diff --git a/entrypoint.go b/entrypoint.go
index 49352e8..e000480 100644
--- a/entrypoint.go
+++ b/entrypoint.go
@@ -64,6 +64,7 @@ const (
 PURCHASE_RESOURCE = tools.PURCHASE_RESOURCE
 NATIVE_TOOL = tools.NATIVE_TOOL
 EXECUTION_VERIFICATION = tools.EXECUTION_VERIFICATION
+ ALLOWED_IMAGE = tools.ALLOWED_IMAGE
 )
 
 func GetMySelf() (*peer.Peer, error) {
diff --git a/models/allowed_image/allowed_image.go b/models/allowed_image/allowed_image.go
new file mode 100644
index 0000000..cd37aea
--- /dev/null
+++ b/models/allowed_image/allowed_image.go
@@ -0,0 +1,56 @@
+package allowed_image
+
+import (
+ "cloud.o-forge.io/core/oc-lib/models/utils"
+ "cloud.o-forge.io/core/oc-lib/tools"
+)
+
+// AllowedImage représente une image de conteneur autorisée à persister
+// sur un peer après l'exécution d'un workflow.
+//
+// La décision de rétention est entièrement locale au datacenter —
+// le fournisseur de processing n'a aucun levier sur cette liste.
+//
+// Règle de matching (côté oc-datacenter) :
+// - Registry vide = toutes les registries
+// - TagConstraint vide = toutes les versions
+// - TagConstraint non vide = exact ou glob (ex: "3.*", "1.2.3")
+//
+// Les entrées IsDefault sont créées au bootstrap et ne peuvent pas
+// être supprimées via l'API.
+type AllowedImage struct {
+ utils.AbstractObject
+
+ // Registry source (ex: "docker.io", "registry.example.com").
+ // Vide = wildcard, accepte n'importe quelle registry.
+ Registry string `json:"registry,omitempty" bson:"registry,omitempty"`
+
+ // Image est le nom de l'image sans registry ni tag
+ // (ex: "natsio/nats-box", "library/alpine").
+ Image string `json:"image" bson:"image" validate:"required"`
+
+ // TagConstraint est la contrainte sur le tag.
+ // Vide = toutes les versions autorisées.
+ // Supporte exact ("1.2.3") ou glob ("3.*", "*-alpine").
+ TagConstraint string `json:"tag_constraint,omitempty" bson:"tag_constraint,omitempty"`
+
+ // IsDefault marque les entrées bootstrap insérées au démarrage.
+ // Ces entrées ne peuvent pas être supprimées via l'API.
+ IsDefault bool `json:"is_default,omitempty" bson:"is_default,omitempty"`
+}
+
+func (a *AllowedImage) StoreDraftDefault() {
+ a.IsDraft = false // les allowed images sont actives immédiatement
+}
+
+func (a *AllowedImage) CanUpdate(set utils.DBObject) (bool, utils.DBObject) {
+ return true, set
+}
+
+func (a *AllowedImage) CanDelete() bool {
+ return !a.IsDefault // les entrées bootstrap sont non supprimables
+}
+
+func (a *AllowedImage) GetAccessor(request *tools.APIRequest) utils.Accessor {
+ return NewAccessor(request)
+}
diff --git a/models/allowed_image/allowed_image_mongo_accessor.go b/models/allowed_image/allowed_image_mongo_accessor.go
new file mode 100644
index 0000000..fa6bc67
--- /dev/null
+++ b/models/allowed_image/allowed_image_mongo_accessor.go
@@ -0,0 +1,23 @@
+package allowed_image
+
+import (
+ "cloud.o-forge.io/core/oc-lib/logs"
+ "cloud.o-forge.io/core/oc-lib/models/utils"
+ "cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type allowedImageMongoAccessor struct {
+ utils.AbstractAccessor[*AllowedImage]
+}
+
+func NewAccessor(request *tools.APIRequest) *allowedImageMongoAccessor {
+ return &allowedImageMongoAccessor{
+ AbstractAccessor: utils.AbstractAccessor[*AllowedImage]{
+ Logger: logs.CreateLogger(tools.ALLOWED_IMAGE.String()),
+ Request: request,
+ Type: tools.ALLOWED_IMAGE,
+ New: func() *AllowedImage { return &AllowedImage{} },
+ NotImplemented: []string{"CopyOne"},
+ },
+ }
+}
diff --git a/models/models.go b/models/models.go
index 04d555e..9b1f139 100644
--- a/models/models.go
+++ b/models/models.go
@@ -2,6 +2,7 @@ package models
 
 import (
 "cloud.o-forge.io/core/oc-lib/logs"
+ "cloud.o-forge.io/core/oc-lib/models/allowed_image"
 "cloud.o-forge.io/core/oc-lib/models/bill"
 "cloud.o-forge.io/core/oc-lib/models/execution_verification"
 "cloud.o-forge.io/core/oc-lib/models/live"
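Review bot: In models/allowed_image/allowed_image.go, `CanUpdate` returns `true, set` unconditionally while `IsDefault` is a client-writable JSON field (`json:"is_default,omitempty"`), so the protection in `CanDelete` can apparently be sidestepped by first updating a bootstrap entry to clear `is_default`, or by rewriting its `Registry`, `Image` or `TagConstraint` in place. Assuming the receiver is the stored entry and `set` the incoming change, carrying the stored flag over before returning would close the first path: `if next, ok := set.(*AllowedImage); ok { next.IsDefault = a.IsDefault }`. The same flag should likely be forced to false on entries created through the API, since only bootstrap is meant to set it. How the generic accessor applies `set` is not visible in this diff, so confirm the behaviour there before relying on this list as a retention control.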
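Review bot: `NewAccessor` in models/allowed_image/allowed_image_mongo_accessor.go disables only `CopyOne`, so store, update and delete all go through the generic `AbstractAccessor`, and nothing in this file ties writes to the local datacenter operator, which is the guarantee the `AllowedImage` doc comment states. If that restriction is enforced in `AbstractAccessor` or in the API layer, record it in a doc comment on the constructor, e.g. `// NewAccessor returns the accessor for allowed images; writes are restricted to local admin requests by <enforcing layer>.`; if it is not enforced anywhere yet, it needs to be added before this allowlist is trusted. Separately, the exported `NewAccessor` returns the unexported `*allowedImageMongoAccessor`, a type callers outside the package cannot name.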
@@ -46,6 +47,7 @@ var ModelsCatalog = map[string]func() utils.DBObject{
 tools.LIVE_STORAGE.String(): func() utils.DBObject { return &live.LiveStorage{} },
 tools.BILL.String(): func() utils.DBObject { return &bill.Bill{} },
 tools.EXECUTION_VERIFICATION.String(): func() utils.DBObject { return &execution_verification.ExecutionVerification{} },
+ tools.ALLOWED_IMAGE.String(): func() utils.DBObject { return &allowed_image.AllowedImage{} },
 }
 
 // Model returns the model object based on the model type
diff --git a/tools/enums.go b/tools/enums.go
index cd859cf..98f54d7 100644
--- a/tools/enums.go
+++ b/tools/enums.go
@@ -32,6 +32,7 @@ const (
 BILL
 NATIVE_TOOL
 EXECUTION_VERIFICATION
+ ALLOWED_IMAGE
 )
 
 var NOAPI = func() string {
@@ -88,6 +89,7 @@ var InnerDefaultAPI = [...]func() string{
 NOAPI,
 CATALOGAPI,
 SCHEDULERAPI,
+ DATACENTERAPI,
 }
 
 // Bind the standard data name to the data type
@@ -114,6 +116,7 @@ var Str = [...]string{
 "bill",
 "native_tool",
 "execution_verification",
+ "allowed_image",
 }
 
 func FromString(comp string) int {
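Review bot: Nothing in tools/enums.go checks that the positional tables stay aligned with the const block, so the new `ALLOWED_IMAGE` value is only routed and named correctly because the `InnerDefaultAPI` hunk and the `Str` hunk each append at the same position. Any other table indexed by this enum that lies outside the diff would either index out of range or resolve to the wrong entry, and for this type that decides which service owns the image allowlist. A comment above the const block such as `// Every table indexed by this enum (InnerDefaultAPI, Str, ...) must gain an entry at the same position.` would make the coupling explicit. A small unit test comparing `len(Str)` and `len(InnerDefaultAPI)` against the last constant plus one would catch a missed table. All three blocks start or end outside their hunks, so other consumers of the enum should be checked by hand.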