> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up the Buildkite MCP server

> Create a Buildkite API access token, then register the Buildkite MCP server in C1 and govern the tools it exposes.

<Note>
  **Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough.
</Note>

The Buildkite MCP server lets you govern access to Buildkite — organizations, pipelines, builds, jobs, agents, and clusters — as tools your AI clients can call through C1.

Buildkite authenticates with an API access token. A single token authenticates everyone, so all tool calls reach Buildkite as one shared identity.

## How C1 connects to Buildkite

C1 hosts the Buildkite MCP server, so your users' AI clients only ever see MCP tools — they never call Buildkite directly. When an AI client calls one of these tools, C1 makes the matching request to the Buildkite API using the credentials you configure here, then returns the result to the AI client.

The credentials you set up below are what C1 uses to call Buildkite on your users' behalf.

## Before you begin

* AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management).
* A Buildkite account that can create an API access token with access to the organizations you want to govern.

<Note>
  If you don't see **Buildkite** in your MCP server catalog, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant.
</Note>

## Create a Buildkite API access token

Create an API access token in Buildkite so C1 can authenticate to the Buildkite API.

<Steps>
  <Step>
    Sign in to Buildkite and open **Personal Settings** > **API Access Tokens**. For details, see Buildkite's [Managing API access tokens](https://buildkite.com/docs/apis/managing-api-tokens) documentation.
  </Step>

  <Step>
    Select **New API Access Token**.
  </Step>

  <Step>
    Give the token a recognizable description such as `C1`, then choose the **organizations** it can access.
  </Step>

  <Step>
    Select the **REST API scopes** the token needs for the operations you plan to govern, such as reading builds, pipelines, and agents.
  </Step>

  <Step>
    Create the token and copy it. Buildkite shows the token only once.
  </Step>
</Steps>

For a shared production setup, create the token from a dedicated service account so activity is attributable to C1 rather than a person.

## How Buildkite credentials are shared

Every user's tool calls use the one API access token you provided, so Buildkite sees a single shared identity. C1 still attributes each call to the individual user in the [AI tool usage audit log](/product/admin/audit-ai-tool-usage). For a shared setup, use a dedicated service account so activity is attributable to C1 rather than a person.

For how shared and per-user credentials work across MCP servers, see [Configure authentication](/product/admin/mcp-servers#configure-authentication).

## Register the Buildkite MCP server in C1

With your API access token ready, register the server and provide your credentials.

<Steps>
  <Step>
    Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Buildkite** from the catalog.
  </Step>

  <Step>
    When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **Bearer token** and paste your API access token.
  </Step>

  <Step>
    Save your changes. C1 starts a sync that discovers the tools the Buildkite server exposes.
  </Step>
</Steps>

## Discover and govern tools

After you register the server, C1 runs tool discovery against Buildkite. Discovered tools appear on the server's **Tools** tab.

Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **Settings** > **AI Connections**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification).

Before anyone can call a Buildkite tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up.

<Note>
  Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Buildkite credentials when an approved user successfully calls a Buildkite tool from their AI client.
</Note>

## Manage your Buildkite credentials

* **Rotate the API access token** by creating a new token on your Buildkite **API access tokens** page and updating it in C1, then revoking the old token.
* **Adjust access** by editing the token's organizations and REST API scopes in Buildkite.
