Summary

Update for Bitbucket API tokens.

Review Request #14809 — Created Feb. 10, 2026 and submitted Feb. 12, 2026, 7:31 a.m.

Information

Owner

david

Repository

Review Board

Branch

release-7.1.x

Bugs

5058

Depends On

Reviewers

Groups

reviewboard

People

Description

Bitbucket is shifting away from app passwords towards the new Atlassian
API tokens. It's already impossible to create new passwords, and they
will stop working in June of this year.

API tokens work very similar to app passwords (both are fundamentally
just HTTP Basic auth), but there are two changes necessary:

Usernames are now e-mail addresses (where before they were explicitly
not e-mail addresses).
API tokens only work with the https://api.bitbucket.org/ endpoint, and
not the https://bitbucket.org/api/ endpoint.

This change fixes up our form and API URL to handle this. Docs have been
updated, along with a big notice at the top.

I've also snuck in a fix for the GitHub PAT instructions to open the
link in a new tab.

Testing Done


Added a new Bitbucket account using API tokens and verified that API

  calls worked as expected.
Ran unit tests.
Built the user manual.

Commits

Summary	ID
Update for Bitbucket API tokens. Bitbucket is shifting away from app passwords towards the new Atlassian API tokens. It's already impossible to create new passwords, and they will stop working in June of this year. API tokens work very similar to app passwords (both are fundamentally just HTTP Basic auth), but there are two changes necessary: - Usernames are now e-mail addresses (where before they were explicitly not e-mail addresses). - API tokens only work with the https://api.bitbucket.org/ endpoint, and not the https://bitbucket.org/api/ endpoint. This change fixes up our form and API URL to handle this. Docs have been updated, along with a big notice at the top. I've also snuck in a fix for the GitHub PAT instructions to open the link in a new tab. Testing Done: - Added a new Bitbucket account using API tokens and verified that API calls worked as expected. - Ran unit tests. - Built the user manual.	wtlxzsuwpqvyvnupkxlrpxlvrnykouws

Summary

Update for Bitbucket API tokens.

Bitbucket is shifting away from app passwords towards the new Atlassian API tokens. It's already impossible to create new passwords, and they will stop working in June of this year. API tokens work very similar to app passwords (both are fundamentally just HTTP Basic auth), but there are two changes necessary: - Usernames are now e-mail addresses (where before they were explicitly *not* e-mail addresses). - API tokens only work with the https://api.bitbucket.org/ endpoint, and not the https://bitbucket.org/api/ endpoint. This change fixes up our form and API URL to handle this. Docs have been updated, along with a big notice at the top. I've also snuck in a fix for the GitHub PAT instructions to open the link in a new tab. Testing Done: - Added a new Bitbucket account using API tokens and verified that API calls worked as expected. - Ran unit tests. - Built the user manual.

wtlxzsuwpqvyvnupkxlrpxlvrnykouws

Issues

Description	From	Last Updated
How does this affect existing setups? We don't want to immediately break users after upgrade.	chipx86	Feb. 11, 2026, 10:26 a.m.
We should mention which releases support this.	chipx86	Feb. 11, 2026, 10:27 a.m.
Instead of saying all of this information directly in the help text, should we link to the docs above instead? …	maubin	Feb. 11, 2026, 10:32 a.m.

flake8 passed.

JSHint passed.

reviewboard/hostingsvcs/bitbucket.py (Diff revision 1)

The issue has been dropped. Show all issues

Instead of saying all of this information directly in the help text, should we link to the docs above instead? That way if anything ever changes, like the URLs for example, then we can deploy new docs and this help text will still be correct. But if we put the info here directly, the help text will be wrong until we do the next Review Board release.

david Feb. 11, 2026, 10:33 a.m.

We can't be prescient here--I think we're probably okay for a while, but theoretical future changes on Bitbucket's end may affect only docs or may affect our implementation (like this one did). Given that it's probably equally likely either way, I'd prefer to let people click a single link here to get where they need to go, instead of needing to click through to our docs and then read more before clicking other links. The likelihood of people actually reading anything is already low, and reading multiple things is almost zero.

maubin Feb. 11, 2026, 8:46 p.m.
```
Good point.
```

The issue has been dropped. Show all issues

How does this affect existing setups? We don't want to immediately break users after upgrade.

david Feb. 11, 2026, 10:33 a.m.

Existing repos with app passwords should continue to work until June.

docs/manual/admin/configuration/repositories/bitbucket.rst (Diff revision 1)

The issue has been resolved. Show all issues

We should mention which releases support this.

Change Summary:


Add version note to the docs.
Open links from the help text in a new tab (and include a similar fix for the github help text)

Description:

		Bitbucket is shifting away from app passwords towards the new Atlassian
		API tokens. It's already impossible to create new passwords, and they
		will stop working in June of this year.

		API tokens work very similar to app passwords (both are fundamentally
		just HTTP Basic auth), but there are two changes necessary:

		Usernames are now e-mail addresses (where before they were explicitly not e-mail addresses).
		API tokens only work with the https://api.bitbucket.org/ endpoint, and not the https://bitbucket.org/api/ endpoint.

		This change fixes up our form and API URL to handle this. Docs have been
		updated, along with a big notice at the top.
	+
	+	I've also snuck in a fix for the GitHub PAT instructions to open the
	+	link in a new tab.

Commits:

	Summary	ID
	Update for Bitbucket API tokens. Bitbucket is shifting away from app passwords towards the new Atlassian API tokens. It's already impossible to create new passwords, and they will stop working in June of this year. API tokens work very similar to app passwords (both are fundamentally just HTTP Basic auth), but there are two changes necessary: - Usernames are now e-mail addresses (where before they were explicitly not e-mail addresses). - API tokens only work with the https://api.bitbucket.org/ endpoint, and not the https://bitbucket.org/api/ endpoint. This change fixes up our form and API URL to handle this. Docs have been updated, along with a big notice at the top. Testing Done: - Added a new Bitbucket account using API tokens and verified that API calls worked as expected. - Ran unit tests. - Built the user manual.	wtlxzsuwpqvyvnupkxlrpxlvrnykouws
	Update for Bitbucket API tokens. Bitbucket is shifting away from app passwords towards the new Atlassian API tokens. It's already impossible to create new passwords, and they will stop working in June of this year. API tokens work very similar to app passwords (both are fundamentally just HTTP Basic auth), but there are two changes necessary: - Usernames are now e-mail addresses (where before they were explicitly not e-mail addresses). - API tokens only work with the https://api.bitbucket.org/ endpoint, and not the https://bitbucket.org/api/ endpoint. This change fixes up our form and API URL to handle this. Docs have been updated, along with a big notice at the top. I've also snuck in a fix for the GitHub PAT instructions to open the link in a new tab. Testing Done: - Added a new Bitbucket account using API tokens and verified that API calls worked as expected. - Ran unit tests. - Built the user manual.	wtlxzsuwpqvyvnupkxlrpxlvrnykouws

Diff:

Revision 2 (+178 -250)

Show changes

	docs/manual/admin/configuration/repositories/bitbucket.rst
	reviewboard/hostingsvcs/bitbucket.py
	reviewboard/hostingsvcs/github.py
	reviewboard/hostingsvcs/tests/test_bitbucket.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Bugs:: 5058

Ship it!

Status:: Completed
Change Summary:: Pushed to release-7.1.x (2cf1f9c)