diff --git a/Sources/Core/Auth/AppConfig.swift b/Sources/Core/Auth/AppConfig.swift
index 980eae1..48842b7 100644
--- a/Sources/Core/Auth/AppConfig.swift
+++ b/Sources/Core/Auth/AppConfig.swift
@@ -14,10 +14,10 @@ enum AppConfig {
 
     static let manaAppConfig: ManaAppConfig = DefaultManaAppConfig(
         authBaseURL: URL(string: "https://auth.mana.how")!,
-        keychainService: "ev.mana.zitare",
+        keychainService: ManaSharedKeychainGroup,
         // Explizit auf TeamID.BundleID, statt nil. Vermeidet Logout
         // bei TestFlight-Cert-Drift (siehe mana-swift-core v1.5.1).
-        keychainAccessGroup: "QP3GLU8PH3.ev.mana.zitare",
+        keychainAccessGroup: ManaSharedKeychainGroup,
         appGroup: appGroup
     )
 
diff --git a/project.yml b/project.yml
index d10cb7e..7c222b1 100644
--- a/project.yml
+++ b/project.yml
@@ -100,7 +100,7 @@ targets:
         com.apple.security.network.client: true
         com.apple.security.files.user-selected.read-write: true
         keychain-access-groups:
-          - $(AppIdentifierPrefix)ev.mana.zitare
+          - $(AppIdentifierPrefix)ev.mana.session
         # Universal-Link-Domains:
         # - zitare.com ist die kanonische Production-Domain (steht
         #   auch im Manifest und im AASA-File auf zitare-com).
@@ -148,6 +148,8 @@ targets:
     entitlements:
       path: ShareExtension/Resources/ZitareShareExtension.entitlements
       properties:
+        keychain-access-groups:
+          - $(AppIdentifierPrefix)ev.mana.session
         com.apple.security.application-groups:
           - group.ev.mana.zitare
     settings:
@@ -178,6 +180,8 @@ targets:
     entitlements:
       path: Widgets/ZitareWidget/Resources/ZitareWidgetExtension.entitlements
       properties:
+        keychain-access-groups:
+          - $(AppIdentifierPrefix)ev.mana.session
         com.apple.security.application-groups:
           - group.ev.mana.zitare
     dependencies: