How do I Find the Owner of a BitBucket API Key?

tl;dr If a BitBucket API key has the account scope, use BitBucket's /user API endpoint to retrieve the owner's details (email, name, etc.). If the key lacks this scope, infer ownership by using TruffleHog to query repository metadata.

Identifying the Owner of a BitBucket API Key

BitBucket provides an API endpoint to fetch user details, but there’s a catch: it requires the account scope. If your key includes this scope, identifying the owner is straightforward.

Using the /user Endpoint

If your API key has the necessary permissions, run the following cURL command to retrieve user details:


curl --request GET \
  --url 'https://api.bitbucket.org/2.0/user' \
  --header 'Authorization: Bearer <access_token>' \
  --header 'Accept: application/json'


Expected results:


{
  "display_name": "<string>"
}


The display_name field returns the user’s name. To retrieve their email address, send a second request to the /2.0/user/emails endpoint, which requires the email scope.

Inferring the Key Owner Without the account Scope

If the API key lacks the account scope, direct user identification is impossible. Instead, you can infer ownership by querying repository metadata, which requires the repository scope. This process is tedious, but TruffleHog automates it by sending the API queries and extracting the relevant metadata.

Using TruffleHog’s BitBucket Analyzer

Run the following command:


trufflehog analyze bitbucket


You'll be prompted to enter the API key.

How TruffleHog’s BitBucket Analyzer Works

  • Authenticates to BitBucket.

  • Queries repositories where the user is a member, owner, admin, or contributor.

  • Extracts repository metadata to help security teams determine ownership.

Manually Inferring Key Ownership Details

If you prefer a manual approach, query BitBucket’s API for repository metadata.


curl --request GET \
  --url 'https://api.bitbucket.org/2.0/repositories' \
  --header 'Authorization: Bearer <access_token>'


Depending on the account’s size, pagination may be required to retrieve all accessible repositories.

Look at the following fields to infer ownership:

  • full_name

  • name

  • project['name']

  • workspace['name']

  • owner['username']
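The two steps above (the direct /user lookup, and the repository-metadata fallback when the account scope is missing) can be chained into one scope-aware script. The following is an added example written for this page, not TruffleHog's analyzer code or Bitbucket's SDK: it tries /2.0/user first, and if that is refused it pages through /2.0/repositories following the `next` links and tallies the workspace, project and owner fields so the most common values surface as the likely owner. The `role=member` and `pagelen` query parameters are real Bitbucket API parameters; the environment variable name BITBUCKET_TOKEN and the result dictionary shape are this example's own conventions, and the fallback from owner['username'] to nickname/display_name handles repositories owned by a user rather than a workspace.

```python
"""Scope-aware owner lookup for a Bitbucket Cloud access token.

Added example written for this page; it is not TruffleHog's analyzer code.
It follows the article's two steps: try GET /2.0/user first (needs the
`account` scope) and, when that is refused, page through GET /2.0/repositories
(needs the `repository` scope) and tally the workspace / project / owner
fields so the most common values surface as the likely key owner.
Standard library only. Set BITBUCKET_TOKEN in the environment to run it live.
"""
import json
import os
import urllib.error
import urllib.request
from collections import Counter

API = "https://api.bitbucket.org/2.0"


def get_json(url, token):
    """GET a Bitbucket API URL; returns (http_status, parsed_body_or_None)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # 401: bad or expired token; 403: token lacks the scope for this endpoint.
        return err.code, None


def lookup_account(token, fetch=get_json):
    """Step 1: direct lookup via /user. Returns the user object, or None when refused."""
    status, body = fetch(f"{API}/user", token)
    return body if status == 200 and isinstance(body, dict) else None


def iter_repositories(token, fetch=get_json):
    """Step 2: yield every repository the token's user is a member of.

    Bitbucket pages results: each page carries a `values` list and, until the
    last page, a `next` URL. `role=member` keeps the listing to repositories
    the authenticated user belongs to rather than all public repositories.
    """
    url = f"{API}/repositories?role=member&pagelen=100"
    while url:
        status, page = fetch(url, token)
        if status != 200 or not isinstance(page, dict):
            return
        yield from page.get("values", [])
        url = page.get("next")


def tally_ownership(repos):
    """Count the fields the article lists; returns sorted (value, count) lists per field."""
    tally = {"workspace": Counter(), "project": Counter(), "owner": Counter()}
    for repo in repos:
        workspace = repo.get("workspace") or {}
        project = repo.get("project") or {}
        owner = repo.get("owner") or {}
        tally["workspace"][workspace.get("slug") or workspace.get("name")] += 1
        tally["project"][project.get("name")] += 1
        # `username` is populated for workspace owners; user owners expose
        # `nickname` / `display_name` instead, so fall back in that order.
        tally["owner"][owner.get("username") or owner.get("nickname")
                       or owner.get("display_name")] += 1
    return {field: [(value, n) for value, n in counter.most_common() if value]
            for field, counter in tally.items()}


def attribute_key(token, fetch=get_json):
    """Run the article's workflow: direct lookup first, metadata inference as fallback."""
    user = lookup_account(token, fetch)
    if user:
        return {"method": "direct", "display_name": user.get("display_name"),
                "uuid": user.get("uuid")}
    evidence = tally_ownership(iter_repositories(token, fetch))
    # "unknown" means neither the account nor the repository scope was usable.
    method = "inferred" if any(evidence.values()) else "unknown"
    return {"method": method, "evidence": evidence}


if __name__ == "__main__":
    token = os.environ.get("BITBUCKET_TOKEN")
    if not token:
        raise SystemExit("set BITBUCKET_TOKEN to the key under investigation")
    print(json.dumps(attribute_key(token), indent=2))
```

The `fetch` parameter exists so the HTTP layer can be swapped for recorded responses when testing or when working from API output captured during an incident; in the "inferred" case, the evidence lists are ranked by frequency, so a single workspace or owner appearing across every repository is the strongest attribution signal, while a spread across several workspaces means the key belongs to a user with broad membership and needs the manual follow-up the article describes.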

What if I don’t have the repository scope?

Without the repository scope, ownership inference becomes more difficult. You'll need to:

  1. Identify all permissions available to the API key.

  2. Parse the BitBucket API documentation.

  3. Send one-off cURL requests based on available permissions.

To simplify this process, run:


trufflehog analyze bitbucket


This automatically identifies the API key’s permissions and scopes. From there, consult the BitBucket API docs to determine which endpoints those scopes unlock and how their responses can be used to infer ownership.

Why This Matters

Leaked BitBucket API keys pose a significant security risk, potentially exposing private repositories and sensitive data. Security teams should:

  • Immediately rotate exposed keys.

  • Audit repository access and project associations.

  • Use TruffleHog to streamline key attribution and detection.


For more details, check out the TruffleHog BitBucket Analyzer Code.