First of all: only OAuth 2 tokens can be used to clone repos
While unclear from this page, I've seen people try to use OAuth 1 access tokens. Unfortunately Git and Mercurial do not support OAuth 1 and so it is not possible to clone repos that way.
This is because OAuth 1 requires requests to be uniquely signed. The token itself is merely one of the input variables for the cryptographic signing process that git and hg do not support.
Now we did indeed recently add support for OAuth 2 which, despite its name, is a very different protocol and does not include cryptographic signing. As a result, OAuth 2 tokens can be used to clone over https.
Here's a dump of me creating a new OAuth 2 access/bearer token and using it to clone one of my private repos:
$ curl https://bitbucket.org/site/oauth2/access_token \
-d grant_type=client_credentials \
-u dqN7QFLwJEcHsHadYw:pzvZG25WEDqbm9aeUVRHtQRHgTRgDr9t
{
"access_token": "He1rBW1eYAzmT3ePJcvYDtkIcF1Pb1izZHo8oqpKMEL5ivsku71qkjfumVgR2bWsCiRM7XeEmbVffxU92w==",
"scopes": "repository email",
"expires_in": 3600,
"refresh_token": "pfcnxSpXNPAeTcYhcQ",
"token_type": "bearer"
}
$ git clone "https://x-token-auth:JU5dAtlMD30BisLpDkIap7T18Ry9v6p0Xif4owkQUyen_rLx5_B3PjjeqhLhpde0ezR1wyGLeqYE2HA49A==@bitbucket.org/evzijst/crypt"
Cloning into 'crypt'...
remote: Counting objects: 26, done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 26 (delta 8), reused 0 (delta 0)
Unpacking objects: 100% (26/26), done.
Checking connectivity... done.
Now be aware that OAuth 2 tokens expire in an hour. After that they will cease to work. Depending on how you obtained the access token you may have a refresh token. You can use this refresh token to issue a new access token immediately before attempting to clone, to avoid expiration.