This guide walks you through creating Personal Access Tokens (PATs) for GitHub, GitLab, and Bitbucket to use with Ampel. By the end, you'll be able to add provider accounts directly through the Ampel UI without needing OAuth configuration.
- Prerequisites
- Understanding PATs
- GitHub PAT Setup
- GitLab PAT Setup
- Bitbucket PAT Setup
- Adding Accounts to Ampel
- Security Best Practices
- Troubleshooting
- Additional Resources
Before you begin, make sure you have:
- Accounts on the platforms you want to integrate (GitHub, GitLab, and/or Bitbucket)
- Access to create PATs/app passwords (available on all account types)
- Ampel running and accessible (local or deployed)
Personal Access Tokens (PATs) are a secure way to authenticate with Git providers without sharing your password. They offer several advantages:
| Advantage | Description |
|---|---|
| No OAuth Setup | No need to register applications or configure callbacks |
| Fine-grained Permissions | Grant only the access your application needs |
| Easily Revocable | Revoke a token instantly if compromised |
| Multiple Tokens | Create separate tokens for different purposes |
| Expiration Options | Set automatic expiration for enhanced security |
- Log in to GitHub
- Click your profile picture (top-right corner)
- Select Settings
- Scroll down and click Developer settings (left sidebar)
- Click Personal access tokens
- Choose Tokens (classic) or Fine-grained tokens (recommended)
- Click Generate new token > Generate new token (fine-grained)
- Fill in the token details:
| Field | Value |
|---|---|
| Token name | Ampel PR Dashboard |
| Expiration | 90 days (or custom - recommended for security) |
| Resource owner | Select your account or organization |
| Repository access | Select repositories (choose repos you want Ampel to access) |
- Under Permissions, configure:
Repository permissions:
| Permission | Access Level | Purpose |
|---|---|---|
| Pull requests | Read and write | View and manage pull requests |
| Contents | Read-only | Access repository files |
| Metadata | Read-only | Access repository metadata |
| Issues | Read-only | View linked issues |
Account permissions:
| Permission | Access Level | Purpose |
|---|---|---|
| Email addresses | Read-only | Read user email |
If you prefer classic tokens:
- Click Generate new token > Generate new token (classic)
- Fill in the details:
| Field | Value |
|---|---|
| Note | Ampel PR Dashboard |
| Expiration | 90 days (recommended) |
- Select scopes:
| Scope | Purpose |
|---|---|
| `repo` | Full control of private repositories (includes pull requests) |
| `read:org` | Read organization membership |
| `read:user` | Read user profile data |
| `user:email` | Read user email addresses |
- Click Generate token
- Copy the token immediately - you won't see it again!
- Store it securely (you'll paste it into Ampel in the next section)
Quick URL: https://github.com/settings/tokens/new
- Log in to GitLab (or your self-hosted instance)
- Click your avatar (top-right)
- Select Edit profile
- Click Access Tokens (left sidebar)
- Scroll to Add new token
Quick URL: https://gitlab.com/-/profile/personal_access_tokens
Fill in the token details:
| Field | Value |
|---|---|
| Token name | Ampel PR Dashboard |
| Expiration date | 90 days from now (recommended) |
Check the following scopes:
| Scope | Purpose |
|---|---|
| `api` | Full API access (required for repositories and merge requests) |
| `read_user` | Read user profile information |
| `read_api` | Read-only API access (alternative to `api` if read-only is sufficient) |
| `read_repository` | Read repository contents |
For read-only access: Use read_api and read_repository instead of api.
For write access (merge, comment): Include api scope.
- Click Create personal access token
- Copy the token immediately - GitLab shows it only once!
- Store it securely
For self-hosted GitLab instances, the process is identical. You'll also need to configure the base URL in Ampel when adding the account.
Bitbucket uses "App Passwords" instead of PATs. They work similarly but are created differently.
- Log in to Bitbucket
- Click your avatar (bottom-left)
- Select Personal settings
- Click App passwords (left sidebar, under "Access management")
- Click Create app password
Quick URL: https://bitbucket.org/account/settings/app-passwords/new
| Field | Value |
|---|---|
| Label | Ampel PR Dashboard |
Check the following permissions:
Account:
| Permission | Purpose |
|---|---|
| Read | Read user profile information |
Workspace membership:
| Permission | Purpose |
|---|---|
| Read | Access workspace details |
Repositories:
| Permission | Purpose |
|---|---|
| Read | View repositories |
Pull requests:
| Permission | Purpose |
|---|---|
| Read | View pull requests |
| Write | Comment, approve, merge PRs (optional) |
- Click Create
- Copy the app password immediately - you won't see it again!
- Store it securely
Note: You'll use your Bitbucket username along with the app password when adding the account to Ampel.
Once you have your tokens/app passwords, add them to Ampel:
- Log in to Ampel
- Navigate to Settings > Provider Accounts
- Click Add Account
- Select the provider (GitHub, GitLab, or Bitbucket)
- Fill in the form:
GitHub:
| Field | Value |
|---|---|
| Account Name | A friendly name (e.g., "My GitHub") |
| Personal Access Token | Paste your GitHub token |
GitLab:
| Field | Value |
|---|---|
| Account Name | A friendly name (e.g., "My GitLab") |
| Personal Access Token | Paste your GitLab token |
| Base URL | Leave default for GitLab.com, or enter your self-hosted URL |
Bitbucket:
| Field | Value |
|---|---|
| Account Name | A friendly name (e.g., "My Bitbucket") |
| Username | Your Bitbucket username |
| App Password | Paste your Bitbucket app password |
- Click Test Connection to verify
- Click Save
You can add multiple accounts from the same provider:
- Personal GitHub + Work GitHub
- GitLab.com + Self-hosted GitLab
- Multiple Bitbucket workspaces
Each account is stored securely with encrypted tokens.
- Use expiration dates
  - Set tokens to expire in 90 days or less
  - Rotate tokens periodically
  - Remove unused tokens
- Grant minimum permissions
  - Only enable the scopes you actually need
  - Use read-only access when write isn't required
  - Review permissions quarterly
- One token per application
  - Create separate tokens for different tools
  - Easier to identify and revoke if compromised
  - Better audit trail
- Never commit tokens to version control
  - Tokens are stored encrypted in Ampel's database
  - Don't share tokens via email or chat
  - Use secure password managers for temporary storage
Ampel stores tokens securely:
- Encryption: AES-256-GCM encryption at rest
- Encryption key: Stored separately in environment variables
- Database: Encrypted tokens stored in PostgreSQL
- Memory: Tokens only decrypted when actively used
If a token is exposed:
- Revoke immediately:
  - GitHub: Settings > Developer settings > Personal access tokens > Delete
  - GitLab: Profile > Access Tokens > Revoke
  - Bitbucket: Personal settings > App passwords > Delete
- Create a new token following the steps above
- Update Ampel with the new token via Settings > Provider Accounts
- Review access logs on the provider platform for suspicious activity
GitHub:
- View token usage at https://github.com/settings/tokens
- Shows last used date and IP address
GitLab:
- View active tokens at https://gitlab.com/-/profile/personal_access_tokens
- Shows last used date and expiration
Bitbucket:
- View app passwords at https://bitbucket.org/account/settings/app-passwords/
- Shows creation date (no usage tracking)
"Invalid token" error
- Verify you copied the entire token (no truncation)
- Check for extra whitespace when pasting
- Ensure the token hasn't expired
- Confirm the token has the required scopes
"Insufficient permissions" error
- Review the token scopes/permissions
- For GitHub: Ensure `repo` scope is enabled
- For GitLab: Ensure `api` or `read_api` scope is enabled
- For Bitbucket: Ensure repositories and pull requests have read permission
"Token expired" error
- Create a new token (tokens can't be renewed)
- Update the account in Ampel settings
- Consider using a longer expiration next time
Can't see repositories after connecting
- GitHub (fine-grained): Ensure you selected repository access
- GitHub (classic): Token may only have access to public repos
- GitLab: Check project visibility and token scopes
- Bitbucket: Verify workspace membership and repository permissions
You can test tokens manually using curl:

GitHub:

```bash
curl -H "Authorization: token YOUR_TOKEN" https://api.github.com/user
```

GitLab:

```bash
curl -H "Authorization: Bearer YOUR_TOKEN" https://gitlab.com/api/v4/user
```

Bitbucket:

```bash
curl -u YOUR_USERNAME:YOUR_APP_PASSWORD https://api.bitbucket.org/2.0/user
```

If these commands fail, the token itself is invalid.
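The curl checks above show whether a token authenticates, not what it is allowed to do. As an added example (not part of Ampel), this script reads the `X-OAuth-Scopes` response header that GitHub returns for classic tokens and compares it with the four classic scopes this guide lists. The header sample is constructed and `AMPEL_GH_TOKEN` is a hypothetical variable name.

```bash
#!/usr/bin/env bash
# Added example (not Ampel code): compare a GitHub classic token's granted
# scopes, as reported in the X-OAuth-Scopes response header, with the four
# scopes this guide asks for. Fine-grained tokens do not send this header.
REQUIRED_SCOPES="repo read:org read:user user:email"

# Parent scopes imply their children in GitHub's scope hierarchy.
expand_scope() {
  case "$1" in
    user)      echo "user read:user user:email" ;;
    admin:org) echo "admin:org write:org read:org" ;;
    write:org) echo "write:org read:org" ;;
    *)         echo "$1" ;;
  esac
}

# Reads raw HTTP response headers on stdin, prints "missing=<..> extra=<..>".
# "extra" lists granted scopes beyond the guide's set (least-privilege drift).
audit_scopes() {
  local granted effective="" missing="" extra="" s
  granted=$(tr -d '\r' | grep -i '^x-oauth-scopes:' | cut -d: -f2- | tr ',' ' ')
  for s in $granted; do effective="$effective $(expand_scope "$s")"; done
  for s in $REQUIRED_SCOPES; do
    case " $effective " in *" $s "*) ;; *) missing="$missing $s" ;; esac
  done
  for s in $granted; do
    case " $REQUIRED_SCOPES " in *" $s "*) ;; *) extra="$extra $s" ;; esac
  done
  echo "missing=${missing# } extra=${extra# }"
}

# Constructed sample headers so the check runs offline.
SAMPLE_HEADERS='HTTP/2 200
content-type: application/json; charset=utf-8
x-oauth-scopes: repo, read:org, user, delete_repo
x-accepted-oauth-scopes:'

printf '%s\n' "$SAMPLE_HEADERS" | audit_scopes
# Live use (AMPEL_GH_TOKEN is a hypothetical environment variable):
#   curl -sS -o /dev/null -D - -H "Authorization: token $AMPEL_GH_TOKEN" \
#     https://api.github.com/user | audit_scopes
```

A non-empty `extra` list means the token is broader than this guide requires and is a candidate for replacement with a narrower one.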
| Provider | Token Creation URL | Token Type | Key Scopes |
|---|---|---|---|
| GitHub | github.com/settings/tokens | Personal Access Token (classic or fine-grained) | repo, read:user, read:org |
| GitLab | gitlab.com/-/profile/personal_access_tokens | Personal Access Token | api, read_user, read_repository |
| Bitbucket | bitbucket.org/account/settings/app-passwords | App Password | Account:Read, Repositories:Read, Pull requests:Read |
| Provider | Format | Example |
|---|---|---|
| GitHub | `ghp_` prefix (classic) or `github_pat_` (fine-grained) | `ghp_abcd1234efgh5678ijkl9012mnop3456qrst` |
| GitLab | `glpat-` prefix | `glpat-abc123xyz789` |
| Bitbucket | Alphanumeric string | `ATBBxyz123abc456` |
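The fixed prefixes in this table make leaked GitHub and GitLab tokens easy to detect, which supports the "never commit tokens to version control" practice. The following scanner is an added example, not part of Ampel; the minimum length after the prefix is an assumption and the sample input is constructed from this guide's placeholder tokens.

```bash
#!/usr/bin/env bash
# Added example (not Ampel code): catch strings carrying the GitHub and GitLab
# token prefixes from the table above before they are committed.
# Assumption: a real token has at least 10 characters after its prefix.
# Bitbucket app passwords have no prefix listed in this guide, so they are
# not covered by this pattern.
TOKEN_RE='(ghp_|github_pat_|glpat-)[A-Za-z0-9_-]{10,}'

# scan_tokens LABEL < text
# Prints "LABEL:LINE:<prefix>***" for each hit (the secret itself is never
# echoed) and returns 1 if anything was found, 0 otherwise.
scan_tokens() {
  local label="$1" hits h
  hits=$(grep -noE "$TOKEN_RE" |
    sed -E 's/^([0-9]+):(ghp_|github_pat_|glpat-).*/\1:\2***/')
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | while IFS= read -r h; do
    printf '%s:%s\n' "$label" "$h"
  done
  return 1
}

# Constructed sample input using the placeholder tokens from this guide.
SAMPLE='GITHUB_TOKEN=ghp_abcd1234efgh5678ijkl9012mnop3456qrst
# tokens for GitLab start with the glpat- prefix
gitlab_token: glpat-abc123xyz789
name = "Ampel PR Dashboard"'

printf '%s\n' "$SAMPLE" | scan_tokens sample.env ||
  echo "token-like strings found: do not commit"
```

Run from a pre-commit hook over each staged file, a non-zero return from `scan_tokens` is the signal to abort the commit.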
If you previously used OAuth configuration:
- Create PATs for each provider following the guides above
- Add accounts via Ampel UI (Settings > Provider Accounts)
- Existing OAuth environment variables are no longer needed
- The `.env` file no longer requires OAuth credentials
- All authentication is now handled through provider accounts in the database
This PAT-based approach is simpler, more flexible, and doesn't require OAuth application registration.