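How do I download a Docker image through the HTTP API using Docker Hub credentials? Help needed with fetching private-repository blobs and with authentication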
Alright, let's break this down step by step—you're right that Docker Hub's surface-level docs don't spell out the full blob download flow clearly, and the Registry API auth got you stuck because you need to use Docker Hub's specific token endpoint first. Here's how to make this work:
1. Get a Valid Bearer Token for Pull Access
Docker Hub doesn't let you use your username/password directly with the standard Registry API—you first need to fetch a short-lived bearer token with the correct permissions. Run this command (replace placeholders with your details):
```bash
# Replace <username>, <password>, and <your-repo> (e.g., myuser/my-private-image)
curl -u "<username>:<password>" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:<your-repo>:pull"
```
This will return a JSON object. Extract the access_token value—this is your auth token for subsequent API calls.
2. Fetch the Image Manifest (to Get Blob Digests)
The manifest contains all the blob digests (the unique identifiers for each layer/artifact in your image). Use your token to call the Registry API's manifest endpoint, and specify the correct manifest format with the Accept header:
```bash
# Replace <token>, <your-repo>, and <tag> (e.g., latest)
curl -H "Authorization: Bearer <token>" \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  "https://registry-1.docker.io/v2/<your-repo>/manifests/<tag>"
```
Look for the layers array in the response—each entry has a digest field (e.g., sha256:abc123...). These are the blobs you need to download.
3. Download Individual Blobs
With a blob's digest, use the Registry API's blob endpoint to download it. Replace the placeholders and run:
```bash
# Replace <token>, <your-repo>, <digest>, and <output-file> (e.g., layer1.tar.gz)
# -L follows the redirect the registry may return for blob downloads
curl -L -H "Authorization: Bearer <token>" \
  -o "<output-file>" \
  "https://registry-1.docker.io/v2/<your-repo>/blobs/<digest>"
```
Key Notes to Avoid Auth Failures:
- Use the correct Registry endpoint: Docker Hub's Registry API lives at registry-1.docker.io, not hub.docker.com (that's the web UI/management API endpoint).
- Scope matters: Make sure your token request includes the repository:<your-repo>:pull scope—without this, the token won't have permission to access your private repo's data.
- Manifest version: Always request the v2 manifest (application/vnd.docker.distribution.manifest.v2+json)—the older v1 format won't give you the correct blob digests.
If you want to automate this, you can chain these steps with tools like jq to parse the JSON responses automatically. For example:
```bash
# Auto-fetch token, manifest, and download all blobs (bash)
USERNAME="your-username"
PASSWORD="your-password"
REPO="your-username/your-private-repo"
TAG="latest"

# Get token
TOKEN=$(curl -s -u "$USERNAME:$PASSWORD" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO:pull" | jq -r '.access_token')

# Get manifest and extract blob digests
DIGESTS=$(curl -s -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" "https://registry-1.docker.io/v2/$REPO/manifests/$TAG" | jq -r '.layers[].digest')

# Download each blob (-L follows the redirect the registry may return for blobs)
for DIGEST in $DIGESTS; do
  curl -L -H "Authorization: Bearer $TOKEN" -o "blob-${DIGEST:7:10}.tar.gz" "https://registry-1.docker.io/v2/$REPO/blobs/$DIGEST"
done
```
The question comes from Stack Exchange; asked by user970251
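
Added example, not part of the original answer: each digest in the manifest is the SHA-256 of the blob's bytes, so a downloaded file can be checked against the digest it was requested by, which also catches an error page or redirect body saved in place of a layer. The helper names `sha256_of` and `verify_blob` are hypothetical, and the demo files are constructed so the block runs offline.

```shell
# Added example: check a downloaded blob against the digest it was requested by.
# sha256_of and verify_blob are hypothetical helper names, not Docker tooling.

# Print the lowercase hex SHA-256 of a file (sha256sum, or shasum as a fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_blob <digest> <file>
# Returns 0 on match, 1 on mismatch, 2 on a malformed digest or missing file.
verify_blob() {
  vb_digest=$1
  vb_file=$2
  case $vb_digest in
    sha256:*) vb_expected=${vb_digest#sha256:} ;;
    *) echo "unsupported digest algorithm: $vb_digest" >&2; return 2 ;;
  esac
  # The hex part must be exactly 64 lowercase hex characters.
  case $vb_expected in
    *[!0-9a-f]*) echo "malformed digest: $vb_digest" >&2; return 2 ;;
  esac
  [ "${#vb_expected}" -eq 64 ] || { echo "malformed digest: $vb_digest" >&2; return 2; }
  [ -f "$vb_file" ] || { echo "missing file: $vb_file" >&2; return 2; }
  vb_actual=$(sha256_of "$vb_file")
  [ "$vb_actual" = "$vb_expected" ] && return 0
  echo "digest mismatch for $vb_file: expected $vb_expected, got $vb_actual" >&2
  return 1
}

# Constructed offline demo: an empty file has a well-known SHA-256; a saved
# HTML body (stand-in for a response that is not the layer) must be rejected.
demo_dir=$(mktemp -d)
: > "$demo_dir/empty"
printf '<html>not a layer</html>' > "$demo_dir/not-a-layer"
EMPTY_DIGEST="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
verify_blob "$EMPTY_DIGEST" "$demo_dir/empty" && echo "empty: verified"
verify_blob "$EMPTY_DIGEST" "$demo_dir/not-a-layer" 2>/dev/null || echo "not-a-layer: rejected"
rm -rf "$demo_dir"
```

In the download loop, call `verify_blob "$DIGEST" "<output-file>"` after each `curl` and discard the file when it returns non-zero.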




