diff --git a/pkg/depsolvednf/depsolvednf.go b/pkg/depsolvednf/depsolvednf.go
index 46c6e791e5..41743ca1c9 100644
--- a/pkg/depsolvednf/depsolvednf.go
+++ b/pkg/depsolvednf/depsolvednf.go
@@ -506,11 +506,13 @@ func validatePackageSetRepoChain(pkgSets []rpmmd.PackageSet) error {
 }
 
 // validateSubscriptionsForRepos checks that RHSM subscriptions are available
-// for any repositories that require them.
+// for any repositories that require them. Repositories with RHUI set to true
+// are skipped since they use cloud instance identity for authentication
+// instead of RHSM entitlement certificates.
 func validateSubscriptionsForRepos(pkgSets []rpmmd.PackageSet, haveSubscriptions bool, subsErr error) error {
 	for _, ps := range pkgSets {
 		for _, repo := range ps.Repositories {
-			if repo.RHSM && !haveSubscriptions {
+			if repo.RHSM && !repo.RHUI && !haveSubscriptions {
 				return fmt.Errorf("This system does not have any valid subscriptions. Subscribe it before specifying rhsm: true in sources (error details: %w)", subsErr)
 			}
 		}
diff --git a/pkg/depsolvednf/v2.go b/pkg/depsolvednf/v2.go
index 848613efd9..ed60013f74 100644
--- a/pkg/depsolvednf/v2.go
+++ b/pkg/depsolvednf/v2.go
@@ -47,6 +47,7 @@ type v2Repository struct {
 	MetadataExpire string `json:"metadata_expire,omitempty"`
 	ModuleHotfixes *bool  `json:"module_hotfixes,omitempty"`
 	RHSM           bool   `json:"rhsm,omitempty"`
+	RHUI           bool   `json:"rhui,omitempty"`
 }
 
 // v2Package represents an RPM package with full metadata.
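Review bot: A repository that sets both rhsm and rhui now bypasses the subscription check silently, because the new condition only requires `!repo.RHUI` and never reports the contradictory configuration. The two flags select different host credential locations (RHUI reads from /etc/pki/rhui/ per the v2.go comment in this same commit), so a repo definition carrying both is most likely a mistake and is better rejected here with an actionable message than resolved by if/else precedence deep in the solver, e.g. `if repo.RHSM && repo.RHUI { return fmt.Errorf("a repository must not set both rhsm: true and rhui: true") }` placed before the existing check. The function's closing lines are outside the hunk.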
@@ -429,7 +430,12 @@ func (h *v2Handler) reposFromRPMMD(cfg *solverConfig, rpmRepos []rpmmd.RepoConfi
 			dr.SSLVerify = common.ToPtr(!*rr.IgnoreSSL)
 		}
 
-		if rr.RHSM {
+		if rr.RHUI {
+			// RHUI repos delegate secret discovery to osbuild-depsolve-dnf.
+			// The Python solver reads the host RHUI repo files and discovers
+			// SSL certs from /etc/pki/rhui/ directly.
+			dr.RHUI = true
+		} else if rr.RHSM {
 			// TODO: Enable V2 RHSM secrets discovery by setting dr.RHSM = true
 			// and removing the client-side secrets resolution below.
 			// This requires functional testing to ensure RHSM secrets discovery
@@ -539,9 +545,14 @@ func (h *v2Handler) toRPMMDPackage(pkg v2Package, repo *rpmmd.RepoConfig) (rpmmd
 		rpmPkg.IgnoreSSL = *repo.IgnoreSSL
 	}
 
-	// Set mTLS secrets if SSLClientKey is set.
-	// The Solver will override secrets to 'org.osbuild.rhsm' if the repo needs RHSM secrets.
-	if repo.SSLClientKey != "" {
+	// Set secrets based on the repository's authentication type.
+	// The solver response includes rhui/rhsm flags indicating which
+	// secrets provider to use for packages from this repo.
+	if repo.RHUI {
+		rpmPkg.Secrets = "org.osbuild.rhui"
+	} else if repo.RHSM {
+		rpmPkg.Secrets = "org.osbuild.rhsm"
+	} else if repo.SSLClientKey != "" {
 		rpmPkg.Secrets = "org.osbuild.mtls"
 	}
 
@@ -604,6 +615,7 @@ func (h *v2Handler) toRPMMDRepoConfig(repo v2Repository) rpmmd.RepoConfig {
 		SSLClientKey:   repo.SSLClientKey,
 		SSLClientCert:  repo.SSLClientCert,
 		RHSM:           repo.RHSM,
+		RHUI:           repo.RHUI,
 	}
 }
 
diff --git a/pkg/osbuild/curl_source.go b/pkg/osbuild/curl_source.go
index 32f1c9e1d4..c59a2014a1 100644
--- a/pkg/osbuild/curl_source.go
+++ b/pkg/osbuild/curl_source.go
@@ -45,6 +45,10 @@ func NewCurlPackageItem(pkg rpmmd.Package) (CurlSourceItem, error) {
 		item.Secrets = &URLSecrets{
 			Name: "org.osbuild.rhsm",
 		}
+	case "org.osbuild.rhui":
+		item.Secrets = &URLSecrets{
+			Name: "org.osbuild.rhui",
+		}
 	case "org.osbuild.mtls":
 		item.Secrets = &URLSecrets{
 			Name: "org.osbuild.mtls",
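Review bot: The RHUI branch leaves all credential discovery to the external solver, so an `rhui: true` repository on a host that has no /etc/pki/rhui/ certificates will only fail inside osbuild-depsolve-dnf, whereas the RHSM case is rejected up front by validateSubscriptionsForRepos with an actionable message. Consider an equivalent early check on the client side, or at least make the asymmetry explicit in the new comment, e.g. `// No client-side check: a missing /etc/pki/rhui/ surfaces as a solver error, not here.` Note also that when rr.RHUI and rr.RHSM are both true the RHUI branch wins silently, which the comment does not say. reposFromRPMMD begins and ends outside the hunk, so whether the client-side RHSM resolution below has any RHUI counterpart cannot be confirmed from here.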
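Review bot: The new if/else chain changes which secrets provider an RHSM repository that also carries an SSLClientKey receives — it now always gets `org.osbuild.rhsm`, where the removed comment said the solver was responsible for that override — and the resulting precedence rhui > rhsm > mTLS is only implied by statement order. If the solver still performs its own override, the two sides could disagree on a package's provider; whichever is intended, the comment should state the ordering: `// Precedence: rhui, then rhsm, then mTLS via SSLClientKey; the rhui/rhsm flags are echoed back in the solver response.` toRPMMDPackage's signature and return are outside the hunk.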
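Review bot: The provider name `"org.osbuild.rhui"` is spelled as a bare string literal both here and in toRPMMDPackage in pkg/depsolvednf/v2.go, as `"org.osbuild.rhsm"` and `"org.osbuild.mtls"` already are, so a typo on one side would not be caught by the compiler and would fall through to whatever the switch's default case does. A single exported constant in pkg/osbuild, e.g. `const SecretsRHUI = "org.osbuild.rhui"`, used by both packages would make the contract checkable. The default branch of this switch is outside the hunk, so whether an unknown name errors or is silently ignored cannot be confirmed from here.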
diff --git a/pkg/rpmmd/repository.go b/pkg/rpmmd/repository.go
index f1df82eab6..1108748032 100644
--- a/pkg/rpmmd/repository.go
+++ b/pkg/rpmmd/repository.go
@@ -24,6 +24,7 @@ type repository struct {
 	CheckGPG       bool     `json:"check_gpg,omitempty"`
 	IgnoreSSL      bool     `json:"ignore_ssl,omitempty"`
 	RHSM           bool     `json:"rhsm,omitempty"`
+	RHUI           bool     `json:"rhui,omitempty"`
 	ModuleHotfixes *bool    `json:"module_hotfixes,omitempty"`
 	MetadataExpire string   `json:"metadata_expire,omitempty"`
 	ImageTypeTags  []string `json:"image_type_tags,omitempty"`
@@ -83,6 +84,7 @@ type RepoConfig struct {
 	MetadataExpire string   `json:"metadata_expire,omitempty"`
 	ModuleHotfixes *bool    `json:"module_hotfixes,omitempty"`
 	RHSM           bool     `json:"rhsm,omitempty"`
+	RHUI           bool     `json:"rhui,omitempty"`
 	Enabled        *bool    `json:"enabled,omitempty"`
 	ImageTypeTags  []string `json:"image_type_tags,omitempty"`
 	PackageSets    []string `json:"package_sets,omitempty"`
@@ -119,6 +121,7 @@ func (r *RepoConfig) Hash() string {
 		bpts(r.IgnoreSSL)+
 		r.MetadataExpire+
 		bts(r.RHSM)+
+		bts(r.RHUI)+
 		bpts(r.ModuleHotfixes)+
 		r.SSLCACert+
 		r.SSLClientKey+
@@ -164,6 +167,7 @@ func LoadRepositoriesFromReader(r io.Reader) (map[string][]RepoConfig, error) {
 			GPGKeys:        keys,
 			CheckGPG:       &repo.CheckGPG,
 			RHSM:           repo.RHSM,
+			RHUI:           repo.RHUI,
 			MetadataExpire: repo.MetadataExpire,
 			ModuleHotfixes: repo.ModuleHotfixes,
 			ImageTypeTags:  repo.ImageTypeTags,
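Review bot: The new RHUI field on RepoConfig has no comment, and its security effect is not obvious from the name: judging by the depsolvednf changes in this commit, `rhui: true` on a loaded repository definition makes the host's RHUI client certificates from /etc/pki/rhui/ be used for that repo's URLs and suppresses the RHSM subscription check. A field comment along the lines of `// RHUI selects the host's RHUI (cloud instance) client certificates for this repo and bypasses the RHSM subscription check; set only on trusted repository definitions.` would tell a maintainer what enabling the flag actually grants. Folding it into Hash() in the following hunk is correct, since two configs differing only in this flag must not share a cache entry.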