diff --git a/lib/modules/datasource/docker/index.spec.ts b/lib/modules/datasource/docker/index.spec.ts
index 53ca35211df1f258f161bfff014d359798fabe79..10a417c0c215e7df5e35ad0d8b07a0b5c98749ef 100644
--- a/lib/modules/datasource/docker/index.spec.ts
+++ b/lib/modules/datasource/docker/index.spec.ts
@@ -545,6 +545,27 @@ describe('modules/datasource/docker/index', () => {
       expect(res).toBe('some-digest');
     });
 
+    it('supports token with no service', async () => {
+      httpMock
+        .scope(baseUrl)
+        .get('/')
+        .reply(401, '', {
+          'www-authenticate':
+            'Bearer realm="https://auth.docker.io/token",scope=""',
+        })
+        .head('/library/some-other-dep/manifests/8.0.0-alpine')
+        .reply(200, {}, { 'docker-content-digest': 'some-digest' });
+      httpMock
+        .scope(authUrl)
+        .get('/token?service=&scope=repository:library/some-other-dep:pull')
+        .reply(200, { access_token: 'test' });
+      const res = await getDigest(
+        { datasource: 'docker', depName: 'some-other-dep' },
+        '8.0.0-alpine'
+      );
+      expect(res).toBe('some-digest');
+    });
+
     it('supports scoped names', async () => {
       httpMock
         .scope(baseUrl)
diff --git a/lib/modules/datasource/docker/index.ts b/lib/modules/datasource/docker/index.ts
index cd8b62ea5031d7c3849e2f58f9e95407dda7029e..c1786ba836c9efe5a09a145017177b45f12e12e0 100644
--- a/lib/modules/datasource/docker/index.ts
+++ b/lib/modules/datasource/docker/index.ts
@@ -140,7 +140,6 @@ export async function getAuthHeaders(
     if (
       authenticateHeader.scheme.toUpperCase() !== 'BEARER' ||
       !is.string(authenticateHeader.params.realm) ||
-      !is.string(authenticateHeader.params.service) ||
       parseUrl(authenticateHeader.params.realm) === null
     ) {
       logger.trace(
@@ -159,7 +158,11 @@ export async function getAuthHeaders(
       scope = authenticateHeader.params.scope;
     }
 
-    const authUrl = `${authenticateHeader.params.realm}?service=${authenticateHeader.params.service}&scope=${scope}`;
+    let service = authenticateHeader.params.service;
+    if (!is.string(service)) {
+      service = '';
+    }
+    const authUrl = `${authenticateHeader.params.realm}?service=${service}&scope=${scope}`;
     logger.trace(
       { registryHost, dockerRepository, authUrl },
       `Obtaining docker registry token`