Security in the developer ecosystem is constantly evolving, and we’re committed to ensuring Bitbucket Cloud continues to provide safe, modern, and reliable authentication. Earlier this year, we announced the start of our deprecation of app passwords in favor of API tokens. Now, we’re entering Phase 2 of that transition.
What’s changing in Phase 2
Beginning September 9, 2025, Bitbucket Cloud will no longer allow the creation of new app passwords.
- Existing app passwords will remain valid during this phase, so your current integrations will not be interrupted.
- New integrations, however, will need to use API tokens with scopes, which are now the standard for authentication.
- Customers will be routed to create API tokens from this date forward and will be encouraged to adopt API tokens for their integrations during this phase.
This phase ensures that all new integrations are built on a modern, secure foundation while giving you plenty of time to transition existing setups.
Why API tokens?
App passwords have served as a reliable authentication method, but API tokens offer enhanced security and greater control for all users:
- Expiration control: API tokens can be set to expire after a defined period, reducing the risk of long-term exposure if a token is compromised.
- Centralized management: API tokens are managed through a centralized system, enabling easier oversight, revocation, and control. For managed accounts within a claimed domain, Org Admins gain visibility into API token usage and the ability to revoke tokens as needed.
- Modern scopes: API tokens support modern identity scopes, which are more secure and flexible than the classic scopes used by app passwords.
Transitioning to API tokens ensures a more secure and consistent authentication experience for all Bitbucket Cloud users.
What this means for you
- If you rely on existing app passwords: They’ll continue to work until June 9, 2026. However, we recommend updating your integrations sooner rather than later.
- If you’re creating new integrations: You’ll need to use an API token starting September 9, 2025.
- If you’re an admin: Encourage your teams to begin migrating now. This will help avoid any last-minute disruptions when Phase 3 arrives.
Looking ahead to phase 3
The final phase will take place on June 9, 2026, when all remaining app passwords will be permanently disabled. At that point, only API tokens will work for Bitbucket Cloud authentication.
How to get started
You can start using API tokens for scripting, CI/CD tools, or testing Bitbucket-connected applications. Follow these steps:
- From the top navigation bar, select Settings > Atlassian account settings > Security.
- Choose Create and manage API tokens > Create API token with scopes.
- Name the token, set an expiry date, and select Bitbucket as the app.
- Assign necessary permissions (see Bitbucket API token permissions for details).
- Create the token, copy it, and paste it into your application. Note: The token is displayed only once.
Learn more in our support documentation.
Stay connected
We’ll continue to provide reminders, detailed guidance, and community support throughout this process. If you have any questions or need support, visit our community page to ask questions, share insights, and get assistance throughout this process.