Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

API token benefits?

Stojan Cveticanin
Stojan Cveticanin August 7, 2025

Hi.

I am trying to switch from using app password to api tokens as you marked app password obsolete from 09.09. but I don't see any benefits from it, it just make my life harder.

Your documentation about switching it in SourceTree is not working (it is not possible to use email as username and if I leave username I used with app password it does not work when I switch to api token).

Also, why is necessary for token to have expiration date? That means I should always make alarms once a year to update it everywhere. That does not lead to increased security but to annoying users.

Can you give me some benefits? And can you fix/update documentation how to switch to it in SourceTree?

Greetings,
Stojan

Answer
Watch
Like Be the first to like this
148 views

2 answers

1 accepted

1 vote
Answer accepted
Ben
Ben
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 7, 2025

Hi Stojan,

The primary reason behind switching from App Passwords to API tokens is for security reasons.

The permissions scope for App Passwords is quite limited vs API tokens (which provide more granularity), and the purpose of an expiration is to ensure that older projects which may not be maintained frequently are not able to be compromised by an App Password which does not expire.

Further reasons are highlighted in the announcement post:

Regarding the documentation - this is indeed incorrect. I've created an internal ticket to get this article updated accordingly to avoid further confusion. Thank you for bringing this to our attention.

 

You'll need to create the API token and make sure that you first specify the correct scope (see: deprecation documentation) - if the scope is incorrect, this could be why it's failing in Sourcetree:

  1. Click the gear cog icon, select Atlassian Account settings > Security tab > Create and manage API Tokens

  2. Click Create API token with scopes and select Bitbucket Cloud

  3. If you want to be able to clone/push/pull to the repository - you'll need to tick both read:repository:bitbucket and write:repository:bitbucket - clone only would just be read:repository:bitbucket.
    More information on scopes can be found in our API scopes documentation.

  4. In Sourcetree, you can use either of the following URL formats (if using the first command - you can find your username by clicking the gear cog icon and selecting Personal Bitbucket Settings - it's visible under the Bitbucket Profile Settings heading):


Please perform the above and let me know how this goes. If you are still encountering issues, I will assist you further.

Cheers!

- Ben (Bitbucket Cloud Support)

View More Comments
Stojan Cveticanin
Stojan Cveticanin August 8, 2025

Hi Ben,

Thanks for quick answer.

I understand your company's point of view on security, but as I said reasons you said is not benefit for me, I see it just as more job to do. At the end, I don't understand trend to "keep users safe" if the users find this not beneficial but annoying. However, thanks on explanation on this.

About the Sourcetree, I don't understand what you wrote me at all. If I want to create an account it asks for Basic or OAuth authentication, username and password and protocol. It is as simple as that. With my current username and app password it works, if I change app password with api token it does not. My token has all permissions. So, because your change it means I can not use Sourcetree any more starting from June next year.

Greetings,
Stojan

Like
Ben
Ben
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 10, 2025

Hi Stojan,

My apologies - I should have clarified. Can you attempt to perform a clone outside of Sourcetree in a terminal window using one of the URL's I provided above? This will allow us to test if the token scope is correct, and if there is an issue with Sourcetree specifically or not:

git clone https://username:APIToken@bitbucket.org/workspaceID/reposlug.git

If the clone succeeds - there may be a problem with the Sourcetree configuration or the platform in general. The authentication type configured should be basic, and the credentials should be your username and APIToken.

Cheers!

- Ben (Bitbucket Cloud Support)

Like
Stojan Cveticanin
Stojan Cveticanin August 10, 2025

Hi Ben,

I set up API token instead of app password in my mac key chain and working with git from command line is working fine.

Greetings,
Stojan

Like
Ben
Ben
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 10, 2025

Hi @Stojan Cveticanin 

I am also able to use my API Token to clone/push/pull against my GIT repository in a terminal window.

I've attempted to configure API Token in the latest version of Sourcetree for Mac (v4.2.13) and it does not accept the API Token in the configuration settings (requires email, which is not correct) and Basic auth does not authenticate. It seems that this is a platform-specific issue.

I have raised a bug ticket on your behalf accordingly, please Watch this to receive future updates related to it:

For now - I'd suggest continuing to use AppPassword, or authenticating your account with OAuth until this is fixed.

Thank you for raising this to our attention.

Cheers!

- Ben (Bitbucket Cloud Support)

Like
Stojan Cveticanin
Stojan Cveticanin August 10, 2025

Thanks a lot.

Greetings, 
Stojan

Like
Reply
0 votes
Stojan Cveticanin
Stojan Cveticanin August 14, 2025

Answer from Ben, that completes this (I don't know why it is not visible here):

Configuring in Sourcetree:

In Sourcetree, you'll need to perform the following steps:

  1. Make sure you're on the latest version of Sourcetree at the time of writing this (v4.2.13 295) by clicking Check for Updates and installing any. This version fully supports API tokens and you may encounter issues with older versions
  2. Confirm you're on the latest version by clicking About Sourcetree
  3. Once confirmed, access Settings > Accounts tab
  4. Click the Add button
  5. Select Bitbucket as the host 
  6. Select API Token as the Auth Type
  7. Enter the user email tied to your Bitbucket Cloud user account
  8. Paste your API token from above
  9. Click Save
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security