g. yourname.bsky.social) and that the app password matches exactly. App passwords are case-sensitive and include the dashes.
Session expired / needs reconnection
When the health status shows expired or needsReconnection: true, both JWTs have become invalid. Disconnect Bluesky and reconnect with your handle and a new app password.
Profile refresh fails
If the refresh endpoint returns an error, your refreshJwt may have expired. Reconnect the account to obtain a fresh session.
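The session states described under Session refresh and Troubleshooting, as an added example that is not Hayon's own code: it reads the exp claim from each stored JWT to decide whether the session is usable, can be refreshed, or needs reconnection. The function names, the active and refreshable status strings, and the presence of a numeric exp claim in both tokens are assumptions.

```javascript
// Added example: decodeExp, classifySession and the 'active'/'refreshable'
// status strings are hypothetical names, not part of Hayon's API.

// Read the `exp` claim (seconds since epoch) from a JWT payload WITHOUT
// verifying the signature. This is local expiry bookkeeping only; the
// Bluesky service remains the authority on whether a token is accepted.
function decodeExp(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch {
    return null; // malformed base64 or JSON: treat the token as unusable
  }
}

// Classify a stored session. `skewSec` treats tokens that are about to
// expire as already expired, so a request does not fail mid-flight.
function classifySession({ accessJwt, refreshJwt }, nowSec = Math.floor(Date.now() / 1000), skewSec = 30) {
  const live = (jwt) => {
    const exp = decodeExp(jwt);
    return exp !== null && exp - skewSec > nowSec;
  };
  if (live(accessJwt)) return { status: 'active', needsReconnection: false };
  if (live(refreshJwt)) return { status: 'refreshable', needsReconnection: false };
  return { status: 'expired', needsReconnection: true };
}

// Constructed sample tokens (unsigned, for illustration only).
function fakeJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc({ sub: 'did:plc:abc123', exp })}.sig`;
}

const now = 1_700_000_000;
const samples = {
  fresh: { accessJwt: fakeJwt(now + 3600), refreshJwt: fakeJwt(now + 86400) },
  accessExpired: { accessJwt: fakeJwt(now - 10), refreshJwt: fakeJwt(now + 86400) },
  bothExpired: { accessJwt: fakeJwt(now - 10), refreshJwt: fakeJwt(now - 5) },
  corrupted: { accessJwt: 'not-a-jwt', refreshJwt: '' },
};
for (const [name, session] of Object.entries(samples)) {
  console.log(name, classifySession(session, now));
}
```

A missing or unparseable token is classified the same way as an expired one, so a corrupted stored session ends in reconnection rather than in repeated failing API calls.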