When you authenticate with an API token, you choose which scopes the token
grants. This page maps every bb command to the minimum scope required to run
it, so you can mint a token with exactly the permissions a workflow needs and
nothing more.
Bitbucket Cloud API token scopes follow the format `<action>:<resource>:bitbucket`.
The CLI uses these scopes:
| Scope | Grants |
|---|---|
| `read:user:bitbucket` | Read your own user profile (required by `bb auth status`, used to verify any login) |
| `read:repository:bitbucket` | List and view repositories, commits, and commit build statuses; list default reviewers |
| `write:repository:bitbucket` | Create repositories, manage default reviewers, set commit build statuses |
| `admin:repository:bitbucket` | Delete repositories |
| `read:pullrequest:bitbucket` | List, view, and diff pull requests; read comments, activity, checks, and reviewers |
| `write:pullrequest:bitbucket` | Create, edit, approve, decline, merge, and mark PRs ready; add/edit/delete comments; add/remove reviewers |
| `read:pipeline:bitbucket` | List and view pipelines and their steps, read step logs |
| `write:pipeline:bitbucket` | Trigger and stop pipelines |
| `read:issue:bitbucket` | List and view issues |
| `write:issue:bitbucket` | Create, edit, comment on, and close issues |
| `read:workspace:bitbucket` | List and view workspaces |
| `read:project:bitbucket` | List and view projects |
| `admin:project:bitbucket` | Create projects |
| `read:snippet:bitbucket` | List and view snippets |
| `write:snippet:bitbucket` | Create, edit, and delete snippets |
| Command | Required scopes |
|---|---|
| `bb auth login` | `read:user:bitbucket` (verifies the credentials) |
| `bb auth logout` | (none — local-only for API tokens; OAuth revoke uses the existing token) |
| `bb auth status` | `read:user:bitbucket` |
| `bb auth token` | (none — prints the locally-stored token) |
| Command | Required scopes |
|---|---|
| `bb repo list` | `read:repository:bitbucket` |
| `bb repo view` | `read:repository:bitbucket` |
| `bb repo clone` | `read:repository:bitbucket` (plus your normal git auth) |
| `bb repo create` | `write:repository:bitbucket` |
| `bb repo delete` | `admin:repository:bitbucket` |
| `bb repo default-reviewers list` | `read:repository:bitbucket` |
| `bb repo default-reviewers add` | `write:repository:bitbucket` |
| `bb repo default-reviewers remove` | `write:repository:bitbucket` |
Read-only PR commands — list, view, diff, checkout, activity, checks,
comments list, reviewers list — only need `read:pullrequest:bitbucket`
(plus `read:repository:bitbucket` for repository context).
| Command | Required scopes |
|---|---|
| `bb pr list` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr view` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr diff` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr checkout` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr activity` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr checks` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr comments list` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr reviewers list` | `read:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr create` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr edit` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr ready` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr approve` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr decline` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr merge` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr comments add` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr comments edit` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr comments delete` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr reviewers add` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| `bb pr reviewers remove` | `write:pullrequest:bitbucket`, `read:repository:bitbucket` |
| Command | Required scopes |
|---|---|
| `bb pipeline list` | `read:pipeline:bitbucket` |
| `bb pipeline view` | `read:pipeline:bitbucket` |
| `bb pipeline logs` | `read:pipeline:bitbucket` |
| `bb pipeline run` | `write:pipeline:bitbucket` |
| `bb pipeline stop` | `write:pipeline:bitbucket` |
Commits are part of the repository resource, so commit commands reuse the
repository scopes:
| Command | Required scopes |
|---|---|
| `bb commit list` | `read:repository:bitbucket` |
| `bb commit view` | `read:repository:bitbucket` |
Commit build statuses also live under the repository resource:
| Command | Required scopes |
|---|---|
| `bb status list` | `read:repository:bitbucket` |
| `bb status set` | `write:repository:bitbucket` |
| Command | Required scopes |
|---|---|
| `bb issue list` | `read:issue:bitbucket` |
| `bb issue view` | `read:issue:bitbucket` |
| `bb issue create` | `write:issue:bitbucket` |
| `bb issue edit` | `write:issue:bitbucket` |
| `bb issue close` | `write:issue:bitbucket` |
| `bb issue comment` | `write:issue:bitbucket` |
| Command | Required scopes |
|---|---|
| `bb workspace list` | `read:workspace:bitbucket` |
| `bb workspace view` | `read:workspace:bitbucket` |
| Command | Required scopes |
|---|---|
| `bb project list` | `read:project:bitbucket` |
| `bb project view` | `read:project:bitbucket` |
| `bb project create` | `admin:project:bitbucket` |
| Command | Required scopes |
|---|---|
| `bb snippet list` | `read:snippet:bitbucket` |
| `bb snippet view` | `read:snippet:bitbucket` |
| `bb snippet create` | `write:snippet:bitbucket` |
| `bb snippet edit` | `write:snippet:bitbucket` |
| `bb snippet delete` | `write:snippet:bitbucket` |
These don’t hit the API and don’t need any scope:

- `bb config` (all subcommands)
- `bb completion`
- `bb` (root, including the version-check)
Pick the profile that matches your workflow and grant only those scopes when
creating the token.
read:repository:bitbucket
read:pullrequest:bitbucket
read:repository:bitbucket
read:pullrequest:bitbucket
write:pullrequest:bitbucket
read:repository:bitbucket
write:repository:bitbucket
admin:repository:bitbucket
read:repository:bitbucket
write:repository:bitbucket
read:repository:bitbucket
Principle of least privilege
Don’t grant `write:` or `admin:` scopes to a token unless the script that uses
it actually needs them. A leaked read-only token is far less damaging than a
leaked admin token.
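One way to apply this principle before minting a token is to compute the minimum scope set for the exact list of bb commands a job runs and compare it with the scopes you intend to grant. The script below is an added example, not part of the bb CLI or of this page; its command-to-scope mapping is transcribed from the tables above, while the function names, the workflow list and the token-scope input format are assumptions. Scopes are compared literally (it does not assume that `write:` implies `read:`), and the `missing_scopes` result is the set to look at when a command exits with `2003 API_FORBIDDEN`.

```python
"""Pre-flight scope check for a bb API token (added example, not bb's own code).

The command-to-scope mapping is transcribed from the tables on this page.
Function names and the token-scope input format are assumptions.
Scopes are compared literally: no assumption that write: implies read:.
"""

R_USER = "read:user:bitbucket"
R_REPO = "read:repository:bitbucket"
W_REPO = "write:repository:bitbucket"
A_REPO = "admin:repository:bitbucket"
R_PR = "read:pullrequest:bitbucket"
W_PR = "write:pullrequest:bitbucket"
R_PIPE = "read:pipeline:bitbucket"
W_PIPE = "write:pipeline:bitbucket"
R_ISSUE = "read:issue:bitbucket"
W_ISSUE = "write:issue:bitbucket"
R_WS = "read:workspace:bitbucket"
R_PROJ = "read:project:bitbucket"
A_PROJ = "admin:project:bitbucket"
R_SNIP = "read:snippet:bitbucket"
W_SNIP = "write:snippet:bitbucket"


def _group(prefix, verbs, *scopes):
    """Map '<prefix> <verb>' for each comma-separated verb to one scope set."""
    return {f"{prefix} {v}": frozenset(scopes) for v in verbs.split(",")}


# Minimum scopes per command, as documented in the tables on this page.
COMMAND_SCOPES = {
    "bb auth login": frozenset({R_USER}),
    "bb auth status": frozenset({R_USER}),
    "bb auth logout": frozenset(),
    "bb auth token": frozenset(),
    **_group("bb repo", "list,view,clone,default-reviewers list", R_REPO),
    **_group("bb repo", "create,default-reviewers add,default-reviewers remove", W_REPO),
    **_group("bb repo", "delete", A_REPO),
    **_group("bb pr", "list,view,diff,checkout,activity,checks,comments list,reviewers list", R_PR, R_REPO),
    **_group("bb pr", "create,edit,ready,approve,decline,merge,comments add,comments edit,"
             "comments delete,reviewers add,reviewers remove", W_PR, R_REPO),
    **_group("bb pipeline", "list,view,logs", R_PIPE),
    **_group("bb pipeline", "run,stop", W_PIPE),
    **_group("bb commit", "list,view", R_REPO),
    **_group("bb status", "list", R_REPO),
    **_group("bb status", "set", W_REPO),
    **_group("bb issue", "list,view", R_ISSUE),
    **_group("bb issue", "create,edit,close,comment", W_ISSUE),
    **_group("bb workspace", "list,view", R_WS),
    **_group("bb project", "list,view", R_PROJ),
    **_group("bb project", "create", A_PROJ),
    **_group("bb snippet", "list,view", R_SNIP),
    **_group("bb snippet", "create,edit,delete", W_SNIP),
}

# Commands that never call the API and therefore need no scope.
LOCAL_ROOT = "bb"
LOCAL_PREFIXES = ("bb config", "bb completion")


def scopes_for(command):
    """Return the minimum scope set (frozenset) for one bb command."""
    command = " ".join(command.split())  # normalise whitespace
    if command in COMMAND_SCOPES:
        return COMMAND_SCOPES[command]
    if command == LOCAL_ROOT or command in LOCAL_PREFIXES or \
            command.startswith(tuple(p + " " for p in LOCAL_PREFIXES)):
        return frozenset()
    raise ValueError(f"unknown bb command: {command!r}")


def minimum_scopes(commands):
    """Union of the minimum scopes for every command in a workflow."""
    needed = set()
    for c in commands:
        needed |= scopes_for(c)
    return needed


def missing_scopes(granted, commands):
    """Scopes the workflow needs that the token was not minted with.
    A non-empty result is what a 2003 API_FORBIDDEN exit points at."""
    return minimum_scopes(commands) - set(granted)


def excess_scopes(granted, commands):
    """Scopes the token carries that no command in the workflow needs."""
    return set(granted) - minimum_scopes(commands)


def least_privilege_report(granted, commands):
    """Summarise the check. 'ok' is True only when nothing is missing and
    no surplus write:/admin: scope is present (surplus read: is reported
    but tolerated)."""
    missing = missing_scopes(granted, commands)
    excess = excess_scopes(granted, commands)
    risky_excess = {s for s in excess if s.split(":")[0] in ("write", "admin")}
    return {
        "minimum": sorted(minimum_scopes(commands)),
        "missing": sorted(missing),
        "excess": sorted(excess),
        "ok": not missing and not risky_excess,
    }


if __name__ == "__main__":
    # Constructed sample: a CI job that checks out a PR, sets a build status
    # and comments on the PR, run with a token that was minted too broadly.
    workflow = ["bb auth login", "bb pr checkout", "bb status set", "bb pr comments add"]
    token_scopes = {R_USER, R_REPO, W_REPO, A_REPO, R_PR, W_PR}
    print(least_privilege_report(token_scopes, workflow))
```

Run it with the scope list you plan to select in the token UI; a non-empty `excess` containing an `admin:` or `write:` scope means the token is broader than the job needs, and a non-empty `missing` means the job will fail with the forbidden error described below.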
If a command exits with `2003 API_FORBIDDEN`, your token is missing the scope
listed in the table above. Mint a new token with the required scope (you can’t
add scopes to an existing token) and re-authenticate:

```sh
bb auth login -u your-username -p new-token
```