App passwords are substitute passwords for a user account which you can use for scripts and integrating tools to avoid putting your real password into configuration files.
App passwords are designed to be used for a single purpose with limited permissions, so they don't require two-step verification (2SV). This means app passwords can be used by users with 2SV to make API calls to their Bitbucket account, and to integrate Bitbucket with other tools like Sourcetree and Bamboo.
About app passwords
Some important points about app passwords:
- You cannot view an app password or adjust permissions after you create the app password. Why? Because app passwords are encrypted in our database and cannot be viewed by anyone. They are essentially designed to be disposable. If you need to change the scopes or have lost the password, just create a new one.
- You cannot use them to log into your Bitbucket account at bitbucket.org.
- You cannot use app passwords to manage team actions.
- App passwords are tied to an individual account's credentials and should not be shared. If you share your app password, you are essentially giving direct, authenticated access to everything that password has been scoped to do with the Bitbucket APIs.
- You can use them for API call authentication, even if you don't have two-step verification enabled.
- You can set permission scopes (specific access rights) for each app password.
Create an app password
To create an app password:
- From your avatar in the bottom left, click Bitbucket settings.
- Click App passwords under Access management.
- Click Create app password.
- Give the app password a name related to the application that will use the password.
- Select the specific access and permissions you want this application password to have.
- Copy the generated password and either record it or paste it into the application you want to give access to. The password is only displayed this one time.
That's all there is to creating an app password. See your application's documentation for how to apply the app password for a specific application.
Revoke an app password
To revoke an app password, select the password and click Revoke. Then confirm that you want to revoke the password.
Using an app password
An app password is a substitute password for the user account where you configure it, so you simply use it when authenticating with Bitbucket:
- username: your normal Bitbucket username
- password: the app password.
This applies to direct API access (e.g. via curl with HTTP authentication) as well as for tools that integrate with Bitbucket via the HTTP API. As mentioned above, you cannot log in to the Bitbucket web interface with an app password.
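The curl case described above, as an added example that is not Bitbucket's own code: the app password is read from the environment and handed to curl on standard input, so it is stored neither in a configuration file nor in the curl command line. The variable names BITBUCKET_USER and BITBUCKET_APP_PASSWORD and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Bitbucket's code). BITBUCKET_USER and
# BITBUCKET_APP_PASSWORD are variable names assumed for this sketch.

# Escape backslashes and double quotes so a value can sit inside a
# double-quoted parameter of a curl config file.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a one-line curl config holding the Basic auth credentials.
# printf is a shell builtin, so the secret never appears in a process
# argument list the way it would with `curl --user name:secret`.
bb_curl_config() {
    if [ -z "${BITBUCKET_USER:-}" ] || [ -z "${BITBUCKET_APP_PASSWORD:-}" ]; then
        echo "set BITBUCKET_USER and BITBUCKET_APP_PASSWORD" >&2
        return 1
    fi
    # Basic auth splits on the first ':', so a colon in the username
    # would silently shift part of it into the password.
    case "$BITBUCKET_USER" in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    printf 'user = "%s:%s"\n' \
        "$(curl_quote "$BITBUCKET_USER")" \
        "$(curl_quote "$BITBUCKET_APP_PASSWORD")"
}

# GET a Bitbucket API URL, feeding the credentials to curl on stdin.
bb_get() {
    case "$1" in
        https://*) ;;
        *) echo "refusing to send credentials to a non-HTTPS URL" >&2; return 1 ;;
    esac
    bb_cfg=$(bb_curl_config) || return 1
    printf '%s\n' "$bb_cfg" |
        curl --silent --show-error --fail --proto '=https' --config - "$1"
}

# Usage, with the variables exported by a secret store or CI system:
#   bb_get "https://api.bitbucket.org/2.0/user"
```

Because the app password is disposable, a script written this way needs no change when the password is revoked and replaced: only the environment value is updated.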