Add branch restriction via REST API


BItbucket 5.13.4

We are trying to use the restrictions REST Api

We want to add/remove Repository Branch Restrictions via REST.

We are using a user with SYS_ADMIN permission and we are able to remove a restriction from a repo but we are not able to add a restriction via REST, we always receive a 401 error with the message
“You are not permitted to access this resource”.

The same user is able to add/remove restrictions via the Bitbucket GUI.

Any idea on what could be the problem would be greatly appreciated!

Thanks in advance,

Hi @computerpraxis,

Can you please show us the request you’re making? I believe that the GUI uses the public REST API so it seems unlikely that there is a bug - perhaps our REST API documentation is wrong, or there is a problem with your request. Knowing exactly what you tried would help us narrow that down.

Developer on Bitbucket Server

Hi Kristy!

Thanx for Your reply!


This is the reply
statuscode 401
message: You are not permitted to access this resource
exceptionName: com.atlassian.bitbucket.AuthorisationException



Using the Chrome Developer Tools I see a different JSON payload being sent when adding a branch restriction via the GUI:


So maybe there is aa problem with the docu ?


Ah, it seems that the GUI uses the bulk interface instead.

I tried your Json payload on 5.13.4 and it seems to work fine:

> curl -v 'http://localhost:7990/bitbucket/rest/branch-permissions/latest/projects/PROJECT_1/repos/rep_1/restrictions'  -u admin:admin -H 'Content-Type: application/json' -d '{"type":"read-o
*   Trying ::1...
* Connected to localhost (::1) port 7990 (#0)
* Server auth using Basic with user 'admin'
> POST /bitbucket/rest/branch-permissions/latest/projects/PROJECT_1/repos/rep_1/restrictions HTTP/1.1
> Host: localhost:7990
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 153
* upload completely sent off: 153 out of 153 bytes
< HTTP/1.1 200
< X-AREQUESTID: @MKAMO2x886x91x0
< X-AUSERNAME: admin
< Cache-Control: no-cache, no-transform
< Vary: X-AUSERNAME,Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: application/json;charset=UTF-8
< X-Content-Type-Options: nosniff
< Date: Thu, 22 Apr 2021 04:46:31 GMT
* Connection #0 to host localhost left intact

Maybe there is something wrong with the authentication you’re using?

  • Are you using basic or bearer authentication?
  • Are you using a personal access token or the user’s password?
  • If you’re using a personal access token, what permission is it scoped to?
  • Do you have basic authentication disabled?


Thanks for Your investigations!

I found out, that the Url for the REST Call was missing “stash”.
After adding that to the Url, adding a branch permission/restriction worked fine.

Interestingly, the removal of a branch permission/restriction worked fine before, WITHOUT having “stash” in the Url …

Everything works now.

Thanks & Regards,