Credentials
FxEmbed needs X/Twitter account credentials to fetch post data from the Twitter API. These credentials are encrypted and stored securely.
Credential Format
Section titled “Credential Format”Credentials are defined in a credentials.json file:
{ "twitter": { "accounts": [ { "authToken": "your_auth_token", "csrfToken": "your_ct0_csrf", "username": "account_screen_name" } ] }}You can include multiple accounts in the accounts array. FxEmbed will use them to distribute requests.
Obtaining Tokens
Section titled “Obtaining Tokens”The authToken and csrfToken values come from an authenticated X/Twitter session. You can extract them from your browser’s cookies:
authToken: Theauth_tokencookiecsrfToken: Thect0cookie
Credential Management Scripts
Section titled “Credential Management Scripts”FxEmbed includes tooling to encrypt, push, and pull credentials:
Encrypt Credentials
Section titled “Encrypt Credentials”Encrypt your credentials.json using your CREDENTIAL_KEY:
npm run credentials:encryptPush to R2
Section titled “Push to R2”Upload encrypted credentials to Cloudflare R2 storage:
npm run credentials:pushEncrypt and Push
Section titled “Encrypt and Push”Combined encrypt + push in one step:
npm run credentials:encrypt-pushPull from R2
Section titled “Pull from R2”Download and decrypt credentials from R2:
npm run credentials:pullAdd CSRF Tokens
Section titled “Add CSRF Tokens”Refresh CSRF tokens for existing credentials:
npm run credentials:add-csrfStrip Credentials
Section titled “Strip Credentials”Remove sensitive data from the credentials file:
npm run credentials:stripSetting the Credential Key
Section titled “Setting the Credential Key”The encryption key must be set as a Wrangler secret so the deployed worker can decrypt credentials at runtime:
wrangler secret put CREDENTIAL_KEYBluesky
Section titled “Bluesky”FxEmbed by default will use the public Bluesky AppView API. We support specifying fallback accounts on different PDSes in the event of downtime of the public API. We will always prefer the public API unless it is down.
The proxy uses standard Bluesky app passwords — no OAuth flow, no DPoP, nothing exotic.
Credential Format
Section titled “Credential Format”Bluesky accounts live alongside Twitter accounts in the same credentials.json:
{ "bluesky": { "accounts": [ { "identifier": "your.handle.bsky.social", "appPassword": "xxxx-xxxx-xxxx-xxxx", "service": "https://bsky.social" } ] }}Fields:
identifier: The account’s handle (e.g.your.handle.bsky.social) or DID.appPassword: An app password generated at bsky.app/settings/app-passwords. Do not use the account’s main password.service: The base URL of the account’s PDS. For accounts hosted on Bluesky’s infrastructure, usehttps://bsky.social(the entryway will route to the correct*.host.bsky.networkPDS automatically). For self-hosted or third-party PDSes, set this to the actual PDS URL (e.g.https://pds.example.com).
Generating an App Password
Section titled “Generating an App Password”- Sign in to the account you want to use as a proxy.
- Open Settings → Privacy and security → App passwords (or visit bsky.app/settings/app-passwords directly).
- Click Add App Password, give it a descriptive name (e.g.
FxEmbed Proxy), and copy the generatedxxxx-xxxx-xxxx-xxxxvalue. - Paste it into the
appPasswordfield above.
App passwords can be revoked at any time from the same screen if a key is ever compromised.
Encryption and Deployment
Section titled “Encryption and Deployment”Bluesky credentials are encrypted, pushed, and pulled using the exact same credential management scripts and CREDENTIAL_KEY as Twitter — there’s nothing Bluesky-specific to configure on the worker side.