This guide covers how to authenticate the bb CLI with Bitbucket Cloud.
The bb CLI supports two authentication methods:
| Method | Best For | Setup Complexity |
|---|---|---|
| OAuth 2.0 | Interactive use, full API access | Medium (one-time setup) |
| Repository Access Token | CI/CD, scripts, single repo access | Easy |
Important: Bitbucket has deprecated App Passwords. Use OAuth or Repository Access Tokens instead.
# 1. Set up OAuth consumer (one-time, see detailed instructions below)
export BB_OAUTH_CLIENT_ID="your_client_id"
export BB_OAUTH_CLIENT_SECRET="your_client_secret"
# 2. Login
bb auth loginecho "$BITBUCKET_TOKEN" | bb auth login --with-tokenOAuth is the recommended method for interactive use. It requires a one-time setup of an "OAuth consumer" in Bitbucket.
-
Go to your Workspace Settings:
https://bitbucket.org/YOUR_WORKSPACE/workspace/settings/oauth-consumers -
Click "Add consumer"
-
Configure the consumer:
- Name:
bb CLI(or any descriptive name) - Callback URL:
http://localhost:8372/callback - This is a private consumer: ✓ Check this box
- Name:
-
Select Permissions based on what you need:
Permission Commands Account: Read bb auth status, user infoRepositories: Read bb repo list,bb repo view,bb repo cloneRepositories: Write bb repo create,bb repo forkRepositories: Admin bb repo deletePull requests: Read bb pr list,bb pr view,bb pr diffPull requests: Write bb pr create,bb pr merge,bb pr reviewIssues: Read bb issue list,bb issue viewIssues: Write bb issue create,bb issue closePipelines: Read bb pipeline list,bb pipeline view,bb pipeline logsPipelines: Write bb pipeline run,bb pipeline stopSnippets: Read bb snippet list,bb snippet viewSnippets: Write bb snippet create,bb snippet delete -
Click "Save"
-
Copy the Key (Client ID) and Secret (Client Secret) shown
Add to your shell profile (~/.bashrc, ~/.zshrc, ~/.config/fish/config.fish):
export BB_OAUTH_CLIENT_ID="your_key_here"
export BB_OAUTH_CLIENT_SECRET="your_secret_here"Reload your shell:
source ~/.zshrc # or ~/.bashrcbb auth loginThis will:
- Open your browser to Bitbucket's authorization page
- Ask you to grant permissions
- Redirect back to complete authentication
- Store tokens securely
bb auth statusOAuth tokens expire (typically after 2 hours). The CLI automatically refreshes them using the stored refresh token. If refresh fails, re-run bb auth login.
Repository Access Tokens are scoped to a single repository, making them ideal for CI/CD pipelines.
-
Go to your repository:
https://bitbucket.org/WORKSPACE/REPO/admin/access-tokens -
Click "Create Repository Access Token"
-
Configure:
- Name: Descriptive name (e.g.,
ci-pipeline) - Scopes: Select required permissions
- Name: Descriptive name (e.g.,
-
Click "Create" and copy the token immediately
# Interactive
bb auth login --with-token
# Paste your token when prompted
# Non-interactive (CI/CD)
echo "$BITBUCKET_TOKEN" | bb auth login --with-token
# Or use environment variable directly (no login needed)
export BB_TOKEN="your_repository_access_token"
bb pr list| OS | Primary Storage | Fallback |
|---|---|---|
| macOS | Keychain | ~/.config/bb/hosts.yml |
| Linux | Secret Service (GNOME Keyring, KWallet) | ~/.config/bb/hosts.yml |
| Windows | Credential Manager | %APPDATA%\bb\hosts.yml |
bitbucket.org:
user: yourname
oauth_token: <stored securely>The CLI sets restrictive permissions (0600) on the credentials file.
| Variable | Description |
|---|---|
BB_TOKEN |
Access token (highest priority) |
BITBUCKET_TOKEN |
Alternative token variable |
BB_OAUTH_CLIENT_ID |
OAuth consumer key |
BB_OAUTH_CLIENT_SECRET |
OAuth consumer secret |
BB_TOKENenvironment variableBITBUCKET_TOKENenvironment variable- Stored OAuth token (from
bb auth login)
jobs:
bitbucket-sync:
runs-on: ubuntu-latest
steps:
- name: Install bb CLI
run: go install github.com/rbansal42/bitbucket-cli/cmd/bb@latest
- name: Authenticate
run: echo "${{ secrets.BITBUCKET_TOKEN }}" | bb auth login --with-token
- name: List PRs
run: bb pr list --repo myworkspace/myrepopipelines:
default:
- step:
script:
- go install github.com/rbansal42/bitbucket-cli/cmd/bb@latest
- export BB_TOKEN=$REPOSITORY_ACCESS_TOKEN
- bb pipeline listbitbucket-integration:
script:
- go install github.com/rbansal42/bitbucket-cli/cmd/bb@latest
- echo "$BITBUCKET_TOKEN" | bb auth login --with-token
- bb pr create --title "Sync from GitLab"You haven't set up the OAuth consumer environment variables:
export BB_OAUTH_CLIENT_ID="your_key"
export BB_OAUTH_CLIENT_SECRET="your_secret"See Step 1: Create an OAuth Consumer.
- Token may have expired
- Token doesn't have required permissions
- Try re-authenticating:
bb auth login
You denied the permission request in the browser. Run bb auth login again and click "Grant access".
- Token is invalid or expired
- Re-authenticate:
bb auth logout && bb auth login
- Token doesn't have required permissions
- Check OAuth consumer permissions or create a new token with correct scopes
Remove stored credentials:
bb auth logout- Use OAuth for interactive sessions
- Use Repository Access Tokens (scoped to one repo) for CI/CD
- Store tokens in CI/CD secret management (not in code)
- Rotate tokens periodically
- Use minimal permissions for your use case
- Don't commit tokens to version control
- Don't share tokens between users or systems
- Don't use overly broad permissions
- Don't store tokens in shell history