upload artifact to repository download always give 401

repo was on the team, repo are private, team is not private profile. i have tried every way that i could find

+ curl -u "${USERNAME}:${PASSWORD}" -X POST "https://api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}/downloads" -F files=@production.zip -v
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 18.205.93.7...
* Connected to api.bitbucket.org (18.205.93.7) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*      subject: C=US; ST=California; L=San Francisco; O=Atlassian, Inc.; OU=Bitbucket; CN=*.bitbucket.org
*      start date: 2017-06-12 00:00:00 GMT
*      expire date: 2020-06-16 12:00:00 GMT
*      subjectAltName: api.bitbucket.org matched
*      issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*      SSL certificate verify ok.
* Server auth using Basic with user 'pipeline'
> POST /2.0/repositories/co-learningspace/learningcamp/downloads HTTP/1.1
> Authorization: Basic cGlwZWxpbmU6bVdEaHpwaFp2enhTRjROejJ2TmU=
> User-Agent: curl/7.38.0
> Host: api.bitbucket.org
> Accept: */*
> Content-Length: 2115295
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------f98c048cfdcdc11d
> 
< HTTP/1.1 100 Continue
} [data not shown]
< HTTP/1.1 401 Unauthorized
* Server nginx is not blacklisted
< Server: nginx
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Bitbucket.org HTTP"
< Content-Type: text/html; charset=utf-8
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Mon, 03 Sep 2018 10:15:31 GMT
< X-Served-By: app-162
< X-Static-Version: c9cd32908bea
< ETag: "d41d8cd98f00b204e9800998ecf8427e"
< X-Render-Time: 0.0139489173889
< Connection: Keep-Alive
< X-Version: c9cd32908bea
< X-Request-Count: 560
< X-Frame-Options: SAMEORIGIN
< Content-Length: 0
* HTTP error before end of send, stop sending
< 

100 2065k    0     0  100 2065k      0  11.2M --:--:-- --:--:-- --:--:-- 11.2M
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]

+ curl -X POST "https://${BB_AUTH_STRING}@api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}/downloads" -F files=@vendor.zip -v
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 18.205.93.7...

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to api.bitbucket.org (18.205.93.7) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*      subject: C=US; ST=California; L=San Francisco; O=Atlassian, Inc.; OU=Bitbucket; CN=*.bitbucket.org
*      start date: 2017-06-12 00:00:00 GMT
*      expire date: 2020-06-16 12:00:00 GMT
*      subjectAltName: api.bitbucket.org matched
*      issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*      SSL certificate verify ok.
* Server auth using Basic with user 'pipeline'
> POST /2.0/repositories/co-learningspace/learningcamp/downloads HTTP/1.1
> Authorization: Basic cGlwZWxpbmU6bVdEaHpwaFp2enhTRjROejJ2TmU=
> User-Agent: curl/7.38.0
> Host: api.bitbucket.org
> Accept: */*
> Content-Length: 14902725
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=------------------------57b2751f9cfa77bb
> 
< HTTP/1.1 100 Continue
} [data not shown]
< HTTP/1.1 401 Unauthorized
* Server nginx is not blacklisted
< Server: nginx
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Bitbucket.org HTTP"
< Content-Type: text/html; charset=utf-8
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Mon, 03 Sep 2018 10:15:31 GMT
< X-Served-By: app-161
< X-Static-Version: c9cd32908bea
< ETag: "d41d8cd98f00b204e9800998ecf8427e"
< X-Render-Time: 0.0169620513916
< Connection: Keep-Alive
< X-Version: c9cd32908bea
< X-Request-Count: 358
< X-Frame-Options: SAMEORIGIN
< Content-Length: 0
* HTTP error before end of send, stop sending
< 

100 14.2M    0     0  100 14.2M      0  37.6M --:--:-- --:--:-- --:--:-- 37.5M
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
Searching for test report files in directories named [test-results, failsafe-reports, test-reports, surefire-reports] down to a depth of 4
Finished scanning for test reports. Found 0 test report files.
Merged test suites, total number tests is 0, with 0 failures and 0 errors.