dockerconfigjson Generator & Decoder
A Kubernetes image-pull secret (type: kubernetes.io/dockerconfigjson) holds a Base64-encoded Docker config.json. Inside it, each registry's auth field is itself Base64 of username:password — so it's Base64 twice over. Generate the full secret from a registry + credentials below, or paste one to decode it. All local; nothing is uploaded.
.dockerconfigjson as a real credential.
How to create a Kubernetes image-pull secret
Enter your registry, username, and password or token in the generator above. As you type, the tool builds a Docker config.json, Base64-encodes it into the .dockerconfigjson value, and hands you a ready-to-apply Secret YAML plus the equivalent kubectl command. Apply it with kubectl apply -f secret.yaml, or run the kubectl create secret docker-registry one-liner directly. Everything is computed locally in your browser.
What is .dockerconfigjson?
It is the Base64-encoded contents of a Docker config.json, stored under the data: field of a Secret whose type is kubernetes.io/dockerconfigjson. The config.json itself looks like this:
{
"auths": {
"https://index.docker.io/v1/": {
"username": "myuser",
"password": "mypass",
"auth": "bXl1c2VyOm15cGFzcw=="
}
}
}
There are two layers of Base64. The inner auth field is base64("username:password") — exactly the HTTP Basic Auth format — so myuser:mypass becomes bXl1c2VyOm15cGFzcw==. The outer layer Base64-encodes the entire config.json to produce the .dockerconfigjson value that Kubernetes actually stores. That is why credentials in an image-pull secret are Base64-encoded twice over.
Using it with imagePullSecrets
Once the Secret (say, regcred) exists, reference it so the kubelet can pull private images. Per Pod:
spec:
imagePullSecrets:
- name: regcred
Or attach it to a ServiceAccount so every Pod using that account inherits it automatically:
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
Is base64 in the secret encryption?
No. Both layers are just Base64 — a reversible encoding with no key. Anyone who can read the Secret can decode the .dockerconfigjson value, read the config.json, and decode the auth field back to your registry username and password in seconds. For a fuller explanation, see Is Base64 encryption?. To actually protect an image-pull secret, use encryption at rest (KMS), Sealed Secrets, SOPS, or an external store like Vault.
Is this private?
Yes. Both generating and decoding run entirely in your browser with JavaScript — the registry, credentials, and any secret you paste are processed locally and nothing is uploaded to any server. This matters here because these are real registry credentials: you can confirm in DevTools → Network that neither generating nor decoding fires a request. Close the tab and the data is gone.
Worked example
For Docker Hub with username myuser and password mypass, the inner auth field is base64("myuser:mypass") = bXl1c2VyOm15cGFzcw==. That goes into the config.json shown above, and the whole document is Base64-encoded once more to become the .dockerconfigjson value in the Secret. Decoding reverses both layers: Base64-decode the value to get the config.json, then Base64-decode the auth field and split on the first colon to recover myuser and mypass.
Frequently asked questions
How do I generate a .dockerconfigjson secret?
Enter your registry URL, username, and password in the generator above. It builds a Docker config.json with an auths entry, Base64-encodes the whole thing into the .dockerconfigjson value, and outputs a ready-to-apply Secret YAML plus the equivalent kubectl create secret docker-registry command — all locally.
Why is the auth field Base64 inside Base64?
Two layers. The inner auth field is base64("username:password") (the same format as HTTP Basic Auth). That sits inside the config.json, and the entire config.json is then Base64-encoded again to produce the .dockerconfigjson value stored in the Secret. So credentials are Base64-encoded twice over.
How do I decode a dockerconfigjson secret?
Switch to Decode mode above and paste either the raw Base64 .dockerconfigjson value or a full Secret YAML. The tool Base64-decodes it to the config.json, then for each registry decodes the inner auth field to recover the username and password.
What registry URL do I use for Docker Hub?
Use https://index.docker.io/v1/ as the registry key for Docker Hub. Other registries use their host — for example ghcr.io for GitHub Container Registry, or REGION-docker.pkg.dev for Google Artifact Registry.
Is the password in a dockerconfigjson secret encrypted?
No — it is only Base64-encoded, which is reversible with no key. Anyone who can read the Secret can recover your registry password in seconds. Treat a .dockerconfigjson secret as a real credential and protect it with encryption at rest, Sealed Secrets, SOPS, or Vault.
Need plain Base64 encode/decode?
The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.
Open base64.dev →