App passwords

App passwords are user-based access tokens for scripting tasks and integrating tools (such as CI/CD tools) with Bitbucket Cloud. App passwords are designed to be used for a single purpose with limited permissions, so they don't require two-step verification (2SV, also known as two-factor authentication or 2FA).

App passwords are tied to an individual account's credentials and should not be shared. By sharing your App password you're giving direct, authenticated access to everything that password has permissions to do with the Bitbucket APIs.

App passwords features

App passwords have the following features:

  • They can be used to authenticate API calls.

  • They have limited permissions (scopes), specified when the App password is created.

  • They are intended to be single purpose, rather than reusable.

  • They are encrypted on our database and can't be viewed by anyone.

App passwords limitations

App passwords have the following limitations:

  • They can't be used to manage workspace actions.

  • They can't be viewed or edited after they are created. They are intended to be replaced with a new App password rather than recovered or modified.

  • They can't be used to log in to your Bitbucket account at

Still need help?

The Atlassian Community is here for you.