be3dc7
% containers-auth.json(5)
be3dc7
be3dc7
# NAME
be3dc7
containers-auth.json - syntax for the registry authentication file
be3dc7
be3dc7
# DESCRIPTION
be3dc7
be3dc7
A credentials file in JSON format used to authenticate against container image registries.
be3dc7
The primary (read/write) file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux;
be3dc7
on Windows and macOS, at `$HOME/.config/containers/auth.json`.
be3dc7
be3dc7
When searching for the credential for a registry, the following files will be read in sequence until the valid credential is found:
be3dc7
first reading the primary (read/write) file, or the explicit override using an option of the calling application.
be3dc7
If credentials are not present, search in `${XDG\_CONFIG\_HOME}/containers/auth.json`, `$HOME/.docker/config.json`, `$HOME/.dockercfg`.
be3dc7
be3dc7
Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override.
be3dc7
be3dc7
be3dc7
## FORMAT
be3dc7
be3dc7
The auth.json file stores encrypted authentication information for the
be3dc7
user to container image registries.  The file can have zero to many entries and
be3dc7
is created by a `login` command from a container tool such as `podman login`,
be3dc7
`buildah login` or `skopeo login`.  Each entry includes the name of the registry and then an auth
be3dc7
token in the form of a base64 encoded string from the concatenation of the
be3dc7
username, a colon, and the password.
be3dc7
be3dc7
The following example shows the values found in auth.json after the user logged in to
be3dc7
their accounts on quay.io and docker.io:
be3dc7
be3dc7
```
be3dc7
{
be3dc7
	"auths": {
be3dc7
		"docker.io": {
be3dc7
			"auth": "erfi7sYi89234xJUqaqxgmzcnQ2rRFWM5aJX0EC="
be3dc7
		},
be3dc7
		"quay.io": {
be3dc7
			"auth": "juQAqGmz5eR1ipzx8Evn6KGdw8fEa1w5MWczmgY="
be3dc7
		}
be3dc7
	}
be3dc7
}
be3dc7
```
be3dc7
be3dc7
An entry can be removed by using a `logout` command from a container
be3dc7
tool such as `podman logout` or `buildah logout`.
be3dc7
be3dc7
In addition, credential helpers can be configured for specific registries and the credentials-helper
be3dc7
software can be used to manage the credentials in a more secure way than depending on the base64 encoded authentication
be3dc7
provided by `login`.  If the credential helpers are configured for specific registries, the base64 encoded authentication will not be used
be3dc7
for operations concerning credentials of the specified registries.
be3dc7
be3dc7
When the credential helper is in use on a Linux platform, the auth.json file would contain keys that specify the registry domain, and values that specify the suffix of the program to use (i.e. everything after docker-credential-).  For example:
be3dc7
be3dc7
```
be3dc7
{
be3dc7
    "auths": {
be3dc7
        "localhost:5001": {}
be3dc7
    },
be3dc7
    "credHelpers": {
be3dc7
		"registry.example.com": "secretservice"
be3dc7
	}
be3dc7
}
be3dc7
```
be3dc7
be3dc7
For more information on credential helpers, please reference the [GitHub docker-credential-helpers project](https://github.com/docker/docker-credential-helpers/releases).
be3dc7
be3dc7
# SEE ALSO
be3dc7
    buildah-login(1), buildah-logout(1), podman-login(1), podman-logout(1), skopeo-login(1), skopeo-logout(1)
be3dc7
be3dc7
# HISTORY
be3dc7
Feb 2020, Originally compiled by Tom Sweeney <tsweeney@redhat.com>