docker · craig-osterhout · May 14, 2025 · Apr 27, 2025 · Apr 29, 2025 · Apr 29, 2025
@@ -132,3 +132,42 @@
 Organizations can use OATs. OATs let you assign fine-grained repository access
 permissions to tokens. For more details, see [Organization access
 tokens](/manuals/security/for-admins/access-tokens.md).
+
+## Gated distribution
+
+{{< summary-bar feature_name="Gated distribution" >}}
+
+Gated distribution allows publishers to securely share private container images with external customers or partners, without giving them full organization access or visibility into your teams, collaborators, or other repositories.
+
+This feature is ideal for commercial software publishers who want to control who can pull specific images while preserving a clean separation between internal users and external consumers.
+
+### Key features
+
+- **Private repository distribution**: Content is stored in private repositories and only accessible to explicitly invited users.
+
+- **External access without organization membership**: External users don't need to be added to your internal organization to pull images.
+
+- **Pull-only permissions**: External users receive pull-only access and cannot push or modify repository content.
+
+- **Invite-only access**: Access is granted through authenticated email invites, managed via API.
+
+### Invite distributor members via API
+
+> [!NOTE]
+> When you invite members, you assign them a role. See [Roles and permissions](/manuals/security/for-admins/roles-and-permissions.md) for details about the access permissions for each role.
+
+Distributor members (used for gated distribution) can only be invited using the Docker Hub API. UI-based invitations are not currently supported for this role. To invite distributor members, use the Bulk create invites API endpoint.
+
+To invite distributor members:
+
+1. Use the [Authentication API](https://docs.docker.com/reference/api/hub/latest/#tag/authentication-api/operation/AuthCreateAccessToken) to generate a bearer token for your Docker Hub account.
+
+2. Create a team in the Hub UI or use the [Teams API](https://docs.docker.com/reference/api/hub/latest/#tag/groups/paths/~1v2~1orgs~1%7Borg_name%7D~1groups/post).
+
+3. Grant repository access to the team:
+   - In the Hub UI: Navigate to your repository settings and add the team with "Read-only" permissions
+   - Using the [Repository Teams API](https://docs.docker.com/reference/api/hub/latest/#tag/repositories/paths/~1v2~1repositories~1%7Bnamespace%7D~1%7Brepository%7D~1groups/post): Assign the team to your repositories with "read-only" access level
+
+4. Use the [Bulk create invites endpoint](https://docs.docker.com/reference/api/hub/latest/#tag/invites/paths/~1v2~1invites~1bulk/post) to send email invites with the distributor member role. In the request body, set the "role" field to "distributor_member".
+
+5. The invited user will receive an email with a link to accept the invite. After signing in with their Docker ID, they'll be granted pull-only access to the specified private repository as a distributor member.
diff --git a/data/summary.yaml b/data/summary.yaml
@@ -166,6 +166,8 @@ Domain audit:
 Enforce sign-in:
   subscription: [Business]
   for: Administrators
+Gated distribution:
+  availability: Early Access
 General admin:
   for: Administrators
 GitHub Actions cache: