Application properties provide a way for Connect apps to store data inside Bitbucket, as if it were a key/value store. We support storing properties against repositories, users, pull requests, and commits. Properties stored against other object types will likely be supported in the future.
Users can access properties using the REST APIs. For this reason, never use entity or app properties to store personal data or privileged configuration information. Your app has to handle storage and permissions for security-sensitive information.
The URL for fetching a property value looks like this:
1 2GET https://api.bitbucket.org/2.0/repositories/<account>/<repository>/properties/<app key>/<property>
In this example, account
is the account where the app is installed, repository
is the
repository against which the property is stored, app key
is the key of the application,
and property
is the name of the property.
Set a property value with this URL:
1 2PUT https://api.bitbucket.org/2.0/repositories/<account>/<repository>/properties/<app key>/<property> { "foo": "bar", "abc": "def", "enabled": true }
All the placeholders in this PUT
example are the same as for the GET
example,
additionally there is a JSON body containing the value being set for the property. The structure of the
body is largely defined by the caller. There are a couple of important notes:
keys
of any JSON object must match the regular expression ^[-_a-zA-Z0-9]+$
._attributes
value at the top level can be used to control who can read and write the variable. For
details, see Attributes.There is a corresponding DELETE
method available to remove properties that
were previously set:
1 2DELETE https://api.bitbucket.org/2.0/repositories/<account>/<repository>/properties/<app key>/<property>
To GET
a property, any valid Bitbucket API
authentication type may be used (see this page
and this page for ways to authenticate
requests to Bitbucket). A property may not be visible
to requests signed with certain kinds of auth depending on the property
attributes (explained below).
To PUT
or DELETE
a property,
requests may always be made
using a JWT token.
Additionally, they may sometimes
be made from the app client in the browser using the
AP.require('request', ...)
pattern. The situations where it is appropriate
to call the mutative methods from the browser are described in the
following section on Attributes.
When you create a property value you can set attributes for it, like this:
1 2PUT https://api.bitbucket.org/2.0/repositories/<account>/<repository>/properties/<app key>/<property> { 'foo': 'bar', '_attributes': [ 'read_only', 'public' ] }
The two supported attributes are read_only
and public
.
Properties with the read_only
attribute are only able to be
set or removed using JWT authentication.
This provides a way for apps to set values that
cannot be tampered with by an end user that invokes an
AP.require('request', ...)
call to the properties API from
the browser. This way, an app knows that it is the only one that has
mutated these values, which could be handy if the property is being used
to enforce security controls. Properties without this attribute may also be
mutated via calls to AP.require('request', ...)
from the
browser.
Properties with public
attribute may be queried by callers
other than the app, providing a way for apps to share non-sensitive information
externally with others. If this attribute is not present, a property
may only be queried by the app that created it, either with a JWT-signed
request or via the AP.require('request', ...)
API called
from the app browser client.
It is possible to refer to application properties in the
app descriptor to include the value of an application property in
the url
field of modules, such as in the following example:
1 2"modules": { "repoPages": [ { "url": "/home?userProperty={user.properties.get(attribute=app.key).myproperty.enabled}", "name": { "value": "Home page" }, "location": "org.bitbucket.repository.navigation", "key": "home", } ] }
It is also possible to refer to application properties in the
app descriptor conditions
to configure the conditional
render logic of a module, such as in the following example:
1 2"conditions": [{ "type": "or", "conditions": [{ "condition": "property_exists", "target": "repository.properties", "params": { "appKey": { "eval": "app.key" }, "propertyKey": "myproperty", "objectName": "enabled" }, "invert": true }, { "condition": "equals", "target": "repository.properties.get(attribute=app.key).myproperty.enabled", "params": { "value": "true" } }] }]
In this example of a module conditions block
the module is only rendered if either the property myproperty
has not been set, or if has been set to the value:
1 2{ 'enabled': true }
If it has been set to the value:
1 2{ 'enabled': false }
or any other value for enabled
other than true,
the module will not be shown in the UI for this account/repository.
Another cool thing you can do is request that repository properties be returned in API responses that are returning Bitbucket repositories. To request properties are attached to an API response you can do:
1 2curl -G -u <user>:<app password> https://api.bitbucket.org/2.0/repositories/<account>/<repository> \ --data-urlencode 'fields=+properties.*'
If you have property values containing nested objects you'd like returned
in the response, you will need to appropriately specify the depth of the
inclusion of properties field (for example, fields=+properties.*.*.*
).
Note, non-public properties will only be visible
to requests signed with a JWT token crafted by the app, or if an app
makes requests using AP.require('request', ...)
from within
a connect iframe. Public properties
can be accessed via the API by any requests that have permission to
access the repository.
When retrieving application properties in this manner, you are limited to a maximum of 100 properties in the repsonse.
Rate this page: