cli + tui to publish to leaflet (wip) & manage tasks, notes & watch/read lists 馃崈
desertthunder.dev
charm
leaflet
readability
golang
1---
2title: Authentication and Identity
3sidebar_label: Auth & Identity
4description: AT Protocol authentication, security, and session handling.
5sidebar_position: 8
6---
7
8# Authentication and Identity
9
10## AT Protocol Authentication
11
12Noteleaf uses AT Protocol's authentication system:
13
141. **Handle Resolution**: Your handle (e.g., `username.bsky.social`) is resolved to a DID (Decentralized Identifier)
152. **Session Creation**: Authenticate with your app password to create a session
163. **Session Token**: Noteleaf stores the session token for future requests
174. **Token Refresh**: Sessions are refreshed automatically when they expire
18
19## Security Considerations
20
21**Use app passwords**: Never use your main BlueSky password with third-party tools. App passwords can be revoked without affecting your account.
22
23**Token storage**: Session tokens are stored locally in the Noteleaf database. Protect your database file.
24
25**Revocation**: If compromised, revoke the app password at [bsky.app/settings/app-passwords](https://bsky.app/settings/app-passwords).
26
27## Session Management
28
29**Check status**:
30
31```sh
32noteleaf pub status
33```
34
35**Re-authenticate**:
36
37```sh
38noteleaf pub auth
39```
40
41Sessions typically last 2-4 hours before requiring refresh. Noteleaf handles refresh automatically, but if authentication fails, run `pub auth` again.