Greetings Atlassian community,
Not being too familiar with OAuth, I was wondering what the recommended approach would be for the following use-case.
We have a metrics scrape service that basically scrapes the different Bitbucket API endpoints of our instance in order to get a complete metrics overview of our different projects. This is a continuously running service that scrapes each minute. This service is owned by an (internal service) team.
For this use-case, I was wondering what the best approach for authenticating with the Bitbucket API would be. OAuth requires a bit more complexity in code, whereas an App Password is much more simple.
Any recommendations between OAuth vs App Password?
Hey Sander,
The decision to use AppPassword vs OAuth will all come down to personal preference.
Both require knowledge of a username as well as a specific token. The difference is, OAuth is configured at the workspace level, meaning that anyone on that workspace can generate tokens if they have the necessary read/write permissions, and the permissions granted by that token are configurable, whereas AppPassword is configured on the personal level and the access is based on the access that personal account has to the workspace.
OAuth will require, as you stated - more code complexity, and tokens expire after a certain time - meaning that it is generally more secure vs AppPassword, where this does not expire; however, both can be revoked/regenerated at any time.
As long as OAuth tokens/AppPasswords are not shared with third-party users, you can consider these both secure.
If you are wanting simplicity, AppPassword would be the suggested choice - if you are wishing to favour security at the cost of code complexity, OAuth is the suggested choice.
Cheers!
- Ben (Bitbucket Cloud Support)
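The trade-off Ben describes above, as an added example that is not code from the original thread or from Atlassian: a small authentication layer for a minute-by-minute scraper that can run with either an App Password (HTTP Basic, never expires) or an OAuth 2.0 client-credentials bearer token that the scraper must renew itself before it expires. The token URL is Bitbucket Cloud's documented OAuth 2.0 endpoint; the class names, the environment variable names and the fake token fetcher (which returns a constructed 7200-second lifetime) are assumptions made for illustration.

```python
"""Added example (not from the original thread): App Password vs OAuth 2.0
client-credentials auth for a long-running Bitbucket Cloud scraper."""
import base64
import json
import os
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Mapping, Optional

# Bitbucket Cloud's documented OAuth 2.0 token endpoint.
BITBUCKET_TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"


class AppPasswordAuth:
    """App Password: a static, non-expiring credential sent as HTTP Basic."""

    def __init__(self, username: str, app_password: str) -> None:
        raw = f"{username}:{app_password}".encode()
        self._header = "Basic " + base64.b64encode(raw).decode()

    def headers(self, now: Optional[float] = None) -> Dict[str, str]:
        return {"Authorization": self._header}


@dataclass
class OAuthClientCredentialsAuth:
    """OAuth 2.0 client_credentials: bearer token with a finite lifetime.

    The expiry reported by the token endpoint is tracked, and a fresh token is
    requested `refresh_margin` seconds before the current one would expire, so
    a scraper polling every minute never sends an expired token."""
    client_id: str
    client_secret: str
    fetch_token: Callable[[str, str], dict]  # performs the token request
    refresh_margin: float = 60.0             # renew this many seconds early
    refresh_count: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def headers(self, now: Optional[float] = None) -> Dict[str, str]:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.refresh_margin:
            resp = self.fetch_token(self.client_id, self.client_secret)
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
            self.refresh_count += 1
        return {"Authorization": f"Bearer {self._token}"}


def fetch_token_from_bitbucket(client_id: str, client_secret: str) -> dict:
    """Live token request: POST grant_type=client_credentials, authenticating
    the OAuth consumer with HTTP Basic (consumer key:secret)."""
    req = urllib.request.Request(
        BITBUCKET_TOKEN_URL, data=b"grant_type=client_credentials", method="POST")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def make_fake_token_fetcher(expires_in: int = 7200) -> Callable[[str, str], dict]:
    """Constructed stand-in for the network call so the code runs offline;
    each call hands out a new numbered token with the given lifetime."""
    calls = {"n": 0}

    def fetch(client_id: str, client_secret: str) -> dict:
        calls["n"] += 1
        return {"access_token": f"tok-{calls['n']}", "token_type": "bearer",
                "expires_in": expires_in}
    return fetch


def build_auth_from_env(env: Mapping[str, str] = os.environ,
                        fetch_token: Callable = fetch_token_from_bitbucket):
    """Pick the mechanism from environment variables (constructed names) so
    that neither secret is hard-coded in the scraper."""
    if env.get("BITBUCKET_OAUTH_CLIENT_ID"):
        return OAuthClientCredentialsAuth(env["BITBUCKET_OAUTH_CLIENT_ID"],
                                          env["BITBUCKET_OAUTH_CLIENT_SECRET"],
                                          fetch_token)
    return AppPasswordAuth(env["BITBUCKET_USERNAME"], env["BITBUCKET_APP_PASSWORD"])


def simulate_polls(auth: OAuthClientCredentialsAuth, polls: int,
                   interval: float = 60.0) -> int:
    """Offline walk-through: call headers() once per poll and report how many
    token renewals the scraper had to perform."""
    for i in range(polls):
        auth.headers(now=i * interval)
    return auth.refresh_count


if __name__ == "__main__":
    auth = OAuthClientCredentialsAuth("consumer-key", "consumer-secret",
                                      make_fake_token_fetcher())
    print("token refreshes over 150 one-minute polls:", simulate_polls(auth, 150))
```

Whichever mechanism is chosen, the secret lives in the environment (or a secrets manager) rather than in the scraper's source, and the OAuth consumer or app password is scoped to the read permissions the metrics job actually needs, which limits what a leaked credential can do until it is revoked.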