diff --git a/components/cli/cli/command/image/pull.go b/components/cli/cli/command/image/pull.go
index 60db336e4d..84bf804165 100644
--- a/components/cli/cli/command/image/pull.go
+++ b/components/cli/cli/command/image/pull.go
@@ -13,7 +13,8 @@ import (
 	"golang.org/x/net/context"
 )
 
-type pullOptions struct {
+// PullOptions defines what and how to pull
+type PullOptions struct {
 	remote    string
 	all       bool
 	platform  string
@@ -22,7 +23,7 @@ type pullOptions struct {
 
 // NewPullCommand creates a new `docker pull` command
 func NewPullCommand(dockerCli command.Cli) *cobra.Command {
-	var opts pullOptions
+	var opts PullOptions
 
 	cmd := &cobra.Command{
 		Use:   "pull [OPTIONS] NAME[:TAG|@DIGEST]",
@@ -30,7 +31,7 @@ func NewPullCommand(dockerCli command.Cli) *cobra.Command {
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.remote = args[0]
-			return runPull(dockerCli, opts)
+			return RunPull(dockerCli, opts)
 		},
 	}
 
@@ -44,7 +45,8 @@ func NewPullCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runPull(cli command.Cli, opts pullOptions) error {
+// RunPull performs a pull against the engine based on the specified options
+func RunPull(cli command.Cli, opts PullOptions) error {
 	distributionRef, err := reference.ParseNormalizedNamed(opts.remote)
 	switch {
 	case err != nil:
diff --git a/components/cli/cli/registry/client/endpoint.go b/components/cli/cli/registry/client/endpoint.go
index a2d9c3359d..5af00ca70d 100644
--- a/components/cli/cli/registry/client/endpoint.go
+++ b/components/cli/cli/registry/client/endpoint.go
@@ -102,7 +102,7 @@ func getHTTPTransport(authConfig authtypes.AuthConfig, endpoint registry.APIEndp
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
 	} else {
 		creds := registry.NewStaticCredentialStore(&authConfig)
-		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, "*")
+		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, "push", "pull")
 		basicHandler := auth.NewBasicHandler(creds)
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
 	}