Secrets
Buildkite secrets is an encrypted key-value secrets management service. Secrets are scoped to a Buildkite cluster and can be accessed by agents within that cluster, either with the buildkite-agent secret get command or by defining secrets within a pipeline YAML configuration. Access to secrets is controlled through access policies.
Secret data model
id | ID of the secret
---|---
graphql_id | GraphQL ID of the secret
key | A unique identifier for the secret
value | The encrypted secret value. This field is never returned by the API
description | Description of the secret
policy | YAML policy defining access rules for the secret
url | Canonical API URL of the secret
cluster_url | API URL of the cluster this secret belongs to
created_at | When the secret was created
created_by | User who created the secret
updated_at | When the secret was last updated
updated_by | User who last updated the secret
last_read_at | When the secret was last accessed by a build
organization | Organization this secret belongs to
List secrets
Returns a paginated list of a cluster's secrets.
curl -H "Authorization: Bearer $TOKEN" \
-X GET "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets"
[
{
"id": "9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
"key": "MY_SECRET",
"description": "My secret description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
"created_at": "2025-10-01T06:51:21.067Z",
"created_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"updated_at": "2025-10-01T06:51:21.173Z",
"updated_by": null,
"last_read_at": null,
"url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
"cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
"organization": {
"id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
"slug": "my-org",
"url": "http://api.buildkite.com/v2/organizations/my-org",
"web_url": "http://buildkite.com/my-org"
}
}
]
Required scope: read_secret_details
Success response: 200 OK
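The list response carries enough metadata (policy, updated_at, last_read_at) to review a cluster's secrets without ever reading a value. The following Python sketch is an added example, not part of the Buildkite documentation; the sample records, the thresholds, and the finding names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "List secrets" response (fields trimmed).
SAMPLE = [
    {"key": "MY_SECRET", "policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
     "created_at": "2025-10-01T06:51:21.067Z", "updated_at": "2025-10-01T06:51:21.173Z",
     "last_read_at": "2025-11-28T10:15:00.000Z"},
    {"key": "OLD_TOKEN", "policy": "- pipeline_slug: my-pipeline",
     "created_at": "2025-06-01T00:00:00.000Z", "updated_at": "2025-06-01T00:00:00.000Z",
     "last_read_at": None},
    {"key": "OPEN_SECRET", "policy": "",
     "created_at": "2025-11-20T00:00:00.000Z", "updated_at": "2025-11-20T00:00:00.000Z",
     "last_read_at": "2025-11-25T00:00:00.000Z"},
]
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible


def parse_ts(value):
    """Parse an API timestamp such as 2025-10-01T06:51:21.067Z; null stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_secrets(secrets, now, unused_after=timedelta(days=30),
                  stale_after=timedelta(days=90)):
    """Return (key, finding) pairs for secrets that deserve a review."""
    findings = []
    for s in secrets:
        created = parse_ts(s["created_at"])
        updated = parse_ts(s.get("updated_at")) or created
        last_read = parse_ts(s.get("last_read_at"))
        # Empty policy field: no access rules are recorded on this secret.
        if not (s.get("policy") or "").strip():
            findings.append((s["key"], "no-policy"))
        # last_read_at is null until a build reads the secret.
        if last_read is None:
            if now - created > unused_after:
                findings.append((s["key"], "never-read"))
        elif now - last_read > unused_after:
            findings.append((s["key"], "unused"))
        # updated_at moves on any edit, so an old value here means the
        # secret value itself is at least this old.
        if now - updated > stale_after:
            findings.append((s["key"], "stale"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_secrets(SAMPLE, NOW):
        print(f"{key}: {finding}")
```

Because the list is paginated, run the audit over every page before concluding that a cluster is clean.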
Get a secret
curl -H "Authorization: Bearer $TOKEN" \
-X GET "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}"
{
"id": "9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
"key": "MY_SECRET",
"description": "My secret description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
"created_at": "2025-10-01T06:51:21.067Z",
"created_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"updated_at": "2025-10-01T06:51:21.173Z",
"updated_by": null,
"last_read_at": null,
"url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/9bf7650d-52ba-40e6-a18e-7a34a109f8bc",
"cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
"organization": {
"id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
"slug": "my-org",
"url": "http://api.buildkite.com/v2/organizations/my-org",
"web_url": "http://buildkite.com/my-org"
}
}
Required scope: read_secret_details
Success response: 200 OK
Create a secret
curl -H "Authorization: Bearer $TOKEN" \
-X POST "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets" \
-H "Content-Type: application/json" \
-d '{
"key": "MY_SECRET",
"value": "secret-value",
"description": "My secret description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: main"
}'
{
"id": "30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
"key": "MY_SECRET",
"description": "My secret description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: main",
"created_at": "2025-10-01T07:43:38.648Z",
"created_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"updated_at": "2025-10-01T07:43:38.708Z",
"updated_by": null,
"last_read_at": null,
"url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
"cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
"organization": {
"id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
"slug": "my-org",
"url": "http://api.buildkite.com/v2/organizations/my-org",
"web_url": "http://buildkite.com/my-org"
}
}
Required request body properties:
key | A unique identifier for the secret. Must start with a letter and only contain letters, numbers, and underscores. Cannot start with buildkite or bk (case insensitive). Maximum length is 255 characters. Must be unique within the cluster. Example: "MY_SECRET"
---|---
Optional request body properties:
value | The secret value to encrypt and store. Must be less than 8 kilobytes. Cannot be blank. Example: "secret-value"
---|---
description | A description of the secret. Example: "My secret description"
policy | YAML policy defining access rules. See Access policies for Buildkite secrets for details on policy structure and available claims. Example: "- pipeline_slug: my-pipeline\n  build_branch: main"
Required scope: write_secrets
Success response: 201 Created
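The key and value rules above can be checked before a request is sent, which keeps a rejected payload (and the secret value inside it) out of retry loops and error logs. This Python validator is an added example, not Buildkite's own code; it assumes "letters" means ASCII letters, that "8 kilobytes" means 8192 UTF-8 bytes, and that a whitespace-only value counts as blank. Uniqueness within the cluster can only be checked by the API.

```python
import re

KEY_PATTERN = re.compile(r"[A-Za-z][A-Za-z0-9_]*")  # assumption: ASCII letters
RESERVED_PREFIXES = ("buildkite", "bk")
MAX_KEY_LENGTH = 255
MAX_VALUE_BYTES = 8 * 1024  # assumption: "8 kilobytes" counted as 8192 UTF-8 bytes


def validate_secret_request(body):
    """Return a list of rule violations for a create-secret request body."""
    errors = []
    key = body.get("key")
    if not isinstance(key, str) or key == "":
        errors.append("key: required")
    else:
        if not KEY_PATTERN.fullmatch(key):
            errors.append("key: must start with a letter; letters, numbers, underscores only")
        # The prefix rule is case insensitive, so compare in lower case.
        if key.lower().startswith(RESERVED_PREFIXES):
            errors.append("key: must not start with buildkite or bk")
        if len(key) > MAX_KEY_LENGTH:
            errors.append("key: longer than 255 characters")
    if "value" in body:
        value = body["value"]
        # Assumption: whitespace-only counts as blank.
        if not isinstance(value, str) or value.strip() == "":
            errors.append("value: blank")
        elif len(value.encode("utf-8")) >= MAX_VALUE_BYTES:
            errors.append("value: not less than 8 kilobytes")
    return errors


if __name__ == "__main__":
    # Constructed request bodies; the first mirrors the curl example above.
    for body in ({"key": "MY_SECRET", "value": "secret-value"},
                 {"key": "Bk_deploy", "value": "secret-value"},
                 {"key": "9-lives", "value": " "}):
        print(body["key"], validate_secret_request(body))
```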
Update a secret's description and access policy
Updates a secret's description and access policy. To update its value instead, see Update a secret's value.
curl -H "Authorization: Bearer $TOKEN" \
-X PUT "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}" \
-H "Content-Type: application/json" \
-d '{
"description": "Updated description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: production"
}'
{
"id": "30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
"key": "MY_SECRET",
"description": "Updated description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: production",
"created_at": "2025-10-01T07:43:38.648Z",
"created_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"updated_at": "2025-10-01T07:43:46.949Z",
"updated_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"last_read_at": null,
"url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
"cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
"organization": {
"id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
"slug": "my-org",
"url": "http://api.buildkite.com/v2/organizations/my-org",
"web_url": "http://buildkite.com/my-org"
}
}
Optional request body properties:
description | A description of the secret. Example: "Updated description"
---|---
policy | YAML policy defining access rules. See Access policies for Buildkite secrets for details on policy structure and available claims. Example: "- pipeline_slug: my-pipeline\n  build_branch: production"
Unpermitted request body properties:
key | Attempting to update the key parameter returns an error: "The key parameter cannot be updated."
---|---
value | Attempting to update the value parameter returns an error: "The value parameter cannot be updated on this endpoint."
Required scope: write_secrets
Success response: 200 OK
Update a secret's value
Updates a secret's encrypted value only. To update the secret's other details, see Update a secret's description and access policy.
curl -H "Authorization: Bearer $TOKEN" \
-X PUT "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}/value" \
-H "Content-Type: application/json" \
-d '{"value": "new-secret-value"}'
{
"id": "30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
"key": "MY_SECRET",
"description": "Updated description",
"policy": "- pipeline_slug: my-pipeline\n  build_branch: production",
"created_at": "2025-10-01T07:43:38.648Z",
"created_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"updated_at": "2025-10-01T07:44:09.081Z",
"updated_by": {
"id": "01987d6e-44a6-415c-85d1-c247c938e8d5",
"name": "Staff",
"email": "test+staff@example.com"
},
"last_read_at": null,
"url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/30f93dd5-bc23-4a14-8ad3-fd1920ea8eb5",
"cluster_url": "http://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}",
"organization": {
"id": "0198e45b-c0d5-4a0b-8e37-e140af750d2d",
"slug": "my-org",
"url": "http://api.buildkite.com/v2/organizations/my-org",
"web_url": "http://buildkite.com/my-org"
}
}
Required request body properties:
value | The new secret value to encrypt and store. Must be less than 8 kilobytes. Cannot be blank. Example: "new-secret-value"
---|---
Required scope: write_secrets
Success response: 200 OK
Delete a secret
curl -H "Authorization: Bearer $TOKEN" \
-X DELETE "https://api.buildkite.com/v2/organizations/{org.slug}/clusters/{cluster.id}/secrets/{id}"
Required scope: write_secrets
Success response: 204 No Content