diff --git a/registry/handlers/app.go b/registry/handlers/app.go
index 46c5f4ba2d7..00119d3cfd9 100644
--- a/registry/handlers/app.go
+++ b/registry/handlers/app.go
@@ -847,6 +847,10 @@ func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Cont
 			if err := errcode.ServeJSON(w, errcode.ErrorCodeUnauthorized.WithDetail(accessRecords)); err != nil {
 				dcontext.GetLogger(context).Errorf("error serving error json: %v (from %v)", err, context.Errors)
 			}
+		case errcode.Error:
+			if err := errcode.ServeJSON(w, err); err != nil {
+				dcontext.GetLogger(context).Errorf("error serving error json: %v (from %v)", err, context.Errors)
+			}
 		default:
 			// This condition is a potential security problem either in
 			// the configuration or whatever is backing the access
diff --git a/registry/handlers/manifests.go b/registry/handlers/manifests.go
index e5815f3d021..1a166791ba2 100644
--- a/registry/handlers/manifests.go
+++ b/registry/handlers/manifests.go
@@ -323,7 +323,13 @@ func (imh *manifestHandler) PutManifest(w http.ResponseWriter, r *http.Request)
 		tags := imh.Repository.Tags(imh)
 		err = tags.Tag(imh, imh.Tag, desc)
 		if err != nil {
-			imh.Errors = append(imh.Errors, errcode.ErrorCodeUnknown.WithDetail(err))
+			switch err := err.(type) {
+			case errcode.Error:
+				imh.Errors = append(imh.Errors, err)
+			default:
+				imh.Errors = append(imh.Errors, errcode.ErrorCodeUnknown.WithDetail(err))
+			}
+
 			return
 		}