When connecting your Bluesky account to a third-party app like Surf, Bluesky recommends using an App Password rather than your main account password.

Why use an App Password?

  • Your real password stays private. No third-party app, including Surf, ever sees or stores your actual Bluesky login credentials. App Passwords are separate, one-purpose codes.
  • Works alongside two-factor authentication (2FA). If you have 2FA enabled on your Bluesky account, App Passwords let Surf connect without triggering repeated 2FA prompts. The app gets secure, persistent access without bypassing your 2FA protection on the account itself.
  • Easy to revoke at any time. Want to disconnect Surf? Just delete its App Password in Bluesky settings. Your account and any other connected apps are completely unaffected.
  • Limited permissions by design. App Passwords can't perform account-level actions like deleting your account, migrating it to another server, or creating additional App Passwords. They're scoped to normal app activity only.
Have 2FA turned on? You'll need to use an App Password (not your main password) to sign in to Surf. Bluesky does not allow third-party apps to authenticate directly with a 2FA-protected account using your primary password. App Passwords are the supported method.

How to create a Bluesky App Password

  1. Open Bluesky and go to Settings.
    • On desktop, you'll find Settings on the left side of the screen.
    • In the Bluesky mobile app, tap the menu icon (three horizontal lines) in the top-left corner.
  2. Go to Privacy & Security > App Passwords, or go directly to the App Passwords page here.
  3. Click "Add App Password" and give it a recognizable name, for example "Surf," so you can identify it later.
  4. Choose whether to allow access to your direct messages. This is unchecked by default. Only enable this if you want Surf to show DMs once that feature is supported in the beta. You can safely leave it unchecked for now.
  5. Click "Next," then copy the generated App Password and use it to log in to Surf.
Important: Bluesky only shows the App Password once. If you navigate away before copying it, you'll need to delete it and create a new one.

Revoking access

If you ever want to disconnect Surf from your Bluesky account, go back to App Passwords in Bluesky settings and click the red trash icon next to the App Password you created for Surf, then select Delete. Access is revoked immediately.

Tip: If you've lost or forgotten an App Password, there's no way to retrieve it after it's generated, but creating a new one takes only a moment. Just delete the old one first.

If you're having trouble connecting your Bluesky account, email us at [email protected] and we'll be happy to help.