Bitbucket access tokens reference


Bitbucket Cloud access tokens for CloudBees Unify integrations follow a three-tier containment hierarchy with differing scope support and plan requirements. Use this reference when configuring a Bitbucket integration or selecting the appropriate token type for your use case.

Token types

Bitbucket Cloud provides three token types, arranged from broadest to narrowest scope:

  • Workspace access token (WAT): Grants access to all projects and repositories in a workspace.

  • Project access token (PAT): Grants access to all repositories in a single project.

  • Repository access token (RAT): Grants access to a single repository.

Project and Workspace access tokens are a Bitbucket Cloud Premium feature. Bitbucket Standard plan customers can generate Repository access tokens only.

Project access token support has not been fully validated. Where possible, use a repository or workspace access token for production workflows.

Token type by use case

Use this table to select the appropriate token type for your CloudBees Unify integration.

Table 1. Token type by use case

| Use case | Recommended token type | Notes |
|---|---|---|
| Single repository integration | Repository access token | One token per repository. |
| Multiple repositories in one project | Project access token | Supports repository:write scope. Suitable for workflows that commit workflow YAML back to repositories. |
| Multiple repositories with full workflow support | Workspace access token | Supports all CloudBees Unify operations including committing workflow YAML files back to repositories. |
| Triggering Bitbucket Pipelines | Any token type | Requires pipeline:write scope, available on all three token types. |

Required scopes

The following table lists the Bitbucket scopes required for each CloudBees Unify operation, and which token types support them.

Table 2. Required Bitbucket scopes per CloudBees Unify operation

| CloudBees Unify operation | Required Bitbucket scope | Repository token | Project token | Workspace token |
|---|---|---|---|---|
| Git checkout (clone) | repository (read) | Yes | Yes | Yes |
| SCM integration, commit workflow YAML | repository:write | Yes | Yes | Yes |
| Create webhooks | webhook | Yes | Yes | Yes |
| Run a Bitbucket pipeline | pipeline:write | Yes | Yes | Yes |

Project access tokens support repository:write as of February 2023. All three token types can be used for workflows that commit YAML back to repositories.
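The scope table above can be turned into a least-privilege check that reports which scopes a token is missing for the operations an integration performs and which granted scopes it does not need. This is an added example, not CloudBees or Bitbucket code: the operation keys and function names are hypothetical, the sample scope sets are constructed, and the rule that repository:write also covers repository read access is an assumption.

```python
# Added example: least-privilege audit of a Bitbucket access token's scopes.
# Scope names come from Table 2; operation keys and function names are hypothetical.

REQUIRED_SCOPE = {  # CloudBees Unify operation -> required Bitbucket scope
    "checkout": "repository",
    "commit_workflow_yaml": "repository:write",
    "create_webhooks": "webhook",
    "run_pipeline": "pipeline:write",
}

# Assumption: the write scope also grants the matching read scope.
IMPLIES = {"repository:write": {"repository"}}


def expand(scopes):
    """Return the given scopes plus every scope they imply."""
    out = set(scopes)
    for scope in scopes:
        out |= IMPLIES.get(scope, set())
    return out


def minimal_scopes(operations):
    """Smallest scope set to request for the listed operations."""
    needed = {REQUIRED_SCOPE[op] for op in operations}
    return {s for s in needed
            if not any(s in IMPLIES.get(o, ()) for o in needed if o != s)}


def audit(granted, operations):
    """Compare granted scopes with what the operations require."""
    effective = expand(granted)
    needed = {REQUIRED_SCOPE[op] for op in operations}
    return {
        # Required scopes the token does not provide, even by implication.
        "missing": sorted(needed - effective),
        # Operations that would fail with this token.
        "blocked": sorted(op for op in operations
                          if REQUIRED_SCOPE[op] not in effective),
        # Granted scopes that no listed operation needs.
        "excess": sorted(set(granted) - expand(needed)),
    }


if __name__ == "__main__":
    # Constructed sample: a token created with broad scopes, used only for
    # checkout and webhook creation.
    print(audit({"repository:write", "webhook", "pipeline:write"},
                ["checkout", "create_webhooks"]))
    print(sorted(minimal_scopes(["checkout", "commit_workflow_yaml"])))
```

A non-empty `excess` list means the token can be recreated with fewer scopes; a non-empty `blocked` list names the operations that will fail until the missing scopes are granted.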

Workspace field

When you configure a Bitbucket integration using a Project or Workspace access token, you must provide the Workspace slug in the integration form. The workspace slug is the value that appears in the Bitbucket URL: https://bitbucket.org/<workspace-slug>.

For existing integrations that have already onboarded at least one repository, the workspace is auto-populated by the hourly repository sync process. No manual action is required for those integrations.

Token expiration and rotation

Bitbucket access tokens have a configurable expiration date. Set an expiration date that aligns with your organization’s security policies. To rotate a token, create a new token in Bitbucket with the same scopes and update the corresponding CloudBees Unify secret.