diff --git a/lib/modules/datasource/docker/common.ts b/lib/modules/datasource/docker/common.ts index 6f6b6cdb8fcdb1fbf7ee55c16c1339a9c1c478d1..5dc02fb40606002d6feebe7f062f70b9850d3f35 100644 --- a/lib/modules/datasource/docker/common.ts +++ b/lib/modules/datasource/docker/common.ts @@ -136,31 +136,33 @@ export async function getAuthHeaders( return opts.headers ?? null; } - let scope = `repository:${dockerRepository}:pull`; + const authUrl = new URL(`${authenticateHeader.params.realm}`); + // repo isn't known to server yet, so causing wrong scope `repository:user/image:pull` if ( is.string(authenticateHeader.params.scope) && !apiCheckUrl.endsWith('/v2/') ) { - scope = authenticateHeader.params.scope; + authUrl.searchParams.append('scope', authenticateHeader.params.scope); + } else { + authUrl.searchParams.append( + 'scope', + `repository:${dockerRepository}:pull` + ); } - let service = authenticateHeader.params.service; - if (is.string(service)) { - service = `service=${service}&`; - } else { - service = ``; + if (is.string(authenticateHeader.params.service)) { + authUrl.searchParams.append('service', authenticateHeader.params.service); } - const authUrl = `${authenticateHeader.params.realm}?${service}scope=${scope}`; logger.trace( - { registryHost, dockerRepository, authUrl }, + { registryHost, dockerRepository, authUrl: authUrl.href }, `Obtaining docker registry token` ); opts.noAuth = true; const authResponse = ( await http.getJson<{ token?: string; access_token?: string }>( - authUrl, + authUrl.href, opts ) ).body;
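Review bot: `new URL(`${authenticateHeader.params.realm}`)` parses a value taken from the registry's challenge header without checking it first, so a missing or relative realm now throws a `TypeError` on this line (the template literal turns an absent realm into the string `undefined`), where the old concatenation presumably only failed later inside the request. The realm also decides which host receives the token request made with `opts`, and nothing visible in the hunk restricts its scheme. I would guard before the parse, for example `if (!is.string(authenticateHeader.params.realm)) { return null; }`, and after it reject any `authUrl.protocol` other than `https:` unless the registry is explicitly configured as insecure, logging `registryHost` when that happens. The body of `getAuthHeaders` starts and ends outside the hunk, so an enclosing `try`/`catch` may already cover the throw; if it does, a one-line comment above the parse saying that a malformed realm is expected to throw there would be enough.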