Agent v3.104+: OIDC token requests now require Job API socket for redaction
Starting in Agent v3.104.0, OIDC tokens are automatically redacted from build logs by default. This security improvement uses the Job API (a local API exposed over a unix socket) to perform redaction.
By default, the Job API environment variables (BUILDKITE_AGENT_JOB_API_SOCKET and BUILDKITE_AGENT_JOB_API_TOKEN) and socket are available in the job environment. However, when running buildkite-agent oidc request-token in a container or sandbox, these variables and the socket path must be explicitly passed through. See this docker-compose example.
If the Job API is not accessible, the command will fail with:
buildkite-agent: fatal: failed to create Job API client: BUILDKITE_AGENT_JOB_API_SOCKET empty or undefined
Who is affected: Customers using buildkite-agent oidc request-token outside of a standard Buildkite job environment.
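One way to pass the Job API through to a container with docker run, as an added example that is not Buildkite's own script or the linked docker-compose file. The function names and the image argument are hypothetical; the preflight reports a missing variable or socket before the container starts.

```shell
#!/bin/sh
# Added example, not Buildkite's own script.

# Check that the Job API is usable from the current environment.
# Returns 0 when ready; 1, 2 or 3 identify what is missing.
job_api_preflight() {
    if [ -z "${BUILDKITE_AGENT_JOB_API_SOCKET:-}" ]; then
        echo "BUILDKITE_AGENT_JOB_API_SOCKET empty or undefined" >&2
        return 1
    fi
    if [ -z "${BUILDKITE_AGENT_JOB_API_TOKEN:-}" ]; then
        echo "BUILDKITE_AGENT_JOB_API_TOKEN empty or undefined" >&2
        return 2
    fi
    # The variable alone is not enough: the path must exist and be a unix socket.
    if [ ! -S "$BUILDKITE_AGENT_JOB_API_SOCKET" ]; then
        echo "not a unix socket: $BUILDKITE_AGENT_JOB_API_SOCKET" >&2
        return 3
    fi
}

# Hypothetical wrapper: request the token inside a container.
# $1 is an image that contains buildkite-agent (assumption).
request_token_in_container() {
    image="$1"
    job_api_preflight || return $?
    # --env NAME (no value) copies the variable from this environment, so the
    # Job API token is never written into the docker command line.
    # The socket is mounted at the same path the variable points to.
    docker run --rm \
        --env BUILDKITE_AGENT_JOB_API_SOCKET \
        --env BUILDKITE_AGENT_JOB_API_TOKEN \
        --volume "${BUILDKITE_AGENT_JOB_API_SOCKET}:${BUILDKITE_AGENT_JOB_API_SOCKET}" \
        "$image" buildkite-agent oidc request-token
}
```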
Workaround: If you're unable to make the Job API available to buildkite-agent oidc request-token, you can disable automatic redaction with:
buildkite-agent oidc request-token --skip-redaction
If you need to roll back, v3.103.1 does not include this change.
Sorcha