Private access

Download Images from Private Registries

Use short-lived credentials to export private images. Credentials are never stored.

Base URL: https://containerdl.com

Private registry best practices

Temporary credentials

Credentials are used only for the pull and never stored or logged.

Light/Pro access

Private pulls are available on Light and Pro plans.

Least privilege

Use read-only tokens with minimal scopes.

How it works

  1. Generate an API key in your account (Light/Pro).
  2. Send registry_auth with your image request.
  3. Download the TAR once the export completes.

Example

Export a private GHCR image

curl -X POST https://containerdl.com/v1/exports \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer cdl_live_xxx" \
  -d '{
    "image":"ghcr.io/myorg/private-app:1.0",
    "registry_auth":{
      "username":"token",
      "password":"ghp_xxx"
    }
  }'

  • Private registry auth is supported only for GHCR and Docker Hub today.
  • Use read-only tokens and rotate them regularly.
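
The curl call above places the API key and the registry token on the command line, where they end up in shell history and process listings. The following added example (not containerdl's own code) builds the same POST from environment variables and refuses to attach registry_auth for any registry other than GHCR and Docker Hub. The variable names CDL_API_KEY, REGISTRY_USERNAME and REGISTRY_TOKEN and the Docker Hub host aliases are assumptions.

```python
import json
import os
import urllib.request

# Endpoint and JSON field names come from the curl example on this page.
EXPORTS_URL = "https://containerdl.com/v1/exports"
# The page states that private auth works only for GHCR and Docker Hub.
SUPPORTED_PRIVATE = {"ghcr.io", "docker.io"}
# Assumption: other host names under which Docker Hub is commonly written.
HUB_ALIASES = {"index.docker.io", "registry-1.docker.io"}


def registry_host(image: str) -> str:
    """Return the registry host of an image reference (Docker's convention)."""
    first, sep, _ = image.partition("/")
    # The first component is a host only if it looks like one; otherwise the
    # reference is Docker Hub shorthand such as "myorg/app:1.0" or "nginx".
    if sep and ("." in first or ":" in first or first == "localhost"):
        host = first.lower()
    else:
        host = "docker.io"
    return "docker.io" if host in HUB_ALIASES else host


def build_export_request(image: str, env=os.environ) -> urllib.request.Request:
    """Build the export POST with secrets read from the environment."""
    host = registry_host(image)
    if host not in SUPPORTED_PRIVATE:
        # Fail before any credential is placed in a request.
        raise ValueError(f"private pulls are not supported for {host}")
    try:
        api_key = env["CDL_API_KEY"]        # assumed variable name
        username = env["REGISTRY_USERNAME"]  # assumed variable name
        token = env["REGISTRY_TOKEN"]        # assumed variable name
    except KeyError as missing:
        raise ValueError(f"environment variable {missing} is not set") from None
    body = json.dumps({
        "image": image,
        "registry_auth": {"username": username, "password": token},
    }).encode()
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {api_key}"}
    return urllib.request.Request(EXPORTS_URL, data=body, headers=headers,
                                  method="POST")


if __name__ == "__main__":
    request = build_export_request("ghcr.io/myorg/private-app:1.0")
    with urllib.request.urlopen(request, timeout=30) as response:
        # The response format is not documented on this page.
        print(response.status)
```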

FAQs

Which private registries are supported?

Private pulls are supported only for GHCR and Docker Hub.

Do you store credentials?

No. Credentials are used only for the request and never saved.

Can I rotate tokens?

Yes. Generate a new token at any time without impacting stored data.