Changelog

What’s changing
We’ve introduced a new Bitbucket REST API endpoint that allows a Forge app to retrieve the clientKey of its linked Connect app installation.

This endpoint supports the migration process from Connect to Forge. By retrieving the clientKey, the installed Forge app can identify the equivalent Connect app installation, enabling you to perform data migration or cleanup tasks effectively.

What you need to do
To use this endpoint, ensure you have configured the linkage between your Connect and Forge apps.

• Add the forgeAppLink key to your Connect app descriptor.

• Use the new endpoint to fetch the clientKey during your app's migration logic.

We are deprecating the Bitbucket Cloud legacy code search API endpoints effective May 1, 2026, with full removal on November 1, 2026.

The following endpoints are being decommissioned and will be removed on November 1, 2026:

• GET /2.0/repositories/{workspace}/{repo_slug}/search/code — Repository-level code search

• GET /2.0/workspaces/{workspace}/search/code — Workspace-level code search

We are actively working on the new API which will be released ahead of the removal.

As shared in our https://developer.atlassian.com/cloud/bitbucket/changelog/#CHANGE-3052, Bitbucket Cloud will fully deprecate / change behaviour for a small set of OAuth2 features on May 4, 2026. To help teams identify and migrate any remaining usage ahead of the enforcement date, we will run a series of controlled brownouts starting Apr 20, 2026, for two weeks, after which the functionality will be fully removed on May 4, 2026.

During each brownout window:

• All OAuth authenticated requests directed at www.bitbucket.org will fail with an HTTP 401 error code

• All OAuth authenticated requests which provide the OAuth access token in the access_token query parameters / POST body will fail with an HTTP 401 error code

• The Client credentials grant flow will not issue refresh tokens in their token response.

• OAuth token response payloads will return “scope"  instead of “scopes" (See notes)

Notes:

• The minting of OAuth2 access tokens should always be made to https://bitbucket.org/site/oauth2/access_token. Bitbucket’s API does not mount these urls under the api subdomain.

• In the week beginning Apr 12, 2026 the scope property will be returned alongside the scopes property, allowing time to onboard prior to the start of the brownout.

You can now nominate genuine migration blockers or major customer‑impact risks via the “Request review” flow on FRGE issues.

This flow will allow us to triage and assess requests to address remaining blockers to Forge migration before Connect end of support in December 2026. We’ll review requests over 3 monthly cycles, then freeze decisions.

Please review for existing tickets before creating new FRGE tickets. You may also review the announcement.

We've introduced three new Forge triggers for Bitbucket deployment events. These triggers allow your Forge app to respond to deployment lifecycle events in Bitbucket Pipelines.

The new triggers are:

• avi:bitbucket:pending:deployment — Fires when a deployment is pending

• avi:bitbucket:started:deployment — Fires when a deployment starts

• avi:bitbucket:completed:deployment — Fires when a deployment completes

To use these triggers, add them to the trigger section of your app's manifest.yml file. Each trigger provides deployment event data including environment, state, and pipeline details.

For more information, see Bitbucket events.

Following this deprecation announcement on Feb 17, 2026, the Connect Inspector Service is now decommissoned.

We recommend migrating to Atlassian Forge for a more robust Events model, as Atlassian Connect will reach end of support in December 2026.

Developers who still need similar functionality can use the open‑sourced version of the tool.

As shared in our https://developer.atlassian.com/cloud/bitbucket/changelog/#CHANGE-2887, Bitbucket Cloud will fully deprecate support for OAuth 1.0 and implicit grant flows on Feb 27, 2026. To help teams identify and migrate any remaining usage ahead of the enforcement date, we will run a series of controlled brownouts starting Feb 28, 2026, for two weeks, after which the functionality will be fully removed on Mar 14, 2026.

During each brownout window:

• All requests to generate OAuth 1.0 or implicit grant access tokens will fail with an HTTP 400 error code.

• All requests authenticated with existing OAuth 1.0 or implicit grant access tokens will fail with an HTTP 401 error code.

As shared in our previous announcement, Bitbucket Cloud will fully sunset the cross-workspace APIs on April 14, 2026. We had previously communicated an earlier date but have decided to postpone this due to feedback from our partners.

To see the full list of affected APIs and the corresponding alternative APIs that we suggest transitioning to, please follow the “More details” section of this prior announcement. Based on feedback, we have also released a new API that allows you to list repository permissions in a workspace for a user.

To help teams identify and migrate any remaining usage ahead of the enforcement date, we will run a series of controlled brownouts starting March 23, 2026, for three weeks. During each brownout window, requests using the old cross-workspace APIs will be rejected, and affected endpoints will return a 410 Gone error. If you have made the switch to the new APIs, announced here, then you will not be impacted during the brownouts.

As part of our wider announcement for deprecation of native Bitbucket Cloud Issues and Wikis, we will be removing API endpoints that support Issue Tracker in mid-August, 2026.

Expand the More Details view below to see the full list of endpoints being removed.

We are introducing baseline security requirements for Atlassian Government Cloud (AGC) apps, which will take effect on Mar 31, 2026. If you have any questions regarding these new standards, please contact us here: https://ecosystem.atlassian.net/servicedesk/customer/portal/34/group/109/create/579

We’re also publishing our annual update to the general Cloud App Security Requirements for 2026, which includes new provisions for AI security, data protection, and supply chain security. See More details for highlights on this update.

We've introduced two new components to UI Kit, now available in Preview: AtlassianTile and AtlassianIcon. Use these components to display Atlassian object type icons—such as stories, tasks, epics, blogs, and more—with consistent styling that aligns with the Atlassian Design System.

Both components provide fixed color, size, and styling options for Atlassian object types. Any updates to icon or tile styling in the Atlassian Design System are automatically reflected in your app.

For implementation details and examples, see the Atlassian icon and Atlassian tile component documentation.

The Connect Inspector service is moving to open source and also being deprecated. This service will no longer allow the creation of new temporary apps. Already registered temporary apps will stop recording new events, and old events will be deleted. Any apps already installed on developer sites will not be uninstalled.

We’ve added a new rovo.isEnabled method to the Forge UI bridge API. This method returns a boolean indicating whether Rovo is enabled for the tenant. You can use it alongside the existing rovo.open method to conditionally invoke Rovo only when it’s available.

For more information, see the updated documentation for the Rovo bridge methods.

We've added optional height and width properties to the Frame component in UI Kit. Apps can now set explicit dimensions in pixels or percentages, instead of relying on automatic resizing. This gives you more control over your app's layout.

For more information, see the updated documentation for the Frame component.

As part of end of support for Connect app, we will be deprecating addon linkers APIs.

On May 7, 2026 we will be removing the following endpoints:

1. GET /2.0/addon/linkers

2. GET /2.0/addon/linkers/{linker_key}

3. GET /2.0/addon/linkers/{linker_key}/values

4. PUT /2.0/addon/linkers/{linker_key}/values

5. POST /2.0/addon/linkers/{linker_key}/values

6. DEL /2.0/addon/linkers/{linker_key}/values

7. GET /2.0/addon/linkers/{linker_key}/values/{value_id}

8. DEL /2.0/addon/linkers/{linker_key}/values/{value_id}