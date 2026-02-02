Agent v3.104+: OIDC token requests now require Job API socket for redaction
Starting in Agent v3.104.0, OIDC tokens are automatically redacted from build logs by default. This security improvement uses the Job API (a local API exposed over a unix socket) to perform redaction.
By default, the Job API environment variables (
BUILDKITE_AGENT_JOB_API_SOCKET and
BUILDKITE_AGENT_JOB_API_TOKEN) and socket are available in the job environment. However, when running
buildkite-agent oidc request-token in a container or sandbox, these variables and the socket path must be explicitly passed through. See this docker-compose example.
If the Job API is not accessible, the command will fail with:
buildkite-agent: fatal: failed to create Job API client: BUILDKITE_AGENT_JOB_API_SOCKET empty or undefined
Who is affected: Customers using
buildkite-agent oidc request-token outside of a standard Buildkite job environment.
Workaround: If you're unable to make the Job API available to
buildkite-agent oidc request-token, you can disable automatic redaction with:
buildkite-agent oidc request-token --skip-redaction
If you need to roll back, v3.103.1 does not include this change.
