diff --git a/pkg/dagger.io/dagger/engine/image.cue b/pkg/dagger.io/dagger/engine/image.cue
index ae346903..dbd5d63a 100644
--- a/pkg/dagger.io/dagger/engine/image.cue
+++ b/pkg/dagger.io/dagger/engine/image.cue
@@ -14,11 +14,10 @@ package engine
 	config: #ImageConfig
 
 	// Authentication
-	auth: [...{
-		target:   string
+	auth?: {
 		username: string
-		secret:   string | #Secret
-	}]
+		secret:   #Secret
+	}
 
 	// Complete ref of the pushed image, including digest
 	result: #Ref
@@ -68,11 +67,10 @@ package engine
 	source: #Ref
 
 	// Authentication
-	auth: [...{
-		target:   string
+	auth?: {
 		username: string
 		secret:   string | #Secret
-	}]
+	}
 
 	// Root filesystem of downloaded image
 	output: #FS
diff --git a/pkg/universe.dagger.io/docker/pull.cue b/pkg/universe.dagger.io/docker/pull.cue
index b670f414..5a0b4d64 100644
--- a/pkg/universe.dagger.io/docker/pull.cue
+++ b/pkg/universe.dagger.io/docker/pull.cue
@@ -12,18 +12,16 @@ import (
 	source: #Ref
 
 	// Registry authentication
-	// Key must be registry address, for example "index.docker.io"
-	auth: [registry=string]: {
+	auth?: {
 		username: string
 		secret:   dagger.#Secret
 	}
 
 	_op: engine.#Pull & {
 		"source": source
-		"auth": [ for target, creds in auth {
-			"target": target
-			creds
-		}]
+		if auth != _|_ {
+			"auth": auth
+		}
 	}
 
 	// Downloaded image
diff --git a/pkg/universe.dagger.io/docker/push.cue b/pkg/universe.dagger.io/docker/push.cue
index 391a3da7..9d29cf9f 100644
--- a/pkg/universe.dagger.io/docker/push.cue
+++ b/pkg/universe.dagger.io/docker/push.cue
@@ -14,8 +14,7 @@ import (
 	result: #Ref & _push.result
 
 	// Registry authentication
-	// Key must be registry address
-	auth: [registry=string]: {
+	auth?: {
 		username: string
 		secret:   dagger.#Secret
 	}
@@ -25,10 +24,9 @@ import (
 
 	_push: engine.#Push & {
 		"dest": dest
-		"auth": [ for target, creds in auth {
-			"target": target
-			creds
-		}]
+		if auth != _|_ {
+			"auth": auth
+		}
 		input:  image.rootfs
 		config: image.config
 	}
diff --git a/plan/task/auth.go b/plan/task/auth.go
index 8fc7e44c..1d8983e5 100644
--- a/plan/task/auth.go
+++ b/plan/task/auth.go
@@ -6,7 +6,6 @@ import (
 )
 
 type authValue struct {
-	Target   string
 	Username string
 	Secret   *plancontext.Secret
 }
@@ -14,41 +13,23 @@ type authValue struct {
 // Decodes an auth field value
 //
 // Cue format:
-//   auth: [...{
-//     target:   string
+//   auth: {
 //     username: string
 //     secret:   string | #Secret
-//   }]
-func decodeAuthValue(pctx *plancontext.Context, v *compiler.Value) ([]*authValue, error) {
-	vals, err := v.List()
+//   }
+func decodeAuthValue(pctx *plancontext.Context, v *compiler.Value) (*authValue, error) {
+	authVal := authValue{}
+	username, err := v.Lookup("username").String()
 	if err != nil {
 		return nil, err
 	}
+	authVal.Username = username
 
-	authVals := []*authValue{}
-	for _, val := range vals {
-		authVal := authValue{}
-
-		target, err := val.Lookup("target").String()
-		if err != nil {
-			return nil, err
-		}
-		authVal.Target = target
-
-		username, err := val.Lookup("username").String()
-		if err != nil {
-			return nil, err
-		}
-		authVal.Username = username
-
-		secret, err := pctx.Secrets.FromValue(val.Lookup("secret"))
-		if err != nil {
-			return nil, err
-		}
-		authVal.Secret = secret
-
-		authVals = append(authVals, &authVal)
+	secret, err := pctx.Secrets.FromValue(v.Lookup("secret"))
+	if err != nil {
+		return nil, err
 	}
+	authVal.Secret = secret
 
-	return authVals, nil
+	return &authVal, nil
 }
diff --git a/plan/task/pull.go b/plan/task/pull.go
index d4dede0f..d374ff5c 100644
--- a/plan/task/pull.go
+++ b/plan/task/pull.go
@@ -28,13 +28,18 @@ func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.
 	}
 
 	// Read auth info
-	auth, err := decodeAuthValue(pctx, v.Lookup("auth"))
-	if err != nil {
-		return nil, err
-	}
-	for _, a := range auth {
-		s.AddCredentials(a.Target, a.Username, a.Secret.PlainText())
-		lg.Debug().Str("target", a.Target).Msg("add target credentials")
+	if auth := v.Lookup("auth"); auth.Exists() {
+		a, err := decodeAuthValue(pctx, auth)
+		if err != nil {
+			return nil, err
+		}
+		// Extract registry target from source
+		target, err := solver.ParseAuthHost(rawRef)
+		if err != nil {
+			return nil, err
+		}
+		s.AddCredentials(target, a.Username, a.Secret.PlainText())
+		lg.Debug().Str("target", target).Msg("add target credentials")
 	}
 
 	ref, err := reference.ParseNormalizedNamed(rawRef)
diff --git a/plan/task/push.go b/plan/task/push.go
index 300b21a8..5e34fcfc 100644
--- a/plan/task/push.go
+++ b/plan/task/push.go
@@ -36,13 +36,19 @@ func (c *pushTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.
 	dest = reference.TagNameOnly(dest)
 
 	// Read auth info
-	auth, err := decodeAuthValue(pctx, v.Lookup("auth"))
-	if err != nil {
-		return nil, err
-	}
-	for _, a := range auth {
-		s.AddCredentials(a.Target, a.Username, a.Secret.PlainText())
-		lg.Debug().Str("target", a.Target).Msg("add target credentials")
+	if auth := v.Lookup("auth"); auth.Exists() {
+		// Read auth info
+		a, err := decodeAuthValue(pctx, auth)
+		if err != nil {
+			return nil, err
+		}
+		// Extract registry target from dest
+		target, err := solver.ParseAuthHost(rawDest)
+		if err != nil {
+			return nil, err
+		}
+		s.AddCredentials(target, a.Username, a.Secret.PlainText())
+		lg.Debug().Str("target", target).Msg("add target credentials")
 	}
 
 	// Get input state