Troubleshoot OAuth requests

OAuth requires you to write your own code and use a third-party OAuth library. Our Support resources cannot debug your application code or a third-party OAuth library. This page provides some tips for troubleshooting problems with your OAuth requests.

Check your OAuth version

Bitbucket supports OAuth 1.0a with HMAC-SHA1 (shared secret) signatures. We support both 3-Legged and 2-Legged OAuth. RSA-SHA1 (the public/private keys feature) is not currently supported.  

Check your application server's clock

Make sure your application server's clock is accurate. OAuth requires that timestamps be within five minutes of the Bitbucket server clock. If the timestamp is not within five minutes either side of the actual current time, the request is rejected.

Test your signature interactively

You should verify your key and secret with some public code.

Review the OAuth library you are utilizing

While there are plenty of great libraries referenced from, not all are created equal and some may not work as expected. For example, the rauth library uses query parameters in the URL by default. We wrote our OAuth implementation specifically with header authentication in mind as the primary authentication method. As a result, rauth calls may fail with Bitbucket if a URL's length exceeds 4094 characters.

If you have issues with a specific library, review your library's API to ensure it is using a standard implementation of OAuth 1.0a. If you aren't sure, try another library; there are multiple libraries for all the major languages, including JavaScript.
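To check a key, a secret and a library's output independently, as suggested under "Test your signature interactively", the following added example (not Bitbucket's code, and not taken from any OAuth library) computes an OAuth 1.0a HMAC-SHA1 signature with the Python standard library, places it in an Authorization header rather than in query parameters, and applies the five-minute timestamp rule. The function names and the `window` parameter are this example's own; the sample values are the published example from Appendix A of the OAuth Core 1.0 specification.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # OAuth percent-encoding: only unreserved characters are left unescaped
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # url is scheme://host/path without the query string; query parameters go in params
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is "consumer_secret&token_secret"; token_secret is empty for 2-legged
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, consumer_key, consumer_secret, token=None,
                         token_secret="", query=None, timestamp=None, nonce=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    # Query parameters are covered by the signature but stay in the URL, not the header
    oauth["oauth_signature"] = sign(method, url, {**oauth, **(query or {})},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def clock_skew_ok(timestamp, now=None, window=300):
    # Accept only timestamps within five minutes either side of the current time
    now = time.time() if now is None else now
    return abs(now - int(timestamp)) <= window

if __name__ == "__main__":
    # Sample values: the OAuth Core 1.0 specification's Appendix A example, fixed nonce and timestamp
    print(authorization_header("GET", "http://photos.example.net/photos",
          "dpf43f3p2l4k3l03", "kd94hf93k423kf44", token="nnch734d00sl2jdk",
          token_secret="pfkkdhi9sl3r4s00", query={"file": "vacation.jpg", "size": "original"},
          timestamp=1191242096, nonce="kllo9940pd9333jh"))
    # A timestamp this old fails the freshness check, as a drifting server clock would
    print(clock_skew_ok(1191242096))
```

If your library produces a different signature for the same method, URL, parameters, nonce and timestamp, compare its signature base string with `base_string()` first; encoding and parameter ordering are where implementations usually diverge.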

Additional Help