diff --git a/api/types/registry/authconfig.go b/api/types/registry/authconfig.go
index 3389196d71..97a924e374 100644
--- a/api/types/registry/authconfig.go
+++ b/api/types/registry/authconfig.go
@@ -33,6 +33,19 @@ type AuthConfig struct {
 	RegistryToken string `json:"registrytoken,omitempty"`
 }
 
+// EncodeAuthConfig serializes the auth configuration as a base64url encoded
+// RFC4648, section 5) JSON string for sending through the X-Registry-Auth header.
+//
+// For details on base64url encoding, see:
+// - RFC4648, section 5:   https://tools.ietf.org/html/rfc4648#section-5
+func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
+	buf, err := json.Marshal(authConfig)
+	if err != nil {
+		return "", errInvalidParameter{err}
+	}
+	return base64.URLEncoding.EncodeToString(buf), nil
+}
+
 // DecodeAuthConfig decodes base64url encoded (RFC4648, section 5) JSON
 // authentication information as sent through the X-Registry-Auth header.
 //
diff --git a/api/types/registry/authconfig_test.go b/api/types/registry/authconfig_test.go
index 6070977c17..9fdea080af 100644
--- a/api/types/registry/authconfig_test.go
+++ b/api/types/registry/authconfig_test.go
@@ -51,3 +51,9 @@ func TestDecodeAuthConfigBody(t *testing.T) {
 	assert.NilError(t, err)
 	assert.Equal(t, *token, expected)
 }
+
+func TestEncodeAuthConfig(t *testing.T) {
+	token, err := EncodeAuthConfig(expected)
+	assert.NilError(t, err)
+	assert.Equal(t, token, encoded)
+}