diff --git a/config/curvenote.yaml b/config/curvenote.yaml
index 5f70d6d3df..feb042ca6d 100644
--- a/config/curvenote.yaml
+++ b/config/curvenote.yaml
@@ -18,6 +18,16 @@ binderhub:
     LaunchQuota:
       total_quota: 10
 
+    ExternalRegistryHelper:
+      service_url: http://curvenote-binderhub-container-registry-helper:8080
+
+  extraEnv:
+    BINDERHUB_CONTAINER_REGISTRY_HELPER_AUTH_TOKEN:
+      valueFrom:
+        secretKeyRef:
+          name: curvenote-binderhub-container-registry-helper
+          key: auth_token
+
   registry:
     url: 166088433508.dkr.ecr.us-east-2.amazonaws.com
     username: ""
@@ -40,15 +50,14 @@ binderhub:
       # and secrets/events-archiver/curvenote.json is created
 
     10-external-registry-helper: |
-      # from binderhub.registry import ExternalRegistryHelper
       import json
+      from os import getenv
       from tornado import httpclient
       from traitlets import Unicode
       from binderhub.registry import DockerRegistry
 
 
       class ExternalRegistryHelper(DockerRegistry):
-
           service_url = Unicode(
               "http://binderhub-container-registry-helper:8080",
               allow_none=False,
@@ -57,7 +66,7 @@ binderhub:
           )
 
           auth_token = Unicode(
-              "secret-token",
+              getenv("BINDERHUB_CONTAINER_REGISTRY_HELPER_AUTH_TOKEN"),
               help="The auth token to use when accessing the registry helper micro-service.",
               config=True,
           )
@@ -117,6 +126,12 @@ binderhub:
                   return None
 
           async def get_credentials(self, image, tag):
+              """
+              Get the registry credentials for the given image and tag if supported
+              by the remote helper, otherwise returns None
+
+              Returns a dictionary of login fields.
+              """
               token_url = f"/token/{image}:{tag}"
               self.log.debug(f"Getting registry token: {token_url}")
               token_json = None
@@ -125,13 +140,16 @@ binderhub:
               except httpclient.HTTPError as e:
                   if e.code != 404:
                       raise
-              token = dict((k, v) for (k, v) in token_json.items() if k in ["username", "password", "registry"])
-              self.log.debug(f"Returning registry token: {token}")
+              self.log.debug(f"Token: {*token_json.keys(),}")
+              token = dict(
+                  (k, v)
+                  for (k, v) in token_json.items()
+                  if k in ["username", "password", "registry"]
+              )
               return token
 
+
       c.BinderHub.registry_class = ExternalRegistryHelper
-      c.ExternalRegistryHelper.service_url = "http://curvenote-binderhub-container-registry-helper:8080"
-      c.ExternalRegistryHelper.auth_token = "secret-token-use-existing-secret-instead"
 
   ingress:
     hosts:
@@ -312,8 +330,7 @@ priorityClasses:
 
 binderhub-container-registry-helper:
   enabled: true
-  auth_token: secret-token-use-existing-secret-instead
-  # auth_existing_secret_name:
+  # auth_token: Autogenerated
   replicaCount: 2
   serviceAccount:
     name: binderhub-container-registry-helper
diff --git a/mybinder/Chart.yaml b/mybinder/Chart.yaml
index e7c1ffd5ca..2d2903b513 100644
--- a/mybinder/Chart.yaml
+++ b/mybinder/Chart.yaml
@@ -67,6 +67,6 @@ dependencies:
   # Registry helper, used to create container repositories before pushing and to
   # fetch dynamic registry credentials
   - name: binderhub-container-registry-helper
-    version: 0.2.2
+    version: 0.2.3
     repository: oci://quay.io/manics/helm-charts
     condition: binderhub-container-registry-helper.enabled