Skip to main content

Set up the Buildkite MCP server

The Buildkite MCP server gives AI agents access to your pipelines, builds, and agents. Buildkite hosts it at two endpoints — one using OAuth, where users authorize in the browser, and one using long-lived API tokens. This guide covers setting up both and explains which to choose.

Prerequisites

  • A MintMCP admin account
  • A Buildkite account (sign up at buildkite.com)

Which option should I use?

OAuthAPI token
Store listingBuildkite (OAuth)Buildkite (API token)
How users authenticateAuthorize through Buildkite in the browser on first connect — no token to createCreate an API access token in Buildkite and paste it on first connect
Credential lifetimeAccess tokens expire after 12 hours; users re-authorize when promptedLong-lived — revoke manually when no longer needed
Works without an interactive loginNo — requires a browser authorize flowYes — suitable for headless agents and background services

Add Buildkite to MintMCP

Both options are pre-listed as recommended servers in the MintMCP MCP store.

Buildkite (OAuth) is pre-listed as a recommended server in the MintMCP MCP store. Buildkite supports dynamic client registration, so MintMCP registers automatically on first connect — no app creation or token needed.

  1. In MintMCP, go to MCP store > Manage store.
  2. Find Buildkite (OAuth) in the recommended servers list.
  3. Click Approve.

When users first connect, they select their Buildkite organization and authorize access. OAuth access tokens expire after 12 hours; users re-authorize when prompted.

IP allowlists

If your Buildkite organization has an API IP allowlist configured, add Buildkite's egress IP addresses to it — the remote MCP server makes requests from Buildkite's own infrastructure. Current egress IPs are available at api.buildkite.com/v2/meta.

Security considerations

  • API access tokens are shown only once at creation — copy the value before leaving the page.
  • Apply the minimum scopes required by your agent. Read-only scopes are sufficient for most query operations.
  • Revoke API tokens at buildkite.com/user/api-access-tokens when they are no longer needed.
  • OAuth tokens are short-lived (12 hours), which limits the exposure window if a token is intercepted.
  • Per-user auth (both OAuth and API tokens) ties each tool call to an individual Buildkite identity, so actions are auditable per user.

Next steps