Secrets

Buildkite secrets is an encrypted key-value store secrets management service. Secrets are scoped within a Buildkite cluster and can be accessed by agents within that cluster using the buildkite-agent secret get command or by defining secrets within a pipeline YAML configuration. Access to secrets is controlled through access policies.

Secret data model

`id`	ID of the secret
`graphql_id`	GraphQL ID of the secret
`key`	A unique identifier for the secret
`value`	The encrypted secret value. This field is never returned by the API
`description`	Description of the secret
`policy`	YAML policy defining access rules for the secret
`url`	Canonical API URL of the secret
`cluster_url`	API URL of the cluster this secret belongs to
`created_at`	When the secret was created
`created_by`	User who created the secret
`updated_at`	When the secret was last updated
`updated_by`	User who last updated the secret
`last_read_at`	When the secret was last accessed by a build
`organization`	Organization this secret belongs to

List secrets

Returns a paginated list of a cluster's secrets.

curl -H "Authorization: Bearer $TOKEN" \
  -X GET "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets"

[
  {
    "id": "9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
    "key": "MY_SECRET",
    "description": "My secret description",
    "policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
    "created_at": "2025-10-01T06:51:21.067Z",
    "created_by": {
      "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
      "name": "Staff",
      "email": "test+staff@example.com"
    },
    "updated_at": "2025-10-01T06:51:21.173Z",
    "updated_by": null,
    "last_read_at": null,
    "url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
    "cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
    "organization": {
      "id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
      "slug": "my-org",
      "url": "http://api.buildkite.com/v2/organizations/my-org",
      "web_url": "http://buildkite.com/my-org"
    }
  }
]

Required scope: read_secret_details

Success response: 200 OK

Get a secret

curl -H "Authorization: Bearer $TOKEN" \
  -X GET "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}"

{
  "id": "9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
  "key": "MY_SECRET",
  "description": "My secret description",
  "policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
  "created_at": "2025-10-01T06:51:21.067Z",
  "created_by": {
    "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
    "name": "Staff",
    "email": "test+staff@example.com"
  },
  "updated_at": "2025-10-01T06:51:21.173Z",
  "updated_by": null,
  "last_read_at": null,
  "url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
  "cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
  "organization": {
    "id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
    "slug": "my-org",
    "url": "http://api.buildkite.com/v2/organizations/my-org",
    "web_url": "http://buildkite.com/my-org"
  }
}

Required scope: read_secret_details

Success response: 200 OK

Create a secret

curl -H "Authorization: Bearer $TOKEN" \
  -X POST "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets" \
  -H "Content-Type: application/json" \
  -d '{
    "key": "MY_SECRET",
    "value": "secret-value",
    "description": "My secret description",
    "policy": "- pipeline_slug: my-pipeline\n  build_branch: main"
  }'

{
  "id": "30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
  "key": "MY_SECRET",
  "description": "My secret description",
  "policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
  "created_at": "2025-10-01T07:43:38.648Z",
  "created_by": {
    "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
    "name": "Staff",
    "email": "test+staff@example.com"
  },
  "updated_at": "2025-10-01T07:43:38.708Z",
  "updated_by": null,
  "last_read_at": null,
  "url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
  "cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
  "organization": {
    "id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
    "slug": "my-org",
    "url": "http://api.buildkite.com/v2/organizations/my-org",
    "web_url": "http://buildkite.com/my-org"
  }
}

Required request body properties:

`key`	A unique identifier for the secret. Must start with a letter and only contain letters, numbers, and underscores. Cannot start with `buildkite` or `bk` (case insensitive). Maximum length is 255 characters. Must be unique within the cluster Example: `"MY_SECRET"`

Optional request body properties:

`value`	The secret value to encrypt and store. Must be less than 8 kilobytes. Cannot be blank. Example: `"secret-value"`
`description`	A description of the secret Example: `"My secret description"`
`policy`	YAML policy defining access rules. See Access policies for Buildkite secrets for details on policy structure and available claims Example: `"- pipeline_slug: my-pipeline\n build_branch: main"`

Required scope: write_secrets

Success response: 201 Created

Update a secret's description and access policy

Updates a secret's description and access policy. To update its value instead, see Update a secret's value.

curl -H "Authorization: Bearer $TOKEN" \
  -X PUT "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}" \
  -H "Content-Type: application/json" \
  -d '{
    "description": "Updated description",
    "policy": "- pipeline_slug: my-pipeline\n  build_branch: production"
  }'

{
  "id": "30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
  "key": "MY_SECRET",
  "description": "Updated description",
  "policy": "- pipeline_slug: my-pipeline\n  build_branch: production",
  "created_at": "2025-10-01T07:43:38.648Z",
  "created_by": {
    "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
    "name": "Staff",
    "email": "test+staff@example.com"
  },
  "updated_at": "2025-10-01T07:43:46.949Z",
  "updated_by": {
    "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
    "name": "Staff",
    "email": "test+staff@example.com"
  },
  "last_read_at": null,
  "url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
  "cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
  "organization": {
    "id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
    "slug": "my-org",
    "url": "http://api.buildkite.com/v2/organizations/my-org",
    "web_url": "http://buildkite.com/my-org"
  }
}

Optional request body properties:

`description`	A description of the secret Example: `"Updated description"`
`policy`	YAML policy defining access rules. See Access policies for Buildkite secrets for details on policy structure and available claims Example: `"- pipeline_slug: my-pipeline\n build_branch: production"`

Unpermitted request body properties:

`key`	Attempting to update the `key` parameter returns an error: `"The key parameter cannot be updated."`
`value`	Attempting to update the `value` parameter returns an error: `"The value parameter cannot be updated on this endpoint."`

Required scope: write_secrets

Success response: 200 OK

Update a secret's value

Updates a secret's encrypted value only. To update the secret's other details, see Update a secret's description and access policy.

curl -H "Authorization: Bearer $TOKEN" \
  -X PUT "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}/value" \
  -H "Content-Type: application/json" \
  -d '{"value": "new-secret-value"}'

{
  "id": "30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
  "key": "MY_SECRET",
  "description": "Updated description",
  "policy": "- pipeline_slug: my-pipeline\n  build_branch: production",
  "created_at": "2025-10-01T07:43:38.648Z",
  "created_by": {
    "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
    "name": "Staff",
    "email": "test+staff@example.com"
  },
  "updated_at": "2025-10-01T07:44:09.081Z",
  "updated_by": {
    "id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
    "name": "Staff",
    "email": "test+staff@example.com"
  },
  "last_read_at": null,
  "url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
  "cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
  "organization": {
    "id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
    "slug": "my-org",
    "url": "http://api.buildkite.com/v2/organizations/my-org",
    "web_url": "http://buildkite.com/my-org"
  }
}

Required request body properties:

`value`	The new secret value to encrypt and store. Must be less than 8 kilobytes. Cannot be blank. Example: `"new-secret-value"`

Required scope: write_secrets

Success response: 200 OK

Delete a secret

curl -H "Authorization: Bearer $TOKEN" \
  -X DELETE "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}"

Required scope: write_secrets

Success response: 204 No Content