You can define REST endpoints in ScriptRunner, for example to:

Adding a REST Endpoint

Navigate to Admin → REST Endpoints.

Click a heading to add a handler. Choose Custom endpoint to add your own endpoint.

REST endpoints are configured programatically. There is currently one sample defined (click Expand Examples), which we’ll discuss in-depth:

import groovy.json.JsonBuilder
import groovy.transform.BaseScript


@BaseScript CustomEndpointDelegate delegate (1)

doSomething( (2)
    // bitbucket-administrators is a group we have added ourselves
    httpMethod: "GET", groups: ["bitbucket-administrators"] (3)
) { MultivaluedMap queryParams, String body -> (4)
    return Response.ok(new JsonBuilder([abc: 42]).toString()).build() (5)
1 - this line makes methods in your script recognisable as endpoints, and is required
2 - the name of the REST endpoint, which forms part of the URL, in this case doSomething
3 - configuration of the endpoint, in this case which HTTP verb to handle, and what groups to allow
4 - parameters which are provided to your method body
5 - the body of your method, where you will return a object

Once this is added to the list of configured endpoints, either as an inline script, or by copying it to a file and adding as a script file, you should be able to test the endpoint by visiting in your browser:


Alternatively using a command line utility:

>curl -u admin:admin http://localhost:8080/bitbucket/rest/scriptrunner/latest/custom/doSomething

If you are using a file, you can try changing the response, though you may need to hit the "Scan" button on the REST Endpoints page before calls to the endpoint return the new response. See the section on script root scanning, below.

admin:admin corresponds to a username and password.


The general format of a method defining a REST endpoint is:

methodName (Map configuration, Closure closure)

For the configuration only the following options are supported:




One or more groups. If the requesting user is in any of these groups the request will be allowed

Note that either or both of these can be omitted. If you omit the groups attribute, the endpoint will be available to unauthenticated users.

The closure can take these parameters:

MultivaluedMap queryParams

corresponds to the URL parameters

String content

The body of the request, for POST and PUT etc

HttpServletRequest request

The request object. You can use this to get the requesting user for instance.

You can use any of these forms for your closure:

something() { MultivaluedMap queryParams ->
something() { MultivaluedMap queryParams, String body ->
something() { MultivaluedMap queryParams, String body, HttpServletRequest request ->

depending on what you need access to.

Access request URL

Sometimes you may need to use the URL path after your method name, for instance in the following call, you want to retrieve the /foo/bar:


To get this, use the 3-param form of the closure definition, and call the getAdditionalPath method from the base class:

doSomething() { MultivaluedMap queryParams, String body, HttpServletRequest request ->

    def extraPath = getAdditionalPath(request)
    // extraPath will contain /foo/bar when called as above
In previous versions, an extraPath variable was injected into the scripts, but this is not thread-safe - use the above method instead.


Allow Cross-Domain Requests

This example demonstrates how to access the official REST API from another domain. As at the time of writing Bitbucket does not support CORS (cross-origin requests).

To demonstrate this when trying to GET from the following REST endpoint from


You may have received an error like

Origin is not allowed by Access-Control-Allow-Origin.
@BaseScript CustomEndpointDelegate delegate

// replace this url with your Bitbucket instance url
def http = new RESTClient("")

// add authentication to proxy request
http.client.addRequestInterceptor(new HttpRequestInterceptor() {

    void process(HttpRequest httpRequest, HttpContext httpContext) {
        httpRequest.addHeader('Authorization', 'Basic ' + 'username:password'.bytes.encodeBase64().toString())
        httpRequest.addHeader('X-Atlassian-Token', "no-check")

        httpMethod: "GET", groups: ["bitbucket-administrators"]
) { MultivaluedMap queryParams, String body, HttpServletRequest request ->

    // get the path after the method name, so we can proxy the request
    def extraPath = getAdditionalPath(request)

    HttpResponse response = http.request(GET, JSON) {
        uri.path = extraPath

    return Response
            .ok(new JsonBuilder(
            // allows all origins to access resource
            .header("Access-Control-Allow-Origin", "*")

Most of this code is simply involved with proxying the original request through to the official REST API. We make use of the extraPath to capture the location we need to proxy the request to.

To test it you could use

curl -v -X GET -u admin:admin <bitbucket_base_url>/rest/scriptrunner/latest/custom/bitbucketproxy/rest/api/1.0/projects/PROJECTKEY/repos/reposlug

You will notice you get the following header back which allows all domains to access the resource

Access-Control-Allow-Origin: *

Also note that you can have multiple methods with the same name in the same file, which is useful to do simple CRUD REST APIs, eg:

POST /bitbucketproxy - proxy POST requests (create)
PUT /bitbucketproxy - proxy PUT requests (update)
DELETE /bitbucketproxy - proxy DELETE requests (delete)
GET /bitbucketproxy - proxy GET requests (get)

Further Examples

For how-to questions please ask on Atlassian Answers where there is a very active community. Adaptavist staff are also likely to respond there.

Ask a question about ScriptRunner for JIRA, for for Bitbucket Server, or for Confluence.