Aller au contenu principal
GROTTE
Start free
DocsComparePricing
GROTTEDocs

Troubleshooting · Templates

Build authentication error

If grotte template build fails with a Docker login or push authentication error, this page is for you.

What you're seeing

A v1 build fails partway through with one of:

Error response from daemon: Get "https://docker.<your-domain>/v2/":
unauthorized: authentication required

denied: requested access to the resource is denied

The build gets through docker build but blows up at docker push. The CLI usually falls back to a local proxy attempt before surfacing this error.

What's going on

grotte template build runs docker login docker.<your-domain> -u _grt_access_token --password-stdin against your GROTTE access token before pushing. Some Docker daemon configurations (corp Docker Desktop with credential helpers, rootless docker, fresh installs without ~/.docker/config.json) refuse to persist that login or refuse to use it for the subsequent push.

When the direct push fails, the CLI tries a local-proxy fallback — buildWithProxy opens a server on port 49984 that re-tags the image to localhost:49984/... and proxies the registry calls with an explicit Authorization header on every request. That avoids the docker daemon's credential store entirely.

The workaround

  1. Check ~/.docker/config.json. If the file is missing or empty, create it with {} so docker login has somewhere to write. If credsStore or credHelpers is set to a value docker can't invoke (osxkeychain on a headless mac, secretservice without the service installed), remove those entries.

  2. Ensure port 49984 is free on your machine. The CLI's proxy fallback binds to it. Lsof or netstat will show what's holding it:

    bash
    lsof -i :49984
# or
ss -tlnp | grep :49984

  3. Re-run grotte template build. When the first docker push fails, the CLI prompts:

    Have you completed the steps from the workaround guide?

    Confirm Y — the proxy fallback then takes over and pushes via localhost:49984 with the explicit auth header.

  4. (Optional) suppress the prompt next time by setting the dockerProxySet flag in your user config at ~/.grotte/config.json:

    json
    {
  "dockerProxySet": true
}

    The CLI writes this automatically on first successful proxy push, so you only see the prompt once per machine.

Still stuck?

  • If lsof -i :49984 shows the proxy is running but the push still fails, the issue is upstream of the CLI — check that docker.<your-domain> is actually reachable and serving a v2 registry API at /v2/.
  • If you're on the managed GROTTE deployment, you shouldn't be running this flow at all. Switch to grotte template create or build via the dashboard.
  • File a bug at github.com/parallactic-ai/grotte-sdk with the full error output, your platform, and your docker version (docker version).