Bitbucket Cloud transitions to API tokens: enhancing security with app password deprecation

At Atlassian, we are dedicated to strengthening the security of our platforms to safeguard your data and integrations. As part of this commitment, we are announcing the deprecation of app passwords in Bitbucket Cloud and transitioning to API tokens, which provide a more secure authentication method, increased admin flexibility, and additional expiry controls.

Important: No changes are taking effect immediately, and existing integrations using app passwords will continue to function without interruption. However, this change is time-sensitive, with a 12-month transition period. Integrations with app passwords will stop working entirely on June 9, 2026.

We strongly recommend starting the transition to Bitbucket API tokens as soon as possible to ensure uninterrupted access and improved security. Early preparation will ensure a smooth experience, and transitioning to API tokens is straightforward. This announcement outlines the steps to create API tokens, the reasons for this change, the timeline, and next steps.

Why app passwords are being deprecated

App passwords have served as a reliable authentication method, but API tokens offer enhanced security and greater control for all users: 

• Expiration control: API tokens can be set to expire after a defined period, reducing the risk of long-term exposure if a token is compromised.
• Centralized management: API tokens are managed through a centralized system, enabling easier oversight, revocation, and control. For managed accounts within a claimed domain, Org Admins gain visibility into API token usage and the ability to revoke tokens as needed.
• Modern scopes: API tokens support modern identity scopes, which are more secure and flexible than the classic scopes used by app passwords. 

Transitioning to API tokens ensures a more secure and consistent authentication experience for all Bitbucket Cloud users. Learn more about user API tokens and different roles.

Deprecation timeline

A phased approach is being adopted to ensure a smooth transition with minimal disruption to existing integrations:

Phase 1: Announcement and preparation (June 9th 2025 )

• No customer impact: App passwords will continue to work as expected, and all existing integrations remain unaffected.
• Customers can begin transitioning to API tokens at their own pace.
• Review our support documentation to help you create and implement API tokens.
• We will be working with our partners, to make sure they are also aware of these changes and make necessary adjustments to their application to ensure smooth transition for 3rd party integrations for our customers.

Phase 2: Disabling new app password creation (September 9th 2025) 

• Bitbucket Cloud will no longer allow the creation of new app passwords.
• Existing App passwords will continue to work, ensuring no disruption to your integrations.
• Customers will be routed to create API tokens from this date forward and will be encouraged to adopt API tokens for their integrations during this phase.

Phase 3: Full deprecation of app passwords (June 9th 2026 )

• App passwords will cease to function, and integrations using them will stop working.
• All integrations previously using app passwords now must switch to API token to authenticate with Bitbucket Cloud.
• Regular updates, reminders, and support will be provided throughout this process to ensure a seamless transition.

How to create API tokens

To prepare, you can start using API tokens for scripting, CI/CD tools, or testing Bitbucket-connected applications. Follow these steps:

1. From the top navigation bar of Bitbucket account, select Settings > Atlassian account settings > Security.
2. Choose Create and manage API tokens > Create API token with scopes.
3. Name the token, set an expiry date, and select Bitbucket as the app.
4. Assign necessary permissions (see Bitbucket API token permissions for details).
5. Create the token, copy it, and paste it into your application to update the credentials. Note: The token is displayed only once.

Learn more on how to create API tokens in our documentation.

Next steps

• Review app passwords: No changes are happening now, and integrations remain unaffected. However check Bitbucket personal settings for existing app passwords, which will stop working on June 9, 2026, and prepare for upcoming changes.
• Start updating to API tokens: Begin integrating API tokens in your environment to ensure compatibility with your workflows.
• Stay informed: Monitor our communications for updates, including reminders and additional resources to support your transition.

We are committed to making this transition as smooth as possible. For detailed guidance, please review our Bitbucket API token Documentation. If you have any questions or need support, visit our community page to ask questions, share insights, and get assistance throughout this process.