Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Reposotory token instant leak on clone

Is it possible to do not leak instantly repository access token when cloning repository?

The suggested clone url is:

This leaks completely everywhere, in console, CI configuration (the repo address)

1 answer

1 vote
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Feb 24, 2023

Hi @Mikołaj and welcome to the community!

Even though it is possible to use a repository access token as part of the clone URL, this is something we do not recommend:

This method is useful if the Repository Access Token has been stored securely as a 'secret' variable in a build tool.

If this is not possible with the CI tool you are using, and if you only need to clone and pull from repos (and not push or any other operation), you can consider using SSH Access keys instead:

Access keys provide read-only access to a certain repository and are commonly used in CI tools that need to pull or clone a repository.

If you have any questions, please feel free to let me know.

Kind regards,

I was about to use the repository access token, to allow CI to push build status back to the Bitbucket. But since TeamCity requires username and token to do that (, but username for access token is not available, then I simply abandon this idea.

So in this case, for read-only access, I'll check the ssh access key.

Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Mar 13, 2023

Hi Mikołaj,

Thank you for the update.

If you would like to allow CI to push back to the repository, you could use the username and an app password of an account that has write access to this repo. You can read more app passwords here:

Kind regards,

Unfortunately, app password is bound to the specific user, which should be avoided because CI server is not about users but about projects. What's more, users may change frequently.

The ideal option would be to have an access-key with additional write permissions - like access tokens.

Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Apr 06, 2023

Hello @Mikołaj ,

Bitbucket Cloud offers 3 different scopes of Access Keys: Repository, Project, and Workspace Access keys.

While the repository and project access keys only provide read access, the workspace access keys offer read/write access, so it might be an option to be used on your CI/CD tool in case you need to push back to a repository using the access key.

I've recently authored an article about the Difference between the repository, project and workspace access keys which might be of help :) 

Thank you, @Mikołaj !
Patrik S

I'm aware of this, and it's kind of strange that only workspace key are read/write, but not project and repository (If one would restrict write access to the smallest scope possible instead of giving it for whole workspace)

What's more, project and workspace access keys are not available in standard plan.

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events