Implementation:Ollama Ollama Auth Sign
| Knowledge Sources | |
|---|---|
| Domains | Security, Networking |
| Last Updated | 2026-02-14 00:00 GMT |
Overview
Concrete tool for signing registry authentication challenges with Ed25519 keys provided by the auth package.
Description
auth.Sign reads the Ed25519 private key from ~/.ollama/id_ed25519, signs the provided challenge bytes, and returns the signature as a base64-encoded string for use in the Authorization header.
getAuthorizationToken handles the complete challenge-response flow: parses the WWW-Authenticate header, signs the challenge, exchanges it for a bearer token at the authorization realm, and returns the bearer token for subsequent requests.
Usage
Called internally by PullModel and PushModel when the registry returns a 401 authentication challenge.
Code Reference
Source Location
- Repository: ollama
- File: auth/auth.go (Sign), server/auth.go (getAuthorizationToken)
- Lines: auth.go:L53-85 (Sign), auth.go:L53-100 (getAuthorizationToken)
Signature
func Sign(ctx context.Context, bts []byte) (string, error)
func getAuthorizationToken(ctx context.Context, challenge registryChallenge, originalHost string) (string, error)
Import
import "github.com/ollama/ollama/auth"
I/O Contract
Inputs (Sign)
| Name | Type | Required | Description |
|---|---|---|---|
| ctx | context.Context | Yes | Request context |
| bts | []byte | Yes | Challenge bytes to sign (method + path + timestamp) |
Outputs (Sign)
| Name | Type | Description |
|---|---|---|
| string | string | Base64-encoded Ed25519 signature |
| error | error | Non-nil if key file missing or signing fails |
Usage Examples
Internal Usage
import "github.com/ollama/ollama/auth"
challenge := []byte("GET /v2/library/llama3/manifests/latest 2024-01-01T00:00:00Z")
signature, err := auth.Sign(ctx, challenge)
if err != nil {
// handle missing key or signing error
}
// Use signature in Authorization header