docs/batch-changes: add Bitbucket Server and Cloud OAuth credential documentation

BolajiOlajide · BolajiOlajide · commit 3267a3662a4a · 2026-03-30T13:14:23.000+01:00
diff --git a/docs/batch-changes/configuring-credentials.mdx b/docs/batch-changes/configuring-credentials.mdx
@@ -258,6 +258,8 @@ Batch Changes require the access token to have the `write` permission on both pr
 
 ![bb-token](https://sourcegraphstatic.com/docs/images/batch_changes/bb-token.png)
 
+Alternatively, you can use [Bitbucket Server OAuth](#bitbucket-server-oauth) to authenticate without manually creating a token.
+
 ### Bitbucket Cloud
 
 On Bitbucket, follow the steps to [create an app password](https://support.atlassian.com/bitbucket-cloud/docs/app-passwords/). Batch Changes requires the following scopes:
@@ -270,6 +272,8 @@ On Bitbucket, follow the steps to [create an app password](https://support.atlas
 
 ![bb-cloud](https://sourcegraphstatic.com/docs/images/batch_changes/bb-cloud-app-password.png)
 
+Alternatively, you can use [Bitbucket Cloud OAuth](#bitbucket-cloud-oauth) to authenticate without manually creating an app password.
+
 ### Azure DevOps
 
 Follow the steps to [create a PAT](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows#create-a-pat) on Azure DevOps. Batch Changes requires the following scopes:
@@ -373,3 +377,90 @@ To remove a GitHub app from your Sourcegraph instance, navigate back to the same
 </video>
 
 If you want to delete the GitHub app entirely, you have to navigate to [GitHub's list of applications](https://github.com/settings/apps/) and delete it from there.
+
+## Bitbucket OAuth
+
+Sourcegraph supports OAuth-based authentication for Batch Changes with both Bitbucket Server (Data Center) and Bitbucket Cloud. This allows users to authorize Batch Changes to act on their behalf using OAuth instead of manually creating personal access tokens or app passwords.
+
+<Callout type="note">
+	Bitbucket OAuth for Batch Changes requires a site administrator to first configure a Bitbucket
+	[authentication provider](/admin/auth) in Sourcegraph. The same auth provider used for SSO sign-in
+	is reused for Batch Changes — no additional provider configuration is needed.
+</Callout>
+
+### Bitbucket Server OAuth
+
+#### Prerequisites
+
+A Sourcegraph site administrator must configure a [Bitbucket Server authentication provider](/admin/auth#bitbucket-server). If your instance already uses Bitbucket Server for sign-in, this step is already complete.
+
+The OAuth consumer in Bitbucket Server should be configured as an incoming application link with at minimum **Read** permission on **Repositories**. When a user initiates the Batch Changes OAuth flow, Sourcegraph automatically requests the elevated scopes needed:
+
+-   `REPO_READ` — read repository contents and metadata
+-   `REPO_WRITE` — push branches and create/update pull requests
+
+#### Adding a Bitbucket Server OAuth credential
+
+-   Navigate to **User settings > Batch Changes**
+-   Click **Add credentials** for your Bitbucket Server code host
+-   Select **Bitbucket Server OAuth** as the **Authentication strategy**
+-   Click the **Authorize** button
+-   You will be redirected to your Bitbucket Server instance to grant access
+-   After authorizing, you will be redirected back to Sourcegraph with the credential automatically provisioned
+
+#### Migrating from PATs to Bitbucket Server OAuth
+
+You can migrate from personal access tokens to OAuth by deleting the existing PAT credential and creating a new one using the Bitbucket Server OAuth option. Existing batch changes will continue to work with the new credential.
+
+### Bitbucket Cloud OAuth
+
+#### Prerequisites
+
+A Sourcegraph site administrator must configure a [Bitbucket Cloud authentication provider](/admin/auth#bitbucket-cloud). If your instance already uses Bitbucket Cloud for sign-in, this step is already complete.
+
+The OAuth consumer in Bitbucket Cloud should have the following permissions enabled:
+
+-   **Account**: Read
+-   **Email**: Read
+-   **Repositories**: Read
+-   **Pull requests**: Read and Write
+
+<Callout type="warning">
+	If the OAuth consumer is missing required permissions, users will see an `invalid_scope` error
+	during the OAuth flow. Ensure all the above permissions are selected in your Bitbucket Cloud
+	workspace under **Settings > OAuth consumers**.
+</Callout>
+
+When a user initiates the Batch Changes OAuth flow, Sourcegraph requests the following scopes:
+
+-   `account` — read the authenticated user's account information
+-   `email` — read the authenticated user's email addresses
+-   `repository` — read and access repository contents
+-   `pullrequest:write` — create and update pull requests
+
+#### Adding a Bitbucket Cloud OAuth credential
+
+-   Navigate to **User settings > Batch Changes**
+-   Click **Add credentials** for your Bitbucket Cloud code host
+-   Select **Bitbucket Cloud OAuth** as the **Authentication strategy**
+-   Click the **Authorize** button
+-   You will be redirected to Bitbucket Cloud to grant access
+-   After authorizing, you will be redirected back to Sourcegraph with the credential automatically provisioned
+
+#### Migrating from app passwords to Bitbucket Cloud OAuth
+
+You can migrate from app passwords to OAuth by deleting the existing credential and creating a new one using the Bitbucket Cloud OAuth option. Existing batch changes will continue to work with the new credential.
+
+### Token refresh
+
+OAuth tokens have limited lifetimes. Sourcegraph automatically refreshes tokens when they expire using the refresh token obtained during authorization. Token refresh is handled transparently — users do not need to re-authorize unless the refresh token itself is revoked or the OAuth consumer is deleted.
+
+<Callout type="warning">
+	The Bitbucket authentication provider must remain configured in the Sourcegraph site configuration
+	for token refresh to work. If the auth provider is removed, tokens will not be refreshed and will
+	eventually expire.
+</Callout>
+
+### Removing a Bitbucket OAuth credential
+
+When a Bitbucket OAuth credential is removed, the linked external account used for Batch Changes is also cleaned up. This does not affect the user's ability to sign in to Sourcegraph via Bitbucket — sign-in and Batch Changes use separate external accounts.
