Token security

Supported Buildkite tokens

The following Buildkite tokens are supported by this program.

API access tokens

Buildkite API access tokens are also known as Buildkite user access tokens, whose acronym forms the prefix for these types of tokens.

• Prefix: bkua_
• Example: bkua_MTA.4f6ccde8c73e26244d73c5a77c91c242c0c818ce

Applies to API access tokens created after: March, 2023

Agent session tokens

Buildkite agent session tokens are also known as Buildkite agent access tokens, whose acronym forms the prefix for these types of tokens.

• Prefix: bkaa_
• Example: bkaa_MTA.Miyf6S3a3g9j8pyBGTyLC1frg9k6gDHTJdL9Fy7FXzRhrAVPckkzK6oEmdQVLvzUjt4rvW7cRPJEu

Applies to agent access tokens created after: January, 2025

Agent job tokens

Buildkite agent job tokens form the acronym for the prefix of their values.

• Prefix: bkaj_
• Example: bkaj_eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIwMTk2NjAxYi01YTc0LTRlOTUtYmNhOC0wNjM0M2EyYjkwNzkiLCJhdWQiOiIwMTk2NjAxYi01NDcwLTQ0YWYtYjRmNi0xMjllNTcyNDU1ZTUiLCJpc3MiOiJidWlsZGtpdGUiLCJleHAiOjE3NDcxMDQ5MzgsImlhdCI6MTc0NzEwMTAzOCwib3JnYW5pemF0aW9uX2lkIjoiNjQ4OTlhNjUtMmFiZS00MTRiLTg2MjUtYTljOWE3MjYzZGRjIn0.p-IZUkRWJOkbTuVrxa4yaWrb7b1h-X2KsxfcCRHoxsb8h4rMjc47Ox1InAdku5fCjfdQ5hFKxXF2JUJc-YoWHQ

Unclustered agent tokens

Buildkite unclustered agent tokens are also known as Buildkite agent registration tokens, whose acronym forms the prefix for these types of tokens.

• Prefix: bkar_
• Example: bkar_MTU.D3Efk6R62Fj7uprMGXsGjLhqugSfAXtAvpSjpMsykTzrHQnCH3rKETjo1NJ4yD9cSuGxsW5t3LJ6C

Applies to unclustered agent tokens created after: April, 2025

Agent tokens

Buildkite agent tokens are also known as Buildkite cluster tokens, whose acronym forms the prefix for these types of tokens.

• Prefix: bkct_
• Example: bkct_MTI.nYMxCVxgALbhwoc7pvvMfEURJgXXvzUVrogdmo1NKZqCcUTsmWRUWu9h3tW9j3nRvJ54aXyaKAdf6

Applies to agent tokens created after: April, 2025

Registry tokens

Buildkite registry tokens, are a type of Buildkite Package (Registries) token, whose acronym forms the prefix for these tokens.

• prefix: bkpt_
• example: bkpt_eyJfcmFpbHMiOnsiZGF0YSI6WyIwMTk2NjAyOC04OTk4LTQzZDctOTAyNC1mOGU0YjJhZThiZmEiLCI2MDA5MTFmMS1kZmU0LTRmMDctOGQ5OC0wYWZmMGI5ZDAyMTgiXSwiZXhwIjoiMjAyNS0wNS0xNlQwMjozNjozNC4wNzZaIn19--3116a4b837e78265cc7d3a90a12d90c263729880

Package Registries temporary tokens

Buildkite Package Registries temporary tokens, which are presented on a registry's pages for either publishing packages to the registry or installing specific packages from them. See the relevant Package ecosystem pages to learn more about these types of tokens, which are a type of Buildkite Package (Registries) token, whose acronym forms the prefix for these tokens.

• Prefix: bkpt_
• Example: bkpt_eyJfcmFpbHMiOnsiZGF0YSI6WyIwMTk2NjAzOS0zMGUxLTQ0NmUtOTg4Yi0xNmNjNmQ3ZTlmYmYiLCIwMThmNTZlZi05NTZjLTc0NzAtOTVhNC1lOTE1MDlkMjlmMWUiXSwiZXhwIjoiMjAyNS0wNS0xNlQwMjozNjozNC40MDNaIn19--bb46c0fcd8d9a797df4282403030453043018155

Portal tokens

Buildkite portal tokens cover the following types of tokens:

• Long-lived service tokens, generated when a new portal is created, as well as through the portal's Security page.
• Ephemeral portal tokens, which requires a portal secret to be generated.
• Portal tokens that are user-invoked and scoped.

These types of tokens are also known as Buildkite portal access tokens, whose acronym forms the prefix for these types of tokens.

• Prefix: bkpat_
• Example: bkpat_MTQ_5f6ccde8c73e26244d73c5a77c91c242c0c818ce

Portal secrets

Buildkite portal secrets, whose acronym forms the prefix to their values, are used to generate ephemeral portal tokens, which are a type of portal token.

• Prefix: bkps_
• Example: bkps_Mw_388c52458682d4e2621f28df4b3018f27b130ee6c7a263bbd3f96eb86916