Branch-restriction management via api (2.0)

I am trying to make a shell script to make it really easy to lock a branch in a git repository - ie so that only administrators can push/merge.

I am using basic auth with curl -u ‘user:pass’ like this:

curl -i -g -u "$bbUser":"$bbPass" -H "Content-Type: application/json" "" -X POST --data "$requestJson"

By trial and error I found the minimal json to send which looks like the following:

  "kind": "restrict_merges",
  "pattern": "develop",
  "groups": [
          "owner": {
            "username": "groupname"
          "slug": "developers"

This seems to work well enough.

The problem is that we always have restrictions on certain branches and sometimes we just want to change the restrictions temporarily. I expected to be able to do this with the same curl line as above except changing the verb from POST to PUT. This doesn’t work, however. I get the following somewhat strange error (given the circumstances):

403 Forbidden
This endpoint does not support token-based authentication

I figured perhaps I could use the DELETE verb to remove any existing restrictions before POST’ing the one I want - but I can’t find any way to do that either.

What is going on? How do I accomplish what I want?