Skip to content
Latchkey

skopeo login: Authenticate to a Registry

skopeo login stores registry credentials so later skopeo (and podman) commands authenticate without repeating them.

Rather than passing --creds on every command, log in once. skopeo writes the token to an auth file that subsequent commands reuse, the same file podman and buildah read.

What it does

skopeo login authenticates to a registry and writes the credential to an auth file (by default $XDG_RUNTIME_DIR/containers/auth.json or a path you set with --authfile). Later skopeo copy and inspect calls pick up that credential automatically.

Common usage

Terminal
echo "$GHCR_TOKEN" | skopeo login ghcr.io \
  --username "$GITHUB_ACTOR" --password-stdin
# scope the credential to a CI-local auth file
skopeo login ghcr.io -u "$USER" --password-stdin \
  --authfile ./auth.json < token.txt

Options

FlagWhat it does
-u, --username <user>Registry username
-p, --password <pass>Password (prefer --password-stdin)
--password-stdinRead the password from stdin (safer in CI)
--authfile <file>Where to store the credential
--tls-verify=falseDisable TLS verification (testing only)

In CI

Always use --password-stdin and pipe the secret in, so the token does not appear in the process list or logs. Set --authfile to a job-local path on shared runners to avoid leaking credentials into a shared default location.

Common errors in CI

"error logging into registry: invalid username/password" means wrong credentials or an expired token. "unauthorized: authentication required" on a later copy means login wrote to a different authfile than the copy reads; set --authfile consistently or export REGISTRY_AUTH_FILE. Passing -p on the command line risks leaking the secret in logs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →