diff --git a/libssu/ssu.cpp b/libssu/ssu.cpp
index 30f6668..db5cf8b 100644
--- a/libssu/ssu.cpp
+++ b/libssu/ssu.cpp
@@ -79,11 +79,30 @@ QPair<QString, QString> Ssu::credentials(QString scope){
 
 QString Ssu::credentialsScope(QString repoName, bool rndRepo){
   SsuCoreConfig *settings = SsuCoreConfig::instance();
+  SsuSettings repoSettings(SSU_REPO_CONFIGURATION, QSettings::IniFormat);
 
   // hardcoded magic for doing special privileges store repositories
   if (repoName == "store" || repoName.startsWith("store-c-"))
     return "store";
 
+  // check if some repos are marked for using store-credentials
+  // in current domain, checking first for rnd/release specific
+  // settings, and if not found in generic settings
+  QString storeAuthReposKey = QString("store-auth-repos-%1")
+    .arg(rndRepo ? "rnd" : "release");
+  QStringList storeAuthRepos =
+    SsuVariables::variable(&repoSettings,
+                           domain() + "-domain",
+                           storeAuthReposKey).toStringList();
+  if (storeAuthRepos.empty())
+    storeAuthRepos =
+      SsuVariables::variable(&repoSettings,
+                             domain() + "-domain",
+                             "store-auth-repos").toStringList();
+
+  if (storeAuthRepos.contains(repoName))
+    return "store";
+
   return settings->credentialsScope(repoName, rndRepo);
 }
 
diff --git a/ssuurlresolver/ssuurlresolver.cpp b/ssuurlresolver/ssuurlresolver.cpp
index 6cb8381..7699829 100644
--- a/ssuurlresolver/ssuurlresolver.cpp
+++ b/ssuurlresolver/ssuurlresolver.cpp
@@ -125,12 +125,6 @@ void SsuUrlResolver::run(){
   } else
     ssuLog->print(LOG_DEBUG, "Device not registered -- skipping credential update");
 
-  if (repo == "store" || repo.startsWith("store-c-")){
-    ssu.updateStoreCredentials();
-    if (ssu.error())
-      error (ssu.lastError());
-  }
-
   // resolve base url
   resolvedUrl = ssu.repoUrl(repo, isRnd, repoParameters);
 
@@ -141,6 +135,15 @@ void SsuUrlResolver::run(){
     ssuLog->print(LOG_DEBUG, QString("Requesting credentials for '%1' with RND status %2...").arg(repo).arg(isRnd));
     QString credentialsScope = ssu.credentialsScope(repo, isRnd);
     if (!credentialsScope.isEmpty()){
+      // personal store repositories as well as the ones listed in the
+      // store-auth-repos domain setting use store credentials. Refresh
+      // here, as we only know after checking scope if we need to have
+      // store credentials at all
+      if (credentialsScope == "store"){
+        ssu.updateStoreCredentials();
+        if (ssu.error())
+          error (ssu.lastError());
+      }
       headerList.append(QString("credentials=%1").arg(credentialsScope));
       writeZyppCredentialsIfNeeded(credentialsScope);
     } else