To pull images from private registries, FlatRun stores reusable credentials. There are two related pieces: registry types describe a registry and how it authenticates, and credentials are the saved username/token pairs you use to log in.
Registry Types
A registry type defines a registry and its auth style. Common providers (Docker Hub, Amazon ECR, Google Artifact Registry, Azure Container Registry) are available out of the box, and you can add custom ones. A registry type carries:
- Name and slug
- URL patterns used to match an image to this registry
- Auth type
- Optional login and docs URLs
Credentials
Each saved credential records:
| Field | Notes |
|---|---|
| Name | Label you choose |
| Registry type | Which registry it authenticates against |
| Registry URL | Required for ECR / GAR / ACR and custom registries |
| Username | Account or access key |
| Password / token | Stored server-side and never returned in API responses |
| Default | Used automatically when a pull does not name a credential |
Passwords are write-only. The secret is stored on the agent and never sent
back through the API. To change it, update the credential with a new value.
Managing Credentials
Credentials are managed under Settings → Credentials. From there you can:
- Add a credential (name, registry type, optional URL, username, password, default flag)
- Mark one as the default
- Test connectivity to confirm the login works
- Delete credentials you no longer need
How Credentials Are Used
- Pulling an image — the Images pull dialog lets you pick a saved credential or enter one inline for a private image.
- Automatic matching — when an image matches a registry's URL patterns, FlatRun selects a matching credential (or the default) so deployments pull protected images without prompting.
Test before relying on it. Use the test action after adding a credential.
A bad username or expired token only surfaces at pull time otherwise, which can fail a deploy.