Bluesky API Pricing: Full Breakdown for 2026

Bluesky API pricing in 2026 is the simplest answer in this whole series: there is no paid tier, no per-call fee, and no Meta-style app review on the official Bluesky AT Protocol API.

I’ve been shipping on social media APIs for years, and Bluesky is the platform where the price question stops at the docs. The friction is somewhere else. The official AT Protocol API runs on a points-based rate limit that caps you at about 1,666 record creations per hour per account (posts, likes, follows, and reposts all count), OAuth has been in developer preview since September 25, 2024 and is the recommended path for new builds, and the legacy App Password flow still works but Bluesky has asked developers to stop using it for new projects.

This guide covers what Bluesky API access actually costs in 2026, the points math behind the rate limits, the OAuth-versus-App-Password decision, what third-party wrappers charge per 1,000 posts, and when going through a wrapper like Blotato makes more sense than wiring AT Protocol auth yourself.

Bluesky API Pricing at a Glance (2026)

Access path	Cost	Best for	Key friction
Bluesky AT Protocol API (official)	Free, no paid tier published	Posting, reading, building clients on your own account	5,000 points/hour rate limit, OAuth vs App Password decision, no SLA
Public AppView endpoints	Free	Read-only public data (feeds, profiles, search)	Generous limits but no posting
RapidAPI BlueSky wrapper	$0 Basic up to $200/mo Mega (1M requests)	Quick prototyping of read flows	Unofficial, vendor-listed prices, verify before subscribing
PostPeer (multi-platform wrapper)	$8.50 per 1,000 posts (drops to $6 on Pro)	Cheapest per-post for Bluesky publishing	9 networks supported, free tier limited to 20 posts
Zernio multi-platform API	Per-connected-account pricing, derived as roughly $158 per 1,000 posts in PostPeer’s published comparison	Bluesky plus Reddit, Telegram, Snapchat	Account-based rather than post-based pricing, verify on the vendor page
Ayrshare	From $299/month (Launch plan, 10 accounts)	Enterprise teams needing SLAs	Different pricing unit, monthly subscription vs per-post
Blotato unified API	Starter $29/mo, Creator $97/mo, Agency $499/mo	Posting Bluesky plus eight other platforms from one endpoint	API access on paid plans only, generating a key ends the free trial

The honest answer is that Bluesky itself does not charge for API access. The catch is that “free” still costs you the rate-limit math, the auth migration, and the engineering hours to write the OAuth flow when you could be shipping product instead.

For teams that just want to publish to Bluesky and other networks without owning the auth layer, Blotato wraps the whole posting stack behind one endpoint. The dashboard has a 7-day free trial. The Blotato API runs on paid plans starting at $29 per month.

Start free week →

Free 7-day trial · Cancel anytime

What Changed in 2026 for the Bluesky API

Three shifts on the Bluesky developer surface in the past twelve months matter for builders deciding what to ship in 2026.

The first is the OAuth rollout. Bluesky announced OAuth for AT Protocol on September 25, 2024 and explicitly told developers to “stop using the legacy App Password system for new projects.” OAuth has been deployed on the bsky.social PDS and the official TypeScript SDK, and remained in developer preview through 2025. On June 12, 2025, Bluesky shipped the first granular auth scope, transition:email, for reading the account email, with broader auth-scope work still wrapping up in protocol design. If you are starting a project in 2026, OAuth is the path. App Passwords still work for personal scripts and accounts you own.

The second is the rate-limit posture. The points-based limits have stayed at 5,000 points per hour and 35,000 points per day per account since the September 15, 2023 announcement, but the official rate-limits page is now the canonical reference and the AppView endpoints at api.bsky.app and public.api.bsky.app are documented as having “generous rate-limits” with an explicit “contact us” path if you actually hit them. The practical effect is that read-heavy clients have more headroom than write-heavy bots.

The third is the network. Bluesky grew from roughly 10 million users in September 2024 to more than 40 million by October 2025, with the federation surface (third-party PDS instances, custom feeds, third-party AppViews) maturing alongside it. The API contract is stable, the SDKs are public, and the platform is now a first-class publishing destination, not a side experiment.

Bluesky API Pricing, in Plain English

The Bluesky AT Protocol API has no published paid tier and no per-call fee. The official Bluesky API docs point developers at three host categories, all free:

• https://bsky.social for the Bluesky-hosted PDS, where authenticated calls (createSession, createRecord, deleteRecord) live for accounts on the default hosting service.
• https://api.bsky.app and https://public.api.bsky.app for the AppView, where reads of feeds, profiles, and public data live.
• https://bsky.network for the Relay (firehose), which streams the public network’s events.

Authenticated reads and writes route through the user’s PDS. Public reads can hit the AppView directly, with “additional caching” per the official API hosts directory. None of these hosts charge by request, by month, or by quota.

The first cost line in the post is therefore zero dollars. The next sections cover what does cost you: rate limits, auth choice, and the operational tax of running on AT Protocol versus wrapping it.

The Points System: How Bluesky Charges Without Charging

Bluesky meters write actions on a points system instead of a dollar bill. Every record write costs points, and your account has a points budget per hour and per day.

Action	Points	What it means
Create a record (post, like, follow, repost)	3	Adds a new entry to your repository
Update a record (edit profile, edit feed generator)	2	Modifies an existing record
Delete a record	1	Removes a record
Account limit, per hour	5,000	About 1,666 creates, 2,500 updates, or 5,000 deletes
Account limit, per day	35,000	About 11,666 creates, 17,500 updates, or 35,000 deletes

On top of the account limits, the Bluesky-hosted PDS enforces an IP-level limit of 3,000 requests per 5 minutes across all routes, plus per-endpoint caps: 10 handle updates per 5 minutes (50 per day), 30 createSession calls per 5 minutes (300 per day), 100 createAccount calls per 5 minutes per IP, and 50 resetPassword and deleteAccount calls per 5 minutes per IP. The numbers are on Bluesky’s rate limits doc, which is the source you should treat as canonical.

A few things to keep in mind:

The per-hour limit is the one most builders hit first. If your bot does anything more than text posting (auto-likes, auto-follows, repost loops, mass deletion of old content), every action counts at 3 or 1 points and the hour budget burns down fast.

Bursts trigger 429s, not bans. Requests that cross a limit receive an HTTP 429 “Too Many Requests” response status code per the official docs. Back off, retry on a longer window, and you are fine.

Federation changes the math. “Bluesky is built on top of an open network (atproto), and other providers in the network are likely to have different rate-limits,” per the Bluesky docs. If you run your own self-hosted PDS, you control the rate limits for accounts on it. If you build against someone else’s PDS, their numbers apply.

Blob uploads cap at 50 MB. Media uploads top out at 52,428,800 bytes per file, which is also worth knowing before you wire a video pipeline.

App Passwords vs OAuth: The Auth Decision

The other “cost” of the Bluesky API in 2026 is the auth migration. There are two production paths, and the right one depends on whether you are building for yourself or for users.

App Passwords are the legacy path. You generate a separate password in your Bluesky settings (so your real password is not exposed), pass it to com.atproto.server.createSession along with your handle, and you get short-lived access plus refresh tokens. App Passwords are still functional in 2026 and remain the simplest pattern for personal scripts and bots on accounts you own. They cost zero dollars and zero calendar time to set up.

OAuth is the modern path. Bluesky announced OAuth for AT Protocol on September 25, 2024 with the explicit note: “encourage application and SDK developers to start working with the specification now, and stop using the legacy App Password system for new projects.” OAuth supports public clients (browser and mobile apps with no server-side secret) and confidential clients (server-side apps), and as of June 2025 includes granular auth scopes for limiting what your app can do. The Bluesky OAuth client implementation guide walks through the flow.

The trade-off is that OAuth requires more setup. You host a client-metadata.json file at a public URL, handle PAR (pushed authorization requests) and DPoP (demonstrating proof-of-possession), build the callback handler, and refresh tokens correctly. The official @atproto/api TypeScript SDK handles most of the plumbing, but it is still meaningfully more work than three lines of createSession.

In practice: if you are building a public product that onboards users in 2026, build OAuth. If you are scripting against your own account, App Passwords are still fine.

Real-World Access Examples

Three usage profiles. Each one shows what “free” looks like when you add up the auth work, the rate-limit budget, and any wrapper fees.

The Indie SaaS Publisher

A solo founder posting 10 to 20 times a day to a single Bluesky account, with the occasional auto-like or repost on top.

• Bluesky API monthly cost: $0
• Auth path: App Password, 10 minutes to wire with the official @atproto/api SDK
• Rate-limit headroom: 20 posts a day plus 100 likes lands at roughly 360 points, deep inside the 35,000-per-day budget
• Total: $0/month, about 2 hours of setup

The Agency Posting for 30 Clients

You run a content agency that posts on behalf of 30 different Bluesky accounts.

• Bluesky API monthly cost: $0
• Auth path: OAuth, per Bluesky’s recommendation for new projects, plus a client-metadata.json hosted at a public URL and a callback handler
• 30 separate token-refresh jobs to maintain, no Meta-style app review, no business verification
• Total: $0/month, roughly 1 to 2 weeks of OAuth engineering and ongoing token maintenance

The Brand Monitor or Researcher

You are tracking public Bluesky conversation for clients at firehose volume.

• Public AppView calls to public.api.bsky.app: $0 within the “generous” but undefined rate limits, with a contact path if you actually need more
• Firehose subscription to bsky.network: $0, with per-PDS Relay limits of 50 events per second, 2,600 per hour, and 21,000 per day on the source side
• Total: $0/month, with the caveat that the open firehose is the same surface AI training crawlers have been documented using to scrape Bluesky’s public posts at scale

The Wrapper Tax: When Paid APIs Beat Free

The Bluesky API is free. That is not the same as “the cheapest way to ship a Bluesky integration.” A few third-party wrappers price themselves against the engineering hours, not against Bluesky, and they are the only place real Bluesky API pricing actually lives.

Wrapper	Free tier	Cheapest paid tier	Per-1k posts (effective)	Networks	Notable
PostPeer	20 posts	$17/mo Starter (2,000 credits)	$8.50, drops to $6 on Pro	9	Cheapest per-post for Bluesky publishing
RapidAPI BlueSky API	20 requests/month	$15/mo Pro (10k requests)	Not priced per-post	1 (Bluesky only)	Read-skewed, unofficial wrapper
Zernio	Free (1-2 accounts)	$6 per account (3-10 accts)	~$158 at a low-tier comparison from PostPeer	13+ inc. Reddit, Telegram, Snapchat	Per-account model, not per-post
Ayrshare	None	$299/mo Launch (10 profiles)	Not priced per-post	Multi-platform	Enterprise option with SLA

Per-1k rates assume the cheapest paid tier and are the only comparable unit across vendors that price differently. The Zernio number is PostPeer’s derived comparison rather than Zernio’s own pricing model. Verify each vendor’s live pricing page before subscribing.

If you are posting only to Bluesky and you have engineering time, going direct to AT Protocol is free and the math is hard to beat at low volume. If you are posting to Bluesky plus four other networks, every wrapper saves you the OAuth-flow-per-platform tax, and the math flips fast.

Already Using App Passwords? Here Is What Migrating to OAuth Costs

If you shipped on Bluesky during the App Password era and you are deciding whether to migrate, the calendar cost is real but contained.

You need a client-metadata.json file at a stable public URL (Bluesky uses this as the OAuth client ID, per the official OAuth client guide), a callback endpoint that handles the OAuth response, refresh-token handling for long sessions, and the DPoP-signed request flow the SDK abstracts. The official TypeScript and Node.js OAuth examples on GitHub cut the work substantially. Plan for one to two weeks of engineering for an existing single-account integration, longer for multi-account products.

The upside is that OAuth is the path Bluesky is asking new projects to use, and the granular scope work shipped in mid-2025 means you can ask for read-only access (or transition:email, or write-only) without taking full account control. App Passwords cannot do that.

The Honest Pitch: Skip the Bluesky API and Use Blotato

Founder disclosure first: I run Blotato, so this section is a pitch by definition. Treat it as one.

The real cost of Bluesky integration is not the API itself. It is the auth flow, the rate-limit handling, the per-platform OAuth file per network you want to publish to, and the token-refresh job that runs forever once you have users. For a Bluesky-only personal bot, doing it yourself is the right call. The moment you add a second network on top, the auth code does not cleanly compose and the engineering hours start to dominate the bill.

One API. Every social platform.

Blotato’s unified API turns Bluesky publishing (and eight other platforms) into a single HTTP request:

curl -X POST https://backend.blotato.com/v2/posts \
  -H "blotato-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "post": {
      "accountId": "YOUR_BLUESKY_ACCOUNT_ID",
      "target": { "targetType": "bluesky" },
      "content": {
        "text": "Posted to Bluesky via the Blotato API.",
        "mediaUrls": [],
        "platform": "bluesky"
      }
    }
  }'

That is the minimal Bluesky payload. The same envelope works for the other eight platforms in the API enum (X, Instagram, LinkedIn, TikTok, YouTube, Threads, Facebook, Pinterest), with platform-specific target fields. The Blotato API quickstart guide covers the full schema, including Bluesky-specific options.

The API is included on every paid plan, with no per-post charges layered on top. The pricing page puts it directly: “No per-post fees, no seat fees, no hidden tax on your soul.”

Blotato plans:

• Starter ($29/month): 1,250 AI credits, 20 connected accounts
• Creator ($97/month)
• Agency ($499/month)

Start a free week of Blotato →

If you are also evaluating direct integrations for the other big platforms, the broader Social Media APIs developer guide covers every platform side by side.

Sabrina’s Take

I’m biased, obviously. Of the nine APIs we ship against at Blotato, Bluesky is the one I would recommend to a developer who only ever wants to post to one platform. The docs are clean, the auth flow is reasonable, and the rate-limit page is the only one in this series that actually answers the question in the title without a footnote.

Going direct breaks the moment you also need X’s pay-per-use API, Threads, or LinkedIn, because every platform’s OAuth surface is a different shape. That is the gap a wrapper closes. If you are a solo dev posting only to your own Bluesky account, save the $29. If you are shipping anything multi-platform, the day you stop maintaining four separate auth flows is the day this stops being a math question.

FAQs

Is the Bluesky API free in 2026?

Yes. The official Bluesky API pricing is zero dollars: no paid tier, no per-call fee, no per-platform quota for the AT Protocol API. Authentication is free, posting is free, reading the public firehose is free. The costs that exist are rate-limit math (5,000 points per hour per account) and the engineering time to wire OAuth or App Password auth.

How do I get access to the Bluesky API?

You don’t apply. Create a Bluesky account, generate an App Password in settings (or set up OAuth, per Bluesky’s September 2024 recommendation), and call the official endpoints. There is no developer portal, no review process, and no API key issued by Bluesky directly.

What are the Bluesky API rate limits in 2026?

Writes are budgeted in points (3 create, 2 update, 1 delete) up to 5,000 per hour and 35,000 per day per account. The Bluesky-hosted PDS adds a 3,000-requests-per-5-minutes IP cap. AppView reads have generous undefined limits with a contact path. Full details on the official rate-limits page.

Should I use App Passwords or OAuth for a new Bluesky integration?

Bluesky’s official guidance is to use OAuth for new projects and stop using App Passwords. OAuth has been in developer preview since September 2024, shipped its first granular auth scope (transition:email) in June 2025, and is handled by the official TypeScript SDK. App Passwords still work for personal scripts on accounts you own.

Do I need to self-host a PDS to use the Bluesky API?

No. Most developers run their app against the Bluesky-hosted PDS at bsky.social and never touch a self-hosted instance. Self-hosting a PDS becomes relevant when you want full control over the rate limits applied to accounts on it, or when you are building a competing client on AT Protocol with its own user base. The PDS self-hosting guide covers the Docker setup.