Currently we have around 50-60 repos being managed with these 3 types of modules (proxy, sharedflow and config).
In order to ease the process we have created a Centralized Repo (apigee-devops-pipeline) and managing the devops configuration, Repository variables and the bitbucket-pipeline.yml for the individual repos (50-60). Currently we have done this setup for 1 per each module, almost we are at the end of the centralized pipeline setup now. With App Password by using REST API i could get the result but if i use API Token i am getting 401 error.
Scenario:
When a developer pushes the code and raises a PR from from feature to develop branch sonar check should happen in centralized pipeline once the PR is raised in the individual repo and need to provide its Pass/fail result to Individual repo.
Result:
We tried to create Bitbucket APP password which is going to be deprecated soon and used that in the centralized pipeline. By using the REST API's i could get the Sonar scan status under the checks in the individual PR request screen. So when the developer merge the changes if the sonar is success then it will allow to merge and if it fails then developer needs to fix it and then merge.
100 1910 100 1655 100 255 4057 625 --:--:-- --:--:-- --:--:-- 4692
* Connection #0 to host api.bitbucket.org left intact
2025-08-01T19:37:25.741820045Z stdout P {"key": "sonar-pr-feature/check", "type": "build", "state": "FAILED", "name": "Sonar Scan", "refname": null, "commit": {"hash": "b323157158021b9fde92a32fa4ae847756f82a32", "links": {"self": {"href": " [REDACTED]"}, "html": {"href": [REDACTED]}}, "type": "commit"}, "url": [REDACTED], "repository": {"type": "repository", "full_name": " [REDACTED]", "links": {"self": {"href": [REDACTED]}, "html": {"href": " [REDACTED]"}, "avatar": {"href": "https://bytebucket.org/ravatar/%7B28af68b8-7690-4d7d-8313-3902bb6335c0%7D?ts=default"}}, "name": "sharedflow-templatesharedflow", "uuid": " [REDACTED]"}, "description": "Sonar Scan failed. Check pipeline logs and SonarCloud report.", "created_on": "2025-08-01T19:37:25.582119+00:00", "updated_on": "2025-08-01T19:37:25.582134+00:00", "links": {"self": {"href": " [REDACTED]"}, "commit": {"href": " [REDACTED]}}}
Similarly we tried to create bitbucket API Token for the same scenario and from the centralized pipeline i could not get the sonar scan status under the checks in the individual PR Request Screen. I am getting 401 error when trying to do with the REST API,
* The requested URL returned error: 401
100 280 0 0 100 280 0 1566 --:--:-- --:--:-- --:--:-- 1573
* Connection #0 to host api.bitbucket.org left intact
curl: (22) The requested URL returned error: 401
Build teardown
Hi @vinoth_vinothkumaar_accenture and welcome to the community!
API tokens can be used with Bitbucket Cloud APIs. However, you need to use the Atlassian account email address for the user you generated the API token for. Static usernames, like x-token-auth, cannot be used for authentication in Bitbucket Cloud APIs with an API token.
So, instead of
-u "x-token-auth:$BITBUCKET_API_TOKEN_WRITE"
you will need to use
-u "$ATLASSIAN_ACCOUNT_EMAIL:$BITBUCKET_API_TOKEN_WRITE"
where ATLASSIAN_ACCOUNT_EMAIL is a variable you need to create, with value the Atlassian account email of the user.
Please also keep in mind that you will need to generate an API with scopes. For this specific endpoint you are using, the necessary scope is read:repository:bitbucket.
If you select a specific API endpoint from the left sidebar in the APIs documentation, you will see Forge app and API Token scopes required: so that you know what scope you need for each endpoint.
Another option would to be to generate an access token for $TRIGGER_REPO, so that you don't expose user credentials. Then, instead of
-u "$ATLASSIAN_ACCOUNT_EMAIL:$BITBUCKET_API_TOKEN_WRITE"
you could use
--header "Authorization: Bearer $ACCESS_TOKEN"
Please feel free to reach out if you have any questions!
Kind regards,
Theodora
Ok Thanks For the Suggestion, let me check it out and let you know.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
With the Atlassian Account Email i could notice that the scenario is working fine. Thanks for the suggestion.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @vinoth_vinothkumaar_accenture
First of all, welcome to the Atlassian Community!
It looks like you're facing a similar issue to what I encountered when switching from an App password to an API token. If I'm understanding correctly, it seems like the header name might not be supported. Could you try following this guide and see if that helps? Also, make sure that the necessary scope is included when you create the API token. Give it a try and let me know how it goes!
Jin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.