1st chunk of `content/manuals/security/for-admins/access-tokens.md`
---
title: Organization access tokens
description: Learn how to create and manage organization access tokens
  to securely push and pull images programmatically.
keywords: docker hub, security, OAT, organization access token
linkTitle: Organization access tokens
---

{{< summary-bar feature_name="OATs" >}}

> [!WARNING]
>
> Organization access tokens (OATs) are incompatible with Docker Desktop and
> Docker Scout, and are not intended to be used with them.
>
> If you use Docker Desktop or Docker Scout, you must use personal
> access tokens instead.

An organization access token (OAT) is like a [personal access token
(PAT)](/security/for-developers/access-tokens/), but an OAT is associated with
an organization and not a single user account. Use an OAT instead of a PAT to
let business-critical tasks access Docker Hub repositories without connecting
the token to a single user. You must have a [Docker Team or Business
subscription](/subscription/core-subscription/details/) to use OATs.

OATs provide the following advantages:

- You can investigate when the OAT was last used and then disable or delete it
  if you find any suspicious activity.
- You can limit what each OAT has access to, which limits the impact if an OAT
  is compromised.
- All company or organization owners can manage OATs. If one owner leaves the
  organization, the remaining owners can still manage the OATs.
- OATs have their own Docker Hub usage limits that don't count towards your
  personal account's limits.

If you have existing [service accounts](/docker-hub/service-accounts/),
Docker recommends that you replace the service accounts with OATs. OATs offer
the following advantages over service accounts:

- Access permissions are easier to manage with OATs. You can assign access
  permissions to OATs, while service accounts require using teams for access
  permissions.
- OATs are easier to manage. OATs are centrally managed in the Admin Console.
  For service accounts, you may need to sign in to that service account to
  manage it. If using single sign-on enforcement and the service account is not
  in your IdP, you may not be able to sign in to the service account to manage
  it.
- OATs are not associated with a single user. If a user with access to the
  service account leaves your organization, you may lose access to the service
  account. OATs can be managed by any company or organization owner.

## Create an organization access token

> [!IMPORTANT]
>
> Treat access tokens like a password and keep them secret. Store your tokens
> securely, for example in a credential manager.

Company or organization owners can create up to:
- 10 OATs for organizations with a Team subscription

Title: Introduction to Organization Access Tokens (OATs)
Summary
Organization Access Tokens (OATs) are similar to Personal Access Tokens (PATs) but are associated with an organization rather than a single user, requiring a Docker Team or Business subscription. OATs offer advantages like usage tracking, limited access scope, centralized management, and independent usage limits. Docker recommends replacing service accounts with OATs due to their easier access management and user independence. Organization owners can create a limited number of OATs, treating them as passwords and storing them securely.