OAuth Authentication for the Container Registry

created: Sunday, Jul 6, 2025

Our container registry now speaks the same OAuth dialect as the rest of the DownToZero (DTZ) platform. If you already mint bearer tokens for any DTZ API, you can log in to cr.dtz.rocks with zero extra configuration. This change completes our long-term goal of one identity, one token, everywhere.

Why we added OAuth

The registry originally accepted API keys only. While these keys remain supported, they lack the fine-grained scopes and short lifetimes that OAuth brings. A JWT issued by the DTZ Identity service carries role information such as containerregistry/admin/{context_id} and expires automatically, shrinking the blast radius if it ever leaks.

Logging in with Docker

# 1 - Request a bearer token
curl -X POST https://identity.dtz.rocks/api/2021-02-21/token/auth \
     -H "Content-Type: application/json" \
     -d '{"username":"you","password":"secret"}'

# 2 - Use that token to authenticate
docker login cr.dtz.rocks -u bearer -p YOUR_ACCESS_TOKEN

The username must literally be bearer; Docker forwards the token as the password. Behind the scenes, the registry validates the JWT using the very same logic as every other DTZ service.
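The two steps above wrapped in one script, as an added example rather than DTZ's own tooling: it requests the token, pulls it out of the JSON reply and hands it to docker login over stdin so the JWT never lands in argv or shell history. It assumes the identity service returns the token in an access_token field (the post does not show the response body) and reads credentials from DTZ_USERNAME and DTZ_PASSWORD.

```shell
#!/bin/sh
# Added example, not part of the DTZ platform. Requires curl and docker.
set -eu

IDENTITY_URL="https://identity.dtz.rocks/api/2021-02-21/token/auth"  # from the post
REGISTRY="cr.dtz.rocks"                                               # from the post

# Escape a value for use inside a JSON string (backslashes first, then quotes).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Pull the token out of the identity service's JSON reply.
# Assumption: the field is named "access_token" (standard OAuth naming; the post
# does not show the body). Plain text processing so it is testable offline.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1: request a bearer token with credentials taken from the environment.
request_token() {
  body=$(printf '{"username":"%s","password":"%s"}' \
         "$(json_escape "${DTZ_USERNAME:?set DTZ_USERNAME}")" \
         "$(json_escape "${DTZ_PASSWORD:?set DTZ_PASSWORD}")")
  curl -fsS -X POST "$IDENTITY_URL" \
       -H "Content-Type: application/json" \
       -d "$body"
}

# Step 2: log in. The username is literally "bearer"; the JWT is the password,
# passed via --password-stdin instead of -p so it is not visible in `ps` output.
registry_login() {
  token=$(extract_access_token "$(request_token)")
  [ -n "$token" ] || { echo "no access_token in identity response" >&2; return 1; }
  printf '%s' "$token" | docker login "$REGISTRY" -u bearer --password-stdin
}

# Only perform the login when credentials are present, so the file can also be
# sourced just for its functions.
if [ -n "${DTZ_USERNAME:-}" ] && [ -n "${DTZ_PASSWORD:-}" ]; then
  registry_login
fi
```

Export DTZ_USERNAME and DTZ_PASSWORD, then run the script once before your docker push; re-run it whenever the short-lived token expires.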

Backward compatibility

If your CI/CD pipeline already uses an API key, nothing breaks: docker login -u apikey -p YOUR_API_KEY cr.dtz.rocks still works. OAuth is an opt-in upgrade that unlocks shorter-lived credentials, role-based access control, and smoother secret rotation.

A consistent developer experience

Because the registry now honors the exact same HTTP headers and basic-auth conventions as our REST endpoints, you can:

Ready to try it? Grab a token, run your next docker push, and enjoy a simpler, safer login flow.