How to Auto Follow-Back on Bluesky: DIY Scripts vs. a Safer Setup
Auto follow-back sounds simple until a script follows every bot that follows you. How the DIY route really works, where it breaks, and how to follow back the right people automatically.
"Follow back everyone who follows me" is the most common automation people want on Bluesky, and the easiest one to get wrong. A follow-back bot that fires on every new follower will faithfully follow spam accounts, engagement farms, and dormant profiles right alongside your real audience. This guide covers how auto follow-back actually works, the real cost of the do-it-yourself route, and how to follow back only the people worth following back.
- Auto follow-back is easy to build and easy to misuse: with no filter, it mirrors every bot that follows you.
- DIY scripts use an app password, which hands full account access to a file on your machine and skips OAuth's scoped, revocable permissions.
- The hard parts are not the follow call. They are rate-limit backoff, bot filtering, pagination, and state so you never re-follow the same person.
- A healthy setup follows back selectively, filters out bots, and paces itself instead of reacting to every notification instantly.
What auto follow-back really does
Auto follow-back watches for new followers and follows them in return. The appeal is obvious: a higher follow-back rate signals reciprocity, keeps your ratio tidy, and rewards people who found you first. The problem is that "new follower" is not the same as "good follower." On an open network, a fresh account attracts bots and follow-farmers along with real people, and a blind mirror follows them all.
Spam accounts specifically target profiles that auto-follow back, because a guaranteed follow is free reach for them. The more mechanically you reciprocate, the more low-quality follows you attract, and the worse your engagement rate looks to everyone else.
The DIY route: a script and an app password
The scripts you find on GitHub use Bluesky's atproto API with an app password, usually in Python or Node, on a timer. The core is only a few lines, which is exactly why it looks more finished than it is.

```ts
import { AtpAgent } from "@atproto/api";

const agent = new AtpAgent({ service: "https://bsky.social" });
await agent.login({
  identifier: process.env.BSKY_HANDLE!,
  password: process.env.BSKY_APP_PASSWORD!, // full-scope app password
});

// Follow back everyone who follows you -- with no filtering.
const { data } = await agent.getFollowers({ actor: agent.session!.did });
for (const follower of data.followers) {
  await agent.follow(follower.did); // no bot check, no pacing, no backoff
}
```

Two things are easy to miss here. First, the app password is not scoped: it can post, follow, and change your profile, and it lives in an environment file or a cloud function for as long as the script runs. OAuth exists precisely so tools do not need that. Second, the snippet re-follows everyone on every run, has no idea who is a bot, and will happily march straight into a rate limit. Making it safe is most of the work, and it never really ends.
| Concern | Naive script | What it actually needs |
|---|---|---|
| Account access | Full app password in a file | Scoped OAuth grant you can revoke |
| Bot filtering | None | Heuristics or scoring before following |
| Pacing | Instant, all at once | Spread out with jitter and a daily cap |
| Rate limits | Ignored until it fails | Detect, back off, and resume |
| State | Re-follows every run | Remembers who it already handled |
| Maintenance | You, forever | Handled for you |
How to follow back the right people
A good follow-back policy is selective, not reflexive. The goal is to reward real people who found you while quietly ignoring the noise.
- Filter before you reciprocate. Skip accounts with no avatar, no bio, near-zero posts, or a wildly lopsided following ratio. These are the cheapest bot tells.
- Prioritize relevance and engagement. Someone who followed you and liked a post is worth following back long before an account that followed a thousand people today.
- Pace it. You do not need to follow back within seconds. A short, natural delay looks human and gives filters time to catch obvious spam.
- Keep a whitelist. Once you follow someone back, remember it, so a nightly job never re-follows or churns them.
- Measure the outcome. Track whether your new mutuals actually engage. A rising follower count with flat engagement means your filter is too loose.
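The table in the DIY section and the policy list above describe the same missing layer: filtering, state, and pacing in front of the follow call. The block below is an added example (not SkyFollowing's or Bluesky's own code) of that layer as pure, offline-testable functions; it assumes the counts come from a profile lookup such as `getProfiles`, since the `getFollowers` list does not carry them, and the follower records are constructed samples.

```typescript
// Added example, not SkyFollowing's or Bluesky's own code: the filter, state and pacing
// layer the naive snippet lacks. Field names follow the profile view the atproto API
// returns (postsCount, followersCount, followsCount); the inputs are constructed samples.
type Profile = { did: string; avatar?: string; description?: string;
  postsCount: number; followersCount: number; followsCount: number };
// Persisted between runs (a JSON file is enough) so a nightly job never re-follows anyone.
type FollowState = { handled: Set<string>; followedToday: number };
type Decision = { did: string; action: "follow" | "skip"; reason: string; delayMs: number };

// Cheapest bot tells: no avatar, no bio, near-zero posts, lopsided ratio.
// Returns the reason to skip, or null if the account passes.
function rejectReason(p: Profile): string | null {
  if (!p.avatar) return "no avatar";
  if (!p.description?.trim()) return "no bio";
  if (p.postsCount < 3) return "near-zero posts";
  // Follows hundreds of accounts while almost nobody follows back: follow-farmer shape.
  if (p.followsCount >= 500 && p.followsCount > 20 * Math.max(p.followersCount, 1)) {
    return "lopsided following ratio";
  }
  return null;
}

// Plan one batch: skip anyone already handled, apply the heuristics, stop at the daily
// cap, and spread the survivors out with a jittered delay (10-30 min apart). `rand` is
// injectable so the schedule is testable; the caller sleeps delayMs before each follow.
function planFollowBacks(followers: Profile[], state: FollowState, dailyCap: number,
                         rand: () => number = Math.random): Decision[] {
  const minGapMs = 10 * 60_000, jitterMs = 20 * 60_000;
  const plan: Decision[] = [];
  let offsetMs = 0;
  for (const p of followers) {
    const skip = (reason: string) => plan.push({ did: p.did, action: "skip", reason, delayMs: 0 });
    if (state.handled.has(p.did)) { skip("already handled"); continue; }
    const reason = rejectReason(p);
    if (reason) { state.handled.add(p.did); skip(reason); continue; } // never re-score bots
    if (state.followedToday >= dailyCap) { skip("daily cap reached"); continue; } // retry tomorrow
    offsetMs += minGapMs + Math.floor(rand() * jitterMs);
    state.handled.add(p.did);
    state.followedToday += 1;
    plan.push({ did: p.did, action: "follow", reason: "passed filters", delayMs: offsetMs });
  }
  return plan;
}
```

Accounts skipped for the daily cap are deliberately left out of `handled`, so the next run picks them up instead of losing them.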
This is also where follow-back automation connects to growth. Following back well raises your effective follow-back rate with real people, which is the number that compounds, rather than inflating a count with accounts that will never reply to anything.
How SkyFollowing handles follow-back
SkyFollowing treats follow-back as a filtered decision, not a mirror. It connects through official OAuth, so there is no app password sitting in a file, and you can revoke access from Bluesky at any moment. Incoming followers are checked against bot heuristics and AI relevance scoring before anything reciprocates, actions are paced with jitter inside your active hours, and rate-limit backoff is built in so you never trip a wall.
Because it also runs engagement-aware cleanup, the accounts that follow, get followed back, and then never engage do not clutter your graph forever, while everyone who actually interacted with you is kept. You get the reciprocity without the bot magnet, and without maintaining a script. The wider rulebook lives in "Is automation allowed on Bluesky?".
Frequently asked questions
Is a follow-back bot allowed on Bluesky?
Yes, within the same limits as any automation. Bluesky moderates spam and inauthentic behavior, not automation itself. A selective, paced follow-back that filters out obvious bots stays well inside the rules; a blind mirror that reciprocates everything trends toward the behavior moderation dislikes.
Should I use an app password or OAuth?
Prefer OAuth wherever it is offered. An app password grants broad access and has to be stored somewhere for a script to keep running. OAuth grants scoped permission you can revoke from Bluesky's settings without changing your password.
Why did my follow-back script get me spammy followers?
Because unfiltered mirroring is a magnet for them. Spam accounts target profiles that guarantee a follow back. Add filtering on bios, avatars, post counts, and ratios, or use a tool that scores followers before reciprocating.
How fast should I follow back?
There is no benefit to doing it within seconds, and a small natural delay both looks human and lets filters catch obvious spam. Following back within a few hours is plenty responsive.
If you want reciprocity without babysitting a script or feeding the bots, start a free SkyFollowing trial. Follow-back runs filtered, paced, and password-free by default.
SkyFollowing applies these safety rules to every campaign it runs. Free for 7 days, no card required.