New authentication flow for Sill

Tyler Fisher January 27, 2026

Since Sill launched in late 2024, the open social web has come a long way. While Sill was one of the first to adopt the AT Protocol's OAuth authentication process in production, it was not used to create the user's core Sill account. Instead, users needed to sign up with an email address, and then connect their AT Protocol account and/or Mastodon account to Sill's user account via OAuth.

I initially chose to build in this way for a few reasons, but it has been clear for a while that it was the wrong approach. It was a cumbersome process and many users bounced off or refused to sign up at all. Users have the expectation that they can sign up for services on the open social web without providing an email or setting up a new password. I think this is awesome and an excellent demonstration of the power of the open social web. Sill needs to meet these expectations.

Sill has a new authentication flow now, powered entirely by OAuth. On the login screen, users can now enter either their Atmosphere handle or Mastodon handle to kickstart the process. If you already have a Sill account connected to one of those handles, you will be logged in. If you don't, Sill will create a new account for you and begin the onboarding process.

(Note, for legacy Sill users, if you want to use your old email and password, just expand the "log in with email" section.)

The new onboarding process has three steps: account connection, list subscription, and digest setup. At the account connection step, you can connect whichever type of social account you didn't initially sign up with. So, if you signed up with a Mastodon account, this is your chance to enter your Atmosphere handle so that Sill reads timelines from both.

After your accounts are connected, you can subscribe to any of your lists or custom feeds so that Sill watches those for links in addition to your following timelines. As you subscribe to new lists and attach new accounts, the initial 24-hour fetch happens asynchronously -- no more waiting for initial downloads before you can do anything.

Finally, you can set up your Daily Digest, Sill's daily update on the top links in your network, which you can receive via email or RSS. If you do choose email, you do have to provide an email address and verify it. However, it is no longer mandatory for Sill users to provide an email address. I consider this a major win.

A note on ATProto auth scopes

On the ATProto side, Sill still uses the transition:generic OAuth scope, which gives Sill the same level of access as an app password. Sill is mostly a read-only application (with the optional exception of bookmarks, which can write to your PDS if you want to), and there are new scopes available that would give Sill less access. I haven't adopted these yet for two main reasons:

Long story short, when Bluesky releases the official permission sets for their lexicons, I will update Sill's OAuth scopes. This will require a communication plan for users and a managed transition so users know when they need to log back in and reauthorize Sill.

Try Sill today!