Skip to main content
Root’s registries require authentication. This page covers credential setup for both cr.root.io (Root Image Catalog) and pkg.root.io (Root Library Catalog), including CI/CD and service account configurations.

Getting Credentials

Access to Root’s registries is provisioned during onboarding. You’ll receive:
  • A username (rootio for package registries, or your organization’s identifier)
  • A registry token - used as the password for all Root registries
Your token authenticates to both cr.root.io and pkg.root.io. Tokens are long-lived by default and can be rotated from the Root platform. To request access, contact Root.

Authenticating to cr.root.io

Docker CLI:
After logging in, Docker stores credentials in ~/.docker/config.json. All subsequent docker pull cr.root.io/... commands use these credentials automatically. containerd credential helper: For containerd (used by Kubernetes nodes), configure credentials in /etc/containerd/config.toml:
Restart containerd after making changes:
Kubernetes ImagePullSecrets:
Reference the secret in your Pod spec:
To apply credentials cluster-wide, add the secret to the default ServiceAccount in each namespace.

Authenticating to pkg.root.io

Each package manager uses its own configuration format. The token is the same across all ecosystems. pip / uv:
npm:
Maven (~/.m2/settings.xml):
See the individual integration guides for full setup instructions: pip, npm, Maven, Yarn, pnpm, Poetry, uv.

Service Accounts for CI/CD

For CI/CD pipelines, store your Root token as a secret rather than hardcoding it. Recommended environment variable name: ROOT_TOKEN GitHub Actions:
GitLab CI:
Generic shell:

Rotating Credentials

To rotate your registry token, generate a new one from the Root platform and update it in:
  1. Your CI/CD secret store (ROOT_TOKEN secret)
  2. Any ~/.netrc, .npmrc, or settings.xml files with the old token
  3. Kubernetes ImagePullSecrets: delete and recreate with the new token
Tokens can be rotated without downtime - old tokens remain valid for a short grace period after a new token is issued.