
Cloning a repository using OAuth key and secret

In connection with a DDEV shell I need to use a clone command in the same way as it is done with personal access tokens in this documentation:


git clone --mirror -- '' '/mnt/ddev-global-cache/composer/vcs/'

At the moment it ends up in an error message: 

remote: Invalid username or password
fatal: Authentication failed for 'https://myOAuthKey:myOAuthSecret@b'

However the key and secret are identical to those set for an OAuth consumer of this account's working space settings.

What must I do to make this work?

1 answer

0 votes

Hi Franz and welcome to the community.

The documentation you included in your post is for Bitbucket Server access tokens. Based on the clone URL, it looks like you are using Bitbucket Cloud instead (repo hosted on so that documentation is not applicable.

If you are looking to authenticate with something similar to Bitbucket Server personal access tokens, you can check Bitbucket Cloud app passwords:

You can generate an app password for your Bitbucket Cloud account, and use it instead of the account's password when you clone.

You can also use OAuth, however, the process is a little more complex.

The key and secret of an OAuth consumer can be used to generate an access token, and it is this access token that should be used in the clone command. The documentation for OAuth in Bitbucket Cloud can be found here:

I am explaining below the steps you can follow in order to clone using OAuth:


1. While you are logged in to Bitbucket, go to your avatar > All workspaces > select the workspace you want to generate an OAuth consumer for.

After you open the workspace, go to its Settings from the sidebar > OAuth consumers > Add consumer.

Provide a name and Permissions for the consumer (if you only want to clone, then Repositories:Read should be enough).
You can use as Callback URL http://localhost.
Save the new consumer.


2. Open a new tab/window in your browser and navigate to the following URL (replace {consumer_key} with the consumer key that was generated, no brackets in the URL):{consumer_key}&response_type=code

When you hit Enter, you will see a page requesting that you grant access to the workspace. Select Grant access and then you will get redirected to


The code will be different, the above is just an example. Copy the code from the response (in my example it's fpYPDYsryEpsRawrj4)


3. You can then obtain an access token by executing the following command on a terminal

curl -X POST -u "key:secret" -d grant_type=authorization_code -d code=fpYPDYsryEpsRawrj4

Replace key with the consumer's key
Replace secret with the consumer's secret
Replace the code value in there (fpYPDYsryEpsRawrj4) with your code from the previous step

The output will look like this:

"access_token" : 6yElg-w1wXrlbM826XY1Nu-w5WfObqP0EOYo2JFMzs615QxZaX9z8Gsy_21yT23Ujftblt8eKeBAcfhCrHY=,
"scopes": "repository",
"expires_in" : 7200,
"refresh_token" : 2Eoiw6UJ707AD9aIyUR,
"token_type" : bearer


4. You can now use the access token from the previous step to clone any repo the workspace owns, as follows:

git clone https://x-token-auth:{access_token}<workspace-id>/<my-repo>.git

Replace access_token with your access_token from the previous step, but leave the brackets in the URL. Also, make sure to replace the workspace-id and repo name.


5. Our access tokens expire in two hours. When this happens you'll get 401 responses.

You will have to use the refresh token from the output in step 3 to get a new access token.

curl -X POST -u "key:secret" -d grant_type=refresh_token -d refresh_token={2Eoiw6UJ707AD9aIyUR}

Replace key with the consumer's key
Replace secret with the consumer's secret
Replace the value of the refresh_token in there (2Eoiw6UJ707AD9aIyUR) with the one from the output in step 3.

The output of the above command will give you a new access token (with the same 2 hour expiry) and also a refresh token.

If you have any questions, please feel free to let me know.

Kind regards,

This is very clear and works fine.

And I can even use it with a call to composer which accesses the Bitbucket url to do this cloning.


See .


composer config [--global] x-token-auth {access_token}

The only drawback is that I have to execute the refresh command every 2 hours. And this will give me a new access token. And as a consequence I will have to execute the command from above again.

It would be nice if I could increase the timeout to 7 days.  

Hi Franz,

Thank you for your reply, I'm glad that this works for you.

I'm afraid that it is not possible to change the expiry time for access tokens.

If this is an issue for you, the other alternative I can suggest is the app passwords, which don't have an expiry date:

Kind regards,
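
The two-hourly refresh discussed in this thread, and the credentials that appear in the question's error message because they were embedded in the clone URL, can both be handled by a git credential helper that refreshes the token itself. The sketch below is an added example, not code from the thread or from Atlassian. The environment variable names, the cache path and the 5-minute skew are assumptions, and BB_TOKEN_URL must be set to the token endpoint used in the curl commands of steps 3 and 5.

```python
# Git credential helper: serves a Bitbucket Cloud OAuth access token, refreshed before expiry.
import base64, json, os, sys, time, urllib.parse, urllib.request

# Assumed names: BB_TOKEN_URL (token endpoint of steps 3/5), BB_OAUTH_KEY, BB_OAUTH_SECRET.
TOKEN_URL = os.environ.get("BB_TOKEN_URL", "")
CACHE = os.path.expanduser("~/.cache/bb-oauth.json")  # hypothetical cache path
SKEW = 300  # refresh 5 minutes early so a long clone does not end in a 401

def parse_token_response(body, now):
    """Turn the JSON returned by the token endpoint into a cache record."""
    data = json.loads(body)
    return {"access_token": data["access_token"], "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}

def needs_refresh(record, now, skew=SKEW):
    return now >= record["expires_at"] - skew

def http_post(url, key, secret, form):
    """POST a form with HTTP Basic auth, like `curl -u key:secret -d ...`."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + basic)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def current_token(record, key, secret, now, post=http_post):
    """Return (token, record); calls `post` only when the token is near expiry."""
    if needs_refresh(record, now):
        form = {"grant_type": "refresh_token", "refresh_token": record["refresh_token"]}
        record = parse_token_response(post(TOKEN_URL, key, secret, form), now)
    return record["access_token"], record

def credential_lines(token):
    """git reads these from stdout, so the token never sits in the remote URL."""
    return f"username=x-token-auth\npassword={token}\n"

def main():
    with open(CACHE) as fh:
        record = json.load(fh)
    token, new = current_token(record, os.environ["BB_OAUTH_KEY"],
                               os.environ["BB_OAUTH_SECRET"], time.time())
    if new is not record:  # refreshed: persist with owner-only permissions
        fd = os.open(CACHE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(new, fh)
    sys.stdout.write(credential_lines(token))

if __name__ == "__main__" and sys.argv[1:] == ["get"]:  # ignore "store" / "erase"
    main()
```

Seed the cache file once by passing the JSON from step 3 through parse_token_response, then register the script with `git config credential.helper '!python3 /path/to/helper.py'` (hypothetical path). Clone with a URL that carries no credentials; git asks the helper for them.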
