For obtaining access/bearer tokens, we support three of RFC-6749's grant flows, plus a custom Bitbucket flow for exchanging JWT tokens for access tokens. Note that Resource Owner Password Credentials Grant (4.3) is no longer supported. Check out our OAuth 2.0 developer documentation for more details.
This section provides the basic OAuth 2.0 information to register your consumer and set up OAuth 2.0 to make API calls.
Create a consumer
OAuth needs a key and secret, together these are know as an OAuth consumer. You can create a consumer on any existing workspace. To create a consumer, do the following:
Select your avatar (Your profile) from the navigation bar at the top of the screen.
Under Recent workspaces, select the workspace that will be accessed using the consumer; or find and open the workspace under All workspaces.
Select the Settings cog on the top navigation bar.
Select Workspace settings from the Settings dropdown menu.
On the sidebar, under Apps and features, select OAuth consumers.
Click the Add consumer button.
The system requests the following information:
Name: The display name for your consumer. This must be unique within your account. This is required. Description: An optional description of what your consumer does. Callback URL: Required for OAuth 2.0 consumers.
When making requests you can include a call back URL in the request:
If you do include the URL in a request it must be appended to the same URL configured in the consumer. So if your consumer callback URL is example.com/add-on the URL in your request must be something similar to example.com/add-on/function.
If you don't include the URL in the request we redirect to the callback URL in the consumer.
URL: An optional URL where the curious can go to learn more about your cool application.
Click Save. The system generates a key and a secret for you.
Toggle the consumer name to see the generated Key and Secret value for your consumer.
For obtaining access/bearer tokens, we support three of RFC-6749's grant flows, plus a custom Bitbucket flow for exchanging JWT tokens for access tokens through the following URL's:
Scopes are defined on the client/consumer instance. Bitbucket Cloud does not currently support the use of the optional scope parameter on the individual grant requests.
When the scope parameter is provided, Bitbucket will validate that it contains no scopes that were not already present on the client/consumer and fail if additional scopes are requested, but asking for fewer scopes will not affect the resulting access token.