Posts by Justin Case

Thanks for the tag, we'll work on this.

1 month ago 2 0 1 0

Here is the #TennisSky feed

bsky.app/profile/did:...

2 months ago 3 0 1 0

That's fair, but we wanted to keep the price point low for barrier of entry.

There are additional tiers that people can donate more than $5.

2 months ago 3 0 0 0

We are actively working to bring down current costs and optimize infrastructure.

We appreciate the feedback, assistance, and support.

#Clearsky

2 months ago 26 6 1 1

We get $.61 for every $1 donated so we are only asking for $3k. Our DB is the bulk of the costs, ~$2k and ~5TB of data. It is a managed instance.

We have been transparent and haven't done anything shady so it's strange for people to assume that's what's going on initially.

2 months ago 7 1 4 0

I'm open to suggestions on how to make things more efficient.

2 months ago 4 0 4 0

We aren't paying salaries.

2 months ago 2 0 2 1

You know we don't get exactly $1 from the donation, right? The cost isn't $5000/mo.

2 months ago 0 0 1 0

I'm currently watching a Roblox funeral and I am weak 😂

3 months ago 2 0 0 0

All high roads have been taken, it's a traffic jam up there.

4 months ago 8 1 0 0

And the only consequence is the user decides not to log in. The security of the implementation is sound.

4 months ago 3 0 2 0

We've already dropped down in permissions. This is a non-issue now.

4 months ago 3 0 1 0

This is a clash of the "privacy" userbase and "data transparency" userbase.

Sit back and get some popcorn.

4 months ago 5 0 0 0

Initially, people begged for these features to be behind a login.

4 months ago 3 0 2 0

It won't send the sensitive authorization code to an unapproved location. Additionally, all of our communication uses HTTPS, and Bluesky's OAuth implementation enforces the use of the state parameter and PKCE (Proof Key for Code Exchange) to prevent code interception and session hijacking.

4 months ago 0 0 0 0

If an attacker tried to swap the link, Bluesky's server would reject the request or refuse to redirect the user to the malicious URL. Even if a malicious link were somehow injected onto our site, the Bluesky server controls the redirection.

4 months ago 0 0 1 0

We mitigate this using strict redirect URI validation: we have pre-registered a specific, exact URL with Bluesky (the Authorization Server).

When you start the login, we tell Bluesky: "After the user authorizes access, only send them back to this exact, pre-registered address."

4 months ago 0 0 1 0
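
The checks these posts describe (exact-match redirect URI, the state parameter, and PKCE), as an added Python sketch that is not Clearsky's or Bluesky's code. The callback URL and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registration data: a placeholder URL, not the service's real callback.
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}


def redirect_uri_allowed(requested: str) -> bool:
    """Authorization server: exact string match, no prefix or wildcard matching."""
    return requested in REGISTERED_REDIRECT_URIS


def s256(verifier: str) -> str:
    """PKCE S256 transform from RFC 7636: base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client: keep the verifier private, send only the challenge with the request."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43-128 range
    return verifier, s256(verifier)


def pkce_verified(stored_challenge: str, presented_verifier: str) -> bool:
    """Token endpoint: an intercepted code is useless without the matching verifier."""
    try:
        computed = s256(presented_verifier)
    except UnicodeEncodeError:
        return False  # verifiers are ASCII only; anything else cannot match
    return hmac.compare_digest(stored_challenge.encode(), computed.encode())


def state_matches(sent_state: str, returned_state: str) -> bool:
    """Client callback: reject responses that do not echo the state we issued."""
    return hmac.compare_digest(sent_state.encode(), returned_state.encode())


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(redirect_uri_allowed("https://client.example/oauth/callback"))
    print(redirect_uri_allowed("https://client.example.evil.test/oauth/callback"))
    print(pkce_verified(challenge, verifier), pkce_verified(challenge, "guess" * 10))
```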

Explain how.

4 months ago 0 0 1 0

I am disappointed but not surprised. We are working to bring services to the community so that you are informed about your data. We appreciate all the support people have given and we are learning from the criticism.

4 months ago 37 4 1 0

A looottttaaaa people in replies complaining and being downright nasty about a free service that someone has dedicated a ton of their time to simply to help you have more transparency about your account, which they absolutely did not have to do! Y'all have an astonishing sense of entitlement!

4 months ago 161 30 6 2

Lol

4 months ago 1 0 0 0

There is a difference between something being ready and you being upset that those are the permissions. The implementation is ready and working.

4 months ago 2 0 1 0

Literacy is dead because why would you use quotes for something when you weren't quoting what someone said verbatim. We asked you what error you were seeing and you didn't reply.

4 months ago 2 0 2 0

It is ready. The current OAuth implementation is secure, that's what we've been explaining. And we also have updated the permissions that are being asked when you log in.

4 months ago 1 0 1 0

I appreciate your kind words and sticking your neck out for me 🫶🏿

4 months ago 16 0 2 0

The larger non-specialized/technical user base is already using OAuth. It's your early/technical adopters that you are experiencing friction with.

I really disagree with the framing of this as a problem with OAuth and not app passwords

4 months ago 9 2 1 1

I tried to use just "atproto" and I just tried again and I get this error: "The remote endpoint returned an error: Scope "transition:generic" is not declared in the client metadata"

4 months ago 1 0 1 0

I tried to use just "atproto" and I just tried again and I get this error: "The remote endpoint returned an error: Scope "transition:generic" is not declared in the client metadata"

4 months ago 0 0 1 0

Thanks for the advice.

4 months ago 0 0 1 0

That is the only permission set available, which is stated in the thread. We understand if you want to wait until Bluesky is done with adding the smaller permission scopes. We plan to drop down to the least permissions as soon as they are available.

4 months ago 2 0 3 0