If you’ve been running a Docker build pipeline on the free tier of Docker Hub lately, you’ve probably noticed something peculiar. It all still works — but the rate limits are real, the API keys are getting questioned, and Docker’s business model is shifting in ways that could leave your CI/CD pipeline in limbo.
Let’s talk about what’s coming, why it matters, and what you can do about it.
The Free Tier Is Shrinking
Docker Hub’s free tier has always been generous in theory and painful in practice. The rate limiting caught a lot of people by surprise — 100 pulls per 6 hours for anonymous requests, and much lower for free authenticated accounts. Suddenly your GitHub Actions, GitLab CI and Jenkins builds were getting throttled to a crawl.
The new Personal Access Token system replaced the old username/password authentication model, but the free tier limits didn’t budge. They got tighter.
API Keys Are Getting Deprecated
Here’s the thing that caught a lot of teams off guard: Docker is actively deprecating the old API key model. The legacy “access tokens” that most tutorials, Stack Overflow answers and CI documentation have been pointing at for years? They still work for now, but there’s an explicit sunset path.
The new system uses Personal Access Tokens — longer-lived JWTs with granular permissions. Much better from a security standpoint. But the migration isn’t exactly smooth for teams managing hundreds of services.
The Real Issue: Exposure
Here’s where it gets interesting. Docker Hub API keys have been a security headache for years. They’ve been found in:
- Public GitHub repositories
- Stack Overflow posts (yes, really)
- CI configuration files committed to version control
- Build logs uploaded to public S3 buckets
Every single “fix” someone posted on public forums became a credential harvesting opportunity. Automated scrapers scan repos for Docker tokens and sell them on dark web marketplaces. I’ve seen it happen. It’s not theoretical.
This is exactly why Docker’s pushing PATs — they’re scoped, revocable, and audit-friendly. But the migration path has been unclear.
The Gitea Alternative
Meanwhile, self-hosted registries like Gitea’s Packages (or a plain Docker registry behind your firewall) are becoming the pragmatic choice for teams that don’t want their CI pipeline at the mercy of Docker’s rate-limiting policies.
Gitea’s registry integration is particularly tight — it ships with the Git hosting, uses the same credential system, and runs on a Raspberry Pi if that’s your thing. For a small team running internal containers, it eliminates the Docker Hub dependency chain entirely.
No rate limits. No API key exposure. No surprise billing changes.
What You Should Do
- Audit your repos. Search for Docker credentials in your version control history. Any tokens committed before Docker’s PAT migration are probably floating around in your repo’s git history. Use `git log --all --grep="docker"` or similar to find them. Note that `--grep` matches commit messages only, so also search the diffs themselves.
- Migrate to PATs. If you’re using the old API key model, set up Personal Access Tokens. They’re per-user and scoped to specific repositories — you don’t need admin-level access for a build pipeline that only pulls images.
- Rate limit locally. If you’re on the free tier, set up a local registry mirror (like Harbor or even a simple `docker-proxy`) and route your pulls through that. It’s a cache. Your builds become faster and your Docker Hub usage drops.
- Consider self-hosting. A plain Docker registry behind NGINX with basic auth costs virtually nothing to run and gives you full control. For most teams building and deploying their own images, it’s the sensible choice. Docker Hub is great for publishing images to the world. It’s less ideal as your private registry.
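The audit step above, sketched as an added example (not code from the original post): it scans the patches in `git log --all -p` output for Docker credentials on added lines, so a token deleted from the current tree is still reported from the commit that introduced it. The `dckr_pat_` prefix, the `config.json` `auth` field pattern, and the function names are assumptions of this example.

```python
import re
import subprocess

# Assumptions: Docker Hub PATs carry the "dckr_pat_" prefix; "auth" is the
# base64 user:secret field that `docker login` stores in config.json.
PATTERNS = {
    "docker_pat": re.compile(r"dckr_pat_[A-Za-z0-9_-]{20,}"),
    "config_auth": re.compile(r'"auth"\s*:\s*"([A-Za-z0-9+/=]{16,})"'),
}

def git_history(repo="."):
    """Every patch on every ref, each commit introduced by 'commit <sha>'."""
    cmd = ["git", "-C", repo, "log", "--all", "-p", "--no-color",
           "--format=commit %H"]
    return subprocess.run(cmd, check=True, capture_output=True,
                          text=True, errors="replace").stdout

def scan_history(log_text):
    """Return (commit, path, kind, redacted) for secrets on added lines."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+"):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    secret = m.group(m.lastindex or 0)
                    findings.append((commit, path, kind, secret[:12] + "..."))
    return findings

# Constructed sample (newest commit first, as git prints it): the token was
# removed from the file in 2222..., yet the commit that added it still has it.
SAMPLE = """\
commit 2222222222222222222222222222222222222222
--- a/ci/build.yml
+++ b/ci/build.yml
-  password: dckr_pat_EXAMPLEexampleEXAMPLEexample00
+  password: ${DOCKER_TOKEN}
commit 1111111111111111111111111111111111111111
--- /dev/null
+++ b/ci/build.yml
+  password: dckr_pat_EXAMPLEexampleEXAMPLEexample00
"""

if __name__ == "__main__":
    for hit in scan_history(SAMPLE):  # use git_history(".") on a real repo
        print(*hit)
```

Any hit means the token should be revoked and reissued; removing it in a later commit does not take it out of history.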
The Opinionated Bit
I think teams that rely on Docker Hub as their primary private registry are walking into trouble. It’s designed as a public hub with private repositories bolted on. That’s not the same thing as a proper private registry.
Rate limiting, API key churn, and policy changes are all signals that you need to diversify your container strategy. Whether that means Gitea, GitHub Container Registry, your own Docker registry or a mix — it’s a risk management decision.
Your CI pipeline shouldn’t be at the mercy of someone else’s rate-limiting policy. Start planning the migration now while it’s still smooth.