Bluesky has implemented age verification measures in response to regional laws that restrict access:
-
UK users are shown a banner for attempting identity verification through Epic Games' Kids Web Services before they could access adult content, following the Online Safety Act.
-
Mississippi users are completely blocked from acccessing Bluesky due to HB1126, which would require identity verification for all users regardless of content preferences.
This sucks, but thankfully there are ways to work around it.
This was obvious, but using a VPN to connect from outside your location will bypass the age assurance requirements entirely.
If you don't already have one, a VPN routes your connection through servers in other countries and prevents your ISP from tracking and selling your browsing data, though you're essentially trading trust from your ISP to your VPN provider instead.
My personal recommendations are Mullvad, IVPN or ProtonVPN.
Don't fall for VPN services that heavily focus on marketing, especially if they market features like "military-grade encryption" or make exaggerated privacy claims.
You don't have to use the official Bluesky app to access the platform. Third-party clients like Klearsky or TOKIMEKI currently don't implement these restrictions. For read-only access without signing in, Anartia is also available.
Note that these alternatives work only as long as their developers don't implement similar age assurance measures or block UK users outright (and as the person behind Anartia, I have no plans to implement such thing.)
You can add the following filter rules to your adblocker.
||bsky.app/ipcc$replace=/(?<="countryCode":").+?(?=")/US/
||bsky.app/ipcc$replace=/(?<="isAgeRestrictedGeo":)true/false/
||bsky.app/ipcc$replace=/(?<="isAgeBlockedGeo":)true/false/
||ip.bsky.app/config$replace=/(?<="countryCode":").+?(?=")/US/
||ip.bsky.app/config$replace=/(?<="regionCode":").+?(?=")/WA/
||ip.bsky.app/config$replace=/(?<="isAgeRestrictedGeo":)true/false/
||ip.bsky.app/config$replace=/(?<="isAgeBlockedGeo":)true/false/
- Open uBlock Origin dashboard › My filters
- Enable Enable my custom filters
- Enable Allow custom filters requiring trust
- Add the rules provided above
- Open Settings › Shields › Content filtering
- Enable Developer mode
- Add the rules provided above to Create custom filters
- Open Ghostery extension window › Ad-Blocking › Custom Filters
- Make sure it's enabled
- Add the rules provided above
- Open Adguard Settings › User Rules
- Make sure it's enabled
- Add the rules provided above
Note: Custom filter rules is a paid feature on the Android version.
Based on testing, this seems to produce wonky results. The setup process is also more complex. But if it works, it allows you to use Bluesky's Android app as usual.
- Create a text file containing the filter rules provided above and save it to somewhere accessible
- Open Adguard and navigate to Settings › Filtering › Filters › Custom Filters › Add custom filter
- Tap Browse and locate the text file you created
- Select the file to add it as a custom filter list
Chrome's Manifest v3 changes broke all adblockers including uBlock Origin by replacing the webRequest API that they rely on with the less powerful declarativeNetRequest API instead. uBlock Origin Lite was created specifically to work with DNR, and thankfully it's still very usable for our purposes.
- Install uBlock Origin Lite
- Open uBlock Origin Lite dashboard
- Enable Developer mode
- Head to Develop › View: Custom DNR rules
- Insert the following rules:
---
priority: 1
action:
type: redirect
redirect:
url: https://gist.githubusercontent.com/mary-ext/6e27b24a83838202908808ad528b3318/raw/ipcc-response.json
condition:
requestDomains:
- bsky.app
initiatorDomains:
- bsky.app
- main.bsky.dev
urlFilter: /ipcc
resourceTypes:
- xmlhttprequest
---
priority: 1
action:
type: redirect
redirect:
url: https://gist.githubusercontent.com/mary-ext/6e27b24a83838202908808ad528b3318/raw/ipcc-response.json
condition:
requestDomains:
- ip.bsky.app
initiatorDomains:
- bsky.app
- main.bsky.dev
urlFilter: /config
resourceTypes:
- xmlhttprequest
---
priority: 1
action:
type: redirect
redirect:
url: https://gist.githubusercontent.com/mary-ext/6e27b24a83838202908808ad528b3318/raw/getAgeAssuranceState-response.json
condition:
initiatorDomains:
- bsky.app
- main.bsky.dev
urlFilter: /xrpc/app.bsky.unspecced.getAgeAssuranceState
resourceTypes:
- xmlhttprequest
---
You can use userscripts, or scriptlets in Brave.
-
Install a userscript manager
- Chrome: Violentmonkey
- Firefox: Violentmonkey
- Edge: Violentmonkey
- Safari: Userscripts
-
Install this userscript
Open Settings › Shields › Content filtering (or go to about:adblock
)
Enable Developer mode, and add the following scriptlet, saving it as user-bsky-age-assurance.js
.
const _fetch = globalThis.fetch;
globalThis.fetch = async function (req, init) {
if (req instanceof Request) {
const url = new URL(req.url);
switch (url.pathname) {
case '/xrpc/app.bsky.unspecced.getAgeAssuranceState': {
return Response.json({
lastInitiatedAt: '2025-07-14T14:22:43.912Z',
status: 'assured',
});
}
}
} else if (req === 'https://bsky.app/ipcc' || req === 'https://ip.bsky.app/config') {
return Response.json({
countryCode: 'US',
regionCode: 'WA',
isAgeBlockedGeo: false,
isAgeRestrictedGeo: false,
});
}
return _fetch.call(this, req, init);
};
Then reference the scriptlet in a custom filter.
bsky.app##+js(user-bsky-age-assurance.js)
main.bsky.dev##+js(user-bsky-age-assurance.js)
If your account is hosted on a PDS you own or control, you can add these rules to your Nginx or Caddy configuration.
server {
server_name pds.example.com;
location /xrpc/app.bsky.unspecced.getAgeAssuranceState {
default_type application/json;
add_header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" always;
add_header access-control-allow-origin "*" always;
return 200 '{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}';
}
}
pds.example.com {
handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {
header content-type "application/json"
header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"
header access-control-allow-origin "*"
respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200
}
}
Bluesky's implementation of age-based content restrictions is entirely client-side, this is an intentional design decision. The API (called the "AppView") doesn't impose content restrictions directly and isn't aware of your location as requests are proxied through your account's hosting server (called the "PDS").
bsky.app (or the "client") checks your location by making a request to https://bsky.app/ipcc
,
which returns:
countryCode
: your country based on IP address, which is used for regional content moderation.isAgeRestrictedGeo
: whether your location mandates identity verificationisAgeBlockedGeo
: whether your location is blocked from accessing Bluesky
When isAgeRestrictedGeo
is true, it will then make a request to
<pds host>/xrpc/app.bsky.unspecced.getAgeAssuranceState
, which returns:
status
: your account's current verification statuslastInitiated
: when you last started the identity verification process
These workarounds exploit the client-side nature of these checks.
Worth noting that decentralized social networks aren't above the law. All platforms, including Mastodon and other federated networks, must comply with local regulations like the Online Safety Act, and a fully decentralized network may need individual server operators to handle compliance.
It remains unclear whether regulators would consider Bluesky's client-side implementation sufficient for legal compliance. However, Bluesky Social PBC could reasonably argue the restrictions are effectively enforced for users on their PDS using unmodified clients, and that's as far as they can guarantee in a decentralized network like Bluesky.
I am not a lawyer however.
While these workarounds provide immediate relief, consider taking action to address the root cause:
-
UK users: Reach out to your Member of Parliament to express concerns about the Act's impact on privacy and digital rights. You can find your MP and their contact details on the UK Parliament website.
-
Mississippi users: Contact your state legislators about HB1126's impact on free speech and access to information. You can find your representatives on the Mississippi Legislature website.
Consider supporting or getting involved with organizations that advocate for digital rights and privacy:
International:
- Electronic Frontier Foundation (EFF) - Defends civil liberties in the digital world
- Internet Freedom Foundation - Works to ensure that technology respects fundamental rights
UK-specific:
- Open Rights Group - Campaigns for digital rights and freedoms in the UK
- Big Brother Watch - Fights for privacy, free speech and civil liberties
US-specific:
- American Civil Liberties Union (ACLU) - Defends constitutional rights including digital privacy
- Fight for the Future - Campaigns for digital rights and internet freedom
Mention VPN as an option?