Personal access tokens

Personal access tokens can be used in place of passwords for Git over HTTPS, or to authenticate when using the Bitbucket Server REST API.

  • You can't use a token to log in via the web UI
  • You can't use a token to perform changes on behalf of a user (for example, create new tokens or update user account details)

Creating personal access tokens

To create a personal access token:

  1. Go to Profile picture > Manage account > Personal access tokens.
  2. Click Create a token. 
  3. Set the token name, permissions, and expiry.

Permissions

Permissions restrict what a token can do. As tokens are like passwords, your token’s permissions will be set at your current level of access by default. We recommend, however, restricting your token’s permissions to only the level it will need.

Here are the permission combinations you can assign to a token:

Repo permissions are inherited from the project permissions

A token’s repository permission must be as high as its project permission.

If you give a token project write permission, you cannot give it only repository read permissions (it must be write-level or higher).


Project readProject writeProject admin
Repository read(tick) Pull and clone repositories(error) Combination not possible(error) Combination not possible
Repository write

(tick) Perform pull request actions

(tick) Push, pull, and clone repositories

(tick) Perform pull request actions

(tick) Push, pull, and clone repositories

(error) Combination not possibl
Repository admin(tick) Perform pull request actions

(tick) Update repository settings and permissions

(tick) Push, pull, and clone repositories

(tick) Perform pull request actions

(tick) Update repository settings and permissions

(tick) Push, pull, and clone repositories

(tick) Perform pull request actions

(tick) Update repository settings and permissions

(tick) Update project settings and permissions

(tick) Push, pull, clone, and fork repositories

(tick) Create repositories

You can modify a token’s permissions, or revoke a token, by going to Profile picture > Manage account > Personal access tokens.

Expiry

For added security, when you’re creating a token you can also set it to automatically expire. This is optional, but if your administrator has made this a requirement you’ll need to choose an expiry date that’s within the limits they’ve set.

Once a token has been created, its expiry date cannot be changed. You can see the expiry dates for all your tokens by going to Profile picture > Manage account > Personal access tokens.

Using personal access tokens

Map one token per integration

Personal access tokens are a secure way to use scripts and to integrate external applications with Bitbucket Server. We recommend only mapping one token per integration. This way, if the system is compromised, you can simply revoke the token and not affect other integrations.

For Git operations, you can use your personal access token as a substitute for your password. For example, to clone using a personal access token you can enter:

> git clone https://bitbucketserver.com/scm/projectname/teamsinspace.git
Cloning into 'teamsinspace'...
Username for 'https://bitbucketserver.com':username
Password for 'https://username@bitbucketserver.com':MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx

Or using Basic Auth:

git clone https://username:MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx@bitbucketserver.com/scm/projectname/teamsinspace.git

In addition, for REST operations you can use Basic Auth:

curl -u username:MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx https://bitbucketserver.com/rest/api/latest/resource/path

Or you can use Bearer Auth without your username:

curl -H 'Authorization: Bearer MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx' https://bitbucketserver.com/rest/api/latest/resource/path
Last modified on Jun 4, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.