Overview
Guides
Tutorials
Reference
Maturity
Migration
Community

Private Registries

Railway supports deploying Docker images from private container registries. This allows you to use proprietary images, internal tools, or images stored in your organization's private registry.

Supported Registries

Any registry that supports standard Docker authentication works with Railway. Here are a few:

RegistryDomain
Docker Hubdocker.io (default)
GitHub Container Registryghcr.io
GitLab Container Registryregistry.gitlab.com
Quay.ioquay.io
AWS ECR Publicpublic.ecr.aws
Google Artifact Registryus-west1-docker.pkg.dev
Microsoft Container Registrymcr.microsoft.com

Requirements

Private registry credentials are available on the Pro plan. If you're on a Free, Trial, or Hobby plan, you'll need to upgrade to use private registries.

Configure Registry Credentials

To deploy from a private registry:

  1. Navigate to your service's Settings page
  2. Under the Source section, locate Registry Credentials
  3. Enter your credentials and save

GitHub Container Registry (GHCR)

For images hosted on ghcr.io, Railway provides a simplified authentication flow:

  1. Create a GitHub Personal Access Token with the read:packages scope
  2. Enter your token in the GitHub Access Token field

Railway automatically handles the username configuration for GHCR.

Other Registries

For all other registries, provide:

FieldDescription
UsernameYour registry username or service account name/id
PasswordYour registry password, access token, or API key

The exact credentials depend on your registry provider:

  • Docker Hub - Docker ID and personal access token
  • GitLab - Username and personal access token with read_registry scope (add write_registry for push access)
  • Quay.io - Robot account username in format namespace+robotname and the generated robot token
  • AWS ECR - Use AWS as username and an authentication token as password, generated via aws ecr get-login-password (tokens expire after 12 hours)
  • Google Artifact Registry - Use _json_key as username and your service account JSON key contents as password

Security

Registry credentials are encrypted at rest using envelope encryption. Credentials are only decrypted at deployment time when pulling your image.

Image Format

When specifying a private image, use the full image path including the registry domain:

ghcr.io/your-org/your-image:tag
registry.gitlab.com/your-group/your-project:tag
your-dockerhub-username/private-repo:tag

For Docker Hub private images, you can omit the domain:

your-username/private-image:latest
Prev
Dockerfiles
Next
Deployments
Edit this file on GitHub