Own Your Bluesky Identity: Self-Host a PDS on Open Source Cloud

Your Bluesky account lives on a server you don't control. When Bluesky the company makes decisions about that server, you inherit them. The AT Protocol was designed to fix this — your identity is a DID (decentralized identifier) that can be anchored to a server you run. But most people never self-host because standing up a Personal Data Server is too much work.

This guide gets you a running PDS in about five minutes. No Kubernetes experience required.

Why it matters

Your PDS is more than storage. It's the root of your AT Protocol identity. When your account lives on bsky.social, your DID resolves through Bluesky's infrastructure. When you self-host, your DID resolves through yours. You can migrate back to bsky.social or to any other PDS at any time — the AT Protocol guarantees portability. But you're never dependent on one company's availability or policies.

For developers especially: a self-hosted PDS lets you experiment with the AT Protocol directly, create accounts for testing, and build on infrastructure you understand end to end.

What you'll need

• An account on Open Source Cloud (free tier works)
• A terminal (for the PDS admin steps)

That's it. OSC handles the container, TLS, and DNS automatically.

Step 1: Create the PDS instance

There are two ways to spin up a PDS on OSC.

Option A: Use the web console

Log in to app.osaas.io, find Bluesky Personal Data Server in the service catalog, and click Create. Fill in a name and an admin password. That's it — OSC provisions the container, TLS certificate, and DNS record for you.

Option B: Use an AI agent via MCP

Connect the OSC MCP server to Claude, ChatGPT, or any MCP-compatible AI tool. Then just tell it:

Create a bluesky-social-pds instance named "mypds" with admin password "choose-a-strong-password"

The agent calls the create-service-instance tool and hands you back a running URL.

Either way, you'll get an instance URL in the pattern:

https://{tenant}-mypds.bluesky-social-pds.auto.prod.osaas.io

Hold onto that URL — it's your PDS hostname for every step below.

Step 2: Verify it's running

The PDS exposes a health endpoint. Give it 30 seconds to start, then:

curl https://YOUR_PDS_URL/xrpc/_health

You should see:

{"version":"0.4.208"}

If you get a connection error, wait another 30 seconds. The container is still starting.

You can also check what domains and features the server advertises:

curl https://YOUR_PDS_URL/xrpc/com.atproto.server.describeServer

This returns the server DID, available user domains, and whether invite codes are required (they are, by default).

Step 3: Create an invite code

The PDS requires an invite code to create accounts. This is an admin-only operation.

curl -X POST \
  -H "Authorization: Basic $(echo -n 'admin:YOUR_ADMIN_PASSWORD' | base64)" \
  -H "Content-Type: application/json" \
  -d '{"useCount": 1}' \
  https://YOUR_PDS_URL/xrpc/com.atproto.server.createInviteCode

Replace YOUR_ADMIN_PASSWORD with the password you set in Step 1.

The response looks like:

{"code":"mypds-abcd1234-xyz"}

Save that code — you'll need it in the next step. Set useCount higher if you want the same code to work multiple times.

Step 4: Create your account

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "handle": "yourname.YOUR_PDS_HOSTNAME",
    "password": "your-account-password",
    "inviteCode": "mypds-abcd1234-xyz"
  }' \
  https://YOUR_PDS_URL/xrpc/com.atproto.server.createAccount

The handle follows the pattern username.your-pds-hostname — for example:

alice.mytenant-mypds.bluesky-social-pds.auto.prod.osaas.io

The response includes your DID, handle, and access tokens:

{
  "did": "did:plc:...",
  "handle": "alice.mytenant-mypds...",
  "accessJwt": "...",
  "refreshJwt": "..."
}

Your DID is your permanent identity on the AT Protocol. The handle is how people find you.

Step 5: Log in from the Bluesky app

Open the Bluesky app (iOS, Android, or web at bsky.app).

On the sign-in screen, look for "Advanced" or "Hosting provider" — the exact label varies by app version. Enter your PDS URL as the hosting provider:

https://YOUR_PDS_URL

Then sign in with the handle and password you created in Step 4. The app will connect to your PDS directly.

Optional: Use a custom domain

The default hostname is readable but not exactly elegant. If you own a domain, you can map it to your PDS and use handles like alice.yourdomain.com.

Two things need to happen:

1. Add the custom domain in OSC

In the web console, go to My Apps and add a custom domain for your PDS instance (e.g., pds.yourdomain.com). You can also do this via MCP — ask your AI agent to add a custom domain for your PDS instance. This tells OSC to provision a TLS certificate and route traffic for that domain to your instance.

2. Point DNS to OSC

Add a CNAME record in your DNS provider pointing pds.yourdomain.com to your instance's auto-generated hostname. Once DNS propagates and the TLS certificate is issued, your PDS is reachable at the custom domain.

When creating the PDS instance, set the DnsName field to your custom domain so the PDS knows its public hostname. Handles on your PDS then become username.pds.yourdomain.com.

You can also configure SMTP for sending verification emails by setting the EmailSmtpUrl and EmailFromAddress fields when creating the instance.

What's next: migrate your existing account

If you already have a Bluesky account on bsky.social, you can migrate it to your PDS. The AT Protocol supports account migration — your DID stays the same, your follows and followers transfer, and your existing posts remain accessible. The migration process is documented in the AT Protocol specs and Bluesky has a migration tool in their settings.

You don't have to do this immediately. Your new self-hosted account and your bsky.social account can coexist.

The infrastructure should be simple

Running your own PDS used to mean setting up a VPS, installing Docker, managing volumes, dealing with TLS, and hoping nothing breaks on Saturday night. That friction is why most people never do it.

The Bluesky PDS is available on Open Source Cloud because it belongs there — alongside Postgres, Valkey, MinIO, and 160+ other open source projects, all running as managed services. No configuration overhead, no infrastructure babysitting.

The AT Protocol's bet is that social media built on open protocols is more durable than any single platform. The infrastructure underneath that bet should be just as open and just as easy to run.

---

Open Source Cloud provides open source software as managed services. The Bluesky PDS is one of 160+ services available — all open source, no vendor lock-in.