Resources/The Agent API Atlas/Developer/Jenkins

Everything an AI agent can do with the Jenkins API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints21

AuthenticationAPI token

Last updated23 June 2026

Orientation

How the Jenkins API works.

The Jenkins API is how an app or AI agent works with a Jenkins controller: reading a job and its builds, triggering a build with or without parameters, fetching console output, and creating, copying, or deleting jobs. Access is granted through a Jenkins user account and an API token sent over HTTP Basic authentication, and that account's matrix or role permissions are the boundary on everything it can do, since Jenkins has no per-endpoint scopes. The API has no version number of its own, and each controller reports its Jenkins release in a response header.

21Endpoints

6Capability groups

12Read

9Write

0Permissions

Authentication

Calls use HTTP Basic authentication with a Jenkins username and a personal API token generated on that user's account page. The token carries the same permissions as the user and, unlike a password, is exempt from CSRF crumb checks, which is why it is the recommended credential for automation. Password authentication also works but requires a CSRF crumb on every POST.

Permissions

Jenkins has no per-endpoint API scopes. Access is governed entirely by the matrix-based or role-based permissions on the user account the token belongs to, such as Job/Read, Job/Build, Job/Configure, Job/Create, Job/Delete, Overall/Read, and Overall/Administer. Permissions are additive across a user's groups, and an agent can do exactly what its user account is allowed to do, no more and no less. That account is the security boundary.

Versioning

The remote access API has no version string in its paths and is not separately versioned. Each Jenkins controller runs a specific Jenkins release and reports it in the X-Jenkins response header, and the API reflects whatever that release and its installed plugins expose. There is no header or path to pin a fixed API version.

Data model

The API mirrors the Jenkins URL tree: appending /api/json, /api/xml, or /api/python to a controller, job, build, node, or view URL returns that object. Jobs live under /job/{name}, builds under /job/{name}/{number}, agents under /computer, plugins under /pluginManager, and views under /view/{name}. The tree and depth query parameters shape how much of the object graph a response includes.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Jenkins determines what it can reach. There are several routes, each tied to a Jenkins user account and the matrix or role permissions that account carries.

Ways to connect

Remote access API

Jenkins exposes a remote access API by appending /api/ to almost any controller, job, or build URL. The same resource is available as JSON, XML, or a Python-compatible variant, and the tree and depth query parameters trim or expand the data returned.

Best forConnecting an app or AI agent to a Jenkins controller.

Governed byThe Jenkins user account and its matrix or role permissions.

Docs ↗

MCP server (Model Context Protocol)

The Jenkins community ships a first-party MCP Server plugin, jenkinsci/mcp-server-plugin, that lets an AI assistant call Jenkins through the Model Context Protocol. It implements MCP spec 2025-06-18 and exposes tools such as getJob, getJobs, triggerBuild, getBuild, and getBuildLog. The streamable HTTP endpoint is /mcp-server/mcp on the controller, and it authenticates with a Jenkins user and API token.

Best forConnecting an AI assistant to Jenkins in natural language.

Governed byThe Jenkins user account and its matrix or role permissions.

Docs ↗

Notification plugins (event push)

Jenkins core does not push events, but plugins such as the Notification plugin post a JSON payload to a receiver URL when a build starts or finishes, so an app does not have to poll for the latest result.

Best forReceiving build start and finish events without polling.

Governed byThe notification target configured on the job.

Docs ↗

Authentication

User and API token

An API token is generated on a Jenkins user's account page and sent with that username over HTTP Basic authentication. It carries the same permissions as the user, and unlike a password it is exempt from CSRF crumb checks, which makes it the recommended choice for scripts and automation.

TokenPersonal API token

Best forScripted and automated access

Docs ↗

User and password

HTTP Basic authentication with a username and password also works, but password requests are subject to CSRF protection and so need a crumb on every POST. An API token avoids that and never exposes the account password.

TokenAccount password

Best forInteractive testing rather than automation

Docs ↗

Capability map

What an AI agent can do in Jenkins.

The Jenkins API is organised around the things a controller manages, such as jobs, builds, the build queue, agent computers, plugins, and views. What an agent can do in each area is decided by the permissions on the user account it authenticates as, not by per-method scopes.

Jobs

10 endpoints

Read a job's details, trigger a build with or without parameters, read and update a job's config.xml, and create, copy, delete, enable, or disable a job.

Writes here change real job configuration and start real builds.

View endpoints →

Builds

3 endpoints

Read details and console output for a specific build, and read the most recent build of a job.

Reads here expose build logs, which can contain secrets or environment data.

View endpoints →

Build queue

2 endpoints

Read the items waiting in the build queue and cancel a queued item before it starts.

Cancelling a queued item stops a build that has not yet run.

View endpoints →

Computers & nodes

2 endpoints

Read the controller and its build agents, the executor state, and the details of a single node.

Reads here expose the controller's agents and their configuration.

View endpoints →

System & plugins

3 endpoints

Read top-level controller information, list installed plugins, and fetch a CSRF crumb.

Reads here expose the controller's installed plugins and version.

View endpoints →

Views

1 endpoint

Read the jobs grouped inside a view on the Jenkins dashboard.

Reads here expose how jobs are organised on the dashboard.

View endpoints →

Endpoint reference

Every Jenkins API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Jobs Read a job's details, trigger a build with or without parameters, read and update a job's config.xml, and create, copy, delete, enable, or disable a job.10
GET	`/job/{name}/api/json`	Get a job's details, including its builds, health, and parameters.	read	—	Current
Appending /api/json, /api/xml, or /api/python to a job URL returns it in that format. The depth and tree query parameters control how much nested data is returned. Permission: Job/Read. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/job/{name}/build`	Trigger a new build of a job.	write	—	Current
On a multibranch pipeline or organization folder this triggers a scan instead. Username and API token authentication is exempt from CSRF, so no crumb is needed. Permission: Job/Build. Acts onbuild Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/job/{name}/buildWithParameters`	Trigger a build of a parameterized job, passing string or file parameters.	write	—	Current
Parameters are sent as form fields; file parameters use a multipart form. Permission: Job/Build. Acts onbuild Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/job/{name}/config.xml`	Fetch a job's full configuration as XML.	read	—	Current
The config.xml is the job's complete definition, often used as a template for creating other jobs. Permission: Job/ExtendedRead (or Job/Configure). Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/job/{name}/config.xml`	Replace a job's configuration by posting a new config.xml.	write	—	Current
The request body is the full XML configuration, sent with an XML content type. Permission: Job/Configure. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/createItem`	Create a job from a posted config.xml, named by the name query parameter.	write	—	Current
Called as /createItem?name={job}. Inside a folder the path is prefixed with that folder, such as /job/{folder}/createItem. Permission: Job/Create. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/createItem`	Copy an existing job into a new one.	write	—	Current
Called as /createItem?name={new}&mode=copy&from={existing}. The from parameter applies only when mode is copy. Permission: Job/Create. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/job/{name}/doDelete`	Delete a job and its build history.	write	—	Current
Deletion is permanent and removes the job's recorded builds. Permission: Job/Delete. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/job/{name}/enable`	Enable a disabled job so it can run again.	write	—	Current
Permission: Job/Configure. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/job/{name}/disable`	Disable a job so it cannot be triggered.	write	—	Current
A disabled job stays configured but will not start builds until enabled. Permission: Job/Configure. Acts onjob Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Builds Read details and console output for a specific build, and read the most recent build of a job.3
GET	`/job/{name}/{number}/api/json`	Get the details of a specific build by its number.	read	—	Current
Aliases such as lastBuild, lastSuccessfulBuild, and lastStableBuild can be used in place of a number. Permission: Job/Read. Acts onbuild Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/job/{name}/lastBuild/api/json`	Get the details of a job's most recent build.	read	—	Current
Other aliases include lastSuccessfulBuild and lastFailedBuild. Permission: Job/Read. Acts onbuild Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/job/{name}/{number}/consoleText`	Fetch the plain-text console output of a build.	read	—	Current
Console output can contain secrets, file paths, and environment data printed during the build. Permission: Job/Read. Acts onbuild Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Build queue Read the items waiting in the build queue and cancel a queued item before it starts.2
GET	`/queue/api/json`	List the items currently waiting in the build queue.	read	—	Current
Each queue item carries an id that can be used to query or cancel it. Permission: Overall/Read. Acts onqueue item Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/queue/cancelItem`	Cancel a queued item before it starts running.	write	—	Current
Called as /queue/cancelItem?id={id} with the queue item id. Permission: Job/Cancel. Acts onqueue item Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Computers & nodes Read the controller and its build agents, the executor state, and the details of a single node.2
GET	`/computer/api/json`	List the controller and its build agents, with executor and offline state.	read	—	Current
The set of computers shown depends on the calling user's node permissions. Permission: Agent/Connect (read of the node list). Acts oncomputer Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/computer/{name}/api/json`	Get the details of a single build node.	read	—	Current
The built-in controller node is addressed as (built-in), URL-encoded in the path. Permission: Agent/Connect. Acts oncomputer Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
System & plugins Read top-level controller information, list installed plugins, and fetch a CSRF crumb.3
GET	`/api/json`	Get top-level controller information, including its jobs, views, and node mode.	read	—	Current
The X-Jenkins response header on this and any page reports the controller's version. Permission: Overall/Read. Acts oncontroller Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/pluginManager/api/json`	List the plugins installed on the controller.	read	—	Current
Use the depth parameter to include each plugin's version and enabled state. Reading the plugin manager requires administrator access. Permission: Overall/Administer. Acts onplugin Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/crumbIssuer/api/json`	Fetch a CSRF crumb for use on later POST requests.	read	—	Current
The crumb is sent on later POSTs in the Jenkins-Crumb header. Requests authenticated with an API token are exempt from CSRF and do not need a crumb. Permission: Overall/Read. Acts oncrumb Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Views Read the jobs grouped inside a view on the Jenkins dashboard.1
GET	`/view/{name}/api/json`	Get a view and the jobs grouped inside it.	read	—	Current
A view is a saved grouping of jobs shown as a tab on the dashboard. Permission: View/Read. Acts onview Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Jenkins core does not push events on its own. With a notification plugin installed, Jenkins can post a payload to a receiver URL when a build starts or finishes, instead of an app repeatedly asking for the latest build.

Event	What it signals	Triggered by

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Jenkins is self-hosted, so it sets no fixed request quota by default. How fast an app or AI agent can call is bounded by the controller's own capacity and any reverse proxy or plugin limits an administrator adds.

Request rate

Jenkins is self-hosted and applies no built-in request quota or rate limit by default. How fast an app or AI agent can call is set by the controller's own hardware and configuration, and by any reverse proxy, load balancer, or plugin an administrator places in front of it. Heavy polling of large jobs is best narrowed with the tree query parameter so each response carries only the needed fields, which lowers the load a controller has to handle.

Pagination

The API does not paginate in the usual page-by-page sense. A list resource, such as a job's builds or the queue, returns its items in one response, and the depth parameter pulls in nested objects while the tree parameter selects exactly which fields and sub-fields come back. Build history can be sliced with range syntax such as builds[0,10] inside a tree expression.

Request size

There is no fixed payload size limit defined by the API itself. A deep request, made with a high depth value, can return a very large document, so the tree parameter is the recommended way to keep responses small. Console output is returned in full as plain text and can be large for long builds.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
401	`Unauthorized`	Authentication is missing or invalid. The username and API token were not supplied or were rejected.	Send the username and a valid API token over HTTP Basic authentication.
403	`Forbidden`	The account is authenticated but lacks the permission for this action, or a POST was made without a valid CSRF crumb when using password authentication.	Grant the user the needed permission in the security matrix, or use an API token, which is exempt from the crumb requirement.
404	`Not Found`	The job, build, node, or view in the path does not exist, or the account cannot see it.	Confirm the item name and path, remembering that jobs inside a folder are addressed as /job/{folder}/job/{name}.
500	`Internal Server Error`	The controller hit an error handling the request, sometimes returned as an HTML stack trace rather than JSON.	Check the controller's system log for the cause, then retry once the underlying issue is fixed.

Versioning & freshness

Version history.

The Jenkins remote access API has no version number in its paths. Each Jenkins controller reports its own release in the X-Jenkins response header, and the API tracks whatever that release exposes.

Version history

What changed, and when

Latest versionCurrent

CurrentCurrent version

Unversioned remote access API

The Jenkins remote access API has no version number. Each controller runs a specific Jenkins weekly or LTS release and reports it in the X-Jenkins response header, and the API reflects whatever that release and its installed plugins expose. The notable dated changes below come from the security and tooling around the API rather than from a versioned API surface.

What changed

Appending /api/json, /api/xml, or /api/python to any resource URL returns it in that format
The tree and depth query parameters shape how much of the object graph a response includes
Access is governed by the calling user's matrix or role permissions, not by per-endpoint scopes

2025-06-18Feature update

First-party MCP Server plugin

The Jenkins community released the MCP Server plugin, which turns a controller into a Model Context Protocol server for AI assistants. It implements MCP spec 2025-06-18, recommends the streamable HTTP transport at /mcp-server/mcp, and exposes tools such as getJob, getJobs, triggerBuild, getBuild, and getBuildLog, all authenticated with a username and API token.

What changed

Added a first-party way for AI assistants to call Jenkins through the Model Context Protocol
Implements MCP specification 2025-06-18 on the MCP Java SDK
Exposes job and build tools, governed by the same user permissions as the REST API

2018-04-11Feature update

API tokens decoupled and CSRF crumbs hardened

From this period Jenkins reworked API tokens so they are generated and revoked independently of the account password, and tightened CSRF protection, with API token requests treated as exempt from the crumb requirement. This made a user-plus-API-token the recommended credential for the remote access API over username and password.

What changed

API tokens became revocable and independent of the account password
Requests authenticated with an API token were made exempt from CSRF crumb checks
User-plus-API-token established as the recommended automation credential

An integration reads the X-Jenkins header to learn the controller's release rather than pinning an API version.

Jenkins changelog ↗

Questions

Jenkins API, answered.

How do I authenticate to the Jenkins API?+

Use HTTP Basic authentication with a Jenkins username and a personal API token, generated on the user's account configuration page. The token has the same permissions as the user but is exempt from CSRF crumb checks, so it is the cleanest choice for scripts. A username and password also work, but every POST then needs a CSRF crumb fetched from the crumb issuer.

What is a crumb, and do I need one?+

A crumb is a CSRF token Jenkins requires on state-changing POST requests to confirm they are intentional. It is fetched from /crumbIssuer/api/json and sent back in the Jenkins-Crumb header. Requests authenticated with an API token are exempt from CSRF protection, so a crumb is only needed when authenticating with a username and password.

What permissions does an agent need, and are there API scopes?+

Jenkins has no per-endpoint API scopes. An agent can do exactly what the user account behind its token is allowed to do under the controller's matrix-based or role-based security, such as Job/Read to view a job, Job/Build to trigger one, and Job/Configure, Job/Create, or Job/Delete to change jobs. The fix for a 403 is to grant the missing permission to that user, not to request a different scope.

Does Jenkins have a rate limit?+

Jenkins core sets no request quota; it is self-hosted, so throughput is bounded by the controller's hardware and any proxy or plugin limits an administrator adds. To keep load down, narrow each call with the tree query parameter so only the needed fields are returned, rather than fetching deep documents with a high depth value.

How do I receive build events instead of polling?+

Jenkins core does not push events. Installing a plugin such as the Notification plugin lets a job post a JSON payload to a receiver URL when a build starts or finishes, which removes the need to poll for the latest result. Without such a plugin, an app reads build status by requesting the job or build resource.

Is there an official MCP server for Jenkins?+

Yes. The Jenkins community ships a first-party MCP Server plugin, jenkinsci/mcp-server-plugin, that turns a controller into a Model Context Protocol server. It implements MCP spec 2025-06-18, serves a streamable HTTP endpoint at /mcp-server/mcp, authenticates with a username and API token, and exposes tools such as getJob, getJobs, triggerBuild, getBuild, and getBuildLog.

How do I get JSON instead of XML?+

Append /api/json to a resource URL, or /api/xml for XML and /api/python for the Python-compatible variant. The depth parameter controls how many levels of nested objects are returned, and the tree parameter selects exactly which fields come back, which keeps responses small and fast.

What is Bollard AI?

Control what every AI agent can do in Jenkins.

Bollard AI sits between a team's AI agents and Jenkins. Grant each agent exactly the access it needs, read or write, job by job, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Jenkins user and API token.
Denied by default, so an agent reaches only the jobs and actions explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Jenkins access in Bollard Browse all APIs →

Jenkins

Release Agent

Read job and build status ResourceOffReadFull use

Trigger a build ActionOffReadFull use

Create, copy, or delete jobs ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Jenkins

How the Jenkins API works.

Connection & authentication methods.

Remote access API

MCP server (Model Context Protocol)

Notification plugins (event push)

User and API token

User and password

What an AI agent can do in Jenkins.

Jobs

Builds

Build queue

Computers & nodes

System & plugins

Views

Every Jenkins API method.

Jobs

Builds

Build queue

Computers & nodes

System & plugins

Views

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Jenkins API, answered.

More developer API guides for agents

DigitalOcean

GitHub

Make

Datadog

LaunchDarkly

Gitea

Control what every AI agent can do in Jenkins.