diff --git a/ts/manager.externalregistry/classes.externalregistry.ts b/ts/manager.externalregistry/classes.externalregistry.ts
index 52c4f8c..f5f95a7 100644
--- a/ts/manager.externalregistry/classes.externalregistry.ts
+++ b/ts/manager.externalregistry/classes.externalregistry.ts
@@ -32,11 +32,11 @@ export class ExternalRegistry extends plugins.smartdata.SmartDataDbDoc<ExternalR
       type: registryDataArg.type || 'docker',
       name: registryDataArg.name || '',
       url: registryDataArg.url || '',
-      username: registryDataArg.username || '',
-      password: registryDataArg.password || '',
+      username: registryDataArg.username,
+      password: registryDataArg.password,
       description: registryDataArg.description,
       isDefault: registryDataArg.isDefault || false,
-      authType: registryDataArg.authType || 'basic',
+      authType: registryDataArg.authType || (registryDataArg.username || registryDataArg.password ? 'basic' : 'none'),
       insecure: registryDataArg.insecure || false,
       namespace: registryDataArg.namespace,
       proxy: registryDataArg.proxy,
@@ -123,26 +123,38 @@ export class ExternalRegistry extends plugins.smartdata.SmartDataDbDoc<ExternalR
       // For Docker registries, try to access the v2 API
       if (this.data.type === 'docker') {
         const registryUrl = this.data.url.replace(/\/$/, ''); // Remove trailing slash
-        const authHeader = 'Basic ' + Buffer.from(`${this.data.username}:${this.data.password}`).toString('base64');
+        
+        // Build headers based on auth type
+        const headers: any = {};
+        if (this.data.authType === 'basic' && this.data.username && this.data.password) {
+          headers['Authorization'] = 'Basic ' + Buffer.from(`${this.data.username}:${this.data.password}`).toString('base64');
+        } else if (this.data.authType === 'token' && this.data.password) {
+          // For token auth, password field contains the token
+          headers['Authorization'] = `Bearer ${this.data.password}`;
+        }
+        // For 'none' auth type or missing credentials, no auth header is added
         
         // Try to access the Docker Registry v2 API
         const response = await fetch(`${registryUrl}/v2/`, {
-          headers: {
-            'Authorization': authHeader,
-          },
+          headers,
           // Allow insecure if configured
           ...(this.data.insecure ? { rejectUnauthorized: false } : {}),
         }).catch(err => {
           throw new Error(`Failed to connect: ${err.message}`);
         });
         
-        if (response.status === 200 || response.status === 401) {
-          // 200 means successful auth, 401 means registry exists but needs auth
+        if (response.status === 200) {
+          // 200 means successful (either public or authenticated)
           this.data.status = 'active';
           this.data.lastVerified = Date.now();
           this.data.lastError = undefined;
           await this.save();
           return { success: true, message: 'Registry connection successful' };
+        } else if (response.status === 401 && this.data.authType === 'none') {
+          // 401 with no auth means registry exists but needs auth
+          throw new Error('Registry requires authentication');
+        } else if (response.status === 401) {
+          throw new Error('Authentication failed - check credentials');
         } else {
           throw new Error(`Registry returned status ${response.status}`);
         }
diff --git a/ts_interfaces/data/externalregistry.ts b/ts_interfaces/data/externalregistry.ts
index 84eac68..4ecbbc0 100644
--- a/ts_interfaces/data/externalregistry.ts
+++ b/ts_interfaces/data/externalregistry.ts
@@ -19,14 +19,14 @@ export interface IExternalRegistry {
     url: string;
     
     /**
-     * Username for authentication
+     * Username for authentication (optional for token-based or public registries)
      */
-    username: string;
+    username?: string;
     
     /**
-     * Password or access token for authentication
+     * Password, access token, or API key for authentication (optional for public registries)
      */
-    password: string;
+    password?: string;
     
     /**
      * Optional description
@@ -41,7 +41,7 @@ export interface IExternalRegistry {
     /**
      * Authentication type
      */
-    authType?: 'basic' | 'token' | 'oauth2';
+    authType?: 'none' | 'basic' | 'token' | 'oauth2';
     
     /**
      * Allow insecure registry connections (HTTP or self-signed certs)
diff --git a/ts_web/elements/cloudly-view-externalregistries.ts b/ts_web/elements/cloudly-view-externalregistries.ts
index aced428..3203aeb 100644
--- a/ts_web/elements/cloudly-view-externalregistries.ts
+++ b/ts_web/elements/cloudly-view-externalregistries.ts
@@ -90,7 +90,7 @@ export class CloudlyViewExternalRegistries extends DeesElement {
             Name: html`${registry.data.name}${registry.data.isDefault ? html`<span class="default-badge">DEFAULT</span>` : ''}`,
             Type: html`<span class="type-badge type-${registry.data.type}">${registry.data.type.toUpperCase()}</span>`,
             URL: registry.data.url,
-            Username: registry.data.username,
+            Auth: registry.data.authType === 'none' ? 'Public' : (registry.data.username || 'Token Auth'),
             Namespace: registry.data.namespace || '-',
             Status: html`<span class="status-badge status-${registry.data.status || 'unverified'}">${(registry.data.status || 'unverified').toUpperCase()}</span>`,
             'Last Verified': registry.data.lastVerified ? new Date(registry.data.lastVerified).toLocaleString() : 'Never',
@@ -130,16 +130,14 @@ export class CloudlyViewExternalRegistries extends DeesElement {
                     </dees-input-text>
                     <dees-input-text 
                       .key=${'username'} 
-                      .label=${'Username'} 
-                      .placeholder=${'username'}
-                      .required=${true}>
+                      .label=${'Username (only needed for basic auth)'} 
+                      .placeholder=${'username or leave empty for token auth'}>
                     </dees-input-text>
                     <dees-input-text 
                       .key=${'password'} 
-                      .label=${'Password / Access Token'} 
-                      .placeholder=${'••••••••'}
-                      .isPasswordBool=${true}
-                      .required=${true}>
+                      .label=${'Password / Token (NPM _authToken, Docker access token, etc.)'} 
+                      .placeholder=${'Token or password'}
+                      .isPasswordBool=${true}>
                     </dees-input-text>
                     <dees-input-text 
                       .key=${'namespace'} 
@@ -155,11 +153,12 @@ export class CloudlyViewExternalRegistries extends DeesElement {
                       .key=${'authType'} 
                       .label=${'Authentication Type'} 
                       .options=${[
-                        {key: 'basic', option: 'Basic Auth'},
-                        {key: 'token', option: 'Token'},
-                        {key: 'oauth2', option: 'OAuth2'}
+                        {key: 'none', option: 'No Authentication (Public Registry)'},
+                        {key: 'basic', option: 'Basic Auth (Username + Password)'},
+                        {key: 'token', option: 'Token Only (NPM, GitHub, GitLab tokens)'},
+                        {key: 'oauth2', option: 'OAuth2 (Advanced)'}
                       ]}
-                      .value=${'basic'}>
+                      .value=${'none'}>
                     </dees-input-dropdown>
                     <dees-input-checkbox 
                       .key=${'isDefault'} 
@@ -242,14 +241,14 @@ export class CloudlyViewExternalRegistries extends DeesElement {
                     </dees-input-text>
                     <dees-input-text 
                       .key=${'username'} 
-                      .label=${'Username'} 
-                      .value=${registry.data.username}
-                      .required=${true}>
+                      .label=${'Username (only needed for basic auth)'} 
+                      .value=${registry.data.username || ''}
+                      .placeholder=${'Leave empty for token auth'}>
                     </dees-input-text>
                     <dees-input-text 
                       .key=${'password'} 
-                      .label=${'Password / Access Token (leave empty to keep current)'} 
-                      .placeholder=${'••••••••'}
+                      .label=${'Password / Token (leave empty to keep current)'} 
+                      .placeholder=${'New token or password'}
                       .isPasswordBool=${true}>
                     </dees-input-text>
                     <dees-input-text 
@@ -266,11 +265,12 @@ export class CloudlyViewExternalRegistries extends DeesElement {
                       .key=${'authType'} 
                       .label=${'Authentication Type'} 
                       .options=${[
-                        {key: 'basic', option: 'Basic Auth'},
-                        {key: 'token', option: 'Token'},
-                        {key: 'oauth2', option: 'OAuth2'}
+                        {key: 'none', option: 'No Authentication (Public Registry)'},
+                        {key: 'basic', option: 'Basic Auth (Username + Password)'},
+                        {key: 'token', option: 'Token Only (NPM, GitHub, GitLab tokens)'},
+                        {key: 'oauth2', option: 'OAuth2 (Advanced)'}
                       ]}
-                      .value=${registry.data.authType || 'basic'}>
+                      .value=${registry.data.authType || 'none'}>
                     </dees-input-dropdown>
                     <dees-input-checkbox 
                       .key=${'isDefault'}