Identify the HTTP access token used for Git or API operations in Bitbucket Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article covers how to identify the HTTP access token used for Git or API operations.

How access token and authentication work

When a Git or API request is authenticated using an HTTP access token linked to a project or repository, a username that isn't present in Bitbucket's user directories is logged. This occurs because the HTTP access token at the project or repository level doesn't have a corresponding user account. As a result, a system-generated username is assigned when the token is first stored, and this username appears in the logs. However, administrators may occasionally need to verify which access token was used for a specific Git operation.

Solution

This Database Query / Functionality is not officially supported.
Atlassian is not responsible for translating queries for different databases.
- This query is PostgreSQL compatible and should only be used as an example. Any desired adjustments should be checked with your local Database Administrator, including queries related to different DBMS that are not present in this KB article, like Oracle Database.
Atlassian will not provide support for changes, adjustments, or inquiries regarding the below queries, as this is not part of Atlassian Support Offerings.
- Atlassian does not provide any support for the sample database queries provided in our knowledge base documents. Extraction of data from Bitbucket should be performed using the REST API as we do not keep all data relationships in the DB. Many connections to data are handled in the code. The REST API can go through the code paths to get the data. A SQL would have to do that manually or, in some cases, it can’t be done at all.

First, find the request in the atlassian-bitbucket-access.log file.
10.255.11.7,10.255.11.6 | https | i@1C42G8Bx514x1250x0 | - | 2025-12-01 08:34:21,223 | "GET /rest/api/latest/projects/pro1/repos/repo5 HTTP/1.1" | "" "curl/8.6.0" | - | - | - | - | - | - | 10.255.11.7,10.255.11.6 | https | o@1C42G8Bx514x1250x0 | access-token-user/1/3 | 2025-12-01 08:34:21,939 | "GET /rest/api/latest/projects/pro1/repos/repo5 HTTP/1.1" | "" "curl/8.6.0" | 200 | 0 | 565 | access-token:id:238745678966 | 720 | - |
Identify the token ID field. For instance, in this log, the token ID is recorded as "access-token:id:238745678966". This token ID(238745678966 in this case) will be used in the following queries to retrieve the token details.
Execute the query below using the token ID identified above. If any row has repo_id, repo_slug, and repo_name as null, it indicates that the token was created at the project level and applies to all repositories within that project.

SELECT 
    act."NAME", 
    act."TOKEN_ID", 
    act."USER_ID",
    CASE 
        WHEN atp."PERMISSION" = 2 THEN 'PROJECT_READ'
        WHEN atp."PERMISSION" = 3 THEN 'PROJECT_WRITE'
        WHEN atp."PERMISSION" = 4 THEN 'PROJECT_ADMIN'
        WHEN atp."PERMISSION" = 0 THEN 'REPO_READ'
        WHEN atp."PERMISSION" = 1 THEN 'REPO_WRITE'
        WHEN atp."PERMISSION" = 8 THEN 'REPO_ADMIN' 
    END AS permission,
    p.project_key, 
    p.id as project_id, 
    p.name as project_name,
    CASE 
        WHEN r.id IS NOT NULL THEN r.id 
        ELSE NULL 
    END as repo_id,
    CASE 
        WHEN r.slug IS NOT NULL THEN r.slug 
        ELSE NULL 
    END as repo_slug,
    CASE 
        WHEN r.name IS NOT NULL THEN r.name 
        ELSE NULL 
    END as repo_name,
    ssu.display_name, 
    ssu.label,
    act."CREATED_DATE", 
    act."EXPIRY_DAYS", 
    act."HASHED_TOKEN", 
    act."LAST_AUTHENTICATED",
    CASE 
        WHEN r.id IS NOT NULL THEN 'REPOSITORY'
        ELSE 'PROJECT'
    END AS token_level
FROM 
    "AO_E5A814_ACCESS_TOKEN" act
LEFT JOIN 
    "AO_E5A814_ACCESS_TOKEN_PERM" atp ON act."TOKEN_ID" = atp."FK_ACCESS_TOKEN_ID"
LEFT JOIN 
    sta_service_user ssu ON act."USER_ID" = ssu.user_id
LEFT JOIN 
    (
        SELECT 
            rp.user_id, 
            rp.repo_id, 
            NULL as project_id 
        FROM 
            sta_repo_permission rp 
        UNION ALL
        SELECT 
            pp.user_id, 
            NULL as repo_id, 
            pp.project_id 
        FROM 
            sta_project_permission pp
    ) permissions ON permissions.user_id = act."USER_ID"
LEFT JOIN 
    repository r ON r.id = permissions.repo_id
LEFT JOIN 
    PROJECT p ON (r.project_id = p.id OR p.id = permissions.project_id)
WHERE 
    ssu.user_id IS NOT NULL
 and act."TOKEN_ID" = <token-id-identified-in-step2>;

Updated on December 3, 2025

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

Identify the HTTP access token used for Git or API operations in Bitbucket Data Center

Summary

How access token and authentication work

Solution

Still need help?