# Bitbucket Server/Bitbucket Data Center

<TierCallout>
	Supported on [Enterprise](/pricing/plans/enterprise) plans.
	<user>Available via the Web app.</user>
</TierCallout>

Site admins can sync Git repositories hosted on [Bitbucket Server](https://www.atlassian.com/software/bitbucket/server) or [Bitbucket Data Center](https://www.atlassian.com/enterprise/data-center/bitbucket) with Sourcegraph so that users can search and navigate their repositories.

To connect Bitbucket Server / Bitbucket Data Center to Sourcegraph:

1. Go to **Site admin > Manage code hosts > Add repositories**
1. Select **Bitbucket Server / Bitbucket Data Center**.
1. Configure the connection to Bitbucket Server / Bitbucket Data Center using the action buttons above the text field, and additional fields can be added using <kbd>Cmd/Ctrl+Space</kbd> for auto-completion. See the [configuration documentation below](#configuration).
1. Press **Add repositories**.

Also consider installing the [Sourcegraph Bitbucket Server plugin](/integration/bitbucket-server#sourcegraph-bitbucket-server-plugin) which enables native code navigation for every Bitbucket user when browsing code and reviewing pull requests, allows for faster permission syncing between Sourcegraph and Bitbucket Server / Bitbucket Data Center and adds support for webhooks to Bitbucket Server / Bitbucket Data Center.

## Access token permissions

Sourcegraph requires a Bitbucket Server / Bitbucket Data Center personal access token with **read** permissions to sync repositories.

When using [batch changes](/batch-changes/) the access token needs **write** permissions on the project and repository level. See "[Code host interactions in batch changes](/batch-changes/permissions-in-batch-changes#code-host-interactions-in-batch-changes)" for details.

You can create a personal access token at `https://[your-bitbucket-hostname]/plugins/servlet/access-tokens/add`. Also set the corresponding `username` field.

For Bitbucket Server instances that don't support personal access tokens (Bitbucket Server version 5.4 and older), specify user-password credentials in the `username` and `password` fields.

## Repository syncing

There are four fields for configuring which repositories are mirrored:

-   [`repos`](/admin/code-hosts/bitbucket-server#configuration)
    -   A list of repositories in `projectKey/repositorySlug` format. The order determines the order in which we sync repository metadata and is safe to change.
-   [`repositoryQuery`](/admin/code-hosts/bitbucket-server#configuration)
    -   A list of strings with some pre-defined options (`none`, `all`), and/or a [Bitbucket Server / Bitbucket Data Center Repo Search Request Query Parameters](https://docs.atlassian.com/bitbucket-server/rest/6.1.2/bitbucket-rest.html#idp355).
-   [`exclude`](/admin/code-hosts/bitbucket-server#configuration)
    -   A list of repositories to exclude which takes precedence over the `repos`, and `repositoryQuery` fields.
-   [`excludePersonalRepositories`](/admin/code-hosts/bitbucket-server#configuration)
    -   With this enabled, Sourcegraph will exclude any personal repositories from being imported, even if it has access to them.

## Webhooks

Using the `webhooks` property on the external service has been deprecated.

Please consult [this page](/admin/webhooks/incoming) in order to configure webhooks.

## Repository permissions

Enforcing Bitbucket Server / Bitbucket Data Center permissions can be configured via the `authorization` setting in its configuration.

> NOTE: It can take some time to complete full cycle of repository permissions sync if you have a large number of users or repositories. [See sync duration time](/admin/permissions/syncing#sync-duration) for more information.

> NOTE: Sourcegraph can only sync permissions for personal repositories on Bitbucket Server / Bitbucket Data Center when the Sourcegraph [Bitbucket Server plugin](/integration/bitbucket-server) is installed.

### Prerequisites

1. You have the exact same user accounts, **with matching usernames**, in Sourcegraph and Bitbucket Server / Bitbucket Data Center. This can be accomplished by configuring an [external authentication provider](/admin/auth/) that mirrors user accounts from a central directory like LDAP or Active Directory. The same should be done on Bitbucket Server / Bitbucket Data Center with [external user directories](https://confluence.atlassian.com/bitbucketserver/external-user-directories-776640394.html).
1. Ensure you have set `auth.enableUsernameChanges` to **`false`** in the [site config](/admin/config/site-config) to prevent users from changing their usernames and **escalating their privileges**.

### Setup

Repository permissions for Bitbucket Server / Bitbucket Data Center can be configured via OAuth1 or OAuth2. OAuth2 is the recommended method.

#### OAuth2

You'll first need to [configure Bitbucket Server as an auth provider](/admin/auth/#bitbucket-server). Next, in your Bitbucket Server code host connection, add the following `authorization` settings:

    ```json
    {
      // Other config goes here
      "authorization": {
        "oauth2": true
      }
    }
    ```

Once a user has connected their Bitbucket Server account, either by signing-in via Bitbucket Server or by connecting the account on their **Settings** > **Account security** page, their OAuth token will be used to sync their repository permissions.

#### OAuth1

This section walks you through the process of setting up an _Application Link between Sourcegraph and Bitbucket Server / Bitbucket Data Center_ and configuring the Sourcegraph Bitbucket Server / Bitbucket Data Center configuration with `authorization` settings. It assumes the above prerequisites are met.

As an admin user, go to the "Application Links" page. You can use the sidebar navigation in the admin dashboard, or go directly to [https://bitbucketserver.example.com/plugins/servlet/applinks/listApplicationLinks](https://bitbucketserver.example.com/plugins/servlet/applinks/listApplicationLinks).

> NOTE: There has been some [changes to the flow in Bitbucket v7.20](https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-7-20-release-notes-1101934428.html). Depending on your Bitbucket version, the setup is slightly different. Please follow the instructions for the correct version of Bitbucket below:

-   [Bitbucket v7.20 and above](#bitbucket-v720-and-above)
-   [Bitbucket v7.19 and below](#bitbucket-v719-and-below)

#### Bitbucket v7.20 and above

{/* <!-- Duplicating content in this section and in 7.19 on purpose. If we decide to implement OAuth2 support, the 7.20 instructions would be much more different than now --> */}

1. Click on **Create link** button.
   ![Screenshot of Bitbucket Application Links page.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/application_links_landing_page.png)
1. Make sure **Atlassian product** is selected (This will probably look confusing, but it is the only way to setup legacy OAuth app that Sourcegraph supports).
   Write Sourcegraph's external URL in the **Application URL** field and click **Continue**. Click **Continue** on the next screen again, even if Bitbucket Server / Bitbucket Data Center warns you about the given URL not responding.
   ![Screenshot of Bitbucket Create Link form.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/create_link_part_1.png)
1. Write `Sourcegraph` as the _Application Name_ and select `Generic Application` as the _Application Type_. Leave everything else unset and click **Continue**.
   ![Screenshot of second part of Bitbucket Create Link form.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/create_link_part_2.png)
1. Now click the **Edit** button in the `Sourcegraph` Application Link that you just created and select the **Incoming Authentication** panel.
   ![Screenshot of first part of Bitbucket Edit Link form.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/edit_link_part_1.png)
1. Generate a _Consumer Key_ in your terminal with `echo sourcegraph$(openssl rand -hex 16)`. Copy this command's output and paste it in the _Consumer Key_ field. Write `Sourcegraph` in the _Consumer Name_ field.
   ![Screenshot of second part of Bitbucket Edit Link form.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/edit_link_part_2.png)
1. Generate an RSA key pair in your terminal with `ssh-keygen -t rsa -b 4096 -o -a 100 -f sourcegraph.pem -m PEM && openssl rsa -in sourcegraph.pem -pubout > sourcegraph.pub`. Note that the private key must be in PKCS#1 format. Copy the contents of `sourcegraph.pub` and paste them in the _Public Key_ field.
   ![Screenshot of third part of Bitbucket Edit Link form.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/edit_link_part_3.png)
1. Scroll to the bottom and check the **_Allow 2-Legged OAuth_** checkbox, then write your admin account's username (this **must** match the `username` used in the external service configuration. In an instance where you may choose to use a service account, make sure that it has admin privileges.) in the _Execute as_ field and, lastly, check the **_Allow user impersonation through 2-Legged OAuth_** checkbox. Press **Save**.
   ![Screenshot of last part of Bitbucket Edit Link form.](https://storage.googleapis.com/sourcegraph-assets/docs/images/administration/config/external-services/bitbucket_server/edit_link_part_4.png)
1. Go to your Sourcegraph's _Manage code hosts_ page (i.e. `https://sourcegraph.example.com/site-admin/external-services`) and either edit or create a new _Bitbucket Server / Bitbucket Data Center_ connection. Add the following settings:
    ```json
    {
    	// Other config goes here
    	"authorization": {
    		"identityProvider": {
    			"type": "username"
    		},
    		"oauth": {
    			"consumerKey": "<KEY GOES HERE>",
    			"signingKey": "<KEY GOES HERE>"
    		}
    	}
    }
    ```
1. Copy the _Consumer Key_ you generated before to the `oauth.consumerKey` field and the output of the command `base64 sourcegraph.pem | tr -d '\n'` to the `oauth.signingKey` field. Finally, **save the configuration**. You're done!

#### Bitbucket v7.19 and below

1. Write Sourcegraph's external URL in the text area (e.g. `https://sourcegraph.example.com`) and click **Create new link**.
    ![Create new link dialog](https://imgur.com/Hg4bzOf.png)
1. Click **Continue** even if Bitbucket Server / Bitbucket Data Center warns you about the given URL not responding.
    ![URL warning dialog](https://imgur.com/x6vFKIL.png)
1. Write `Sourcegraph` as the _Application Name_ and select `Generic Application` as the _Application Type_. Leave everything else unset and click **Continue**.
    ![Application configuration](https://imgur.com/161rbB9.png)
1. Now click the edit button in the `Sourcegraph` Application Link that you just created and select the `Incoming Authentication` panel.
    ![Edit Application Link](https://imgur.com/sMGmzhH.png)
1. Generate a _Consumer Key_ in your terminal with `echo sourcegraph$(openssl rand -hex 16)`. Copy this command's output and paste it in the _Consumer Key_ field. Write `Sourcegraph` in the _Consumer Name_ field.
    ![Consumer Key configuration](https://imgur.com/1kK2Y5x.png)
1. Generate an RSA key pair in your terminal with `openssl genrsa -out sourcegraph.pem 4096 && openssl rsa -in sourcegraph.pem -pubout > sourcegraph.pub`. Copy the contents of `sourcegraph.pub` and paste them in the _Public Key_ field.
    ![Public Key configuration](https://imgur.com/YHm1uSr.png)
1. Scroll to the bottom and check the _Allow 2-Legged OAuth_ checkbox, then write your admin account's username in the _Execute as_ field and, lastly, check the _Allow user impersonation through 2-Legged OAuth_ checkbox. Press **Save**.
    ![OAuth settings](https://imgur.com/1qxEAye.png)
1. Go to your Sourcegraph's _Manage code hosts_ page (i.e. `https://sourcegraph.example.com/site-admin/external-services`) and either edit or create a new _Bitbucket Server / Bitbucket Data Center_ connection. Add the following settings:
    ```json
    {
    	// Other config goes here
    	"authorization": {
    		"identityProvider": {
    			"type": "username"
    		},
    		"oauth": {
    			"consumerKey": "<KEY GOES HERE>",
    			"signingKey": "<KEY GOES HERE>"
    		}
    	}
    }
    ```
1. Copy the _Consumer Key_ you generated before to the `oauth.consumerKey` field and the output of the command `base64 sourcegraph.pem | tr -d '\n'` to the `oauth.signingKey` field. Finally, **save the configuration**. You're done!

### Fast permission sync with Bitbucket Server plugin

By installing the [Bitbucket Server plugin](/integration/bitbucket-server), you can make use of the fast permission sync feature that allows using Bitbucket Server / Bitbucket Data Center permissions on larger instances.

### Fast permission syncing

With the [Sourcegraph Bitbucket Server plugin](/integration/bitbucket-server#sourcegraph-bitbucket-server-plugin) you can enable fast permission syncing:

1. Connect Bitbucket Server / Bitbucket Data Center to Sourcegraph (_see instructions above_).
1. Follow the [instructions to set up repository permissions](#repository-permissions) with Bitbucket Server / Bitbucket Data Center.
1. Install the [Sourcegraph Bitbucket Server plugin](/integration/bitbucket-server#sourcegraph-bitbucket-server-plugin) on your Bitbucket Server / Bitbucket Data Center instance.
1. In Sourcegraph, go to **Site admin > Manage code hosts** and edit the Bitbucket Server / Bitbucket Data Center configuration.
1. Add the `"plugin.permissions"` property:

```json
{
	// [...]
	"plugin": {
		"permissions": "enabled"
	}
}
```

### Authentication for older Bitbucket Server / Bitbucket Data Center versions

Bitbucket Server / Bitbucket Data Center versions older than v5.5 require specifying a less secure username and password combination, as those versions of Bitbucket Server / Bitbucket Data Center do not support [personal access tokens](https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html).

### HTTPS cloning

Sourcegraph by default clones repositories from your Bitbucket Server / Bitbucket Data Center via HTTP(S), using the access token or account credentials you provide in the configuration. The [`username`](/admin/code-hosts/bitbucket-server#configuration) field is always used when cloning, so it is required.

## Internal rate limits

See [Internal rate limits](/admin/code-hosts/rate-limits#internal-rate-limits).

## Configuration

Bitbucket Server / Bitbucket Data Center connections support the following configuration options, which are specified in the JSON editor in the site admin "Manage code hosts" area.

{/* <div markdown-func=jsonschemadoc jsonschemadoc:path="admin/code_hosts/bitbucket_server.schema.json">[View page on our docs](/admin/code-hosts/bitbucket-server) to see rendered content.</div> */}

### admin/code_hosts/bitbucket_server.schema.json

{/* SCHEMA_SYNC_START: admin/code_hosts/bitbucket_server.schema.json */}
{/* WARNING: This section is auto-generated during releases. Do not edit manually. */}
{/* Last updated: 2026-04-02T22:07:28Z */}
```json
	// Authentication alternatives: token OR password

{
	// If non-null, enforces Bitbucket Server / Bitbucket Data Center repository permissions.
	"authorization": {
		"identityProvider": {
			"type": null
		},
		"oauth": {
			"consumerKey": null,
			"signingKey": null
		},
		"oauth2": false
	},

	// ⚠️  DEPRECATED: DEPRECATED: Use the tls.external setting in site config
	// DEPRECATED: Use the tls.external setting in site config
	// Other example values:
	// - "-----BEGIN CERTIFICATE-----\n..."
	"certificate": null,

	// A list of repositories to never mirror from this Bitbucket Server / Bitbucket Data Center instance. Takes precedence over "repos" and "repositoryQuery".
	// Supports excluding by name ({"name": "projectKey/repositorySlug"}) or by ID ({"id": 42}).
	// Other example values:
	// - [
	//     {
	//       "name": "myproject/myrepo"
	//     },
	//     {
	//       "id": 42
	//     }
	//   ]
	// - [
	//     {
	//       "name": "myproject/myrepo"
	//     },
	//     {
	//       "name": "myproject/myotherrepo"
	//     },
	//     {
	//       "name": "~USER/theirrepo"
	//     },
	//     {
	//       "pattern": "^topsecretproject/.*"
	//     }
	//   ]
	"exclude": null,

	// Whether or not personal repositories should be excluded or not. When true, Sourcegraph will ignore personal repositories it may have access to. See https://sourcegraph.com/docs/integration/bitbucket_server#excluding-personal-repositories for more information.
	"excludePersonalRepositories": false,

	// SSH cipher to use when cloning via SSH. Must be a valid choice from `ssh -Q cipher`.
	"gitSSHCipher": null,

	// SSH keys to use when cloning Git repo.
	"gitSSHCredential": null,

	// The type of Git URLs to use for cloning and fetching Git repositories on this Bitbucket Server / Bitbucket Data Center instance.
	// If "http", Sourcegraph will access Bitbucket Server / Bitbucket Data Center repositories using Git URLs of the form http(s)://bitbucket.example.com/scm/myproject/myrepo.git (using https: if the Bitbucket Server / Bitbucket Data Center instance uses HTTPS).
	// If "ssh", Sourcegraph will access Bitbucket Server / Bitbucket Data Center repositories using Git URLs of the form ssh://git@example.bitbucket.org/myproject/myrepo.git. See the documentation for how to provide SSH private keys and known_hosts: https://sourcegraph.com/docs/admin/repo/auth.
	// Valid options: "http", "ssh"
	// Other example values:
	// - "ssh"
	"gitURLType": "http",

	// The maximum number of repos that will be deleted per sync. A value of 0 or less indicates no maximum.
	"maxDeletions": 0,

	// The password to use when authenticating to the Bitbucket Server / Bitbucket Data Center instance. Also set the corresponding "username" field.
	// For Bitbucket Server / Bitbucket Data Center instances that support personal access tokens (Bitbucket Server / Bitbucket Data Center version 5.5 and newer), it is recommended to provide a token instead (in the "token" field).
	"password": null,

	// Configuration for Bitbucket Server / Bitbucket Data Center Sourcegraph plugin
	"plugin": {
		"permissions": "disabled",
		"webhooks": {
			"disableSync": false,
			"secret": null
		}
	},

	// An array of project key strings that defines a collection of repositories related to their associated project keys
	"projectKeys": null,

	// Rate limit applied when making background API requests to BitbucketServer.
	"rateLimit": {
		"enabled": true,
		"requestsPerHour": 28800
	},

	// An array of repository "projectKey/repositorySlug" strings specifying repositories to mirror on Sourcegraph.
	// Other example values:
	// - [
	//     "myproject/myrepo",
	//     "myproject/myotherrepo",
	//     "~USER/theirrepo"
	//   ]
	"repos": null,

	// The pattern used to generate the corresponding Sourcegraph repository name for a Bitbucket Server / Bitbucket Data Center repository.
	// - "{host}" is replaced with the Bitbucket Server / Bitbucket Data Center URL's host (such as bitbucket.example.com)
	// - "{projectKey}" is replaced with the Bitbucket repository's parent project key (such as "PRJ")
	// - "{repositorySlug}" is replaced with the Bitbucket repository's slug key (such as "my-repo").
	// For example, if your Bitbucket Server / Bitbucket Data Center is https://bitbucket.example.com and your Sourcegraph is https://src.example.com, then a repositoryPathPattern of "{host}/{projectKey}/{repositorySlug}" would mean that a Bitbucket Server / Bitbucket Data Center repository at https://bitbucket.example.com/projects/PRJ/repos/my-repo is available on Sourcegraph at https://src.example.com/bitbucket.example.com/PRJ/my-repo.
	// It is important that the Sourcegraph repository name generated with this pattern be unique to this code host. If different code hosts generate repository names that collide, Sourcegraph's behavior is undefined.
	// Other example values:
	// - "{projectKey}/{repositorySlug}"
	"repositoryPathPattern": "{host}/{projectKey}/{repositorySlug}",

	// An array of strings specifying which repositories to mirror on Sourcegraph. Each string is a URL query string with parameters that filter the list of returned repos. Examples: "?name=my-repo&projectname=PROJECT&visibility=private".
	// The special string "none" can be used as the only element to disable this feature. Repositories matched by multiple query strings are only imported once. Here's the official Bitbucket Server / Bitbucket Data Center documentation about which query string parameters are valid: https://docs.atlassian.com/bitbucket-server/rest/6.1.2/bitbucket-rest.html#idp355
	// Other example values:
	// - [
	//     "?name=my-repo\u0026projectname=PROJECT\u0026visibility=private"
	//   ]
	"repositoryQuery": [
		"none"
	],

	// A Bitbucket Server / Bitbucket Data Center personal access token with Read permissions. When using batch changes, the token needs Write permissions. Create one at https://[your-bitbucket-hostname]/plugins/servlet/access-tokens/add. Also set the corresponding "username" field.
	// For Bitbucket Server / Bitbucket Data Center instances that don't support personal access tokens (Bitbucket Server / Bitbucket Data Center version 5.4 and older), specify user-password credentials in the "username" and "password" fields.
	"token": null,

	// REQUIRED:
	// URL of a Bitbucket Server / Bitbucket Data Center instance, such as https://bitbucket.example.com.
	// Other example values:
	// - "https://bitbucket.example.com"
	"url": null,

	// REQUIRED:
	// The username to use when authenticating to the Bitbucket Server / Bitbucket Data Center instance. Also set the corresponding "token" or "password" field.
	"username": null,

	// ⚠️  DEPRECATED: DEPRECATED: See https://sourcegraph.com/docs/admin/config/webhooks/incoming#deprecation-notice
	// DEPRECATED: See https://sourcegraph.com/docs/admin/config/webhooks/incoming#deprecation-notice
	"webhooks": {
		"secret": null
	}
}
```
{/* SCHEMA_SYNC_END: admin/code_hosts/bitbucket_server.schema.json */}