> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tokenfactory.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Add a tag to an image

> Adds a tag to an image. Tags are unique per namespace; if the requested tag is already
assigned to another image, it will be moved to this image.

Assigning a tag that matches a public tag to a public image will freeze that tag
to the current image - subsequent public updates to the tag will not affect it.
To make the public tag track the latest public image again, remove your tag assignment.

When a tag is removed from an image that resides in the public namespace, the API returns HTTP 200 OK.
response body contains the tag that now points to the public image
(i.e., the image that the tag is automatically re‑assigned to).

In other words, un‑tagging a public image does not delete the tag; it simply moves the tag back to the public
image and the caller receives that tag in the successful response.




## OpenAPI

````yaml https://eu-north.nebius.computer/static/api.yaml patch /images/{imageUUID}/tag
openapi: 3.0.0
info:
  title: Contree API
  description: >
    Contree is a container management system combining virtual machine isolation
    with container operational efficiency. 

    Designed for security-sensitive workloads requiring hardware-enforced
    boundaries while maintaining

    container workflow compatibility.
  version: 1.0.0
servers:
  - url: '{baseUrl}/v1'
    description: |
      Nebius IAM-fronted endpoint (use `IAMBearerAuth` + `IAMProjectHeader`).
      Override `baseUrl` to point at a different deployment.
    variables:
      baseUrl:
        default: https://api.tokenfactory.nebius.com/sandboxes
        description: |
          Base URL of the contree service. Defaults to the public Nebius
          IAM-fronted endpoint; set to your self-hosted contree origin
          (e.g. `https://contree.example.com`) when running elsewhere.
security:
  - IAMBearerAuth: []
    IAMProjectHeader: []
tags:
  - name: images
    description: Operations related to container images
  - name: files
    description: Operations related to file uploads
  - name: instances
    description: Operations related to container instances
  - name: inspect
    description: Operations related to inspecting container images
  - name: operations
    description: Operations related to long-running operations
  - name: auth
    description: Authentication and token introspection
paths:
  /images/{imageUUID}/tag:
    patch:
      tags:
        - images
      summary: Add a tag to an image
      description: >
        Adds a tag to an image. Tags are unique per namespace; if the requested
        tag is already

        assigned to another image, it will be moved to this image.


        Assigning a tag that matches a public tag to a public image will freeze
        that tag

        to the current image - subsequent public updates to the tag will not
        affect it.

        To make the public tag track the latest public image again, remove your
        tag assignment.


        When a tag is removed from an image that resides in the public
        namespace, the API returns HTTP 200 OK.

        response body contains the tag that now points to the public image

        (i.e., the image that the tag is automatically re‑assigned to).


        In other words, un‑tagging a public image does not delete the tag; it
        simply moves the tag back to the public

        image and the caller receives that tag in the successful response.
      operationId: updateImageTag
      parameters:
        - name: imageUUID
          in: path
          required: true
          description: The UUID of the image to update
          schema:
            $ref: '#/components/schemas/UUIDSchema'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - tag
              properties:
                tag:
                  type: string
                  description: New tag for the image
                  example: busybox:latest
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Image'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  schemas:
    UUIDSchema:
      type: string
      format: uuid
      description: A UUID string
      example: 12345678-9abc-baba-deda-0123456789ab
    Image:
      type: object
      properties:
        uuid:
          $ref: '#/components/schemas/UUIDSchema'
        tag:
          type: string
          nullable: true
          description: Tag to identify the image
          example: busybox:latest
        created_at:
          type: string
          description: ISO 8601 formatted timestamp of when the image was created
          example: '2024-01-01T12:00:00+00:00'
        operation_uuid:
          nullable: true
          allOf:
            - $ref: '#/components/schemas/UUIDSchema'
          description: >
            UUID of the operation that created this image.

            Returns `null` when the image belongs to a different namespace (e.g.
            public images)

            or when the image was not created by an operation (e.g. shared
            images).
    Error:
      type: object
      required:
        - error
      properties:
        error:
          oneOf:
            - type: string
            - type: object
            - type: array
              items:
                type: object
          description: Error message or structured validation errors
          example: Some error occurred, this is an example of error message
        status:
          type: integer
          description: HTTP status code
          example: 500
        traceback:
          type: array
          items:
            type: string
  responses:
    BadRequest:
      description: Bad Request - Invalid request parameters
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: |
        Unauthorized - Invalid or missing authentication credentials.
        Either the `Authorization` bearer token is missing or invalid, or
        the `Project` header is missing.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Forbidden:
      description: Forbidden - Token does not have sufficient permissions
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Not Found - The requested resource does not exist
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    IAMBearerAuth:
      type: http
      scheme: bearer
      bearerFormat: IAM
      description: |
        IAM bearer token issued by the Nebius IAM service. Sent as
        `Authorization: Bearer <iam-token>`. Must be combined with the
        `Project` header (see `IAMProjectHeader`).

        This is the recommended authentication scheme for new clients.
    IAMProjectHeader:
      type: apiKey
      in: header
      name: Project
      description: |
        Nebius project ID associated with the IAM token. Required together
        with `IAMBearerAuth`. Identifies the project context the request is
        scoped to.

````