the following advantages over service accounts:

- Access permissions are easier to manage with OATs. You assign access
  permissions directly to an OAT, whereas a service account gets its
  permissions only through the teams it belongs to.
- OATs are easier to manage. OATs are centrally managed in the Admin Console.
  For service accounts, you may need to sign in to that service account to
  manage it. If using single sign-on enforcement and the service account is not
  in your IdP, you may not be able to sign in to the service account to manage
  it.
- OATs are not associated with a single user. If a user with access to the
  service account leaves your organization, you may lose access to the service
  account. OATs can be managed by any company or organization owner.

## Create an organization access token

> [!IMPORTANT]
>
> Treat access tokens like a password and keep them secret. For example,
> store your tokens securely in a credential manager.

Company or organization owners can create up to:
- 10 OATs for organizations with a Team subscription
- 100 OATs for organizations with a Business subscription

Expired tokens still count towards this limit, so delete tokens you no longer
need.

To create an OAT:

1. Sign in to the [Admin Console](https://app.docker.com/admin).

2. Select the organization you want to create an access token for.

3. Under **Security and access**, select **Access tokens**.

4. Select **Generate access token**.

5. Add a label and optional description for your token. Use something that
indicates the use case or purpose of the token.

6. Select the expiration date for the token.

7. Expand the **Repository** drop-down to set access permission
scopes for your token. To set Repository access scopes:
    1. Optional. Select **Read public repositories**.
    2. Select **Add repository** and choose a repository from the drop-down.
    3. Set the scopes for your repository — **Image Push** or
    **Image Pull**.
    4. Add more repositories as needed. You can add up to 50 repositories.

8. Optional. Expand the **Organization** drop-down and select the
**Allow management access to this organization's resources** checkbox. This
setting enables organization management scopes for your token. The following
organization management scopes are available:
    - **Member Edit**: Edit members of the organization
    - **Member Read**: Read members of the organization
    - **Invite Edit**: Invite members to the organization
    - **Invite Read**: Read invites to the organization
    - **Group Edit**: Edit groups of the organization
    - **Group Read**: Read groups of the organization

9. Select **Generate token**. Copy the token that appears on the screen
   and save it. You won't be able to retrieve the token once you exit the
   screen.

## Use an organization access token

You can use an organization access token to sign in with the Docker CLI.

Sign in from your Docker CLI client with the following command, replacing
`<YOUR_ORG>` with your organization name. The username is the organization,
not your own Docker ID, because the token belongs to the organization rather
than to a user:

```console
$ docker login --username <YOUR_ORG>
```

When prompted for a password, enter your organization access token instead of a
password. The session only has the repository and organization scopes you
selected when you created the token.
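The interactive prompt above does not suit a CI job. As an added example, not code from the Docker documentation, the following POSIX shell script performs the same login non-interactively. It assumes the token is exported in an environment variable named `DOCKER_OAT` (a name chosen for this example) and feeds it to `docker login --password-stdin`, a flag the Docker CLI supports, so the token never appears on the command line.

```shell
#!/bin/sh
# Added example, not from the Docker documentation: non-interactive login
# with an organization access token (OAT), as a CI job would do it.
#
# The token is read from DOCKER_OAT (an assumed variable name) and handed to
# `docker login --password-stdin`, so it never appears in argv, in shell
# history, or in `ps` output the way `--password <token>` would.

# docker_login_oat ORG
#   ORG is the Docker organization name. It is used as the username because an
#   OAT belongs to the organization, not to a user account.
docker_login_oat() {
    org="$1"
    if [ -z "$org" ]; then
        echo "usage: docker_login_oat <org>" >&2
        return 2
    fi
    if [ -z "${DOCKER_OAT:-}" ]; then
        echo "error: DOCKER_OAT is not set; export the token before running" >&2
        return 1
    fi
    # printf rather than echo: no backslash interpretation, no extra newline.
    printf '%s' "$DOCKER_OAT" | docker login --username "$org" --password-stdin
}

# Usage: DOCKER_OAT=<token> sh login.sh <org>
if [ "$#" -ge 1 ]; then
    docker_login_oat "$1"
fi
```

Run it as `DOCKER_OAT=<token> sh login.sh <org>`, with the token injected by your CI system's secret store. Do not pass the token with `--password`: that exposes it in shell history and in the process list of every user on the host.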

## Modify existing tokens

You can rename a token, update its description or repository access,
deactivate it, or delete it as needed.

1. Sign in to the [Admin Console](https://app.docker.com/admin).

2. Select the organization you want to modify an access token for.

3. Under **Security and access**, select **Access tokens**.

4. Select the actions menu in the token row, then select
   **Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive**
   tokens, you can only select **Delete**.

5. If editing a token, select **Save** after specifying your modifications.
