API settings
The API settings endpoints let you read and update an organization's API security settings, mirroring the Security > API settings page in the Buildkite UI.
These endpoints require a read_organization_settings or write_organization_settings access token scope, and the authenticated user must be a Buildkite organization administrator.
Get API settings
curl -H "Authorization: Bearer $TOKEN" \
-X GET "https://api.buildkite.com/v2/organizations/{org.slug}/api-settings"
{
"url": "https://api.buildkite.com/v2/organizations/acme-inc/api-settings",
"allowed_ip_addresses": "192.0.2.0/24 198.51.100.0/24",
"revoke_inactive_tokens_after_days": 90,
"restrict_user_api_token_creation": false,
"features": {
"api_ip_allow_list": true,
"inactive_api_token_revocation": true
}
}
Required scope: read_organization_settings
Success response: 200 OK
Error responses:
403 Forbidden |
The token does not have the read_organization_settings scope, or the authenticated user is not an organization administrator. |
|---|
Update API settings
Updates one or more API security settings for the organization. Include only the fields you want to change. The response contains the full updated settings.
curl -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-X PATCH "https://api.buildkite.com/v2/organizations/{org.slug}/api-settings" \
-d '{
"allowed_ip_addresses": "192.0.2.0/24 198.51.100.0/24",
"revoke_inactive_tokens_after_days": 90,
"restrict_user_api_token_creation": true
}'
{
"url": "https://api.buildkite.com/v2/organizations/acme-inc/api-settings",
"allowed_ip_addresses": "192.0.2.0/24 198.51.100.0/24",
"revoke_inactive_tokens_after_days": 90,
"restrict_user_api_token_creation": true,
"features": {
"api_ip_allow_list": true,
"inactive_api_token_revocation": true
}
}
Required scope: write_organization_settings
Success response: 200 OK
Error responses:
403 Forbidden |
The token does not have the write_organization_settings scope, the authenticated user is not an organization administrator, or the organization's plan does not include the requested plan-gated feature. |
|---|---|
422 Unprocessable Entity |
A field value failed validationโfor example, an IP address not in CIDR notation, a revocation period not in the set of allowed values, or a non-boolean value for restrict_user_api_token_creation. |
Request fields
allowed_ip_addresses |
A space-separated string of CIDR ranges that are permitted to make API requests for this organization. Pass null to remove the allowlist. Requires the API IP allowlist plan feature; returns 403 if the organization is not entitled. |
|---|---|
revoke_inactive_tokens_after_days |
Automatically revokes API tokens that have been inactive for the specified number of days. Accepted values are 30, 60, 90, 180, and 365. Pass null to disable automatic revocation. Requires the inactive API token revocation plan feature; returns 403 if the organization is not entitled. |
restrict_user_api_token_creation |
When true, only organization administrators can create API access tokens. Accepts true or false. |
Response fields
url |
The canonical API URL for this resource. |
|---|---|
allowed_ip_addresses |
The current IP allowlist as a space-separated string of CIDR ranges, or null if no allowlist is configured. |
revoke_inactive_tokens_after_days |
The number of days of inactivity after which API tokens are automatically revoked, or null if automatic revocation is not configured. |
restrict_user_api_token_creation |
Whether non-administrator users are prevented from creating API access tokens. |
features |
A map of plan-gated features for this organization. Each key corresponds to a feature (api_ip_allow_list, inactive_api_token_revocation) and its value is true if the feature is available on the organization's plan, or false if it is not. Use this to distinguish between a setting being configured off and the feature not being available on the plan. |
The IP allowlist takes effect immediately. If you write a CIDR range that does not include your own IP address, your next API request will be rejected. There is no dry-run mode. This matches the behavior of the UI.