npm
- Scoped and unscoped packages, published straight from npm publish.
- dist-tags like latest resolve exactly as npm expects; tarballs carry shasums and SRI integrity.
- A search endpoint that returns only the packages the caller may see.
Registries
A repository's type decides the protocol it speaks. docker push, gradle publish, npm install, helm repo add — the standard tools work as-is, because the registry implements each one's real protocol rather than a lookalike.
Docker & OCI
Docker repositories implement the OCI distribution API — the same endpoints Docker and every OCI-compatible client already speak.
latest and only the pointer moves.Maven
Standard Maven layout, real metadata — point a build at the registry and publish or resolve with plain coordinates, no plugins.
maven-metadata.xml is generated — version lists with latest and release, SNAPSHOT-aware..sha1, .md5, .sha256) accompany every artifact..aar, Kotlin .klib, Gradle .module metadata, and .asc signatures — Kotlin Multiplatform publishes cleanly.io/bosca/core/6.0.16/ core-6.0.16.pom core-6.0.16.jar core-6.0.16.module core-6.0.16.jar.sha256 io/bosca/core/ maven-metadata.xml ← generated
And four more
The same namespaces, permissions, and content-addressed storage behind four more repository types.
Keep exploring
Six registry formats behind one namespace and permission model.
Content-addressed blobs, digest verification, reference-counted cleanup.
Public or private namespaces, group grants, and scoped registry tokens.
Publish events, CI requirement gates, ML model serving, and admin APIs.