Bitbucket Cloud enters phase 2 of app password deprecation

Hello Bitbucket Cloud community,

At Bitbucket, we’re dedicated to keeping your development workflows secure, modern, and reliable. As part of our ongoing commitment to evolving security in the developer ecosystem, we’re excited to share that Bitbucket Cloud has officially entered Phase 2 of our app password deprecation journey, moving toward API tokens as the standard for authentication. This change, effective September 9, 2025, is a significant step toward a safer and more streamlined experience for our community.

What’s happening in phase 2?

Starting today, new app password creation is disabled in Bitbucket Cloud. Here’s what this means for you:

  • Existing app passwords will remain valid during this phase, so your current integrations will not be interrupted

  • New integrations, however, will need to use API tokens with scopes, which are now the standard for authentication

  • Customers will be routed to create API tokens from this date forward and will be encouraged to adopt API tokens for their integrations during this phase.

This phase ensures that all new integrations are built on a modern, secure foundation while giving you plenty of time to transition existing setups.

Why switch to API tokens?

App passwords have served as a reliable authentication method, but API tokens offer enhanced security and greater control for all users: 

  • Expiration control: API tokens can be set to expire after a defined period, reducing the risk of long-term exposure if a token is compromised.

  • Centralized management: API tokens are managed through a centralized system, enabling easier oversight, revocation, and control. For managed accounts within a claimed domain, Org Admins gain visibility into API token usage and the ability to revoke tokens as needed.

  • Modern scopes: API tokens support modern identity scopes, which are more secure and flexible than the classic scopes used by app passwords. 

Transitioning to API tokens ensures a more secure and consistent authentication experience for all Bitbucket Cloud users.

What you need to do

Here’s how Phase 2 impacts you and how to prepare:

  • If you rely on existing app passwords: They’ll continue to work until June 9, 2026, when Phase 3 fully deprecates them. However, we encourage you to start migrating to API tokens early to avoid any last-minute hiccups.

  • If you’re creating new integrations: Starting today, September 9, 2025, you’ll need to use API tokens for any new scripts, CI/CD tools, or apps connecting to Bitbucket.

  • If you’re an admin: Rally your teams to begin transitioning now. Early adoption will ensure a smooth shift and help you stay ahead of the final deadline.
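To find integrations that still carry a stored Bitbucket secret, you can inventory credential-bearing config before migrating. The sketch below is an added example, not Atlassian's code: it scans git config text and .netrc text for passwords tied to Bitbucket hosts and reports where they live without printing the secret. The host list, file names, and sample contents are assumptions constructed for illustration, and a hit may be an app password or an API token, so each one needs a manual check.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs; the secrets are placeholders, not real credentials.
SAMPLE_GIT_CONFIG = """\
[remote "origin"]
    url = https://build-bot:EXAMPLE-SECRET-1@bitbucket.org/acme/api.git
[remote "mirror"]
    url = git@bitbucket.org:acme/api.git
[remote "upstream"]
    url = https://ci-user:EXAMPLE-SECRET-2@git.example.com/acme/api.git
"""
SAMPLE_NETRC = """\
machine api.bitbucket.org login build-bot password EXAMPLE-SECRET-3
machine git.example.com login dev password EXAMPLE-SECRET-4
"""

# Assumption: these are the Bitbucket Cloud hosts your tooling talks to.
BITBUCKET_HOSTS = {"bitbucket.org", "api.bitbucket.org"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def find_url_credentials(text, source):
    """Return (source, line, host, user) for Bitbucket URLs embedding a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(0))
            if parts.hostname in BITBUCKET_HOSTS and parts.password:
                findings.append((source, lineno, parts.hostname, parts.username))
    return findings


def find_netrc_credentials(text, source):
    """Return (source, None, host, login) for .netrc passwords on Bitbucket hosts."""
    findings, tokens, host, login = [], text.split(), None, None
    for key, value in zip(tokens, tokens[1:]):  # walk adjacent "key value" tokens
        if key == "machine":
            host, login = value, None
        elif key == "login":
            login = value
        elif key == "password" and host in BITBUCKET_HOSTS:
            findings.append((source, None, host, login))
    return findings


if __name__ == "__main__":
    hits = find_url_credentials(SAMPLE_GIT_CONFIG, ".git/config")
    for source, lineno, host, user in hits + find_netrc_credentials(SAMPLE_NETRC, ".netrc"):
        print(f"{source}:{lineno or '-'} {user}@{host}: stored secret, review for migration")
```
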

Looking ahead to phase 3

Mark your calendars for June 9, 2026, when Phase 3 will take effect. At that point, all app passwords will be permanently disabled, and API tokens will be the only way to authenticate with Bitbucket Cloud. By preparing now, you can avoid disruptions and keep your workflows running smoothly.

How to get started with API tokens

You can start using API tokens for scripting, CI/CD tools, or testing Bitbucket-connected applications. Follow these steps:

  1. From the top navigation bar, select Settings > Atlassian account settings > Security.

  2. Choose Create and manage API tokens > Create API token with scopes.

  3. Name the token, set an expiry date, and select Bitbucket as the app.

  4. Assign necessary permissions (see Bitbucket API token permissions for details).

  5. Create the token, copy it, and paste it into your application. Note: The token is displayed only once.

Learn more in our support documentation.

We’re here to support you

We know transitions like this can raise questions, and we’re committed to making this process as smooth as possible for our community. Throughout Phase 2, we’ll provide regular reminders, detailed guides, and hands-on support to help you migrate with confidence. Have questions or need help? Drop a comment below on this post. Your feedback is invaluable as it helps us refine our tools and support to better serve you.
