Skip to main content
Version: 1.0.x

Agent configuration

Agents are configured by the command line or environment variables. At the minimum you need the following information:

# docker-compose.yml
version: '3'

- woodpecker-agent-config:/etc/woodpecker
+ - WOODPECKER_SERVER=localhost:9000
+ - WOODPECKER_AGENT_SECRET="your-shared-secret-goes-here"

The following are automatically set and can be overridden:

  • WOODPECKER_HOSTNAME if not set, becomes the OS' hostname
  • WOODPECKER_MAX_WORKFLOWS if not set, defaults to 1

Processes per agentโ€‹

By default the maximum processes that are run per agent is 1. If required you can add WOODPECKER_MAX_WORKFLOWS to increase your parallel processing on a per-agent basis.

# docker-compose.yml
version: '3'

- WOODPECKER_SERVER=localhost:9000
- WOODPECKER_AGENT_SECRET="your-shared-secret-goes-here"

Agent registration on serverโ€‹

When the agent starts, it connects to the server using token from WOODPECKER_AGENT_SECRET. The server identifies agent and, if such agent doesn't exist, register him. There are two types of token, so would be two ways of agent registration.

Using system tokenโ€‹

System token is a token that is used system-wide, e. g. when you set the same token in WOODPECKER_AGENT_SECRET on both the server and the agents.

In that case registration process would be as follows:

  1. First time Agent communicates with Server using system token;
  2. Server registers Agent in DB, generates ID and sends this ID back to Agent;
  3. Agent stores ID in a file configured by WOODPECKER_AGENT_CONFIG_FILE.

At the following startups Agent uses system token and ID.

Using agent tokenโ€‹

Agent token is a token that is used by only particular agent. This unique token also configured by WOODPECKER_AGENT_SECRET, but only on the agent side.

In that case you probably doesn't configure WOODPECKER_AGENT_SECRET on the server side. The registration process would be as follows:

  1. Administrator registers Agent manually in Server settings - Agents - Add agent; Agent creation Agent created
  2. The token generated in previous step have to be provided to Agent in WOODPECKER_AGENT_SECRET;
  3. First time Agent communicates with Server using agent token;
  4. Server identifies Agent by the token and fills additional information provided by Agent; Agent connected

At following startups Agent uses own token only.

All agent configuration optionsโ€‹

Here is the full list of configuration options and their default variables.


Default: localhost:9000

Configures gRPC address of the server.


Default: x-oauth-basic

The gRPC username.


Default: empty

A shared secret used by server and agents to authenticate communication. A secret can be generated by openssl rand -hex 32.


Default: empty

Read the value for WOODPECKER_AGENT_SECRET from the specified filepath, e.g. /etc/woodpecker/agent-secret.conf


Default: empty

Configures the logging level. Possible values are trace, debug, info, warn, error, fatal, panic, disabled and empty.


Default: false

Enable pretty-printed debug output.


Default: true

Disable colored debug output.


Default: empty

Configures the agent hostname.


Default: /etc/woodpecker/agent.conf

Configures the path of the agent config file.


Default: 1

Configures the number of parallel workflows.


Default: empty

Configures labels to filter pipeline pick up. Use a list of key-value pairs like key=value,second-key=*. * can be used as a wildcard. By default agents provide three additional labels platform=os/arch, hostname=my-agent and repo=* which can be overwritten if needed. To learn how labels work check out the pipeline syntax page.


Default: true

Enable healthcheck endpoint.


Default: :3000

Configures healthcheck endpoint address.


Default: empty

After a duration of this time of no activity, the agent pings the server to check if the transport is still alive.


Default: 20s

After pinging for a keepalive check, the agent waits for a duration of this time before closing the connection if no activity.


Default: false

Configures if the connection to WOODPECKER_SERVER should be made using a secure transport.


Default: true

Configures if the gRPC server certificate should be verified, only valid when WOODPECKER_GRPC_SECURE is true.


Default: auto-detect

Configures the backend engine to run pipelines on. Possible values are auto-detect, docker, local, ssh or kubernetes.


See Docker backend configuration


See SSH backend configuration


See Kubernetes backend configuration

Advanced Settingsโ€‹


Only change these If you know what you do.


Default: 5

Configures number of times agent retries to connect to the server.


Default: 2s

Configures delay between agent connection retries to the server.