Restrict acces token to pull-only access?

With the changing terms of service we are looking into having an account for pulling images. As we have our own solution for pushing private images, I’d like to prevent the credentials to be used for pushing and thereby creating a new registry. Of course we only configure things pulling from Docker, but I’d like to prevent (accidental) misuse by pushing images as a more strict barrier.

Is there a way to limit the access token to pulling only?