App passwords

App passwords are substitute passwords for a user account which you can use for scripts and integrating tools to avoid putting your real password into configuration files.

App passwords are designed to be used for a single purpose with limited permissions, so they don't require two-step verification (2SV). This means app passwords can be used by users with 2SV to make API calls to their Bitbucket account, and to integrate Bitbucket with other tools like Sourcetree and Bamboo.

About app passwords

Some important points about app passwords:

  • You cannot view an app password or adjust permissions after you create the app password.


Because app passwords are encrypted on our database and cannot be viewed by anyone. They are essentially designed to be disposable. If you need to change the scopes or lost the password just create a new one.

  • You cannot use them to log in to your Bitbucket account at

  • You cannot use your email address as your username when using app passwords.

  • You cannot use app passwords to manage workspace actions.

App passwords are tied to an individual account's credentials and should not be shared. If you're sharing your app password you're essentially giving direct, authenticated access to everything that password has been scoped to do with the Bitbucket APIs.

  • You can use them for API call authentication, even if you don't have two-step verification enabled.

  • You can set permission scopes (specific access rights) for each app password.

Create an app password

To create an app password:

  1. Select your avatar (Your profile and settings) in the upper-right corner of the top navigation.

  2. Select Personal settings from the Your profile and settings dropdown menu.

  3. Select App passwords under Access management.

  4. Select Create app password.

  5. Give the app password a name related to the application that will use the password.

  6. Select the specific access and permissions you want this application password to have.

  7. Copy the generated password and either record or paste it into the application you want to give access. The password is only displayed this one time.

Add an app password to Sourcetree or another application

To add your app password to Sourcetree:

  1. Go to the tab where you'll add or edit your account details:

    1. (Windows) Go to Tools > Options. From the Options dialog, select the Authentication tab.

    2. (macOS) Go to Sourcetree > Preferences. From the dialog that options, select the Accounts tab.

  2. Click to Edit your account details or Add a new one.

  3. From Authentication or Auth Type, select Basic, and enter your Username if it's not already there.

  4. Enter the app password you just created as your Password. If you're on Windows, you'll need hit Refresh Password first.

  5. Click OK or Save to save your account details.

To add your app password to another application, see the application's documentation for how to apply the app password.

Revoke an app password

To revoke an app password, select the password and click Revoke. Then confirm that you want to revoke the password.

Using an app password

An app password is a substitute password for the user account where you configure it, so you simply use it when authenticating with Bitbucket:

  • username: your normal Bitbucket username

    • Note: You cannot use your email address as your username.

  • password: the app password.

This applies to direct API access (e.g. via curl with HTTP authentication) as well as for tools that integrate with Bitbucket via the HTTP API. As mentioned above, you cannot log in to the Bitbucket web interface with an app password.

Additional Help