# OIDC authentication

Buildkite Test Engine [test collectors](/docs/test-engine/glossary#test-collector) can use [ephemeral OIDC tokens](/docs/agent/cli/reference/oidc#request-oidc-token) generated by `buildkite-agent` as an alternative to the long-lived suite token associated with each suite.

## Configure a project to use OIDC

For a project that is already configured to use test collection, first set an **OIDC policy** in the settings for the suite you want to upload to, listing the pipelines you want to upload test results from.

```yaml
- iss: "https://agent.buildkite.com"
  claims:
    organization_slug: "your-org"
    pipeline_slug:
      in:
        - "your-pipeline"
        - "another-pipeline"
  scopes:
    - "read_suites"
    - "write_uploads"
```

Add a script to generate and export an OIDC token to `BUILDKITE_ANALYTICS_TOKEN` before each run.

> 📘
> If you use `bktec`, you can skip the following steps. `bktec` [generates OIDC tokens](/docs/test-engine/bktec/installing-and-using-the-client#using-bktec-configure-environment-variables) automatically.

```bash
SUITE_URL="https://buildkite.com/organizations/my-org/analytics/suites/my-project-test-suite"
LIFETIME=300 # Lifetime of tokens in seconds.
BUILDKITE_ANALYTICS_TOKEN=$(buildkite-agent oidc request-token --audience "$SUITE_URL" --lifetime "$LIFETIME")
export BUILDKITE_ANALYTICS_TOKEN
```
{: codeblock-file="generate-test-engine-oidc-token"}

> 📘
> Specify a lifetime that exceeds the duration of your longest expected build script to ensure the token does not expire during the build.

Remove any existing configuration that sets `BUILDKITE_ANALYTICS_TOKEN` and call the token generation script before your build script.

```yaml
steps:
  - label: "Run tests"
    commands:
      - generate-test-engine-oidc-token
      - test-runner-execution-command
```
{: codeblock-file="pipeline.yml"}
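
To diagnose a rejected upload, the following added example (not Buildkite's code) decodes a token's claims and compares them with the policy shape, audience, and lifetime guidance shown above. The matching rules, the `aud` comparison against the suite URL, and all helper names are assumptions. The payload is decoded without signature verification, so this is for diagnostics only and Buildkite's server-side check remains authoritative.

```python
import base64, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_matches(rule, value) -> bool:
    # Assumed semantics: a rule is a literal string or {"in": [...]} as in the policy above.
    if isinstance(rule, dict):
        return value in rule.get("in", [])
    return value == rule

def preflight(token, policy, suite_url, build_seconds, now=None):
    """Return a list of problems; an empty list means the token fits the policy."""
    now = time.time() if now is None else now
    c = decode_claims(token)
    problems = []
    if c.get("iss") != policy["iss"]:
        problems.append(f"iss {c.get('iss')!r} does not match policy")
    if c.get("aud") != suite_url:  # assumes aud is a single string equal to --audience
        problems.append(f"aud {c.get('aud')!r} is not the suite URL")
    for name, rule in policy["claims"].items():
        if not claim_matches(rule, c.get(name)):
            problems.append(f"claim {name}={c.get(name)!r} not allowed by policy")
    if c.get("exp", 0) - now < build_seconds:
        problems.append("token expires before the build is expected to finish")
    return problems

# Constructed sample data: the policy mirrors the YAML above; the token is unsigned filler.
POLICY = {"iss": "https://agent.buildkite.com",
          "claims": {"organization_slug": "your-org",
                     "pipeline_slug": {"in": ["your-pipeline", "another-pipeline"]}}}
SUITE_URL = "https://buildkite.com/organizations/my-org/analytics/suites/my-project-test-suite"

def make_sample_token(pipeline_slug, exp):
    claims = {"iss": "https://agent.buildkite.com", "aud": SUITE_URL,
              "organization_slug": "your-org", "pipeline_slug": pipeline_slug, "exp": exp}
    return ".".join([b64url(b'{"typ":"JWT"}'), b64url(json.dumps(claims).encode()), "sig"])

if __name__ == "__main__":
    print(preflight(make_sample_token("other-pipeline", 1_000_300), POLICY, SUITE_URL, 600, now=1_000_000))
```

Treat the token as a credential while debugging: pass it to the script through the environment rather than echoing it into build logs.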
