
Bitbucket App Password Deprecated: Set Up SSH Key to Fix Git Pull and Git Push
Learn how to set up an SSH key for Bitbucket to fix git pull and git push errors caused by deprecated App Passwords. Includes Mac, Windows, remote SSH, and troubleshooting steps.
If you are using Bitbucket over HTTPS, one day you may run:
git pull
or:
git push origin main
and suddenly get this error:
remote: App passwords are deprecated and must be replaced with API tokens.
fatal: unable to access 'https://bitbucket.org/anhtran/atdevblog.git/': The requested URL returned error: 410
Or you may see a shorter error:
fatal: Authentication failed
The common reason is that your project is still using an old Bitbucket App Password, or your machine has an old HTTPS credential saved in the credential cache.
A quick solution is to switch to a Bitbucket API Token. However, if you want a cleaner and more stable setup for your personal development machine, especially if you use a MacBook to push and pull code often, using an SSH Key is usually a very good option.
This guide explains how to set up an SSH key for Bitbucket on MacBook, what each command means, where to run each command, how to know if the setup is successful, and what is different on Windows.
1. When should you use SSH Key instead of HTTPS or API Token?
You should use SSH Key if:
You often push and pull code from your personal machine.
You do not want Git to ask for a password or API Token every time.
You do not want to put a token directly inside the Git remote URL.
You want to avoid Bitbucket App Password deprecated errors when using HTTPS.
You want a clean and stable Git setup that depends less on credential cache.
Old HTTPS remote example:
https://bitbucket.org/anhtran/atdevblog.git
After switching to SSH, the remote becomes:
git@bitbucket.org:anhtran/atdevblog.git
From that point, Git authenticates using your SSH key instead of asking for a password or API Token.
2. Repository example used in this article
In this article, the example repository is:
anhtran/atdevblog.git
HTTPS remote:
https://bitbucket.org/anhtran/atdevblog.git
SSH remote:
git@bitbucket.org:anhtran/atdevblog.git
You only need to replace anhtran/atdevblog.git with your real workspace and repository name.
3. Set up SSH Key on MacBook
Step 1: Open Terminal
On MacBook, open:
Terminal
You can run the SSH key creation command from any folder.
The reason is that the path:
~/.ssh/...
always points to the .ssh folder inside the current user’s Home directory.
For example:
~/.ssh/bitbucket_atdevblog
means the key file will be created at:
/Users/<your-mac-user>/.ssh/bitbucket_atdevblog
You do not need to cd into your project folder when creating the SSH key.
Step 2: Create an SSH Key
Run this command:
ssh-keygen -t ed25519 -C "anhtran-local-bitbucket" -f ~/.ssh/bitbucket_atdevblog
Here is what each part means:
ssh-keygen
This command is used to generate an SSH key.
-t ed25519
This selects the Ed25519 key type. It is a modern, short, and commonly recommended SSH key type.
-C "anhtran-local-bitbucket"
This is a comment that helps you identify what this key is used for.
You can name it something like:
"anhtran-macbook-bitbucket"
or:
"atdevblog-local-bitbucket"
-f ~/.ssh/bitbucket_atdevblog
This tells SSH where to save the key file.
In this example, the private key will be:
~/.ssh/bitbucket_atdevblog
and the public key will be:
~/.ssh/bitbucket_atdevblog.pub
When asked for a passphrase:
Enter passphrase (empty for no passphrase):
You can enter a passphrase for better security, or leave it empty if you want Git operations to be faster on your personal machine.
If you leave it empty, make sure your MacBook is protected with a strong password, Touch ID, and ideally FileVault.
Step 3: Copy the public key
After creating the key, run:
cat ~/.ssh/bitbucket_atdevblog.pub
The output will look like this:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIxxxxxxxxxxxxxxxx anhtran-local-bitbucket
Copy the entire line.
Important notes:
Only copy the .pub file.
Do not copy the private key.
Do not send ~/.ssh/bitbucket_atdevblog to anyone.
Do not commit your private key to Git.
The public key is safe to add to Bitbucket. The private key must stay on your machine.
Step 4: Add the SSH Key to Bitbucket
Open Bitbucket in your browser and go to:
Personal Bitbucket settings → Security → SSH keys → Add key


Enter a clear label, for example:
MacBook - atdevblog
Paste the public key you copied earlier.
Example:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIxxxxxxxxxxxxxxxx anhtran-local-bitbucket
Then click: Add key

Step 5: Create or edit the SSH config file
Next, you need to create an SSH config file so your machine knows which SSH key to use when connecting to Bitbucket.
Run:
nano ~/.ssh/config
If the file does not exist, this command will create it.
If the file already exists, this command will open it for editing.
You can run this command from any folder because ~/.ssh/config belongs to your current user, not to a specific project.
Step 6: Add Bitbucket SSH configuration
Add this block to the file:
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/bitbucket_atdevblog
IdentitiesOnly yes
Explanation:
Host bitbucket.org
This is the host pattern. When Git sees a remote like:
git@bitbucket.org:anhtran/atdevblog.git
SSH will use this configuration block.
HostName bitbucket.org
This is the real server address that SSH connects to.
User git
The SSH user for Bitbucket is always git.
This is not your personal Bitbucket username.
IdentityFile ~/.ssh/bitbucket_atdevblog
This tells SSH which private key to use.
In this example, SSH will use:
~/.ssh/bitbucket_atdevblog
IdentitiesOnly yes
This tells SSH to use only the key defined in IdentityFile.
It helps avoid problems when your machine has many SSH keys.
To save and exit nano:
Control + O
Enter
Control + X
Step 7: Set correct SSH file permissions
Run:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/bitbucket_atdevblog
chmod 644 ~/.ssh/bitbucket_atdevblog.pub
chmod 600 ~/.ssh/config
This makes sure your SSH files are not too open.
If the private key permission is too open, SSH may refuse to use it.
Step 8: Test SSH connection to Bitbucket
Run:
ssh -T git@bitbucket.org
What result means it is working?
If the setup is correct, you may see a message similar to:
authenticated via ssh key.
You can use git to connect to Bitbucket. Shell access is disabled
The message:
Shell access is disabled
is normal.
Bitbucket allows SSH for Git clone, pull, and push. It does not allow you to open a normal Linux shell through SSH.
If you see a successful authentication message, your SSH key setup is working.
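A check for Steps 6 and 7, as an added example that is not part of the original article: the script reads an SSH config file, finds the Host bitbucket.org block, and reports a missing IdentityFile, a private key whose mode is not 600, or a missing IdentitiesOnly yes. The function names are made up for this example, and the parser is simplified as noted in its comments.

```shell
#!/bin/sh
# Added example: audit the Bitbucket entry in an SSH config file.
# Simplifications: exact "Host" names only (no wildcards), "Keyword value"
# lines only (no "Keyword=value"), no Include handling.

# host_option CONFIG HOST KEYWORD -> first value of KEYWORD in the Host block
host_option() {
    awk -v host="$2" -v key="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "host" || tolower($1) == "match" {
            inblock = 0
            if (tolower($1) == "host")
                for (i = 2; i <= NF; i++) if ($i == host) inblock = 1
            next
        }
        inblock && tolower($1) == key { print $2; exit }
    ' "$1"
}

# mode_of FILE -> octal permission bits (GNU stat first, then BSD/macOS stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_bitbucket_ssh CONFIG -> one line per problem, returns 1 if any found
audit_bitbucket_ssh() {
    cfg=$1
    rc=0
    key=$(host_option "$cfg" bitbucket.org IdentityFile)
    only=$(host_option "$cfg" bitbucket.org IdentitiesOnly)
    case $key in "~/"*) key=$HOME/${key#"~/"} ;; esac
    if [ -z "$key" ]; then
        echo "no IdentityFile set for bitbucket.org"; rc=1
    elif [ ! -f "$key" ]; then
        echo "private key not found: $key"; rc=1
    elif [ "$(mode_of "$key")" != 600 ]; then
        echo "private key mode is $(mode_of "$key"), expected 600"; rc=1
    fi
    if [ "$only" != yes ]; then
        echo "IdentitiesOnly is not 'yes': other keys may be offered first"; rc=1
    fi
    return "$rc"
}
# Usage: audit_bitbucket_ssh ~/.ssh/config
```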
4. Change local Git remote from HTTPS to SSH
After your SSH key works, you need to change your project remote from HTTPS to SSH.
Step 1: Go to your local project folder
This command must be run inside your Git project folder.
Example:
cd ~/Projects/atdevblog
Or use your real project path:
cd /path/to/your/project
Check whether you are inside a Git repository:
git status
If you see something like:
On branch main
you are in the correct project folder.
Step 2: Check the current remote
Run:
git remote -v
If your project is still using HTTPS, you may see:
origin https://bitbucket.org/anhtran/atdevblog.git (fetch)
origin https://bitbucket.org/anhtran/atdevblog.git (push)
Step 3: Change the remote to SSH
Run:
git remote set-url origin git@bitbucket.org:anhtran/atdevblog.git
Then check again:
git remote -v
The correct output should look like this:
origin git@bitbucket.org:anhtran/atdevblog.git (fetch)
origin git@bitbucket.org:anhtran/atdevblog.git (push)
If you see git@bitbucket.org:..., your remote has been changed to SSH successfully.
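The remote change from Step 3 as a script, added here as an example and not part of the original article: it derives the SSH remote from a Bitbucket HTTPS remote and detects a password or token embedded in the old URL, which Git stores in plain text in .git/config. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive the SSH remote from a Bitbucket HTTPS remote.

# to_ssh_remote URL -> prints git@bitbucket.org:<workspace>/<repo>.git
# Returns 1 unless URL is an https://bitbucket.org/<workspace>/<repo> URL.
to_ssh_remote() {
    case $1 in
        https://*) rest=${1#https://} ;;
        *) return 1 ;;
    esac
    authority=${rest%%/*}          # [user[:secret]@]host
    path=${rest#*/}                # workspace/repo[.git]
    [ "$path" != "$rest" ] || return 1
    [ "${authority##*@}" = "bitbucket.org" ] || return 1
    path=${path%/}
    case $path in
        */*) ;;
        *) return 1 ;;
    esac
    printf 'git@bitbucket.org:%s.git\n' "${path%.git}"
}

# has_embedded_credential URL -> status 0 if the URL carries user:secret@
has_embedded_credential() {
    authority=${1#*://}
    authority=${authority%%/*}
    case $authority in
        *:*@*) return 0 ;;
        *) return 1 ;;
    esac
}

# migrate_origin: run inside the project folder; never prints the old URL.
migrate_origin() {
    old=$(git remote get-url origin) || return 1
    new=$(to_ssh_remote "$old") || {
        echo "origin is not a Bitbucket HTTPS remote; left unchanged" >&2
        return 1
    }
    git remote set-url origin "$new" || return 1
    if has_embedded_credential "$old"; then
        echo "old remote embedded a credential: revoke it in Bitbucket" >&2
    fi
    echo "origin -> $new"
}
```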
5. Test git pull and git push
Test git pull
Run:
git pull origin main
If your local branch is already up to date, you may see:
Already up to date.
If there is new code, Git will show the updated files or commits.
Both results are fine as long as there is no authentication error.
Test git push
If your account has permission to push to the repository, run:
git push origin main
What result means it is working?
If there is nothing new to push, you may see:
Everything up-to-date
If you have new commits, you may see something like:
Enumerating objects: ...
Counting objects: ...
Compressing objects: ...
Writing objects: ...
To bitbucket.org:anhtran/atdevblog.git
old_commit..new_commit main -> main
If Git pushes to bitbucket.org:anhtran/atdevblog.git successfully and you no longer see Authentication failed, your SSH setup is working.
6. Is Windows different from macOS?
Yes, but only slightly.
The main flow is the same:
Create SSH key → Add public key to Bitbucket → Create SSH config → Test ssh -T → Change remote to SSH → Test pull/push
The main differences are the terminal, file path, and how you open the SSH config file.
Which terminal should you use on Windows?
You can use:
Git Bash
PowerShell
Windows Terminal
VS Code integrated terminal
If you already installed Git for Windows, Git Bash is usually the easiest option because the commands are very similar to macOS and Linux.
Create SSH key on Windows using Git Bash
Open Git Bash and run:
ssh-keygen -t ed25519 -C "anhtran-windows-bitbucket" -f ~/.ssh/bitbucket_atdevblog
In Git Bash, ~ still points to your user home folder.
It usually maps to:
C:\Users\<YourUser>\.ssh\
Example private key path:
C:\Users\AnhTran\.ssh\bitbucket_atdevblog
Example public key path:
C:\Users\AnhTran\.ssh\bitbucket_atdevblog.pub
Copy the public key:
cat ~/.ssh/bitbucket_atdevblog.pub
Then add it to Bitbucket just like on Mac:
Personal Bitbucket settings → Security → SSH keys → Add key
Create SSH config on Windows
If you are using Git Bash, run:
nano ~/.ssh/config
If nano is not available, use Notepad:
notepad ~/.ssh/config
Or open this file directly:
C:\Users\<YourUser>\.ssh\config
Add the same content:
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/bitbucket_atdevblog
IdentitiesOnly yes
The meaning is the same as on macOS:
Host bitbucket.org: configuration for Bitbucket connections.
HostName bitbucket.org: the real server to connect to.
User git: Bitbucket SSH user is git.
IdentityFile ~/.ssh/bitbucket_atdevblog: the key used for authentication.
IdentitiesOnly yes: use only this key.
Test SSH on Windows
In Git Bash, run:
ssh -T git@bitbucket.org
The successful result is similar to macOS:
authenticated via ssh key.
You can use git to connect to Bitbucket. Shell access is disabled
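If this is your first connection, Windows/Git Bash may ask:
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Check that the fingerprint shown in the prompt matches the SSH host key fingerprints published in Bitbucket's documentation, then type:
yes
Then run the SSH test again if needed.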
Change remote to SSH on Windows
This step is the same as macOS.
You need to be inside your Git project folder.
Example:
cd /c/Users/AnhTran/Projects/atdevblog
Check the current remote:
git remote -v
Change the remote:
git remote set-url origin git@bitbucket.org:anhtran/atdevblog.git
Test pull:
git pull origin main
Test push:
git push origin main
Key differences between Windows and macOS
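Item | macOS | Windows |
|---|---|---|
Recommended terminal | Terminal | Git Bash or Windows Terminal |
SSH folder | ~/.ssh | C:\Users\<YourUser>\.ssh |
Open SSH config | nano ~/.ssh/config | nano ~/.ssh/config or notepad ~/.ssh/config |
Copy public key | cat ~/.ssh/bitbucket_atdevblog.pub | cat ~/.ssh/bitbucket_atdevblog.pub |
SSH test command | ssh -T git@bitbucket.org | Same as macOS |
SSH remote format | git@bitbucket.org:anhtran/atdevblog.git | Same as macOS |
Common issues | Wrong key permission, wrong config | Git/OpenSSH not installed, wrong terminal, wrong path |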
7. Common Bitbucket SSH Key errors
Error 1: Permission denied publickey
Error:
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.
Possible reasons:
You did not add the public key to Bitbucket.
You added the wrong public key.
IdentityFile points to the wrong key.
Git is using a different SSH key.
Your Bitbucket account does not have access to the repository.
How to check:
ssh -T git@bitbucket.org
If the SSH test is not successful, do not test git pull or git push yet. Fix SSH first.
Error 2: Remote is still using HTTPS
If you already set up SSH but still get App Password or API Token errors, your remote may still be using HTTPS.
Check:
git remote -v
If you still see:
https://bitbucket.org/anhtran/atdevblog.git
change it to SSH:
git remote set-url origin git@bitbucket.org:anhtran/atdevblog.git
Error 3: Host key verification failed
Error:
Host key verification failed.
fatal: Could not read from remote repository.
Try:
ssh -T git@bitbucket.org
If the system asks whether you trust the host, check the fingerprint it shows against the one published in Bitbucket's documentation, then type:
yes
Then test again:
git pull origin main
Error 4: Your machine has multiple SSH keys
If your machine has many SSH keys, SSH may use the wrong one.
The fix is to clearly define the Bitbucket key inside:
~/.ssh/config
Use:
Host bitbucket.org
HostName bitbucket.org
User git
IdentityFile ~/.ssh/bitbucket_atdevblog
IdentitiesOnly yes
If it still fails, run:
ssh -vT git@bitbucket.org
This command helps you see which key SSH is trying to use.
Error 5: Push is denied even though SSH test works
If this command works:
ssh -T git@bitbucket.org
but this command fails:
git push origin main
your account or SSH key may only have read permission.
Possible fixes:
Check your permission in the repository.
Check whether you have write access to the repository.
Check whether the main branch has branch restrictions.
Try pushing to another branch if direct push to main is blocked.
8. Quick checklist after setup
Check that the SSH key exists:
ls -la ~/.ssh
Check SSH config:
cat ~/.ssh/config
Test SSH:
ssh -T git@bitbucket.org
It is OK if you see successful SSH key authentication.
Check remote:
git remote -v
The remote is correct if you see:
git@bitbucket.org:anhtran/atdevblog.git
Test pull:
git pull origin main
It is OK if there is no authentication error.
Test push:
git push origin main
It is OK if you see Everything up-to-date or the commit is pushed successfully.
9. Should you use SSH Key or API Token?
Situation | Recommended option |
|---|---|
Personal machine used for daily push/pull | SSH Key |
Quick HTTPS fix on local machine | API Token |
Git or Sourcetree does not ask for password | Temporarily put API Token in remote URL |
Long-term deployment server | SSH Key or Repository Access Token |
CI/CD pipeline | Repository Access Token or CI/CD Secret |
Only need to pull code | Read-only access |
Need to push code | Write access required |
If you have successfully set up SSH Key on your MacBook, it is a very good option for your personal development environment.
For staging or production servers, avoid copying your local private key to the server if possible. It is better to create a separate SSH key directly on the server or use a Repository Access Token for deployment.
10. Conclusion
When Bitbucket App Password is deprecated, Git commands over HTTPS such as:
git pull
git clone
git push
may fail with authentication errors.
There are several ways to fix the issue, but if you use a personal machine for daily development, setting up an SSH Key is a clean, stable, and easy-to-maintain solution.
The standard MacBook flow is:
ssh-keygen -t ed25519 -C "anhtran-local-bitbucket" -f ~/.ssh/bitbucket_atdevblog
cat ~/.ssh/bitbucket_atdevblog.pub
nano ~/.ssh/config
ssh -T git@bitbucket.org
git remote set-url origin git@bitbucket.org:anhtran/atdevblog.git
git pull origin main
git push origin main
The standard Windows flow using Git Bash is:
mkdir -p ~/.ssh
ssh-keygen -t ed25519 -C "anhtran-windows-bitbucket" -f ~/.ssh/bitbucket_atdevblog
cat ~/.ssh/bitbucket_atdevblog.pub
notepad ~/.ssh/config
ssh -T git@bitbucket.org
git remote set-url origin git@bitbucket.org:anhtran/atdevblog.git
git pull origin main
git push origin main
Key points to remember:
Create the SSH key on your local machine if you want to push and pull from your local machine.
Create the SSH key on the server if the server needs to run git pull for deployment.
Do not share your private key.
Do not commit your private key to Git.
The correct SSH remote format is:
git@bitbucket.org:anhtran/atdevblog.git
If ssh -T git@bitbucket.org works and git remote -v shows the SSH remote, you can push and pull code without using App Password or API Token in the remote URL.
If you are seeing App passwords are deprecated, Authentication failed, or error 410 when using Bitbucket, check your Git remote first. If you work from a personal development machine, consider switching to SSH Key for a cleaner, safer, and more stable push/pull workflow.