How do I Find the Owner of a BitBucket API Key?
tl;dr If a BitBucket API key has the account scope, use BitBucket's /user API endpoint to retrieve the owner's details (email, name, etc.). If the key lacks this scope, infer ownership by using TruffleHog to query repository metadata.
Identifying the Owner of a BitBucket API Key
BitBucket provides an API endpoint to fetch user details, but there’s a catch: it requires the account
scope. If your key includes this scope, identifying the owner is straightforward.
Using the /user
Endpoint
If your API key has the necessary permissions, run the following cURL command to retrieve user details:
Expected results:
The display_name
field will return the user’s name. To retrieve their email address, send an additional request to the user’s emails API endpoint.
Inferring the Key Owner Without the account
Scope
If the API key lacks the account
scope, direct user identification is impossible. Instead, you can infer ownership by querying repository metadata - this requires the repository
scope. This process is tedious, but TruffleHog automates it by sending API queries and extracting relevant metadata.
Using TruffleHog’s BitBucket Analyzer
Run the following command:
You'll be prompted to enter the API key.
IMAGE
How TruffleHog’s BitBucket Analyzer Works
Authenticates to BitBucket.
Queries repositories where the user is a
member
,owner
,admin
, orcontributor
.Extracts repository metadata to help security teams determine ownership.
Manually Inferring Key Ownership Details
If you prefer a manual approach, query BitBucket’s API for repository
metadata.
Depending on the account’s size, pagination may be required to retrieve all accessible repositories.
Look at the following fields to infer ownership:
full_name
name
project[‘name’]
workspace[‘name’]
owner[‘username’]
What if I don’t have the repository
scope?
Without the repository
scope, ownership inference becomes more difficult. You'll need to:
Identify all permissions available to the API key.
Parse the BitBucket API documentation.
Send one-off cURL requests based on available permissions.
To simplify this process, run:
This will automatically identify the API key’s permissions and scopes. From there, consult the BitBucket API docs to determine how to infer ownership.
Why This Matters
Leaked BitBucket API keys pose a significant security risk, potentially exposing private repositories and sensitive data. Security teams should:
Immediately rotate exposed keys.
Audit repository access and project associations.
Use TruffleHog to streamline key attribution and detection.
For more details, check out the TruffleHog BitBucket Analyzer Code.
STAY STRONG
DIG DEEP
DOING IT THE RIGHT WAY
SINCE 2021
© 2025 Truffle Security Co.