Why teams use it

Managed OCI-compatible registry with role-based access and HTTPS endpoints.

Tower Registry exposes Docker Registry HTTP API V2 and OCI-compatible storage with HTTPS endpoints, JWT identity, Docker CLI login, roles, and Kubernetes-native pull secrets.

Diagram: endpoint (HTTPS registry), API (OCI V2), repository (isolated namespace), auth (JWT + Basic), pull secret (K8s secret), workload (image pull).

Protocol: OCI / Docker V2
Access: public or private
Auth: JWT + Basic
TLS: HTTPS only

Under the hood

Gateway-routed HTTPS endpoints, JWT identity and isolated storage.

Each registry gets a per-organization endpoint (for example, myregistry.hyd.cr.tower.cloud) with TLS termination via Kubernetes Gateway API and DNS-based HTTPRoute routing.

Authentication uses JWT from the platform identity provider, mapped to organization roles. Docker CLI login uses Basic auth compatibility for seamless local and CI usage.

Repositories are isolated per registry with strict content-type validation, overwrite-tag write policy, and structured logging plus OpenTelemetry tracing for API and lifecycle operations.

HTTPS endpoint: Gateway route
repository: isolated namespace
manifest: OCI metadata
tag: version pointer

Capabilities

What you get on Day One

OCI-compatible registry workflows with built-in auth, secure networking, and organization-level access controls.

OCI-compatible protocol

Docker Registry HTTP API V2 support for Docker CLI, Podman, Buildah, and OCI tooling.

Role-based access

Owner, Admin, Developer, Reader, and anonymous (public-only pull) permissions mapped at organization scope.

Public and private modes

Create anonymous-pull public registries or fully authenticated private registries with pull-secret support.

Gateway networking

HTTPS-only access with dedicated port mapping, HTTPRoute-based routing, TLS cert management, and rate limiting.

Technical reference

Configuration & Platform Details

A concise reference for architecture reviews, security questionnaires, and platform integration planning.

Protocol
Docker Registry HTTP API V2. Compatible with Docker CLI, Podman, Buildah, and all OCI-compliant tools.
Access
Per-organization HTTPS endpoint with custom domain (e.g., myregistry.hyd.cr.tower.cloud). TLS termination via Gateway API.
Authentication
JWT-based via platform identity provider. Role-based access mapped from organization roles. Basic auth for Docker CLI login.
Public registries
Anonymous pull access without credentials. Push still requires authenticated owner/admin/developer role.
Private registries
All operations require authentication. Pull credentials stored as Kubernetes secrets for seamless pod integration.
Storage
Images stored in isolated hosted repositories per registry. Strict content type validation enforced. Write policy: allow (overwrite tags supported).
Networking
HTTPS-only. Each registry gets a unique port mapping and HTTPRoute for DNS-based routing. Kubernetes Gateway API with TLS certificate management.
Security
Rate limiting (500 requests per 10 minutes per IP). Security headers via Helmet. CORS configurable. Namespace-level network isolation.
Monitoring
OpenTelemetry tracing enabled. Structured JSON logging for all API and lifecycle operations.
Role-based access
All roles are organization-wide: granting a role gives access to all registries within that organization.
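
Because the Storage entry above allows tags to be overwritten, a tag can point at different image content over time, so a workload that needs a fixed image references it by digest. The Python check below is an added example, not Tower's own code: it flags containers in a pod spec that pull from the registry by tag only. The pod spec, pull-secret name and repository paths are constructed sample values; the host is the example endpoint from this page.

```python
import re

REGISTRY_HOST = "myregistry.hyd.cr.tower.cloud"  # example endpoint from this page
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image(ref):
    """Split an image reference into (host, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    # A ':' after the last '/' is a tag separator; before it, it is a port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag, digest or None
    return None, name, tag, digest or None

def unpinned_images(pod_spec, registry_host=REGISTRY_HOST):
    """Return (container, image, tag) for images pulled from registry_host
    without a valid sha256 digest, i.e. by a tag that can be overwritten."""
    findings = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            host, _repo, tag, digest = parse_image(c["image"])
            # Each registry may have its own port mapping, so compare hostnames.
            if host is None or host.split(":")[0] != registry_host:
                continue
            if digest is None or not DIGEST_RE.match(digest):
                findings.append((c["name"], c["image"], tag or "latest"))
    return findings

# Constructed sample pod spec (names and paths are hypothetical).
SAMPLE_POD_SPEC = {
    "imagePullSecrets": [{"name": "tower-pull"}],
    "initContainers": [
        {"name": "migrate", "image": REGISTRY_HOST + "/app/migrate"}],
    "containers": [
        {"name": "api", "image": REGISTRY_HOST + "/app/api:1.4.2"},
        {"name": "worker",
         "image": REGISTRY_HOST + "/app/worker:1.4.2@sha256:" + "ab" * 32},
        {"name": "proxy", "image": "docker.io/library/nginx:1.27"},
    ],
}

if __name__ == "__main__":
    for name, image, tag in unpinned_images(SAMPLE_POD_SPEC):
        print(f"{name}: {image} is pinned only by tag '{tag}'")
```
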
