|
| 1 | +--- |
| 2 | +title: Organization access tokens |
| 3 | +description: Learn how to create and manage organization access tokens |
| 4 | + to securely push and pull images programmatically. |
| 5 | +keywords: docker hub, security, OAT, organization access token |
| 6 | +--- |
| 7 | + |
| 8 | +> [!NOTE] |
| 9 | +> |
| 10 | +> Organization access tokens require a |
| 11 | +> [Docker Team, or Business subscription](/subscription/core-subscription/details/). |
| 12 | +
|
| 13 | +Organization access tokens (OATs) are like [personal access tokens |
| 14 | +(PATs)](/security/for-developers/access-tokens/), but are associated with an |
| 15 | +organization and not a single user account. Use OATs instead of PATs to let |
| 16 | +business-critical tasks access Docker Hub repositories without connecting the |
| 17 | +access token to single user. Common use cases for OATs include mirroring content on Docker Hub, or tying in image pulls from your CI/CD process. |
| 18 | + |
| 19 | +OATs provide the following advantages: |
| 20 | + |
| 21 | +- You can investigate when the OAT was last used and then disable or delete it |
| 22 | + if you find any suspicious activity. |
| 23 | +- You can limit what each OAT has access to, which limits the impact if an OAT |
| 24 | + is compromised. |
| 25 | +- All organization owners can manage OATs. If one owner leaves the organization, |
| 26 | + the remaining owners can still manage the OATs. |
| 27 | +- OATs have their own Docker Hub usage limits that don't count towards your |
| 28 | + personal account's limits. |
| 29 | + |
| 30 | +If you have existing [service accounts](/docker-hub/service-accounts/), Docker recommends that you replace the service accounts with OATs. OATs offer the following advantages over service accounts: |
| 31 | + |
| 32 | +- Access permissions are easier to manage with OATs. You can assign access |
| 33 | + permissions to OATs, while service accounts require using teams for access |
| 34 | + permissions. |
| 35 | +- OATs are easier to manage. OATs are centrally managed in the Admin Console. |
| 36 | + For service accounts, you may need to sign in to that service account to |
| 37 | + manage it. If using single sign-on enforcement and the service account is not |
| 38 | + in your IdP, you may not be able to sign in to the service account to manage |
| 39 | + it. |
| 40 | +- OATs are not associated with a single user. If a user with access to the |
| 41 | + service account leaves your organization, you may lose access to the service |
| 42 | + account. OATs can be managed by any organization owner. |
| 43 | + |
| 44 | +## Create an organization access token |
| 45 | + |
| 46 | +> [!IMPORTANT] |
| 47 | +> |
| 48 | +> Treat access tokens like a password and keep them secret. Store your tokens securely in a credential manager for example. |
| 49 | +
|
| 50 | +Organization owners can create up to 3 organization access tokens (OATs) for |
| 51 | +organizations with a Team subscription and up to 100 OATs for organizations with |
| 52 | +a Business subscription. Expired tokens count towards the total amount of |
| 53 | +tokens. |
| 54 | + |
| 55 | +To create an OAT: |
| 56 | + |
| 57 | +1. Sign in to the [Admin Console](https://app.docker.com/login). |
| 58 | + |
| 59 | +2. Select the organization you want to create an access token for. |
| 60 | + |
| 61 | +3. Under **Security and access**, select **Access tokens**. |
| 62 | + |
| 63 | +4. Select **Generate access token**. |
| 64 | + |
| 65 | +5. Add a label and optional description for your token. Use something that indicates the use case or purpose of the token. |
| 66 | + |
| 67 | +6. Select the expiration date for the token. |
| 68 | + |
| 69 | +7. Select the repository access for the token. |
| 70 | + |
| 71 | + The access permissions are scopes that set restrictions in your repositories. |
| 72 | + For example, for Read & Write permissions, an automation pipeline can build |
| 73 | + an image and then push it to a repository. However, it can't delete the |
| 74 | + repository. You can select one of the following options: |
| 75 | + |
| 76 | + - **Public repositories (read only)** |
| 77 | + - **All repositories**: You can select read access, or read and write access. |
| 78 | + - **Select repositories**: You can select up to 50 repositories, and then |
| 79 | + select read access, or read and write access for each repository. |
| 80 | + |
| 81 | +8. Select **Generate token** and then copy the token that appears on the screen |
| 82 | + and save it. You won't be able to retrieve the token once you exit the |
| 83 | + screen. |
| 84 | + |
| 85 | +## Use an organization access token |
| 86 | + |
| 87 | +You can use an organization access token when you sign in using Docker CLI. |
| 88 | + |
| 89 | +Sign in from your Docker CLI client with the following command, replacing |
| 90 | +`YOUR_ORG` with your organization name: |
| 91 | + |
| 92 | +```console |
| 93 | +$ docker login --username <YOUR_ORG> |
| 94 | +``` |
| 95 | + |
| 96 | +When prompted for a password, enter your organization access token instead of a |
| 97 | +password. |
| 98 | + |
| 99 | +## Modify existing tokens |
| 100 | + |
| 101 | +You can rename, update the description, update the repository access, |
| 102 | +deactivate, or delete a token as needed. |
| 103 | + |
| 104 | +1. Sign in to the [Admin Console](https://app.docker.com/login). |
| 105 | + |
| 106 | +2. Select the organization you want to modify an access token for. |
| 107 | + |
| 108 | +3. Under **Security and access**, select **Access tokens**. |
| 109 | + |
| 110 | +4. Select the actions menu on the far right of a token row, then select |
| 111 | + **Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive** |
| 112 | + tokens, you can only select **Delete**. |
| 113 | + |
| 114 | +5. If editing a token, select **Save** after specifying your modifications. |
0 commit comments