Skip to content
Latchkey

Bitbucket "Invalid credentials" / Repository Access Denied

A step tried to access a repository or registry and the credentials were rejected. An app password, access token, or SSH key is missing, expired, or lacks the required scope.

What this error means

A clone, push, or registry login fails with an authentication error - "Invalid credentials", "Authentication failed", or HTTP 401/403. The build itself is fine; the credential is the problem.

Bitbucket log
remote: Invalid credentials
fatal: Authentication failed for 'https://bitbucket.org/team/other-repo.git/'

Common causes

Missing or expired credential

An app password / access token referenced via a repository variable is unset, expired, or was rotated, so authentication fails.

Insufficient scope or wrong key

The credential authenticates but lacks the permission needed (e.g. read but not write to another repo), or an SSH key is not configured for the target.

How to fix it

Provide credentials via secured variables

Store the token as a secured repository/workspace variable and reference it in the step, never hard-coded.

bitbucket-pipelines.yml
script:
  - git clone https://x-token-auth:$ACCESS_TOKEN@bitbucket.org/team/other-repo.git

Check scope, expiry, and SSH keys

  1. Confirm the app password/token has the required scopes (e.g. repository write).
  2. Regenerate it if it has expired or was revoked, and update the variable.
  3. For SSH access, add the Pipelines SSH key to the target repo’s access keys.

How to prevent it

  • Store credentials as secured variables, not in the repo.
  • Grant the minimum scope each step needs.
  • Rotate tokens on a schedule and update the variables when you do.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →