Can I use Docker Hub as a CLI?

Yes. KosmoKrator exposes a Docker Hub CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Docker Hub through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Docker Hub tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Docker Hub credentials stored?

Docker Hub credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Docker Hub MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

productivity

Docker Hub MCP, CLI, and Lua Integration for AI Agents

Docker Hub integration docs for AI agents: MCP gateway setup, Docker Hub CLI commands, Lua API reference, credentials, and function schemas.

Docker Hub for agents

Credentials can be configured manually in web or CLI hosts.

Use this integration from Lua code mode, the headless integrations CLI, or the KosmoKrator MCP gateway. The same package metadata powers all three surfaces.

Agent Surfaces

Docker Hub CLIHeadless setup, JSON output, direct function calls. Docker Hub MCPExpose selected tools to local MCP clients. Docker Hub LuaAgent-facing namespace and Lua reference. FeedbackReport missing tools, auth issues, or bad metadata.

Machine-Readable Metadata

integration_slug: docker
route_slug: docker
package: docker
auth_strategy: bearer_token
cli_setup_supported: true
cli_runtime_supported: true
mcp_gateway_supported: true
lua_supported: true

Function Catalog

Function	Type	Description
`docker.docker_post_users_login`	Write `write`	Creates and returns a bearer token in JWT format that you can use to authenticate with Docker Hub APIs. The returned token is used in the HTTP Authorization header like `Authorization: Bearer {TOKEN}`. _As of September 16, 2024, this route requires a personal access token (PAT) instead of a password if your organization has SSO enforced._ <div style="background-color:rgb(255, 165, 0, .25); padding:5px; border-radius:4px"> <strong>Deprecated</strong>: Use [<a href="#tag/authentication-api/operation/AuthCreateAccessToken">Create access token</a>] instead. </div>
`docker.docker_post_users2_f_a_login`	Write `write`	When a user has two-factor authentication (2FA) enabled, this is the second call to perform after `/v2/users/login` call. Creates and returns a bearer token in JWT format that you can use to authenticate with Docker Hub APIs. The returned token is used in the HTTP Authorization header like `Authorization: Bearer {TOKEN}`. Most Docker Hub APIs require this token either to consume or to get detailed information. For example, to list images in a private repository.
`docker.docker_auth_create_access_token`	Write `write`	Creates and returns a short-lived access token in JWT format for use as a bearer when calling Docker APIs. If successful, the access token returned should be used in the HTTP Authorization header like `Authorization: Bearer {access_token}`. _If your organization has SSO enforced, you must use a personal access token (PAT) instead of a password._
`docker.docker_get_v2_access_tokens`	Read `read`	Returns a paginated list of personal access tokens.
`docker.docker_post_v2_access_tokens`	Write `write`	Creates and returns a personal access token.
`docker.docker_get_v2_access_tokens_by_uuid`	Read `read`	Returns a personal access token by UUID.
`docker.docker_patch_v2_access_tokens_by_uuid`	Write `write`	Updates a personal access token partially. You can either update the token's label or enable/disable it.
`docker.docker_delete_v2_access_tokens_by_uuid`	Write `write`	Deletes a personal access token permanently. This cannot be undone.
`docker.docker_audit_logs_list_audit_actions`	Read `read`	List audit log actions for a namespace to be used as a filter for querying audit log events. <span class="oat"></span>
`docker.docker_audit_logs_list_audit_logs`	Read `read`	List audit log events for a given namespace. <span class="oat"></span>
`docker.docker_get_v2_orgs_by_name_settings`	Read `read`	Returns organization settings by name.
`docker.docker_put_v2_orgs_by_name_settings`	Write `write`	Updates an organization's settings. Some settings are only used when the organization is on a business subscription. *Only users with administrative privileges for the organization (owner role) can modify these settings.* The following settings are only used on a business subscription: - `restricted_images`
`docker.docker_get_v2_orgs_by_name_access_tokens`	Read `read`	List access tokens for an organization.
`docker.docker_post_v2_orgs_by_name_access_tokens`	Write `write`	Create an access token for an organization.
`docker.docker_get_v2_orgs_by_org_name_access_tokens_by_access_token_id`	Read `read`	Get details of a specific access token for an organization.
`docker.docker_patch_v2_orgs_by_org_name_access_tokens_by_access_token_id`	Write `write`	Update a specific access token for an organization.
`docker.docker_delete_v2_orgs_by_org_name_access_tokens_by_access_token_id`	Write `write`	Delete a specific access token for an organization. This action cannot be undone.
`docker.docker_list_tags`	Read `read`	List repository tags (GET /v2/namespaces/{namespace}/repositories/{repository}/tags).
`docker.docker_get_tag`	Read `read`	Read repository tag (GET /v2/namespaces/{namespace}/repositories/{repository}/tags/{tag}).
`docker.docker_update_repository_immutable_tags`	Write `write`	Updates the immutable tags configuration for this repository. Only users with administrative privileges for the repository can modify these settings.
`docker.docker_verify_repository_immutable_tags`	Write `write`	Validates the immutable tags regex pass in parameter and returns a list of tags matching it in this repository. Only users with administrative privileges for the repository call this endpoint.
`docker.docker_create_repository_group`	Write `write`	Assign a group (Team) to a repository for access (POST /v2/repositories/{namespace}/{repository}/groups).
`docker.docker_list_repositories`	Read `read`	Returns a list of repositories within the specified namespace (organization or user). Public repositories are accessible to everyone, while private repositories require appropriate authentication and permissions.
`docker.docker_create_repository`	Write `write`	Creates a new repository within the specified namespace. The repository will be created with the provided metadata including name, description, and privacy settings.
`docker.docker_get_repository`	Read `read`	Returns a repository within the specified namespace (organization or user). Public repositories are accessible to everyone, while private repositories require appropriate authentication and permissions.
`docker.docker_get_v2_orgs_by_org_name_members`	Read `read`	Returns a list of members for an organization. _The following fields are only visible to orgs with insights enabled._ - `last_logged_in_at` - `last_seen_at` - `last_desktop_version` To make visible, please see [View Insights for organization users](https://docs.docker.com/admin/insights/#view-insights-for-organization-users). <span class="oat"></span>
`docker.docker_get_v2_orgs_by_org_name_members_export`	Read `read`	Export members of an organization as a CSV <span class="oat"></span>
`docker.docker_put_v2_orgs_by_org_name_members_by_username`	Write `write`	Updates the role of a member in the organization. *Only users in the "owners" group of the organization can use this endpoint.* <span class="oat"></span>
`docker.docker_delete_v2_orgs_by_org_name_members_by_username`	Write `write`	Removes the member from the org, ie. all groups in the org, unless they're the last owner <span class="oat"></span>
`docker.docker_get_v2_orgs_by_org_name_invites`	Read `read`	Return all pending invites for a given org, only team owners can call this endpoint <span class="oat"></span>
`docker.docker_get_v2_orgs_by_org_name_groups`	Read `read`	<span class="oat"></span>
`docker.docker_post_v2_orgs_by_org_name_groups`	Write `write`	Create a new group within an organization. <span class="oat"></span>
`docker.docker_get_v2_orgs_by_org_name_groups_by_group_name`	Read `read`	<span class="oat"></span>
`docker.docker_put_v2_orgs_by_org_name_groups_by_group_name`	Write `write`	<span class="oat"></span>
`docker.docker_patch_v2_orgs_by_org_name_groups_by_group_name`	Write `write`	<span class="oat"></span>
`docker.docker_delete_v2_orgs_by_org_name_groups_by_group_name`	Write `write`	<span class="oat"></span>
`docker.docker_get_v2_orgs_by_org_name_groups_by_group_name_members`	Read `read`	List the members (users) that are in a group. If user is owner of the org or has otherwise elevated permissions, they can search by email and the result will also contain emails. <span class="oat"></span>
`docker.docker_post_v2_orgs_by_org_name_groups_by_group_name_members`	Write `write`	<span class="oat"></span>
`docker.docker_delete_v2_orgs_by_org_name_groups_by_group_name_members_by_username`	Write `write`	<span class="oat"></span>
`docker.docker_delete_v2_invites_by_id`	Write `write`	Mark the invite as cancelled so it doesn't show up on the list of pending invites <span class="oat"></span>
`docker.docker_patch_v2_invites_by_id_resend`	Write `write`	Resend a pending invite to the user, any org owner can resend an invite <span class="oat"></span>
`docker.docker_post_v2_invites_bulk`	Write `write`	Create multiple invites by emails or DockerIDs. Only a team owner can create invites. <span class="oat"></span>
`docker.docker_get_v2_scim_2_0_service_provider_config`	Read `read`	Returns a service provider config for Docker's configuration.
`docker.docker_get_v2_scim_2_0_resource_types`	Read `read`	Returns all resource types supported for the SCIM configuration.
`docker.docker_get_v2_scim_2_0_resource_types_by_name`	Read `read`	Returns a resource type by name.
`docker.docker_get_v2_scim_2_0_schemas`	Read `read`	Returns all schemas supported for the SCIM configuration.
`docker.docker_get_v2_scim_2_0_schemas_by_id`	Read `read`	Returns a schema by ID.
`docker.docker_get_v2_scim_2_0_users`	Read `read`	Returns paginated users for an organization. Use `startIndex` and `count` query parameters to receive paginated results. Sorting: Sorting allows you to specify the order in which resources are returned by specifying a combination of `sortBy` and `sortOrder` query parameters. The `sortBy` parameter specifies the attribute whose value will be used to order the returned responses. The `sortOrder` parameter defines the order in which the `sortBy` parameter is applied. Allowed values are "ascending" and "descending". Filtering: You can request a subset of resources by specifying the `filter` query parameter containing a filter expression. Attribute names and attribute operators used in filters are case insensitive. The filter parameter must contain at least one valid expression. Each expression must contain an attribute name followed by an attribute operator and an optional value. Supported operators are listed below. - `eq` equal - `ne` not equal - `co` contains - `sw` starts with - `and` Logical "and" - `or` Logical "or" - `not` "Not" function - `()` Precedence grouping
`docker.docker_post_v2_scim_2_0_users`	Write `write`	Creates a user. If the user already exists by email, they are assigned to the organization on the "company" team.
`docker.docker_get_v2_scim_2_0_users_by_id`	Read `read`	Returns a user by ID.
`docker.docker_put_v2_scim_2_0_users_by_id`	Write `write`	Updates a user. This route is used to change the user's name, activate, and deactivate the user.