Docker Hub is the world's largest container registry, a cloud service for finding, sharing, and managing container images. Teams store and distribute images publicly or privately, automate builds through CI/CD, and collaborate using team-based access controls. As the central hub of the Docker ecosystem, it hosts millions of images from official publishers, verified vendors, and the community.
Power end-to-end data operations for your Docker Hub API with Nexla. Our bi-directional Docker Hub connector is purpose-built for Docker Hub, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Docker Hub or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Docker Hub workflows fast, secure, and fully governed.
Features
Type: API
SourceDestination
Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
To connect Nexla to Docker Hub, you will need a Docker Hub account and a Personal Access Token (PAT). Docker Hub PATs provide a secure, password-free method of authenticating API requests. They can be granted specific access scopes and revoked independently of your account password, making them well-suited for automated integrations.
To generate a Personal Access Token for use with Nexla:
Sign in to Docker Hub with your Docker account credentials.
Select your avatar or username in the top-right corner of the page to open the account menu.
Select Account settings from the drop-down menu.
In the left navigation, select Personal access tokens under the Security section.
Click the Generate new token button.
Enter a descriptive label in the Access Token Description field to identify the token's purpose (for example, Nexla Integration).
Set the appropriate access permissions for the token:
Read — Allows reading repository data, tags, and organization information.
Read & Write — Allows reading data and writing to repositories, including creating repositories and managing team members.
Read, Write & Delete — Allows full access including delete operations on repositories, tokens, and organization resources.
Select the minimum permission scope required for your Nexla integration. If you are only using Docker Hub as a data source to read repository, tag, audit log, and organization data, the Read scope is sufficient. If you plan to use Docker Hub as a destination (for example, to create repositories or manage team membership), select Read & Write or Read, Write & Delete as appropriate.
Click Generate to create the token.
Important
Copy the generated token immediately and store it securely. Docker Hub displays the token value only once—it cannot be retrieved after you leave this screen. Treat the token like a password and store it in a secure credential manager.
Note your Docker Hub username, which will also be required when creating the Nexla credential.
Authenticate with a Personal Access Token (PAT). Generate a PAT in Docker Hub account settings under Security. The connector exchanges the PAT at /v2/auth/token for a bearer JWT.
Field
Required
Secret
Description
Username
Yes
No
Your Docker Hub username (sent as the identifier field to /v2/auth/token).
Personal Access Token
Yes
Yes
Docker Hub Personal Access Token (PAT). Sent as the secret field to /v2/auth/token. Create one in Docker Hub > Account settings > Security.
After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
Docker Hub uses a token-based authentication flow. Nexla sends your username and Personal Access Token to the Docker Hub authentication endpoint (/v2/auth/token) to obtain a short-lived bearer JWT, which is then used to authorize all subsequent API requests on your behalf.
Enter your Docker Hub username in the Username field. This is the username associated with your Docker Hub account (the same one you use to log in to hub.docker.com).
Enter the Personal Access Token you generated in the Personal Access Token field. This token is sent as the secret field to the Docker Hub authentication endpoint and must have the scopes required for your intended use.
The Personal Access Token field is treated as a secure/masked field. Ensure you paste the complete token value exactly as copied from Docker Hub.
Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.
To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Docker Hub connector tile, then select the credential that will be used to connect to the Docker Hub instance, and click Next; or, create a new Docker Hub credential for use in this flow.
Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Docker Hub endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below. Click on an endpoint to see more information about it and how to configure your data source for this endpoint.
List repositories in a namespace
Returns a paginated list of all repositories within a specified Docker Hub namespace (a user account or organization). Use this endpoint to inventory repositories, audit repository visibility settings, or synchronize repository metadata with external systems.
Enter the Docker Hub namespace whose repositories you want to list in the Namespace field. A namespace is either a Docker Hub username (for personal repositories) or an organization name (for organization-owned repositories). For example, enter mycompany to list all repositories belonging to the mycompany organization.
This endpoint uses page-based pagination and fetches up to 100 repositories per page. Nexla automatically handles pagination, so all repositories in the namespace will be ingested across multiple pages as needed. The authenticated user must have read access to the specified namespace.
Get a repository
Returns detailed metadata for a single Docker Hub repository, including its name, description, visibility (public or private), pull count, star count, and the date it was last updated. Use this endpoint when you need detailed information about a specific repository.
Enter the Docker Hub namespace (username or organization name) that owns the repository in the Namespace field.
Enter the name of the repository in the Repository field. For example, if the full repository path is mycompany/my-app, enter mycompany as the namespace and my-app as the repository name.
This endpoint returns a single record for the specified repository. The authenticated user must have read access to the repository.
List repository tags
Returns all tags for a specified repository, including digest, compressed image size, architecture details, and the last-pushed timestamp for each tag. Use this endpoint to audit image versions, track release history, or monitor image freshness across a repository.
Enter the Docker Hub namespace that owns the repository in the Namespace field.
Enter the repository name whose tags you want to list in the Repository field. For example, for the repository mycompany/my-app, enter mycompany and my-app respectively.
This endpoint uses page-based pagination and fetches up to 100 tags per page. Nexla automatically handles pagination to retrieve all tags. Tags with the name latest or semantic version strings such as v1.2.3 are common values you will encounter in the results.
Get a repository tag
Returns metadata for a single image tag within a repository, including the image digest, compressed size, supported architectures, and last-pushed date. Use this endpoint when you need precise information about a specific image version.
Enter the Docker Hub namespace that owns the repository in the Namespace field.
Enter the repository name in the Repository field.
Enter the tag name to retrieve in the Tag field. Common tag values include latest, release identifiers such as v1.2.3, or environment-specific tags such as production or stable.
List audit log events
Returns a paginated list of audit log events for a Docker Hub account (organization or user namespace). Audit logs record actions such as repository pushes, image pulls, member changes, token creation, and settings updates. Use this endpoint for security monitoring, compliance reporting, and change tracking.
Enter the Docker Hub namespace (organization name or username) whose audit log events you want to retrieve in the Account (Namespace) field. For example, enter mycompany to retrieve audit events for the mycompany organization.
Audit log access requires that the authenticated user is an owner or has appropriate administrative permissions within the specified namespace. The Docker Hub API supports additional query parameters for filtering audit logs by action type, actor, resource name, and time window — these can be applied using the manual configuration mode if needed.
List organization members
Returns a paginated list of all members belonging to a Docker Hub organization. Use this endpoint to audit organization membership, synchronize user rosters with external identity systems, or track role assignments.
Enter the Docker Hub organization name whose members you want to list in the Organization Name field. The authenticated user must be a member of the organization to retrieve this data.
This endpoint uses page-based pagination and fetches up to 100 members per page. Nexla automatically handles pagination to retrieve all members.
List organization teams
Returns a paginated list of teams (referred to as "groups" in the Docker Hub API) within a Docker Hub organization. Use this endpoint to inventory teams, audit team structures, or synchronize team configurations with external systems.
Enter the Docker Hub organization name whose teams you want to list in the Organization Name field.
Docker Hub uses the term "groups" internally in the API to refer to what the UI displays as "teams." This endpoint fetches up to 100 teams per page and Nexla handles pagination automatically.
Get organization settings
Retrieves the current settings for a Docker Hub organization, such as restricted image policies and member access configurations. Use this endpoint to audit organizational governance settings or track configuration changes over time.
Enter the Docker Hub organization name whose settings you want to retrieve in the Organization Name field. The authenticated user must have owner-level access to the organization to read its settings.
Organization settings such as restricted images are available on Docker Hub Business plans. The response for organizations on lower-tier plans may return a limited set of settings fields.
List personal access tokens
Returns a paginated list of all Personal Access Tokens (PATs) associated with the authenticated Docker Hub user account, including token labels, UUIDs, scopes, and active status. Use this endpoint to audit existing tokens or track token lifecycle for security governance purposes.
No additional parameters are required for this endpoint. Nexla will automatically retrieve all PATs for the authenticated user account.
This endpoint returns token metadata only — it does not return the actual token secret values, as those are only accessible at the time of creation. This endpoint fetches up to 100 tokens per page and Nexla handles pagination automatically.
List members of an organization team
Returns a paginated list of members belonging to a specific team (group) within a Docker Hub organization. Use this endpoint to audit team membership, verify access assignments, or synchronize team rosters with external systems.
Enter the Docker Hub organization name that owns the team in the Organization Name field.
Enter the team name whose members you want to list in the Team Name field. This corresponds to the group name as it appears in Docker Hub.
This endpoint uses page-based pagination and fetches up to 100 members per page. Nexla automatically handles pagination. The endpoint also supports filtering by username, full name, or email address using manual configuration if needed.
List organization pending invites
Returns all pending membership invitations for a Docker Hub organization. Use this endpoint to audit outstanding invitations, track onboarding status, or identify invitations that have not yet been accepted.
Enter the Docker Hub organization name whose pending invites you want to retrieve in the Organization Name field. Only team owners have permission to view organization invitations.
This endpoint returns only invites that are still in a pending (unaccepted) state. Accepted or expired invitations will not appear in the results.
List organization access tokens (OATs)
Returns a paginated list of Organization Access Tokens (OATs) for a Docker Hub organization. OATs are distinct from personal PATs and are designed for organization-level automation and CI/CD pipelines. Use this endpoint to audit OAT configurations and active status across your organization.
Enter the Docker Hub organization name whose OATs you want to list in the Organization Name field. The authenticated user must have owner-level permissions within the organization to access OAT data.
Organization Access Tokens (OATs) are a Docker Hub feature for organizations that need non-human service accounts to authenticate with the Docker Hub API. OAT metadata is returned, but the token secret values are not included in API responses after initial creation.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.
Docker Hub data sources can also be manually configured to ingest data from any valid Docker Hub API endpoint, including endpoints not covered by the pre-built templates, chained API calls, custom audit-log filters, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.
All Docker Hub API endpoints use the base URL https://hub.docker.com/v2/. List endpoints return records nested under $.results[*] (or $.logs[*] for the audit log endpoint) — enter this as the path to data. The audit log endpoint also supports from/to timestamp parameters, making it a good candidate for date/time macros to incrementally fetch new events on each run. Nexla automatically includes the bearer token from your credential in the Authorization header, so it does not need to be added as a request header.
Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Docker Hub data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Click the + icon on the Nexset that will be sent to the Docker Hub destination, and select the Send to Destination option from the menu. Select the Docker Hub connector from the list of available destination connectors, then select the credential that will be used to connect to the Docker Hub organization, and click Next; or, create a new Docker Hub credential for use in this flow.
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Docker Hub endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Create a repository
Creates a new repository within a Docker Hub namespace. Use this endpoint when you want to programmatically provision new repositories in a user account or organization — for example, as part of an automated DevOps workflow or when onboarding a new service.
Enter the Docker Hub namespace (username or organization name) under which the new repository should be created in the Namespace field. For example, enter mycompany to create the repository under the mycompany organization.
The request body sent to Docker Hub should be formatted as a JSON object and must include the following fields:
name — The name of the new repository (required). Repository names must be lowercase and may contain letters, digits, underscores, periods, and hyphens.
namespace — The namespace under which to create the repository (required). This should match the namespace specified in the URL.
description — A short description of the repository (optional).
full_description — A longer Markdown-formatted description for the repository's README section (optional).
registry — The registry to use; typically docker.io for Docker Hub (optional).
is_private — Set to true to make the repository private, or false to make it public (optional, defaults to false).
Docker Hub accounts on the free plan have a limited number of private repositories. Ensure your account plan supports the desired repository visibility. For complete details, refer to the Docker Hub API reference for Create a repository.
Create a personal access token
Creates a new Personal Access Token (PAT) for the authenticated Docker Hub user. Use this endpoint to programmatically provision tokens for automated systems or CI/CD pipelines as part of a token lifecycle management workflow.
No URL parameter configuration is required for this endpoint. The request body sent to Docker Hub should include the following fields:
token_label — A descriptive label for the token (required). Use a meaningful name that identifies the token's purpose, such as nexla-integration or ci-pipeline-prod.
scopes — An array of permission scopes to grant the token (required). Valid scope values include repo:read, repo:write, and repo:admin.
The generated token secret is returned only once in the API response at the time of creation. Ensure that your Nexla flow captures and stores the token value immediately. It cannot be retrieved again through the API after this initial response.
Update a personal access token
Updates the label or active state of an existing Personal Access Token. Use this endpoint to rename tokens, enable or disable tokens as part of security rotation workflows, or manage token lifecycle programmatically.
Enter the UUID of the Personal Access Token to update in the Token UUID field. UUIDs can be obtained from the List personal access tokens endpoint.
The request body may include the following fields:
token_label — A new descriptive label for the token (optional).
is_active — Set to true to enable the token or false to disable it (optional). Disabling a token prevents it from being used for authentication without deleting it.
Delete a personal access token
Permanently deletes a Personal Access Token. Use this endpoint to revoke tokens that are no longer needed, as part of offboarding workflows, or during security incident response. This action cannot be undone.
Enter the UUID of the Personal Access Token to delete in the Token UUID field. UUIDs can be obtained from the List personal access tokens endpoint. Ensure the correct UUID is specified, as this action is irreversible.
:::warning Important
Deleting a Personal Access Token immediately and permanently revokes it. Any systems or integrations using the deleted token will lose access to Docker Hub. Verify that no active systems depend on the token before proceeding.
:::
Create an organization team
Creates a new team (group) within a Docker Hub organization. Teams allow organizations to group members and manage their repository access permissions collectively. Use this endpoint to provision teams programmatically as part of organizational onboarding workflows.
Enter the Docker Hub organization name in which to create the team in the Organization Name field.
The request body should include the following fields:
name — The name for the new team (required). Team names must be unique within the organization.
description — A description of the team's purpose (optional).
Only organization owners can create teams. The authenticated credential must belong to an account with owner-level access to the specified organization.
Update an organization team
Partially updates an organization team — typically renaming the team or updating its description. Use this endpoint to manage team names and descriptions as part of organizational restructuring workflows.
Enter the Docker Hub organization name that owns the team in the Organization Name field.
Enter the current name of the team to update in the Team Name field.
The request body may include the following fields:
name — The new name for the team (optional).
description — The updated description for the team (optional).
Delete an organization team
Permanently deletes a team from a Docker Hub organization. Deleting a team removes all team-level repository access permissions for its former members, though the members remain in the organization. This action cannot be undone.
Enter the Docker Hub organization name that owns the team in the Organization Name field.
Enter the name of the team to delete in the Team Name field. Verify the team name carefully, as this action is irreversible.
:::warning Important
Deleting a team removes all repository access permissions associated with that team. Ensure that affected members have alternative access paths before deleting the team.
:::
Add a member to an organization team
Adds an existing organization member to a specific team, granting them the repository access permissions associated with that team. Use this endpoint when onboarding new team members or adjusting access as part of role changes.
Enter the Docker Hub organization name that owns the team in the Organization Name field.
Enter the name of the team to add the member to in the Team Name field.
The request body should include the following field:
member — The Docker Hub username of the organization member to add to the team (required). The user must already be a member of the organization before they can be added to a team.
The user must already be a member of the Docker Hub organization to be added to a team. Use the Bulk-create organization invites endpoint to first invite new users to the organization if they are not yet members.
Remove a member from an organization team
Removes a member from a specific team without removing them from the organization itself. The member will lose any repository access permissions granted through that team. Use this endpoint to manage team membership as part of role transitions.
Enter the Docker Hub organization name that owns the team in the Organization Name field.
Enter the name of the team from which to remove the member in the Team Name field.
Enter the Docker Hub username of the member to remove in the Member Username field.
Update organization member role
Updates the organization-level role of an existing member. Docker Hub organization roles control the level of administrative access a member has across the entire organization. Use this endpoint to promote or demote members as part of access management workflows.
Enter the Docker Hub organization name the member belongs to in the Organization Name field.
Enter the Docker Hub username of the member whose role to update in the Member Username field.
The request body should include the following field:
role — The new role to assign to the member (required). Valid values are:
owner — Full administrative access to the organization, including the ability to manage members, teams, and settings.
editor — Can manage repositories and teams but cannot modify organization-level settings or manage owners.
member — Standard member access, limited to teams and repositories they have been explicitly granted access to.
Assigning the owner role grants full administrative control over the organization. Apply this role only to users who require top-level administrative access.
Remove member from organization
Removes a member from a Docker Hub organization, which also removes them from all teams within that organization. Use this endpoint as part of offboarding workflows to revoke all organization access for a departing user.
Enter the Docker Hub organization name to remove the member from in the Organization Name field.
Enter the Docker Hub username of the member to remove in the Member Username field.
:::warning Important
A member cannot be removed if they are the last owner of the organization. Ensure at least one other owner exists before attempting to remove the final owner. Removing a member immediately revokes their access to all organization repositories and teams.
:::
Bulk-create organization invites
Creates multiple membership invitations for a Docker Hub organization in a single API call. Invitations can be sent by email address or Docker Hub username. Use this endpoint to onboard multiple users at once, or to provision invites as part of automated user provisioning workflows.
No URL parameter configuration is required for this endpoint. The request body should include the following fields:
org — The organization name to which invitations should be sent (required).
invitees — An array of invitee objects, each specifying either an email address or Docker Hub username to invite (required).
role — The role to assign to invited users upon acceptance (optional). Valid values are member, editor, or owner.
team — The team to add invited users to upon acceptance (optional).
Only team owners can create organization invitations. The authenticated credential must belong to an account with owner-level access to the organization. Invitations for distributor roles also require owner-level access.
Create an organization access token
Creates a new Organization Access Token (OAT) for a Docker Hub organization. OATs provide organization-level service account credentials for CI/CD systems and automated workflows that require API access independent of any individual user account. Use this endpoint to provision OATs programmatically as part of infrastructure automation.
Enter the Docker Hub organization name in which to create the token in the Organization Name field.
The request body should include the following fields:
token_label — A descriptive label identifying the OAT's purpose (required), such as prod-ci-pipeline.
scopes — An array of access scopes for the token (required).
Repository access permissions as defined by the Docker Hub API specification.
The OAT secret value is returned only once in the API response at the time of creation. Ensure your Nexla flow captures and securely stores this value immediately, as it cannot be retrieved again through the API.
Update an organization access token
Partially updates an Organization Access Token — typically updating the label or enabling/disabling the token. Use this endpoint to manage OAT lifecycle, such as temporarily disabling a token during maintenance or renaming tokens for clarity.
Enter the Docker Hub organization name that owns the OAT in the Organization Name field.
Enter the ID of the Organization Access Token to update in the OAT ID field. OAT IDs can be obtained from the List organization access tokens endpoint.
The request body may include the following fields:
token_label — A new descriptive label for the token (optional).
is_active — Set to true to enable the token or false to disable it without deleting it (optional).
Delete an organization access token
Permanently deletes an Organization Access Token. This action immediately revokes the token and any systems using it will lose API access. Use this endpoint during token rotation workflows or when decommissioning automated systems. This action cannot be undone.
Enter the Docker Hub organization name that owns the OAT in the Organization Name field.
Enter the ID of the Organization Access Token to delete in the OAT ID field. Verify the correct OAT ID before proceeding, as this action is irreversible.
:::warning Important
Deleting an Organization Access Token immediately and permanently revokes it. All CI/CD pipelines and automated systems using this token will lose Docker Hub API access. Coordinate token rotation carefully to avoid service disruptions.
:::
Update organization settings
Updates an organization's settings, such as restricted image policies available on Docker Hub Business plans. Use this endpoint to enforce security policies, configure image source restrictions, or manage organization-wide access controls programmatically.
Enter the Docker Hub organization name whose settings to update in the Organization Name field. Only organization owners may modify these settings.
The request body should include the organization settings fields you want to update, such as:
restricted_images — Configuration for restricting which image sources organization members can pull from (available on Business plans).
Organization settings features such as restricted images are available only on Docker Hub Business plans. Attempting to set Business-plan-only settings on a non-Business organization will result in an API error. Refer to the Docker Hub API reference for organization settings for the complete list of configurable fields.
Docker Hub destinations can also be manually configured to send data to any valid Docker Hub API endpoint, or to automatically send the API response received after each call to a new Nexla webhook data source. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, attribute exclusions, record batching, and response webhooks.
All Docker Hub API endpoints use the base URL https://hub.docker.com/v2/; for update, partial-update, and delete operations, append the resource identifier (such as a token UUID, OAT ID, or team name) to the URL. Docker Hub's API accepts and returns JSON — select JSON as the content format. Nexla automatically includes the bearer token from your credential in the Authorization header, so it does not need to be added as a request header.
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured Docker Hub endpoint, open the destination resource menu, and select Activate.
The Nexset data will not be sent to the Docker Hub endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.