App passwords are tied to a single user account and share that user's permissions.
Tokens are restricted to a single repository, project, or workspace. Project and workspace tokens are paid features that require a premium Bitbucket Cloud account.
SaaS customers: your secrets can be uploaded to our Client Portal by your organization's admin user.
Self hosted customers: your admin needs to configure the token in the app as detailed in our docs.
You can create an app password from your Bitbucket account personal settings. Be sure to set the permissions to repository read access.
You can set an access token from the workspace, project, or repository settings.
Please remember: this token will only be able to access repositories within that particular scope. This means that your repository token will not be able to access anything other than the single repository in that workspace.