Personal access tokens
Personal access tokens can be used in Bitbucket Data Center and Server in place of passwords for Git over HTTPS, or to authenticate when using the Bitbucket REST API.
- You can't use a token to log in via the web UI.
- You can't use a token to perform changes on behalf of a user (for example, create new tokens or update user account details).
- In Git and API calls, you can use the project and repository level token only with Bearer authentication. Don't use this token with a username in Basic authentication.
On this page:
Related pages:
Creating personal access tokens
To create a personal access token:
- Go to Profile picture > Manage account > Personal access tokens.
- Select Create token.
- Set the token name, permissions, and expiry.
Permissions
Permissions restrict what a token can do. As tokens are like passwords, your token’s permissions will be set at your current level of access by default. We recommend, however, restricting your token’s permissions to only the level it will need.
Here are the permission combinations you can assign to a token:
Repo permissions are inherited from the project permissions
A token’s repository permission must be as high as its project permission.
If you give a token project write permission, you cannot give it only repository read permissions (it must be write-level or higher).
Project read | Project write | Project admin | |
---|---|---|---|
Repository read | Pull and clone repositories | Combination not possible | Combination not possible |
Repository write | Perform pull request actions Push, pull, and clone repositories | Perform pull request actions Push, pull, and clone repositories | Combination not possible |
Repository admin | Perform pull request actions Update repository settings and permissions Push, pull, and clone repositories | Perform pull request actions Update repository settings and permissions Push, pull, and clone repositories | Perform pull request actions Update repository settings and permissions Update project settings and permissions Push, pull, clone, and fork repositories Create repositories |
You can modify a token’s permissions, or revoke a token, by going to Profile picture > Manage account > Personal access tokens.
Expiry
For added security, when you’re creating a token you can also set it to automatically expire. This is optional, but if your administrator has made this a requirement you’ll need to choose an expiry date that’s within the limits they’ve set.
Once a token has been created, its expiry date cannot be changed. You can see the expiry dates for all your tokens by going to Profile picture > Manage account > Personal access tokens.
Using personal access tokens
Map one token per integration
Personal access tokens are a secure way to use scripts and to integrate external applications with Bitbucket. We recommend only mapping one token per integration. This way, if the system is compromised, you can simply revoke the token and not affect other integrations.
For Git operations, you can use your personal access token as a substitute for your password. For example, to clone using a personal access token you can enter:
> git clone https://bitbucketserver.com/scm/projectname/teamsinspace.git
Cloning into 'teamsinspace'...
Username for 'https://bitbucketserver.com':username
Password for 'https://username@bitbucketserver.com':MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx
Or using Basic Auth:
git clone https://username:MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx@bitbucketserver.com/scm/projectname/teamsinspace.git
In addition, for REST operations you can use Basic Auth:
curl -u username:MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx https://bitbucketserver.com/rest/api/latest/resource/path
For project or repository tokens, you must only use Bearer Auth without the username:
curl -H 'Authorization: Bearer MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx' https://example.com/rest/api/latest/resource/path