Bitbucket "Invalid credentials" / Repository Access Denied
A step tried to access a repository or registry and the credentials were rejected. An app password, access token, or SSH key is missing, expired, or lacks the required scope.
What this error means
A clone, push, or registry login fails with an authentication error - "Invalid credentials", "Authentication failed", or HTTP 401/403. The build itself is fine; the credential is the problem.
remote: Invalid credentials
fatal: Authentication failed for 'https://bitbucket.org/team/other-repo.git/'Common causes
Missing or expired credential
An app password / access token referenced via a repository variable is unset, expired, or was rotated, so authentication fails.
Insufficient scope or wrong key
The credential authenticates but lacks the permission needed (e.g. read but not write to another repo), or an SSH key is not configured for the target.
How to fix it
Provide credentials via secured variables
Store the token as a secured repository/workspace variable and reference it in the step, never hard-coded.
script:
- git clone https://x-token-auth:$ACCESS_TOKEN@bitbucket.org/team/other-repo.gitCheck scope, expiry, and SSH keys
- Confirm the app password/token has the required scopes (e.g. repository write).
- Regenerate it if it has expired or was revoked, and update the variable.
- For SSH access, add the Pipelines SSH key to the target repo’s access keys.
How to prevent it
- Store credentials as secured variables, not in the repo.
- Grant the minimum scope each step needs.
- Rotate tokens on a schedule and update the variables when you do.