Authentication

Access tokens

Access tokens authenticate the CLI with the registry. Create them from your access tokens page.

Scopes

Scope         Description
image:pull    Pull images
image:push    Push images
repo:create   Auto-create repositories on push

For read-only access, image:pull is sufficient.

Org tokens

Organizations can have their own tokens, separate from personal tokens. Org tokens survive when the creating member leaves. Create them from the org settings page.

Org tokens inherit scope limits based on the creator’s role: an admin can create tokens with pull and push, but only an owner can create tokens with all scopes.

Environment variable

Set CLIPPER_CREDENTIALS to authenticate without a credentials file. This is the simplest option for containers and CI:

# Bare token (assumes clipper.dev)
CLIPPER_CREDENTIALS=clp_your_token
 
# JSON (for custom registries)
CLIPPER_CREDENTIALS='{"registries":{"clipper.dev":{"token":"clp_your_token"}}}'

The bare token format is convenient for single-registry setups. The JSON format supports multiple registries.

CLIPPER_CREDENTIALS takes precedence over the credentials file.

Interactive login

clipper login

Paste your token when prompted. Credentials are saved to ~/.config/clipper/credentials.json.

Credentials file

The credentials file maps registries to tokens:

{
  "registries": {
    "clipper.dev": {
      "token": "clp_your_token_here"
    }
  }
}

Custom path

Set CLIPPER_CREDENTIALS_FILE to use a different location:

export CLIPPER_CREDENTIALS_FILE=/path/to/credentials.json
clipper push myimage:latest myuser/myimage:latest

This is useful for CI environments where you can’t run clipper login interactively.
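To check which credential source applies in a given environment, the following added example (not part of the clipper CLI or its documentation) follows the precedence described above and reports the source without printing the token. Assumptions: the function names are hypothetical, a value beginning with "{" is treated as the JSON form, and the owner-only permission check on the credentials file is a hardening check added here rather than documented behavior.

```python
import json
import os
import stat
from pathlib import Path

DEFAULT_FILE = "~/.config/clipper/credentials.json"  # default path given on the page
DEFAULT_REGISTRY = "clipper.dev"  # registry a bare token is documented to assume


def parse_registries(text):
    """Map registry -> token from the documented {"registries": {...}} layout."""
    return {name: entry["token"] for name, entry in json.loads(text)["registries"].items()}


def resolve(env, registry=DEFAULT_REGISTRY):
    """Return (source, token, warnings) for `registry`, in documented precedence order."""
    warnings = []
    raw = env.get("CLIPPER_CREDENTIALS", "").strip()
    path = Path(env.get("CLIPPER_CREDENTIALS_FILE") or DEFAULT_FILE).expanduser()
    if raw:
        if path.is_file():
            warnings.append(f"{path} is ignored: CLIPPER_CREDENTIALS takes precedence")
        # Assumption: a value starting with "{" is the JSON form, anything else a bare token.
        tokens = parse_registries(raw) if raw.startswith("{") else {DEFAULT_REGISTRY: raw}
        return "env", tokens.get(registry), warnings
    if not path.is_file():
        return "none", None, warnings
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # any group/other permission bit set
        warnings.append(f"{path} has mode {mode:o}; restrict it to the owner (600)")
    return "file", parse_registries(path.read_text()).get(registry), warnings


if __name__ == "__main__":
    source, token, notes = resolve(os.environ)
    # Report where the token comes from, never the token itself.
    print(f"source={source} token_present={token is not None}")
    for note in notes:
        print("warning:", note)
```

Run it in the CI job before the first clipper command: a "source=env" result alongside a warning means a leftover CLIPPER_CREDENTIALS value is overriding the file you intended to use.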