OAuth 2.0 and API authentication changes for Bitbucket Cloud

In an effort to continue improving the security of Bitbucket Cloud, and to support long-term performance and scalability, we’re making a set of OAuth and token-authentication updates. These changes align our implementation more closely with OAuth 2.0 specifications, eliminate insecure patterns, and streamline our backend architecture for better reliability.

Enforcement of these updates begins on May 4th, 2026. If your integration relies on any of the deprecated behaviors listed below, please update it before May 4th, 2026. After the cutoff, requests using deprecated authentication patterns will no longer be accepted.

Changes to OAuth 2.0

  • Changes to the client credentials grant flow

    • Client credentials grants will no longer issue refresh tokens; existing refresh tokens issued by this flow will expire or will no longer be returned.

    • Client credentials access from OAuth consumers owned by personal workspaces will only have access to data residing in the owning workspace.

    • Client credentials grants will authenticate as an app_user.

  • Changes to refresh tokens grant flow

    • Consumers must support rotating refresh tokens; each use of a refresh token will generate a new refresh token.

    • Unused refresh tokens will expire after 3 months, requiring full 3LO re-authorization.

  • Other changes to OAuth 2.0

    • OAuth token response payloads will return “scope” instead of “scopes”.

    • OAuth access tokens can no longer be provided via query parameters or POST body. They must be sent exclusively in the Authorization header as a Bearer token.
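The following is an added example, not Bitbucket's code or SDK, showing what a consumer has to do to stay compatible with the refresh-token and bearer-token changes above: persist the rotated refresh token after every refresh, treat a rejected refresh as the signal for a full 3LO re-authorization, read `scope` from the token response (accepting `scopes` only for pre-cutoff responses), and send the access token in the `Authorization` header only. It runs offline against a small in-memory fake of the token and API endpoints; the URLs, the consumer key/secret and the `FakeAuthServer` class are constructed for the example and are not Bitbucket endpoints or behaviour beyond what is described on this page.

```python
import json
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Injected HTTP transport: (method, url, headers, body) -> (status, body).
# Lets the example run offline; in a real integration wrap requests or urllib here.
Http = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

TOKEN_URL = "https://example.invalid/oauth2/token"  # placeholder, not Bitbucket's endpoint
API_URL = "https://example.invalid/api/me"          # placeholder resource, constructed


class OAuthClient:
    """Holds the current token pair and refreshes with rotating refresh tokens."""

    def __init__(self, http: Http, client_id: str, client_secret: str,
                 refresh_token: str, access_token: str = "") -> None:
        self.http, self.client_id, self.client_secret = http, client_id, client_secret
        self.refresh_token, self.access_token, self.scope = refresh_token, access_token, ""

    def refresh(self) -> None:
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id, "client_secret": self.client_secret}
        status, raw = self.http("POST", TOKEN_URL,
                                {"Content-Type": "application/x-www-form-urlencoded"},
                                urlencode(form).encode())
        if status != 200:
            # An expired (3 months unused) or already-used refresh token cannot be
            # recovered from here; the user must go through 3LO authorization again.
            raise PermissionError("refresh rejected; full 3LO re-authorization required")
        payload = json.loads(raw)
        self.access_token = payload["access_token"]
        # Rotation: the refresh token just used is now dead, so persist the new one at once.
        self.refresh_token = payload["refresh_token"]
        # Post-cutoff responses carry "scope"; "scopes" is accepted only for older responses.
        self.scope = payload.get("scope", payload.get("scopes", ""))

    def get(self, url: str) -> Tuple[int, bytes]:
        """GET with the token only in the Authorization header; refresh once on 401."""
        headers = {"Authorization": f"Bearer {self.access_token}"}
        status, body = self.http("GET", url, headers, None)
        if status == 401:
            self.refresh()
            headers["Authorization"] = f"Bearer {self.access_token}"
            status, body = self.http("GET", url, headers, None)
        return status, body


class FakeAuthServer:
    """Constructed stand-in for the token and resource endpoints (not Bitbucket)."""

    def __init__(self) -> None:
        self.client_id, self.client_secret = "consumer-key", "consumer-secret"
        self.live_refresh: set = set()
        self.live_access: set = set()

    def issue(self) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.live_access.add(access)
        self.live_refresh.add(refresh)
        return access, refresh

    def handle(self, method: str, url: str, headers: Dict[str, str],
               body: Optional[bytes]) -> Tuple[int, bytes]:
        parts = urlsplit(url)
        if method == "POST" and url == TOKEN_URL:
            form = {k: v[0] for k, v in parse_qs((body or b"").decode()).items()}
            if form.get("grant_type") != "refresh_token" or \
                    form.get("client_secret") != self.client_secret:
                return 400, b'{"error":"invalid_client"}'
            old = form.get("refresh_token", "")
            if old not in self.live_refresh:
                return 400, b'{"error":"invalid_grant"}'
            self.live_refresh.discard(old)  # each refresh token is single-use
            access, refresh = self.issue()
            return 200, json.dumps({"access_token": access, "refresh_token": refresh,
                                    "token_type": "bearer", "scope": "repository"}).encode()
        if method == "GET" and parts.path == urlsplit(API_URL).path:
            if "access_token" in parse_qs(parts.query):
                return 401, b'{"error":"access token in query string is not accepted"}'
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            return (200, b'{"username":"example"}') if token in self.live_access \
                else (401, b'{"error":"unauthorized"}')
        return 404, b""


def demo() -> dict:
    """Walk through refresh-on-401, rotation, reuse rejection and the query-string ban."""
    server = FakeAuthServer()
    _, first_refresh = server.issue()  # pretend 3LO already happened; access token not kept
    client = OAuthClient(server.handle, server.client_id, server.client_secret, first_refresh)
    status, _ = client.get(API_URL)  # empty bearer -> 401 -> refresh -> retry succeeds
    query_status, _ = server.handle("GET", f"{API_URL}?access_token={client.access_token}", {}, None)
    stale = OAuthClient(server.handle, server.client_id, server.client_secret, first_refresh)
    try:
        stale.refresh()
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    return {"status": status, "rotated": client.refresh_token != first_refresh,
            "scope": client.scope, "query_status": query_status,
            "reuse_rejected": reuse_rejected}


if __name__ == "__main__":
    print(demo())
```

The point to carry over into a real integration is the write ordering in `refresh()`: the new refresh token must be persisted before anything else happens, because the one just sent is invalid as soon as the server answers, and a crash between the response and the write leaves the consumer with nothing but a full 3LO re-authorization.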

Changes to authorization

For full details, see the announcement or contact support. We know changes like these require effort, and we’re here to support you. If you have questions, run into issues, or need guidance, please reach out to Bitbucket support or leave a comment below.