The 'App password required. Your account has 2FA enabled' error occurs when pushing to Bitbucket with two-factor authentication enabled. Bitbucket requires an App Password instead of your regular account password for Git operations when 2FA is active.
This error indicates that Bitbucket has rejected your authentication attempt because your account has two-factor authentication (2FA) enabled. When 2FA is active, Bitbucket blocks regular password authentication for Git operations over HTTPS, requiring you to use an App Password instead.

App Passwords are special tokens designed specifically for authenticating third-party applications and Git clients when 2FA is enabled. They provide a secure way to grant access without exposing your main account password or requiring 2FA codes for every Git operation.

This security measure protects your account by:

1. **Separating authentication concerns** - App Passwords can be revoked individually without changing your main password
2. **Limiting scope** - Each App Password can have restricted permissions
3. **Enabling automation** - CI/CD pipelines and scripts can authenticate without interactive 2FA prompts
4. **Maintaining 2FA protection** - Your account stays protected while allowing programmatic access

Since 2FA is enabled, you need to create an App Password to authenticate Git operations:
1. Log in to [bitbucket.org](https://bitbucket.org) in your browser
2. Click your profile avatar in the bottom left corner
3. Select Personal settings
4. Under "Access management", click App passwords
5. Click Create app password
6. Enter a descriptive label (e.g., "Git CLI", "Work Laptop", "CI Pipeline")
7. Select the required permissions:
   - Repositories: Read, Write (for push/pull operations)
   - Account: Read (optional, for profile access)
8. Click Create
9. Copy the generated password immediately - you won't be able to see it again!
Minimum permissions for git operations:
- Repositories: Read - for clone, fetch, pull
- Repositories: Write - for push
Store the App Password securely in a password manager.
Remove old credentials from your system so Git prompts for new ones:
Windows (Credential Manager):
```cmd
# Open Credential Manager
control /name Microsoft.CredentialManager
# Or via command line - delete Bitbucket credentials
cmdkey /delete:git:https://bitbucket.org
```

Look under "Windows Credentials" for entries containing bitbucket.org and remove them.
macOS (Keychain):
```bash
# Remove Bitbucket credentials from Keychain
# (the helper reads key=value lines on stdin, ended by a blank line)
printf 'protocol=https\nhost=bitbucket.org\n\n' | git credential-osxkeychain erase
```

Or open the Keychain Access app, search for "bitbucket", and delete the entries.
Linux:
```bash
# If using Git Credential Manager
# (the request is key=value lines on stdin, ended by a blank line)
printf 'protocol=https\nhost=bitbucket.org\n\n' | git credential reject
# If using ~/.git-credentials file
# Edit and remove bitbucket.org lines
nano ~/.git-credentials
# If using GNOME Keyring
secret-tool clear server bitbucket.org
```

Now use your App Password instead of your account password:

```
# When Git prompts for credentials:
git push origin main
Username: your-bitbucket-username
Password: <paste your App Password here>
```

Important: Use your Bitbucket username (the one in your profile URL), not your email address.
Configure credential storage:
```bash
# Cache credentials in memory (15 minutes default)
git config --global credential.helper cache
# Cache for 1 hour
git config --global credential.helper 'cache --timeout=3600'
# Store permanently, in plain text in ~/.git-credentials (less secure but convenient)
git config --global credential.helper store
# On macOS, use Keychain
git config --global credential.helper osxkeychain
# On Windows, use Credential Manager
git config --global credential.helper manager
```

After configuring a credential helper, run your git command once, enter your username and App Password, and it will be stored for future use.
For automation or CI/CD, you can embed the App Password in the URL:
```bash
# Check current remote URL
git remote -v
# Update remote URL with credentials
git remote set-url origin https://USERNAME:APP_PASSWORD@bitbucket.org/WORKSPACE/REPO.git
# Example (APP_PASSWORD stands for the generated App Password)
git remote set-url origin https://johndoe:APP_PASSWORD@bitbucket.org/myteam/my-repo.git
```

Security warning: This stores credentials in plain text in .git/config. Only use this for:
- Private CI/CD environments
- Local development machines you control
- Scripts that need non-interactive access
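
An audit for the plain-text exposure described in the warning above, as an added example rather than code from the original page: it lists remotes whose URL embeds a secret and rewrites them to keep only the username, so the configured credential helper supplies the App Password. The function names are hypothetical.

```shell
# Added example: audit Git remotes for secrets embedded in the URL.
# Function names are hypothetical, not part of Git or Bitbucket.

# Succeed if the URL has a password in its userinfo (scheme://user:secret@host/...).
has_embedded_secret() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9+.-]*://[^/@:]+:[^/@]+@'
}

# Print the URL with the secret removed and the username kept.
strip_secret() {
  printf '%s\n' "$1" | sed -E 's#^([a-z][a-z0-9+.-]*://[^/@:]+):[^/@]+@#\1@#'
}

# Print "<remote><TAB><sanitized url>" for every remote of a repository whose
# URL embeds a secret. Only the sanitized form is printed, so the secret does
# not reach terminal scrollback or CI logs.
audit_repo() {
  repo=${1:-.}
  git -C "$repo" config --get-regexp '^remote\..*\.url$' |
  while read -r key url; do
    if has_embedded_secret "$url"; then
      name=${key#remote.}
      name=${name%.url}
      printf '%s\t%s\n' "$name" "$(strip_secret "$url")"
    fi
  done
}

# Rewrite each affected remote; afterwards Git asks the configured credential
# helper for the App Password instead of reading it from .git/config.
fix_repo() {
  repo=${1:-.}
  audit_repo "$repo" | while IFS="$(printf '\t')" read -r name clean; do
    git -C "$repo" remote set-url "$name" "$clean"
  done
}

# Usage: audit_repo /path/to/clone    then    fix_repo /path/to/clone
```

An App Password that has been sitting in .git/config should be treated as exposed: revoke it and create a new one.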
Better approach for CI/CD - use environment variables:
```bash
# In your CI/CD pipeline
git remote set-url origin "https://${BITBUCKET_USER}:${BITBUCKET_APP_PASSWORD}@bitbucket.org/${WORKSPACE}/${REPO}.git"
```

In Bitbucket Pipelines, you can use repository variables to store credentials securely.
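
`git remote set-url` expands the variables and writes the resulting URL, secret included, into .git/config on the build agent. An alternative that hands the values to Git only when it asks for them, as an added example rather than code from the original page (`ENV_HELPER` and `git_with_env_credentials` are hypothetical names; the two variables are the ones used above):

```shell
# Added example: supply the App Password from the environment through an
# inline credential helper, so it is never written to .git/config.

# A helper value starting with "!" is run by Git through the shell with the
# action (get, store or erase) appended as its argument. This one answers
# "get" from the environment and ignores "store" and "erase".
ENV_HELPER='!f() { [ "$1" = get ] || return 0; printf "username=%s\npassword=%s\n" "$BITBUCKET_USER" "$BITBUCKET_APP_PASSWORD"; }; f'

# Run any git command with that helper.
#  - the empty credential.helper resets helpers inherited from system or
#    global config, so nothing on the agent caches or stores the secret
#  - the helper is scoped to https://bitbucket.org, so the App Password is
#    not offered to any other host (for example a submodule hosted elsewhere)
git_with_env_credentials() {
  # Fail closed when a variable is missing instead of falling back to a prompt.
  : "${BITBUCKET_USER:?set BITBUCKET_USER}"
  : "${BITBUCKET_APP_PASSWORD:?set BITBUCKET_APP_PASSWORD}"
  git -c credential.helper= \
      -c "credential.https://bitbucket.org.helper=$ENV_HELPER" \
      "$@"
}

# Usage in a pipeline step; the remote URL carries no credentials:
#   git remote set-url origin "https://bitbucket.org/${WORKSPACE}/${REPO}.git"
#   git_with_env_credentials push origin main
```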
SSH keys provide a more secure alternative that doesn't require App Passwords:
Generate an SSH key:
```bash
# Generate new SSH key
ssh-keygen -t ed25519 -C "your_email@example.com"
# Or RSA if ed25519 is not supported
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# Start SSH agent
eval "$(ssh-agent -s)"
# Add key to agent
ssh-add ~/.ssh/id_ed25519
```

Add the public key to Bitbucket:

```bash
# Copy your public key
cat ~/.ssh/id_ed25519.pub
# Copy the output
```

1. Go to Bitbucket > Personal settings > SSH keys
2. Click Add key
3. Paste your public key and save
Update your remote URL to use SSH:
```bash
# Change from HTTPS to SSH
git remote set-url origin git@bitbucket.org:WORKSPACE/REPO.git
# Example
git remote set-url origin git@bitbucket.org:myteam/my-repo.git
# Verify the change
git remote -v
# Test SSH connection
ssh -T git@bitbucket.org
```

You should see: "authenticated via ssh key" with your username.
If you're using a Git GUI like SourceTree, you need to update credentials there as well:
SourceTree:
1. Go to Tools > Options (Windows) or SourceTree > Preferences (macOS)
2. Click the Authentication tab
3. Find or add your Bitbucket account
4. For HTTPS: Use your App Password as the password
5. For SSH: Ensure your SSH key is loaded
VS Code:
1. When prompted, enter your username and App Password
2. VS Code will store credentials using your system's credential manager
IntelliJ IDEA / JetBrains IDEs:
1. Go to Settings > Version Control > Git
2. Under SSH executable, ensure it's configured correctly
3. For HTTPS, update saved passwords in the system credential manager
Git Credential Manager (GCM):
```bash
# If using GCM, it will prompt for re-authentication
git fetch
# Or manually clear and re-authenticate
# (the request is key=value lines on stdin, ended by a blank line)
printf 'protocol=https\nhost=bitbucket.org\n\n' | git credential-manager erase
```

If authentication still fails, check that your App Password has the required permissions:
1. Go to Bitbucket > Personal settings > App passwords
2. Review the permissions granted to your App Password
3. If needed, create a new App Password with correct permissions
Required permissions by operation:
| Operation | Required Permissions |
|-----------|---------------------|
| Clone | Repositories: Read |
| Pull/Fetch | Repositories: Read |
| Push | Repositories: Read, Write |
| Create branches | Repositories: Read, Write |
| Delete branches | Repositories: Read, Write, Admin |
| Manage webhooks | Webhooks: Read, Write |
| Access Pipelines | Pipelines: Read, Write |
If you've lost access to an App Password:
- You cannot view existing App Passwords
- Create a new one and update your credentials
- Revoke old App Passwords you no longer use
Workspace-level restrictions:
Some workspaces may have IP allowlists or additional restrictions. Contact your workspace administrator if you have correct permissions but still can't authenticate.
### Managing Multiple App Passwords
Create separate App Passwords for different purposes:
- Development laptop - Full repository access
- CI/CD pipeline - Read/Write only
- Backup script - Read only
- IDE integration - Read/Write
This way, you can revoke access for one use case without affecting others.
### Bitbucket Pipelines
For Bitbucket Pipelines, you often don't need App Passwords because it provides built-in authentication:
```yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        script:
          # Clone other repos using built-in token
          - git clone https://x-token-auth:${REPOSITORY_OAUTH_ACCESS_TOKEN}@bitbucket.org/workspace/repo.git
```

For cross-repository access, use Repository Variables to store App Passwords securely.
### Workspace Access Tokens (for Automation)
For organization-wide automation, consider using Workspace Access Tokens instead of personal App Passwords:
1. Go to Workspace settings > Access tokens
2. Create a token with required permissions
3. The token belongs to the workspace, not a personal account
This prevents issues when team members leave or change accounts.
### Troubleshooting SSH Issues
If SSH isn't working after setup:
```bash
# Test SSH connection with verbose output
ssh -vT git@bitbucket.org
# Check if SSH agent has your key
ssh-add -l
# If key not loaded
ssh-add ~/.ssh/id_ed25519
# On macOS, add to Keychain
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
# Check SSH config
cat ~/.ssh/config
```

Recommended SSH config for Bitbucket:

```
# ~/.ssh/config
Host bitbucket.org
    HostName bitbucket.org
    User git
    IdentityFile ~/.ssh/id_ed25519
    AddKeysToAgent yes
```

### Two-Factor Authentication Recovery
If you're locked out of 2FA:
1. Use recovery codes if you saved them
2. Contact Bitbucket support with account verification
3. Consider adding a backup 2FA method (authenticator app + phone number)
### Debugging Authentication
```bash
# Enable Git debugging
GIT_CURL_VERBOSE=1 git fetch 2>&1
# Check what credential helper is being used
git config --get credential.helper
# List all credential-related config
git config --list | grep credential
# Test credentials manually (prints the stored password to the terminal)
# git credential needs both protocol and host, ended by a blank line
printf 'protocol=https\nhost=bitbucket.org\n\n' | git credential fill
```

### App Password Best Practices
1. Use descriptive labels - "MacBook Pro 2023", "Jenkins CI", "Backup Server"
2. Minimum permissions - Only grant what's needed
3. Regular rotation - Create new passwords periodically
4. Revoke unused - Delete App Passwords you no longer need
5. Never share - Create separate passwords for each person/service
6. Store securely - Use a password manager, not plain text files