App password permissions

App passwords are single purpose, user-based access tokens which can be created with limited permissions (or scope). The following types of permissions are available for App passwords:

Account

Account permissions provide access to view or modify the user’s Bitbucket Cloud account. Bitbucket Cloud allows the following account permission levels:

  • Email

  • Read

  • Write

Email

Equivalent to the email API scope.

Provides access to view the user's primary email address.

Read

Equivalent to the account API scope.

Provides access to view all of the user’s account information, including (but not limited to):

  • full name

  • email addresses

  • location

  • user groups

  • SSH keys

  • website

  • language

Write

Equivalent to the account:write API scope.

Provides access to manage the user’s account information, including access to delete the user’s account.

Workspace membership

Workspace membership permissions provide access to view or modify the user’s Bitbucket Cloud Workspaces. Bitbucket Cloud allows the following workspace membership permission levels:

  • Read

  • Write

Read

Equivalent to the team API scope.

Provides access to view the workspaces where the user is a member.

Write

Equivalent to the team:write API scope.

Provides access to manage all workspaces where the user is an administrator.

Projects

Project permissions provide access to view or modify the user’s Bitbucket Cloud Projects. Bitbucket Cloud allows the following project permission levels:

  • Read

  • Write

  • Admin

Read

Equivalent to the project API scope.

Provides access to view the projects the user has access to view. Read access (repository) to all the repositories in the projects is also granted.

Write

Equivalent to the project:write API scope.

This scope is deprecated, and has been made obsolete by project:admin. Please see the deprecation notice here.

Admin

Equivalent to the project:admin API scope.

Provides administrative access to a project or projects. No distinction is made between public and private projects. This scope doesn't implicitly grant the project scope or the repository:write scope on any repositories under the project. It gives access to the admin features of a project only, not direct access to the project’s repositories. This scope provides access to:

  • create a project

  • update a project

  • delete a project

Repositories

Repository permissions provide access to view or modify the user’s Bitbucket Cloud repositories. Bitbucket Cloud allows the following repository permission levels:

  • Read

  • Write

  • Admin

  • Delete

Read

Equivalent to the repository API scope.

Provides access to view all the repositories the user has access to view, including the source code, Issues, and Wiki. This does not include pull requests.

Write

Equivalent to the repository:write API scope.

Provides access to modify all the repositories the user has access to change, including the source code, Issues, and Wiki. This does not include pull requests.

Admin

Equivalent to the repository:admin API scope.

Provides access to administrator access to all repositories the user has administrator access for. This permission (scope) allows the user to:

  • View and manipulate committer mappings.

  • List and edit deploy keys.

  • Ability to delete the repositories.

  • View and edit repositories permissions.

  • View and edit branch permissions.

  • Import and export the issue tracker.

  • Enable and disable the issue tracker.

  • List and edit issue tracker version, milestones, and components.

  • Enable and disable the wiki.

  • List and edit default reviewers.

  • List and edit repository links (such as Jira, Bamboo, and custom links).

  • List and edit the repository webhooks.

  • Initiate a repository ownership transfer.

Delete

Equivalent to the repository:delete API scope.

Provides access to delete repositories where the user is an administrator.

Pull requests

Pull request permissions provide access to view or modify Bitbucket Cloud pull requests accessible by the user. Bitbucket Cloud allows the following pull request permission levels:

  • Read

  • Write

Read

Equivalent to the pullrequest API scope.

Provides access to view and list pull requests on the repositories the user has access to view. This permission (scope) also allows the user to create and resolve tasks.

Write

Equivalent to the pullrequest:write API scope.

Provides access to create, comment, approve, decline, and merge pull requests the user has access to modify.

Issues

Issues permissions provide access to view or modify Bitbucket Cloud repository issues accessible by the user. Bitbucket Cloud allows the following issue permission levels:

  • Read

  • Write

Read

Equivalent to the issue API scope.

Provides access to view, list, search, create, comment, watch, and vote for issues on repositories the user has access to view.

Write

Equivalent to the issue:write API scope.

Provides access to transition and delete issues the user has access to modify.

Wikis

The Wikis permission provides access to view or modify Bitbucket Cloud Wikis that are accessible by the user.

Read and Write

Equivalent to the wiki API scope.

Provides access to create, edit, and view wiki pages; including cloning and pushing to the wiki repositories the user has access to modify.

Snippets

Snippets permissions provide access to view or modify Bitbucket Cloud code snippets in Workspaces that are accessible by the user. Bitbucket Cloud allows the following snippet permission levels:

  • Read

  • Write

Read

Equivalent to the snippet API scope.

Provides access to view and comment on any Snippets the user has access to view.

Write

Equivalent to the snippet:write API scope.

Provides access to create, edit, and delete any Snippets the user has access to modify.

Webhooks

The Webhooks permission provides access to view all existing webhooks that are accessible to the user, and provides write access for creating webhooks when combined with other permissions. For details, see: Bitbucket Cloud REST APIs — Webhooks.

Read and write

Equivalent to the webhook API scope.

Required for webhook operations. Additional API scopes may be required. For details, see: Bitbucket Cloud REST APIs — Webhooks.

Pipelines

Pipelines permissions provide access to view or control Bitbucket Pipelines for repositories that are accessible by the user. Bitbucket Cloud allows the following pipeline permission levels:

  • Read

  • Write

  • Edit variables

Read

Equivalent to the pipeline API scope.

Provides access to view the pipelines, steps, deployment environments, and variables the user has access to view.

Write

Equivalent to the pipeline:write API scope.

Provides access to stop, rerun, resume, and manually trigger pipelines the user has access to control.

Edit variables

Equivalent to the pipeline:variable API scope.

Provides access to create pipelines environmental variables in workspaces, repositories, and deployments where the user can create environmental variables.

Runners

Runners permissions provide access to view or modify Bitbucket Pipelines Runners for a Workspace and its repositories. Bitbucket Cloud allows the following pipeline runner permission levels:

  • Read

  • Write

Read

Equivalent to the runner API scope.

Provides access to view the pipelines runners for a Workspace and its repositories.

Write

Equivalent to the runner:write API scope.

Provides access to create, edit, disable, and delete pipelines runners for a Workspace and its repositories.

Still need help?

The Atlassian Community is here for you.