diff --git a/binderhub/registry.py b/binderhub/registry.py
index eaa13dba3..8891041b2 100644
--- a/binderhub/registry.py
+++ b/binderhub/registry.py
@@ -188,26 +188,32 @@ def _default_password(self):
     @gen.coroutine
     def get_image_manifest(self, image, tag):
         client = httpclient.AsyncHTTPClient()
+        url = "{}/v2/{}/manifests/{}".format(self.url, image, tag)
         # first, get a token to perform the manifest request
-        if not self.token_url:
-            raise ValueError("No token URL for authenticating with {}".format(self.url))
-        auth_req = httpclient.HTTPRequest(
-            url_concat(self.token_url, {"scope": "repository:{}:pull".format(image)}),
-            auth_username=self.username,
-            auth_password=self.password,
-        )
-        auth_resp = yield client.fetch(auth_req)
-        response_body = json.loads(auth_resp.body.decode("utf-8", "replace"))
-    
-        if "token" in response_body.keys():
-            token = response_body["token"]
-        elif "access_token" in response_body.keys(): 
-            token = response_body["access_token"]
-        
-        req = httpclient.HTTPRequest(
-            "{}/v2/{}/manifests/{}".format(self.url, image, tag),
-            headers={"Authorization": "Bearer {}".format(token)},
-        )
+        if self.token_url:
+            auth_req = httpclient.HTTPRequest(
+                url_concat(self.token_url, {"scope": "repository:{}:pull".format(image)}),
+                auth_username=self.username,
+                auth_password=self.password,
+            )
+            auth_resp = yield client.fetch(auth_req)
+            response_body = json.loads(auth_resp.body.decode("utf-8", "replace"))
+
+            if "token" in response_body.keys():
+                token = response_body["token"]
+            elif "access_token" in response_body.keys():
+                token = response_body["access_token"]
+
+            req = httpclient.HTTPRequest(url,
+                headers={"Authorization": "Bearer {}".format(token)},
+            )
+        else:
+            # Use basic HTTP auth (htpasswd)
+            req = httpclient.HTTPRequest(url,
+                auth_username=self.username,
+                auth_password=self.password,
+            )
+
         try:
             resp = yield client.fetch(req)
         except httpclient.HTTPError as e:
diff --git a/doc/setup-binderhub.rst b/doc/setup-binderhub.rst
index 6f25b2b44..49d806ab3 100644
--- a/doc/setup-binderhub.rst
+++ b/doc/setup-binderhub.rst
@@ -177,6 +177,10 @@ Second, you will need to instruct BinderHub about the token URL::
       DockerRegistry:
         token_url: "https://myregistry.io/v2/token?service="
 
+If you setup your own local registry using
+`native basic HTTP authentication <https://docs.docker.com/registry/deploying/#native-basic-auth>`__
+(htpasswd), you can set ``token_url`` to ``None``.
+
 .. note::
 
     There is one additional URL to set in the unlikely event that docker config.json