diff --git a/registry/proxy/proxyauth.go b/registry/proxy/proxyauth.go
index 8cdc3ebff..adf60cb9c 100644
--- a/registry/proxy/proxyauth.go
+++ b/registry/proxy/proxyauth.go
@@ -17,14 +17,23 @@ type userpass struct {
 	password string
 }
 
+func (u userpass) Basic(_ *url.URL) (string, string) {
+	return u.username, u.password
+}
+
+func (u userpass) RefreshToken(_ *url.URL, service string) string {
+	return ""
+}
+
+func (u userpass) SetRefreshToken(_ *url.URL, service, token string) {
+}
+
 type credentials struct {
 	creds map[string]userpass
 }
 
 func (c credentials) Basic(u *url.URL) (string, string) {
-	up := c.creds[u.String()]
-
-	return up.username, up.password
+	return c.creds[u.String()].Basic(u)
 }
 
 func (c credentials) RefreshToken(u *url.URL, service string) string {
@@ -35,12 +44,12 @@ func (c credentials) SetRefreshToken(u *url.URL, service, token string) {
 }
 
 // configureAuth stores credentials for challenge responses
-func configureAuth(username, password, remoteURL string) (auth.CredentialStore, error) {
+func configureAuth(username, password, remoteURL string) (auth.CredentialStore, auth.CredentialStore, error) {
 	creds := map[string]userpass{}
 
 	authURLs, err := getAuthURLs(remoteURL)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	for _, url := range authURLs {
@@ -51,7 +60,7 @@ func configureAuth(username, password, remoteURL string) (auth.CredentialStore,
 		}
 	}
 
-	return credentials{creds: creds}, nil
+	return credentials{creds: creds}, userpass{username: username, password: password}, nil
 }
 
 func getAuthURLs(remoteURL string) ([]string, error) {
diff --git a/registry/proxy/proxyregistry.go b/registry/proxy/proxyregistry.go
index 55c8f4beb..e8bbe6bdf 100644
--- a/registry/proxy/proxyregistry.go
+++ b/registry/proxy/proxyregistry.go
@@ -8,6 +8,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/distribution/reference"
+
 	"github.com/distribution/distribution/v3"
 	"github.com/distribution/distribution/v3/configuration"
 	"github.com/distribution/distribution/v3/internal/client"
@@ -18,7 +20,6 @@ import (
 	"github.com/distribution/distribution/v3/registry/proxy/scheduler"
 	"github.com/distribution/distribution/v3/registry/storage"
 	"github.com/distribution/distribution/v3/registry/storage/driver"
-	"github.com/distribution/reference"
 )
 
 var repositoryTTL = 24 * 7 * time.Hour
@@ -30,6 +31,7 @@ type proxyingRegistry struct {
 	ttl            *time.Duration
 	remoteURL      url.URL
 	authChallenger authChallenger
+	basicAuth      auth.CredentialStore
 }
 
 // NewRegistryPullThroughCache creates a registry acting as a pull through cache
@@ -112,7 +114,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
 		}
 	}
 
-	cs, err := configureAuth(config.Username, config.Password, config.RemoteURL)
+	cs, b, err := configureAuth(config.Username, config.Password, config.RemoteURL)
 	if err != nil {
 		return nil, err
 	}
@@ -127,6 +129,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
 			cm:        challenge.NewSimpleManager(),
 			cs:        cs,
 		},
+		basicAuth: b,
 	}, nil
 }
 
@@ -155,7 +158,8 @@ func (pr *proxyingRegistry) Repository(ctx context.Context, name reference.Named
 
 	tr := transport.NewTransport(http.DefaultTransport,
 		auth.NewAuthorizer(c.challengeManager(),
-			auth.NewTokenHandlerWithOptions(tkopts)))
+			auth.NewTokenHandlerWithOptions(tkopts),
+			auth.NewBasicHandler(pr.basicAuth)))
 
 	localRepo, err := pr.embedded.Repository(ctx, name)
 	if err != nil {