Skip to main content

Overview

Laravel Bluesky supports two authentication methods. All API calls after authentication share the same interface regardless of which method you use.
LegacyAgent is named for the “pre-OAuth” authentication style, but App Password itself is not deprecated. For scenarios that do not involve user interaction — such as notifications and automated posting — App Password is simpler and often preferable.

Architecture

BlueskyManager is the implementation behind the Bluesky facade. You set an agent via login() or withToken(), and all subsequent API calls work identically regardless of which agent is active.

App Password (LegacyAgent)

Authentication flow

Bluesky::login()

Set your App Password in .env and call login().

Resuming a LegacySession

Calling login() on every request makes an API call each time. Cache the session data to avoid this.

LegacySession keys

When to use App Password

  • Background jobs and queue workers for automated posting
  • Laravel Notification channel
  • Scheduled tasks and batch processing
  • When posting from the application’s own account

OAuth (OAuthAgent)

Authentication flow

Bluesky::withToken()

Pass the OAuthSession obtained from Socialite to withToken().
In background jobs or console commands where Laravel sessions are unavailable, build an OAuthSession from database values.

OAuthSession keys

The OAuth refresh_token can only be used once. Use the OAuthSessionUpdated event to save the new token to your database after each refresh. See Socialite for details.

When to use OAuth

  • User login via Socialite
  • Performing actions on behalf of a user
  • When different users need to act from their own accounts

API calls are identical after authentication

After authenticating with either method, you call the same API methods on the Bluesky facade.
BlueskyManager switches between LegacyAgent and OAuthAgent internally, but the calling code is unaffected.

Choosing between the two

You can use both methods together. A common pattern is to use App Password for notifications and scheduled tasks while using OAuth for user-facing login. There is no conflict between the two.
Last modified on April 29, 2026