docker
diff --git a/‎docs/data-sources/org_access_token.md‎
Lines changed: 99 additions & 0 deletions b/‎docs/data-sources/org_access_token.md‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎internal/hubclient/client_org_access_token.go‎
Lines changed: 30 additions & 0 deletions b/‎internal/hubclient/client_org_access_token.go‎
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,99 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "docker_org_access_token Data Source - docker"
+subcategory: ""
+description: |-
+  Reads metadata for an existing organization access token.
+  Provide either id for a direct lookup or a filter block to resolve exactly one token by metadata. The filter block follows the common Terraform name/value pattern and currently supports label only.
+  -> Note: This data source is only available when authenticated with a username and password as an owner of the org.
+  -> Note: This data source returns metadata only. Docker Hub only returns the secret token value during creation, so token is intentionally not exposed here.
+  -> Note: Filter-based lookups scan all organization access token pages to guarantee unique matching, even if the provider max_page_results setting is lower.
+  Example Usage
+  
+  data "docker_org_access_token" "by_id" {
+    org_name = "my-organization"
+    id       = "a7a5ef25-8889-43a0-8cc7-f2a94268e861"
+  }
+  
+  data "docker_org_access_token" "by_label" {
+    org_name = "my-organization"
+  
+    filter {
+      name   = "label"
+      values = ["ci-token"]
+    }
+  }
+---
+
+# docker_org_access_token (Data Source)
+
+Reads metadata for an existing organization access token.
+
+Provide either `id` for a direct lookup or a `filter` block to resolve exactly one token by metadata. The `filter` block follows the common Terraform name/value pattern and currently supports `label` only.
+
+-> **Note**: This data source is only available when authenticated with a username and password as an owner of the org.
+
+-> **Note**: This data source returns metadata only. Docker Hub only returns the secret token value during creation, so `token` is intentionally not exposed here.
+
+-> **Note**: Filter-based lookups scan all organization access token pages to guarantee unique matching, even if the provider `max_page_results` setting is lower.
+
+## Example Usage
+
+```hcl
+data "docker_org_access_token" "by_id" {
+  org_name = "my-organization"
+  id       = "a7a5ef25-8889-43a0-8cc7-f2a94268e861"
+}
+
+data "docker_org_access_token" "by_label" {
+  org_name = "my-organization"
+
+  filter {
+    name   = "label"
+    values = ["ci-token"]
+  }
+}
+```
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `org_name` (String) The organization namespace.
+
+### Optional
+
+- `filter` (Attributes List) One or more name/value filter blocks. Exactly one of `id` or `filter` must be set. Filters are applied with OR semantics within `values` and AND semantics across blocks. Only `label` is supported in v1. (see [below for nested schema](#nestedatt--filter))
+- `id` (String) The ID of the organization access token. Set this for a direct lookup, or omit it when using `filter`.
+
+### Read-Only
+
+- `created_at` (String) The creation timestamp of the access token.
+- `created_by` (String) The user that created the access token.
+- `description` (String) The description of the access token.
+- `expires_at` (String) The expiration timestamp of the access token, if set.
+- `is_active` (Boolean) Whether the access token is active.
+- `label` (String) The label of the access token.
+- `last_used_at` (String) The last time the access token was used, if available.
+- `resources` (Attributes List) Resources this token has access to. (see [below for nested schema](#nestedatt--resources))
+
+<a id="nestedatt--filter"></a>
+### Nested Schema for `filter`
+
+Required:
+
+- `name` (String) Name of the field to filter by. Only `label` is supported.
+- `values` (List of String) Accepted values for the given filter name.
+
+
+<a id="nestedatt--resources"></a>
+### Nested Schema for `resources`
+
+Read-Only:
+
+- `path` (String) The path of the resource.
+- `scopes` (List of String) The scopes this token has access to.
+- `type` (String) The type of resource.
@@ -41,6 +41,13 @@ type OrgAccessToken struct {
 	Resources   []OrgAccessTokenResource `json:"resources,omitempty"`
 }
 
+type OrgAccessTokenPage struct {
+	Total    int              `json:"total"`
+	Next     string           `json:"next,omitempty"`
+	Previous string           `json:"previous,omitempty"`
+	Results  []OrgAccessToken `json:"results"`
+}
+
 type OrgAccessTokenResource struct {
 	Type   string   `json:"type"`
 	Path   string   `json:"path"`
@@ -75,6 +82,29 @@ func (c *Client) CreateOrgAccessToken(ctx context.Context, orgName string, param
 	return accessToken, err
 }
 
+func (c *Client) ListOrgAccessTokens(ctx context.Context, orgName string) ([]OrgAccessToken, error) {
+	if orgName == "" {
+		return nil, fmt.Errorf("orgName is required")
+	}
+
+	var accessTokens []OrgAccessToken
+	nextURL := fmt.Sprintf("/orgs/%s/access-tokens", orgName)
+
+	for nextURL != "" {
+		relativeURL := c.convertToRelativeURL(nextURL)
+
+		var page OrgAccessTokenPage
+		if err := c.sendRequest(ctx, "GET", relativeURL, nil, &page); err != nil {
+			return nil, err
+		}
+
+		accessTokens = append(accessTokens, page.Results...)
+		nextURL = page.Next
+	}
+
+	return accessTokens, nil
+}
+
 func (c *Client) GetOrgAccessToken(ctx context.Context, orgName, accessTokenID string) (OrgAccessToken, error) {
 	if orgName == "" {
 		return OrgAccessToken{}, fmt.Errorf("orgName is required")