Docs / Guides

Stable

Complete the ATProto OAuth handoff

After Atmosphere selection passes, start your app-owned AT Protocol OAuth flow with the selected account.

Use the selected handle or DID as login_hint.Your app owns authorization scopes, token storage, refresh, and logout.Verify the OAuth token response sub DID according to the AT Protocol OAuth profile.

Boundary

Atmosphere stops before app OAuth starts

Start OAuth after selection
if (!verified.ok) throw new Error(verified.error);

const loginHint = verified.claims.handle || verified.claims.sub;
const oauthUrl = await atprotoOAuthClient.authorizeUrl({
  loginHint,
  scope: "atproto",
});

return Response.redirect(oauthUrl);

ATProto checks still apply

  • Resolve and bind the selected account DID for the OAuth flow.
  • Verify the authorization server is authoritative for the account.
  • Check the token response sub matches the expected DID.
  • Reject token responses that omit the atproto scope.
  • Do not send your app OAuth access or refresh tokens to Atmosphere.
On this page

Next steps

Keep building