content/manuals/docker-hub/repos/manage/access.md
In this topic learn about the features available to manage access to your repositories. This includes visibility, collaborators, roles, teams, and organization access tokens.
The most basic repository access is controlled via the visibility. A repository's visibility can be public or private.
With public visibility, the repository appears in Docker Hub search results and can be pulled by everyone. To manage push access to public personal repositories, you can use collaborators. To manage push access to public organization repositories, you can use roles, teams, or organization access tokens.
With private visibility, the repository doesn't appear in Docker Hub search results and is only accessible to those with granted permission. To manage push and pull access to private personal repositories, you can use collaborators. To manage push and pull access to private organization repositories, you can use roles, teams, or organization access tokens.
When creating a repository in Docker Hub, you can set the repository visibility. In addition, you can set the default repository visibility when a repository is created in your personal repository settings. The following describes how to change the visibility after the repository has been created.
To change repository visibility:
Sign in to Docker Hub.
Select My Hub > Repositories.
Select a repository.
The General page for the repository appears.
Select the Settings tab.
Under Visibility settings, select one of the following:
Type the repository's name to verify the change.
Select Make public or Make private.
A collaborator is someone you want to give push and pull access to a
personal repository. Collaborators aren't able to perform any administrative
tasks such as deleting the repository or changing its visibility from private to
public. In addition, collaborators can't add other collaborators.
Only personal repositories can use collaborators. You can add unlimited collaborators to public repositories, and Docker Pro accounts can add up to 1 collaborator on private repositories.
Organization repositories can't use collaborators, but can use member roles, teams, or organization access tokens to manage access.
Sign in to Docker Hub.
Select My Hub > Repositories.
A list of your repositories appears.
Select a repository.
The General page for the repository appears.
Select the Collaborators tab.
Add or remove collaborators based on their Docker username.
You can choose collaborators and manage their access to a private repository from that repository's Settings page.
Organizations can use roles for individuals, giving them different permissions in the organization. For more details, see Roles and permissions.
Organizations can use teams. A team can be assigned fine-grained repository access.
You must create a team before you are able to configure repository permissions. For more details, see Create and manage a team.
To configure team repository permissions:
Sign in to Docker Hub.
Select My Hub > Repositories.
A list of your repositories appears.
Select a repository.
The General page for the repository appears.
Select the Permissions tab.
Add, modify, or remove a team's repository permissions.
Organizations can use OATs. OATs let you assign fine-grained repository access permissions to tokens. For more details, see Organization access tokens.
{{< summary-bar feature_name="Gated distribution" >}}
Gated distribution allows publishers to securely share private container images with external customers or partners, without giving them full organization access or visibility into your teams, collaborators, or other repositories.
This feature is ideal for commercial software publishers who want to control who can pull specific images while preserving a clean separation between internal users and external consumers.
If you are interested in Gated Distribution contact the Docker Sales Team for more information.
Private repository distribution: Content is stored in private repositories and only accessible to explicitly invited users.
External access without organization membership: External users don't need to be added to your internal organization to pull images.
Pull-only permissions: External users receive pull-only access and cannot push or modify repository content.
Invite-only access: Access is granted through authenticated email invites, managed via API.
[!NOTE] When you invite members, you assign them a role. See Roles and permissions for details about the access permissions for each role.
Distributor members (used for gated distribution) can only be invited using the Docker Hub API. UI-based invitations are not currently supported for this role. To invite distributor members, use the Bulk create invites API endpoint.
To invite distributor members:
Use the Authentication API to generate a bearer token for your Docker Hub account.
Create a team in the Hub UI or use the Teams API.
Grant repository access to the team:
Use the Bulk create invites endpoint to send email invites with the distributor member role. In the request body, set the "role" field to "distributor_member".
The invited user will receive an email with a link to accept the invite. After signing in with their Docker ID, they'll be granted pull-only access to the specified private repository as a distributor member.