Skip to content

Instantly share code, notes, and snippets.

@phantomtail

phantomtail/bluesky-osa.md

Forked from mary-ext/bluesky-osa.md
Created July 23, 2025 23:09
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save phantomtail/8d618708d5a8bcba8a1e96d21543a3df to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save phantomtail/8d618708d5a8bcba8a1e96d21543a3df to your computer and use it in GitHub Desktop.
Download ZIP
Bluesky's UK age assurance sucks, here's how to work around it.
Raw
bluesky-osa.md

Bluesky's UK age assurance sucks, here's how to work around it.

Bluesky recently announced that they're complying with the UK's Online Safety Act, which requires users to provide personal identity verification confirming their age (through Epic Games' Kids Web Services) before accessing certain parts of the platform.

This sucks for privacy reasons, but thankfully there are ways to work around it.

Workaround methods

Method 1. uBlock Origin

Open uBlock Origin dashboard › My filters.

Enable Allow custom filters requiring trust, then add the following rules:

||bsky.app/ipcc$replace=/(?<="isAgeRestrictedGeo":)true/false/

! Optional, if Bluesky ever adds regional content moderation to UK users
||bsky.app/ipcc$replace=/(?<="countryCode":").+?(?=")/US/

These filter rules work with similar capable adblockers like AdGuard or Brave.

Method 2. Brave scriptlets

If you use Brave browser, you also have the option to use custom scriptlets.

Open Settings › Shields › Content filtering (or go to about:adblock)

Enable Developer mode, and add the following scriptlet, saving it as user-bsky-age-assurance.js.

const _fetch = globalThis.fetch;
globalThis.fetch = async function (req, init) {
  if (req instanceof Request) {
    const url = new URL(req.url);

    switch (url.pathname) {
      case "/xrpc/app.bsky.unspecced.getAgeAssuranceState": {
        return Response.json({
          lastInitiatedAt: "2025-07-14T14:22:43.912Z",
          status: "assured",
        });
      }
    }
  } else if (req === "https://bsky.app/ipcc") {
    return Response.json({
      countryCode: "US",
      isAgeRestrictedGeo: false,
    });
  }

  return _fetch.call(this, req, init);
};

Then reference the scriptlet in a custom filter.

bsky.app##+js(user-bsky-age-assurance.js)
main.bsky.dev##+js(user-bsky-age-assurance.js)

Method 3. self-hosted PDS

If your account is hosted on a PDS you own or control, you can add server-level rules.

For Nginx users:

server {
	server_name pds.example.com;

	location /xrpc/app.bsky.unspecced.getAgeAssuranceState {
		default_type application/json;
		return 200 '{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}';
	}
}

For Caddy users:

pds.example.com {
	handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {
		header Content-Type application/json
		respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200
	}
}

Background

Bluesky's implementation of age-based content restrictions is entirely client-side. The API (called the "AppView") doesn't impose content restrictions directly and isn't aware of your UK location as requests are proxied through your account's hosting server (called the "PDS").

bsky.app checks your location by making a request to https://bsky.app/ipcc, which returns:

  • countryCode: your country based on IP address, which is used for regional content moderation.
  • isAgeRestrictedGeo: whether your country mandates identity verification

When isAgeRestrictedGeo is true, it will then make a request to <pds host>/xrpc/app.bsky.unspecced.getAgeAssuranceState, which returns:

  • status: your account's current verification status
  • lastInitiated: when you last started the identity verification process

These workarounds exploit the client-side nature of these checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment