You actually don’t need an OAuth consumer for Bitbucket Cloud at all. In fact, the preferred way is to not create and specify one in the descriptor.
Instead, make sure your descriptor uses “jwt” as the value for the authentication field (https://developer.atlassian.com/cloud/bitbucket/authentication-for-apps/). Then head over to you profile page’s “Integrations” -> “Manage apps” -> “Create app” and provide the URL of your descriptor to register the app in Bitbucket Cloud (this step is slight different from our other products, as Bitbucket Cloud is not yet fully integrated with the Marketplace and the developer.atlassian.com platform.
The registration of your app also generates a shared key and secret. This is used to JWT-sign any requests you’ll be making to the Bitbucket API from your app’s backend. We also use it to JWT-sign any requests we send your way (such as iframes).
You won’t be needing to use OAuth directly and you won’t be creating an OAuth consumer.
Once registered, you can get users to install your addon by sending them to https://bitbucket.org/site/addons/authorize?descriptor_uri=<descriptor_uri>&redirect_uri=<redirect_uri> as per https://developer.atlassian.com/cloud/bitbucket/install-an-app-from-your-site/
During the installation, the user will be asked to authorize your app and is presented with the auth scopes listed in your descriptor (JWT tokens use the same auth scopes as OAuth tokens).
When you access the Bitbucket API in JS in your app’s iframes (using
AP.request() as per https://developer.atlassian.com/cloud/bitbucket/jsapi/request/), those requests authenticate as the end user. API calls that you make from your backend (signed with the JWT secret as per https://developer.atlassian.com/cloud/bitbucket/understanding-jwt-for-apps/) authenticate as the account the app was installed into.
Hope this helps.