Principle:Ollama Ollama Registry Authentication
| Knowledge Sources | |
|---|---|
| Domains | Security, Networking |
| Last Updated | 2026-02-14 00:00 GMT |
Overview
An SSH key-based authentication mechanism that signs challenge tokens for registry access using Ed25519 keys stored in the user's Ollama configuration directory.
Description
Registry Authentication provides identity verification for push and pull operations against the Ollama model registry. It uses an Ed25519 private key stored locally to sign challenge tokens issued by the registry server.
The authentication follows a challenge-response pattern similar to Docker registry authentication: an initial unauthenticated request receives a 401 response with a WWW-Authenticate header containing the challenge parameters. The client then signs the challenge, obtains a bearer token from the authorization endpoint, and retries the original request with the bearer token.
Usage
Use this principle when implementing authentication for a content registry that needs client identity verification without transmitting passwords. The SSH key approach provides strong cryptographic authentication using locally stored keys.
Theoretical Basis
The challenge-response flow:
- Initial Request: Client makes request to registry without credentials.
- Challenge Receipt: Registry returns 401 with WWW-Authenticate header containing realm, service, and scope.
- Challenge Signing: Client constructs a nonce from method + path + timestamp and signs it with the Ed25519 private key.
- Token Exchange: Client sends signed challenge to the authorization realm endpoint.
- Bearer Token: Authorization endpoint returns a bearer token.
- Authenticated Request: Client retries the original request with the bearer token.
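
The challenge-signing step, with the check a token endpoint would make on receipt, as an added Go example (not Ollama's own code). The comma-joined `METHOD,PATH,TIMESTAMP` layout, the function names, the all-zero demo seed, the sample path and the 60-second freshness window are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DemoKey returns a constructed key pair from an all-zero seed (demo only).
func DemoKey() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

// SignChallenge builds the signed string from method, path and timestamp
// (assumed layout "METHOD,PATH,TIMESTAMP") and returns it with a base64 signature.
func SignChallenge(priv ed25519.PrivateKey, method, path string, ts int64) (data, sig string) {
	data = fmt.Sprintf("%s,%s,%d", method, path, ts)
	return data, base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(data)))
}

// VerifyChallenge is the receiving side: the signature must verify, the signed
// string must bind to this exact request, and the timestamp must be fresh.
func VerifyChallenge(pub ed25519.PublicKey, method, path, data, sig string, now, maxAge int64) error {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || !ed25519.Verify(pub, []byte(data), raw) {
		return errors.New("signature does not verify")
	}
	prefix := method + "," + path + ","
	if !strings.HasPrefix(data, prefix) {
		return errors.New("signed for a different request")
	}
	ts, err := strconv.ParseInt(data[len(prefix):], 10, 64)
	if err != nil || now-ts > maxAge || ts-now > maxAge {
		return errors.New("timestamp outside accepted window")
	}
	return nil
}

func main() {
	priv, pub := DemoKey()
	path := "/token?service=registry.example&scope=repository:library/demo:pull" // constructed
	data, sig := SignChallenge(priv, "GET", path, 1700000000)
	fmt.Println(data, VerifyChallenge(pub, "GET", path, data, sig, 1700000030, 60))
}
```

Because the timestamp is inside the signed string, a captured signature stops being accepted once the window passes, and one signed for a `GET` cannot be reused for another method or path.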