diff --git a/content/manuals/scout/explore/metrics-exporter.md b/content/manuals/scout/explore/metrics-exporter.md
index 5426d265a8b..526da7f71a0 100644
--- a/content/manuals/scout/explore/metrics-exporter.md
+++ b/content/manuals/scout/explore/metrics-exporter.md
@@ -36,13 +36,18 @@ The metrics endpoint exposes the following metrics:
## Creating an access token
-To export metrics from your organization, first make sure your organization is enrolled in Docker Scout.
-Then, create a Personal Access Token (PAT) - a secret token that allows the exporter to authenticate with the Docker Scout API.
+To export metrics from your organization, first make sure your organization is
+enrolled in Docker Scout. Then, create either an organization access token or a
+personal access token. These tokens are used to authenticate to Docker Scout.
-The PAT does not require any specific permissions, but it must be created by a user who is an owner of the Docker organization.
-To create a PAT, follow the steps in [Create an access token](/security/for-developers/access-tokens/#create-an-access-token).
+The access token does not require any specific permissions, but if you choose
+to use a personal access token, it must be created by a user who is an owner of
+the Docker organization.
-Once you have created the PAT, store it in a secure location.
+For instructions on how to create an access token, follow the steps in [Create
+an access token](/security/for-developers/access-tokens/#create-an-access-token).
+
+Once you have created the access token, store it in a secure location.
You will need to provide this token to the exporter when scraping metrics.
## Prometheus
@@ -70,11 +75,11 @@ Make sure that there's no firewall rule in place preventing the server from comm
### Add bearer token authentication
-To scrape metrics from the Docker Scout Exporter endpoint using Prometheus, you need to configure Prometheus to use the PAT as a bearer token.
-The exporter requires the PAT to be passed in the `Authorization` header of the request.
+To scrape metrics from the Docker Scout Exporter endpoint using Prometheus, you need to configure Prometheus to use the Docker access token as a bearer token.
+The exporter requires the access token to be passed in the `Authorization` header of the request.
Update the Prometheus configuration file to include the `authorization` configuration block.
-This block defines the PAT as a bearer token stored in a file:
+This block defines the access token as a bearer token stored in a file:
```yaml
scrape_configs:
@@ -84,10 +89,10 @@ scrape_configs:
credentials_file: /etc/prometheus/token
```
-The content of the file should be the PAT in plain text:
+The content of the file should be the access token in plain text:
```console
-dckr_pat_...
+dckr_oat_...
```
If you are running Prometheus in a Docker container or Kubernetes pod, mount the file into the container using a volume or secret.
@@ -112,7 +117,7 @@ alongside Grafana with a pre-configured dashboard to visualize the vulnerability
and store it in a plain text file at `/prometheus/prometheus/token` under the template directory.
```plaintext {title=token}
- $ echo $DOCKER_PAT > ./prometheus/token
+ $ echo $DOCKER_TOKEN > ./prometheus/token
```
3. In the Prometheus configuration file at `/prometheus/prometheus/prometheus.yml`,
@@ -245,7 +250,7 @@ and a Datadog site.
and store it in a plain text file at `/datadog/token` under the template directory.
```plaintext {title=token}
- $ echo $DOCKER_PAT > ./token
+ $ echo $DOCKER_TOKEN > ./token
```
3. In the `/datadog/compose.yaml` file, update the `DD_API_KEY` and `DD_SITE` environment variables
@@ -346,8 +351,8 @@ To change the scrape interval:
## Revoke an access token
-If you suspect that your PAT has been compromised or is no longer needed, you can revoke it at any time.
-To revoke a PAT, follow the steps in the [Create and manage access tokens](/security/for-developers/access-tokens/#modify-existing-tokens).
+If you suspect that your access token has been compromised or is no longer needed, you can revoke it at any time.
+To revoke an access token, follow the steps in the [Create and manage access tokens](/security/for-developers/access-tokens/#modify-existing-tokens).
-Revoking a PAT immediately invalidates the token, and prevents Prometheus from scraping metrics using that token.
-You will need to create a new PAT and update the Prometheus configuration to use the new token.
+Revoking an access token immediately invalidates the token, and prevents Prometheus from scraping metrics using that token.
+You will need to create a new access token and update the Prometheus configuration to use the new token.
diff --git a/content/manuals/scout/how-tos/configure-cli.md b/content/manuals/scout/how-tos/configure-cli.md
index d65cc660840..49b57c311cf 100644
--- a/content/manuals/scout/how-tos/configure-cli.md
+++ b/content/manuals/scout/how-tos/configure-cli.md
@@ -18,9 +18,9 @@ CLI commands, and the corresponding `docker/scout-cli` container image:
| DOCKER_SCOUT_OFFLINE | Boolean | Use [offline mode](#offline-mode) when indexing SBOM |
| DOCKER_SCOUT_REGISTRY_TOKEN | String | Token for authenticating to a registry when pulling images |
| DOCKER_SCOUT_REGISTRY_USER | String | Username for authenticating to a registry when pulling images |
-| DOCKER_SCOUT_REGISTRY_PASSWORD | String | Password or personal access token for authenticating to a registry when pulling images |
+| DOCKER_SCOUT_REGISTRY_PASSWORD | String | Password or access token for authenticating to a registry when pulling images |
| DOCKER_SCOUT_HUB_USER | String | Docker Hub username for authenticating to the Docker Scout backend |
-| DOCKER_SCOUT_HUB_PASSWORD | String | Docker Hub password or personal access token for authenticating to the Docker Scout backend |
+| DOCKER_SCOUT_HUB_PASSWORD | String | Docker Hub password or access token for authenticating to the Docker Scout backend |
| DOCKER_SCOUT_NEW_VERSION_WARN | Boolean | Warn about new versions of the Docker Scout CLI |
| DOCKER_SCOUT_EXPERIMENTAL_WARN | Boolean | Warn about experimental features |
| DOCKER_SCOUT_EXPERIMENTAL_POLICY_OUTPUT | Boolean | Disable experimental output for policy evaluation |
diff --git a/content/manuals/scout/install.md b/content/manuals/scout/install.md
index eeb546ad4e5..5b33517a286 100644
--- a/content/manuals/scout/install.md
+++ b/content/manuals/scout/install.md
@@ -115,8 +115,8 @@ Use the `docker/scout-cli` to run `docker scout` commands without installing the
```console
$ docker run -it \
- -e DOCKER_SCOUT_HUB_USER=<your Docker Hub user name> \
- -e DOCKER_SCOUT_HUB_PASSWORD=<your Docker Hub PAT> \
+ -e DOCKER_SCOUT_HUB_USER=<your-docker-username> \
+ -e DOCKER_SCOUT_HUB_PASSWORD=<your-docker-token> \
docker/scout-cli <command>
```
diff --git a/content/manuals/scout/integrations/environment/cli.md b/content/manuals/scout/integrations/environment/cli.md
index 8ebb44ae347..fe9176d09ce 100644
--- a/content/manuals/scout/integrations/environment/cli.md
+++ b/content/manuals/scout/integrations/environment/cli.md
@@ -20,7 +20,7 @@ refer to the [CLI reference](/reference/cli/docker/scout/environment.md).
Before you start, set the following environment variables in your CI system:
- `DOCKER_SCOUT_HUB_USER`: your Docker Hub username
-- `DOCKER_SCOUT_HUB_PASSWORD`: your Docker Hub personal access token
+- `DOCKER_SCOUT_HUB_PASSWORD`: your Docker Hub access token
Make sure the variables are accessible to your project.
diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md
index cc0d1774e5f..cf72876d69c 100644
--- a/content/manuals/scout/integrations/registry/artifactory.md
+++ b/content/manuals/scout/integrations/registry/artifactory.md
@@ -90,13 +90,19 @@ The configuration file includes the following properties:
| --------------------------- | ------------------------------------------------------------------------------- |
| `agent_id` | Unique identifier for the agent. |
| `docker.organization_name` | Name of the Docker organization. |
-| `docker.username` | Username of the admin user in the Docker organization. |
-| `docker.pat` | Personal access token of the admin user with read and write permissions. |
+| `docker.username` | Docker organization, or the username of a Docker organization owner. |
+| `docker.pat` | Docker access token. [^1] |
| `artifactory.base_url` | Base URL of the Artifactory instance. |
| `artifactory.username` | Username of the Artifactory user with read permissions that the agent will use. |
| `artifactory.password` | Password or API token for the Artifactory user. |
| `artifactory.image_filters` | Optional: List of repositories and images to analyze. |
+[^1]:
+ If you specify a Docker organization as `docker.username`, you must use an
+ organization access token for `docker.pat`. If `docker.username` refers to
+ the username of an organization owner, `docker.pat` must be a personal
+ access token created for that user.
+
If you don't specify any repositories in `artifactory.image_filters`, the agent
runs image analysis on all images in your Artifactory instance.
diff --git a/content/manuals/security/for-admins/access-tokens.md b/content/manuals/security/for-admins/access-tokens.md
index f19bcedb9d9..133072804cb 100644
--- a/content/manuals/security/for-admins/access-tokens.md
+++ b/content/manuals/security/for-admins/access-tokens.md
@@ -15,7 +15,6 @@ The organization access tokens feature is currently in [Beta](../../release-life
> Organization access tokens aren't currently compatible with the following services:
>
> - Docker Build Cloud
-> - Docker Scout
> - Docker REST APIs
>
> If you use these services, you must use personal access tokens instead.