Authenticate to Katapult Container Registry

When using the Katapult Container Registry, you need to authenticate to access your container images.

Authentication Options

There are two ways to authenticate with Katapult Container Registry, depending on your use case:

1. Recommended: User Email & User API Token

Use this approach for most scenarios including personal development and team workflows.

• Username: Your email address (e.g., john@company.com)
• Password: User API token from Krystal Identity Dashboard
• Best for: When you're working on your local machine, developing applications, or need personal access to container images

2. Organization Subdomain & Organization API Token

Use this approach for automated systems and CI/CD pipelines.

• Username: Your organization subdomain (e.g., my-company)
• Password: Organization API token from Katapult Dashboard
• Best for: Automated deployments, CI/CD pipelines, shared infrastructure

Get an API Token

Choose the appropriate token type based on your authentication method:

For User Email Authentication

Generate a User API Token from Krystal Identity:

1. Log in to your Krystal Identity account.
2. Navigate to Static Access Tokens.
3. Click Create new static access token.
4. Give your token a name (e.g., "Container Registry Access").
5. Select an expiration date for your token.
6. Click Create token.
7. Copy the generated token and store it securely. You will not be able to see it again.
8. After copying the token, navigate to the bottom of the page and click on Manage scopes.
9. Select the scopes you need:
   • Manage container registries for full access
   • Read-only access to container registries for read-only permissions
10. Click Save scopes.

For Organization Subdomain Authentication

Generate an Organization API Token from Katapult:

1. Log in to your Katapult account.
2. Navigate to the API Tokens section.
3. Give your token a name (e.g., "CI/CD Container Registry").
4. Optional: Set Authorized IP Addresses to restrict access to your token.
5. Select the scopes you need:
   • Core: Manage container registries for full access
   • Core: Read-only access to container registries for read-only permissions
6. Click Create API token.
7. Copy the generated token and store it securely. You will not be able to see it again.

Authenticate with Container Tools

Use your API token as the password when authenticating to kcr.io. Choose the appropriate username based on your token type:

Using User Email

Docker

docker login kcr.io \
    --username your-email@company.com \
    --password <your-user-api-token>

Podman

podman login kcr.io \
    --username your-email@company.com \
    --password <your-user-api-token>

Skopeo

skopeo login kcr.io \
    --username your-email@company.com \
    --password <your-user-api-token>

Buildah

buildah login kcr.io \
    --username your-email@company.com \
    --password <your-user-api-token>

Helm

helm registry login kcr.io \
    --username your-email@company.com \
    --password <your-user-api-token>

Using Organization Subdomain

Docker

docker login kcr.io \
    --username <your-org-subdomain> \
    --password <your-org-api-token>

Podman

podman login kcr.io \
    --username <your-org-subdomain> \
    --password <your-org-api-token>

Skopeo

skopeo login kcr.io \
    --username <your-org-subdomain> \
    --password <your-org-api-token>

Buildah

buildah login kcr.io \
    --username <your-org-subdomain> \
    --password <your-org-api-token>

Helm

helm registry login kcr.io \
    --username <your-org-subdomain> \
    --password <your-org-api-token>