SDK authentication

Authenticating with the SDKs

Password Authentication

If you are using password auth, you should generate an app password for your account rather than using your main account password. If you are using Bluesky, you can generate an app password in your account settings.

Start by importing PasswordSession, providing credentials to PasswordSession.login(), and creating a session:

import { PasswordSession } from '@atproto/lex-password-session'

const result = await PasswordSession.login({
  service: 'https://bsky.social', // or your PDS host
  identifier: 'your-handle.bsky.social',
  password: 'your-app-password',
})

// login() reports failure through the result object rather than by throwing,
// so check it before touching result.value
if (!result.success) {
  throw new Error('login failed')
}
const session = result.value

Applications with an end user login flow should use OAuth authentication rather than app password sessions. Password auth is acceptable for bots and command line tools. Both methods will produce the same authenticated session.

Client Sessions

Once you have a logged-in session, you can create a Client instance to read and write data:

import { Client } from '@atproto/lex'
const client = new Client(session)

// Make authenticated API calls
console.log('Logged in as:', session.did)

From here, you can go directly to making API requests.

API Tokens

Rate limits for logging in are generally lower than for other API operations. Calling the login method multiple times in a short period may trigger rate limits. You only need to call the login method once per session to authenticate.

The com.atproto.server.createSession API endpoint called by login methods returns a session object containing two API tokens:

  • accessJwt: an access token which is used to authenticate requests but expires after a few minutes
  • refreshJwt: a refresh token which lasts longer and is used only to update the session with a new access token
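
As an added example (not code from the @atproto SDKs or their documentation), the following shows how a bot or CLI can keep login calls to a minimum by reusing a cached token pair: it reads the `exp` claim from each JWT, reuses the access token while it is still valid, calls the real XRPC method com.atproto.server.refreshSession (authenticated with the refreshJwt) when only the access token has expired, and falls back to com.atproto.server.createSession otherwise. The service URL, credentials, injectable `fetchFn` and the unsigned test tokens are assumptions made for the example; the endpoints are called directly rather than through PasswordSession.

```javascript
// Decode the `exp` claim (seconds since epoch) from a JWT without verifying it;
// the client only uses it to schedule refreshes, the PDS does the real check.
function jwtExp(token) {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('not a JWT')
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
  if (typeof payload.exp !== 'number') throw new Error('missing exp claim')
  return payload.exp
}

// True when the token expires within `skewSec` seconds (clock skew margin).
function isExpiring(token, nowSec, skewSec = 60) {
  return jwtExp(token) - nowSec <= skewSec
}

// Pick the cheapest way to get a valid session from a cached token pair:
// reuse the access token, refresh with the refresh token, or log in again.
function chooseAction(cached, nowSec) {
  if (!cached) return 'login'
  if (!isExpiring(cached.accessJwt, nowSec)) return 'cache'
  if (!isExpiring(cached.refreshJwt, nowSec)) return 'refresh'
  return 'login'
}

// Carry out the chosen action against the XRPC endpoints; `fetchFn` is
// injectable so the decision logic can be exercised offline (assumption).
async function getSession(service, creds, cached, fetchFn = fetch, nowSec = Math.floor(Date.now() / 1000)) {
  const xrpc = async (nsid, init) => {
    const r = await fetchFn(`${service}/xrpc/${nsid}`, init)
    if (!r.ok) throw new Error(`${nsid} failed with HTTP ${r.status}`)
    return r.json()
  }
  const action = chooseAction(cached, nowSec)
  if (action === 'cache') return { action, session: cached }
  if (action === 'refresh') {
    const session = await xrpc('com.atproto.server.refreshSession', {
      method: 'POST', headers: { Authorization: `Bearer ${cached.refreshJwt}` },
    })
    return { action, session }
  }
  const session = await xrpc('com.atproto.server.createSession', {
    method: 'POST', headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ identifier: creds.identifier, password: creds.password }),
  })
  return { action, session }
}
// Constructed, unsigned JWT for offline testing only; a real PDS signs its tokens.
function fakeJwt(exp) {
  const b64 = o => Buffer.from(JSON.stringify(o)).toString('base64url')
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ exp })}.sig`
}
```

Persist the returned token pair (not the app password) between runs so that createSession is only called when the refresh token has also expired.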

Further Reading and Resources