Is there a way to utilize a generated Workspace Access Token in an Azure DevOps Service Connection?
I’m trying to set up an Azure DevOps Pipeline for our company that will access a Bitbucket repository securely without tying the connection to a specific user.
Hi Maksym,
Unfortunately, this is not possible. Bitbucket Cloud workspace access tokens are specifically designed for authenticating with Bitbucket Cloud services. They are not intended for use with Azure DevOps, which is a separate service with its own authentication mechanisms.
To authenticate with Azure DevOps, you could try using an OAuth token instead, which is not tied to a specific user account:
There is some documentation on the Azure side for this as well:
Hope this helps.
Cheers!
- Ben (Bitbucket Cloud Support)
I am also trying to use access tokens as credentials for Azure DevOps Pipelines to access Bitbucket repositories.
It seems that Azure DevOps wants to do two main things with Bitbucket:
Ideally I would like to use an access token, scoped to the project, with only "repository read" and "webhook read/modify/write" permissions. I am trying to avoid using a Bitbucket Cloud "bot" account, because to give it webhook permissions, it seems the user needs to have admin permissions on a project/repository/etc. (even if the scope of the app password or user API token is restricted properly).
Reading here, access tokens can be used to do Git operations over HTTPS using the username "x-token-auth", so that's fine. The problem is, Bitbucket API access using access tokens seems to only support HTTP Bearer authorization. For Bitbucket Cloud, Azure DevOps only supports using OAuth or HTTP Basic authorization.
My understanding is that OAuth ultimately is for doing things on behalf of a user, so I run into the user permissions problem.
User API tokens and app passwords can be used with HTTP Basic authorization, but again, this is on behalf of a user.
Do I have to grant my Bitbucket Cloud bot account admin permissions on projects/repositories to be able to programmatically set up webhooks via either OAuth or something that supports HTTP Basic authorization?
Separately, it annoys me that the Azure DevOps docs and UI push you to use OAuth as your personal user to connect to Bitbucket Cloud, but I'd think that goes against the best practice of not using someone's personal account for automated operations, e.g. if they leave the company and their account permissions are removed.
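The two ways an access token is presented, as the comment above describes them, shown as an added example that is not part of the thread or of any Atlassian or Microsoft code: Git over HTTPS carries the token as HTTP Basic with the username x-token-auth, while the REST API takes it as a Bearer header. The workspace, repository slug, callback URL and token are constructed placeholders, the webhook endpoint and payload fields are those of the Bitbucket Cloud REST API 2.0, and the request is built but never sent.

```python
import base64
import json
import urllib.request

API = "https://api.bitbucket.org/2.0"


def git_basic_header(access_token: str) -> str:
    """Header Git sends over HTTPS: Basic, with the fixed username
    x-token-auth and the access token in the password position."""
    raw = f"x-token-auth:{access_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def api_bearer_header(access_token: str) -> str:
    """Header for REST API calls made with the same access token."""
    return "Bearer " + access_token


def webhook_request(workspace, repo_slug, access_token, callback_url):
    """Build (without sending) the call that registers a push webhook.
    The token needs only webhook scope on this repository."""
    body = json.dumps({
        "description": "CI trigger (constructed example)",
        "url": callback_url,
        "active": True,
        "events": ["repo:push"],
    }).encode()
    return urllib.request.Request(
        f"{API}/repositories/{workspace}/{repo_slug}/hooks",
        data=body,
        method="POST",
        headers={
            "Authorization": api_bearer_header(access_token),
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    token = "EXAMPLE-TOKEN"  # constructed placeholder, not a real credential
    req = webhook_request("example-ws", "example-repo", token,
                          "https://ci.example.invalid/hook")
    # Print only the scheme, never the credential itself.
    print("git over HTTPS:", git_basic_header(token).split(" ", 1)[0])
    print("REST API      :", req.get_header("Authorization").split(" ", 1)[0])
    print(req.get_method(), req.full_url)
```

A client that can only send Basic or OAuth credentials can produce the first header but not the second, which is the gap the comment describes.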