bitbucket API v2 /repositories/{username}/{repo_slug}/ permissions problem


I have both buitbucket API v1 and v2 working with plain curl commands, but I run into a user configuration problem.

  • The user I am using has read permissions on the repo
  • the repo is set to private
  • and the oauth consumer has the scope repository.

With API v2

I am getting my access token (using password grant type)

curl -s -X POST -d 'grant_type=password&username=__USERNAME__&password=__PASSWORD__' --user '__USERID__:__KEY__' | jq --raw-output .access_token

I can use this token in other API calls, that return 200 and data. So I have managed to make authentication work.

curl -s -H "Authorization: bearer `curl -s -X POST -d 'grant_type=password&username=__USERNAME__&password=__PASSWORD__' --user '__USERID__:__KEY__' | jq --raw-output .access_token`" | jq .

"next": "",
"page": 1,
"values": [
"description": "",
"is_private": false,


However when I try the same on /repositories/{username}/{repo_slug}/commits/master it fails with 401

curl -s -H "Authorization: bearer `curl -s -X POST -d 'grant_type=password&username=__USERNAME__&password=__PASSWORD__' --user '__USERID__:__KEY__' | jq --raw-output .access_token`" | jq .

So I am wondering what could I be doing wrong here? The only thing I can think of is a configuration on the bitbucket's repo or user, but I am unclear on how to proceed.


With API v1

Accessing the commits with v1 works fine (so I guess permissions are ok?)

curl -s --user __USERID__:__KEY__ "" | jq --raw-output .

but I cannot filter the commits per branch, which makes it very hard to look for a specific branch.

1 answer

1 accepted

2 votes
Accepted answer


Your test of the 2.0 endpoint (using /2.0/repositories/__TEAM__/) is a little deceiving. That endpoint doesn't require authentication at all. If it's called without authentication, or with invalid credentials, it will return public repositories.

In your case, the fix should be simple. The "Bearer" in the Authorization header is case sensitive. Change it from "bearer" to "Bearer" and it will likely work.

All of that said, depending on what you're after, that isn't necessarily required. We have no plans to stop supporting Basic auth for the endpoints. The Basic auth you're using on the v1 api will work fine on a v2 api, and the oauth2 credentials will work on the v1 api. If you're writing a script that has access to your username and password anyway, and have no need to use OAuth for any other reason, feel free to keep using basic auth. It will fail if you use 2FA on your account, but that's true of both Basic auth and the password flow for OAuth2 on Bitbucket.

Indeed, the case sensitive header authentication problem, was masked by a bad test!

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 06, 2018 in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

655 views 5 9
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you