Problem 1 — $BITBUCKET_TOKEN is empty:
According to Atlassian documentation, $BITBUCKET_TOKEN should be auto-injected in pipeline steps. We cannot find the "Enable OAuth" toggle under Repository Settings → Pipelines → Settings. The variable is consistently empty in our pipeline.
Problem 2 — Auth proxy at localhost:29418 returns 400 for api.bitbucket.org:
Following Atlassian documentation and advice from our workspace admin, we set up an OAuth consumer (CLIENT_ID + CLIENT_SECRET) and tried routing API calls through the proxy. The proxy rejects CONNECT to api.bitbucket.org:443 with HTTP/1.1 400 Bad Request:

    curl -v --proxy http://localhost:29418 https://api.bitbucket.org/2.0/repositories/{workspace}/{slug}
    > CONNECT api.bitbucket.org:443 HTTP/1.1
    < HTTP/1.1 400 Bad Request

Problem 3 — IP allowlist blocks pipeline IPs:
Our workspace has IP allowlisting enabled. Personal Atlassian API tokens and repository access tokens both return 403 - "An admin must whitelist your IP" from pipeline runners. Pipeline IPs rotate so static whitelisting is not viable.
Questions:
1. How do we enable $BITBUCKET_TOKEN injection? Where exactly is the toggle in the current Bitbucket UI?
2. Is the auth proxy at localhost:29418 supposed to support CONNECT tunneling to api.bitbucket.org? If yes, what configuration are we missing?
3. What is the recommended way to make authenticated Bitbucket REST API calls from a pipeline step when IP allowlisting is enabled on the workspace?