Skip to content

microagent registry

Last updated: 2026-06-25

microagent registry login <registry> -u <user> [--password-stdin] Store registry credentials
microagent registry logout <registry> Remove stored credentials
microagent registry list List registries with stored credentials

microagent pulls and pushes OCI images by talking to registries directly — it does not depend on Docker, Docker Desktop, or any docker-credential-* helper. Public images always pull anonymously. For private registries, credentials are resolved from static credential files only; credential helpers are never executed.

Resolved in order, first match wins — all Docker-free:

  1. $REGISTRY_AUTH_FILE — the vendor-neutral file convention shared with Podman, Skopeo, and Buildah ({"auths":{...}} JSON).
  2. ~/.microagent/auth.json — microagent’s own credential file, written by microagent registry login (mode 0600).
  3. anonymous — no credentials (public images).

Docker’s ~/.docker/config.json is never read, and credential helpers (credsStore/credHelpers) are never executed — microagent has no dependency on Docker or Docker Desktop.

Log in to GitHub Container Registry with a token piped on stdin (the password is never passed as an argument, so it cannot leak into the process table or shell history):

Terminal window
echo "$GHCR_TOKEN" | microagent registry login ghcr.io -u USERNAME --password-stdin

Log in interactively (the prompt reads the password without echo):

Terminal window
microagent registry login registry.example.com -u alice

List and remove stored credentials:

Terminal window
microagent registry list
microagent registry logout ghcr.io

Use a shared auth file instead of microagent’s own store:

Terminal window
export REGISTRY_AUTH_FILE=~/auth.json
microagent run registry.example.com/team/app
FlagCommandDescription
-u, --usernameloginRegistry username (required).
--password-stdinloginRead the password from stdin instead of prompting.
  • microagent registry login stores base64(username:password) — the standard encoding, the same one Docker/OCI config files use. This is encoding, not encryption; the file is written 0600. microagent is otherwise a secret conduit, not a store (see secret).
  • microagent never writes Docker’s ~/.docker/config.json.