Token security

Buildkite is a member of the GitHub secret scanning program.

If you have enabled GitHub Secret Protection for repositories in your GitHub organization, GitHub will automatically scan these private or public repositories within your GitHub organization for Buildkite tokens and notify you if any are found.

In the case of Buildkite API access tokens (bkua_) leaked on public repositories, GitHub will notify Buildkite directly, any valid tokens will be automatically revoked, and their owners and associated organizations will be notified.

If you are notified of any other tokens, please contact Buildkite support.

Supported Buildkite tokens

The following Buildkite tokens are supported by this program.

API access tokens

Buildkite API access tokens are also known as Buildkite user access tokens, whose acronym forms the prefix for these types of tokens.

  • Prefix: bkua_
  • Example: bkua_*****************************************************

Applies to API access tokens created after: March, 2023

Agent session tokens

Buildkite agent session tokens are also known as Buildkite agent access tokens, whose acronym forms the prefix for these types of tokens.

  • Prefix: bkaa_
  • Example: bkaa_***************************************************************************

Applies to agent access tokens created after: January, 2025

Agent job tokens

The acronym for Buildkite agent job tokens forms the prefix of their values.

  • Prefix: bkaj_
  • Example: bkaj_*********************************************************************************************************************************************************************************************************************************************************************************************************************************************

Unclustered agent tokens

Buildkite unclustered agent tokens are also known as Buildkite agent registration tokens, whose acronym forms the prefix for these types of tokens.

  • Prefix: bkar_
  • Example: bkar_*************************************************************************

Applies to unclustered agent tokens created after: April, 2025

Agent tokens

Buildkite agent tokens are also known as Buildkite cluster tokens, whose acronym forms the prefix for these types of tokens.

  • Prefix: bkct_
  • Example: bkct_*************************************************************************

Applies to agent tokens created after: April, 2025

Registry tokens

Buildkite registry tokens are a type of Buildkite Package (Registries) token, whose acronym forms the prefix for these tokens.

  • Prefix: bkpt_
  • Example: bkpt_*******************************************************************************************************************************************************************************************************

Package Registries temporary tokens

Buildkite Package Registries temporary tokens are presented on a registry's pages for either publishing packages to the registry or installing specific packages from it. See the relevant Package ecosystem pages to learn more about these types of tokens, which are a type of Buildkite Package (Registries) token, whose acronym forms the prefix for these tokens.

  • Prefix: bkpt_
  • Example: bkpt_*******************************************************************************************************************************************************************************************************

Portal tokens

Buildkite portal tokens cover the following types of tokens:

These types of tokens are also known as Buildkite portal access tokens, whose acronym forms the prefix for these types of tokens.

  • Prefix: bkpat_
  • Example: bkpat_******************************************************

Portal secrets

Buildkite portal secrets, whose acronym forms the prefix to their values, are used to generate ephemeral portal tokens, which are a type of portal token.

  • Prefix: bkps_
  • Example: bkps_****************************************************************
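
A local pre-commit style check built on the prefixes listed above, added here as an example and not Buildkite's or GitHub's own scanner. The body pattern (20 or more characters from `[A-Za-z0-9_.-]`) is an assumption, since this page gives only the prefixes, and the sample text is constructed.

```python
import re

# Prefixes and token names as listed on this page.
PREFIXES = {
    "bkua_": "API access token",
    "bkaa_": "Agent session token",
    "bkaj_": "Agent job token",
    "bkar_": "Unclustered agent token",
    "bkct_": "Agent token",
    "bkpt_": "Registry or Package Registries temporary token",
    "bkpat_": "Portal token",
    "bkps_": "Portal secret",
}

# Assumption: a token body is 20+ characters from [A-Za-z0-9_.-]; the page
# does not state the alphabet or length. The lookbehind rejects prefixes
# embedded in longer identifiers; masked doc examples ('*') never match.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(PREFIXES) + r")([A-Za-z0-9_.\-]{20,})"
)

SAMPLE = """\
# constructed sample text, none of these are real tokens
export BUILDKITE_API_TOKEN=bkua_0123456789abcdef0123456789abcdef01234567
docs example: bkua_*****************************************
token: "bkpat_AbCdEfGhIjKlMnOpQrStUvWxYz012345"
unrelated: mybkct_notatoken_0123456789abcdefghij
short: bkps_abc
"""

def scan(text):
    """Return one finding per candidate token, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            prefix, body = m.group(1), m.group(2).rstrip(".")
            # Per this page: only bkua_ tokens leaked on public repositories
            # are revoked automatically; for any other token, contact support.
            action = ("revoked automatically if leaked on a public repository"
                      if prefix == "bkua_" else "contact Buildkite support")
            findings.append({"line": lineno, "type": PREFIXES[prefix],
                             "redacted": prefix + body[:4] + "...",
                             "action": action})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run it over staged file contents before a commit; a finding means the value should be removed from the change before it reaches a repository.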