Validated token auth. Hook-verified cleanup.

Push. Pull.
Deploy.

The authenticated container registry for aerol.ai workloads.

Log in with your app.aerol.ai username or email plus a validated token. The registry validates the token first, then an internal signed hook records the push and reaps older images.

~ build. login. push.
$ docker build -t aocr.aerol.ai/aocr/my-image:main .
$ echo "$AEROL_TOKEN" | docker login aocr.aerol.ai -u "$AEROL_LOGIN" --password-stdin
$ docker push aocr.aerol.ai/aocr/my-image:main
# Users provide the app token. The Helm hook secret stays internal to the registry and hooks service.

Trusted by engineering teams worldwide

GitHub Actions, GitLab CI, CircleCI, Jenkins

Token-based access

End users do not need the Helm hook secret. They need two things only: a token from app.aerol.ai and a login identity that matches that same app profile.

Step 1

Create a registry token in app.aerol.ai

Users sign in to app.aerol.ai and generate the token they will use as the password for Docker or Helm.

That token is what the auth service validates before it issues the registry JWT.

Step 2

Use your app identity as the login name

For `docker login -u`, use the same app.aerol.ai username shown on the account. If that account does not expose a username, use the validated email instead.

The login name is not the secret. It just has to match the token-validated user profile.

Step 3

Log in to aocr.aerol.ai and push

After login succeeds, push images or Helm charts to `aocr.aerol.ai`. The separate hook secret stays inside the cluster and is never entered by end users.

The Helm `hooks.token` only secures registry-to-hooks callbacks after a push has already been accepted.

Copyable login flow

$ echo "$AEROL_TOKEN" | docker login aocr.aerol.ai -u "$AEROL_LOGIN" --password-stdin
$ docker build -t aocr.aerol.ai/aocr/my-app:main .
$ docker push aocr.aerol.ai/aocr/my-app:main

Important

The Helm value `hooks.token` is not a user login credential. It is only the internal shared secret the registry uses when it calls the hooks service after a successful push.
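
The same three-step flow wrapped for a shared CI runner, as an added example that is not part of the aocr project: it checks the credential pair up front and keeps the token in a throwaway Docker config that is removed when the job exits. The function names and script layout are hypothetical; `AEROL_LOGIN` and `AEROL_TOKEN` are assumed to come from the CI secret store.

```sh
#!/bin/sh
# Added example (not aocr project code). Function names are hypothetical.
# Assumes AEROL_LOGIN and AEROL_TOKEN are injected by the CI secret store.
set -eu

REGISTRY="aocr.aerol.ai"
NAMESPACE="aocr"   # path segment used in the page's own commands

# Refuse to start if either half of the credential pair is missing.
check_inputs() {
  [ -n "${AEROL_LOGIN:-}" ] || { echo "AEROL_LOGIN is empty" >&2; return 1; }
  [ -n "${AEROL_TOKEN:-}" ] || { echo "AEROL_TOKEN is empty" >&2; return 1; }
}

# Print registry/namespace/name:tag, rejecting characters outside a
# conservative subset of what OCI names and tags allow.
image_ref() {
  case "$1" in ''|*[!a-z0-9._-]*) echo "bad image name: $1" >&2; return 1 ;; esac
  case "$2" in ''|*[!A-Za-z0-9._-]*) echo "bad tag: $2" >&2; return 1 ;; esac
  printf '%s/%s/%s:%s\n' "$REGISTRY" "$NAMESPACE" "$1" "$2"
}

push_image() {
  check_inputs
  ref="$(image_ref "$1" "$2")"
  # Throwaway Docker config: the token is never written to the runner's
  # shared ~/.docker/config.json and is deleted when the job exits.
  DOCKER_CONFIG="$(mktemp -d)"
  export DOCKER_CONFIG
  trap 'docker logout "$REGISTRY" >/dev/null 2>&1 || true; rm -rf "$DOCKER_CONFIG"' EXIT
  # --password-stdin keeps the token out of argv and shell history.
  printf '%s' "$AEROL_TOKEN" | docker login "$REGISTRY" -u "$AEROL_LOGIN" --password-stdin
  docker build -t "$ref" .
  docker push "$ref"
}

# Usage: ./aocr-push.sh push my-app main
if [ "${1:-}" = "push" ]; then
  push_image "${2:-}" "${3:-}"
fi
```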


Why developers love it

Built for controlled delivery instead of throwaway tags.
Push a normal image and let the platform keep the current one.

Authenticated Access

Users log in with their app username or email plus a validated token, and internal signed hooks keep post-push metadata updates trusted.

Latest-only Cleanup

The reaper keeps the newest image for each repository and removes the older ones automatically.

Blazing Fast

A small service surface with registry notifications keeps image publishing and cleanup straightforward.

OCI Compatible

Works with Docker, Helm, and other OCI-native tooling. Standard tags in, standard pulls out.

S3-backed Storage

Manifests and blobs live in S3-compatible storage while PostgreSQL keeps the metadata model clean.

CI/CD Native

The repository now ships with GitHub Actions for build, GHCR publish, and SSH deployment to your server.

Ridiculously simple

Use your app.aerol.ai username, or email if no username exists, together with a validated token.
The internal hook secret never leaves the registry stack; end users only need their app login identity and token.

Authenticate with your app username or email, then push or pull a normal image tag
$ echo "$AEROL_TOKEN" | docker login aocr.aerol.ai -u "$AEROL_LOGIN" --password-stdin
$ docker build -t aocr.aerol.ai/aocr/my-app:main .
$ docker push aocr.aerol.ai/aocr/my-app:main
$ docker pull aocr.aerol.ai/aocr/my-app:main

Built for real workflows

From single servers to Kubernetes clusters,
aocr fits wherever you need a controlled OCI registry.

CI/CD Pipelines

Build once, publish a commit tag, and let your server or cluster pull the image you just shipped.

Direct deploy handoff

Release Validation

Push candidate tags during validation and keep the repository trimmed to the newest artifact automatically.

Current image stays current

Team-owned Registries

Tie repository access to your auth service and keep audit-friendly ownership in PostgreSQL metadata.

Owned access model

Local Development

Run the full stack with Docker Compose, including Postgres, Redis, MinIO, hooks, auth, and the registry itself.

Single-stack dev setup

Latest-only retention

Repositories keep the newest image and clean up the rest.
Cleanup is automatic and can be scoped to selected repository IDs.

1 image: latest kept, per repository.

cron: cleanup loop, configurable schedule.

UUID: scoped runs, optional repository IDs.

OCI: standard tags, no TTL suffixes.

Push a new image to the same repository and the reaper removes the older ones on its next pass.