diff --git a/api/api.go b/api/api.go
index d7ccc95..38e4bfa 100644
--- a/api/api.go
+++ b/api/api.go
@@ -13,7 +13,8 @@ type MetalConfig struct {
 NTPServers []string `json:"ntp_servers,omitempty"`
 Partition string `json:"partition"`
 // Logging contains logging configurations passed to metal-hammer
- Logging *Logging `json:"logging,omitempty"`
+ Logging *Logging `json:"logging,omitempty"`
+ OciConfigs map[string]*OciCredentials `json:"oci_config,omitempty"`
 }

 type Logging struct {
@@ -45,6 +46,13 @@ type CertificateAuth struct {
 InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
 }

+type OciCredentials struct {
+ // Username that is capable of logging in to the registry
+ Username string `json:"username,omitempty" yaml:"username,omitempty"`
+ // Password for the user
+ Password string `json:"password,omitempty" yaml:"password,omitempty"`
+}
+
 // LogType defines which logging backend should be used
 type LogType string

diff --git a/go.mod b/go.mod
index 5d6e029..2ee4f6e 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/metal-stack/pixie
 go 1.25

 require (
+ github.com/goccy/go-yaml v1.19.2
 github.com/metal-stack/metal-api v0.42.4
 github.com/metal-stack/v v1.0.3
 github.com/pin/tftp/v3 v3.1.0
diff --git a/go.sum b/go.sum
index d09cf22..ca58f15 100644
--- a/go.sum
+++ b/go.sum
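Review bot: The new `OciConfigs` field in `MetalConfig` has no doc comment, and its JSON key is the singular `oci_config` although the value is a map with one entry per registry. Judging by the loader added in pixiecore/cli/grpccmd.go the map key is the registry URL, and a nil value appears to mean that no login is needed; stating this on the field helps whoever consumes the JSON, for example `// OciConfigs maps an OCI registry URL to the credentials used for it; nil credentials mean anonymous access`. If the key is to be renamed to `oci_configs`, do it before any consumer depends on the current spelling. The struct starts above the hunk.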
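Review bot: `OciCredentials.Password` is a plaintext registry secret that now travels inside `MetalConfig`, so every place that logs, dumps or serialises that struct would write it out; the diff does not show how the config is delivered or logged, so this needs checking against the callers. The exported type also lacks a doc comment; something like `// OciCredentials holds the login for an OCI registry; Password is a secret and must not be logged` would cover both. A `String()` method on `OciCredentials` that returns the username plus a fixed `<redacted>` marker would keep `%v` and `%+v` formatting from ever printing the password.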
@@ -15,6 +15,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
diff --git a/pixiecore/cli/grpccmd.go b/pixiecore/cli/grpccmd.go
index 8d36001..3806fc3 100644
--- a/pixiecore/cli/grpccmd.go
+++ b/pixiecore/cli/grpccmd.go
@@ -20,6 +20,7 @@ import (
 "os"
 "strings"

+ yaml "github.com/goccy/go-yaml"
 "github.com/metal-stack/pixie/api"
 "github.com/metal-stack/pixie/pixiecore"
 "github.com/spf13/cobra"
@@ -85,6 +86,9 @@ func init() {
 grpcCmd.Flags().String("metal-hammer-logging-key", "", "set metal-hammer to send logs to a remote endpoint and authenticate with this key")
 grpcCmd.Flags().Bool("metal-hammer-logging-tls-insecure", false, "set metal-hammer to send logs to a remote endpoint without verifying the tls certificate")
 grpcCmd.Flags().String("metal-hammer-logging-type", "loki", "set metal-hammer to send logs to a remote endpoint with this logging type")
+
+ // metal-hammer oci configs
+ grpcCmd.Flags().StringSlice("metal-hammer-oci-configs", nil, "multiple metal-hammer oci configs. comma-separated key-value pairs (registry_url=...,username=...,password=...). registry URL is mandatory, login credentials are optional depending on whether the oci image is public.")
 }

 func getMetalAPIConfig(cmd *cobra.Command) (*api.MetalConfig, error) {
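Review bot: The flag registered in `init` is `metal-hammer-oci-configs` (a `StringSlice`), but the hunk added to `getMetalAPIConfig` reads `metal-hammer-oci-config-file-path` with `GetString`; unless that flag is registered outside this diff, pflag reports it as undefined and `getMetalAPIConfig` returns an error on every start. The help text also invites `password=...` on the command line, where it is visible in the process list to other local users and tends to end up in unit files and shell history. Since the loader already reads a YAML file, register the file flag instead: `grpcCmd.Flags().String("metal-hammer-oci-config-file-path", "", "path to a yaml file with oci registry urls and optional credentials for metal-hammer")`. `init` starts above the hunk.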
@@ -219,6 +223,40 @@ func getMetalAPIConfig(cmd *cobra.Command) (*api.MetalConfig, error) {
 }
 }

+ metalHammerOciConfigFilePath, err := cmd.Flags().GetString("metal-hammer-oci-config-file-path")
+ if err != nil {
+ return nil, fmt.Errorf("error reading flag: %w", err)
+ }
+
+ ociConfigs := make(map[string]*api.OciCredentials)
+ if metalHammerOciConfigFilePath != "" {
+ metalHammerOciConfigFileContent, err := os.ReadFile(metalHammerOciConfigFilePath)
+ if err != nil {
+ return nil, fmt.Errorf("error retrieving oci configs file: %w", err)
+ }
+
+ type MetalHammerOciConfig struct {
+ RegistryURL string `yaml:"registry-url"`
+ Credentials *api.OciCredentials
+ }
+ type MetalHammerOciConfigs struct {
+ OciConfigs []MetalHammerOciConfig `yaml:"oci-configs"`
+ }
+ var metalHammerOciConfigs MetalHammerOciConfigs
+ err = yaml.Unmarshal(metalHammerOciConfigFileContent, &metalHammerOciConfigs)
+ if err != nil {
+ return nil, fmt.Errorf("error parsing oci configs: %w", err)
+ }
+
+ for _, config := range metalHammerOciConfigs.OciConfigs {
+ if config.RegistryURL == "" {
+ return nil, fmt.Errorf("no registry url specified for oci config: %+v", config)
+ }
+
+ ociConfigs[config.RegistryURL] = config.Credentials
+ }
+ }
+
 return &api.MetalConfig{
 Debug: metalHammerDebug,
 GRPCAddress: grpcAddress,
@@ -231,5 +269,6 @@ func getMetalAPIConfig(cmd *cobra.Command) (*api.MetalConfig, error) {
 NTPServers: ntpServers,
 Logging: logging,
 Partition: partition,
+ OciConfigs: ociConfigs,
 }, nil
 }
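Review bot: The loop that fills `ociConfigs` lets a second entry with the same `registry-url` silently overwrite the first, and its missing-URL error formats the whole entry with `%+v`, which prints `Credentials` as a bare pointer address today and would print the password if that field ever became a value. Report the entry by position instead, `return nil, fmt.Errorf("oci config entry %d has no registry-url", i)`, and reject duplicates with `if _, ok := ociConfigs[config.RegistryURL]; ok { return nil, fmt.Errorf("duplicate oci config for registry %q", config.RegistryURL) }`. The file holds registry passwords, so the flag help or the README should state the ownership and mode it is expected to have (not world-readable). `Credentials` is the only field here without a `yaml` tag, so its key relies on the library's default field naming; an explicit `yaml:"credentials"` would pin it. `getMetalAPIConfig` starts above the hunk.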