Overview
Laravel Bluesky supports two authentication methods. All API calls after authentication share the same interface regardless of which method you use.
LegacyAgent is named for the “pre-OAuth” authentication style, but App Password itself is not deprecated. For scenarios that do not involve user interaction — such as notifications and automated posting — App Password is simpler and often preferable.
Architecture
BlueskyManager is the implementation behind the Bluesky facade. You set an agent via login() or withToken(), and all subsequent API calls work identically regardless of which agent is active.
App Password (LegacyAgent)
Authentication flow
Bluesky::login()
Set your App Password in .env and call login().
Resuming a LegacySession
Calling login() on every request makes an API call each time. Cache the session data to avoid this.
LegacySession keys
When to use App Password
- Background jobs and queue workers for automated posting
- Laravel Notification channel
- Scheduled tasks and batch processing
- When posting from the application’s own account
OAuth (OAuthAgent)
Authentication flow
Bluesky::withToken()
Pass the OAuthSession obtained from Socialite to withToken().
In background jobs or console commands where Laravel sessions are unavailable, build an OAuthSession from database values.
OAuthSession keys
The OAuth refresh_token can only be used once. Use the OAuthSessionUpdated event to save the new token to your database after each refresh. See Socialite for details.
When to use OAuth
- User login via Socialite
- Performing actions on behalf of a user
- When different users need to act from their own accounts
API calls are identical after authentication
After authenticating with either method, you call the same API methods on the Bluesky facade.
BlueskyManager switches between LegacyAgent and OAuthAgent internally, but the calling code is unaffected.
Choosing between the two
You can use both methods together. A common pattern is to use App Password for notifications and scheduled tasks while using OAuth for user-facing login. There is no conflict between the two.
Related pages