Your password? We never see it — here's how BlueOrbit login works
When you sign in to BlueOrbit, something important happens behind the scenes: we never see your password. Not during login, not after, not ever.
BlueOrbit uses OAuth — the same system that lets you “Sign in with Google” or “Sign in with Apple” on other apps. Except we use Bluesky’s own OAuth system, built specifically for the AT Protocol.
Here’s exactly how it works.
The login flow, step by step
1. You enter your Bluesky handle
You type your handle (like you.bsky.social) into BlueOrbit. That’s the only thing you send us.
2. Bluesky’s official login page opens
Your browser redirects to Bluesky’s own authorization page — the same page you’d see if any app asked to connect to your account. This page is hosted by Bluesky, not by BlueOrbit.
You see what BlueOrbit is requesting:
- Access to your account (post, follow, like)
- Access to your email (for account recovery)
- Access to DMs (for welcome messages and notifications)
3. You approve on Bluesky’s page
You click “Authorize” on Bluesky’s page. Bluesky issues a temporary access token and sends you back to BlueOrbit.
At no point does BlueOrbit see your password. Bluesky handles the authentication. We only receive the access token that Bluesky issues after you approve.
4. BlueOrbit stores the access token
BlueOrbit saves the access token so it can act on your behalf — posting scheduled content, detecting follow-backs, sending welcome messages. The token is encrypted before it’s stored in our database.
What we store (and what we don’t)
| We store | We don’t store |
|---|---|
| Your Bluesky handle | Your password |
| Your Bluesky DID (your unique identity) | Your private keys |
| An encrypted access token | Your auth session on Bluesky |
| An encrypted refresh token | Any raw credentials |
| Your profile info (avatar, display name) |
The access token is like a limited key. It lets BlueOrbit do specific things on your account — post, follow, like — but it doesn’t give us your password or full control.
Encryption
Your tokens are encrypted at rest using Fernet symmetric encryption. Even if someone accessed our database directly, the tokens would be unreadable without the encryption key.
What BlueOrbit can do with your token
With your approval, BlueOrbit can:
- Post content — scheduled posts and threads you create
- Follow and unfollow — as part of workflows you set up
- Like posts — engagement actions you configure
- Send DMs — welcome messages to new followers, or notifications when your workflow pauses
- Read your profile — to display stats and track growth
BlueOrbit cannot:
- Change your password
- Delete your account
- Access your DMs with other people
- See your private information beyond what’s in your public profile
How to revoke access
You’re always in control. You can disconnect BlueOrbit at any time.
Option 1: Log out from BlueOrbit
In your account settings, click Log out. This removes the access token from our system. BlueOrbit can no longer act on your behalf.
Option 2: Log out from all devices
If you’ve used BlueOrbit on multiple browsers or devices, you can log out from all of them at once. This also pauses any active workflows so nothing runs without your knowledge.
Option 3: Revoke from Bluesky directly
You can also revoke app permissions from your Bluesky account settings. Bluesky lets you see which apps have access and remove them individually.
Token refresh — how we stay connected
Access tokens expire. When they do, BlueOrbit uses your refresh token to get a new access token automatically — without you having to log in again.
This happens in the background:
- BlueOrbit detects the token is about to expire
- It asks Bluesky for a new access token using the refresh token
- Bluesky issues a new access token
- The old token is replaced
If the refresh fails (for example, if you revoked access), BlueOrbit pauses your workflows and notifies you. Nothing runs without a valid token.
Multi-device support
You can log in to BlueOrbit from multiple browsers or devices. Each login creates a separate session. If one session fails or expires, the others keep working.
If you log out from one device, the other sessions stay active — unless you choose “Log out from all devices.”
The technical details (if you’re curious)
For those who want to dig deeper:
- BlueOrbit uses OAuth 2.0 with DPoP (Demonstrating Proof-of-Possession) — a modern security standard that binds tokens to specific clients, preventing token theft
- We use Pushed Authorization Requests (PAR) — the authorization request is sent server-to-server before you see the login page, preventing interception
- Tokens are encrypted with Fernet symmetric encryption at rest in PostgreSQL
- The session cookie is HTTP-only and secure — it can’t be accessed by JavaScript
Why this matters
Your Bluesky account is yours. BlueOrbit is a tool that helps you grow your audience — but it should never compromise your security.
By using OAuth, we ensure:
- Your password stays with you — we never see it
- You control what we can do — you approve specific permissions
- You can disconnect anytime — revoke access whenever you want
- Your tokens are protected — encrypted at rest, bound to your device
If you have questions about our security practices, reach out. We’re happy to explain how anything works.