docker: unauthorized: authentication required
This error matches known, documented patterns with reliable solutions.
Quick Fix (Most Common Solution)
- Run docker login
- Refresh access token
Seeing "docker: unauthorized: authentication required"? This error can be frustrating, but it's usually fixable. It typically affects your development workflow or system. Below you'll find clear, step-by-step solutions to resolve this issue.
What This Error Means
You need to login to access this registry.
Frequently documented in developer and vendor support forums.
Not affiliated with browser, OS, or device manufacturers.
New here? Learn why exact error messages matter →
Common Causes
- Private repository
- Expired credentials
- Rate limit exceeded
How to Fix
- Run docker login
- Refresh access token
- Wait for rate limit reset
Last reviewed: March 2026 How we review solutions
Why This Happens
Docker returns "unauthorized: authentication required" when you attempt to pull or push an image to a registry that requires credentials, and your current Docker session does not have valid authentication for that registry. Docker Hub introduced rate limits and authentication requirements for pulls in November 2020, making this error far more common than before. Anonymous pulls from Docker Hub are limited to 100 pulls per 6 hours per IP address; authenticated free accounts get 200 pulls. Once the rate limit is hit, Docker Hub returns a 401 Unauthorized response even for public images. Private registries (AWS ECR, Google GCR, Azure ACR, GitHub Container Registry) always require authentication. Docker stores credentials in ~/.docker/config.json after a successful docker login, and these credentials can expire—AWS ECR tokens, for example, expire after 12 hours by default. CI/CD pipelines are particularly vulnerable because each pipeline run starts with a fresh environment and no cached credentials. The fix depends on which registry you are using: Docker Hub needs a simple docker login, while cloud registries have their own authentication helpers that generate short-lived tokens.
Quick Diagnostic Checklist
- Run docker login to authenticate with the registry
- Check if your credentials are expired: cat ~/.docker/config.json
- For AWS ECR: run aws ecr get-login-password | docker login --username AWS --password-stdin
- Verify the image name includes the correct registry prefix
- Check Docker Hub rate limits: curl -s https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull | jq
Authentication flow for different registries
# Error:
# docker: Error response from daemon: pull access denied for myapp,
# repository does not exist or may require 'docker login'
# --- Docker Hub ---
$ docker login
# Username: your-username
# Password: ********
# Login Succeeded
$ docker pull your-username/myapp:latest
# --- AWS ECR (tokens expire after 12 hours) ---
$ aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin \
123456789.dkr.ecr.us-east-1.amazonaws.com
# Login Succeeded
$ docker pull 123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
# --- GitHub Container Registry ---
$ echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
$ docker pull ghcr.io/your-org/myapp:latest
# --- Verify current auth status ---
$ cat ~/.docker/config.json
# Shows which registries have stored credentialsEdge Cases & Unusual Scenarios
Docker Hub rate limiting on shared CI IP
CI services share IP addresses across many customers. Even if your account has pulls remaining, the shared IP may have exceeded the anonymous limit. Always authenticate in CI pipelines to get per-account limits instead of per-IP limits.
Multi-stage build pulling from private registry
If your Dockerfile uses FROM private-registry.com/base:latest in a multi-stage build, Docker needs credentials for that registry even if the final image is pushed elsewhere. Use docker login for each registry referenced in the Dockerfile.
Credential helper misconfiguration
Docker can use platform-specific credential helpers (osxkeychain, wincred, pass). If the helper is configured but the credentials are not stored in it, docker pull fails silently. Check "credsStore" in ~/.docker/config.json.
Optional follow-up
Some users ask whether saving fixes for recurring errors would be useful when the same issue appears again.
Was this explanation helpful?
Frequently Asked Questions
How do I login?
Run docker login registry-url
Why rate limit?
Docker Hub limits pulls for anonymous users.
How long do Docker Hub credentials last?
Docker Hub access tokens do not expire by default, but personal access tokens can be set to expire. AWS ECR tokens expire after 12 hours. Always check the expiry policy for your specific registry.
Why does docker pull fail for a public image?
Docker Hub rate-limits anonymous pulls to 100 per 6 hours per IP. If you are behind a corporate network or shared CI, the IP may have exhausted its quota. Authenticate with docker login to get a higher per-account limit.
How do I authenticate Docker in a CI/CD pipeline?
Store registry credentials as CI secrets and run docker login in your pipeline script before any pull or push commands. For AWS ECR, use the aws-actions/amazon-ecr-login GitHub Action or equivalent for your CI platform.
Also Known As
- Docker container error
- Docker build failure
- Container runtime error
- Docker daemon error
Common Search Variations
- "docker container won't start"
- "docker build error fix"
- "docker image not found"
- "container exited with error"
- "docker daemon not responding"
- "fix docker network error"
Related Errors
Still Stuck?
Paste a different error message or upload a screenshot to get help instantly.