Bitbucket Connect without predefined oauth consumer

Hi all,

I’m wanting to develop a Bitbucket Cloud app that would theoretically get added to the marketplace in time. So the concept of having to ask every user to create their own OAuth consumer before the app can be installed seems like an odd step.

Is there something which can be added to the atlassian-connect.json which will prompt Bitbucket to ask if the user is willing to install the integration and then generate the OAuth key?

It seems odd that the connect boilerplate expects a hardcoded OAuth consumer (and login details in plaintext) for an instance; surely I’m missing something.



Adding an OAuth consumer is needed for development. See this page on how you can set up a button on your site that handles the consumer for your users on installation. All they need to do is approve the permissions you’re requesting of them.

Additionally, the Marketplace also handles this for you.

You’re providing the credentials and OAuth consumer because the boilerplate is registering your app on start-up to make the development experience easier than uninstalling/reinstalling all the time. The boilerplate is handling going to <yourusername>/addon-management and submitting the descriptor URL for you. You would not publish the credentials.json to your production system.

Hope that helps.

You actually don’t need an OAuth consumer for Bitbucket Cloud at all. In fact, the preferred way is to not create and specify one in the descriptor.

Instead, make sure your descriptor uses “jwt” as the value for the authentication field. Then head over to your profile page’s “Integrations” -> “Manage apps” -> “Create app” and provide the URL of your descriptor to register the app in Bitbucket Cloud (this step is slightly different from our other products, as Bitbucket Cloud is not yet fully integrated with the Marketplace and the platform).

The registration of your app also generates a shared key and secret. This is used to JWT-sign any requests you’ll be making to the Bitbucket API from your app’s backend. We also use it to JWT-sign any requests we send your way (such as iframes).

You won’t be needing to use OAuth directly and you won’t be creating an OAuth consumer.

Once registered, you can get users to install your addon by sending them to <descriptor_uri>&redirect_uri=<redirect_uri> as per

During the installation, the user will be asked to authorize your app and is presented with the auth scopes listed in your descriptor (JWT tokens use the same auth scopes as OAuth tokens).

When you access the Bitbucket API in JS in your app’s iframes (using AP.request()), those requests authenticate as the end user. API calls that you make from your backend (signed with the JWT secret) authenticate as the account the app was installed into.

Hope this helps.
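The JWT signing and verification described in the answer above, as an added example that is not part of the original post and not Atlassian's code. It uses only Node's `crypto` module; the `qsh` claim and the `iss`/`sub` layout follow the Atlassian Connect JWT scheme and are assumptions not stated in this thread, and the secret, app key and URLs are constructed.

```javascript
// Added example: HS256 JWT with a shared secret, bound to one request via qsh.
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
// RFC 3986 percent-encoding (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Query string hash: SHA-256 over METHOD&path&sorted-query, ignoring the jwt param.
function qsh(method, url) {
  const u = new URL(url, 'https://placeholder.invalid'); // base only used to parse
  const params = Object.create(null);
  for (const [k, v] of u.searchParams) {
    if (k !== 'jwt') (params[enc(k)] = params[enc(k)] || []).push(enc(v));
  }
  const query = Object.keys(params).sort()
    .map((k) => `${k}=${params[k].sort().join(',')}`).join('&');
  const canonical = [method.toUpperCase(), u.pathname, query].join('&');
  return crypto.createHash('sha256').update(canonical).digest('hex');
}

const hmac = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest();

function signJwt(claims, secret) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  return `${head}.${body}.${b64u(hmac(secret, `${head}.${body}`))}`;
}

// Returns the claims or throws. The algorithm is pinned to HS256, so a token
// declaring "alg":"none" (or any other algorithm) is rejected before use.
function verifyJwt(token, secret, method, url, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.qsh !== qsh(method, url)) throw new Error('qsh mismatch');
  return claims;
}
```

Keep `exp` short (minutes, not hours) and compute `qsh` from the request actually received, so a captured token cannot be replayed against a different endpoint.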

If that is the case, what is the purpose of exchanging the JWT to an access token documented here?