1. Resources
  2. /
  3. Changelog
  4. /
  5. Read-only API tokens no longer expose pipeline webhook URLs

Read-only API tokens no longer expose pipeline webhook URLs

Read-only API access tokens no longer return a pipeline's webhook_url in REST and GraphQL responses.

Previously, a read_only token created by someone with pipeline write access could still retrieve the webhook_url. Because that URL can be used to trigger builds, a token intended to be read-only could effectively grant write access.

Buildkite now checks both the token's scope and its creator's permissions, applying whichever is more restrictive.

This is a breaking change if you rely on reading a pipeline's webhook_url using a read-only token. Update that automation to use a token with pipeline write scope instead.

For more on token scopes, see the managing API tokens documentation.

Jonathan

Atom feed

Start turning complexity into an advantage

Create an account to get started for free.

Get started free
Buildkite Pipelines

Platform

  1. Pipelines
  2. Public pipelines
  3. Test Engine
  4. Package Registries
  5. Mobile Delivery Cloud
  6. Pricing

Hosting options

  1. Self-hosted agents
  2. Mac hosted agents
  3. Linux hosted agents

Resources

  1. Docs
  2. Blog
  3. Changelog
  4. Example pipelines
  5. Plugins
  6. Webinars
  7. Case studies
  8. Events
  9. Migration Services
  10. CI/CD perspectives

Company

  1. About
  2. Careers
  3. Press
  4. Security
  5. Brand assets
  6. Contact

Solutions

  1. Replace Jenkins
  2. Workflows for MLOps
  3. Testing at scale
  4. Monorepo mojo
  5. Bazel orchestration

Legal

  1. Terms of Service
  2. Acceptable Use Policy
  3. Privacy Policy
  4. Subprocessors
  5. Service Level Agreement
  6. Supplier Code of Conduct
  7. Modern Slavery Statement

Support

  1. System status
  2. Forum
© Buildkite Pty Ltd 2026