Registry credentials
Some Apps run from a private container image, and the panel needs a login to pull that image on your behalf. Registry credentials are exactly that: the username and token GalaxyGate uses to authenticate to a private container registry so it can fetch the image and deploy your App. If an image is public, you do not need any of this; credentials are only for private ones.
Open the page from Security in the sidebar, then Registries. It lives at the /apps/credentials route.
Add a credential
Select New credential and fill in the login for your registry. The typical fields are:
- Registry host or URL. Where the images live, for example
ghcr.iofor GitHub Container Registry or the host of your private registry. - Username. The account the panel authenticates as.
- Access token or password. The secret that account uses. A scoped access token with read access to the images is safer than a full password.

The New credential button is circled above.
Before you add anything
When you have no credentials saved, the page shows an empty state that reads No registry credentials configured. That is expected on a new workspace. Add your first credential and it appears in the list.
Use a scoped, read-only token
Give the panel a token that can only read the images it needs to pull. It never needs to push, and a read-only token limits the damage if the credential is ever exposed.
Where these get used
Saved credentials are used when you deploy an App that pulls a private image. If the image is private and no matching credential exists, the pull fails and the deployment does not start, so add the credential first. The install walkthrough shows where this fits in a full deployment.
Related
- Install an app on a server to see credentials used in a deployment.
- Security overview