The 'unauthorized: authentication required' error occurs when Docker cannot authenticate with a container registry. This typically happens when you haven't logged in, your credentials have expired, or you're pushing to the wrong registry URL.
This error message indicates that the Docker daemon attempted to access a container registry (such as Docker Hub, GitHub Container Registry, or a private registry) but was rejected because valid authentication credentials were not provided. The Docker registry uses a token-based authentication system. When you try to push or pull an image, the registry checks whether your request includes a valid authentication token. If the token is missing, expired, or invalid, the registry responds with this "unauthorized: authentication required" error. This error commonly occurs in several scenarios: 1. **You haven't logged in** - You need to run `docker login` before accessing private repositories 2. **Credentials have expired** - Docker Hub tokens and session credentials expire over time 3. **Wrong registry URL** - You're authenticated to one registry but trying to access another 4. **Image name mismatch** - The image name doesn't match your authenticated username/organization 5. **Private image on free tier** - You may have exceeded Docker Hub's private repository limits
The most common fix is to authenticate with the registry before pushing or pulling images.
# Log in to Docker Hub (default registry)
docker login
# You'll be prompted for username and password
# For Docker Hub, use your username (not email) and password or access tokenImportant: If you use sudo for Docker commands, you must also log in with sudo:
# Credentials are stored separately for root and your user
sudo docker loginAfter logging in successfully, you should see:
Login SucceededSometimes the default Docker Hub login doesn't work properly. Try specifying the registry URL explicitly:
# Log in with the explicit Docker Hub registry URL
docker login -u your-username https://index.docker.io/v1/This ensures Docker authenticates with the correct registry endpoint. The index.docker.io/v1/ URL is Docker Hub's official authentication endpoint.
For private registries, use their specific URL:
# AWS ECR
aws ecr get-login-password | docker login --username AWS --password-stdin 123456789.dkr.ecr.region.amazonaws.com
# Azure Container Registry
docker login myregistry.azurecr.io
# Google Container Registry
docker login gcr.ioDocker Hub requires that the image name includes your username or organization as a prefix. If you try to push an image without this prefix, authentication will fail.
# Wrong - image name doesn't include username
docker push myapp:latest
# Error: unauthorized: authentication required
# Correct - tag the image with your username first
docker tag myapp:latest yourusername/myapp:latest
docker push yourusername/myapp:latestFor organizations, use the organization name:
docker tag myapp:latest myorganization/myapp:latest
docker push myorganization/myapp:latestTo check your current Docker Hub username:
cat ~/.docker/config.json | grep -A2 "index.docker.io"If you're still seeing the error after logging in, your stored credentials may be corrupted or outdated. Clear them and log in fresh:
# Log out from Docker Hub
docker logout
# Log out from a specific registry (if applicable)
docker logout registry.example.com
# Remove the credentials file (backup first)
mv ~/.docker/config.json ~/.docker/config.json.backup
# Log in again
docker loginOn macOS and Windows, Docker Desktop stores credentials in the system keychain. You may need to clear those as well:
- macOS: Open Keychain Access, search for "docker", and delete related entries
- Windows: Use Credential Manager to remove Docker-related credentials
Docker Hub recommends using access tokens instead of your account password. Tokens are more secure and can be revoked individually.
1. Go to https://hub.docker.com/settings/security
2. Click "New Access Token"
3. Give it a descriptive name and select permissions
4. Copy the token (you won't see it again)
Use the token to log in:
docker login -u yourusername
# When prompted for password, paste your access tokenOr use stdin for automated scripts:
echo "$DOCKER_TOKEN" | docker login -u yourusername --password-stdinAuthentication tokens have expiration timestamps. If your system clock is significantly off, the registry may reject your authentication.
# Check current system time
date
# Compare with actual time
# If off by more than a few minutes, sync the clock
# On Linux with systemd
sudo timedatectl set-ntp true
sudo systemctl restart systemd-timesyncd
# On macOS
sudo sntp -sS time.apple.com
# On Windows (PowerShell as Admin)
w32tm /resyncDocker Desktop on macOS and Windows manages its own clock, which can sometimes drift from the host. Restarting Docker Desktop can help resync the time.
Docker Hub free tier has limitations on private repositories. If you're trying to push a new private image and have reached your limit, you'll see an authentication error.
Check your current usage:
1. Go to https://hub.docker.com/
2. Click on your profile > Account Settings
3. Review your subscription plan and repository limits
Free tier allows:
- Unlimited public repositories
- Limited private repositories (check current limits on Docker Hub)
If you've exceeded limits, you can:
1. Delete unused private repositories
2. Make some repositories public
3. Upgrade to a paid Docker Hub subscription
### Understanding Docker's Authentication Flow
When Docker needs to authenticate with a registry, it follows this process:
1. Client requests the image from the registry
2. Registry returns a 401 Unauthorized with a WWW-Authenticate header
3. Client requests a bearer token from the auth service
4. Auth service validates credentials and returns a token
5. Client retries the original request with the bearer token
Failures can occur at any step in this process.
### Debugging Authentication Issues
Check your stored credentials:
cat ~/.docker/config.jsonThe auths section shows stored credentials:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "base64-encoded-credentials"
}
}
}If you see credsStore instead of credentials, Docker is using a credential helper (like macOS Keychain or Windows Credential Manager).
### CI/CD Pipeline Configuration
For CI/CD systems, ensure credentials are properly configured:
GitHub Actions:
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}GitLab CI:
before_script:
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY### Network and Proxy Issues
If you're behind a corporate proxy, Docker may have trouble reaching the auth service:
# Set proxy for Docker daemon (Linux)
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo cat > /etc/systemd/system/docker.service.d/http-proxy.conf << EOF
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080"
Environment="HTTPS_PROXY=http://proxy.example.com:8080"
Environment="NO_PROXY=localhost,127.0.0.1"
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker### Self-Hosted Registry Authentication
For self-hosted Docker registries, ensure:
1. TLS is properly configured (Docker requires HTTPS for authentication)
2. The registry is reachable from your Docker host
3. You're using the correct port in the login command
# Include the port if your registry uses a non-standard port
docker login registry.example.com:5000For registries using self-signed certificates, you may need to add them to Docker's trusted certificates or configure the registry as insecure (not recommended for production).
dockerfile parse error line 5: unknown instruction: RRUN
How to fix 'unknown instruction' Dockerfile parse error in Docker
Error response from daemon: manifest for nginx:nonexistent not found: manifest unknown: manifest unknown
How to fix 'manifest for image:tag not found' in Docker
Error response from daemon: invalid reference format: repository name must be lowercase
How to fix 'repository name must be lowercase' in Docker
Error response from daemon: No such image
How to fix 'No such image' in Docker
Error response from daemon: Container is not running
How to fix 'Container is not running' when using docker exec