From 2f3de1af3cab060b0382bb3ef109bccda9c6f233 Mon Sep 17 00:00:00 2001
From: Gabriel Bauman <967743+gabrielbauman@users.noreply.github.com>
Date: Sat, 6 Jun 2026 13:31:41 -0700
Subject: [PATCH] Add AT Protocol (lexicon/XRPC) support and one-command
 install

Add an `atproto` adapter kind: search/execute against any AT Protocol service
(e.g. Bluesky) via a thin, typed XRPC client. Types are reused from @atproto/api
with a type-only import, so none of the SDK runs in the execute sandbox;
writeTypes emits only an NSID -> {params,input,output} map, letting
client.query/procedure infer from the NSID string literal. The operation index
is built from the package's runtime `schemas`, and NSID -> namespace names come
from its `ids` export (never derived) so a type reference can't drift and break
the whole-program check.

Auth runs in the parent like OAuth: app-password sessions
(createSession/refreshSession), injecting only a short-lived access JWT into the
sandbox. Registering without an identifier is anonymous (public reads, no
token); with one, the parent mints/refreshes a session and guides to `login`
when needed.

install.sh now runs `anyapi-mcp install` after building (best-effort; opt out
with ANYAPI_MCP_NO_INSTALL), and `install` also registers with OpenCode by
merging an `mcp` entry into its config (its `mcp add` is interactive-only).
Docs and the landing page updated throughout.
---
 CLAUDE.md               |  95 +++++++----
 README.md               | 105 +++++++-----
 deno.lock               |  94 ++++++++++-
 site/index.html         |  37 +++--
 site/install.sh         |  34 +++-
 src/adapters.ts         |   2 +
 src/atproto-auth.ts     | 285 ++++++++++++++++++++++++++++++++
 src/atproto.ts          | 352 ++++++++++++++++++++++++++++++++++++++++
 src/atproto_test.ts     | 217 +++++++++++++++++++++++++
 src/commands/add.ts     |  76 ++++++++-
 src/commands/install.ts |  95 ++++++++++-
 src/commands/list.ts    |   5 +
 src/commands/login.ts   |  81 ++++++++-
 src/commands/logout.ts  |  30 +++-
 src/commands/serve.ts   |  85 ++++++++--
 src/register.ts         |  46 +++++-
 src/registry.ts         |  24 ++-
 17 files changed, 1524 insertions(+), 139 deletions(-)
 create mode 100644 src/atproto-auth.ts
 create mode 100644 src/atproto.ts
 create mode 100644 src/atproto_test.ts

diff --git a/CLAUDE.md b/CLAUDE.md
index 4e8a667..651c1ab 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,8 +1,9 @@
 # CLAUDE.md
 
 anyapi-mcp is a Deno 2.x CLI + stdio MCP server (TypeScript, strict) that turns
-an HTTP API (OpenAPI, GraphQL, or SOAP/WSDL) into a typed client the model
-drives by writing code. See [README.md](README.md) for the user-facing pitch.
+an HTTP API (OpenAPI, GraphQL, SOAP/WSDL, or AT Protocol/lexicon/XRPC) into a
+typed client the model drives by writing code. See [README.md](README.md) for
+the user-facing pitch.
 
 ## Commands
 
@@ -29,23 +30,24 @@ protocol plugs in through one in-tree adapter object.
 - `src/commands/{add,install,list,regenerate,login,logout,remove,serve}.ts`: one
   file per subcommand. `serve.ts` is the MCP server exposing `search`,
   `execute`, `authenticate`, `configure_oauth`, `add_api`, `list_apis`,
-  `remove_api`; `install.ts` registers anyapi-mcp with Claude Code / Desktop;
-  `login`/`logout` manage OAuth sessions; `regenerate.ts` rebuilds generated
-  code from saved sources (credentials untouched) — and `serve` runs the same
-  pass on stale entries at startup (see `register.ts`).
+  `remove_api`; `install.ts` registers anyapi-mcp with Claude Code, Claude
+  Desktop, and OpenCode; `login`/`logout` manage OAuth sessions and atproto
+  app-password sessions; `regenerate.ts` rebuilds generated code from saved
+  sources (credentials untouched) — and `serve` runs the same pass on stale
+  entries at startup (see `register.ts`).
 - `src/adapter.ts`: the `ProtocolAdapter` seam. `prepare()` turns a source into
   base URL + hosts + operation index + generated client types (+ optional
   discovered OAuth config); `buildHarness()` builds the `execute` preamble that
   puts a typed `client` in scope.
 - `src/adapters.ts`: discriminated-union registry keyed by `kind`. **Adding a
   protocol means a new entry here plus an adapter file, not a plugin system.**
-- `src/openapi.ts` / `src/graphql.ts` / `src/soap.ts`: the three adapters.
-  OpenAPI also does OAuth2 discovery (`discoverOAuth`) and derives the base URL
-  from document-, path-, or operation-level `servers` (`resolveBaseUrl`),
-  failing loudly if the result lands on a raw spec-hosting host (e.g.
-  raw.githubusercontent.com) rather than silently registering a broken base.
-  After `openapi-typescript` writes the `.d.ts`, OpenAPI post-processes it
-  through `src/openapi-sanitize.ts` (see below).
+- `src/openapi.ts` / `src/graphql.ts` / `src/soap.ts` / `src/atproto.ts`: the
+  protocol adapters. OpenAPI also does OAuth2 discovery (`discoverOAuth`) and
+  derives the base URL from document-, path-, or operation-level `servers`
+  (`resolveBaseUrl`), failing loudly if the result lands on a raw spec-hosting
+  host (e.g. raw.githubusercontent.com) rather than silently registering a
+  broken base. After `openapi-typescript` writes the `.d.ts`, OpenAPI
+  post-processes it through `src/openapi-sanitize.ts` (see below).
 - `src/openapi-sanitize.ts`: post-processes openapi-typescript output so a
   recursive "arbitrary JSON" schema (or a `$ref` cycle) can't fail the
   whole-program type check `execute` runs. openapi-typescript references schemas
@@ -63,8 +65,28 @@ protocol plugs in through one in-tree adapter object.
   browser login flow (local one-shot callback server), token storage in the
   keystore, automatic refresh (`ensureAccessToken`), and a small known-provider
   quirks table (e.g. Strava's real endpoints + comma scope separator).
+- `src/atproto.ts`: the AT Protocol adapter. It generates **no** types of its
+  own: `prepare()` dynamic-imports the lexicons shipped in `@atproto/api`
+  (pinned `ATPROTO_API`) to build the operation index from the runtime
+  `schemas`, and `writeTypes` emits only an `XrpcMethods` map (NSID →
+  `{ params, input, output }`) whose members point at the official per-method
+  type namespaces. NSID → namespace name comes from the package's own `ids`
+  export (never derived), so a `Lex.<Name>` reference can't drift and break the
+  whole-program check. The harness imports those types **type-only**
+  (`import type * as Lex`), so nothing from the SDK runs in the sandbox; the
+  client is a thin XRPC fetch wrapper whose `query`/`procedure` infer params +
+  result from the NSID string literal.
+- `src/atproto-auth.ts`: app-password session auth, the atproto analogue of
+  `oauth.ts`. `ensureAtprotoAccessToken` returns `string | undefined` and
+  escalates only as far as needed — empty `identifier` → `undefined` (anonymous;
+  public reads, no token) → cached access JWT → `refreshSession` →
+  `createSession` from the stored app password (the self-heal path; no browser,
+  unlike OAuth) — all in the parent. `identifier` is the intent signal: set
+  means "act as this account" (and a missing session/password is a hard
+  `AtprotoNeedsLoginError`, not a silent anonymous fallback); empty means
+  anonymous by design.
 - `src/registry.ts`: the `apis.jsonl` registry (one `RegistryEntry` per line).
-  `Auth` is a union: `none` | `bearer` | `oauth2`.
+  `Auth` is a union: `none` | `bearer` | `oauth2` | `atproto`.
 - `src/register.ts`: registration logic shared by `add` and `add_api`; resolves
   the OAuth config (precedence: explicit flag > quirk > discovered). `force`
   upserts in place (fresh `addedAt` invalidates serve's ops cache; same-id
@@ -85,7 +107,9 @@ protocol plugs in through one in-tree adapter object.
 - `src/keystore.ts`: OS keychain access (`security` on macOS, `secret-tool` on
   Linux). Service name is `anyapi-mcp`; accounts look like `anyapi-mcp:<id>`
   (bearer), `anyapi-mcp:<id>:client` / `anyapi-mcp:<id>:oauth` (OAuth client
-  creds + token bundle, each a JSON blob).
+  creds + token bundle), and `anyapi-mcp:<id>:apppass` /
+  `anyapi-mcp:<id>:session` (atproto app password + session bundle), each a JSON
+  blob.
 - `src/paths.ts`: XDG dirs. Registry under `~/.config/anyapi-mcp`, generated
   types under `~/.cache/anyapi-mcp`.
 - `src/execute/run.ts`: the sandboxed subprocess runner (per-call `check` and
@@ -106,12 +130,13 @@ protocol plugs in through one in-tree adapter object.
   `--check` — it never touches the net/env allowlist above, so it is not a grant
   widening.
 - **Secrets** live only in the OS keystore. The registry stores keystore account
-  names (`tokenKey`; for OAuth also `clientKey`), never the secret itself. No
-  MCP tool may accept secrets: bearer tokens go through
-  `anyapi-mcp add --token`, and OAuth client credentials go through
-  `anyapi-mcp login` (`--client-id` / `--client-secret`). The agent-facing
-  `authenticate` tool only (re-)runs the browser flow with credentials the user
-  already stored.
+  names (`tokenKey`; for OAuth also `clientKey`; for atproto `passwordKey` /
+  `sessionKey`), never the secret itself. No MCP tool may accept secrets: bearer
+  tokens go through `anyapi-mcp add --token`, OAuth client credentials through
+  `anyapi-mcp login` (`--client-id` / `--client-secret`), and atproto app
+  passwords through `anyapi-mcp login` (`--identifier`, password read without
+  echo) or `add --app-password`. The agent-facing `authenticate` tool only
+  (re-)runs the OAuth browser flow with credentials the user already stored.
 - **Agents may set only the _safe_ OAuth params.** `configure_oauth` (and the
   `login`/`add` CLI) can change `scopes`/`scopeSeparator`/`extraAuthParams`, but
   the `authorizationUrl`/`tokenUrl` endpoints are CLI-only: `tokenUrl` is where
@@ -119,11 +144,13 @@ protocol plugs in through one in-tree adapter object.
   exfiltration vector. `buildAuthorizeUrl` and `configure_oauth` both reject
   `RESERVED_AUTHORIZE_PARAMS` (`client_id`, `redirect_uri`, `response_type`,
   `scope`, `state`) in `extraAuthParams`.
-- **OAuth lives in the parent, never the sandbox.** Token refresh and the login
-  flow run in the serve/CLI process (full net + keystore). The execute sandbox
-  only ever receives a ready access token via `ANYAPI_MCP_TOKEN`; it never sees
-  the client secret or refresh token and never calls the token endpoint. Refresh
-  happens in `executeRequest` (via `ensureAccessToken`) before the harness runs.
+- **OAuth/atproto auth lives in the parent, never the sandbox.** Token/session
+  refresh and the login flow run in the serve/CLI process (full net + keystore).
+  The execute sandbox only ever receives a ready access token/JWT via
+  `ANYAPI_MCP_TOKEN`; it never sees the OAuth client secret/refresh token, nor
+  the atproto app password/refresh JWT, and never calls the token or session
+  endpoints. Refresh happens in `executeRequest` (via `ensureAccessToken` /
+  `ensureAtprotoAccessToken`) before the harness runs.
 - `serve` re-reads the registry on each call, so a mid-session `add_api`/`add`
   is usable without restart. Keep it stateless across calls.
 - Strict TS is on (`noUnusedLocals`, `noUnusedParameters`, `noImplicitOverride`,
@@ -133,8 +160,16 @@ protocol plugs in through one in-tree adapter object.
 
 OpenAPI specs in JSON or YAML — OpenAPI 3.x, or Swagger 2.0 auto-converted to
 3.0 via swagger2openapi — GraphQL endpoints, SOAP/WSDL (WSDL 1.1,
-document/literal). Auth: none, bearer, or OAuth 2.0 **authorization-code** (the
+document/literal), and AT Protocol/lexicon/XRPC (the lexicon set shipped in the
+pinned `@atproto/api`; `add --kind atproto <pds-url>`, e.g.
+https://bsky.social). Auth: none, bearer, OAuth 2.0 **authorization-code** (the
 only OAuth flow; auto-discovered from OpenAPI security schemes, or set manually
-with `--oauth`/`--auth-url`/`--token-url`). No PKCE, no implicit/client-creds/
-password grants yet. Each `execute` is a fresh subprocess with no persisted
-state; OAuth tokens persist in the keystore and refresh automatically.
+with `--oauth`/`--auth-url`/`--token-url`), or atproto **app-password sessions**
+(`createSession`/`refreshSession`, minted/refreshed in the parent; the sandbox
+gets only the access JWT) — or **anonymous** atproto (no `--identifier`) for
+public reads, replacing the old "point an OpenAPI entry at the public AppView"
+trick. No PKCE, no implicit/client-creds/password grants, and no atproto
+**OAuth** (its DPoP-bound tokens can't be replayed as a bearer through the
+sandbox) yet. Each `execute` is a fresh subprocess with no persisted state;
+OAuth tokens and atproto sessions persist in the keystore and refresh
+automatically.
diff --git a/README.md b/README.md
index e4bed51..4a1b51d 100644
--- a/README.md
+++ b/README.md
@@ -2,10 +2,11 @@
 
 **anyapi-mcp is one local MCP server that lets your model talk to almost any
 HTTP API.** Add it once to Claude Code or Claude Desktop, then point it at any
-API you find (an OpenAPI spec, a GraphQL endpoint, or a SOAP/WSDL service) and
-your model can search and call it right away. No separate server or custom
-integration per API: one server covers everything you register, and it stays
-token-efficient however many calls a task takes.
+API you find (an OpenAPI spec, a GraphQL endpoint, a SOAP/WSDL service, or an AT
+Protocol/XRPC service like Bluesky) and your model can search and call it right
+away. No separate server or custom integration per API: one server covers
+everything you register, and it stays token-efficient however many calls a task
+takes.
 
 Under the hood it generates a typed client from the API's own description and
 exposes a small set of tools: `search` to find operations, `execute` to run a
@@ -50,20 +51,17 @@ The quickest way - builds from source, so you'll need [Deno](https://deno.com/)
 curl -fsSL https://gabrielbauman.github.io/anyapi-mcp/install.sh | sh
 ```
 
-It fetches the source, runs `deno task compile`, and drops an `anyapi-mcp`
-binary in `~/.local/bin` (override the location with `ANYAPI_MCP_BIN_DIR`).
+It fetches the source, runs `deno task compile`, drops an `anyapi-mcp` binary in
+`~/.local/bin` (override the location with `ANYAPI_MCP_BIN_DIR`), and registers
+it with Claude Code, Claude Desktop, and OpenCode so it's ready to use (skip
+that last step with `ANYAPI_MCP_NO_INSTALL=1`).
 
 Or build it yourself:
 
 ```sh
 deno task compile          # produces a self-contained ./anyapi-mcp binary
 mv ./anyapi-mcp ~/.local/bin/   # or anywhere on your PATH
-```
-
-Then point your MCP client at it automatically:
-
-```sh
-anyapi-mcp install           # adds it to Claude Code and/or Claude Desktop
+anyapi-mcp install              # register it with Claude Code, Claude Desktop, and OpenCode
 ```
 
 Or run from source during development:
@@ -76,24 +74,26 @@ deno task dev list         # = deno run -A src/main.ts list
 
 ### `add <url-or-path> [options]`
 
-Inspects the source (an OpenAPI spec, a GraphQL endpoint, or a WSDL), derives
-the base URL and host, builds a searchable operation index, generates a typed
-client, and writes a registry entry.
-
-| Option                            | Description                                                                                               |
-| --------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| `--kind <openapi\|graphql\|soap>` | Protocol (default: `openapi`). `graphql` introspects an endpoint; `soap` reads a WSDL URL.                |
-| `--id <slug>`                     | Id used on the CLI and in `execute` (default: the base URL in reverse-DNS form, e.g. `com.github.api`).   |
-| `--name <name>`                   | Human-friendly name (default: spec `info.title`).                                                         |
-| `--base-url <url>`                | Override the base URL (otherwise derived from the spec's document-, path-, or operation-level `servers`). |
-| `--docs <url>`                    | Documentation URL to store and surface (not parsed).                                                      |
-| `--token`                         | Store a bearer token. Read without echo from a TTY, or piped via stdin.                                   |
-| `--oauth`                         | Treat the API as OAuth 2.0 even if the spec doesn't declare it.                                           |
-| `--auth-url` / `--token-url`      | OAuth authorize / token endpoints (override the spec's values).                                           |
-| `--scope <name>`                  | Scope to request at login (repeatable; default: the spec's scopes).                                       |
-| `--scope-separator <sep>`         | Scope separator in the authorize URL (default `" "`; Strava uses `","`).                                  |
-| `--no-auth`                       | Register without authentication.                                                                          |
-| `--force`                         | Overwrite an existing API with the same id instead of failing (e.g. to fix a wrong base URL).             |
+Inspects the source (an OpenAPI spec, a GraphQL endpoint, a WSDL, or an atproto
+PDS/service URL), derives the base URL and host, builds a searchable operation
+index, generates a typed client, and writes a registry entry.
+
+| Option                                     | Description                                                                                                                                                |
+| ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--kind <openapi\|graphql\|soap\|atproto>` | Protocol (default: `openapi`). `graphql` introspects an endpoint; `soap` reads a WSDL URL; `atproto` takes a PDS/service URL (e.g. `https://bsky.social`). |
+| `--id <slug>`                              | Id used on the CLI and in `execute` (default: the base URL in reverse-DNS form, e.g. `com.github.api`).                                                    |
+| `--name <name>`                            | Human-friendly name (default: spec `info.title`).                                                                                                          |
+| `--base-url <url>`                         | Override the base URL (otherwise derived from the spec's document-, path-, or operation-level `servers`).                                                  |
+| `--docs <url>`                             | Documentation URL to store and surface (not parsed).                                                                                                       |
+| `--token`                                  | Store a bearer token. Read without echo from a TTY, or piped via stdin.                                                                                    |
+| `--identifier <handle>`                    | atproto: the account handle/email to authenticate as (not a secret).                                                                                       |
+| `--app-password`                           | atproto: store an app password now. Read without echo from a TTY, or piped via stdin.                                                                      |
+| `--oauth`                                  | Treat the API as OAuth 2.0 even if the spec doesn't declare it.                                                                                            |
+| `--auth-url` / `--token-url`               | OAuth authorize / token endpoints (override the spec's values).                                                                                            |
+| `--scope <name>`                           | Scope to request at login (repeatable; default: the spec's scopes).                                                                                        |
+| `--scope-separator <sep>`                  | Scope separator in the authorize URL (default `" "`; Strava uses `","`).                                                                                   |
+| `--no-auth`                                | Register without authentication.                                                                                                                           |
+| `--force`                                  | Overwrite an existing API with the same id instead of failing (e.g. to fix a wrong base URL).                                                              |
 
 If the base URL can't be derived and would fall back to a raw spec-hosting host
 (e.g. `raw.githubusercontent.com`), `add` fails loudly instead of registering a
@@ -121,6 +121,13 @@ anyapi-mcp add https://countries.trevorblades.com/ --kind graphql
 
 # soap - read a public WSDL pointing at a live service:
 anyapi-mcp add "http://www.dneonline.com/calculator.asmx?WSDL" --kind soap
+
+# atproto - anonymous public reads (no login), via the public AppView:
+anyapi-mcp add https://public.api.bsky.app --kind atproto --id bsky-public
+
+# atproto - register your account to post / read private data (PDS + login):
+anyapi-mcp add https://bsky.social --kind atproto --id bsky --identifier you.bsky.social
+anyapi-mcp login bsky   # prompts for an app password (no echo)
 ```
 
 ### `list`
@@ -360,13 +367,26 @@ For a **SOAP** API the harness exposes one method per operation -
 `{ status, data, raw }` where `data` is the parsed SOAP `Body`. anyapi-mcp
 builds the envelope and parses the response for you.
 
+For an **atproto** (AT Protocol / lexicon / XRPC) API the harness exposes
+`client.query(nsid, params)` and `client.procedure(nsid, input)`. The NSID
+string literal selects the official `@atproto/api` types (imported type-only, so
+none of the SDK runs in the sandbox), so params, input, and the awaited result
+are all typed -
+`const tl = await client.query("app.bsky.feed.getTimeline", { limit: 20 })`
+gives a typed `tl.feed`. Public reads work anonymously - register against the
+public AppView (`https://public.api.bsky.app`) with no `--identifier`. Writes
+and your own private data need a session: register against your PDS (e.g.
+`https://bsky.social`) with `--identifier`, then run
+[`login`](#login-id-options) once to store an app password.
+
 ## Design notes & limits
 
 - **Secrets** live in the OS keystore (service `anyapi-mcp`), never in the
   registry. The registry only records keystore account names (`tokenKey`; for
-  OAuth also `clientKey`). OAuth refresh and the browser login run in the parent
-  process — the execute sandbox only ever receives a ready access token, never
-  the client secret or refresh token.
+  OAuth also `clientKey`; for atproto `passwordKey` / `sessionKey`). OAuth and
+  atproto refresh/login run in the parent process — the execute sandbox only
+  ever receives a ready access token/JWT, never the client secret, refresh
+  token, app password, or refresh JWT.
 - **Files**: registry at `$XDG_CONFIG_HOME/anyapi-mcp/apis.jsonl` (default
   `~/.config/anyapi-mcp`); generated `.d.ts` and operation indexes at
   `$XDG_CACHE_HOME/anyapi-mcp` (default `~/.cache/anyapi-mcp`).
@@ -381,18 +401,21 @@ builds the envelope and parses the response for you.
 - **Protocols & adapters**: each protocol is an in-tree `ProtocolAdapter`
   (`src/adapter.ts`) - a `prepare()` that turns a source into base URL + hosts +
   an operation index + generated types, and a `buildHarness()` that puts a typed
-  `client` in scope. OpenAPI, GraphQL, and SOAP/WSDL ship today; adding one is a
-  new arm in `src/adapters.ts`, not a plugin system. The registry, `search`, and
-  the execute sandbox are protocol-agnostic.
+  `client` in scope. OpenAPI, GraphQL, SOAP/WSDL, and AT Protocol/XRPC ship
+  today; adding one is a new arm in `src/adapters.ts`, not a plugin system. The
+  registry, `search`, and the execute sandbox are protocol-agnostic.
 - **SOAP scope**: WSDL 1.1, SOAP 1.1/1.2, document/literal, public WSDL → live
   service. Not covered: rpc/encoded, WS-Security / SOAP headers, MTOM, external
   XSD imports, WSDL 2.0.
 - **v1 scope**: OpenAPI specs in JSON or YAML - OpenAPI 3.x, or Swagger 2.0
-  auto-converted to 3.0 - plus GraphQL endpoints and SOAP/WSDL services; **no /
-  bearer / OAuth 2.0 authorization-code** auth (no PKCE, implicit,
-  client-credentials, or password grants). `search` is keyword-based over the
-  operation index - no embeddings or freeform-doc search. Each `execute` is a
-  fresh subprocess (no persistent state between calls); OAuth tokens persist in
+  auto-converted to 3.0 - plus GraphQL endpoints, SOAP/WSDL services, and AT
+  Protocol/lexicon/XRPC (the lexicon set shipped in the pinned `@atproto/api`).
+  Auth: **none / bearer / OAuth 2.0 authorization-code** (no PKCE, implicit,
+  client-credentials, or password grants), or atproto **app-password sessions**
+  (or anonymous, for public reads; atproto OAuth, whose tokens are DPoP-bound,
+  isn't supported yet). `search` is keyword-based over the operation index - no
+  embeddings or freeform-doc search. Each `execute` is a fresh subprocess (no
+  persistent state between calls); OAuth tokens and atproto sessions persist in
   the keychain and refresh automatically.
 
 ## Development
diff --git a/deno.lock b/deno.lock
index 8d3baf3..b550eb5 100644
--- a/deno.lock
+++ b/deno.lock
@@ -10,6 +10,7 @@
     "jsr:@std/internal@^1.0.14": "1.0.14",
     "jsr:@std/path@^1.1.5": "1.1.5",
     "jsr:@std/yaml@^1.1.1": "1.1.1",
+    "npm:@atproto/api@0.20.9": "0.20.9",
     "npm:@modelcontextprotocol/sdk@1.29.0": "1.29.0_zod@4.4.3",
     "npm:fast-xml-parser@*": "4.5.6",
     "npm:fast-xml-parser@^4.5.6": "4.5.6",
@@ -56,6 +57,67 @@
     }
   },
   "npm": {
+    "@atproto/api@0.20.9": {
+      "integrity": "sha512-Yuw7Ewn+yMJZ8GskbuvI3lKPW65rsXic1xjFA2Dpq6H8WjVYs6xNZ31bkwtTYDDwjKIZcJmAVbAVgdfjo4T9iw==",
+      "dependencies": [
+        "@atproto/common-web",
+        "@atproto/lexicon",
+        "@atproto/syntax",
+        "@atproto/xrpc",
+        "await-lock",
+        "multiformats",
+        "tlds",
+        "zod@3.25.76"
+      ]
+    },
+    "@atproto/common-web@0.5.0": {
+      "integrity": "sha512-ReWnkuZdDU/74/I47gaI26uxQjHmpq4edp41NnZZQ5vIIKGb7Ei6pZHzDTUD9JURo109SKrPx9RMP2IQm0fOKA==",
+      "dependencies": [
+        "@atproto/lex-data",
+        "@atproto/lex-json",
+        "@atproto/syntax",
+        "zod@3.25.76"
+      ]
+    },
+    "@atproto/lex-data@0.1.1": {
+      "integrity": "sha512-/xza8nU/YhtzhETnHL3QKKofaJ28/0NCzhT7LaYoUkm8EgypWp5ykEtmW52yLhQM2JF6fVa25g1soQmNTGqtSg==",
+      "dependencies": [
+        "multiformats",
+        "tslib",
+        "uint8arrays",
+        "unicode-segmenter"
+      ]
+    },
+    "@atproto/lex-json@0.1.0": {
+      "integrity": "sha512-oWUrRMwFyWpmi/5k1Se3xBTbP06XdxBS5iFuUz9LmqItaPXwrWRD87a9ldPvINQ/A2/mn7J6/qug8sDVlhD+vQ==",
+      "dependencies": [
+        "@atproto/lex-data",
+        "tslib"
+      ]
+    },
+    "@atproto/lexicon@0.7.1": {
+      "integrity": "sha512-voNfNED5KUxn3vpo7N5DMRblBDfWf7kSfdKhJFC1RrLCxg38YbBzzURNVQJ32bp13Oot8kYfyXBWxTgtKLvw8w==",
+      "dependencies": [
+        "@atproto/common-web",
+        "@atproto/syntax",
+        "multiformats",
+        "zod@3.25.76"
+      ]
+    },
+    "@atproto/syntax@0.6.1": {
+      "integrity": "sha512-kA4dQDoMPpWCH8N0Q4KoSq024u5MkVfDVa8DdhyLjGA72z/khbOf1jXKPv7NIL2oEc9aj7geKELdvqyf4ogopA==",
+      "dependencies": [
+        "iso-datestring-validator",
+        "tslib"
+      ]
+    },
+    "@atproto/xrpc@0.8.0": {
+      "integrity": "sha512-NJy02bIKrWlE2NQkRV1kT0Cj0ixbuxlF/MejBdo4cPWAa9v3oZexvAcjjb0zaOYeABkaU14iyIhvn2G4e/oLpw==",
+      "dependencies": [
+        "@atproto/lexicon",
+        "zod@3.25.76"
+      ]
+    },
     "@babel/code-frame@7.29.7": {
       "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
       "dependencies": [
@@ -94,7 +156,7 @@
         "json-schema-typed",
         "pkce-challenge",
         "raw-body",
-        "zod",
+        "zod@4.4.3",
         "zod-to-json-schema"
       ]
     },
@@ -167,6 +229,9 @@
     "argparse@2.0.1": {
       "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="
     },
+    "await-lock@3.0.0": {
+      "integrity": "sha512-eO6fLiSnrJrMdjWMNK8zbVRXPs2TKJg78iKZd9wDpN3na5tcoV6EoeiOlMgk2QaAQ1gIrK1YuMsJHXWqz89tSA=="
+    },
     "balanced-match@1.0.2": {
       "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
     },
@@ -485,6 +550,9 @@
     "isexe@2.0.0": {
       "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="
     },
+    "iso-datestring-validator@2.2.2": {
+      "integrity": "sha512-yLEMkBbLZTlVQqOnQ4FiMujR6T4DEcCb1xizmvXS+OxuhwcbtynoosRzdMA69zZCShCNAbi+gJ71FxZBBXx1SA=="
+    },
     "jose@6.2.3": {
       "integrity": "sha512-YYVDInQKFJfR/xa3ojUTl8c2KoTwiL1R5Wg9YCydwH0x0B9grbzlg5HC7mMjCtUJjbQ/YnGEZIhI5tCgfTb4Hw=="
     },
@@ -534,6 +602,9 @@
     "ms@2.1.3": {
       "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
     },
+    "multiformats@13.4.2": {
+      "integrity": "sha512-eh6eHCrRi1+POZ3dA+Dq1C6jhP1GNtr9CRINMb67OKzqW9I5DUuZM/3jLPlzhgpGeiNUlEGEbkCYChXMCc/8DQ=="
+    },
     "negotiator@1.0.0": {
       "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="
     },
@@ -849,12 +920,19 @@
       ],
       "bin": true
     },
+    "tlds@1.261.0": {
+      "integrity": "sha512-QXqwfEl9ddlGBaRFXIvNKK6OhipSiLXuRuLJX5DErz0o0Q0rYxulWLdFryTkV5PkdZct5iMInwYEGe/eR++1AA==",
+      "bin": true
+    },
     "toidentifier@1.0.1": {
       "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA=="
     },
     "tr46@0.0.3": {
       "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
     },
+    "tslib@2.8.1": {
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="
+    },
     "type-fest@4.41.0": {
       "integrity": "sha512-TeTSQ6H5YHvpqVwBRcnLDCBnDOHWYu7IvGbHT6N8AOymcr9PJGjc1GTtiWZTYg0NCgYwvnYWEkVChQAr9bjfwA=="
     },
@@ -870,6 +948,15 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "bin": true
     },
+    "uint8arrays@5.1.1": {
+      "integrity": "sha512-9muQwa4wZG4dKi9gMAIBtnk2Pw87SRpvWTH6lOGm19V2Uqxr4uomUf2PGqPnWc+qs06sN8owUU4jfcoWOcfwVQ==",
+      "dependencies": [
+        "multiformats"
+      ]
+    },
+    "unicode-segmenter@0.14.5": {
+      "integrity": "sha512-jHGmj2LUuqDcX3hqY12Ql+uhUTn8huuxNZGq7GvtF6bSybzH3aFgedYu/KTzQStEgt1Ra2F3HxadNXsNjb3m3g=="
+    },
     "unpipe@1.0.0": {
       "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="
     },
@@ -934,9 +1021,12 @@
     "zod-to-json-schema@3.25.2_zod@4.4.3": {
       "integrity": "sha512-O/PgfnpT1xKSDeQYSCfRI5Gy3hPf91mKVDuYLUHZJMiDFptvP41MSnWofm8dnCm0256ZNfZIM7DSzuSMAFnjHA==",
       "dependencies": [
-        "zod"
+        "zod@4.4.3"
       ]
     },
+    "zod@3.25.76": {
+      "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="
+    },
     "zod@4.4.3": {
       "integrity": "sha512-ytENFjIJFl2UwYglde2jchW2Hwm4GJFLDiSXWdTrJQBIN9Fcyp7n4DhxJEiWNAJMV1/BqWfW/kkg71UDcHJyTQ=="
     }
diff --git a/site/index.html b/site/index.html
index b6ba722..048cf51 100644
--- a/site/index.html
+++ b/site/index.html
@@ -3,11 +3,11 @@
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>anyapi-mcp - one MCP server for almost any HTTP API</title>
-  <meta name="description" content="One local MCP server that lets your model talk to almost any HTTP API: OpenAPI, GraphQL, or SOAP/WSDL. Install with a single command.">
+  <title>anyapi-mcp - one MCP server, every API your model needs</title>
+  <meta name="description" content="One local MCP server that lets your model use any HTTP API you register - OpenAPI, GraphQL, SOAP/WSDL, or AT Protocol (Bluesky). Register as many as you want; it searches and calls whichever the task needs, and can add more on the fly.">
   <meta name="theme-color" content="#0b0e13">
   <meta property="og:title" content="anyapi-mcp">
-  <meta property="og:description" content="One local MCP server for almost any HTTP API. Point it at an OpenAPI spec, a GraphQL endpoint, or a SOAP/WSDL service and your model can call it right away.">
+  <meta property="og:description" content="Run one local MCP server, then ask your model to use any HTTP API - OpenAPI, GraphQL, SOAP/WSDL, or AT Protocol (Bluesky). Register as many as you want; it calls whichever the task needs, no tool-per-endpoint bloat, no restart.">
   <meta property="og:type" content="website">
   <style>
     :root {
@@ -134,11 +134,14 @@
     </header>
 
     <main>
-      <h1>One MCP server for almost any HTTP API.</h1>
+      <h1>Ask your model to use any API.</h1>
       <p class="lede">
-        Point it at an OpenAPI spec, a GraphQL endpoint, or a SOAP/WSDL service,
-        and your model can search and call it right away, driving a typed
-        client by writing code instead of one MCP tool per endpoint.
+        anyapi-mcp is one local MCP server for all the APIs your model needs.
+        Register as many as you want - OpenAPI specs, GraphQL endpoints,
+        SOAP/WSDL services, AT Protocol services like Bluesky - and your model
+        searches and calls whichever the task needs by writing code against a
+        typed client. It can even register new ones mid-conversation. No tool
+        per endpoint, no restart.
       </p>
 
       <div class="install">
@@ -156,14 +159,19 @@ <h1>One MCP server for almost any HTTP API.</h1>
       <section>
         <h2>Then</h2>
         <ol class="steps">
-          <li><code class="inline">anyapi-mcp install</code> - register it with Claude Code and/or Claude Desktop.</li>
-          <li><code class="inline">anyapi-mcp add &lt;spec-url&gt;</code> - point it at an API.</li>
+          <li>Ask your model to register an API - give it any OpenAPI, GraphQL, SOAP, or AT Protocol URL.</li>
           <li>Ask your model to use it. It searches, writes a short program, and runs it.</li>
         </ol>
+        <p class="note">
+          Prefer the terminal? It's a full CLI too -
+          <code class="inline">anyapi-mcp add</code>, <code class="inline">list</code>,
+          <code class="inline">login</code>, and more
+          (<code class="inline">anyapi-mcp --help</code>).
+        </p>
       </section>
 
       <section>
-        <h2>Three tools, not three hundred</h2>
+        <h2>A handful of tools, not hundreds</h2>
         <div class="grid">
           <div class="card">
             <h3>search</h3>
@@ -179,9 +187,12 @@ <h3>add_api</h3>
           </div>
         </div>
         <p class="note">
-          The model writes code and runs it; intermediate results stay in the
-          sandbox instead of round-tripping through the model, so a ten-step
-          workflow costs one tool call and a handful of tokens, not ten.
+          These are the three you'll use most (a few more handle listing,
+          removing, and signing in). The set is fixed - it never grows into one
+          tool per endpoint, however many APIs you register. The model writes
+          code and runs it, and intermediate results stay in the sandbox instead
+          of round-tripping through the model, so a ten-step workflow costs one
+          tool call and a handful of tokens, not ten.
         </p>
       </section>
     </main>
diff --git a/site/install.sh b/site/install.sh
index c92816b..4f894b3 100755
--- a/site/install.sh
+++ b/site/install.sh
@@ -1,11 +1,14 @@
 #!/bin/sh
-# anyapi-mcp installer: build the CLI from source and drop it on your PATH.
+# anyapi-mcp installer: build the CLI from source, drop it on your PATH, and
+# register it with your MCP clients (Claude Code, Claude Desktop, OpenCode) so the
+# model can use it right away.
 #
 #   curl -fsSL https://gabrielbauman.github.io/anyapi-mcp/install.sh | sh
 #
 # Overridable via environment:
-#   ANYAPI_MCP_REF      git ref (branch or tag) to install   (default: main)
-#   ANYAPI_MCP_BIN_DIR  directory to install the binary into  (default: ~/.local/bin)
+#   ANYAPI_MCP_REF         git ref (branch or tag) to install   (default: main)
+#   ANYAPI_MCP_BIN_DIR     directory to install the binary into  (default: ~/.local/bin)
+#   ANYAPI_MCP_NO_INSTALL  set to any value to skip registering with MCP clients (Claude Code, Desktop, OpenCode)
 set -eu
 
 REPO="gabrielbauman/anyapi-mcp"
@@ -53,7 +56,25 @@ mv "$tmp/src/$BIN_NAME" "$BIN_DIR/$BIN_NAME"
 chmod +x "$BIN_DIR/$BIN_NAME"
 info "Installed $BIN_NAME to $BIN_DIR/$BIN_NAME"
 
-# 5. PATH hint, then next steps.
+# 5. Register with local MCP clients (Claude Code, Claude Desktop, OpenCode) so the
+#    model can use it right away. Run via the full path (BIN_DIR may not be on PATH yet) and
+#    best-effort: a missing/odd client shouldn't fail an otherwise-good install.
+#    Opt out with ANYAPI_MCP_NO_INSTALL (e.g. to register manually at a different scope).
+if [ -n "${ANYAPI_MCP_NO_INSTALL:-}" ]; then
+  info ""
+  info "Skipping client registration (ANYAPI_MCP_NO_INSTALL set); register later with:"
+  info "  $BIN_NAME install"
+else
+  info ""
+  info "Registering with your MCP clients ($BIN_NAME install) ..."
+  if ! "$BIN_DIR/$BIN_NAME" install; then
+    info ""
+    info "note: automatic registration didn't finish; run it yourself with:"
+    info "  $BIN_NAME install"
+  fi
+fi
+
+# 6. PATH hint.
 case ":$PATH:" in
   *":$BIN_DIR:"*) ;;
   *)
@@ -63,7 +84,8 @@ case ":$PATH:" in
     ;;
 esac
 
+# 7. Next steps.
 info ""
-info "Done. Next:"
-info "  $BIN_NAME install        # register it with Claude Code and/or Claude Desktop"
+info "Done. Try it:"
 info "  $BIN_NAME add https://petstore3.swagger.io/api/v3/openapi.json"
+info "Then start (or restart) your client and ask your model to use it."
diff --git a/src/adapters.ts b/src/adapters.ts
index d04bd79..a336664 100644
--- a/src/adapters.ts
+++ b/src/adapters.ts
@@ -4,11 +4,13 @@ import type { ProtocolAdapter } from "./adapter.ts";
 import { openapiAdapter } from "./openapi.ts";
 import { graphqlAdapter } from "./graphql.ts";
 import { soapAdapter } from "./soap.ts";
+import { atprotoAdapter } from "./atproto.ts";
 
 const ADAPTERS: Record<string, ProtocolAdapter> = {
   openapi: openapiAdapter,
   graphql: graphqlAdapter,
   soap: soapAdapter,
+  atproto: atprotoAdapter,
 };
 
 /** Adapter kinds that can be registered, e.g. for CLI help and validation. */
diff --git a/src/atproto-auth.ts b/src/atproto-auth.ts
new file mode 100644
index 0000000..5ad9418
--- /dev/null
+++ b/src/atproto-auth.ts
@@ -0,0 +1,285 @@
+// AT Protocol app-password session auth. Like the OAuth module, everything here
+// runs in the *parent* serve/CLI process (full network + keystore). The execute
+// sandbox only ever receives a short-lived access JWT via ANYAPI_MCP_TOKEN; the
+// app password and the refresh JWT never enter it.
+//
+// A session is minted with com.atproto.server.createSession (identifier + app
+// password) and kept fresh with com.atproto.server.refreshSession. Because the
+// app password is stored in the keystore, a dead session re-mints with no browser
+// and no human - so this "self-heals" where OAuth would need a fresh login.
+//
+// Secrets boundary (mirrors the bearer/OAuth ones): the registry stores only
+// keystore account names (passwordKey, sessionKey). The app password and the
+// session bundle live exclusively in the keystore.
+
+import { deleteSecret, getSecret, setSecret } from "./keystore.ts";
+import type { AtprotoAuth, RegistryEntry } from "./registry.ts";
+
+/** A session bundle, stored as JSON under the keystore `sessionKey`. */
+export interface AtprotoSession {
+  accessJwt: string;
+  refreshJwt: string;
+  did: string;
+  handle: string;
+}
+
+/** Refresh when the access JWT is within this window of its (decoded) expiry. */
+const EXPIRY_SKEW_MS = 60_000;
+
+/**
+ * Thrown when an atproto API can't be used until the user (re-)authenticates
+ * (no app password stored, or the stored one no longer works). The serve layer
+ * turns this into guidance rather than a hard failure.
+ */
+export class AtprotoNeedsLoginError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "AtprotoNeedsLoginError";
+  }
+}
+
+// ---- keystore ----
+
+export function loadAppPassword(
+  auth: AtprotoAuth,
+): Promise<string | undefined> {
+  return getSecret(auth.passwordKey);
+}
+export async function saveAppPassword(
+  auth: AtprotoAuth,
+  password: string,
+): Promise<void> {
+  await setSecret(auth.passwordKey, password);
+}
+async function loadSession(
+  auth: AtprotoAuth,
+): Promise<AtprotoSession | undefined> {
+  const raw = await getSecret(auth.sessionKey);
+  if (!raw) return undefined;
+  try {
+    return JSON.parse(raw) as AtprotoSession;
+  } catch {
+    return undefined;
+  }
+}
+async function saveSession(
+  auth: AtprotoAuth,
+  session: AtprotoSession,
+): Promise<void> {
+  await setSecret(auth.sessionKey, JSON.stringify(session));
+}
+/** Delete the session (always) and, if `forgetPassword`, the app password too. */
+export async function clearAtprotoSecrets(
+  auth: AtprotoAuth,
+  opts: { forgetPassword?: boolean } = {},
+): Promise<{ session: boolean; password: boolean }> {
+  const session = await deleteSecret(auth.sessionKey);
+  const password = opts.forgetPassword
+    ? await deleteSecret(auth.passwordKey)
+    : false;
+  return { session, password };
+}
+
+// ---- session endpoints (com.atproto.server.*) ----
+
+function xrpcUrl(baseUrl: string, nsid: string): string {
+  return `${baseUrl.replace(/\/+$/, "")}/xrpc/${nsid}`;
+}
+
+interface SessionResponse {
+  accessJwt?: string;
+  refreshJwt?: string;
+  did?: string;
+  handle?: string;
+  error?: string;
+  message?: string;
+}
+
+function parseSession(json: SessionResponse): AtprotoSession {
+  if (!json.accessJwt || !json.refreshJwt) {
+    throw new Error(
+      json.error
+        ? `${json.error}${json.message ? `: ${json.message}` : ""}`
+        : "session response missing accessJwt/refreshJwt",
+    );
+  }
+  return {
+    accessJwt: json.accessJwt,
+    refreshJwt: json.refreshJwt,
+    did: json.did ?? "",
+    handle: json.handle ?? "",
+  };
+}
+
+async function postSession(
+  url: string,
+  init: { body?: string; bearer?: string },
+): Promise<AtprotoSession> {
+  const headers: Record<string, string> = {};
+  if (init.body !== undefined) headers["content-type"] = "application/json";
+  if (init.bearer) headers["authorization"] = `Bearer ${init.bearer}`;
+  const res = await fetch(url, { method: "POST", headers, body: init.body });
+  const text = await res.text();
+  let json: SessionResponse;
+  try {
+    json = JSON.parse(text) as SessionResponse;
+  } catch {
+    throw new Error(
+      `atproto session endpoint returned non-JSON (HTTP ${res.status}): ${
+        text.slice(0, 200)
+      }`,
+    );
+  }
+  if (!res.ok && !json.accessJwt) {
+    throw new Error(
+      json.error
+        ? `${json.error}${json.message ? `: ${json.message}` : ""}`
+        : `HTTP ${res.status}: ${text.slice(0, 200)}`,
+    );
+  }
+  return parseSession(json);
+}
+
+/** Mint a fresh session from an app password (com.atproto.server.createSession). */
+export function createSession(
+  baseUrl: string,
+  identifier: string,
+  password: string,
+): Promise<AtprotoSession> {
+  return postSession(xrpcUrl(baseUrl, "com.atproto.server.createSession"), {
+    body: JSON.stringify({ identifier, password }),
+  });
+}
+
+/** Exchange the refresh JWT for a fresh session (com.atproto.server.refreshSession). */
+function refreshSession(
+  baseUrl: string,
+  refreshJwt: string,
+): Promise<AtprotoSession> {
+  return postSession(xrpcUrl(baseUrl, "com.atproto.server.refreshSession"), {
+    bearer: refreshJwt,
+  });
+}
+
+/**
+ * Mint a session from an app password and persist both (used by `anyapi-mcp
+ * login`). createSession runs first, so a wrong password throws before anything
+ * is stored. Returns the new session (the caller reports who it's for).
+ */
+export async function loginWithAppPassword(
+  auth: AtprotoAuth,
+  baseUrl: string,
+  identifier: string,
+  password: string,
+): Promise<AtprotoSession> {
+  const session = await createSession(baseUrl, identifier, password);
+  await saveAppPassword(auth, password);
+  await saveSession(auth, session);
+  return session;
+}
+
+/** Decode a JWT's `exp` claim to epoch ms, or undefined if absent/unparseable. */
+function jwtExpiryMs(jwt: string): number | undefined {
+  const parts = jwt.split(".");
+  if (parts.length < 2) return undefined;
+  try {
+    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
+    const payload = JSON.parse(atob(padded)) as { exp?: number };
+    return typeof payload.exp === "number" ? payload.exp * 1000 : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function nearExpiry(jwt: string): boolean {
+  const exp = jwtExpiryMs(jwt);
+  if (exp === undefined) return false; // can't tell; assume usable
+  return Date.now() >= exp - EXPIRY_SKEW_MS;
+}
+
+/**
+ * Return a usable access JWT, or `undefined` to run anonymously. Escalates only
+ * as far as needed:
+ *   0. no identifier configured => anonymous; return undefined (public reads);
+ *   1. a cached, unexpired access JWT is used as-is;
+ *   2. else refreshSession (using the refresh JWT);
+ *   3. else createSession (using the stored app password) - the self-heal path.
+ * An empty identifier means the user never set up credentials (both `login` and
+ * `add --app-password` require one), so it's anonymous by intent rather than a
+ * dropped session. When an identifier IS set but there's no usable session/app
+ * password, throws AtprotoNeedsLoginError to steer the caller to
+ * `anyapi-mcp login` (rather than silently 401ing on an authed endpoint).
+ * Persists any newly minted/refreshed session back to the keystore.
+ */
+export async function ensureAtprotoAccessToken(
+  entry: RegistryEntry,
+  auth: AtprotoAuth,
+): Promise<string | undefined> {
+  if (!auth.identifier) return undefined;
+
+  const session = await loadSession(auth);
+  if (session && !nearExpiry(session.accessJwt)) return session.accessJwt;
+
+  if (session?.refreshJwt) {
+    try {
+      const refreshed = await refreshSession(entry.baseUrl, session.refreshJwt);
+      await saveSession(auth, refreshed);
+      return refreshed.accessJwt;
+    } catch {
+      // The refresh JWT is likely expired/revoked; fall through to a fresh login.
+    }
+  }
+
+  const password = await loadAppPassword(auth);
+  if (!password) {
+    throw new AtprotoNeedsLoginError(
+      `"${entry.id}" (atproto) is set up for ${auth.identifier} but isn't logged ` +
+        `in. Ask the user to run \`anyapi-mcp login ${entry.id}\` (stores an app ` +
+        `password in the OS keychain; secrets never go through this chat).`,
+    );
+  }
+  try {
+    const fresh = await createSession(entry.baseUrl, auth.identifier, password);
+    await saveSession(auth, fresh);
+    return fresh.accessJwt;
+  } catch (err) {
+    throw new AtprotoNeedsLoginError(
+      `"${entry.id}" (atproto) could not authenticate as ${auth.identifier} (${
+        err instanceof Error ? err.message : String(err)
+      }). The app password may be wrong or revoked; re-run ` +
+        `\`anyapi-mcp login ${entry.id}\`.`,
+    );
+  }
+}
+
+/** A human-readable login status for `list` / `list_apis`. */
+export async function atprotoAuthStatus(
+  auth: AtprotoAuth,
+): Promise<{ text: string; needsLogin: boolean }> {
+  // No identifier => anonymous by design; public reads work, so no login is owed.
+  if (!auth.identifier) {
+    return {
+      text:
+        "atproto (anonymous - public reads; re-add with an identifier to write)",
+      needsLogin: false,
+    };
+  }
+  const session = await loadSession(auth);
+  if (session) {
+    const who = session.handle || auth.identifier || session.did || "?";
+    return { text: `atproto (logged in as ${who})`, needsLogin: false };
+  }
+  const hasPassword = (await getSecret(auth.passwordKey)) !== undefined;
+  if (hasPassword) {
+    return {
+      text:
+        `atproto (app password stored for ${auth.identifier}; session mints on first use)`,
+      needsLogin: false,
+    };
+  }
+  return {
+    text: `atproto (not logged in as ${auth.identifier})`,
+    needsLogin: true,
+  };
+}
diff --git a/src/atproto.ts b/src/atproto.ts
new file mode 100644
index 0000000..740172d
--- /dev/null
+++ b/src/atproto.ts
@@ -0,0 +1,352 @@
+// AT Protocol (atproto / lexicon / XRPC) adapter: build an operation index and a
+// typed method map from the lexicons shipped in @atproto/api, and run model code
+// against a thin XRPC fetch client.
+//
+// Unlike the other adapters we generate NO types of our own. The harness imports
+// the official lexicon types straight from @atproto/api (type-only, so nothing
+// from the SDK runs in the sandbox), and writeTypes emits only a small
+// NSID -> { params, input, output } map (`XrpcMethods`) that points at those
+// official types. That map is what lets `client.query("app.bsky.feed.getTimeline",
+// ...)` infer its params and result from the NSID string literal.
+//
+// Method names come from @atproto/api's own `ids` export (NSID -> exported
+// namespace), never derived, so a `Lex.<Name>` reference can't drift from what the
+// package exports and break the whole-program type check `execute` runs.
+//
+// Auth is app-password sessions, managed entirely in the parent (src/atproto-auth.ts);
+// the sandbox only ever receives a short-lived access JWT via ANYAPI_MCP_TOKEN.
+
+import { toFileUrl } from "@std/path";
+import { ensureCacheDir } from "./paths.ts";
+import type { ProtocolAdapter } from "./adapter.ts";
+import { applyEnum, clampDescription } from "./operation.ts";
+import type { OperationInfo, OperationParam } from "./operation.ts";
+import type { RegistryEntry } from "./registry.ts";
+
+/**
+ * Pinned so the op index, the generated method map, and the harness's type-only
+ * import all read the same lexicon set. @atproto/api re-exports every per-method
+ * type namespace (AppBskyFeedGetTimeline, ...) through its main entry, plus the
+ * runtime `schemas`/`ids` we read here.
+ */
+const ATPROTO_API = "npm:@atproto/api@0.20.9";
+
+function isUrl(s: string): boolean {
+  return /^https?:\/\//i.test(s);
+}
+
+// --- minimal, defensive lexicon navigation (the dynamic import is untyped) ---
+
+type Json = Record<string, unknown>;
+function obj(v: unknown): Json | undefined {
+  return v && typeof v === "object" && !Array.isArray(v)
+    ? (v as Json)
+    : undefined;
+}
+function str(v: unknown): string | undefined {
+  return typeof v === "string" ? v : undefined;
+}
+
+interface Lexicons {
+  /** LexiconDoc[] - each with `id` (NSID) and `defs.main`. */
+  schemas: unknown[];
+  /** Exported-namespace name -> NSID, e.g. AppBskyFeedGetTimeline -> app.bsky.feed.getTimeline. */
+  ids: Record<string, string>;
+}
+
+async function loadLexicons(): Promise<Lexicons> {
+  const mod = await import(ATPROTO_API) as { schemas?: unknown; ids?: unknown };
+  const schemas = Array.isArray(mod.schemas) ? mod.schemas : [];
+  const ids = obj(mod.ids) ?? {};
+  if (schemas.length === 0) {
+    throw new Error(`${ATPROTO_API} exported no lexicon schemas.`);
+  }
+  return { schemas, ids: ids as Record<string, string> };
+}
+
+/** A query/procedure pulled from the lexicons, with its exact exported namespace name. */
+export interface XrpcMethod {
+  nsid: string;
+  /** PascalCase namespace as exported by @atproto/api, e.g. AppBskyFeedGetTimeline. */
+  nsName: string;
+  type: "query" | "procedure";
+  /** Whether the lexicon declares an output schema (else the result is typed `unknown`). */
+  hasOutputSchema: boolean;
+}
+
+/** Tag = the NSID minus its final segment: "app.bsky.feed.getTimeline" -> "app.bsky.feed". */
+export function namespaceTag(nsid: string): string {
+  const i = nsid.lastIndexOf(".");
+  return i > 0 ? nsid.slice(0, i) : nsid;
+}
+
+/** Render a lexicon parameter's type for search display (e.g. "string", "integer[]"). */
+function paramTypeName(def: Json): string {
+  const t = str(def.type) ?? "unknown";
+  if (t === "array") {
+    const items = obj(def.items);
+    return `${(items && str(items.type)) ?? "unknown"}[]`;
+  }
+  return t;
+}
+
+/** A closed `enum` on a lexicon param (knownValues is an open set, deliberately not surfaced). */
+function paramEnum(def: Json): string[] | undefined {
+  const e = def.enum;
+  if (!Array.isArray(e) || e.length === 0) return undefined;
+  const out = e.filter((x): x is string => typeof x === "string");
+  return out.length ? out : undefined;
+}
+
+function buildParams(parameters: Json | undefined): OperationParam[] {
+  const props = parameters && obj(parameters.properties);
+  if (!props) return [];
+  const requiredList = parameters && Array.isArray(parameters.required)
+    ? parameters.required
+    : [];
+  const required = new Set(
+    requiredList.filter((x): x is string => typeof x === "string"),
+  );
+  const params: OperationParam[] = [];
+  for (const [name, raw] of Object.entries(props)) {
+    const def = obj(raw);
+    if (!def) continue;
+    const param: OperationParam = {
+      name,
+      in: "query",
+      required: required.has(name),
+      type: paramTypeName(def),
+    };
+    const description = clampDescription(str(def.description));
+    if (description) param.description = description;
+    const values = paramEnum(def);
+    if (values) applyEnum(param, values);
+    params.push(param);
+  }
+  return params;
+}
+
+/** Short type hint for a lexicon input/output schema node (ref name, "object", "union", ...). */
+function schemaHint(schema: Json | undefined): string | undefined {
+  if (!schema) return undefined;
+  const t = str(schema.type);
+  if (t === "ref") return str(schema.ref) ?? "ref";
+  if (t === "union") return "union";
+  return t;
+}
+
+/** Walk the lexicons into the search index + the typed method list, from one pass. */
+export function buildIndexAndMethods(
+  schemas: unknown[],
+  ids: Record<string, string>,
+): { operations: OperationInfo[]; methods: XrpcMethod[] } {
+  const nsidToName = new Map<string, string>();
+  for (const [name, nsid] of Object.entries(ids)) {
+    if (typeof nsid === "string") nsidToName.set(nsid, name);
+  }
+  const operations: OperationInfo[] = [];
+  const methods: XrpcMethod[] = [];
+  for (const raw of schemas) {
+    const doc = obj(raw);
+    const nsid = doc && str(doc.id);
+    const defs = doc && obj(doc.defs);
+    const main = defs && obj(defs.main);
+    const type = main && str(main.type);
+    if (!nsid || !main || (type !== "query" && type !== "procedure")) continue;
+    // Use the package's own NSID -> namespace name; skip anything it doesn't
+    // export (can't be typed safely, and a dangling Lex.<Name> would fail check).
+    const nsName = nsidToName.get(nsid);
+    if (!nsName) continue;
+
+    const input = obj(main.input);
+    const output = obj(main.output);
+    const op: OperationInfo = {
+      method: type,
+      path: nsid,
+      operationId: nsid,
+      tags: [namespaceTag(nsid)],
+      params: buildParams(obj(main.parameters)),
+    };
+    const summary = clampDescription(str(main.description));
+    if (summary) op.summary = summary;
+    if (input) {
+      const encoding = str(input.encoding) ?? "application/json";
+      const hint = schemaHint(obj(input.schema)) ??
+        (encoding === "application/json" ? "object" : "bytes");
+      op.requestBodyHint = `${encoding}: ${hint}`;
+    }
+    const returns = output ? schemaHint(obj(output.schema)) : undefined;
+    if (returns) op.returns = returns;
+    operations.push(op);
+
+    methods.push({
+      nsid,
+      nsName,
+      type,
+      hasOutputSchema: !!(output && obj(output.schema)),
+    });
+  }
+  return { operations, methods };
+}
+
+/**
+ * The generated .d.ts: a map from each XRPC NSID to its official @atproto/api
+ * param/input/output types. Imported (type-only) by the harness, so the client's
+ * query/procedure signatures resolve from the NSID string literal.
+ */
+export function generateMethodMap(methods: XrpcMethod[]): string {
+  const lines = [
+    "// AUTO-GENERATED by anyapi-mcp (atproto lexicon method map) - do not edit.",
+    "// Each XRPC NSID maps to its official @atproto/api param/input/output types,",
+    "// so the execute client infers them from the NSID string literal.",
+    `import type * as Lex from ${JSON.stringify(ATPROTO_API)};`,
+    "",
+    "export interface XrpcMethods {",
+  ];
+  for (const m of methods) {
+    const output = m.hasOutputSchema
+      ? `Lex.${m.nsName}.OutputSchema`
+      : "unknown";
+    lines.push(
+      `  ${JSON.stringify(m.nsid)}: {`,
+      `    type: ${JSON.stringify(m.type)};`,
+      `    params: Lex.${m.nsName}.QueryParams;`,
+      `    input: Lex.${m.nsName}.InputSchema;`,
+      `    output: ${output};`,
+      "  };",
+    );
+  }
+  lines.push("}", "");
+  return lines.join("\n");
+}
+
+export const atprotoAdapter: ProtocolAdapter = {
+  kind: "atproto",
+
+  async prepare(source, opts) {
+    const log = opts.onProgress ?? (() => {});
+    // The harness appends `/xrpc/<nsid>`, so the base is the service root. Strip a
+    // trailing slash and a trailing `/xrpc` (a natural paste - e.g. the public
+    // AppView's public.api.bsky.app/xrpc) so requests don't land on /xrpc/xrpc/...
+    const baseUrl = (opts.baseUrlOverride ?? source)
+      .replace(/\/+$/, "")
+      .replace(/\/xrpc$/i, "")
+      .replace(/\/+$/, "");
+    if (!isUrl(baseUrl)) {
+      throw new Error(
+        `atproto source must be a PDS/service URL (e.g. https://bsky.social or ` +
+          `https://public.api.bsky.app), got "${source}".`,
+      );
+    }
+    const host = new URL(baseUrl).host;
+    log(`Loading atproto lexicons from ${ATPROTO_API} ...`);
+    const { schemas, ids } = await loadLexicons();
+    const { operations, methods } = buildIndexAndMethods(schemas, ids);
+    return {
+      name: `AT Protocol (${host})`,
+      baseUrl,
+      hosts: [host],
+      operations,
+      writeTypes: async (outPath: string) => {
+        await ensureCacheDir();
+        await Deno.writeTextFile(outPath, generateMethodMap(methods));
+      },
+    };
+  },
+
+  buildHarness(entry: RegistryEntry, code: string): string {
+    const typesUrl = toFileUrl(entry.typesPath).href;
+    return `// AUTO-GENERATED anyapi-mcp execute harness (atproto) - do not edit.
+import type { XrpcMethods } from ${JSON.stringify(typesUrl)};
+
+type QueryNsid = {
+  [K in keyof XrpcMethods]: XrpcMethods[K]["type"] extends "query" ? K : never;
+}[keyof XrpcMethods];
+type ProcedureNsid = {
+  [K in keyof XrpcMethods]: XrpcMethods[K]["type"] extends "procedure" ? K
+    : never;
+}[keyof XrpcMethods];
+
+const service = ${JSON.stringify(entry.baseUrl)}.replace(/\\/+$/, "");
+const token = Deno.env.get("ANYAPI_MCP_TOKEN");
+
+function buildQuery(params: unknown): string {
+  const sp = new URLSearchParams();
+  for (
+    const [k, v] of Object.entries((params ?? {}) as Record<string, unknown>)
+  ) {
+    if (v === undefined || v === null) continue;
+    // atproto array params repeat the key (?uri=a&uri=b), never comma-join.
+    if (Array.isArray(v)) for (const item of v) sp.append(k, String(item));
+    else sp.append(k, String(v));
+  }
+  const q = sp.toString();
+  return q ? \`?\${q}\` : "";
+}
+
+async function xrpc(
+  nsid: string,
+  method: "GET" | "POST",
+  params: unknown,
+  input: unknown,
+) {
+  const url = \`\${service}/xrpc/\${nsid}\` +
+    (method === "GET" ? buildQuery(params) : "");
+  const headers: Record<string, string> = {};
+  if (token) headers["authorization"] = \`Bearer \${token}\`;
+  let body: BodyInit | undefined;
+  if (method === "POST" && input !== undefined) {
+    // Binary inputs (e.g. com.atproto.repo.uploadBlob) go as a raw octet-stream
+    // body; everything else is JSON.
+    if (
+      input instanceof Uint8Array || input instanceof ArrayBuffer ||
+      input instanceof Blob
+    ) {
+      headers["content-type"] = "application/octet-stream";
+      body = input;
+    } else {
+      headers["content-type"] = "application/json";
+      body = JSON.stringify(input);
+    }
+  }
+  const res = await fetch(url, { method, headers, body });
+  const ct = res.headers.get("content-type") ?? "";
+  const data = ct.includes("application/json")
+    ? await res.json()
+    : await res.text();
+  if (!res.ok) {
+    const detail = data && typeof data === "object" && "message" in data
+      ? \`: \${(data as { message?: unknown }).message}\`
+      : data
+      ? \`: \${String(data).slice(0, 200)}\`
+      : "";
+    throw new Error(
+      \`XRPC \${method} \${nsid} -> HTTP \${res.status} \${res.statusText}\${detail}\`,
+    );
+  }
+  return data;
+}
+
+// A typed XRPC client: the NSID string literal selects the official @atproto/api
+// types for params, input, and the awaited result. Auth is injected automatically.
+const client = {
+  query<K extends QueryNsid>(
+    nsid: K,
+    params: XrpcMethods[K]["params"],
+  ): Promise<XrpcMethods[K]["output"]> {
+    return xrpc(nsid, "GET", params, undefined);
+  },
+  procedure<K extends ProcedureNsid>(
+    nsid: K,
+    input: XrpcMethods[K]["input"],
+  ): Promise<XrpcMethods[K]["output"]> {
+    return xrpc(nsid, "POST", undefined, input);
+  },
+};
+
+await (async () => {
+${code}
+})();
+`;
+  },
+};
diff --git a/src/atproto_test.ts b/src/atproto_test.ts
new file mode 100644
index 0000000..2a159f8
--- /dev/null
+++ b/src/atproto_test.ts
@@ -0,0 +1,217 @@
+import { assert, assertEquals, assertStringIncludes } from "@std/assert";
+import {
+  buildIndexAndMethods,
+  generateMethodMap,
+  namespaceTag,
+} from "./atproto.ts";
+
+// A synthetic lexicon set covering the cases the builder must handle: a query
+// with params + output, a procedure with input + output, a procedure with NO
+// output, a subscription and a record (both skipped), a doc whose NSID isn't in
+// `ids` (skipped - can't be typed), and a doc with no `main` (skipped).
+const schemas = [
+  {
+    lexicon: 1,
+    id: "app.bsky.feed.getTimeline",
+    defs: {
+      main: {
+        type: "query",
+        description: "Get the requesting account's home timeline.",
+        parameters: {
+          type: "params",
+          properties: {
+            algorithm: { type: "string" },
+            limit: { type: "integer" },
+            cursor: { type: "string" },
+          },
+        },
+        output: {
+          encoding: "application/json",
+          schema: { type: "ref", ref: "#feedViewPost" },
+        },
+      },
+    },
+  },
+  {
+    lexicon: 1,
+    id: "com.atproto.repo.createRecord",
+    defs: {
+      main: {
+        type: "procedure",
+        description: "Create a single new repository record.",
+        input: {
+          encoding: "application/json",
+          schema: {
+            type: "object",
+            required: ["repo", "collection", "record"],
+            properties: {},
+          },
+        },
+        output: { encoding: "application/json", schema: { type: "object" } },
+      },
+    },
+  },
+  {
+    lexicon: 1,
+    id: "com.atproto.server.requestPasswordReset",
+    defs: {
+      main: {
+        type: "procedure",
+        input: { encoding: "application/json", schema: { type: "object" } },
+        // no output
+      },
+    },
+  },
+  {
+    lexicon: 1,
+    id: "app.bsky.actor.searchActors",
+    defs: {
+      main: {
+        type: "query",
+        parameters: {
+          type: "params",
+          required: ["q"],
+          properties: {
+            q: { type: "string", description: "Search query string." },
+            limit: { type: "integer" },
+            typeahead: { type: "boolean" },
+          },
+        },
+        output: { encoding: "application/json", schema: { type: "ref" } },
+      },
+    },
+  },
+  // skipped: not a query/procedure
+  {
+    lexicon: 1,
+    id: "com.atproto.sync.subscribeRepos",
+    defs: { main: { type: "subscription" } },
+  },
+  {
+    lexicon: 1,
+    id: "app.bsky.feed.post",
+    defs: { main: { type: "record", key: "tid", record: { type: "object" } } },
+  },
+  // skipped: NSID absent from `ids`, so no exported namespace to point at
+  {
+    lexicon: 1,
+    id: "app.bsky.unknown.method",
+    defs: { main: { type: "query" } },
+  },
+  // skipped: no `main`
+  { lexicon: 1, id: "app.bsky.feed.defs", defs: {} },
+];
+
+const ids: Record<string, string> = {
+  AppBskyFeedGetTimeline: "app.bsky.feed.getTimeline",
+  ComAtprotoRepoCreateRecord: "com.atproto.repo.createRecord",
+  ComAtprotoServerRequestPasswordReset:
+    "com.atproto.server.requestPasswordReset",
+  AppBskyActorSearchActors: "app.bsky.actor.searchActors",
+  ComAtprotoSyncSubscribeRepos: "com.atproto.sync.subscribeRepos",
+  AppBskyFeedPost: "app.bsky.feed.post",
+  // app.bsky.unknown.method intentionally absent
+};
+
+Deno.test("namespaceTag drops the final NSID segment", () => {
+  assertEquals(namespaceTag("app.bsky.feed.getTimeline"), "app.bsky.feed");
+  assertEquals(
+    namespaceTag("com.atproto.repo.createRecord"),
+    "com.atproto.repo",
+  );
+  assertEquals(namespaceTag("single"), "single");
+});
+
+Deno.test("buildIndexAndMethods keeps only query/procedure docs present in ids", () => {
+  const { operations, methods } = buildIndexAndMethods(schemas, ids);
+  const paths = operations.map((o) => o.path).sort();
+  assertEquals(paths, [
+    "app.bsky.actor.searchActors",
+    "app.bsky.feed.getTimeline",
+    "com.atproto.repo.createRecord",
+    "com.atproto.server.requestPasswordReset",
+  ]);
+  // subscription, record, unknown-nsid, and no-main docs are all dropped.
+  assertEquals(methods.length, 4);
+});
+
+Deno.test("buildIndexAndMethods maps a query: method, tag, params, returns", () => {
+  const { operations } = buildIndexAndMethods(schemas, ids);
+  const tl = operations.find((o) => o.path === "app.bsky.feed.getTimeline")!;
+  assertEquals(tl.method, "query");
+  assertEquals(tl.operationId, "app.bsky.feed.getTimeline");
+  assertEquals(tl.tags, ["app.bsky.feed"]);
+  assertEquals(tl.params.map((p) => p.name).sort(), [
+    "algorithm",
+    "cursor",
+    "limit",
+  ]);
+  assert(tl.params.every((p) => p.in === "query"));
+  assert(tl.params.every((p) => !p.required)); // none listed in `required`
+  assertEquals(tl.returns, "#feedViewPost");
+  assertEquals(tl.requestBodyHint, undefined); // queries have no body
+});
+
+Deno.test("buildIndexAndMethods marks required params and keeps types", () => {
+  const { operations } = buildIndexAndMethods(schemas, ids);
+  const search = operations.find((o) =>
+    o.path === "app.bsky.actor.searchActors"
+  )!;
+  const q = search.params.find((p) => p.name === "q")!;
+  assertEquals(q.required, true);
+  assertEquals(q.type, "string");
+  assertEquals(q.description, "Search query string.");
+  assertEquals(
+    search.params.find((p) => p.name === "limit")!.type,
+    "integer",
+  );
+  assertEquals(
+    search.params.find((p) => p.name === "typeahead")!.type,
+    "boolean",
+  );
+});
+
+Deno.test("buildIndexAndMethods maps a procedure's input/output hints", () => {
+  const { operations, methods } = buildIndexAndMethods(schemas, ids);
+  const create = operations.find((o) =>
+    o.path === "com.atproto.repo.createRecord"
+  )!;
+  assertEquals(create.method, "procedure");
+  assertEquals(create.requestBodyHint, "application/json: object");
+  assertEquals(create.returns, "object");
+  assertEquals(
+    methods.find((m) => m.nsid === "com.atproto.repo.createRecord")!
+      .hasOutputSchema,
+    true,
+  );
+});
+
+Deno.test("a procedure without an output schema is typed unknown", () => {
+  const { operations, methods } = buildIndexAndMethods(schemas, ids);
+  const reset = operations.find((o) =>
+    o.path === "com.atproto.server.requestPasswordReset"
+  )!;
+  assertEquals(reset.returns, undefined);
+  const method = methods.find((m) =>
+    m.nsid === "com.atproto.server.requestPasswordReset"
+  )!;
+  assertEquals(method.hasOutputSchema, false);
+});
+
+Deno.test("generateMethodMap points each NSID at the exact exported namespace", () => {
+  const { methods } = buildIndexAndMethods(schemas, ids);
+  const dts = generateMethodMap(methods);
+  assertStringIncludes(dts, `import type * as Lex from "npm:@atproto/api@`);
+  // string-literal key -> official param/input/output types
+  assertStringIncludes(dts, `"app.bsky.feed.getTimeline": {`);
+  assertStringIncludes(dts, `params: Lex.AppBskyFeedGetTimeline.QueryParams;`);
+  assertStringIncludes(dts, `input: Lex.AppBskyFeedGetTimeline.InputSchema;`);
+  assertStringIncludes(dts, `output: Lex.AppBskyFeedGetTimeline.OutputSchema;`);
+  assertStringIncludes(dts, `type: "procedure";`);
+  // no output schema -> unknown, never a dangling Lex reference
+  assertStringIncludes(dts, `output: unknown;`);
+  assert(
+    !dts.includes("ComAtprotoServerRequestPasswordReset.OutputSchema"),
+    "no-output method must not reference a missing OutputSchema",
+  );
+});
diff --git a/src/commands/add.ts b/src/commands/add.ts
index 7166c6f..fac6397 100644
--- a/src/commands/add.ts
+++ b/src/commands/add.ts
@@ -16,12 +16,14 @@ Usage:
   anyapi-mcp add <url-or-path> [options]
 
 Options:
-  --kind <openapi|graphql|soap>  Protocol (default: openapi). "graphql" introspects an endpoint; "soap" reads a WSDL URL.
+  --kind <openapi|graphql|soap|atproto>  Protocol (default: openapi). "graphql" introspects an endpoint; "soap" reads a WSDL URL; "atproto" takes a PDS/service URL (e.g. https://bsky.social).
   --id <slug>        Id used on the CLI and in execute (default: base URL in reverse-DNS form, e.g. com.github.api)
   --name <name>      Human-friendly name (default: spec title / endpoint host)
   --base-url <url>   Override the base URL derived from the source
   --docs <url>       Documentation URL to store and surface (not parsed)
   --token            Store a bearer token (read without echo, or piped via stdin)
+  --identifier <h>   atproto: the account handle/email to authenticate as
+  --app-password     atproto: store an app password now (read without echo, or piped via stdin)
   --oauth            Treat this API as OAuth 2.0 even if the spec doesn't declare it
   --auth-url <url>   OAuth authorize endpoint (overrides the spec's value)
   --token-url <url>  OAuth token endpoint (overrides the spec's value)
@@ -32,12 +34,14 @@ Options:
   -h, --help         Show this help
 
 OpenAPI specs that declare an OAuth2 authorization-code flow are detected
-automatically; after adding, run \`anyapi-mcp login <id>\` to authenticate.`;
+automatically; after adding, run \`anyapi-mcp login <id>\` to authenticate.
+For atproto, run \`anyapi-mcp login <id> --identifier <handle>\` (or pass
+--identifier/--app-password here) to store an app password.`;
 
-/** Read a token without echo from a TTY, or from piped stdin in non-interactive use. */
-async function readToken(): Promise<string> {
+/** Read a secret without echo from a TTY, or from piped stdin in non-interactive use. */
+async function readSecret(prompt: string): Promise<string> {
   if (Deno.stdin.isTerminal()) {
-    return (promptSecret("Paste token (input hidden): ") ?? "").trim();
+    return (promptSecret(prompt) ?? "").trim();
   }
   return (await new Response(Deno.stdin.readable).text()).trim();
 }
@@ -50,13 +54,14 @@ export async function runAdd(args: string[]): Promise<void> {
       "base-url",
       "docs",
       "kind",
+      "identifier",
       "auth-url",
       "token-url",
       "scope",
       "scope-separator",
     ],
     collect: ["scope"],
-    boolean: ["help", "no-auth", "token", "oauth", "force"],
+    boolean: ["help", "no-auth", "token", "app-password", "oauth", "force"],
     alias: { h: "help" },
   });
 
@@ -71,6 +76,7 @@ export async function runAdd(args: string[]): Promise<void> {
     console.error(HELP);
     Deno.exit(1);
   }
+  const kind = flags.kind as ApiKind | undefined;
   if (flags.token && flags["no-auth"]) {
     console.error(
       "anyapi-mcp add: pass either --token or --no-auth, not both.",
@@ -83,29 +89,57 @@ export async function runAdd(args: string[]): Promise<void> {
     );
     Deno.exit(1);
   }
+  if ((flags["app-password"] || flags.identifier) && kind !== "atproto") {
+    console.error(
+      "anyapi-mcp add: --identifier/--app-password apply only to --kind atproto.",
+    );
+    Deno.exit(1);
+  }
+  if (kind === "atproto" && flags.token) {
+    console.error(
+      "anyapi-mcp add: atproto APIs use app passwords, not --token (use --app-password).",
+    );
+    Deno.exit(1);
+  }
+  if (flags["app-password"] && !flags.identifier) {
+    console.error(
+      "anyapi-mcp add: --app-password requires --identifier <handle> (who to authenticate as).",
+    );
+    Deno.exit(1);
+  }
 
   const specSource = isUrl(rawSource) ? rawSource : resolve(rawSource);
 
-  // Read the token (if any) before the slow type-gen step so the prompt comes first.
+  // Read secrets (if any) before the slow type-gen step so the prompt comes first.
   let token: string | undefined;
   if (flags.token) {
-    token = await readToken();
+    token = await readSecret("Paste token (input hidden): ");
     if (!token) {
       console.error("anyapi-mcp add: empty token; aborting.");
       Deno.exit(1);
     }
   }
+  let appPassword: string | undefined;
+  if (flags["app-password"]) {
+    appPassword = await readSecret("Paste app password (input hidden): ");
+    if (!appPassword) {
+      console.error("anyapi-mcp add: empty app password; aborting.");
+      Deno.exit(1);
+    }
+  }
 
   const scopes = (flags.scope as string[] | undefined) ?? [];
   try {
     const { entry, operationCount, overwritten } = await registerApi({
       specSource,
-      kind: flags.kind as ApiKind | undefined,
+      kind,
       id: flags.id,
       name: flags.name,
       baseUrl: flags["base-url"],
       docsUrl: flags.docs,
       token,
+      identifier: flags.identifier,
+      appPassword,
       oauth: flags.oauth,
       authUrl: flags["auth-url"],
       tokenUrl: flags["token-url"],
@@ -119,6 +153,8 @@ export async function runAdd(args: string[]): Promise<void> {
       ? `bearer (${entry.auth.tokenKey})`
       : entry.auth.kind === "oauth2"
       ? `oauth2 (not logged in)`
+      : entry.auth.kind === "atproto"
+      ? `atproto (${entry.auth.identifier || "no identifier yet"})`
       : entry.auth.kind;
     console.error(
       `${
@@ -146,6 +182,28 @@ export async function runAdd(args: string[]): Promise<void> {
           `  scopes:    ${scopeList}`,
       );
     }
+    if (entry.auth.kind === "atproto") {
+      if (!entry.auth.identifier) {
+        console.error(
+          `\nRegistered for anonymous (unauthenticated) reads against ${
+            entry.hosts.join(", ")
+          }.\n` +
+            `To act as an account (writes + private reads), re-add with --identifier ` +
+            `<handle> pointed at your PDS (e.g. https://bsky.social), then ` +
+            `\`anyapi-mcp login ${entry.id}\`.`,
+        );
+      } else if (appPassword) {
+        console.error(
+          `\nStored an app password for ${entry.auth.identifier}; a session mints on first use.`,
+        );
+      } else {
+        console.error(
+          `\nTo authenticate as ${entry.auth.identifier} (stores an app password in your OS keychain):\n` +
+            `  anyapi-mcp login ${entry.id}\n` +
+            `Create an app password at https://bsky.app/settings/app-passwords (or your PDS).`,
+        );
+      }
+    }
   } catch (err) {
     console.error(
       `anyapi-mcp add: ${err instanceof Error ? err.message : String(err)}`,
diff --git a/src/commands/install.ts b/src/commands/install.ts
index 6d320a9..b903e33 100644
--- a/src/commands/install.ts
+++ b/src/commands/install.ts
@@ -1,24 +1,30 @@
 // `anyapi-mcp install` - register this MCP server with local clients so you don't
-// have to wire it up by hand. Targets Claude Code (via the `claude` CLI) and
-// Claude Desktop (by editing its config file), pointing both at `<binary> serve`.
+// have to wire it up by hand. Targets Claude Code (via the `claude` CLI), Claude
+// Desktop, and OpenCode (by editing their config files), pointing each at
+// `<binary> serve`.
+//
+// OpenCode's `opencode mcp add` is an interactive wizard with no flags, so it
+// can't be driven unattended; per its docs we register by merging an `mcp` entry
+// into its config (the same read-modify-write we do for Claude Desktop).
 //
 // It registers the path of the running binary, so run it from the installed
 // `anyapi-mcp`, not via `deno task dev` (where the running executable is `deno`).
 
 import { parseArgs } from "@std/cli/parse-args";
 import { basename, dirname, join, resolve } from "@std/path";
+import { ensureDir } from "@std/fs";
 
 const HELP = `anyapi-mcp install - register this MCP server with local clients
 
 Usage:
   anyapi-mcp install [options]
 
-Points Claude Code (via the \`claude\` CLI) and/or Claude Desktop (via its config
-file) at this binary's \`serve\` command. Run it from the compiled binary so it
-registers that binary's own path.
+Points Claude Code (via the \`claude\` CLI), Claude Desktop, and OpenCode (via
+their config files) at this binary's \`serve\` command. Run it from the compiled
+binary so it registers that binary's own path.
 
 Options:
-  --client <code|desktop|all>   Client(s) to set up (default: all available)
+  --client <code|desktop|opencode|all>  Client(s) to set up (default: all available)
   --command <path>              Path to register (default: this binary)
   --scope <user|project|local>  Claude Code scope (default: user)
   --name <name>                 Server name to register as (default: anyapi-mcp)
@@ -146,6 +152,76 @@ async function installDesktop(opts: Options): Promise<string> {
     `  Restart Claude Desktop to load it.`;
 }
 
+/** OpenCode's global config directory ($XDG_CONFIG_HOME/opencode or ~/.config/opencode). */
+function opencodeConfigDir(): string | null {
+  const home = Deno.env.get("HOME");
+  if (!home) return null;
+  const xdg = Deno.env.get("XDG_CONFIG_HOME");
+  const base = xdg && xdg.trim() !== "" ? xdg : join(home, ".config");
+  return join(base, "opencode");
+}
+
+async function installOpencode(opts: Options): Promise<string> {
+  const manual =
+    `  By hand: run \`opencode mcp add\` (interactive), or add to opencode.json:\n` +
+    `    "mcp": { "${opts.name}": { "type": "local", "command": ["${opts.command}", "serve"], "enabled": true } }`;
+  const dir = opencodeConfigDir();
+  if (!dir) return `OpenCode: HOME not set; skipped.\n${manual}`;
+  // Detect OpenCode by its config dir (PATH-independent; `opencode mcp add` is an
+  // interactive wizard we can't script, so we edit the config instead).
+  if (!(await pathExists(dir))) {
+    return `OpenCode: not installed (no ${dir}); skipped.`;
+  }
+
+  // Prefer an existing config file; only fall back to creating opencode.json so we
+  // don't leave a second file competing with an existing opencode.jsonc.
+  let configPath = join(dir, "opencode.json");
+  const jsonc = join(dir, "opencode.jsonc");
+  if (!(await pathExists(configPath)) && (await pathExists(jsonc))) {
+    configPath = jsonc;
+  }
+
+  // Read-modify-write so other servers/settings survive. Refuse to clobber a
+  // config we can't parse (e.g. a .jsonc with comments) - report manual steps.
+  let config: Record<string, unknown> = {};
+  let existed = false;
+  if (await pathExists(configPath)) {
+    const raw = await Deno.readTextFile(configPath);
+    if (raw.trim() !== "") {
+      existed = true;
+      try {
+        config = JSON.parse(raw) as Record<string, unknown>;
+      } catch {
+        return `OpenCode: config at ${configPath} isn't plain JSON (comments?); left untouched.\n${manual}`;
+      }
+    }
+  }
+  // Only stamp $schema on a freshly created config; don't edit an existing one's shape.
+  if (!existed && typeof config["$schema"] !== "string") {
+    config["$schema"] = "https://opencode.ai/config.json";
+  }
+  if (
+    typeof config.mcp !== "object" || config.mcp === null ||
+    Array.isArray(config.mcp)
+  ) {
+    config.mcp = {};
+  }
+  const servers = config.mcp as Record<string, unknown>;
+  servers[opts.name] = {
+    type: "local",
+    command: [opts.command, "serve"],
+    enabled: true,
+  };
+
+  if (opts.dryRun) {
+    return `OpenCode: would set mcp.${opts.name} in ${configPath}`;
+  }
+  await ensureDir(dir);
+  await Deno.writeTextFile(configPath, `${JSON.stringify(config, null, 2)}\n`);
+  return `OpenCode: registered "${opts.name}" in ${configPath}\n` +
+    `  Restart OpenCode to load it.`;
+}
+
 export async function runInstall(args: string[]): Promise<void> {
   const flags = parseArgs(args, {
     string: ["client", "command", "scope", "name"],
@@ -168,9 +244,9 @@ export async function runInstall(args: string[]): Promise<void> {
   const command = resolve(flags.command ?? selfPath);
 
   const client = (flags.client ?? "all").toLowerCase();
-  if (!["code", "desktop", "all"].includes(client)) {
+  if (!["code", "desktop", "opencode", "all"].includes(client)) {
     console.error(
-      `anyapi-mcp install: unknown --client "${flags.client}" (use code, desktop, or all).`,
+      `anyapi-mcp install: unknown --client "${flags.client}" (use code, desktop, opencode, or all).`,
     );
     Deno.exit(1);
   }
@@ -197,6 +273,9 @@ export async function runInstall(args: string[]): Promise<void> {
     if (client === "desktop" || client === "all") {
       results.push(await installDesktop(opts));
     }
+    if (client === "opencode" || client === "all") {
+      results.push(await installOpencode(opts));
+    }
   } catch (err) {
     console.error(
       `anyapi-mcp install: ${err instanceof Error ? err.message : String(err)}`,
diff --git a/src/commands/list.ts b/src/commands/list.ts
index 3b8552d..7817ac3 100644
--- a/src/commands/list.ts
+++ b/src/commands/list.ts
@@ -3,6 +3,7 @@
 import { readRegistry } from "../registry.ts";
 import { readOpsIndex } from "../operation.ts";
 import { describeExpiry, loadToken } from "../oauth.ts";
+import { atprotoAuthStatus } from "../atproto-auth.ts";
 
 export async function runList(_args: string[]): Promise<void> {
   const entries = await readRegistry();
@@ -25,6 +26,10 @@ export async function runList(_args: string[]): Promise<void> {
         ? `oauth2 (logged in, ${describeExpiry(token)})`
         : "oauth2 (not logged in)";
       loginHint = !token;
+    } else if (e.auth.kind === "atproto") {
+      const status = await atprotoAuthStatus(e.auth);
+      authText = status.text;
+      loginHint = status.needsLogin;
     }
     console.log(`${e.id}  -  ${e.name}`);
     console.log(`  base URL: ${e.baseUrl}`);
diff --git a/src/commands/login.ts b/src/commands/login.ts
index 23a466e..cd9dfc0 100644
--- a/src/commands/login.ts
+++ b/src/commands/login.ts
@@ -9,7 +9,7 @@
 
 import { parseArgs } from "@std/cli/parse-args";
 import { promptSecret } from "@std/cli/prompt-secret";
-import { findEntry, updateEntry } from "../registry.ts";
+import { findEntry, type RegistryEntry, updateEntry } from "../registry.ts";
 import {
   defaultRedirectUri,
   describeExpiry,
@@ -19,13 +19,19 @@ import {
   saveClient,
   saveToken,
 } from "../oauth.ts";
+import { loginWithAppPassword } from "../atproto-auth.ts";
 
-const HELP = `anyapi-mcp login - authenticate an OAuth 2.0 API in the browser
+const HELP =
+  `anyapi-mcp login - authenticate an API: OAuth (browser) or atproto (app password)
 
 Usage:
   anyapi-mcp login <id> [options]
 
+For an atproto API, this stores an app password instead:
+  anyapi-mcp login <id> [--identifier <handle>]   (app password read without echo, or piped via stdin)
+
 Options:
+  --identifier <handle>     atproto: account handle/email to authenticate as (if not set at add time)
   --client-id <id>          OAuth app client id (required on first login)
   --client-secret <secret>  Client secret (omit to be prompted without echo; or pipe via stdin)
   --scope <name>            Scope to request (repeatable; default: the API's configured scopes)
@@ -53,9 +59,74 @@ async function readClientSecret(): Promise<string | undefined> {
   return value === "" ? undefined : value;
 }
 
+/** Read an app password without echo (TTY) or from piped stdin. */
+async function readAppPassword(): Promise<string> {
+  if (Deno.stdin.isTerminal()) {
+    return (promptSecret("Paste app password (input hidden): ") ?? "").trim();
+  }
+  return (await new Response(Deno.stdin.readable).text()).trim();
+}
+
+/**
+ * atproto login: store an app password and mint a first session. createSession
+ * validates the credentials, so a wrong password fails before anything persists.
+ */
+async function loginAtproto(
+  entry: RegistryEntry,
+  identifierFlag: string | undefined,
+): Promise<void> {
+  if (entry.auth.kind !== "atproto") return; // for narrowing; never reached
+  const auth = entry.auth;
+  const identifier = identifierFlag ?? auth.identifier;
+  if (!identifier) {
+    console.error(
+      `anyapi-mcp login: "${entry.id}" has no identifier; pass --identifier <handle>.`,
+    );
+    Deno.exit(1);
+  }
+
+  const password = await readAppPassword();
+  if (!password) {
+    console.error("anyapi-mcp login: empty app password; aborting.");
+    Deno.exit(1);
+  }
+
+  // Persist a changed identifier before minting so later refreshes reuse it.
+  if (identifier !== auth.identifier) {
+    auth.identifier = identifier;
+    if (!(await updateEntry(entry))) {
+      console.error(
+        `anyapi-mcp login: "${entry.id}" is no longer registered; aborting.`,
+      );
+      Deno.exit(1);
+    }
+  }
+
+  try {
+    const session = await loginWithAppPassword(
+      auth,
+      entry.baseUrl,
+      identifier,
+      password,
+    );
+    console.error(
+      `\nAuthenticated "${entry.id}" as ${session.handle || identifier}${
+        session.did ? ` (${session.did})` : ""
+      }.\n` +
+        `  App password stored in the OS keychain; sessions refresh automatically.`,
+    );
+  } catch (err) {
+    console.error(
+      `anyapi-mcp login: ${err instanceof Error ? err.message : String(err)}`,
+    );
+    Deno.exit(1);
+  }
+}
+
 export async function runLogin(args: string[]): Promise<void> {
   const flags = parseArgs(args, {
     string: [
+      "identifier",
       "client-id",
       "client-secret",
       "scope",
@@ -86,9 +157,13 @@ export async function runLogin(args: string[]): Promise<void> {
     console.error(`anyapi-mcp login: no API with id "${id}".`);
     Deno.exit(1);
   }
+  if (entry.auth.kind === "atproto") {
+    await loginAtproto(entry, flags.identifier);
+    return;
+  }
   if (entry.auth.kind !== "oauth2") {
     console.error(
-      `anyapi-mcp login: "${id}" is not an OAuth API (auth: ${entry.auth.kind}). ` +
+      `anyapi-mcp login: "${id}" is not an OAuth or atproto API (auth: ${entry.auth.kind}). ` +
         `Re-add it with --oauth (and --auth-url/--token-url if its spec doesn't declare them).`,
     );
     Deno.exit(1);
diff --git a/src/commands/logout.ts b/src/commands/logout.ts
index d485f0a..4f9ba3f 100644
--- a/src/commands/logout.ts
+++ b/src/commands/logout.ts
@@ -5,14 +5,15 @@
 import { parseArgs } from "@std/cli/parse-args";
 import { findEntry } from "../registry.ts";
 import { clearOAuthSecrets } from "../oauth.ts";
+import { clearAtprotoSecrets } from "../atproto-auth.ts";
 
-const HELP = `anyapi-mcp logout - remove stored OAuth tokens for an API
+const HELP = `anyapi-mcp logout - remove stored tokens/session for an API
 
 Usage:
   anyapi-mcp logout <id> [--forget-client]
 
 Options:
-  --forget-client   Also delete the stored client id/secret (re-enter them at next login)
+  --forget-client   OAuth: also delete the stored client id/secret. atproto: also delete the stored app password (otherwise the session re-mints from it on next use).
   -h, --help        Show this help`;
 
 export async function runLogout(args: string[]): Promise<void> {
@@ -38,9 +39,32 @@ export async function runLogout(args: string[]): Promise<void> {
     console.error(`anyapi-mcp logout: no API with id "${id}".`);
     Deno.exit(1);
   }
+  if (entry.auth.kind === "atproto") {
+    const { session, password } = await clearAtprotoSecrets(entry.auth, {
+      forgetPassword: flags["forget-client"],
+    });
+    console.error(
+      session
+        ? `Logged out of "${id}" (session removed).`
+        : `"${id}" had no stored session.`,
+    );
+    if (flags["forget-client"]) {
+      console.error(
+        password
+          ? "App password removed; run `anyapi-mcp login` again to re-authenticate."
+          : "No app password was stored.",
+      );
+    } else if (session) {
+      // The app password is kept by default; make the self-heal explicit.
+      console.error(
+        "App password kept; the session re-mints on next use. Pass --forget-client to remove it.",
+      );
+    }
+    return;
+  }
   if (entry.auth.kind !== "oauth2") {
     console.error(
-      `anyapi-mcp logout: "${id}" is not an OAuth API (auth: ${entry.auth.kind}); nothing to do.`,
+      `anyapi-mcp logout: "${id}" is not an OAuth or atproto API (auth: ${entry.auth.kind}); nothing to do.`,
     );
     Deno.exit(1);
   }
diff --git a/src/commands/serve.ts b/src/commands/serve.ts
index ef42958..54ba2d8 100644
--- a/src/commands/serve.ts
+++ b/src/commands/serve.ts
@@ -39,6 +39,11 @@ import {
   runAuthorizationCodeFlow,
   saveToken,
 } from "../oauth.ts";
+import {
+  atprotoAuthStatus,
+  AtprotoNeedsLoginError,
+  ensureAtprotoAccessToken,
+} from "../atproto-auth.ts";
 
 const DEFAULT_LIMIT = 25;
 const MAX_LIMIT = 50;
@@ -70,6 +75,14 @@ const EXEC_SHAPE_BULLETS: Record<ApiKind, string> = {
     "available as Schema.* (e.g. `client.query<{ user: Schema.User }>(...)`).\n",
   soap: "- SOAP (kind soap): one method per operation - " +
     "`const { status, data, raw } = await client.OperationName({ ...args });` (data is the parsed Body).\n",
+  atproto:
+    "- atproto (kind atproto): `client.query(nsid, params)` for lexicon queries and " +
+    "`client.procedure(nsid, input)` for procedures, e.g. " +
+    '`const tl = await client.query("app.bsky.feed.getTimeline", { limit: 20 });`. The NSID ' +
+    "string literal selects the official @atproto/api types, so params, input, and the awaited " +
+    "result are fully typed (tl.feed here). Pass {} when a query takes no params. Public reads " +
+    "work unauthenticated; writes and private data need a session (the user logs in once via " +
+    "`anyapi-mcp login`).\n",
 };
 
 /**
@@ -82,7 +95,7 @@ function buildExecuteDescription(kinds: Set<ApiKind>): string {
     `Run TypeScript against a registered API. A typed "client" is already in scope, with auth ` +
     `injected automatically. The client's shape depends on the API's kind (shown by list_apis; ` +
     `search's method also signals it):\n`;
-  const order: ApiKind[] = ["openapi", "graphql", "soap"];
+  const order: ApiKind[] = ["openapi", "graphql", "soap", "atproto"];
   const bullets = order
     .filter((k) => kinds.size === 0 || kinds.has(k))
     .map((k) => EXEC_SHAPE_BULLETS[k])
@@ -116,9 +129,12 @@ const CONFIGURE_OAUTH_DESCRIPTION =
 
 const ADD_API_DESCRIPTION =
   "Register a new API so search/execute can use it. Pass an OpenAPI spec URL (kind " +
-  '"openapi", the default), a GraphQL endpoint URL (kind "graphql", introspected), or a WSDL ' +
-  'URL (kind "soap"). Generates a typed client and makes the API available immediately (no ' +
-  "restart). Use this for public APIs. For an API that requires a secret token, do NOT pass the " +
+  '"openapi", the default), a GraphQL endpoint URL (kind "graphql", introspected), a WSDL ' +
+  'URL (kind "soap"), or a PDS/service URL (kind "atproto", e.g. https://bsky.social) for AT ' +
+  "Protocol/lexicon/XRPC. Generates a typed client and makes the API available immediately (no " +
+  "restart). Use this for public APIs. For an atproto API, optionally pass identifier (the " +
+  "account handle, not a secret); the user sets the app password later via `anyapi-mcp login`. " +
+  "For an API that requires a secret token, do NOT pass the " +
   "token here - tell the user to run `anyapi-mcp add <url> --token [--kind …]` in a " +
   "shell, which stores it in the OS keychain. If the spec's server can't be derived (it lands on a " +
   "raw-file host like raw.githubusercontent.com), registration fails loudly - pass baseUrl with the " +
@@ -127,7 +143,7 @@ const ADD_API_DESCRIPTION =
   "Input: { specUrl, kind?, id?, name?, baseUrl?, docsUrl?, force? }.";
 
 const LIST_APIS_DESCRIPTION =
-  "List the registered APIs as JSON - each with id, name, kind (openapi/graphql/soap), baseUrl, " +
+  "List the registered APIs as JSON - each with id, name, kind (openapi/graphql/soap/atproto), baseUrl, " +
   "operation count, a short description (when the spec provides one), auth status (including OAuth " +
   "login/expiry), and docsUrl. Use it to see what's available and what each API is for, or to confirm " +
   "an add_api/remove_api took effect. Pass an `api` id to get just that one API plus its capability " +
@@ -154,7 +170,7 @@ function howToAdd(): string {
 
 function buildInstructions(entries: RegistryEntry[]): string {
   const intro =
-    "anyapi-mcp turns HTTP APIs (OpenAPI, GraphQL, SOAP) into code you run. `search` finds " +
+    "anyapi-mcp turns HTTP APIs (OpenAPI, GraphQL, SOAP, AT Protocol/XRPC) into code you run. `search` finds " +
     "operations; `execute` runs TypeScript against a typed `client` (chain several calls in one " +
     "execute - intermediate data stays in the sandbox, saving round-trips). `list_apis` shows what's " +
     "registered; `add_api` registers more (force:true overwrites a wrong one) and `remove_api` " +
@@ -388,6 +404,17 @@ async function executeRequest(
       }
       throw err;
     }
+  } else if (entry.auth.kind === "atproto") {
+    // Session mint/refresh happens here in the parent; the sandbox only ever
+    // receives the short-lived access JWT (never the app password or refresh JWT).
+    try {
+      token = await ensureAtprotoAccessToken(entry, entry.auth);
+    } catch (err) {
+      if (err instanceof AtprotoNeedsLoginError) {
+        return { text: err.message, isError: true };
+      }
+      throw err;
+    }
   }
 
   const source = getAdapter(entry.kind).buildHarness(entry, code);
@@ -667,6 +694,8 @@ async function listApisResult(
       auth = token
         ? `oauth2 (logged in, ${describeExpiry(token)})`
         : "oauth2 (not logged in)";
+    } else if (e.auth.kind === "atproto") {
+      auth = (await atprotoAuthStatus(e.auth)).text;
     }
     const api: Record<string, unknown> = {
       id: e.id,
@@ -907,10 +936,15 @@ export async function runServe(_args: string[]): Promise<void> {
 
   const addApiShape = {
     specUrl: z.string().describe(
-      'OpenAPI spec URL (or path); a GraphQL endpoint URL for kind "graphql"; a WSDL URL for kind "soap"',
+      'OpenAPI spec URL (or path); a GraphQL endpoint URL for kind "graphql"; a WSDL URL for ' +
+        'kind "soap"; a PDS/service URL (e.g. https://bsky.social) for kind "atproto"',
+    ),
+    kind: z.enum(["openapi", "graphql", "soap", "atproto"]).optional().describe(
+      'Protocol adapter: "openapi" (default), "graphql", "soap", or "atproto" (AT Protocol / lexicon / XRPC)',
     ),
-    kind: z.enum(["openapi", "graphql", "soap"]).optional().describe(
-      'Protocol adapter: "openapi" (default), "graphql", or "soap"',
+    identifier: z.string().optional().describe(
+      "atproto only: the account handle or email to authenticate as (not a secret). " +
+        "The app password is set separately by the user via `anyapi-mcp login`.",
     ),
     id: z.string().optional().describe(
       "Id used by search/execute (default: the base URL in reverse-DNS form, e.g. com.github.api)",
@@ -937,13 +971,15 @@ export async function runServe(_args: string[]): Promise<void> {
       inputSchema: addApiShape,
     },
     async (
-      { specUrl, kind, id, name, baseUrl, docsUrl, force }: AddApiArgs,
+      { specUrl, kind, identifier, id, name, baseUrl, docsUrl, force }:
+        AddApiArgs,
     ) => {
       try {
         const specSource = isUrl(specUrl) ? specUrl : resolve(specUrl);
         const { entry, operationCount, overwritten } = await registerApi({
           specSource,
           kind,
+          identifier,
           id,
           name,
           baseUrl,
@@ -959,18 +995,33 @@ export async function runServe(_args: string[]): Promise<void> {
           } "${entry.id}" (${entry.name}): ` +
           `${operationCount} operations, base ${entry.baseUrl}. ` +
           `Available now - call search with api "${entry.id}", then execute.`;
-        const authHelp = entry.auth.kind === "oauth2"
-          ? ` This API uses OAuth 2.0. The user must create an OAuth app (redirect ` +
+        let authHelp: string;
+        if (entry.auth.kind === "oauth2") {
+          authHelp =
+            ` This API uses OAuth 2.0. The user must create an OAuth app (redirect ` +
             `URL ${entry.auth.redirectUri}) and run \`anyapi-mcp login ${entry.id} ` +
             `--client-id <id> --client-secret <secret>\` in a shell (secrets never go ` +
             `through this chat). After that, execute works and you can call the ` +
-            `authenticate tool to re-login if a session expires.`
-          : ` If requests come back 401/403 this API needs a token: run ` +
+            `authenticate tool to re-login if a session expires.`;
+        } else if (entry.auth.kind === "atproto") {
+          authHelp = entry.auth.identifier
+            ? ` This is an AT Protocol API set up for ${entry.auth.identifier}. To act as ` +
+              `that account the user runs \`anyapi-mcp login ${entry.id}\` in a shell (stores ` +
+              `an app password in the OS keychain; secrets never go through this chat); then ` +
+              `execute works and sessions refresh automatically.`
+            : ` This is an AT Protocol API registered for anonymous reads - public data works ` +
+              `in execute right now. For writes or private data, the user re-adds it with ` +
+              `--identifier <handle> pointed at their PDS (e.g. https://bsky.social) and runs ` +
+              `\`anyapi-mcp login\`.`;
+        } else {
+          authHelp =
+            ` If requests come back 401/403 this API needs a token: run ` +
             `\`anyapi-mcp add ${specSource} --id ${entry.id} --token${kindFlag}\` in a shell so the token ` +
             `is stored in your OS keychain (never through this chat).`;
-        // A new registration may introduce a kind (e.g. the first GraphQL/SOAP
-        // API in an OpenAPI-only session); refresh the execute description so its
-        // client shape is documented immediately.
+        }
+        // A new registration may introduce a kind (e.g. the first GraphQL / SOAP /
+        // atproto API in an OpenAPI-only session); refresh the execute description
+        // so its client shape is documented immediately.
         syncExecuteDescription(await readRegistry());
         return { content: [{ type: "text" as const, text: head + authHelp }] };
       } catch (err) {
diff --git a/src/register.ts b/src/register.ts
index 4739484..2b0e9f8 100644
--- a/src/register.ts
+++ b/src/register.ts
@@ -24,6 +24,7 @@ import {
   type DiscoveredOAuth,
   quirkForAuthUrl,
 } from "./oauth.ts";
+import { clearAtprotoSecrets } from "./atproto-auth.ts";
 
 /**
  * Version of the generated-code contract. Bump this whenever a change would make
@@ -84,6 +85,10 @@ export interface RegisterOptions {
   scopeSeparator?: string;
   /** Register with no auth even if OAuth was discovered. */
   noAuth?: boolean;
+  /** atproto: handle or email used to mint sessions. */
+  identifier?: string;
+  /** atproto: app password to store up front (the long-lived secret); else set via `login`. */
+  appPassword?: string;
   /** Overwrite an existing entry with the same id instead of failing. */
   force?: boolean;
   /** Optional progress sink (the CLI passes console.error; the MCP tool omits it). */
@@ -134,6 +139,7 @@ export interface RegisterResult {
 function secretAccounts(auth: Auth): string[] {
   if (auth.kind === "bearer") return [auth.tokenKey];
   if (auth.kind === "oauth2") return [auth.clientKey, auth.tokenKey];
+  if (auth.kind === "atproto") return [auth.passwordKey, auth.sessionKey];
   return [];
 }
 
@@ -182,6 +188,13 @@ export async function unregisterApi(id: string): Promise<UnregisterResult> {
     secretsNote = `deleted OAuth secrets (token: ${
       token ? "yes" : "none"
     }, client: ${client ? "yes" : "none"})`;
+  } else if (entry.auth.kind === "atproto") {
+    const { session, password } = await clearAtprotoSecrets(entry.auth, {
+      forgetPassword: true,
+    });
+    secretsNote = `deleted atproto secrets (session: ${
+      session ? "yes" : "none"
+    }, app password: ${password ? "yes" : "none"})`;
   }
 
   await removeEntry(id);
@@ -239,12 +252,23 @@ export async function registerApi(
   await prepared.writeTypes(typesPath);
   await writeOpsIndex(id, prepared.operations);
 
-  // Auth precedence: an explicit --token wins (bearer); --no-auth forces none;
-  // otherwise OAuth is adopted when discovered or explicitly requested. The
-  // browser login happens later via `anyapi-mcp login` - registration only
-  // records the (unauthenticated) OAuth config.
+  // Auth precedence: an atproto API always uses app-password sessions; otherwise
+  // an explicit --token wins (bearer); --no-auth forces none; else OAuth is
+  // adopted when discovered or explicitly requested. The actual login happens
+  // later via `anyapi-mcp login` - registration only records the config (and
+  // stores an app password / token if one was supplied up front).
   let auth: Auth = { kind: "none" };
-  if (opts.token !== undefined) {
+  if (kind === "atproto") {
+    const passwordKey = `anyapi-mcp:${id}:apppass`;
+    const sessionKey = `anyapi-mcp:${id}:session`;
+    if (opts.appPassword) await setSecret(passwordKey, opts.appPassword);
+    auth = {
+      kind: "atproto",
+      identifier: opts.identifier ?? "",
+      passwordKey,
+      sessionKey,
+    };
+  } else if (opts.token !== undefined) {
     const tokenKey = `anyapi-mcp:${id}`;
     await setSecret(tokenKey, opts.token);
     auth = { kind: "bearer", header: "Authorization", tokenKey };
@@ -276,6 +300,18 @@ export async function registerApi(
     // in). Only drop secrets, and a types file at a now-stale path (kind change),
     // that the new entry no longer references.
     await cleanupOrphanedSecrets(existing.auth, entry.auth);
+    // An atproto re-register that changes the account must not keep acting as the
+    // old one: the cached session is the old identifier's, and the stored app
+    // password is too (unless this call supplied a new one). Drop them so the next
+    // execute re-auths as the new identifier instead of silently using the old.
+    if (
+      existing.auth.kind === "atproto" && entry.auth.kind === "atproto" &&
+      existing.auth.identifier !== entry.auth.identifier
+    ) {
+      await clearAtprotoSecrets(entry.auth, {
+        forgetPassword: !opts.appPassword,
+      });
+    }
     if (existing.typesPath !== entry.typesPath) {
       try {
         await Deno.remove(existing.typesPath);
diff --git a/src/registry.ts b/src/registry.ts
index b107bb2..a247617 100644
--- a/src/registry.ts
+++ b/src/registry.ts
@@ -34,13 +34,33 @@ export interface OAuth2Auth {
   tokenKey: string;
 }
 
+/**
+ * AT Protocol (atproto) app-password session auth. Like OAuth, this holds NO
+ * secrets: the app password and the session bundle (access/refresh JWTs) live in
+ * the keystore under `passwordKey`/`sessionKey`. `identifier` (a handle or email)
+ * is not a secret, so it is stored here. Sessions are minted/refreshed in the
+ * parent (see src/atproto-auth.ts); the execute sandbox only ever receives the
+ * short-lived access JWT via ANYAPI_MCP_TOKEN - never the app password or the
+ * refresh JWT.
+ */
+export interface AtprotoAuth {
+  kind: "atproto";
+  /** Handle or email used to mint sessions (com.atproto.server.createSession). */
+  identifier: string;
+  /** Keystore account holding the app password (the long-lived secret). */
+  passwordKey: string;
+  /** Keystore account holding the JSON session bundle (access/refresh JWTs + did/handle). */
+  sessionKey: string;
+}
+
 export type Auth =
   | { kind: "none" }
   | { kind: "bearer"; header: string; tokenKey: string }
-  | OAuth2Auth;
+  | OAuth2Auth
+  | AtprotoAuth;
 
 /** Which protocol adapter handles this API. */
-export type ApiKind = "openapi" | "graphql" | "soap";
+export type ApiKind = "openapi" | "graphql" | "soap" | "atproto";
 
 export interface RegistryEntry {
   /** Slug, unique, used on the CLI and in execute. */