Aura Auth
OAuth Providers

Bitbucket Authorization Provider

Add Bitbucket authorization provider to Aura Auth to authentication and authorize

Bitbucket

Set up the Bitbucket authorization provider in your Aura Auth instance.

What you'll build

Through this quick start guide you are going to learn and understand the basics and how to set up the Bitbucket provider for Aura Auth.

Bitbucket OAuth App

Register the Application

The first step is to create and register an OAuth App on the Bitbucket developer console to obtain access to the user's resources.

  1. Navigate to Bitbucket and open your Workspace settings.
  2. Under "Apps and features", click on OAuth consumers.
  3. Click Add consumer.
  4. Fill in the "Name" and optionally a "Description".
  5. Set the Callback URL to http://localhost:3000/auth/callback/bitbucket.
    • (Make sure to replace localhost:3000 with your production domain when deploying)
  6. Ensure you select the correct permissions/scopes for the app (e.g., Account: Read).
  7. Save the consumer. You will then see the Key (Client ID) and Secret (Client Secret).

Installation

Install the package using a package manager like npm, pnpm, or yarn:

npm install @aura-stack/auth

Environment setup

Now, you must configure the environment variables required by Aura Auth, including the Bitbucket credentials and the encryption secrets.

.env
# Aura Secrets
AURA_AUTH_SECRET="your-32-byte-secret"
AURA_AUTH_SALT="your-32-byte-salt"

# Bitbucket Credentials
AURA_AUTH_BITBUCKET_CLIENT_ID="your_bitbucket_client_id"
AURA_AUTH_BITBUCKET_CLIENT_SECRET="your_bitbucket_client_secret"

CRITICAL SECURITY WARNING: The AURA_AUTH_SECRET and AURA_AUTH_SALT variables are used to encrypt and sign user sessions. These MUST be securely generated, highly randomized strings consisting of at least 32 bytes to ensure adequate entropy. Never hardcode these values in your repository. Use a secure generator (like openssl rand -base64 32) to create them, and store them exclusively in your secure environment variables manager.

Configure the Auth Instance

Configure the createAuth instance inside an auth.ts file located at the root of your project. Ensure you explicitly export the handlers, api, and jose objects.

auth.ts
import { createAuth } from "@aura-stack/auth"

export const auth = createAuth({
  oauth: ["bitbucket"],
})

// Extract the required utilities
export const { handlers, api, jose } = auth

The handlers object contains mapping utilities for standard HTTP methods (GET, POST, PATCH) as well as a unified ALL handler. This allows you to easily mount the authentication routes across any framework (Next.js, Elysia, Express, etc.).

Customizing the OAuth Provider

If you need to define custom scopes, change the response type, or map profile data differently, you can use the provider's factory function instead of a simple string identifier.

auth.ts
import { createAuth } from "@aura-stack/auth"
import { bitbucket } from "@aura-stack/auth/oauth/bitbucket"

export const auth = createAuth({
  oauth: [
    bitbucket({
      authorize: {
        params: {
          // Override default scopes
          scope: "account",
        },
      },
    }),
  ],
})

export const { handlers, api, jose } = auth

Sign In to Bitbucket (Client & Server)

There are multiple ways to trigger the sign-in flow depending on your ecosystem.

Sign-in Path (Direct Navigation)

The common route to trigger the auth flow natively without needing a client library is simply navigating the browser to: http://localhost:3000/auth/signIn/bitbucket

Client-Side (React, Vue, etc.)

You can utilize the createAuthClient utility to programmatically trigger sign-ins. You can also define a redirectTo destination.

Constraint Rule: The baseURL passed into createAuthClient MUST exactly match the root domain and path where the HTTP handlers expose their endpoints on the server.

components/Login.tsx
import { createAuthClient } from "@aura-stack/auth/client"

export const authClient = createAuthClient({
  baseURL: "http://localhost:3000/auth",
})

const triggerSignIn = async () => {
  await authClient.signIn("bitbucket", {
    redirectTo: "/dashboard",
  })
}

Server-Side (Next.js Actions, Remix Loaders, etc.)

For environments supporting server-side actions, use the programmatic api.signIn method securely.

actions.ts
import { api } from "./auth"

export const serverSignIn = async () => {
  const response = await api.signIn("bitbucket", {
    redirectTo: "http://localhost:3000/dashboard",
  })

  // Example returning redirect location
  return response.headers.get("Location")
}

Session Retrieval

After a user successfully signs in, you can retrieve their session data securely.

Client-Side:

const session = await authClient.getSession()
console.log(session?.user) // The authenticated user profile

Server-Side:

// Note: You must pass the native Web Request object or Headers!
const session = await api.getSession(request)
console.log(session?.user) // Safely retrieved backend session

Resources

Atlassian Authorization Provider

Add Atlassian authorization provider to Aura Auth to authentication and authorize

ClickUp Authorization Provider

Add ClickUp authorization provider to Aura Auth to authentication and authorize

On this page

BitbucketWhat you'll buildBitbucket OAuth AppRegister the ApplicationInstallationEnvironment setupConfigure the Auth InstanceCustomizing the OAuth ProviderSign In to Bitbucket (Client & Server)Sign-in Path (Direct Navigation)Client-Side (React, Vue, etc.)Server-Side (Next.js Actions, Remix Loaders, etc.)Session RetrievalResources