New app! API Token Authentication for Bitbucket (Server and Data Center)

We are happy to announce that we have just released a new member of the API Token Authentication family! You can now enjoy advanced API token management in Bitbucket Server and Data Center as well.

But I thought that Bitbucket already had personal access tokens!

Yes, indeed. Bitbucket ships with personal access tokens so that users can leverage secure access to the Bitbucket REST API.

If you’re used to Bitbucket’s personal access tokens, jumping onto API Token Auth will be quite transparent, because there are important similarities.

Similarities between Bitbucket personal access tokens and resolution’s API tokens for Bitbucket

Similarity 1: Tokens can do what the user can do

A token can be used to interact with the API with the same permissions that the user has.

For example, if the user Mary Smith can fork a repository in project A but not in project B, a token for Mary can be used to fork a repository in project A, but not in project B.

Similarity 2: Token scopes

On top of the user permissions, you have the option to restrict what a token can do even further.

Here’s where the approach differs a bit.

  • With resolution’s API Token Authenticator for Bitbucket, you can define two types of scopes:
    • Read only permits GET, HEAD and OPTIONS requests
    • Read/write also permits PUT, POST, DELETE

Differences between Bitbucket personal access tokens and resolution’s API tokens for Bitbucket

Beyond the similarities, there are some major differences that can improve the security of Bitbucket and give administrators more options to control who has the rights to connect to the API, and for doing what.

Difference 1: permissions to use and create tokens (also for other users)

In Bitbucket, every user can create tokens for themselves, and admins can revoke tokens. Period.

With the API Token Auth permissions, on top of the same base functionality you can decide which groups get to:

  • Use tokens
  • Create tokens
  • Create tokens on behalf of other users (and revoke other users’ tokens).

Bonus Trick: You can also restrict who gets to create read & write tokens with the options above.

Difference 2: Advanced system settings

As with the above, the older brothers of API Token Authenticator for Bitbucket already contained interesting restrictions that give additional security:

  • Restrict API Tokens so they are only accepted if coming from specific IP addresses and ranges. This can be used to whitelist connections from authorized cloud vendors like Salesforce and from your own servers.
  • When running Bitbucket behind a reverse proxy, admins can adjust the app config so that the client IP address making a request with an API Token is read from a different header. This makes it possible for IP address restrictions to work as intended in that setting too.
  • Disable password authentication. If you want your users to stop using their passwords to access the API, this is a good one!
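
How scope and IP restrictions combine behind a reverse proxy can be sketched as follows. This is an added example, not resolution's code or configuration: the function names, the `X-Forwarded-For` header choice, the scope strings and the sample addresses are assumptions. The forwarded header is only honoured when the direct peer is a known proxy, otherwise any client could set it and bypass the allowlist.

```python
import ipaddress

READ_METHODS = {"GET", "HEAD", "OPTIONS"}      # read-only scope (from the article)
WRITE_METHODS = {"PUT", "POST", "DELETE"}      # added by the read/write scope

def _in_any(addr, ranges):
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def client_ip(peer_ip, headers, trusted_proxies, header="X-Forwarded-For"):
    """Resolve the address to test against the allowlist, or None to fail closed."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, trusted_proxies):
        return peer                    # direct connection: header is client-controlled
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):         # right-most entries were appended by our proxies
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                # malformed hop: reject rather than guess
        if not _in_any(addr, trusted_proxies):
            return addr
    return None                        # proxy sent no usable client address

def token_request_allowed(scope, method, peer_ip, headers,
                          allowed_ranges, trusted_proxies):
    """Apply the token scope first, then the IP allowlist."""
    if scope == "read-only":
        permitted = READ_METHODS
    elif scope == "read/write":
        permitted = READ_METHODS | WRITE_METHODS
    else:
        return False                   # unknown scope string
    if method.upper() not in permitted:
        return False
    addr = client_ip(peer_ip, headers, trusted_proxies)
    return addr is not None and _in_any(addr, allowed_ranges)

# Constructed sample policy using documentation address ranges (assumptions)
ALLOWED = ["203.0.113.0/24"]
PROXIES = ["10.0.0.5/32"]
```
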

What’s coming next?

With this launch, API Token Authentication for Bitbucket has a complete set of functionality that we won’t expand in the short term.

But this can change: we’re always listening to our customers’ requirements.

What other features would you like to see?

We are highly responsive to the feature requests of our customers. Starting with SAML SSO, those feature requests have been the foundation to build our enterprise user management apps into the market leaders they currently are.

 

Start your evaluation

Start your evaluation of API Token Authentication for Bitbucket now from the Atlassian Marketplace

1 comment

Mohammed Amine Community Leader Jun 10, 2021

Interesting content

TAGS
Community showcase
Published in Apps & Integrations
