Bitbucket Cloud access tokens for CloudBees Unify integrations follow a three-tier containment hierarchy with differing scope support and plan requirements. Use this reference when configuring a Bitbucket integration or selecting the appropriate token type for your use case.
Token types
Bitbucket Cloud provides three token types, arranged from broadest to narrowest scope:
-
Workspace access token (WAT): Grants access to all projects and repositories in a workspace.
-
Project access token (PAT): Grants access to all repositories in a single project.
-
Repository access token (RAT): Grants access to a single repository.
| Project and Workspace access tokens are a Bitbucket Cloud Premium feature. Bitbucket Standard plan customers can generate Repository access tokens only. |
| Project access token support has not been fully validated. Where possible, use a repository or workspace access token for production workflows. |
Token type by use case
Use this table to select the appropriate token type for your CloudBees Unify integration.
| Use case | Recommended token type | Notes |
|---|---|---|
Single repository integration |
Repository access token |
One token per repository. |
Multiple repositories in one project |
Project access token |
Supports |
Multiple repositories with full workflow support |
Workspace access token |
Supports all CloudBees Unify operations including committing workflow YAML files back to repositories. |
Triggering Bitbucket Pipelines |
Any token type |
Requires |
Required scopes
The following table lists the Bitbucket scopes required for each CloudBees Unify operation, and which token types support them.
| CloudBees Unify operation | Required Bitbucket scope | Repository token | Project token | Workspace token |
|---|---|---|---|---|
Git checkout (clone) |
|
Yes |
Yes |
Yes |
SCM integration, commit workflow YAML |
|
Yes |
Yes |
Yes |
Create webhooks |
|
Yes |
Yes |
Yes |
Run a Bitbucket pipeline |
|
Yes |
Yes |
Yes |
Project access tokens support repository:write as of February 2023.
All three token types can be used for workflows that commit YAML back to repositories.
|
Workspace field
When you configure a Bitbucket integration using a Project or Workspace access token, you must provide the Workspace slug in the integration form.
The workspace slug is the value that appears in the Bitbucket URL: https://bitbucket.org/<workspace-slug>.
For existing integrations that have already onboarded at least one repository, the workspace is auto-populated by the hourly repository sync process. No manual action is required for those integrations.