Skip to main content

Docker Hub Destination

Nexla's bi-directional connectors allow data to flow both to and from any location, making it simple to create a FlexFlow data flow that sends data to a Docker Hub location.
dockerhub_api.png

Docker Hub

Create a Docker Hub Destination

  1. Click the + icon on the Nexset that will be sent to the Docker Hub destination, and select the Send to Destination option from the menu.

  2. Select the Docker Hub connector from the list of available destination connectors. Then, select the credential that will be used to connect to the Docker Hub organization, and click Next; or, create a new Docker Hub credential for use in this flow.

  3. In Nexla, Docker Hub destinations can be created using pre-built endpoint templates, which expedite destination setup for common Docker Hub endpoints. Each template is designed specifically for the corresponding Docker Hub API endpoint, making destination configuration easy and efficient.
    • To configure this destination using a template, follow the instructions in Configure Using a Template.

    Docker Hub destinations can also be configured manually, allowing you to send data to Docker Hub endpoints not included in the pre-built templates or apply further customizations to exactly suit your needs.
    • To configure this destination manually, follow the instructions in Configure Manually.

Configure Using a Template

Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Docker Hub endpoints. Each template is designed specifically for the corresponding Docker Hub API endpoint, making destination setup easy and efficient.

  • To configure this destination using a template, select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.

    Create a repository

    Creates a new repository within a Docker Hub namespace. Use this endpoint when you want to programmatically provision new repositories in a user account or organization — for example, as part of an automated DevOps workflow or when onboarding a new service.

    • Enter the Docker Hub namespace (username or organization name) under which the new repository should be created in the Namespace field. For example, enter mycompany to create the repository under the mycompany organization.

    • The request body sent to Docker Hub should be formatted as a JSON object and must include the following fields:

      • name — The name of the new repository (required). Repository names must be lowercase and may contain letters, digits, underscores, periods, and hyphens.
      • namespace — The namespace under which to create the repository (required). This should match the namespace specified in the URL.
      • description — A short description of the repository (optional).
      • full_description — A longer Markdown-formatted description for the repository's README section (optional).
      • registry — The registry to use; typically docker.io for Docker Hub (optional).
      • is_private — Set to true to make the repository private, or false to make it public (optional, defaults to false).

    Docker Hub accounts on the free plan have a limited number of private repositories. Ensure your account plan supports the desired repository visibility. For complete details, refer to the Docker Hub API reference for Create a repository.

    Create a personal access token

    Creates a new Personal Access Token (PAT) for the authenticated Docker Hub user. Use this endpoint to programmatically provision tokens for automated systems or CI/CD pipelines as part of a token lifecycle management workflow.

    • No URL parameter configuration is required for this endpoint. The request body sent to Docker Hub should include the following fields:

      • token_label — A descriptive label for the token (required). Use a meaningful name that identifies the token's purpose, such as nexla-integration or ci-pipeline-prod.
      • scopes — An array of permission scopes to grant the token (required). Valid scope values include repo:read, repo:write, and repo:admin.

    The generated token secret is returned only once in the API response at the time of creation. Ensure that your Nexla flow captures and stores the token value immediately. It cannot be retrieved again through the API after this initial response.

    Update a personal access token

    Updates the label or active state of an existing Personal Access Token. Use this endpoint to rename tokens, enable or disable tokens as part of security rotation workflows, or manage token lifecycle programmatically.

    • Enter the UUID of the Personal Access Token to update in the Token UUID field. UUIDs can be obtained from the List personal access tokens endpoint.

    • The request body may include the following fields:

      • token_label — A new descriptive label for the token (optional).
      • is_active — Set to true to enable the token or false to disable it (optional). Disabling a token prevents it from being used for authentication without deleting it.

    Delete a personal access token

    Permanently deletes a Personal Access Token. Use this endpoint to revoke tokens that are no longer needed, as part of offboarding workflows, or during security incident response. This action cannot be undone.

    • Enter the UUID of the Personal Access Token to delete in the Token UUID field. UUIDs can be obtained from the List personal access tokens endpoint. Ensure the correct UUID is specified, as this action is irreversible.

    :::warning Important Deleting a Personal Access Token immediately and permanently revokes it. Any systems or integrations using the deleted token will lose access to Docker Hub. Verify that no active systems depend on the token before proceeding. :::

    Create an organization team

    Creates a new team (group) within a Docker Hub organization. Teams allow organizations to group members and manage their repository access permissions collectively. Use this endpoint to provision teams programmatically as part of organizational onboarding workflows.

    • Enter the Docker Hub organization name in which to create the team in the Organization Name field.

    • The request body should include the following fields:

      • name — The name for the new team (required). Team names must be unique within the organization.
      • description — A description of the team's purpose (optional).

    Only organization owners can create teams. The authenticated credential must belong to an account with owner-level access to the specified organization.

    Update an organization team

    Partially updates an organization team — typically renaming the team or updating its description. Use this endpoint to manage team names and descriptions as part of organizational restructuring workflows.

    • Enter the Docker Hub organization name that owns the team in the Organization Name field.
    • Enter the current name of the team to update in the Team Name field.

    • The request body may include the following fields:

      • name — The new name for the team (optional).
      • description — The updated description for the team (optional).

    Delete an organization team

    Permanently deletes a team from a Docker Hub organization. Deleting a team removes all team-level repository access permissions for its former members, though the members remain in the organization. This action cannot be undone.

    • Enter the Docker Hub organization name that owns the team in the Organization Name field.
    • Enter the name of the team to delete in the Team Name field. Verify the team name carefully, as this action is irreversible.

    :::warning Important Deleting a team removes all repository access permissions associated with that team. Ensure that affected members have alternative access paths before deleting the team. :::

    Add a member to an organization team

    Adds an existing organization member to a specific team, granting them the repository access permissions associated with that team. Use this endpoint when onboarding new team members or adjusting access as part of role changes.

    • Enter the Docker Hub organization name that owns the team in the Organization Name field.
    • Enter the name of the team to add the member to in the Team Name field.

    • The request body should include the following field:

      • member — The Docker Hub username of the organization member to add to the team (required). The user must already be a member of the organization before they can be added to a team.

    The user must already be a member of the Docker Hub organization to be added to a team. Use the Bulk-create organization invites endpoint to first invite new users to the organization if they are not yet members.

    Remove a member from an organization team

    Removes a member from a specific team without removing them from the organization itself. The member will lose any repository access permissions granted through that team. Use this endpoint to manage team membership as part of role transitions.

    • Enter the Docker Hub organization name that owns the team in the Organization Name field.
    • Enter the name of the team from which to remove the member in the Team Name field.
    • Enter the Docker Hub username of the member to remove in the Member Username field.

    Update organization member role

    Updates the organization-level role of an existing member. Docker Hub organization roles control the level of administrative access a member has across the entire organization. Use this endpoint to promote or demote members as part of access management workflows.

    • Enter the Docker Hub organization name the member belongs to in the Organization Name field.
    • Enter the Docker Hub username of the member whose role to update in the Member Username field.

    • The request body should include the following field:

      • role — The new role to assign to the member (required). Valid values are:

        • owner — Full administrative access to the organization, including the ability to manage members, teams, and settings.
        • editor — Can manage repositories and teams but cannot modify organization-level settings or manage owners.
        • member — Standard member access, limited to teams and repositories they have been explicitly granted access to.

    Assigning the owner role grants full administrative control over the organization. Apply this role only to users who require top-level administrative access.

    Remove member from organization

    Removes a member from a Docker Hub organization, which also removes them from all teams within that organization. Use this endpoint as part of offboarding workflows to revoke all organization access for a departing user.

    • Enter the Docker Hub organization name to remove the member from in the Organization Name field.
    • Enter the Docker Hub username of the member to remove in the Member Username field.

    :::warning Important A member cannot be removed if they are the last owner of the organization. Ensure at least one other owner exists before attempting to remove the final owner. Removing a member immediately revokes their access to all organization repositories and teams. :::

    Bulk-create organization invites

    Creates multiple membership invitations for a Docker Hub organization in a single API call. Invitations can be sent by email address or Docker Hub username. Use this endpoint to onboard multiple users at once, or to provision invites as part of automated user provisioning workflows.

    • No URL parameter configuration is required for this endpoint. The request body should include the following fields:

      • org — The organization name to which invitations should be sent (required).
      • invitees — An array of invitee objects, each specifying either an email address or Docker Hub username to invite (required).
      • role — The role to assign to invited users upon acceptance (optional). Valid values are member, editor, or owner.
      • team — The team to add invited users to upon acceptance (optional).

    Only team owners can create organization invitations. The authenticated credential must belong to an account with owner-level access to the organization. Invitations for distributor roles also require owner-level access.

    Create an organization access token

    Creates a new Organization Access Token (OAT) for a Docker Hub organization. OATs provide organization-level service account credentials for CI/CD systems and automated workflows that require API access independent of any individual user account. Use this endpoint to provision OATs programmatically as part of infrastructure automation.

    • Enter the Docker Hub organization name in which to create the token in the Organization Name field.

    • The request body should include the following fields:

      • token_label — A descriptive label identifying the OAT's purpose (required), such as prod-ci-pipeline.
      • scopes — An array of access scopes for the token (required).
      • Repository access permissions as defined by the Docker Hub API specification.

    The OAT secret value is returned only once in the API response at the time of creation. Ensure your Nexla flow captures and securely stores this value immediately, as it cannot be retrieved again through the API.

    Update an organization access token

    Partially updates an Organization Access Token — typically updating the label or enabling/disabling the token. Use this endpoint to manage OAT lifecycle, such as temporarily disabling a token during maintenance or renaming tokens for clarity.

    • Enter the Docker Hub organization name that owns the OAT in the Organization Name field.
    • Enter the ID of the Organization Access Token to update in the OAT ID field. OAT IDs can be obtained from the List organization access tokens endpoint.

    • The request body may include the following fields:

      • token_label — A new descriptive label for the token (optional).
      • is_active — Set to true to enable the token or false to disable it without deleting it (optional).

    Delete an organization access token

    Permanently deletes an Organization Access Token. This action immediately revokes the token and any systems using it will lose API access. Use this endpoint during token rotation workflows or when decommissioning automated systems. This action cannot be undone.

    • Enter the Docker Hub organization name that owns the OAT in the Organization Name field.
    • Enter the ID of the Organization Access Token to delete in the OAT ID field. Verify the correct OAT ID before proceeding, as this action is irreversible.

    :::warning Important Deleting an Organization Access Token immediately and permanently revokes it. All CI/CD pipelines and automated systems using this token will lose Docker Hub API access. Coordinate token rotation carefully to avoid service disruptions. :::

    Update organization settings

    Updates an organization's settings, such as restricted image policies available on Docker Hub Business plans. Use this endpoint to enforce security policies, configure image source restrictions, or manage organization-wide access controls programmatically.

    • Enter the Docker Hub organization name whose settings to update in the Organization Name field. Only organization owners may modify these settings.

    • The request body should include the organization settings fields you want to update, such as:

      • restricted_images — Configuration for restricting which image sources organization members can pull from (available on Business plans).

    Organization settings features such as restricted images are available only on Docker Hub Business plans. Attempting to set Business-plan-only settings on a non-Business organization will result in an API error. Refer to the Docker Hub API reference for organization settings for the complete list of configurable fields.

Configure Manually

Docker Hub destinations can be manually configured to send data to any valid Docker Hub API endpoint. Using manual configuration, you can also configure Nexla to automatically send the response received from the Docker Hub API after each call to a new Nexla webhook data source.

API Method

  1. To manually configure this destination, select the Advanced tab at the top of the configuration screen.

  2. Select the API method that will be used for calls to the Docker Hub API from the Method pulldown menu. Common methods for Docker Hub write operations include:

    • POST: For creating new resources (repositories, tokens, teams, invitations).
    • PUT: For replacing or fully updating an existing resource (e.g., updating a member's organization role).
    • PATCH: For partial updates to an existing resource (e.g., updating a token's label or active state).
    • DELETE: For permanently removing a resource (e.g., deleting a token or team).

Data Format

  1. Select the format in which the Nexset data will be sent to the Docker Hub API from the Content Format pulldown menu. Docker Hub's API accepts and returns data in JSON format — select JSON as the content format. Nexla will automatically convert the Nexset data to JSON for each API call.

API Endpoint URL

  1. Enter the URL of the Docker Hub API endpoint to which you want to send the Nexset data in the URL field. All Docker Hub API endpoints use the base URL https://hub.docker.com/v2/. For update or delete operations, include the resource identifier at the end of the URL. For example:
    • https://hub.docker.com/v2/namespaces/myorg/repositories — creates a repository under myorg.
    • https://hub.docker.com/v2/orgs/myorg/members/username — updates a member in myorg.
    • https://hub.docker.com/v2/access-tokens/token-uuid — updates or deletes a specific personal access token.

The complete Docker Hub API reference, including all available endpoint URLs and their required parameters, is available at https://docs.docker.com/reference/api/hub/latest/.

Request Headers

Optional

  • If Nexla should include any additional request headers in API calls to this destination, enter the headers & corresponding values as comma-separated pairs in the Request Headers field (e.g., header1:value1,header2:value2).

    You do not need to include the Authorization header — Nexla automatically includes the bearer token from your Docker Hub credential in every API request.

Exclude Attributes from the Call

Optional

  • If any record attributes in the Nexset should be omitted when sending data to this Docker Hub destination, select the attributes from the Exclude Attributes pulldown menu.

  • Any number of attributes can be selected for exclusion, and all excluded attributes will be shown in the field. To remove an attribute from the list, click the X icon next to the attribute name.

Record Batching

Optional

  1. If records should be sent to this destination in batched API calls, check the box next to Would you like to batch your records together? to enable record batching.

  2. Enter the maximum number of records that should be batched together in a single API call in the Batch Size field. By default, this value is set to 100.

  3. Select the algorithm that will be used to group records into batches from the Grouping Algorithm pulldown menu. The sample request shown in the panel on the right will be updated to reflect the current batching settings. Some algorithms require additional settings—click on an algorithm listed below to view instructions for configuring these settings.

Property Inside JSON Object

  1. Enter the name of the JSON property that should contain the batched records in the Property Name field.
  2. If any additional properties should be included in the request, enter the properties in the Other Props field in JSON format.

Code

  1. Enter the code that will be used to create the batched request in the code editor below the Grouping Algorithm field.

Response Webhook

Optional

Nexla can automatically send the response received from the Docker Hub API after each call to a new Nexla webhook data source. This option allows you to keep track of the status of each API call and any additional information returned after each call — for example, to capture the generated token value returned by the Create a personal access token endpoint, or to capture the created repository ID for downstream processing.

  • To enable this option, check the box next to Would you like to process the API response as a Nexla Webhook source?.

Sample Request Payload

Sample request payloads containing a portion of the Nexset data that will be sent to the Docker Hub API endpoint based on the current settings are shown in the Sample Payload panel on the right. These samples can be referenced to ensure that the destination and request settings are correctly configured.

  • Click on a sample request payload to expand it and view the complete payload content.
  • Sample payloads are automatically updated with each setting change, making it easy to verify that changes achieve the desired effect.

Endpoint Testing (Manual Configuration)

After all endpoint settings have been configured, Nexla can send a test payload to the Docker Hub API to ensure that the destination is configured correctly.

  1. To send a test payload, select the Test button at the top of the Sample Payload panel, and click on a listed sample payload to expand it.

  2. If any modifications to the sample payload are needed, make the necessary changes directly within the sample window.

  3. Click the Send Test Data button at the top of a sample payload to send the test payload to the Docker Hub API using the current settings.

Save & Activate the Destination

  • Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To begin sending data to the configured Docker Hub endpoint, open the destination resource menu, and select Activate.

    The Nexset data will not be sent to the Docker Hub endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.