diff --git a/binderhub/build.py b/binderhub/build.py
index da1f3997d..e0b5bec7c 100644
--- a/binderhub/build.py
+++ b/binderhub/build.py
@@ -87,18 +87,20 @@ class BuildExecutor(LoggingConfigurable):
 
 push_secret = Unicode(
 "",
- help="Implementation dependent secret for pushing image to a registry.",
+ help="Implementation dependent static secret for pushing image to a registry.",
 config=True,
 )
 
- push_secret_content = Unicode(
+ registry_credentials = Unicode(
 "",
 help=(
- "Content of an implementation dependent secret for pushing image to a registry. "
- "For example, if push tokens are temporary this can be used to pass the token "
- "as an environment variable CONTAINER_ENGINE_REGISTRY_CREDENTIALS to "
- "repo2docker."
- "If provided this will be used instead of push_secret."
+ "Implementation dependent credentials for pushing image to a registry. "
+ "For example, if push tokens are temporary this could be used to pass "
+ "dynamically created credentials as an encoded JSON blob "
+ '`{"registry": "docker.io", "username":"user", "password":"password"}` '
+ "in the environment variable `CONTAINER_ENGINE_REGISTRY_CREDENTIALS` to "
+ "repo2docker. "
+ "If provided this will be used instead of push_secret. "
 ),
 config=True,
 )
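Review bot: Renaming the configurable trait `push_secret_content` to `registry_credentials` in the `@@ -87,18 +87,20 @@` hunk leaves no alias for the old name. Any deployment config that still sets `push_secret_content` would stop taking effect, and `submit()` would fall through to its `elif self.push_secret:` branch and use the static secret instead. Whether the old name ever shipped in a release is not visible in this diff; if it did, keep it as a deprecated trait that forwards to the new one. The warning should name the trait only, since the value is a credential. The sketch below relies on traitlets' `observe`, which may need importing in build.py.

```python
    # … unchanged: push_secret and registry_credentials traits …

    push_secret_content = Unicode(
        "",
        help="Deprecated: use registry_credentials.",
        config=True,
    )

    @observe("push_secret_content")
    def _push_secret_content_changed(self, change):
        # Log the rename only; the value is a credential and must not be logged.
        self.log.warning(
            "push_secret_content is deprecated, use registry_credentials"
        )
        self.registry_credentials = change.new
```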
@@ -243,7 +245,26 @@ def _default_api(self):
 # Overrides the default for BuildExecutor
 push_secret = Unicode(
 "binder-build-docker-config",
- help="Implementation dependent secret for pushing image to a registry.",
+ help=(
+ "Name of a Kubernetes secret containing static credentials for pushing "
+ "an image to a registry."
+ ),
+ config=True,
+ )
+
+ registry_credentials = Unicode(
+ "",
+ help=(
+ "Implementation dependent credentials for pushing image to a registry. "
+ "For example, if push tokens are temporary this could be used to pass "
+ "dynamically created credentials as an encoded JSON blob "
+ '`{"registry": "docker.io", "username":"user", "password":"password"}` '
+ "in the environment variable `CONTAINER_ENGINE_REGISTRY_CREDENTIALS` to "
+ "repo2docker. "
+ "If provided this will be used instead of push_secret. "
+ "Currently this is passed to the build pod as a plan text environment "
+ "variable, though future implementations may use a Kubernetes secret."
+ ),
 config=True,
 )
 
@@ -415,11 +436,11 @@ def submit(self):
 client.V1EnvVar(name="GIT_CREDENTIAL_ENV", value=self.git_credentials)
 )
 
- if self.push_secret_content:
+ if self.registry_credentials:
 env.append(
 client.V1EnvVar(
 name="CONTAINER_ENGINE_REGISTRY_CREDENTIALS",
- value=self.push_secret_content,
+ value=self.registry_credentials,
 )
 )
 elif self.push_secret:
diff --git a/binderhub/builder.py b/binderhub/builder.py
index ad419c6a3..b414b3fe7 100644
--- a/binderhub/builder.py
+++ b/binderhub/builder.py
@@ -463,7 +463,7 @@ async def get(self, provider_prefix, _unescaped_spec):
 image_without_tag, image_tag
 )
 if push_token:
- build.push_secret_content = json.dumps(push_token)
+ build.registry_credentials = json.dumps(push_token)
 else:
 build.push_secret = ""
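Review bot: The help text added for `registry_credentials` in the `@@ -243,7 +245,26 @@` hunk says "plan text" where "plain text" is meant. This is the only sentence that tells an operator the credential is exposed, so the wording should be exact. Suggested replacement for the last two string fragments: `"Currently this is passed to the build pod as a plain text environment "` and `"variable and is therefore visible in the pod spec; future implementations may use a Kubernetes secret."`. The rest of this help duplicates the base-class text from the first hunk, so the two copies can drift apart; the override could carry only the Kubernetes-specific sentence.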
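Review bot: In the `@@ -415,11 +436,11 @@` hunk, `value=self.registry_credentials` writes the registry username/password JSON literally into the build pod's env list. Any principal allowed to get or list pods in the build namespace can read it, and so can anything that dumps the pod manifest. A per-build Secret referenced through `value_from=client.V1EnvVarSource(secret_key_ref=...)` would keep the credential out of the pod spec. Until that exists, add a comment above the `env.append(` call such as `# registry_credentials is stored in clear text in the pod spec; do not log env or the pod manifest`. submit() starts and ends outside the hunk, so whether the manifest or env list is logged elsewhere cannot be checked from here.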