Your password? We never see it — here's how BlueOrbit login works

When you sign in to BlueOrbit, something important happens behind the scenes: we never see your password. Not during login, not after, not ever.

BlueOrbit uses OAuth — the same system that lets you “Sign in with Google” or “Sign in with Apple” on other apps. Except we use Bluesky’s own OAuth system, built specifically for the AT Protocol.

Here’s exactly how it works.

The login flow, step by step

1. You enter your Bluesky handle

You type your handle (like you.bsky.social) into BlueOrbit. That’s the only thing you send us.

2. Bluesky’s official login page opens

Your browser redirects to Bluesky’s own authorization page — the same page you’d see if any app asked to connect to your account. This page is hosted by Bluesky, not by BlueOrbit.

You see what BlueOrbit is requesting:

  • Access to your account (post, follow, like)
  • Access to your email (for account recovery)
  • Access to DMs (for welcome messages and notifications)

3. You approve on Bluesky’s page

You click “Authorize” on Bluesky’s page. Bluesky issues a temporary access token and sends you back to BlueOrbit.

At no point does BlueOrbit see your password. Bluesky handles the authentication. We only receive the access token that Bluesky issues after you approve.

4. BlueOrbit stores the access token

BlueOrbit saves the access token so it can act on your behalf — posting scheduled content, detecting follow-backs, sending welcome messages. The token is encrypted before it’s stored in our database.

What we store (and what we don’t)

We storeWe don’t store
Your Bluesky handleYour password
Your Bluesky DID (your unique identity)Your private keys
An encrypted access tokenYour auth session on Bluesky
An encrypted refresh tokenAny raw credentials
Your profile info (avatar, display name)

The access token is like a limited key. It lets BlueOrbit do specific things on your account — post, follow, like — but it doesn’t give us your password or full control.

Encryption

Your tokens are encrypted at rest using Fernet symmetric encryption. Even if someone accessed our database directly, the tokens would be unreadable without the encryption key.

What BlueOrbit can do with your token

With your approval, BlueOrbit can:

  • Post content — scheduled posts and threads you create
  • Follow and unfollow — as part of workflows you set up
  • Like posts — engagement actions you configure
  • Send DMs — welcome messages to new followers, or notifications when your workflow pauses
  • Read your profile — to display stats and track growth

BlueOrbit cannot:

  • Change your password
  • Delete your account
  • Access your DMs with other people
  • See your private information beyond what’s in your public profile

How to revoke access

You’re always in control. You can disconnect BlueOrbit at any time.

Option 1: Log out from BlueOrbit

In your account settings, click Log out. This removes the access token from our system. BlueOrbit can no longer act on your behalf.

Option 2: Log out from all devices

If you’ve used BlueOrbit on multiple browsers or devices, you can log out from all of them at once. This also pauses any active workflows so nothing runs without your knowledge.

Option 3: Revoke from Bluesky directly

You can also revoke app permissions from your Bluesky account settings. Bluesky lets you see which apps have access and remove them individually.

Token refresh — how we stay connected

Access tokens expire. When they do, BlueOrbit uses your refresh token to get a new access token automatically — without you having to log in again.

This happens in the background:

  1. BlueOrbit detects the token is about to expire
  2. It asks Bluesky for a new access token using the refresh token
  3. Bluesky issues a new access token
  4. The old token is replaced

If the refresh fails (for example, if you revoked access), BlueOrbit pauses your workflows and notifies you. Nothing runs without a valid token.

Multi-device support

You can log in to BlueOrbit from multiple browsers or devices. Each login creates a separate session. If one session fails or expires, the others keep working.

If you log out from one device, the other sessions stay active — unless you choose “Log out from all devices.”

The technical details (if you’re curious)

For those who want to dig deeper:

  • BlueOrbit uses OAuth 2.0 with DPoP (Demonstrating Proof-of-Possession) — a modern security standard that binds tokens to specific clients, preventing token theft
  • We use Pushed Authorization Requests (PAR) — the authorization request is sent server-to-server before you see the login page, preventing interception
  • Tokens are encrypted with Fernet symmetric encryption at rest in PostgreSQL
  • The session cookie is HTTP-only and secure — it can’t be accessed by JavaScript

Why this matters

Your Bluesky account is yours. BlueOrbit is a tool that helps you grow your audience — but it should never compromise your security.

By using OAuth, we ensure:

  • Your password stays with you — we never see it
  • You control what we can do — you approve specific permissions
  • You can disconnect anytime — revoke access whenever you want
  • Your tokens are protected — encrypted at rest, bound to your device

If you have questions about our security practices, reach out. We’re happy to explain how anything works.