diff --git a/auth/registry_jwt_auth.py b/auth/registry_jwt_auth.py
index fc06c3c85..d49a7cbcf 100644
--- a/auth/registry_jwt_auth.py
+++ b/auth/registry_jwt_auth.py
@@ -127,9 +127,11 @@ def get_auth_headers(repository=None, scopes=None):
                                                               realm_auth_path,
                                                               app.config['SERVER_HOSTNAME'])
   if repository:
-    authenticate += ',scope=repository:{0}'.format(repository)
+    scopes_string = "repository:{0}".format(repository)
     if scopes:
-      authenticate += ':' + ','.join(scopes)
+      scopes_string += ':' + ','.join(scopes)
+
+    authenticate += ',scope="{0}"'.format(scopes_string)
 
   headers['WWW-Authenticate'] = authenticate
   headers['Docker-Distribution-API-Version'] = 'registry/2.0'
diff --git a/test/registry_tests.py b/test/registry_tests.py
index 120d5b8be..b9d4d8212 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -1327,6 +1327,13 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix
 class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMixin,
                       RegistryTestCaseMixin, LiveServerTestCase):
   """ Tests for V2 registry. """
+  def test_proper_auth_response(self):
+    response = self.conduct('GET', '/v2/devtable/doesnotexist/tags/list', auth='jwt',
+                            expected_code=401)
+    self.assertIn('WWW-Authenticate', response.headers)
+    self.assertIn('scope="repository:devtable/doesnotexist:pull"',
+                  response.headers['WWW-Authenticate'])
+
   def test_parent_misordered(self):
     images = [
       {
@@ -1711,6 +1718,8 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
 
     # Assert 401s to non-auth endpoints also get the WWW-Authenticate header.
     self.assertIn('WWW-Authenticate', response.headers)
+    self.assertIn('scope="repository:devtable/doesnotexist:pull"',
+                  response.headers['WWW-Authenticate'])
 
   def test_one_five_blacklist(self):
     self.conduct('GET', '/v2/', expected_code=404, user_agent='Go 1.1 package http')
@@ -1735,7 +1744,7 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
     self.assertIsNotNone(response.headers.get('Link'))
 
     # Request with the next link.
-    link_url = response.headers.get('Link').split(';')[0]
+    link_url = response.headers.get('Link')[1:].split(';')[0][:-1]
     v2_index = link_url.find('/v2/')
     relative_url = link_url[v2_index:]