What does docker:unauthorized_incorrect_password mean?

Docker login failed because the registry rejected the username or password, so the stored credentials or access token are wrong.

unauthorized: incorrect username or password

Q: How do I prevent docker:unauthorized_incorrect_password in CI?

Prefer scoped tokens over long-lived passwords for automation. Rotate registry tokens on a schedule and update all consuming jobs together. Avoid sharing one mutable credential across unrelated environments.

Fix it fast

Most likely: Docker is sending a credential for the registry, but the registry rejects that username/password or token as wrong, expired, or stale.

1. Confirm this is your error

unauthorized: incorrect username or password

2. Check the cause

docker logout <registry>
docker login <registry>
docker manifest inspect <registry>/<namespace>/<repository>:<tag>

3. Apply the safe fix

# Clear the stale credential, then log in with a fresh token for the correct account.
docker logout <registry>
docker login <registry>
docker pull <registry>/<namespace>/<repository>:<tag>

4. Verify it works

docker login <registry>
docker pull <registry>/<namespace>/<repository>:<tag>

Don't use unsafe shortcuts

Do not keep retrying the same cached credential, clear it first.
Do not pass passwords directly in command arguments or CI logs.
Do not assume a token for one registry, organization, or account can authenticate another.

What Access Failed

This is usually a target-and-identity problem, not a syntax problem. The request made it to the server, but the server did not like the credentials, permissions, or repository path attached to it.

Fix credentials and target access

Clear the bad credential first:docker logout <registry>

If you use a credential helper or OS keychain, remove the stale entry there as well before retrying.

If this fails in CI only, rotate the secret and verify the job is using the updated value.

Manual authentication checks

Check whether Docker is pulling credentials from a keychain helper instead of plain auths in ~/.docker/config.json.

Verify the registry username matches the account that owns or can access the repository.

If the secret was rotated recently, confirm the old value is not still cached in CI.

Why It Happens

Usually this comes down to the username, password, or access token is wrong, a credential helper returned stale credentials after the token was rotated, or CI is using the wrong secret or the wrong account for the target registry.

Prove the Failing Environment Can Reach It

Retry the same pull or push and confirm the incorrect-password error is gone, and perform a fresh docker login <registry> and confirm it succeeds without reusing cached credentials.

How registry authentication works

Docker attaches stored credentials for the target registry host when it authenticates. If those credentials are stale or wrong, the registry rejects the login or repository request immediately.

Keep Credentials and Targets Aligned

To prevent this, prefer scoped tokens over long-lived passwords for automation, rotate registry tokens on a schedule and update all consuming jobs together, and avoid sharing one mutable credential across unrelated environments.