What Access Failed
Docker registry authentication failed because no valid credentials were sent, so you need to log in or fix the token used for that registry.
This is usually a target-and-identity problem, not a syntax problem. The request made it to the server, but the server did not like the credentials, permissions, or repository path attached to it.
Fix credentials and target access
Login to the exact registry host shown in the image reference:docker login <registry>
If this happens in CI, print the registry host and confirm the secret variables are present before the login step.
If you use a cloud registry, fetch a fresh short-lived token and retry the login.
If credentials are stored locally, run docker logout <registry> and then log in again so Docker refreshes the stored credential.
Manual authentication checks
Print the exact registry host from the image reference.
Check ~/.docker/config.json and confirm the host is covered by either auths or your configured credential helper.
If CI is involved, confirm the login step actually ran before the failing pull or push.
Why It Happens
Usually this comes down to you are not logged in to the target registry host, CI did not inject the expected token or password into docker login, or the credential helper is not returning credentials for the registry you are talking to.
Prove the Failing Environment Can Reach It
Retry the pull or push and confirm the registry no longer returns authentication required, and run a simple authenticated operation against the same registry and repository path.
How registry authentication works
Docker sends registry credentials based on the registry host in the image reference. If no valid credentials are available for that host, the registry rejects the request before Docker can read manifests or layers.
Examples
unauthorized: authentication requiredKeep Credentials and Targets Aligned
To prevent this, keep registry hostnames explicit in scripts instead of relying on ambiguous defaults, use automation tokens for CI and rotate them regularly, and document which credential helper or secret source each environment uses.