Changelog

As part of end of support for Connect app, we will be deprecating application property APIs.

When we reach Connect EOL, the following endpoints will be removed:

1. GET /repositories/{workspace}/{repo_slug}/commit/{commit}/properties/{app_key}/{property_name}

2. PUT /repositories/{workspace}/{repo_slug}/commit/{commit}/properties/{app_key}/{property_name}

3. DEL /repositories/{workspace}/{repo_slug}/commit/{commit}/properties/{app_key}/{property_name}

4. GET /repositories/{workspace}/{repo_slug}/properties/{app_key}/{property_name}

5. PUT /repositories/{workspace}/{repo_slug}/properties/{app_key}/{property_name}

6. DEL /repositories/{workspace}/{repo_slug}/properties/{app_key}/{property_name}

7. GET /repositories/{workspace}/{repo_slug}/pullrequests/{pullrequest_id}/properties/{app_key}/{property_name}

8. PUT /repositories/{workspace}/{repo_slug}/pullrequests/{pullrequest_id}/properties/{app_key}/{property_name}

9. DEL /repositories/{workspace}/{repo_slug}/pullrequests/{pullrequest_id}/properties/{app_key}/{property_name}

10. GET /users/{selected_user}/properties/{app_key}/{property_name}

11. PUT /users/{selected_user}/properties/{app_key}/{property_name}

12. DEL /users/{selected_user}/properties/{app_key}/{property_name}

We've introduced a structured process for partners and Atlassian to jointly investigate security incidents affecting your app or the customer data it handles.

What's changing

• Log sharing for Forge apps: Atlassian can now share incident-scoped platform logs and app telemetry with you during an investigation. This provides the data you need to diagnose and resolve issues faster.

• A single reporting path: You can now report security incidents through the new developer support portal form. This form serves as the shared record for both you and Atlassian.

What you need to do

• Review the program overview page to understand eligibility and support levels.

• Ensure your security contact information is up to date in the partner account to ensure you are ready before an incident occurs.

As announced in Feb 5, 2026, we have removed the Bitbucket Cloud Connect addon linker APIs. These endpoints are no longer available.

The following REST API endpoints have been removed from Bitbucket Cloud:

• GET /2.0/addon/linkers

• GET /2.0/addon/linkers/{linker_key}

• GET /2.0/addon/linkers/{linker_key}/values

• PUT /2.0/addon/linkers/{linker_key}/values

• POST /2.0/addon/linkers/{linker_key}/values

• DEL /2.0/addon/linkers/{linker_key}/values

• GET /2.0/addon/linkers/{linker_key}/values/{value_id}

If you were using these endpoints, you must update your integrations to remove these calls as they will now return an error. For more information on the end of support for Connect on Bitbucket Cloud, please refer to the official announcement.

We’ve added new navigation targets for the Forge bridge’s router object. These allow you to use the router API to navigate to supported UI module pages in Bitbucket.

What’s changing:

The following Bitbucket modules are now supported as navigation targets:

• bitbucket:workspaceGlobalPage

• bitbucket:workspacePersonalSettingsPage

• bitbucket:workspaceSettingsMenuPage

• bitbucket:projectSettingsMenuPage

• bitbucket:repoMainMenuPage

• bitbucket:repoSettingsMenuPage

What you need to do:

You can now update your Custom UI or UI Kit apps to use these targets with router methods. For implementation details and examples, see the router object documentation.

Bitbucket Cloud is transitioning to API tokens to enhance security. As part of this transition, app passwords will be fully deprecated on Jul 28, 2026. To help you identify and migrate any remaining usage before the final removal, we are running a series of controlled brownouts starting Jun 9, 2026.

What’s changing:

During each brownout window, API requests authenticated using app passwords will fail with an HTTP 401 while Git-over-HTTPS operations authenticated using app passwords will fail with an HTTP 410.

What you need to do:
You must migrate to API tokens before Jul 28, 2026. API tokens offer improved security, expiration controls, and centralized management.

To create and use an API token:

1. Select your Profile icon, then select Account settings.

2. Select Security, then Create and manage API tokens, and then select Create API token.

3. Select Create API token with scopes.

4. Name the token, set an expiry date, select Bitbucket as the app.

5. Assign the necessary scopes and save the token.

6. Update your integration credentials, CI/CD pipelines, and local Git configurations with the new API token.

For detailed guidance, see the API token documentation.

As recently announced in Raising the bar on Marketplace cloud app security: together we are updating the Marketplace Security Bug Fix Policy to shorten vulnerability remediation timelines for Marketplace cloud apps. These changes ensure a higher security standard across our ecosystem.

What’s changing
The remediation Service Level Objectives (SLOs) for Marketplace cloud apps are being shortened. The timelines for Data Center apps remain unchanged.

Updated Cloud App SLOs (Enforceable September 1, 2026):

• Critical: 10 days

• High: 4 weeks

• Medium: 12 weeks

• Low: 25 weeks

Data Center App SLOs (Unchanged):

• Critical: 12 weeks

• High: 12 weeks

• Medium: 12 weeks

• Low: 25 weeks

Additionally, we have published the Marketplace Security Enforcement Policy, a consolidated source of truth for marketplace security compliance expectations, including vulnerability management, OAuth compliance, partner verification, bug bounty participation, and incident response.

What you need to do

• Review the new timelines: Ensure your internal processes are updated to meet the new cloud app SLOs by September 1, 2026.

• Check your tickets: We have corrected an issue where some AMS Data Center tickets incorrectly showed cloud remediation dates. If you believe a ticket still has an incorrect date, please raise an ECOHELP ticket.

• Watch the policy page: The Marketplace Security Enforcement Policy is a living document, we recommend "watching" the page for future updates.

We've introduced the Tile component for Forge UI Kit apps, now available in Preview. The Tile component is a rounded square container for displaying assets like emojis, or objects in a consistent, styled way.

The component supports various sizes (from 16px to 48px), customizable background colors using design tokens, optional borders, and adjustable internal padding for different asset types including third-party logos.

For implementation details and examples, see the Tile component documentation.

SSH access to Bitbucket Cloud repositories via bitbucket.org will be removed after approximately six months. SSH traffic is being separated from HTTPS traffic to enable enhanced security protections on Bitbucket's public web and API endpoints.

Customers who use Git over SSH must update their remote URLs to use ssh.bitbucket.org instead of bitbucket.org. HTTPS access to bitbucket.org is not affected by this change.

To maintain system stability as our usage scales, we updated Bitbucket Pipelines to only detect the [skip ci] or [ci skip] label within the first 200 characters of a commit message. This means pipelines won’t be skipped if the label appears further in a long message.

To ensure your builds are intentionally skipped, place the label near the start of your commit message, ideally in the subject line. Manual runs are not affected by this change.

For details, read
https://support.atlassian.com/bitbucket-cloud/kb/how-to-skip-triggering-an-automatic-pipeline-build-using-skip-ci-label/.

What’s changing
We’ve introduced a new Bitbucket REST API endpoint that allows a Forge app to retrieve the clientKey of its linked Connect app installation.

This endpoint supports the migration process from Connect to Forge. By retrieving the clientKey, the installed Forge app can identify the equivalent Connect app installation, enabling you to perform data migration or cleanup tasks effectively.

What you need to do
To use this endpoint, ensure you have configured the linkage between your Connect and Forge apps.

• Add the forgeAppId key to your Connect app descriptor.

• Use the new endpoint to fetch the clientKey during your app's migration logic.

We are deprecating the Bitbucket Cloud legacy code search API endpoints effective May 1, 2026, with full removal on November 1, 2026.

The following endpoints are being decommissioned and will be removed on November 1, 2026:

• GET /2.0/repositories/{workspace}/{repo_slug}/search/code — Repository-level code search

• GET /2.0/workspaces/{workspace}/search/code — Workspace-level code search

We are actively working on the new API which will be released ahead of the removal.

As shared in our https://developer.atlassian.com/cloud/bitbucket/changelog/#CHANGE-3052, Bitbucket Cloud will fully deprecate / change behaviour for a small set of OAuth2 features on May 4, 2026. To help teams identify and migrate any remaining usage ahead of the enforcement date, we will run a series of controlled brownouts starting Apr 20, 2026, for two weeks, after which the functionality will be fully removed on May 4, 2026.

During each brownout window:

• All OAuth authenticated requests directed at www.bitbucket.org will fail with an HTTP 401 error code

• All OAuth authenticated requests which provide the OAuth access token in the access_token query parameters / POST body will fail with an HTTP 401 error code

• The Client credentials grant flow will not issue refresh tokens in their token response.

• OAuth token response payloads will return “scope"  instead of “scopes" (See notes)

Notes:

• The minting of OAuth2 access tokens should always be made to https://bitbucket.org/site/oauth2/access_token. Bitbucket’s API does not mount these urls under the api subdomain.

• In the week beginning Apr 12, 2026 the scope property will be returned alongside the scopes property, allowing time to onboard prior to the start of the brownout.

You can now nominate genuine migration blockers or major customer‑impact risks via the “Request review” flow on FRGE issues.

This flow will allow us to triage and assess requests to address remaining blockers to Forge migration before Connect end of support in December 2026. We’ll review requests over 3 monthly cycles, then freeze decisions.

Please review for existing tickets before creating new FRGE tickets. You may also review the announcement.

We've introduced three new Forge triggers for Bitbucket deployment events. These triggers allow your Forge app to respond to deployment lifecycle events in Bitbucket Pipelines.

The new triggers are:

• avi:bitbucket:pending:deployment — Fires when a deployment is pending

• avi:bitbucket:started:deployment — Fires when a deployment starts

• avi:bitbucket:completed:deployment — Fires when a deployment completes

To use these triggers, add them to the trigger section of your app's manifest.yml file. Each trigger provides deployment event data including environment, state, and pipeline details.

For more information, see Bitbucket events.

Following this deprecation announcement on Feb 17, 2026, the Connect Inspector Service is now decommissoned.

We recommend migrating to Atlassian Forge for a more robust Events model, as Atlassian Connect will reach end of support in December 2026.

Developers who still need similar functionality can use the open‑sourced version of the tool.