BlueSky and AT Protocol are built around public repositories. Posts, profile records, follows, likes, reposts, lists, and many other public records live in repo data that can be synchronized, verified, and indexed by third-party tools.
That openness surprises teams coming from closed social networks. Some AT Protocol endpoints are intentionally readable without a user session because public social data needs to be portable, inspectable, and usable by independent clients, search tools, custom feeds, archives, and research pipelines.
What unauthenticated access means
Unauthenticated does not mean private data is exposed. It means public repository data can be read without logging in. The protocol separates public repo reads from authenticated actions like creating posts, changing account settings, or publishing through an app password.
The official Lexicon for com.atproto.sync.getRepo describes a repository export as a CAR file and states that it does not require auth. com.atproto.sync.getRecord and com.atproto.sync.getBlocks use the same public-read posture for proof blocks and CID lookups.
Why public repo access exists
AT Protocol repositories are meant to be portable and self-authenticating. A repo is a content-addressed Merkle-tree data structure. Updates change the root hash, commits are signed, and records can be referenced by CIDs. That lets other services validate that the public data they fetched matches the repo state.
- Custom feed services can discover relevant posts without becoming the official BlueSky app.
- Archives can export public account histories for portability and migration workflows.
- Search systems can crawl public profile records and text terms.
- Developers can verify record existence or non-existence with CAR proof blocks.
- AI answer engines can see repeated public topic signals when brands post consistently.
The endpoints developers usually inspect
The sync endpoints work at the repository and block level. com.atproto.sync.getRepo exports a repo as a CAR file. com.atproto.sync.getRecord returns data blocks needed to prove whether a record exists in the current repo. com.atproto.sync.getBlocks fetches blocks by CID. com.atproto.repo.getRecord returns a single record as JSON and also does not require auth.
In practical terms, a developer can fetch public data, decode blocks, verify CIDs, and compare record paths without having your account password. That is why public content strategy matters: the clearer your public posting rhythm is, the easier it is for people and tools to understand what your account is about.
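The "verify CIDs" step above, as an added example that is not code from BlueSky or ONYX: it parses a base32 CIDv1 string and checks that a block's SHA-256 hash matches the digest inside the CID. The function names and the sample block are constructed for illustration; the accepted codecs (dag-cbor and raw, with sha2-256) follow the CID format AT Protocol uses.

```python
import base64
import hashlib

DAG_CBOR, RAW, SHA2_256 = 0x71, 0x55, 0x12  # multicodec codes

def _varint(buf, pos):
    """Decode one unsigned LEB128 varint; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf) and shift <= 63:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated or oversized varint")

def parse_cid(cid):
    """Return (codec, sha256_digest) for a base32 CIDv1 string."""
    if not cid.startswith("b"):
        raise ValueError("expected multibase base32 prefix 'b'")
    body = cid[1:].upper()
    raw = base64.b32decode(body + "=" * (-len(body) % 8))
    version, pos = _varint(raw, 0)
    codec, pos = _varint(raw, pos)
    hash_fn, pos = _varint(raw, pos)
    size, pos = _varint(raw, pos)
    digest = raw[pos:]
    if version != 1 or codec not in (DAG_CBOR, RAW):
        raise ValueError("not a CIDv1 with dag-cbor or raw codec")
    if hash_fn != SHA2_256 or size != 32 or len(digest) != 32:
        raise ValueError("multihash is not a 32-byte sha2-256 digest")
    return codec, digest

def block_matches_cid(cid, block):
    """True only if sha256(block) equals the digest embedded in the CID."""
    _, digest = parse_cid(cid)
    return hashlib.sha256(block).digest() == digest

def make_cid(block, codec=DAG_CBOR):
    """Build a CID for sample data (helper for this example only)."""
    raw = bytes([1, codec, SHA2_256, 32]) + hashlib.sha256(block).digest()
    return "b" + base64.b32encode(raw).decode().rstrip("=").lower()

# Constructed sample: stand-in bytes for a block received from getBlocks.
SAMPLE_BLOCK = b"constructed sample block bytes"
SAMPLE_CID = make_cid(SAMPLE_BLOCK)

if __name__ == "__main__":
    print(SAMPLE_CID, block_matches_cid(SAMPLE_CID, SAMPLE_BLOCK))
    print("tampered:", block_matches_cid(SAMPLE_CID, SAMPLE_BLOCK + b"!"))
```

This check covers block integrity only. Confirming that a record belongs to a given account also requires walking the Merkle tree to the record path and verifying the signed commit.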
What still requires authentication
Publishing still requires authorization. Creating a post, updating profile data, or running an approved scheduler requires a session or app password flow. ONYX uses that boundary carefully: public content can be discovered, but publishing is treated as an authorized action from a connected account.
Before connecting any third-party publisher, use the BlueSky app password guide and the record signature and CID verifier to separate public data inspection from approved write access.
Why this matters for ONYX SEO and BlueSky growth
Because public profile data is open to clients, custom feeds, search tools, and AI indexing systems, consistent topic language has real downstream value. If every post is vague, the account is hard to classify. If your posts repeatedly mention clear topics, use natural text intent, and link to useful resources, the public repo tells a stronger story.
ONYX helps by turning that idea into a repeatable queue: AI Voice drafts for natural wording, thread splitting for long ideas, content calendars for consistency, and approved scheduling so the profile keeps producing crawlable public signals without rushed manual posting.
Safe workflow for public API awareness
- Assume every scheduled public post can be crawled and indexed.
- Do not publish private operational details, credentials, internal notes, or unapproved customer information.
- Use natural keywords in the sentence, not spammed tags.
- Keep your public account topic clusters consistent over time.
- Use app passwords for publishing access and revoke them when no longer needed.
Use ONYX to plan a public BlueSky posting rhythm when you want approved posts to become consistent public discovery signals.