As of September 9, 2025, Bitbucket will no longer support the creation of app passwords, and all existing app passwords will be disabled on June 9, 2026. This creates an issue for users who need to connect to private Bitbucket repositories through OctoberCMS integrations, as app passwords can no longer be used for authentication.
I would like to suggest adding support for API tokens to access private repositories instead of app passwords. This would ensure compatibility with Bitbucket’s new authentication system and allow integrations to continue working without disruptions after app passwords are discontinued.
Why this is important:
As of September 9, 2025, new app passwords will no longer be available.
All existing app passwords will be disabled on June 9, 2026.
To continue working with private repositories, API tokens must be used.
What is needed:
Add the ability to specify API tokens for accessing private repositories in OctoberCMS settings.
Update the documentation so users can easily transition to the new authentication method.
I look forward to discussing possible solutions and implementation details. Thank you for your attention to this matter!
Thank you for reporting this. Bitbucket is phasing out App Passwords, but you can still connect to private repos over HTTPS. Just use this URL format and replace the password with your new API token, for example:
This should work the same way as before. If you run into issues, double-check you’re using the correct Bitbucket username (not your email) and that the token has the right scopes.
I tried using the URL with an API token (https://<username>:<API_TOKEN>@bitbucket.org/...) for my private repositories when adding a private plugin through the OctoberCMS account dashboard, but it didn’t work. I received the following error:
Unable to parse package, please check that the repository contains a valid composer.json file. Read the Packages / Publishing Packages documentation for more details.
I want to clarify that the repository does contain a valid composer.json, as specified in the documentation: Publishing Packages.
It seems that using the token directly in the URL is not compatible with the private plugin system in the account dashboard. This makes it impossible to connect private repositories without manually configuring auth.json, which is inconvenient for regular users.
Could you please add support for API tokens for private Bitbucket repositories in the account dashboard, so that private plugins can be connected without workarounds?
If that link does not open, then it would be a permission problem on the Bitbucket side.
The error you are seeing is generic and the October Gateway is not provided with the exact error from Satis. For adding native support for API tokens, we’ll need to investigate further. The above solution is the common approach that works for any Git provider.
At the moment, when working with private Bitbucket repositories, there is an issue: API tokens are not supported for direct HTTPS access. Unlike GitHub, where you can embed the token directly into the URL, Bitbucket requires either an App password with username or SSH keys.
and then use the standard HTTPS URL in composer.json.
2. Use SSH keys and connect via
git@bitbucket.org:owner/repo.git
It would be really helpful if OctoberCMS could add native support for Bitbucket API tokens, similar to how GitHub tokens work, so we could use tokens directly in the repository URL without these workarounds.
We will add the ability to use the newer BitBucket tokens. However, regular authentication should work. It should be possible to use basic HTTP auth unless they have disabled access via HTTPS entirely.
If the response is 404 it suggests the URL itself may be incorrect… opening the git URL should prompt for a username and password where you can test the username and token there.