New translations en-us.json (Spanish)

New translations en-us.json (Norwegian Bokmal)
New translations en-us.json (Chinese Simplified)
2026-03-20 01:26:37 +00:00 · 2026-03-19 14:39:09 -07:00 · 2026-03-19 14:39:07 -07:00 · 2026-03-19 14:39:06 -07:00 · 2026-03-19 14:39:04 -07:00 · 2026-03-19 14:39:03 -07:00
78 changed files with 2655 additions and 1042 deletions
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
    "resourceRaw": "Суров TCP/UDP ресурс",
    "resourceRawDescription": "Прокси заявки чрез сурови TCP/UDP, използвайки порт номер.",
-    "resourceRawDescriptionCloud": "Прокси заявките през суров TCP/UDP, използвайки номер на порт. ИЗИСКВА ИЗПОЛЗВАНЕ НА ОТДАЛЕЧЕН УЗЕЛ.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Създайте ресурс",
    "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
    "resourceSeeAll": "Вижте всички ресурси",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Име на пространство: {namespace}",
    "domainPickerShowMore": "Покажи повече",
    "regionSelectorTitle": "Избор на регион",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Изборът на регион ни помага да предоставим по-добра производителност за вашето местоположение. Не е необходимо да сте в същия регион като сървъра.",
    "regionSelectorPlaceholder": "Изберете регион",
    "regionSelectorComingSoon": "Очаква се скоро",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Край на следващата година",
    "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
    "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
-    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "Необходимо е <enterpriseEditionLink>изданието Enterprise</enterpriseEditionLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Решавач на сертификати",
    "certResolverDescription": "Изберете решавач на сертификати за използване за този ресурс.",
    "selectCertResolver": "Изберете решавач на сертификати",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Активирайте одобрения на устройства",
    "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
    "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
-    "approvalsEmptyStateButtonText": "Управлявайте роли"
+    "approvalsEmptyStateButtonText": "Управлявайте роли",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
    "resourceRaw": "Surový TCP/UDP zdroj",
    "resourceRawDescription": "Proxy požadavky přes nezpracovaný TCP/UDP pomocí čísla portu.",
-    "resourceRawDescriptionCloud": "Požadavky na proxy přes syrové TCP/UDP pomocí portového čísla. ŽÁDOSTI POUŽÍVAT POUŽITÍ Z REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Vytvořit zdroj",
    "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
    "resourceSeeAll": "Zobrazit všechny zdroje",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Jmenný prostor: {namespace}",
    "domainPickerShowMore": "Zobrazit více",
    "regionSelectorTitle": "Vybrat region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Výběr regionu nám pomáhá poskytovat lepší výkon pro vaši polohu. Nemusíte být ve stejném regionu jako váš server.",
    "regionSelectorPlaceholder": "Vyberte region",
    "regionSelectorComingSoon": "Již brzy",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Konec následujícího roku",
    "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
    "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
-    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Tato funkce je také dostupná v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Oddělovač certifikátů",
    "certResolverDescription": "Vyberte řešitele certifikátů pro tento dokument.",
    "selectCertResolver": "Vyberte řešič certifikátů",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Povolit schválení zařízení",
    "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
    "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
-    "approvalsEmptyStateButtonText": "Spravovat role"
+    "approvalsEmptyStateButtonText": "Spravovat role",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
    "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
    "resourceRawDescription": "Proxy-Anfragen über rohes TCP/UDP mit einer Portnummer.",
-    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit einer Portnummer. Erfordert die NUTZUNG eines REMOTE Knotens.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Ressource erstellen",
    "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
    "resourceSeeAll": "Alle Ressourcen anzeigen",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mehr anzeigen",
    "regionSelectorTitle": "Region auswählen",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Das Auswählen einer Region hilft uns, eine bessere Leistung für Ihren Standort bereitzustellen. Sie müssen sich nicht in derselben Region wie Ihr Server befinden.",
    "regionSelectorPlaceholder": "Wähle eine Region",
    "regionSelectorComingSoon": "Kommt bald",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
    "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
    "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
-    "licenseRequiredToUse": "Um diese Funktion nutzen zu können, ist eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
-    "ossEnterpriseEditionRequired": "Um diese Funktion nutzen zu können, ist die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Zertifikatsauflöser",
    "certResolverDescription": "Wählen Sie den Zertifikatslöser aus, der für diese Ressource verwendet werden soll.",
    "selectCertResolver": "Zertifikatsauflöser auswählen",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Gerätegenehmigungen aktivieren",
    "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
    "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
-    "approvalsEmptyStateButtonText": "Rollen verwalten"
+    "approvalsEmptyStateButtonText": "Rollen verwalten",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
    "resourceRawDescription": "Proxy requests over raw TCP/UDP using a port number.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. REQUIRES THE USE OF A REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
    "resourceSeeAll": "See All Resources",
@@ -1427,6 +1427,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Show More",
    "regionSelectorTitle": "Select Region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Selecting a region helps us provide better performance for your location. You do not have to be in the same region as your server.",
    "regionSelectorPlaceholder": "Choose a region",
    "regionSelectorComingSoon": "Coming Soon",
@@ -2681,5 +2682,6 @@
    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "approvalsEmptyStateButtonText": "Manage Roles",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
    "resourceRaw": "Recurso TCP/UDP sin procesar",
    "resourceRawDescription": "Proxy proporciona solicitudes sobre TCP/UDP usando un número de puerto.",
-    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. REQUIERE EL USO DE UN NODO REMOTE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Crear Recurso",
    "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
    "resourceSeeAll": "Ver todos los recursos",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Espacio de nombres: {namespace}",
    "domainPickerShowMore": "Mostrar más",
    "regionSelectorTitle": "Seleccionar Región",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Seleccionar una región nos ayuda a brindar un mejor rendimiento para tu ubicación. No tienes que estar en la misma región que tu servidor.",
    "regionSelectorPlaceholder": "Elige una región",
    "regionSelectorComingSoon": "Próximamente",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fin del año siguiente",
    "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
    "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
-    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> para utilizar esta función. Esta característica también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>versión Enterprise</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Resolver certificado",
    "certResolverDescription": "Seleccione la resolución de certificados a utilizar para este recurso.",
    "selectCertResolver": "Seleccionar Resolver Certificado",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Habilitar aprobaciones de dispositivo",
    "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
    "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
-    "approvalsEmptyStateButtonText": "Administrar roles"
+    "approvalsEmptyStateButtonText": "Administrar roles",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
    "resourceRaw": "Ressource TCP/UDP brute",
    "resourceRawDescription": "Proxy les demandes sur TCP/UDP brut en utilisant un numéro de port.",
-    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. REQUISE L'UTILISATION D'UN Nœud DE REMOTE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Créer une ressource",
    "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
    "resourceSeeAll": "Voir toutes les ressources",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Espace de noms : {namespace}",
    "domainPickerShowMore": "Afficher plus",
    "regionSelectorTitle": "Sélectionner Région",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Sélectionner une région nous aide à offrir de meilleures performances pour votre localisation. Vous n'avez pas besoin d'être dans la même région que votre serveur.",
    "regionSelectorPlaceholder": "Choisissez une région",
    "regionSelectorComingSoon": "Bientôt disponible",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
    "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
    "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
-    "licenseRequiredToUse": "Une licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> est nécessaire pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Résolveur de certificat",
    "certResolverDescription": "Sélectionnez le solveur de certificat à utiliser pour cette ressource.",
    "selectCertResolver": "Sélectionnez le résolveur de certificat",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Activer les autorisations de l'appareil",
    "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
    "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
-    "approvalsEmptyStateButtonText": "Gérer les rôles"
+    "approvalsEmptyStateButtonText": "Gérer les rôles",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
    "resourceRaw": "Risorsa Raw TCP/UDP",
    "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
-    "resourceRawDescriptionCloud": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta. RICHIEDE L'USO DI UN NODO REMOTO.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Crea Risorsa",
    "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
    "resourceSeeAll": "Vedi Tutte Le Risorse",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mostra Altro",
    "regionSelectorTitle": "Seleziona regione",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Selezionare una regione ci aiuta a fornire migliori performance per la tua posizione. Non devi necessariamente essere nella stessa regione del tuo server.",
    "regionSelectorPlaceholder": "Scegli una regione",
    "regionSelectorComingSoon": "Prossimamente",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
    "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
    "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
-    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Risolutore Di Certificato",
    "certResolverDescription": "Selezionare il risolutore di certificati da usare per questa risorsa.",
    "selectCertResolver": "Seleziona Risolutore Di Certificato",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Abilita Approvazioni Dispositivo",
    "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
    "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
-    "approvalsEmptyStateButtonText": "Gestisci Ruoli"
+    "approvalsEmptyStateButtonText": "Gestisci Ruoli",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
    "resourceRaw": "원시 TCP/UDP 리소스",
    "resourceRawDescription": "포트 번호를 사용하여 RAW TCP/UDP로 요청을 프록시합니다.",
-    "resourceRawDescriptionCloud": "원시 TCP/UDP를 포트 번호를 사용하여 프록시 요청합니다. 원격 노드 사용이 필요합니다.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "리소스 생성",
    "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
    "resourceSeeAll": "모든 리소스 보기",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "이름 공간: {namespace}",
    "domainPickerShowMore": "더보기",
    "regionSelectorTitle": "지역 선택",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "지역을 선택하면 위치에 따라 더 나은 성능이 제공됩니다. 서버와 같은 지역에 있을 필요는 없습니다.",
    "regionSelectorPlaceholder": "지역 선택",
    "regionSelectorComingSoon": "곧 출시 예정",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "다음 연도 말",
    "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
    "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
-    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
-    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "인증서 해결사",
    "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
    "selectCertResolver": "인증서 해결사 선택",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "장치 승인 활성화",
    "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
    "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
-    "approvalsEmptyStateButtonText": "역할 관리"
+    "approvalsEmptyStateButtonText": "역할 관리",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
    "resourceRaw": "Rå TCP/UDP-ressurs",
    "resourceRawDescription": "Proxy forespørsler over rå TCP/UDP ved å bruke et portnummer.",
-    "resourceRawDescriptionCloud": "Proxy ber om et portnummer. Om du vil bruke et sportsnummer.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Opprett ressurs",
    "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
    "resourceSeeAll": "Se alle ressurser",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Navnerom: {namespace}",
    "domainPickerShowMore": "Vis mer",
    "regionSelectorTitle": "Velg Region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Å velge en region hjelper oss med å gi bedre ytelse for din lokasjon. Du trenger ikke være i samme region som serveren.",
    "regionSelectorPlaceholder": "Velg en region",
    "regionSelectorComingSoon": "Kommer snart",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Slutt på neste år",
    "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
    "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
-    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens er påkrevd for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Sertifikat løser",
    "certResolverDescription": "Velg sertifikatløser som skal brukes for denne ressursen.",
    "selectCertResolver": "Velg sertifikatløser",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Aktiver enhetsgodkjenninger",
    "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
    "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
-    "approvalsEmptyStateButtonText": "Administrer Roller"
+    "approvalsEmptyStateButtonText": "Administrer Roller",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
    "resourceRaw": "TCP/UDP bron",
    "resourceRawDescription": "Proxyverzoeken via ruwe TCP/UDP met een poortnummer.",
-    "resourceRawDescriptionCloud": "Proxy vraagt om onbewerkte TCP/UDP met behulp van een poortnummer. VEREIST HET GEBRUIK VAN EEN AFSTANDSBEDIENING NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Bron maken",
    "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
    "resourceSeeAll": "Alle bronnen bekijken",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Naamruimte: {namespace}",
    "domainPickerShowMore": "Meer weergeven",
    "regionSelectorTitle": "Selecteer Regio",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Het selecteren van een regio helpt ons om betere prestaties te leveren voor uw locatie. U hoeft niet in dezelfde regio als uw server te zijn.",
    "regionSelectorPlaceholder": "Kies een regio",
    "regionSelectorComingSoon": "Komt binnenkort",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
    "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
    "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
-    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Certificaat Resolver",
    "certResolverDescription": "Selecteer de certificaat resolver die moet worden gebruikt voor deze resource.",
    "selectCertResolver": "Certificaat Resolver selecteren",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Toestel goedkeuringen inschakelen",
    "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
    "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
-    "approvalsEmptyStateButtonText": "Rollen beheren"
+    "approvalsEmptyStateButtonText": "Rollen beheren",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
    "resourceRaw": "Surowy zasób TCP/UDP",
    "resourceRawDescription": "Proxy zapytań przez surowe TCP/UDP przy użyciu numeru portu.",
-    "resourceRawDescriptionCloud": "Proxy żądania przesyłania danych nad surowym TCP/UDP przy użyciu numeru portu. Wymaga UŻYTKOWANIA PALIWA węzła.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Utwórz zasób",
    "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
    "resourceSeeAll": "Zobacz wszystkie zasoby",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Przestrzeń nazw: {namespace}",
    "domainPickerShowMore": "Pokaż więcej",
    "regionSelectorTitle": "Wybierz region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Wybór regionu pomaga nam zapewnić lepszą wydajność dla Twojej lokalizacji. Nie musisz być w tym samym regionie co Twój serwer.",
    "regionSelectorPlaceholder": "Wybierz region",
    "regionSelectorComingSoon": "Wkrótce dostępne",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Koniec następnego roku",
    "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
    "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
-    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Rozwiązywanie certyfikatów",
    "certResolverDescription": "Wybierz resolver certyfikatów do użycia dla tego zasobu.",
    "selectCertResolver": "Wybierz Resolver certyfikatów",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Włącz zatwierdzanie urządzenia",
    "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
    "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
-    "approvalsEmptyStateButtonText": "Zarządzaj rolami"
+    "approvalsEmptyStateButtonText": "Zarządzaj rolami",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
    "resourceRaw": "Recurso TCP/UDP bruto",
    "resourceRawDescription": "Proxies solicitações sobre TCP/UDP bruto usando um número de porta.",
-    "resourceRawDescriptionCloud": "Proxy solicita sobre TCP/UDP bruto usando um número de porta. OBRIGATÓRIO O USO DE UMA NOTA REMOTA.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Criar Recurso",
    "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
    "resourceSeeAll": "Ver todos os recursos",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mostrar Mais",
    "regionSelectorTitle": "Selecionar Região",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Selecionar uma região nos ajuda a fornecer melhor desempenho para sua localização. Você não precisa estar na mesma região que seu servidor.",
    "regionSelectorPlaceholder": "Escolher uma região",
    "regionSelectorComingSoon": "Em breve",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
    "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
    "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
-    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> é necessária para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Resolvedor de Certificado",
    "certResolverDescription": "Selecione o resolvedor de certificados para este recurso.",
    "selectCertResolver": "Selecionar solucionador de certificado",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Habilitar Aprovações do Dispositivo",
    "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
    "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
-    "approvalsEmptyStateButtonText": "Gerir Funções"
+    "approvalsEmptyStateButtonText": "Gerir Funções",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
    "resourceRaw": "Сырой TCP/UDP-ресурс",
    "resourceRawDescription": "Проксировать запросы по сырому TCP/UDP с использованием номера порта.",
-    "resourceRawDescriptionCloud": "Прокси-запросы через необработанный TCP/UDP с использованием номера порта. ТРЕБУЕТЕСЬ ИСПОЛЬЗОВАТЬ НЕОБХОДИМЫ.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Создание ресурса",
    "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
    "resourceSeeAll": "Посмотреть все ресурсы",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Пространство имен: {namespace}",
    "domainPickerShowMore": "Показать еще",
    "regionSelectorTitle": "Выберите регион",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Выбор региона помогает нам обеспечить лучшее качество обслуживания для вашего расположения. Вам необязательно находиться в том же регионе, что и ваш сервер.",
    "regionSelectorPlaceholder": "Выбор региона",
    "regionSelectorComingSoon": "Скоро будет",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Конец следующего года",
    "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
    "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
-    "licenseRequiredToUse": "Лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "Для использования этой функции требуется <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink>. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Резольвер сертификата",
    "certResolverDescription": "Выберите резолвер сертификата, который будет использоваться для этого ресурса.",
    "selectCertResolver": "Выберите резолвер сертификата",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Включить утверждения устройства",
    "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
    "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
-    "approvalsEmptyStateButtonText": "Управление ролями"
+    "approvalsEmptyStateButtonText": "Управление ролями",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
    "resourceRaw": "Ham TCP/UDP Kaynağı",
    "resourceRawDescription": "Port numarası kullanarak ham TCP/UDP üzerinden proxy isteklerini yönlendirin.",
-    "resourceRawDescriptionCloud": "Bir port numarası kullanarak ham TCP/UDP üzerinden istekleri proxy ile yönlendirin. UZAKTAN BİR DÜĞÜM KULLANIMINI GEREKTİRİR.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Kaynak Oluştur",
    "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
    "resourceSeeAll": "Tüm Kaynakları Gör",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Ad Alanı: {namespace}",
    "domainPickerShowMore": "Daha Fazla Göster",
    "regionSelectorTitle": "Bölge Seç",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Bir bölge seçmek, konumunuz için daha iyi performans sağlamamıza yardımcı olur. Sunucunuzla aynı bölgede olmanıza gerek yoktur.",
    "regionSelectorPlaceholder": "Bölge Seçin",
    "regionSelectorComingSoon": "Yakında Geliyor",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
    "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
    "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
-    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
-    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Sertifika Çözücü",
    "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
    "selectCertResolver": "Sertifika Çözücü Seçin",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Cihaz Onaylarını Etkinleştir",
    "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
    "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
-    "approvalsEmptyStateButtonText": "Rolleri Yönet"
+    "approvalsEmptyStateButtonText": "Rolleri Yönet",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
    "resourceRaw": "TCP/UDP 资源",
    "resourceRawDescription": "通过使用端口号的原始TCP/UDP代理请求。",
-    "resourceRawDescriptionCloud": "正在使用端口号的 TCP/UDP 代理请求。请使用一个REMOTE",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "创建资源",
    "resourceCreateDescription": "按照下面的步骤创建新资源",
    "resourceSeeAll": "查看所有资源",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "命名空间：{namespace}",
    "domainPickerShowMore": "显示更多",
    "regionSelectorTitle": "选择区域",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be availble on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "选择区域以帮助提升您所在地的性能。您不必与服务器在相同的区域。",
    "regionSelectorPlaceholder": "选择一个区域",
    "regionSelectorComingSoon": "即将推出",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "下一年结束",
    "actionLogsDescription": "查看此机构执行的操作历史",
    "accessLogsDescription": "查看此机构资源的访问认证请求",
-    "licenseRequiredToUse": "需要 <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> 许可才能使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 需要使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "证书解决器",
    "certResolverDescription": "选择用于此资源的证书解析器。",
    "selectCertResolver": "选择证书解析",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "启用设备批准",
    "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
    "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
-    "approvalsEmptyStateButtonText": "管理角色"
+    "approvalsEmptyStateButtonText": "管理角色",
+    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/package-lock.json
+++ b/package-lock.json
@@ -16773,7 +16773,8 @@
        "node_modules/postal-mime": {
            "version": "2.7.3",
            "resolved": "https://registry.npmjs.org/postal-mime/-/postal-mime-2.7.3.tgz",
-            "integrity": "sha512-MjhXadAJaWgYzevi46+3kLak8y6gbg0ku14O1gO/LNOuay8dO+1PtcSGvAdgDR0DoIsSaiIA8y/Ddw6MnrO0Tw=="
+            "integrity": "sha512-MjhXadAJaWgYzevi46+3kLak8y6gbg0ku14O1gO/LNOuay8dO+1PtcSGvAdgDR0DoIsSaiIA8y/Ddw6MnrO0Tw==",
+            "license": "MIT-0"
        },
        "node_modules/postcss": {
            "version": "8.5.6",
@@ -17814,6 +17815,7 @@
            "version": "6.9.2",
            "resolved": "https://registry.npmjs.org/resend/-/resend-6.9.2.tgz",
            "integrity": "sha512-uIM6CQ08tS+hTCRuKBFbOBvHIGaEhqZe8s4FOgqsVXSbQLAhmNWpmUhG3UAtRnmcwTWFUqnHa/+Vux8YGPyDBA==",
+            "license": "MIT",
            "dependencies": {
                "postal-mime": "2.7.3",
                "svix": "1.84.1"
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,6 +1,10 @@
+import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";

 async function cleanup() {
+    await flushBandwidthToDb();
+    await flushSiteBandwidthToDb();
    await wsCleanup();

    process.exit(0);
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -22,7 +22,8 @@ export const domains = pgTable("domains", {
    tries: integer("tries").notNull().default(0),
    certResolver: varchar("certResolver"),
    customCertResolver: varchar("customCertResolver"),
-    preferWildcardCert: boolean("preferWildcardCert")
+    preferWildcardCert: boolean("preferWildcardCert"),
+    errorMessage: text("errorMessage")
 });

 export const dnsRecords = pgTable("dnsRecords", {
@@ -88,6 +89,7 @@ export const sites = pgTable("sites", {
    lastBandwidthUpdate: varchar("lastBandwidthUpdate"),
    type: varchar("type").notNull(), // "newt" or "wireguard"
    online: boolean("online").notNull().default(false),
+    lastPing: integer("lastPing"),
    address: varchar("address"),
    endpoint: varchar("endpoint"),
    publicKey: varchar("publicKey"),
@@ -720,6 +722,7 @@ export const clientSitesAssociationsCache = pgTable(
            .notNull(),
        siteId: integer("siteId").notNull(),
        isRelayed: boolean("isRelayed").notNull().default(false),
+        isJitMode: boolean("isJitMode").notNull().default(false),
        endpoint: varchar("endpoint"),
        publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -13,7 +13,8 @@ export const domains = sqliteTable("domains", {
    failed: integer("failed", { mode: "boolean" }).notNull().default(false),
    tries: integer("tries").notNull().default(0),
    certResolver: text("certResolver"),
-    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" })
+    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" }),
+    errorMessage: text("errorMessage")
 });

 export const dnsRecords = sqliteTable("dnsRecords", {
@@ -89,6 +90,7 @@ export const sites = sqliteTable("sites", {
    lastBandwidthUpdate: text("lastBandwidthUpdate"),
    type: text("type").notNull(), // "newt" or "wireguard"
    online: integer("online", { mode: "boolean" }).notNull().default(false),
+    lastPing: integer("lastPing"),

    // exit node stuff that is how to connect to the site when it has a wg server
    address: text("address"), // this is the address of the wireguard interface in newt
@@ -409,6 +411,9 @@ export const clientSitesAssociationsCache = sqliteTable(
        isRelayed: integer("isRelayed", { mode: "boolean" })
            .notNull()
            .default(false),
+        isJitMode: integer("isJitMode", { mode: "boolean" })
+            .notNull()
+            .default(false),
        endpoint: text("endpoint"),
        publicKey: text("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -107,7 +107,7 @@ export async function applyBlueprint({
                            [target],
                            matchingHealthcheck ? [matchingHealthcheck] : [],
                            result.proxyResource.protocol,
-                            result.proxyResource.proxyPort
+                            site.newt.version
                        );
                    }
                }
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -4,8 +4,12 @@ import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/log
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
 import { gt, or } from "drizzle-orm";
 import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";
+import { build } from "@server/build";

 export function initLogCleanupInterval() {
+    if (build == "saas") { // skip log cleanup for saas builds
+        return null;
+    }
    return setInterval(
        async () => {
            const orgsToClean = await db
--- a/server/lib/clientVersionChecks.ts
+++ b/server/lib/clientVersionChecks.ts
@@ -0,0 +1,20 @@
+import semver from "semver";
+
+export function canCompress(
+    clientVersion: string | null | undefined,
+    type: "newt" | "olm"
+): boolean {
+    try {
+        if (!clientVersion) return false;
+        // check if it is a valid semver
+        if (!semver.valid(clientVersion)) return false;
+        if (type === "newt") {
+            return semver.gte(clientVersion, "1.10.3");
+        } else if (type === "olm") {
+            return semver.gte(clientVersion, "1.4.3");
+        }
+        return false;
+    } catch {
+        return false;
+    }
+}
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -477,6 +477,7 @@ async function handleMessagesForSiteClients(
        }

        if (isAdd) {
+            // TODO: if we are in jit mode here should we really be sending this?
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -669,7 +670,11 @@ async function handleSubnetProxyTargetUpdates(
                    `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
                );
                proxyJobs.push(
-                    addSubnetProxyTargets(newt.newtId, targetsToAdd)
+                    addSubnetProxyTargets(
+                        newt.newtId,
+                        targetsToAdd,
+                        newt.version
+                    )
                );
            }

@@ -705,7 +710,11 @@ async function handleSubnetProxyTargetUpdates(
                    `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
                );
                proxyJobs.push(
-                    removeSubnetProxyTargets(newt.newtId, targetsToRemove)
+                    removeSubnetProxyTargets(
+                        newt.newtId,
+                        targetsToRemove,
+                        newt.version
+                    )
                );
            }

@@ -1080,6 +1089,7 @@ async function handleMessagesForClientSites(
                continue;
            }

+            // TODO: if we are in jit mode here should we really be sending this?
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -1146,7 +1156,7 @@ async function handleMessagesForClientResources(
        // Add subnet proxy targets for each site
        for (const [siteId, resources] of addedBySite.entries()) {
            const [newt] = await trx
-                .select({ newtId: newts.newtId })
+                .select({ newtId: newts.newtId, version: newts.version })
                .from(newts)
                .where(eq(newts.siteId, siteId))
                .limit(1);
@@ -1168,7 +1178,13 @@ async function handleMessagesForClientResources(
                ]);

                if (targets.length > 0) {
-                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, targets));
+                    proxyJobs.push(
+                        addSubnetProxyTargets(
+                            newt.newtId,
+                            targets,
+                            newt.version
+                        )
+                    );
                }

                try {
@@ -1217,7 +1233,7 @@ async function handleMessagesForClientResources(
        // Remove subnet proxy targets for each site
        for (const [siteId, resources] of removedBySite.entries()) {
            const [newt] = await trx
-                .select({ newtId: newts.newtId })
+                .select({ newtId: newts.newtId, version: newts.version })
                .from(newts)
                .where(eq(newts.siteId, siteId))
                .limit(1);
@@ -1240,7 +1256,11 @@ async function handleMessagesForClientResources(

                if (targets.length > 0) {
                    proxyJobs.push(
-                        removeSubnetProxyTargets(newt.newtId, targets)
+                        removeSubnetProxyTargets(
+                            newt.newtId,
+                            targets,
+                            newt.version
+                        )
                    );
                }

--- a/server/lib/resend.ts
+++ b/server/lib/resend.ts
@@ -1,16 +0,0 @@
-export enum AudienceIds {
-    SignUps = "",
-    Subscribed = "",
-    Churned = "",
-    Newsletter = ""
-}
-
-let resend;
-export default resend;
-
-export async function moveEmailToAudience(
-    email: string,
-    audienceId: AudienceIds
-) {
-    return;
-}
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -286,14 +286,12 @@ export class TraefikConfigManager {
            // Check non-wildcard certs for expiry (within 45 days to match
            // the server-side renewal window in certificate-service)
            for (const domain of domainsNeedingCerts) {
-                const localState =
-                    this.lastLocalCertificateState.get(domain);
+                const localState = this.lastLocalCertificateState.get(domain);
                if (localState?.expiresAt) {
                    const nowInSeconds = Math.floor(Date.now() / 1000);
                    const secondsUntilExpiry =
                        localState.expiresAt - nowInSeconds;
-                    const daysUntilExpiry =
-                        secondsUntilExpiry / (60 * 60 * 24);
+                    const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
                    if (daysUntilExpiry < 45) {
                        logger.info(
                            `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
@@ -306,18 +304,11 @@ export class TraefikConfigManager {
            // Also check wildcard certificates for expiry. These are not
            // included in domainsNeedingCerts since their subdomains are
            // filtered out, so we must check them separately.
-            for (const [certDomain, state] of this
-                .lastLocalCertificateState) {
-                if (
-                    state.exists &&
-                    state.wildcard &&
-                    state.expiresAt
-                ) {
+            for (const [certDomain, state] of this.lastLocalCertificateState) {
+                if (state.exists && state.wildcard && state.expiresAt) {
                    const nowInSeconds = Math.floor(Date.now() / 1000);
-                    const secondsUntilExpiry =
-                        state.expiresAt - nowInSeconds;
-                    const daysUntilExpiry =
-                        secondsUntilExpiry / (60 * 60 * 24);
+                    const secondsUntilExpiry = state.expiresAt - nowInSeconds;
+                    const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
                    if (daysUntilExpiry < 45) {
                        logger.info(
                            `Fetching certificates due to upcoming expiry for wildcard cert ${certDomain} (${Math.round(daysUntilExpiry)} days remaining)`
@@ -405,14 +396,8 @@ export class TraefikConfigManager {
                    // their subdomains were filtered out above.
                    for (const [certDomain, state] of this
                        .lastLocalCertificateState) {
-                        if (
-                            state.exists &&
-                            state.wildcard &&
-                            state.expiresAt
-                        ) {
-                            const nowInSeconds = Math.floor(
-                                Date.now() / 1000
-                            );
+                        if (state.exists && state.wildcard && state.expiresAt) {
+                            const nowInSeconds = Math.floor(Date.now() / 1000);
                            const secondsUntilExpiry =
                                state.expiresAt - nowInSeconds;
                            const daysUntilExpiry =
@@ -572,11 +557,18 @@ export class TraefikConfigManager {
                                config.getRawConfig().server
                                    .session_cookie_name,

-                            // deprecated
                            accessTokenQueryParam:
                                config.getRawConfig().server
                                    .resource_access_token_param,

+                            accessTokenIdHeader:
+                                config.getRawConfig().server
+                                    .resource_access_token_headers.id,
+
+                            accessTokenHeader:
+                                config.getRawConfig().server
+                                    .resource_access_token_headers.token,
+
                            resourceSessionRequestParam:
                                config.getRawConfig().server
                                    .resource_session_request_param
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -14,7 +14,7 @@ import logger from "@server/logger";
 import config from "@server/lib/config";
 import { resources, sites, Target, targets } from "@server/db";
 import createPathRewriteMiddleware from "./middleware";
-import { sanitize, validatePathRewriteConfig } from "./utils";
+import { sanitize, encodePath, validatePathRewriteConfig } from "./utils";

 const redirectHttpsMiddlewareName = "redirect-to-https";
 const badgerMiddlewareName = "badger";
@@ -44,7 +44,7 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
    allowRawResources = true,
-    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
+    allowMaintenancePage = true // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -127,7 +127,7 @@ export async function getTraefikConfig(
    resourcesWithTargetsAndSites.forEach((row) => {
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
-        const targetPath = sanitize(row.path) || ""; // Handle null/undefined paths
+        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
        const pathMatchType = row.pathMatchType || "";
        const rewritePath = row.rewritePath || "";
        const rewritePathType = row.rewritePathType || "";
@@ -145,7 +145,7 @@ export async function getTraefikConfig(
        const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
        const key = sanitize(mapKey);

-        if (!resourcesMap.has(key)) {
+        if (!resourcesMap.has(mapKey)) {
            const validation = validatePathRewriteConfig(
                row.path,
                row.pathMatchType,
@@ -160,9 +160,10 @@ export async function getTraefikConfig(
                return;
            }

-            resourcesMap.set(key, {
+            resourcesMap.set(mapKey, {
                resourceId: row.resourceId,
                name: resourceName,
+                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
                http: row.http,
@@ -190,7 +191,7 @@ export async function getTraefikConfig(
            });
        }

-        resourcesMap.get(key).targets.push({
+        resourcesMap.get(mapKey).targets.push({
            resourceId: row.resourceId,
            targetId: row.targetId,
            ip: row.ip,
@@ -227,8 +228,9 @@ export async function getTraefikConfig(
    };

    // get the key and the resource
-    for (const [key, resource] of resourcesMap.entries()) {
+    for (const [, resource] of resourcesMap.entries()) {
        const targets = resource.targets as TargetWithSite[];
+        const key = resource.key;

        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
--- a/server/lib/traefik/pathEncoding.test.ts
+++ b/server/lib/traefik/pathEncoding.test.ts
@@ -0,0 +1,323 @@
+import { assertEquals } from "../../../test/assert";
+
+// ── Pure function copies (inlined to avoid pulling in server dependencies) ──
+
+function sanitize(input: string | null | undefined): string | undefined {
+    if (!input) return undefined;
+    if (input.length > 50) {
+        input = input.substring(0, 50);
+    }
+    return input
+        .replace(/[^a-zA-Z0-9-]/g, "-")
+        .replace(/-+/g, "-")
+        .replace(/^-|-$/g, "");
+}
+
+function encodePath(path: string | null | undefined): string {
+    if (!path) return "";
+    return path.replace(/[^a-zA-Z0-9]/g, (ch) => {
+        return ch.charCodeAt(0).toString(16);
+    });
+}
+
+// ── Helpers ──────────────────────────────────────────────────────────
+
+/**
+ * Exact replica of the OLD key computation from upstream main.
+ * Uses sanitize() for paths — this is what had the collision bug.
+ */
+function oldKeyComputation(
+    resourceId: number,
+    path: string | null,
+    pathMatchType: string | null,
+    rewritePath: string | null,
+    rewritePathType: string | null
+): string {
+    const targetPath = sanitize(path) || "";
+    const pmt = pathMatchType || "";
+    const rp = rewritePath || "";
+    const rpt = rewritePathType || "";
+    const pathKey = [targetPath, pmt, rp, rpt].filter(Boolean).join("-");
+    const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
+    return sanitize(mapKey) || "";
+}
+
+/**
+ * Replica of the NEW key computation from our fix.
+ * Uses encodePath() for paths — collision-free.
+ */
+function newKeyComputation(
+    resourceId: number,
+    path: string | null,
+    pathMatchType: string | null,
+    rewritePath: string | null,
+    rewritePathType: string | null
+): string {
+    const targetPath = encodePath(path);
+    const pmt = pathMatchType || "";
+    const rp = rewritePath || "";
+    const rpt = rewritePathType || "";
+    const pathKey = [targetPath, pmt, rp, rpt].filter(Boolean).join("-");
+    const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
+    return sanitize(mapKey) || "";
+}
+
+// ── Tests ────────────────────────────────────────────────────────────
+
+function runTests() {
+    console.log("Running path encoding tests...\n");
+
+    let passed = 0;
+
+    // ── encodePath unit tests ────────────────────────────────────────
+
+    // Test 1: null/undefined/empty
+    {
+        assertEquals(encodePath(null), "", "null should return empty");
+        assertEquals(
+            encodePath(undefined),
+            "",
+            "undefined should return empty"
+        );
+        assertEquals(encodePath(""), "", "empty string should return empty");
+        console.log("  PASS: encodePath handles null/undefined/empty");
+        passed++;
+    }
+
+    // Test 2: root path
+    {
+        assertEquals(encodePath("/"), "2f", "/ should encode to 2f");
+        console.log("  PASS: encodePath encodes root path");
+        passed++;
+    }
+
+    // Test 3: alphanumeric passthrough
+    {
+        assertEquals(encodePath("/api"), "2fapi", "/api encodes slash only");
+        assertEquals(encodePath("/v1"), "2fv1", "/v1 encodes slash only");
+        assertEquals(encodePath("abc"), "abc", "plain alpha passes through");
+        console.log("  PASS: encodePath preserves alphanumeric chars");
+        passed++;
+    }
+
+    // Test 4: all special chars produce unique hex
+    {
+        const paths = ["/a/b", "/a-b", "/a.b", "/a_b", "/a b"];
+        const results = paths.map((p) => encodePath(p));
+        const unique = new Set(results);
+        assertEquals(
+            unique.size,
+            paths.length,
+            "all special-char paths must produce unique encodings"
+        );
+        console.log(
+            "  PASS: encodePath produces unique output for different special chars"
+        );
+        passed++;
+    }
+
+    // Test 5: output is always alphanumeric (safe for Traefik names)
+    {
+        const paths = [
+            "/",
+            "/api",
+            "/a/b",
+            "/a-b",
+            "/a.b",
+            "/complex/path/here"
+        ];
+        for (const p of paths) {
+            const e = encodePath(p);
+            assertEquals(
+                /^[a-zA-Z0-9]+$/.test(e),
+                true,
+                `encodePath("${p}") = "${e}" must be alphanumeric`
+            );
+        }
+        console.log("  PASS: encodePath output is always alphanumeric");
+        passed++;
+    }
+
+    // Test 6: deterministic
+    {
+        assertEquals(
+            encodePath("/api"),
+            encodePath("/api"),
+            "same input same output"
+        );
+        assertEquals(
+            encodePath("/a/b/c"),
+            encodePath("/a/b/c"),
+            "same input same output"
+        );
+        console.log("  PASS: encodePath is deterministic");
+        passed++;
+    }
+
+    // Test 7: many distinct paths never collide
+    {
+        const paths = [
+            "/",
+            "/api",
+            "/api/v1",
+            "/api/v2",
+            "/a/b",
+            "/a-b",
+            "/a.b",
+            "/a_b",
+            "/health",
+            "/health/check",
+            "/admin",
+            "/admin/users",
+            "/api/v1/users",
+            "/api/v1/posts",
+            "/app",
+            "/app/dashboard"
+        ];
+        const encoded = new Set(paths.map((p) => encodePath(p)));
+        assertEquals(
+            encoded.size,
+            paths.length,
+            `expected ${paths.length} unique encodings, got ${encoded.size}`
+        );
+        console.log("  PASS: 16 realistic paths all produce unique encodings");
+        passed++;
+    }
+
+    // ── Collision fix: the actual bug we're fixing ───────────────────
+
+    // Test 8: /a/b and /a-b now have different keys (THE BUG FIX)
+    {
+        const keyAB = newKeyComputation(1, "/a/b", "prefix", null, null);
+        const keyDash = newKeyComputation(1, "/a-b", "prefix", null, null);
+        assertEquals(
+            keyAB !== keyDash,
+            true,
+            "/a/b and /a-b MUST have different keys"
+        );
+        console.log("  PASS: collision fix — /a/b vs /a-b have different keys");
+        passed++;
+    }
+
+    // Test 9: demonstrate the old bug — old code maps /a/b and /a-b to same key
+    {
+        const oldKeyAB = oldKeyComputation(1, "/a/b", "prefix", null, null);
+        const oldKeyDash = oldKeyComputation(1, "/a-b", "prefix", null, null);
+        assertEquals(
+            oldKeyAB,
+            oldKeyDash,
+            "old code MUST have this collision (confirms the bug exists)"
+        );
+        console.log("  PASS: confirmed old code bug — /a/b and /a-b collided");
+        passed++;
+    }
+
+    // Test 10: /api/v1 and /api-v1 — old code collision, new code fixes it
+    {
+        const oldKey1 = oldKeyComputation(1, "/api/v1", "prefix", null, null);
+        const oldKey2 = oldKeyComputation(1, "/api-v1", "prefix", null, null);
+        assertEquals(
+            oldKey1,
+            oldKey2,
+            "old code collision for /api/v1 vs /api-v1"
+        );
+
+        const newKey1 = newKeyComputation(1, "/api/v1", "prefix", null, null);
+        const newKey2 = newKeyComputation(1, "/api-v1", "prefix", null, null);
+        assertEquals(
+            newKey1 !== newKey2,
+            true,
+            "new code must separate /api/v1 and /api-v1"
+        );
+        console.log("  PASS: collision fix — /api/v1 vs /api-v1");
+        passed++;
+    }
+
+    // Test 11: /app.v2 and /app/v2 and /app-v2 — three-way collision fixed
+    {
+        const a = newKeyComputation(1, "/app.v2", "prefix", null, null);
+        const b = newKeyComputation(1, "/app/v2", "prefix", null, null);
+        const c = newKeyComputation(1, "/app-v2", "prefix", null, null);
+        const keys = new Set([a, b, c]);
+        assertEquals(
+            keys.size,
+            3,
+            "three paths must produce three unique keys"
+        );
+        console.log(
+            "  PASS: collision fix — three-way /app.v2, /app/v2, /app-v2"
+        );
+        passed++;
+    }
+
+    // ── Edge cases ───────────────────────────────────────────────────
+
+    // Test 12: same path in different resources — always separate
+    {
+        const key1 = newKeyComputation(1, "/api", "prefix", null, null);
+        const key2 = newKeyComputation(2, "/api", "prefix", null, null);
+        assertEquals(
+            key1 !== key2,
+            true,
+            "different resources with same path must have different keys"
+        );
+        console.log("  PASS: edge case — same path, different resources");
+        passed++;
+    }
+
+    // Test 13: same resource, different pathMatchType — separate keys
+    {
+        const exact = newKeyComputation(1, "/api", "exact", null, null);
+        const prefix = newKeyComputation(1, "/api", "prefix", null, null);
+        assertEquals(
+            exact !== prefix,
+            true,
+            "exact vs prefix must have different keys"
+        );
+        console.log("  PASS: edge case — same path, different match types");
+        passed++;
+    }
+
+    // Test 14: same resource and path, different rewrite config — separate keys
+    {
+        const noRewrite = newKeyComputation(1, "/api", "prefix", null, null);
+        const withRewrite = newKeyComputation(
+            1,
+            "/api",
+            "prefix",
+            "/backend",
+            "prefix"
+        );
+        assertEquals(
+            noRewrite !== withRewrite,
+            true,
+            "with vs without rewrite must have different keys"
+        );
+        console.log("  PASS: edge case — same path, different rewrite config");
+        passed++;
+    }
+
+    // Test 15: paths with special URL characters
+    {
+        const paths = ["/api?foo", "/api#bar", "/api%20baz", "/api+qux"];
+        const keys = new Set(
+            paths.map((p) => newKeyComputation(1, p, "prefix", null, null))
+        );
+        assertEquals(
+            keys.size,
+            paths.length,
+            "special URL chars must produce unique keys"
+        );
+        console.log("  PASS: edge case — special URL characters in paths");
+        passed++;
+    }
+
+    console.log(`\nAll ${passed} tests passed!`);
+}
+
+try {
+    runTests();
+} catch (error) {
+    console.error("Test failed:", error);
+    process.exit(1);
+}
--- a/server/lib/traefik/utils.ts
+++ b/server/lib/traefik/utils.ts
@@ -13,6 +13,26 @@ export function sanitize(input: string | null | undefined): string | undefined {
        .replace(/^-|-$/g, "");
 }

+/**
+ * Encode a URL path into a collision-free alphanumeric string suitable for use
+ * in Traefik map keys.
+ *
+ * Unlike sanitize(), this preserves uniqueness by encoding each non-alphanumeric
+ * character as its hex code. Different paths always produce different outputs.
+ *
+ *   encodePath("/api")  => "2fapi"
+ *   encodePath("/a/b")  => "2fa2fb"
+ *   encodePath("/a-b")  => "2fa2db"   (different from /a/b)
+ *   encodePath("/")     => "2f"
+ *   encodePath(null)    => ""
+ */
+export function encodePath(path: string | null | undefined): string {
+    if (!path) return "";
+    return path.replace(/[^a-zA-Z0-9]/g, (ch) => {
+        return ch.charCodeAt(0).toString(16);
+    });
+}
+
 export function validatePathRewriteConfig(
    path: string | null,
    pathMatchType: string | null,
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -13,8 +13,12 @@

 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
+import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";

 async function cleanup() {
+    await flushBandwidthToDb();
+    await flushSiteBandwidthToDb();
    await rateLimitService.cleanup();
    await wsCleanup();

--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -38,10 +38,6 @@ export const privateConfigSchema = z.object({
                .string()
                .optional()
                .transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY")),
-            resend_api_key: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("RESEND_API_KEY")),
            reo_client_id: z
                .string()
                .optional()
--- a/server/private/lib/resend.ts
+++ b/server/private/lib/resend.ts
@@ -1,127 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Resend } from "resend";
-import privateConfig from "#private/lib/config";
-import logger from "@server/logger";
-
-export enum AudienceIds {
-    SignUps = "6c4e77b2-0851-4bd6-bac8-f51f91360f1a",
-    Subscribed = "870b43fd-387f-44de-8fc1-707335f30b20",
-    Churned = "f3ae92bd-2fdb-4d77-8746-2118afd62549",
-    Newsletter = "5500c431-191c-42f0-a5d4-8b6d445b4ea0"
-}
-
-const resend = new Resend(
-    privateConfig.getRawPrivateConfig().server.resend_api_key || "missing"
-);
-
-export default resend;
-
-export async function moveEmailToAudience(
-    email: string,
-    audienceId: AudienceIds
-) {
-    if (process.env.ENVIRONMENT !== "prod") {
-        logger.debug(
-            `Skipping moving email ${email} to audience ${audienceId} in non-prod environment`
-        );
-        return;
-    }
-    const { error, data } = await retryWithBackoff(async () => {
-        const { data, error } = await resend.contacts.create({
-            email,
-            unsubscribed: false,
-            audienceId
-        });
-        if (error) {
-            throw new Error(
-                `Error adding email ${email} to audience ${audienceId}: ${error}`
-            );
-        }
-        return { error, data };
-    });
-
-    if (error) {
-        logger.error(
-            `Error adding email ${email} to audience ${audienceId}: ${error}`
-        );
-        return;
-    }
-
-    if (data) {
-        logger.debug(
-            `Added email ${email} to audience ${audienceId} with contact ID ${data.id}`
-        );
-    }
-
-    const otherAudiences = Object.values(AudienceIds).filter(
-        (id) => id !== audienceId
-    );
-
-    for (const otherAudienceId of otherAudiences) {
-        const { error, data } = await retryWithBackoff(async () => {
-            const { data, error } = await resend.contacts.remove({
-                email,
-                audienceId: otherAudienceId
-            });
-            if (error) {
-                throw new Error(
-                    `Error removing email ${email} from audience ${otherAudienceId}: ${error}`
-                );
-            }
-            return { error, data };
-        });
-
-        if (error) {
-            logger.error(
-                `Error removing email ${email} from audience ${otherAudienceId}: ${error}`
-            );
-        }
-
-        if (data) {
-            logger.info(
-                `Removed email ${email} from audience ${otherAudienceId}`
-            );
-        }
-    }
-}
-
-type RetryOptions = {
-    retries?: number;
-    initialDelayMs?: number;
-    factor?: number;
-};
-
-export async function retryWithBackoff<T>(
-    fn: () => Promise<T>,
-    options: RetryOptions = {}
-): Promise<T> {
-    const { retries = 5, initialDelayMs = 500, factor = 2 } = options;
-
-    let attempt = 0;
-    let delay = initialDelayMs;
-
-    while (true) {
-        try {
-            return await fn();
-        } catch (err) {
-            attempt++;
-
-            if (attempt > retries) throw err;
-
-            await new Promise((resolve) => setTimeout(resolve, delay));
-            delay *= factor;
-        }
-    }
-}
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -34,7 +34,11 @@ import {
 import logger from "@server/logger";
 import config from "@server/lib/config";
 import { orgs, resources, sites, Target, targets } from "@server/db";
-import { sanitize, validatePathRewriteConfig } from "@server/lib/traefik/utils";
+import {
+    sanitize,
+    encodePath,
+    validatePathRewriteConfig
+} from "@server/lib/traefik/utils";
 import privateConfig from "#private/lib/config";
 import createPathRewriteMiddleware from "@server/lib/traefik/middleware";
 import {
@@ -170,7 +174,7 @@ export async function getTraefikConfig(
    resourcesWithTargetsAndSites.forEach((row) => {
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
-        const targetPath = sanitize(row.path) || ""; // Handle null/undefined paths
+        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
        const pathMatchType = row.pathMatchType || "";
        const rewritePath = row.rewritePath || "";
        const rewritePathType = row.rewritePathType || "";
@@ -192,7 +196,7 @@ export async function getTraefikConfig(
        const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
        const key = sanitize(mapKey);

-        if (!resourcesMap.has(key)) {
+        if (!resourcesMap.has(mapKey)) {
            const validation = validatePathRewriteConfig(
                row.path,
                row.pathMatchType,
@@ -207,9 +211,10 @@ export async function getTraefikConfig(
                return;
            }

-            resourcesMap.set(key, {
+            resourcesMap.set(mapKey, {
                resourceId: row.resourceId,
                name: resourceName,
+                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
                http: row.http,
@@ -243,7 +248,7 @@ export async function getTraefikConfig(
        }

        // Add target with its associated site data
-        resourcesMap.get(key).targets.push({
+        resourcesMap.get(mapKey).targets.push({
            resourceId: row.resourceId,
            targetId: row.targetId,
            ip: row.ip,
@@ -296,8 +301,9 @@ export async function getTraefikConfig(
    };

    // get the key and the resource
-    for (const [key, resource] of resourcesMap.entries()) {
+    for (const [, resource] of resourcesMap.entries()) {
        const targets = resource.targets as TargetWithSite[];
+        const key = resource.key;

        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
--- a/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
@@ -24,7 +24,6 @@ import { eq, and } from "drizzle-orm";
 import logger from "@server/logger";
 import stripe from "#private/lib/stripe";
 import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";
-import { AudienceIds, moveEmailToAudience } from "#private/lib/resend";
 import { getSubType } from "./getSubType";
 import privateConfig from "#private/lib/config";
 import { getLicensePriceSet, LicenseId } from "@server/lib/billing/licenses";
@@ -172,7 +171,7 @@ export async function handleSubscriptionCreated(
                const email = orgUserRes.user.email;

                if (email) {
-                    moveEmailToAudience(email, AudienceIds.Subscribed);
+                    // TODO: update user in Sendy
                }
            }
        } else if (type === "license") {
--- a/server/private/routers/billing/hooks/handleSubscriptionDeleted.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionDeleted.ts
@@ -23,7 +23,6 @@ import {
 import { eq, and } from "drizzle-orm";
 import logger from "@server/logger";
 import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";
-import { AudienceIds, moveEmailToAudience } from "#private/lib/resend";
 import { getSubType } from "./getSubType";
 import stripe from "#private/lib/stripe";
 import privateConfig from "#private/lib/config";
@@ -109,7 +108,7 @@ export async function handleSubscriptionDeleted(
                const email = orgUserRes.user.email;

                if (email) {
-                    moveEmailToAudience(email, AudienceIds.Churned);
+                    // TODO: update user in Sendy
                }
            }
        } else if (type === "license") {
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -515,6 +515,6 @@ authenticated.post(
    verifyOrgAccess,
    verifyLimits,
    verifyUserHasAction(ActionsEnum.signSshKey),
-    logActionAudit(ActionsEnum.signSshKey),
+    // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
    ssh.signSshKey
 );
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -14,7 +14,9 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
+    actionAuditLog,
    db,
+    logsDb,
    newts,
    roles,
    roundTripMessageTracker,
@@ -29,12 +31,12 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
 import { eq, or, and } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "@server/lib/sshCA";
 import config from "@server/lib/config";
 import { sendToClient } from "#private/routers/ws";
+import { ActionsEnum } from "@server/auth/actions";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -64,6 +66,7 @@ export type SignSshKeyResponse = {
    sshUsername: string;
    sshHost: string;
    resourceId: number;
+    siteId: number;
    keyId: string;
    validPrincipals: string[];
    validAfter: string;
@@ -446,6 +449,20 @@ export async function signSshKey(
            sshHost = resource.destination;
        }

+        await logsDb.insert(actionAuditLog).values({
+            timestamp: Math.floor(Date.now() / 1000),
+            orgId: orgId,
+            actorType: "user",
+            actor: req.user?.username ?? "",
+            actorId: req.user?.userId ?? "",
+            action: ActionsEnum.signSshKey,
+            metadata: JSON.stringify({
+                resourceId: resource.siteResourceId,
+                resource: resource.name,
+                siteId: resource.siteId,
+            })
+        });
+
        return response<SignSshKeyResponse>(res, {
            data: {
                certificate: cert.certificate,
@@ -453,6 +470,7 @@ export async function signSshKey(
                sshUsername: usernameToUse,
                sshHost: sshHost,
                resourceId: resource.siteResourceId,
+                siteId: resource.siteId,
                keyId: cert.keyId,
                validPrincipals: cert.validPrincipals,
                validAfter: cert.validAfter.toISOString(),
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -17,10 +17,13 @@ import {
    startRemoteExitNodeOfflineChecker
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
+import { build } from "@server/build";

 export const messageHandlers: Record<string, MessageHandler> = {
    "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
    "remoteExitNode/ping": handleRemoteExitNodePingMessage
 };

+if (build != "saas") {
    startRemoteExitNodeOfflineChecker(); // this is to handle the offline check for remote exit nodes
+}
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -12,6 +12,7 @@
 */

 import { Router, Request, Response } from "express";
+import zlib from "zlib";
 import { Server as HttpServer } from "http";
 import { WebSocket, WebSocketServer } from "ws";
 import { Socket } from "net";
@@ -24,7 +25,8 @@ import {
    OlmSession,
    RemoteExitNode,
    RemoteExitNodeSession,
-    remoteExitNodes
+    remoteExitNodes,
+    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
@@ -57,11 +59,13 @@ const MAX_PENDING_MESSAGES = 50; // Maximum messages to queue during connection
 const processMessage = async (
    ws: AuthenticatedWebSocket,
    data: Buffer,
+    isBinary: boolean,
    clientId: string,
    clientType: ClientType
 ): Promise<void> => {
    try {
-        const message: WSMessage = JSON.parse(data.toString());
+        const messageBuffer = isBinary ? zlib.gunzipSync(data) : data;
+        const message: WSMessage = JSON.parse(messageBuffer.toString());

        // logger.debug(
        //     `Processing message from ${clientType.toUpperCase()} ID: ${clientId}, type: ${message.type}`
@@ -76,7 +80,7 @@ const processMessage = async (
            clientId,
            message.type, // Pass message type for granular limiting
            100, // max requests per window
-            20, // max requests per message type per window
+            100, // max requests per message type per window
            60 * 1000 // window in milliseconds
        );
        if (rateLimitResult.isLimited) {
@@ -163,8 +167,16 @@ const processPendingMessages = async (
    );

    const jobs = [];
-    for (const messageData of ws.pendingMessages) {
-        jobs.push(processMessage(ws, messageData, clientId, clientType));
+    for (const pending of ws.pendingMessages) {
+        jobs.push(
+            processMessage(
+                ws,
+                pending.data,
+                pending.isBinary,
+                clientId,
+                clientType
+            )
+        );
    }

    await Promise.all(jobs);
@@ -185,6 +197,12 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();

+// Tracks the last Unix timestamp (seconds) at which a ping was flushed to the
+// DB for a given siteId. Resets on server restart which is fine – the first
+// ping after startup will always write, re-establishing the online state.
+const lastPingDbWrite: Map<number, number> = new Map();
+const PING_DB_WRITE_INTERVAL = 45; // seconds
+
 // Recovery tracking
 let isRedisRecoveryInProgress = false;

@@ -325,7 +343,9 @@ const addClient = async (
    // Check Redis first if enabled
    if (redisManager.isRedisEnabled()) {
        try {
-            const redisVersion = await redisManager.get(getConfigVersionKey(clientId));
+            const redisVersion = await redisManager.get(
+                getConfigVersionKey(clientId)
+            );
            if (redisVersion !== null) {
                configVersion = parseInt(redisVersion, 10);
                // Sync to local cache
@@ -337,7 +357,10 @@ const addClient = async (
            } else {
                // Use local cache version and sync to Redis
                configVersion = clientConfigVersions.get(clientId) || 0;
-                await redisManager.set(getConfigVersionKey(clientId), configVersion.toString());
+                await redisManager.set(
+                    getConfigVersionKey(clientId),
+                    configVersion.toString()
+                );
            }
        } catch (error) {
            logger.error("Failed to get/set config version in Redis:", error);
@@ -432,7 +455,9 @@ const removeClient = async (
 };

 // Helper to get the current config version for a client
-const getClientConfigVersion = async (clientId: string): Promise<number | undefined> => {
+const getClientConfigVersion = async (
+    clientId: string
+): Promise<number | undefined> => {
    // Try Redis first if available
    if (redisManager.isRedisEnabled()) {
        try {
@@ -502,11 +527,26 @@ const sendToClientLocal = async (
    };

    const messageString = JSON.stringify(messageWithVersion);
+    if (options.compress) {
+        logger.debug(
+            `Message size before compression: ${messageString.length} bytes`
+        );
+        const compressed = zlib.gzipSync(Buffer.from(messageString, "utf8"));
+        logger.debug(
+            `Message size after compression: ${compressed.length} bytes`
+        );
+        clients.forEach((client) => {
+            if (client.readyState === WebSocket.OPEN) {
+                client.send(compressed);
+            }
+        });
+    } else {
        clients.forEach((client) => {
            if (client.readyState === WebSocket.OPEN) {
                client.send(messageString);
            }
        });
+    }

    return true;
 };
@@ -532,6 +572,16 @@ const broadcastToAllExceptLocal = async (
                configVersion
            };

+            if (options.compress) {
+                const compressed = zlib.gzipSync(
+                    Buffer.from(JSON.stringify(messageWithVersion), "utf8")
+                );
+                clients.forEach((client) => {
+                    if (client.readyState === WebSocket.OPEN) {
+                        client.send(compressed);
+                    }
+                });
+            } else {
                clients.forEach((client) => {
                    if (client.readyState === WebSocket.OPEN) {
                        client.send(JSON.stringify(messageWithVersion));
@@ -539,6 +589,7 @@ const broadcastToAllExceptLocal = async (
                });
            }
        }
+    }
 };

 // Cross-node message sending (via Redis)
@@ -762,7 +813,7 @@ const setupConnection = async (
    }

    // Set up message handler FIRST to prevent race condition
-    ws.on("message", async (data) => {
+    ws.on("message", async (data, isBinary) => {
        if (!ws.isFullyConnected) {
            // Queue message for later processing with limits
            ws.pendingMessages = ws.pendingMessages || [];
@@ -777,11 +828,17 @@ const setupConnection = async (
            logger.debug(
                `Queueing message from ${clientType.toUpperCase()} ID: ${clientId} (connection not fully established)`
            );
-            ws.pendingMessages.push(data as Buffer);
+            ws.pendingMessages.push({ data: data as Buffer, isBinary });
            return;
        }

-        await processMessage(ws, data as Buffer, clientId, clientType);
+        await processMessage(
+            ws,
+            data as Buffer,
+            isBinary,
+            clientId,
+            clientType
+        );
    });

    // Set up other event handlers before async operations
@@ -796,6 +853,35 @@ const setupConnection = async (
        );
    });

+    // Handle WebSocket protocol-level pings from older newt clients that do
+    // not send application-level "newt/ping" messages. Update the site's
+    // online state and lastPing timestamp so the offline checker treats them
+    // the same as modern newt clients.
+    if (clientType === "newt") {
+        const newtClient = client as Newt;
+        ws.on("ping", async () => {
+            if (!newtClient.siteId) return;
+            const now = Math.floor(Date.now() / 1000);
+            const lastWrite = lastPingDbWrite.get(newtClient.siteId) ?? 0;
+            if (now - lastWrite < PING_DB_WRITE_INTERVAL) return;
+            lastPingDbWrite.set(newtClient.siteId, now);
+            try {
+                await db
+                    .update(sites)
+                    .set({
+                        online: true,
+                        lastPing: now
+                    })
+                    .where(eq(sites.siteId, newtClient.siteId));
+            } catch (error) {
+                logger.error(
+                    "Error updating newt site online state on WS ping",
+                    { error }
+                );
+            }
+        });
+    }
+
    ws.on("error", (error: Error) => {
        logger.error(
            `WebSocket error for ${clientType.toUpperCase()} ID ${clientId}:`,
--- a/server/routers/auth/signup.ts
+++ b/server/routers/auth/signup.ts
@@ -22,7 +22,6 @@ import { checkValidInvite } from "@server/auth/checkValidInvite";
 import { passwordSchema } from "@server/auth/passwordSchema";
 import { UserType } from "@server/types/UserTypes";
 import { build } from "@server/build";
-import resend, { AudienceIds, moveEmailToAudience } from "#dynamic/lib/resend";

 export const signupBodySchema = z.object({
    email: z.email().toLowerCase(),
@@ -237,7 +236,7 @@ export async function signup(
            logger.debug(
                `User ${email} opted in to marketing emails during signup.`
            );
-            moveEmailToAudience(email, AudienceIds.SignUps);
+            // TODO: update user in Sendy
        }

        if (config.getRawConfig().flags?.require_email_verification) {
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -1,51 +1,38 @@
 import { sendToClient } from "#dynamic/routers/ws";
 import { db, olms, Transaction } from "@server/db";
+import { canCompress } from "@server/lib/clientVersionChecks";
 import { Alias, SubnetProxyTarget } from "@server/lib/ip";
 import logger from "@server/logger";
 import { eq } from "drizzle-orm";

-const BATCH_SIZE = 50;
-const BATCH_DELAY_MS = 50;
-
-function sleep(ms: number): Promise<void> {
-    return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-function chunkArray<T>(array: T[], size: number): T[][] {
-    const chunks: T[][] = [];
-    for (let i = 0; i < array.length; i += size) {
-        chunks.push(array.slice(i, i + size));
-    }
-    return chunks;
-}
-
-export async function addTargets(newtId: string, targets: SubnetProxyTarget[]) {
-    const batches = chunkArray(targets, BATCH_SIZE);
-    for (let i = 0; i < batches.length; i++) {
-        if (i > 0) {
-            await sleep(BATCH_DELAY_MS);
-        }
-        await sendToClient(newtId, {
+export async function addTargets(
+    newtId: string,
+    targets: SubnetProxyTarget[],
+    version?: string | null
+) {
+    await sendToClient(
+        newtId,
+        {
            type: `newt/wg/targets/add`,
-            data: batches[i]
-        }, { incrementConfigVersion: true });
-    }
+            data: targets
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "newt") }
+    );
 }

 export async function removeTargets(
    newtId: string,
-    targets: SubnetProxyTarget[]
+    targets: SubnetProxyTarget[],
+    version?: string | null
 ) {
-    const batches = chunkArray(targets, BATCH_SIZE);
-    for (let i = 0; i < batches.length; i++) {
-        if (i > 0) {
-            await sleep(BATCH_DELAY_MS);
-        }
-        await sendToClient(newtId, {
+    await sendToClient(
+        newtId,
+        {
            type: `newt/wg/targets/remove`,
-            data: batches[i]
-        },{ incrementConfigVersion: true });
-    }
+            data: targets
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "newt") }
+    );
 }

 export async function updateTargets(
@@ -53,34 +40,31 @@ export async function updateTargets(
    targets: {
        oldTargets: SubnetProxyTarget[];
        newTargets: SubnetProxyTarget[];
-    }
+    },
+    version?: string | null
 ) {
-    const oldBatches = chunkArray(targets.oldTargets, BATCH_SIZE);
-    const newBatches = chunkArray(targets.newTargets, BATCH_SIZE);
-    const maxBatches = Math.max(oldBatches.length, newBatches.length);
-
-    for (let i = 0; i < maxBatches; i++) {
-        if (i > 0) {
-            await sleep(BATCH_DELAY_MS);
-        }
-        await sendToClient(newtId, {
+    await sendToClient(
+        newtId,
+        {
            type: `newt/wg/targets/update`,
            data: {
-                oldTargets: oldBatches[i] || [],
-                newTargets: newBatches[i] || []
+                oldTargets: targets.oldTargets,
+                newTargets: targets.newTargets
            }
-        }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "newt") }
+    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
 }
-}

 export async function addPeerData(
    clientId: number,
    siteId: number,
    remoteSubnets: string[],
    aliases: Alias[],
-    olmId?: string
+    olmId?: string,
+    version?: string | null
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -92,16 +76,21 @@ export async function addPeerData(
            return; // ignore this because an olm might not be associated with the client anymore
        }
        olmId = olm.olmId;
+        version = olm.version;
    }

-    await sendToClient(olmId, {
+    await sendToClient(
+        olmId,
+        {
            type: `olm/wg/peer/data/add`,
            data: {
                siteId: siteId,
                remoteSubnets: remoteSubnets,
                aliases: aliases
            }
-    }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "olm") }
+    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
 }
@@ -111,7 +100,8 @@ export async function removePeerData(
    siteId: number,
    remoteSubnets: string[],
    aliases: Alias[],
-    olmId?: string
+    olmId?: string,
+    version?: string | null
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -123,16 +113,21 @@ export async function removePeerData(
            return;
        }
        olmId = olm.olmId;
+        version = olm.version;
    }

-    await sendToClient(olmId, {
+    await sendToClient(
+        olmId,
+        {
            type: `olm/wg/peer/data/remove`,
            data: {
                siteId: siteId,
                remoteSubnets: remoteSubnets,
                aliases: aliases
            }
-    }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "olm") }
+    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
 }
@@ -152,7 +147,8 @@ export async function updatePeerData(
              newAliases: Alias[];
          }
        | undefined,
-    olmId?: string
+    olmId?: string,
+    version?: string | null
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -164,16 +160,21 @@ export async function updatePeerData(
            return;
        }
        olmId = olm.olmId;
+        version = olm.version;
    }

-    await sendToClient(olmId, {
+    await sendToClient(
+        olmId,
+        {
            type: `olm/wg/peer/data/update`,
            data: {
                siteId: siteId,
                ...remoteSubnets,
                ...aliases
            }
-    }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "olm") }
+    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
 }
--- a/server/routers/domain/listDomains.ts
+++ b/server/routers/domain/listDomains.ts
@@ -40,7 +40,8 @@ async function queryDomains(orgId: string, limit: number, offset: number) {
            tries: domains.tries,
            configManaged: domains.configManaged,
            certResolver: domains.certResolver,
-            preferWildcardCert: domains.preferWildcardCert
+            preferWildcardCert: domains.preferWildcardCert,
+            errorMessage: domains.errorMessage
        })
        .from(orgDomains)
        .where(eq(orgDomains.orgId, orgId))
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, and, lt, inArray, sql } from "drizzle-orm";
+import { eq, sql } from "drizzle-orm";
 import { sites } from "@server/db";
 import { db } from "@server/db";
 import logger from "@server/logger";
@@ -11,19 +11,31 @@ import { FeatureId } from "@server/lib/billing/features";
 import { checkExitNodeOrg } from "#dynamic/lib/exitNodes";
 import { build } from "@server/build";

-// Track sites that are already offline to avoid unnecessary queries
-const offlineSites = new Set<string>();
-
-// Retry configuration for deadlock handling
-const MAX_RETRIES = 3;
-const BASE_DELAY_MS = 50;
-
 interface PeerBandwidth {
    publicKey: string;
    bytesIn: number;
    bytesOut: number;
 }

+interface AccumulatorEntry {
+    bytesIn: number;
+    bytesOut: number;
+    /** Present when the update came through a remote exit node. */
+    exitNodeId?: number;
+    /** Whether to record egress usage for billing purposes. */
+    calcUsage: boolean;
+}
+
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// How often to flush accumulated bandwidth data to the database
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+// In-memory accumulator: publicKey -> AccumulatorEntry
+let accumulator = new Map<string, AccumulatorEntry>();
+
 /**
 * Check if an error is a deadlock error
 */
@@ -63,6 +75,220 @@ async function withDeadlockRetry<T>(
    }
 }

+/**
+ * Flush all accumulated site bandwidth data to the database.
+ *
+ * Swaps out the accumulator before writing so that any bandwidth messages
+ * received during the flush are captured in the new accumulator rather than
+ * being lost or causing contention. Entries that fail to write are re-queued
+ * back into the accumulator so they will be retried on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushSiteBandwidthToDb(): Promise<void> {
+    if (accumulator.size === 0) {
+        return;
+    }
+
+    // Atomically swap out the accumulator so new data keeps flowing in
+    // while we write the snapshot to the database.
+    const snapshot = accumulator;
+    accumulator = new Map<string, AccumulatorEntry>();
+
+    const currentTime = new Date().toISOString();
+
+    // Sort by publicKey for consistent lock ordering across concurrent
+    // writers — deadlock-prevention strategy.
+    const sortedEntries = [...snapshot.entries()].sort(([a], [b]) =>
+        a.localeCompare(b)
+    );
+
+    logger.debug(
+        `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
+    );
+
+    // Aggregate billing usage by org, collected during the DB update loop.
+    const orgUsageMap = new Map<string, number>();
+
+    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+        try {
+            const updatedSite = await withDeadlockRetry(async () => {
+                const [result] = await db
+                    .update(sites)
+                    .set({
+                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
+                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
+                        lastBandwidthUpdate: currentTime,
+                    })
+                    .where(eq(sites.pubKey, publicKey))
+                    .returning({
+                        orgId: sites.orgId,
+                        siteId: sites.siteId
+                    });
+                return result;
+            }, `flush bandwidth for site ${publicKey}`);
+
+            if (updatedSite) {
+                if (exitNodeId) {
+                    const notAllowed = await checkExitNodeOrg(
+                        exitNodeId,
+                        updatedSite.orgId
+                    );
+                    if (notAllowed) {
+                        logger.warn(
+                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
+                        );
+                        // Skip usage tracking for this site but continue
+                        // processing the rest.
+                        continue;
+                    }
+                }
+
+                if (calcUsage) {
+                    const totalBandwidth = bytesIn + bytesOut;
+                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
+                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
+                }
+            }
+        } catch (error) {
+            logger.error(
+                `Failed to flush bandwidth for site ${publicKey}:`,
+                error
+            );
+
+            // Re-queue the failed entry so it is retried on the next flush
+            // rather than silently dropped.
+            const existing = accumulator.get(publicKey);
+            if (existing) {
+                existing.bytesIn += bytesIn;
+                existing.bytesOut += bytesOut;
+            } else {
+                accumulator.set(publicKey, {
+                    bytesIn,
+                    bytesOut,
+                    exitNodeId,
+                    calcUsage
+                });
+            }
+        }
+    }
+
+    // Process billing usage updates outside the site-update loop to keep
+    // lock scope small and concerns separated.
+    if (orgUsageMap.size > 0) {
+        // Sort org IDs for consistent lock ordering.
+        const sortedOrgIds = [...orgUsageMap.keys()].sort();
+
+        for (const orgId of sortedOrgIds) {
+            try {
+                const totalBandwidth = orgUsageMap.get(orgId)!;
+                const bandwidthUsage = await usageService.add(
+                    orgId,
+                    FeatureId.EGRESS_DATA_MB,
+                    totalBandwidth
+                );
+                if (bandwidthUsage) {
+                    // Fire-and-forget — don't block the flush on limit checking.
+                    usageService
+                        .checkLimitSet(
+                            orgId,
+                            FeatureId.EGRESS_DATA_MB,
+                            bandwidthUsage
+                        )
+                        .catch((error: any) => {
+                            logger.error(
+                                `Error checking bandwidth limits for org ${orgId}:`,
+                                error
+                            );
+                        });
+                }
+            } catch (error) {
+                logger.error(
+                    `Error processing usage for org ${orgId}:`,
+                    error
+                );
+                // Continue with other orgs.
+            }
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Periodic flush timer
+// ---------------------------------------------------------------------------
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushSiteBandwidthToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic site bandwidth flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Allow the process to exit normally even while the timer is pending.
+// The graceful-shutdown path (see server/cleanup.ts) will call
+// flushSiteBandwidthToDb() explicitly before process.exit(), so no data
+// is lost.
+flushTimer.unref();
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Accumulate bandwidth data reported by a gerbil or remote exit node.
+ *
+ * Only peers that actually transferred data (bytesIn > 0) are added to the
+ * accumulator; peers with no activity are silently ignored, which means the
+ * flush will only write rows that have genuinely changed.
+ *
+ * The function is intentionally synchronous in its fast path so that the
+ * HTTP handler can respond immediately without waiting for any I/O.
+ */
+export async function updateSiteBandwidth(
+    bandwidthData: PeerBandwidth[],
+    calcUsageAndLimits: boolean,
+    exitNodeId?: number
+): Promise<void> {
+    for (const { publicKey, bytesIn, bytesOut } of bandwidthData) {
+        // Skip peers that haven't transferred any data — writing zeros to the
+        // database would be a no-op anyway.
+        if (bytesIn <= 0 && bytesOut <= 0) {
+            continue;
+        }
+
+        const existing = accumulator.get(publicKey);
+        if (existing) {
+            existing.bytesIn += bytesIn;
+            existing.bytesOut += bytesOut;
+            // Retain the most-recent exitNodeId for this peer.
+            if (exitNodeId !== undefined) {
+                existing.exitNodeId = exitNodeId;
+            }
+            // Once calcUsage has been requested for a peer, keep it set for
+            // the lifetime of this flush window.
+            if (calcUsageAndLimits) {
+                existing.calcUsage = true;
+            }
+        } else {
+            accumulator.set(publicKey, {
+                bytesIn,
+                bytesOut,
+                exitNodeId,
+                calcUsage: calcUsageAndLimits
+            });
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// HTTP handler
+// ---------------------------------------------------------------------------
+
 export const receiveBandwidth = async (
    req: Request,
    res: Response,
@@ -75,7 +301,9 @@ export const receiveBandwidth = async (
            throw new Error("Invalid bandwidth data");
        }

-        await updateSiteBandwidth(bandwidthData, build == "saas"); // we are checking the usage on saas only
+        // Accumulate in memory; the periodic timer (and the shutdown hook)
+        // will write to the database.
+        await updateSiteBandwidth(bandwidthData, build == "saas");

        return response(res, {
            data: {},
@@ -94,201 +322,3 @@ export const receiveBandwidth = async (
        );
    }
 };
-
-export async function updateSiteBandwidth(
-    bandwidthData: PeerBandwidth[],
-    calcUsageAndLimits: boolean,
-    exitNodeId?: number
-) {
-    const currentTime = new Date();
-    const oneMinuteAgo = new Date(currentTime.getTime() - 60000); // 1 minute ago
-
-    // Sort bandwidth data by publicKey to ensure consistent lock ordering across all instances
-    // This is critical for preventing deadlocks when multiple instances update the same sites
-    const sortedBandwidthData = [...bandwidthData].sort((a, b) =>
-        a.publicKey.localeCompare(b.publicKey)
-    );
-
-    // First, handle sites that are actively reporting bandwidth
-    const activePeers = sortedBandwidthData.filter((peer) => peer.bytesIn > 0);
-
-    // Aggregate usage data by organization (collected outside transaction)
-    const orgUsageMap = new Map<string, number>();
-
-    if (activePeers.length > 0) {
-        // Remove any active peers from offline tracking since they're sending data
-        activePeers.forEach((peer) => offlineSites.delete(peer.publicKey));
-
-        // Update each active site individually with retry logic
-        // This reduces transaction scope and allows retries per-site
-        for (const peer of activePeers) {
-            try {
-                const updatedSite = await withDeadlockRetry(async () => {
-                    const [result] = await db
-                        .update(sites)
-                        .set({
-                            megabytesOut: sql`${sites.megabytesOut} + ${peer.bytesIn}`,
-                            megabytesIn: sql`${sites.megabytesIn} + ${peer.bytesOut}`,
-                            lastBandwidthUpdate: currentTime.toISOString(),
-                            online: true
-                        })
-                        .where(eq(sites.pubKey, peer.publicKey))
-                        .returning({
-                            online: sites.online,
-                            orgId: sites.orgId,
-                            siteId: sites.siteId,
-                            lastBandwidthUpdate: sites.lastBandwidthUpdate
-                        });
-                    return result;
-                }, `update active site ${peer.publicKey}`);
-
-                if (updatedSite) {
-                    if (exitNodeId) {
-                        const notAllowed = await checkExitNodeOrg(
-                            exitNodeId,
-                            updatedSite.orgId
-                        );
-                        if (notAllowed) {
-                            logger.warn(
-                                `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                            );
-                            // Skip this site but continue processing others
-                            continue;
-                        }
-                    }
-
-                    // Aggregate bandwidth usage for the org
-                    const totalBandwidth = peer.bytesIn + peer.bytesOut;
-                    const currentOrgUsage =
-                        orgUsageMap.get(updatedSite.orgId) || 0;
-                    orgUsageMap.set(
-                        updatedSite.orgId,
-                        currentOrgUsage + totalBandwidth
-                    );
-                }
-            } catch (error) {
-                logger.error(
-                    `Failed to update bandwidth for site ${peer.publicKey}:`,
-                    error
-                );
-                // Continue with other sites
-            }
-        }
-    }
-
-    // Process usage updates outside of site update transactions
-    // This separates the concerns and reduces lock contention
-    if (calcUsageAndLimits && orgUsageMap.size > 0) {
-        // Sort org IDs to ensure consistent lock ordering
-        const allOrgIds = [...new Set([...orgUsageMap.keys()])].sort();
-
-        for (const orgId of allOrgIds) {
-            try {
-                // Process bandwidth usage for this org
-                const totalBandwidth = orgUsageMap.get(orgId);
-                if (totalBandwidth) {
-                    const bandwidthUsage = await usageService.add(
-                        orgId,
-                        FeatureId.EGRESS_DATA_MB,
-                        totalBandwidth
-                    );
-                    if (bandwidthUsage) {
-                        // Fire and forget - don't block on limit checking
-                        usageService
-                            .checkLimitSet(
-                                orgId,
-                                FeatureId.EGRESS_DATA_MB,
-                                bandwidthUsage
-                            )
-                            .catch((error: any) => {
-                                logger.error(
-                                    `Error checking bandwidth limits for org ${orgId}:`,
-                                    error
-                                );
-                            });
-                    }
-                }
-            } catch (error) {
-                logger.error(`Error processing usage for org ${orgId}:`, error);
-                // Continue with other orgs
-            }
-        }
-    }
-
-    // Handle sites that reported zero bandwidth but need online status updated
-    const zeroBandwidthPeers = sortedBandwidthData.filter(
-        (peer) => peer.bytesIn === 0 && !offlineSites.has(peer.publicKey)
-    );
-
-    if (zeroBandwidthPeers.length > 0) {
-        // Fetch all zero bandwidth sites in one query
-        const zeroBandwidthSites = await db
-            .select()
-            .from(sites)
-            .where(
-                inArray(
-                    sites.pubKey,
-                    zeroBandwidthPeers.map((p) => p.publicKey)
-                )
-            );
-
-        // Sort by siteId to ensure consistent lock ordering
-        const sortedZeroBandwidthSites = zeroBandwidthSites.sort(
-            (a, b) => a.siteId - b.siteId
-        );
-
-        for (const site of sortedZeroBandwidthSites) {
-            let newOnlineStatus = site.online;
-
-            // Check if site should go offline based on last bandwidth update WITH DATA
-            if (site.lastBandwidthUpdate) {
-                const lastUpdateWithData = new Date(site.lastBandwidthUpdate);
-                if (lastUpdateWithData < oneMinuteAgo) {
-                    newOnlineStatus = false;
-                }
-            } else {
-                // No previous data update recorded, set to offline
-                newOnlineStatus = false;
-            }
-
-            // Only update online status if it changed
-            if (site.online !== newOnlineStatus) {
-                try {
-                    const updatedSite = await withDeadlockRetry(async () => {
-                        const [result] = await db
-                            .update(sites)
-                            .set({
-                                online: newOnlineStatus
-                            })
-                            .where(eq(sites.siteId, site.siteId))
-                            .returning();
-                        return result;
-                    }, `update offline status for site ${site.siteId}`);
-
-                    if (updatedSite && exitNodeId) {
-                        const notAllowed = await checkExitNodeOrg(
-                            exitNodeId,
-                            updatedSite.orgId
-                        );
-                        if (notAllowed) {
-                            logger.warn(
-                                `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                            );
-                        }
-                    }
-
-                    // If site went offline, add it to our tracking set
-                    if (!newOnlineStatus && site.pubKey) {
-                        offlineSites.add(site.pubKey);
-                    }
-                } catch (error) {
-                    logger.error(
-                        `Failed to update offline status for site ${site.siteId}:`,
-                        error
-                    );
-                    // Continue with other sites
-                }
-            }
-        }
-    }
-}
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -309,6 +309,14 @@ authenticated.post(
    siteResource.removeClientFromSiteResource
 );

+authenticated.post(
+    "/client/:clientId/site-resources",
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
+    logActionAudit(ActionsEnum.setResourceUsers),
+    siteResource.batchAddClientToSiteResources
+);
+
 authenticated.put(
    "/org/:orgId/resource",
    verifyApiKeyOrgAccess,
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -1,9 +1,24 @@
-import { clients, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, ExitNode, resources, Site, siteResources, targetHealthCheck, targets } from "@server/db";
+import {
+    clients,
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    ExitNode,
+    resources,
+    Site,
+    siteResources,
+    targetHealthCheck,
+    targets
+} from "@server/db";
 import logger from "@server/logger";
 import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
-import { generateSubnetProxyTargets, SubnetProxyTarget } from "@server/lib/ip";
+import {
+    formatEndpoint,
+    generateSubnetProxyTargets,
+    SubnetProxyTarget
+} from "@server/lib/ip";

 export async function buildClientConfigurationForNewtClient(
    site: Site,
@@ -69,6 +84,7 @@ export async function buildClientConfigurationForNewtClient(
                    //         )
                    //     );

+                    if (!client.clientSitesAssociationsCache.isJitMode) { // if we are adding sites through jit then dont add the site to the olm
                        // update the peer info on the olm
                        // if the peer has not been added yet this will be a no-op
                        await updatePeer(client.clients.clientId, {
@@ -103,6 +119,7 @@ export async function buildClientConfigurationForNewtClient(
                                }
                            }
                        );
+                    }

                    return {
                        publicKey: client.clients.pubKey!,
@@ -188,7 +205,8 @@ export async function buildTargetConfigurationForNewtClient(siteId: number) {
            hcTimeout: targetHealthCheck.hcTimeout,
            hcHeaders: targetHealthCheck.hcHeaders,
            hcMethod: targetHealthCheck.hcMethod,
-            hcTlsServerName: targetHealthCheck.hcTlsServerName
+            hcTlsServerName: targetHealthCheck.hcTlsServerName,
+            hcStatus: targetHealthCheck.hcStatus
        })
        .from(targets)
        .innerJoin(resources, eq(targets.resourceId, resources.resourceId))
@@ -205,8 +223,8 @@ export async function buildTargetConfigurationForNewtClient(siteId: number) {
                return acc;
            }

-            // Format target into string
-            const formattedTarget = `${target.internalPort}:${target.ip}:${target.port}`;
+            // Format target into string (handles IPv6 bracketing)
+            const formattedTarget = `${target.internalPort}:${formatEndpoint(target.ip, target.port)}`;

            // Add to the appropriate protocol array
            if (target.protocol === "tcp") {
@@ -229,9 +247,9 @@ export async function buildTargetConfigurationForNewtClient(siteId: number) {
            !target.hcInterval ||
            !target.hcMethod
        ) {
-            logger.debug(
-                `Skipping adding target health check ${target.targetId} due to missing health check fields`
-            );
+            // logger.debug(
+            //     `Skipping adding target health check ${target.targetId} due to missing health check fields`
+            // );
            return null; // Skip targets with missing health check fields
        }

@@ -261,7 +279,8 @@ export async function buildTargetConfigurationForNewtClient(siteId: number) {
            hcTimeout: target.hcTimeout, // in seconds
            hcHeaders: hcHeadersSend,
            hcMethod: target.hcMethod,
-            hcTlsServerName: target.hcTlsServerName
+            hcTlsServerName: target.hcTlsServerName,
+            hcStatus: target.hcStatus
        };
    });

--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -6,6 +6,7 @@ import { db, ExitNode, exitNodes, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
+import { canCompress } from "@server/lib/clientVersionChecks";

 const inputSchema = z.object({
    publicKey: z.string(),
@@ -135,6 +136,9 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
                targets
            }
        },
+        options: {
+            compress: canCompress(newt.version, "newt")
+        },
        broadcast: false,
        excludeSender: false
    };
--- a/server/routers/newt/handleNewtDisconnectingMessage.ts
+++ b/server/routers/newt/handleNewtDisconnectingMessage.ts
@@ -0,0 +1,34 @@
+import { MessageHandler } from "@server/routers/ws";
+import { db, Newt, sites } from "@server/db";
+import { eq } from "drizzle-orm";
+import logger from "@server/logger";
+
+/**
+ * Handles disconnecting messages from sites to show disconnected in the ui
+ */
+export const handleNewtDisconnectingMessage: MessageHandler = async (context) => {
+    const { message, client: c, sendToClient } = context;
+    const newt = c as Newt;
+
+    if (!newt) {
+        logger.warn("Newt not found");
+        return;
+    }
+
+    if (!newt.siteId) {
+        logger.warn("Newt has no client ID!");
+        return;
+    }
+
+    try {
+        // Update the client's last ping timestamp
+        await db
+            .update(sites)
+            .set({
+                online: false
+            })
+            .where(eq(sites.siteId, sites.siteId));
+    } catch (error) {
+        logger.error("Error handling disconnecting message", { error });
+    }
+};
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -1,105 +1,107 @@
-import { db, sites } from "@server/db";
-import { disconnectClient, getClientConfigVersion } from "#dynamic/routers/ws";
+import { db, newts, sites } from "@server/db";
+import { hasActiveConnections, getClientConfigVersion } from "#dynamic/routers/ws";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Newt } from "@server/db";
+import { Newt } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
-import { validateSessionToken } from "@server/auth/sessions/app";
-import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { sendTerminateClient } from "../client/terminate";
-import { encodeHexLowerCase } from "@oslojs/encoding";
-import { sha256 } from "@oslojs/crypto/sha2";
 import { sendNewtSyncMessage } from "./sync";

 // Track if the offline checker interval is running
-// let offlineCheckerInterval: NodeJS.Timeout | null = null;
-// const OFFLINE_CHECK_INTERVAL = 30 * 1000; // Check every 30 seconds
-// const OFFLINE_THRESHOLD_MS = 2 * 60 * 1000; // 2 minutes
+let offlineCheckerInterval: NodeJS.Timeout | null = null;
+const OFFLINE_CHECK_INTERVAL = 30 * 1000; // Check every 30 seconds
+const OFFLINE_THRESHOLD_MS = 2 * 60 * 1000; // 2 minutes

 /**
- * Starts the background interval that checks for clients that haven't pinged recently
- * and marks them as offline
+ * Starts the background interval that checks for newt sites that haven't
+ * pinged recently and marks them as offline. For backward compatibility,
+ * a site is only marked offline when there is no active WebSocket connection
+ * either — so older newt versions that don't send pings but remain connected
+ * continue to be treated as online.
 */
-// export const startNewtOfflineChecker = (): void => {
-//     if (offlineCheckerInterval) {
-//         return; // Already running
-//     }
+export const startNewtOfflineChecker = (): void => {
+    if (offlineCheckerInterval) {
+        return; // Already running
+    }

-//     offlineCheckerInterval = setInterval(async () => {
-//         try {
-//             const twoMinutesAgo = Math.floor(
-//                 (Date.now() - OFFLINE_THRESHOLD_MS) / 1000
-//             );
+    offlineCheckerInterval = setInterval(async () => {
+        try {
+            const twoMinutesAgo = Math.floor(
+                (Date.now() - OFFLINE_THRESHOLD_MS) / 1000
+            );

-//             // TODO: WE NEED TO MAKE SURE THIS WORKS WITH DISTRIBUTED NODES ALL DOING THE SAME THING
+            // Find all online newt-type sites that haven't pinged recently
+            // (or have never pinged at all). Join newts to obtain the newtId
+            // needed for the WebSocket connection check.
+            const staleSites = await db
+                .select({
+                    siteId: sites.siteId,
+                    newtId: newts.newtId,
+                    lastPing: sites.lastPing
+                })
+                .from(sites)
+                .innerJoin(newts, eq(newts.siteId, sites.siteId))
+                .where(
+                    and(
+                        eq(sites.online, true),
+                        eq(sites.type, "newt"),
+                        or(
+                            lt(sites.lastPing, twoMinutesAgo),
+                            isNull(sites.lastPing)
+                        )
+                    )
+                );

-//             // Find clients that haven't pinged in the last 2 minutes and mark them as offline
-//             const offlineClients = await db
-//                 .update(clients)
-//                 .set({ online: false })
-//                 .where(
-//                     and(
-//                         eq(clients.online, true),
-//                         or(
-//                             lt(clients.lastPing, twoMinutesAgo),
-//                             isNull(clients.lastPing)
-//                         )
-//                     )
-//                 )
-//                 .returning();
+            for (const staleSite of staleSites) {
+                // Backward-compatibility check: if the newt still has an
+                // active WebSocket connection (older clients that don't send
+                // pings), keep the site online.
+                const isConnected = await hasActiveConnections(staleSite.newtId);
+                if (isConnected) {
+                    logger.debug(
+                        `Newt ${staleSite.newtId} has not pinged recently but is still connected via WebSocket — keeping site ${staleSite.siteId} online`
+                    );
+                    continue;
+                }

-//             for (const offlineClient of offlineClients) {
-//                 logger.info(
-//                     `Kicking offline newt client ${offlineClient.clientId} due to inactivity`
-//                 );
+                logger.info(
+                    `Marking site ${staleSite.siteId} offline: newt ${staleSite.newtId} has no recent ping and no active WebSocket connection`
+                );

-//                 if (!offlineClient.newtId) {
-//                     logger.warn(
-//                         `Offline client ${offlineClient.clientId} has no newtId, cannot disconnect`
-//                     );
-//                     continue;
-//                 }
+                await db
+                    .update(sites)
+                    .set({ online: false })
+                    .where(eq(sites.siteId, staleSite.siteId));
+            }
+        } catch (error) {
+            logger.error("Error in newt offline checker interval", { error });
+        }
+    }, OFFLINE_CHECK_INTERVAL);

-//                 // Send a disconnect message to the client if connected
-//                 try {
-//                     await sendTerminateClient(
-//                         offlineClient.clientId,
-//                         offlineClient.newtId
-//                     ); // terminate first
-//                     // wait a moment to ensure the message is sent
-//                     await new Promise((resolve) => setTimeout(resolve, 1000));
-//                     await disconnectClient(offlineClient.newtId);
-//                 } catch (error) {
-//                     logger.error(
-//                         `Error sending disconnect to offline newt ${offlineClient.clientId}`,
-//                         { error }
-//                     );
-//                 }
-//             }
-//         } catch (error) {
-//             logger.error("Error in offline checker interval", { error });
-//         }
-//     }, OFFLINE_CHECK_INTERVAL);
-
-//     logger.debug("Started offline checker interval");
-// };
+    logger.debug("Started newt offline checker interval");
+};

 /**
- * Stops the background interval that checks for offline clients
+ * Stops the background interval that checks for offline newt sites.
 */
-// export const stopNewtOfflineChecker = (): void => {
-//     if (offlineCheckerInterval) {
-//         clearInterval(offlineCheckerInterval);
-//         offlineCheckerInterval = null;
-//         logger.info("Stopped offline checker interval");
-//     }
-// };
+export const stopNewtOfflineChecker = (): void => {
+    if (offlineCheckerInterval) {
+        clearInterval(offlineCheckerInterval);
+        offlineCheckerInterval = null;
+        logger.info("Stopped newt offline checker interval");
+    }
+};

 /**
- * Handles ping messages from clients and responds with pong
+ * Handles ping messages from newt clients.
+ *
+ * On each ping:
+ *  - Marks the associated site as online.
+ *  - Records the current timestamp as the newt's last-ping time.
+ *  - Triggers a config sync if the newt is running an outdated config version.
+ *  - Responds with a pong message.
 */
 export const handleNewtPingMessage: MessageHandler = async (context) => {
-    const { message, client: c, sendToClient } = context;
+    const { message, client: c } = context;
    const newt = c as Newt;

    if (!newt) {
@@ -112,15 +114,31 @@ export const handleNewtPingMessage: MessageHandler = async (context) => {
        return;
    }

-    // get the version
+    try {
+        // Mark the site as online and record the ping timestamp.
+        await db
+            .update(sites)
+            .set({
+                online: true,
+                lastPing: Math.floor(Date.now() / 1000)
+            })
+            .where(eq(sites.siteId, newt.siteId));
+    } catch (error) {
+        logger.error("Error updating online state on newt ping", { error });
+    }
+
+    // Check config version and sync if stale.
    const configVersion = await getClientConfigVersion(newt.newtId);

-    if (message.configVersion && configVersion != null && configVersion != message.configVersion) {
+    if (
+        message.configVersion != null &&
+        configVersion != null &&
+        configVersion !== message.configVersion
+    ) {
        logger.warn(
            `Newt ping with outdated config version: ${message.configVersion} (current: ${configVersion})`
        );

-        // get the site
        const [site] = await db
            .select()
            .from(sites)
@@ -137,19 +155,6 @@ export const handleNewtPingMessage: MessageHandler = async (context) => {
        await sendNewtSyncMessage(newt, site);
    }

-    // try {
-    //     // Update the client's last ping timestamp
-    //     await db
-    //         .update(clients)
-    //         .set({
-    //             lastPing: Math.floor(Date.now() / 1000),
-    //             online: true
-    //         })
-    //         .where(eq(clients.clientId, newt.clientId));
-    // } catch (error) {
-    //     logger.error("Error handling ping message", { error });
-    // }
-
    return {
        message: {
            type: "pong",
--- a/server/routers/newt/handleNewtRegisterMessage.ts
+++ b/server/routers/newt/handleNewtRegisterMessage.ts
@@ -5,9 +5,7 @@ import { eq } from "drizzle-orm";
 import { addPeer, deletePeer } from "../gerbil/peers";
 import logger from "@server/logger";
 import config from "@server/lib/config";
-import {
-    findNextAvailableCidr,
-} from "@server/lib/ip";
+import { findNextAvailableCidr } from "@server/lib/ip";
 import {
    selectBestExitNode,
    verifyExitNodeOrgAccess
@@ -15,6 +13,7 @@ import {
 import { fetchContainers } from "./dockerSocket";
 import { lockManager } from "#dynamic/lib/lock";
 import { buildTargetConfigurationForNewtClient } from "./buildConfiguration";
+import { canCompress } from "@server/lib/clientVersionChecks";

 export type ExitNodePingResult = {
    exitNodeId: number;
@@ -215,6 +214,9 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
                healthCheckTargets: validHealthCheckTargets
            }
        },
+        options: {
+            compress: canCompress(newt.version, "newt")
+        },
        broadcast: false, // Send to all clients
        excludeSender: false // Include sender in broadcast
    };
--- a/server/routers/newt/handleReceiveBandwidthMessage.ts
+++ b/server/routers/newt/handleReceiveBandwidthMessage.ts
@@ -10,10 +10,21 @@ interface PeerBandwidth {
    bytesOut: number;
 }

+interface BandwidthAccumulator {
+    bytesIn: number;
+    bytesOut: number;
+}
+
 // Retry configuration for deadlock handling
 const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;

+// How often to flush accumulated bandwidth data to the database
+const FLUSH_INTERVAL_MS = 120_000; // 120 seconds
+
+// In-memory accumulator: publicKey -> { bytesIn, bytesOut }
+let accumulator = new Map<string, BandwidthAccumulator>();
+
 /**
 * Check if an error is a deadlock error
 */
@@ -53,6 +64,90 @@ async function withDeadlockRetry<T>(
    }
 }

+/**
+ * Flush all accumulated bandwidth data to the database.
+ *
+ * Swaps out the accumulator before writing so that any bandwidth messages
+ * received during the flush are captured in the new accumulator rather than
+ * being lost or causing contention. Entries that fail to write are re-queued
+ * back into the accumulator so they will be retried on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushBandwidthToDb(): Promise<void> {
+    if (accumulator.size === 0) {
+        return;
+    }
+
+    // Atomically swap out the accumulator so new data keeps flowing in
+    // while we write the snapshot to the database.
+    const snapshot = accumulator;
+    accumulator = new Map<string, BandwidthAccumulator>();
+
+    const currentTime = new Date().toISOString();
+
+    // Sort by publicKey for consistent lock ordering across concurrent
+    // writers — this is the same deadlock-prevention strategy used in the
+    // original per-message implementation.
+    const sortedEntries = [...snapshot.entries()].sort(([a], [b]) =>
+        a.localeCompare(b)
+    );
+
+    logger.debug(
+        `Flushing accumulated bandwidth data for ${sortedEntries.length} client(s) to the database`
+    );
+
+    for (const [publicKey, { bytesIn, bytesOut }] of sortedEntries) {
+        try {
+            await withDeadlockRetry(async () => {
+                // Use atomic SQL increment to avoid the SELECT-then-UPDATE
+                // anti-pattern and the races it would introduce.
+                await db
+                    .update(clients)
+                    .set({
+                        // Note: bytesIn from peer goes to megabytesOut (data
+                        // sent to client) and bytesOut from peer goes to
+                        // megabytesIn (data received from client).
+                        megabytesOut: sql`COALESCE(${clients.megabytesOut}, 0) + ${bytesIn}`,
+                        megabytesIn: sql`COALESCE(${clients.megabytesIn}, 0) + ${bytesOut}`,
+                        lastBandwidthUpdate: currentTime
+                    })
+                    .where(eq(clients.pubKey, publicKey));
+            }, `flush bandwidth for client ${publicKey}`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush bandwidth for client ${publicKey}:`,
+                error
+            );
+
+            // Re-queue the failed entry so it is retried on the next flush
+            // rather than silently dropped.
+            const existing = accumulator.get(publicKey);
+            if (existing) {
+                existing.bytesIn += bytesIn;
+                existing.bytesOut += bytesOut;
+            } else {
+                accumulator.set(publicKey, { bytesIn, bytesOut });
+            }
+        }
+    }
+}
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushBandwidthToDb();
+    } catch (error) {
+        logger.error("Unexpected error during periodic bandwidth flush:", error);
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left.  The graceful-shutdown path (see server/cleanup.ts) will call
+// flushBandwidthToDb() explicitly before process.exit(), so no data is lost.
+flushTimer.unref();
+
 export const handleReceiveBandwidthMessage: MessageHandler = async (
    context
 ) => {
@@ -69,40 +164,21 @@ export const handleReceiveBandwidthMessage: MessageHandler = async (
        throw new Error("Invalid bandwidth data");
    }

-    // Sort bandwidth data by publicKey to ensure consistent lock ordering across all instances
-    // This is critical for preventing deadlocks when multiple instances update the same clients
-    const sortedBandwidthData = [...bandwidthData].sort((a, b) =>
-        a.publicKey.localeCompare(b.publicKey)
-    );
+    // Accumulate the incoming data in memory; the periodic timer (and the
+    // shutdown hook) will take care of writing it to the database.
+    for (const { publicKey, bytesIn, bytesOut } of bandwidthData) {
+        // Skip peers that haven't transferred any data — writing zeros to the
+        // database would be a no-op anyway.
+        if (bytesIn <= 0 && bytesOut <= 0) {
+            continue;
+        }

-    const currentTime = new Date().toISOString();
-
-    // Update each client individually with retry logic
-    // This reduces transaction scope and allows retries per-client
-    for (const peer of sortedBandwidthData) {
-        const { publicKey, bytesIn, bytesOut } = peer;
-
-        try {
-            await withDeadlockRetry(async () => {
-                // Use atomic SQL increment to avoid SELECT then UPDATE pattern
-                // This eliminates the need to read the current value first
-                await db
-                    .update(clients)
-                    .set({
-                        // Note: bytesIn from peer goes to megabytesOut (data sent to client)
-                        // and bytesOut from peer goes to megabytesIn (data received from client)
-                        megabytesOut: sql`COALESCE(${clients.megabytesOut}, 0) + ${bytesIn}`,
-                        megabytesIn: sql`COALESCE(${clients.megabytesIn}, 0) + ${bytesOut}`,
-                        lastBandwidthUpdate: currentTime
-                    })
-                    .where(eq(clients.pubKey, publicKey));
-            }, `update client bandwidth ${publicKey}`);
-        } catch (error) {
-            logger.error(
-                `Failed to update bandwidth for client ${publicKey}:`,
-                error
-            );
-            // Continue with other clients even if one fails
+        const existing = accumulator.get(publicKey);
+        if (existing) {
+            existing.bytesIn += bytesIn;
+            existing.bytesOut += bytesOut;
+        } else {
+            accumulator.set(publicKey, { bytesIn, bytesOut });
        }
    }
 };
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -7,3 +7,4 @@ export * from "./handleSocketMessages";
 export * from "./handleNewtPingRequestMessage";
 export * from "./handleApplyBlueprintMessage";
 export * from "./handleNewtPingMessage";
+export * from "./handleNewtDisconnectingMessage";
--- a/server/routers/newt/sync.ts
+++ b/server/routers/newt/sync.ts
@@ -6,6 +6,7 @@ import {
    buildClientConfigurationForNewtClient,
    buildTargetConfigurationForNewtClient
 } from "./buildConfiguration";
+import { canCompress } from "@server/lib/clientVersionChecks";

 export async function sendNewtSyncMessage(newt: Newt, site: Site) {
    const { tcpTargets, udpTargets, validHealthCheckTargets } =
@@ -24,7 +25,9 @@ export async function sendNewtSyncMessage(newt: Newt, site: Site) {
        exitNode
    );

-    await sendToClient(newt.newtId, {
+    await sendToClient(
+        newt.newtId,
+        {
            type: "newt/sync",
            data: {
                proxyTargets: {
@@ -35,7 +38,11 @@ export async function sendNewtSyncMessage(newt: Newt, site: Site) {
                peers: peers,
                clientTargets: targets
            }
-    }).catch((error) => {
+        },
+        {
+            compress: canCompress(newt.version, "newt")
+        }
+    ).catch((error) => {
        logger.warn(`Error sending newt sync message:`, error);
    });
 }
--- a/server/routers/newt/targets.ts
+++ b/server/routers/newt/targets.ts
@@ -2,13 +2,14 @@ import { Target, TargetHealthCheck, db, targetHealthCheck } from "@server/db";
 import { sendToClient } from "#dynamic/routers/ws";
 import logger from "@server/logger";
 import { eq, inArray } from "drizzle-orm";
+import { canCompress } from "@server/lib/clientVersionChecks";

 export async function addTargets(
    newtId: string,
    targets: Target[],
    healthCheckData: TargetHealthCheck[],
    protocol: string,
-    port: number | null = null
+    version?: string | null
 ) {
    //create a list of udp and tcp targets
    const payloadTargets = targets.map((target) => {
@@ -22,7 +23,7 @@ export async function addTargets(
        data: {
            targets: payloadTargets
        }
-    }, { incrementConfigVersion: true });
+    }, { incrementConfigVersion: true, compress: canCompress(version, "newt") });

    // Create a map for quick lookup
    const healthCheckMap = new Map<number, TargetHealthCheck>();
@@ -103,14 +104,14 @@ export async function addTargets(
        data: {
            targets: validHealthCheckTargets
        }
-    }, { incrementConfigVersion: true });
+    }, { incrementConfigVersion: true, compress: canCompress(version, "newt") });
 }

 export async function removeTargets(
    newtId: string,
    targets: Target[],
    protocol: string,
-    port: number | null = null
+    version?: string | null
 ) {
    //create a list of udp and tcp targets
    const payloadTargets = targets.map((target) => {
@@ -135,5 +136,5 @@ export async function removeTargets(
        data: {
            ids: healthCheckTargets
        }
-    }, { incrementConfigVersion: true });
+    }, { incrementConfigVersion: true, compress: canCompress(version, "newt") });
 }
--- a/server/routers/olm/buildConfiguration.ts
+++ b/server/routers/olm/buildConfiguration.ts
@@ -1,5 +1,17 @@
-import { Client, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, exitNodes, siteResources, sites } from "@server/db";
-import { generateAliasConfig, generateRemoteSubnets } from "@server/lib/ip";
+import {
+    Client,
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    exitNodes,
+    siteResources,
+    sites
+} from "@server/db";
+import {
+    Alias,
+    generateAliasConfig,
+    generateRemoteSubnets
+} from "@server/lib/ip";
 import logger from "@server/logger";
 import { and, eq } from "drizzle-orm";
 import { addPeer, deletePeer } from "../newt/peers";
@@ -8,9 +20,19 @@ import config from "@server/lib/config";
 export async function buildSiteConfigurationForOlmClient(
    client: Client,
    publicKey: string | null,
-    relay: boolean
+    relay: boolean,
+    jitMode: boolean = false
 ) {
-    const siteConfigurations = [];
+    const siteConfigurations: {
+        siteId: number;
+        name?: string
+        endpoint?: string
+        publicKey?: string
+        serverIP?: string | null
+        serverPort?: number | null
+        remoteSubnets?: string[];
+        aliases: Alias[];
+    }[] = [];

    // Get all sites data
    const sitesData = await db
@@ -27,6 +49,40 @@ export async function buildSiteConfigurationForOlmClient(
        sites: site,
        clientSitesAssociationsCache: association
    } of sitesData) {
+        const allSiteResources = await db // only get the site resources that this client has access to
+            .select()
+            .from(siteResources)
+            .innerJoin(
+                clientSiteResourcesAssociationsCache,
+                eq(
+                    siteResources.siteResourceId,
+                    clientSiteResourcesAssociationsCache.siteResourceId
+                )
+            )
+            .where(
+                and(
+                    eq(siteResources.siteId, site.siteId),
+                    eq(
+                        clientSiteResourcesAssociationsCache.clientId,
+                        client.clientId
+                    )
+                )
+            );
+
+        if (jitMode) {
+            // Add site configuration to the array
+            siteConfigurations.push({
+                siteId: site.siteId,
+                // remoteSubnets: generateRemoteSubnets(
+                //     allSiteResources.map(({ siteResources }) => siteResources)
+                // ),
+                aliases: generateAliasConfig(
+                    allSiteResources.map(({ siteResources }) => siteResources)
+                )
+            });
+            continue;
+        }
+
        if (!site.exitNodeId) {
            logger.warn(
                `Site ${site.siteId} does not have exit node, skipping`
@@ -42,6 +98,13 @@ export async function buildSiteConfigurationForOlmClient(
            continue;
        }

+        if (!site.publicKey || site.publicKey == "") { // the site is not ready to accept new peers
+            logger.warn(
+                `Site ${site.siteId} has no public key, skipping`
+            );
+            continue;
+        }
+
        // if (site.lastHolePunch && now - site.lastHolePunch > 6 && relay) {
        //     logger.warn(
        //         `Site ${site.siteId} last hole punch is too old, skipping`
@@ -103,26 +166,6 @@ export async function buildSiteConfigurationForOlmClient(
            relayEndpoint = `${exitNode.endpoint}:${config.getRawConfig().gerbil.clients_start_port}`;
        }

-        const allSiteResources = await db // only get the site resources that this client has access to
-            .select()
-            .from(siteResources)
-            .innerJoin(
-                clientSiteResourcesAssociationsCache,
-                eq(
-                    siteResources.siteResourceId,
-                    clientSiteResourcesAssociationsCache.siteResourceId
-                )
-            )
-            .where(
-                and(
-                    eq(siteResources.siteId, site.siteId),
-                    eq(
-                        clientSiteResourcesAssociationsCache.clientId,
-                        client.clientId
-                    )
-                )
-            );
-
        // Add site configuration to the array
        siteConfigurations.push({
            siteId: site.siteId,
--- a/server/routers/olm/handleOlmDisconnectingMessage.ts
+++ b/server/routers/olm/handleOlmDisconnectingMessage.ts
@@ -6,7 +6,7 @@ import logger from "@server/logger";
 /**
 * Handles disconnecting messages from clients to show disconnected in the ui
 */
-export const handleOlmDisconnecingMessage: MessageHandler = async (context) => {
+export const handleOlmDisconnectingMessage: MessageHandler = async (context) => {
    const { message, client: c, sendToClient } = context;
    const olm = c as Olm;

--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -17,6 +17,9 @@ import { getUserDeviceName } from "@server/db/names";
 import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
 import { OlmErrorCodes, sendOlmError } from "./error";
 import { handleFingerprintInsertion } from "./fingerprintingUtils";
+import { Alias } from "@server/lib/ip";
+import { build } from "@server/build";
+import { canCompress } from "@server/lib/clientVersionChecks";

 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    logger.info("Handling register olm message!");
@@ -207,6 +210,32 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        }
    }

+    // Get all sites data
+    const sitesCountResult = await db
+        .select({ count: count() })
+        .from(sites)
+        .innerJoin(
+            clientSitesAssociationsCache,
+            eq(sites.siteId, clientSitesAssociationsCache.siteId)
+        )
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
+
+    // Extract the count value from the result array
+    const sitesCount =
+        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
+
+    // Prepare an array to store site configurations
+    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
+
+    let jitMode = false;
+    if (sitesCount > 250 && build == "saas") {
+        // THIS IS THE MAX ON THE BUSINESS TIER
+        // we have too many sites
+        // If we have too many sites we need to drop into fully JIT mode by not sending any of the sites
+        logger.info("Too many sites (%d), dropping into JIT mode", sitesCount);
+        jitMode = true;
+    }
+
    logger.debug(
        `Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`
    );
@@ -233,28 +262,12 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        await db
            .update(clientSitesAssociationsCache)
            .set({
-                isRelayed: relay == true
+                isRelayed: relay == true,
+                isJitMode: jitMode
            })
            .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
    }

-    // Get all sites data
-    const sitesCountResult = await db
-        .select({ count: count() })
-        .from(sites)
-        .innerJoin(
-            clientSitesAssociationsCache,
-            eq(sites.siteId, clientSitesAssociationsCache.siteId)
-        )
-        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
-
-    // Extract the count value from the result array
-    const sitesCount =
-        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
-
-    // Prepare an array to store site configurations
-    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
-
    // this prevents us from accepting a register from an olm that has not hole punched yet.
    // the olm will pump the register so we can keep checking
    // TODO: I still think there is a better way to do this rather than locking it out here but ???
@@ -269,15 +282,10 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    const siteConfigurations = await buildSiteConfigurationForOlmClient(
        client,
        publicKey,
-        relay
+        relay,
+        jitMode
    );

-    // REMOVED THIS SO IT CREATES THE INTERFACE AND JUST WAITS FOR THE SITES
-    // if (siteConfigurations.length === 0) {
-    //     logger.warn("No valid site configurations found");
-    //     return;
-    // }
-
    // Return connect message with all site configurations
    return {
        message: {
@@ -288,6 +296,9 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
                utilitySubnet: org.utilitySubnet
            }
        },
+        options: {
+            compress: canCompress(olm.version, "olm")
+        },
        broadcast: false,
        excludeSender: false
    };
--- a/server/routers/olm/handleOlmRelayMessage.ts
+++ b/server/routers/olm/handleOlmRelayMessage.ts
@@ -18,7 +18,7 @@ export const handleOlmRelayMessage: MessageHandler = async (context) => {
    }

    if (!olm.clientId) {
-        logger.warn("Olm has no site!"); // TODO: Maybe we create the site here?
+        logger.warn("Olm has no client!");
        return;
    }

@@ -41,7 +41,7 @@ export const handleOlmRelayMessage: MessageHandler = async (context) => {
        return;
    }

-    const { siteId } = message.data;
+    const { siteId, chainId } = message.data;

    // Get the site
    const [site] = await db
@@ -90,7 +90,8 @@ export const handleOlmRelayMessage: MessageHandler = async (context) => {
            data: {
                siteId: siteId,
                relayEndpoint: exitNode.endpoint,
-                relayPort: config.getRawConfig().gerbil.clients_start_port
+                relayPort: config.getRawConfig().gerbil.clients_start_port,
+                chainId
            }
        },
        broadcast: false,
--- a/server/routers/olm/handleOlmServerInitAddPeerHandshake.ts
+++ b/server/routers/olm/handleOlmServerInitAddPeerHandshake.ts
@@ -0,0 +1,241 @@
+import {
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    exitNodes,
+    Site,
+    siteResources
+} from "@server/db";
+import { MessageHandler } from "@server/routers/ws";
+import { clients, Olm, sites } from "@server/db";
+import { and, eq, or } from "drizzle-orm";
+import logger from "@server/logger";
+import { initPeerAddHandshake } from "./peers";
+
+export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
+    context
+) => {
+    logger.info("Handling register olm message!");
+    const { message, client: c, sendToClient } = context;
+    const olm = c as Olm;
+
+    if (!olm) {
+        logger.warn("Olm not found");
+        return;
+    }
+
+    if (!olm.clientId) {
+        logger.warn("Olm has no client!"); // TODO: Maybe we create the site here?
+        return;
+    }
+
+    const clientId = olm.clientId;
+
+    const [client] = await db
+        .select()
+        .from(clients)
+        .where(eq(clients.clientId, clientId))
+        .limit(1);
+
+    if (!client) {
+        logger.warn("Client not found");
+        return;
+    }
+
+    const { siteId, resourceId, chainId } = message.data;
+
+    let site: Site | null = null;
+    if (siteId) {
+        // get the site
+        const [siteRes] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, siteId))
+            .limit(1);
+        if (siteRes) {
+            site = siteRes;
+        }
+    }
+
+    if (resourceId && !site) {
+        const resources = await db
+            .select()
+            .from(siteResources)
+            .where(
+                and(
+                    or(
+                        eq(siteResources.niceId, resourceId),
+                        eq(siteResources.alias, resourceId)
+                    ),
+                    eq(siteResources.orgId, client.orgId)
+                )
+            );
+
+        if (!resources || resources.length === 0) {
+            logger.error(`handleOlmServerPeerAddMessage: Resource not found`);
+            // cancel the request from the olm side to not keep doing this
+            await sendToClient(
+                olm.olmId,
+                {
+                    type: "olm/wg/peer/chain/cancel",
+                    data: {
+                        chainId
+                    }
+                },
+                { incrementConfigVersion: false }
+            ).catch((error) => {
+                logger.warn(`Error sending message:`, error);
+            });
+            return;
+        }
+
+        if (resources.length > 1) {
+            // error but this should not happen because the nice id cant contain a dot and the alias has to have a dot and both have to be unique within the org so there should never be multiple matches
+            logger.error(
+                `handleOlmServerPeerAddMessage: Multiple resources found matching the criteria`
+            );
+            return;
+        }
+
+        const resource = resources[0];
+
+        const currentResourceAssociationCaches = await db
+            .select()
+            .from(clientSiteResourcesAssociationsCache)
+            .where(
+                and(
+                    eq(
+                        clientSiteResourcesAssociationsCache.siteResourceId,
+                        resource.siteResourceId
+                    ),
+                    eq(
+                        clientSiteResourcesAssociationsCache.clientId,
+                        client.clientId
+                    )
+                )
+            );
+
+        if (currentResourceAssociationCaches.length === 0) {
+            logger.error(
+                `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to resource ${resource.siteResourceId}`
+            );
+            // cancel the request from the olm side to not keep doing this
+            await sendToClient(
+                olm.olmId,
+                {
+                    type: "olm/wg/peer/chain/cancel",
+                    data: {
+                        chainId
+                    }
+                },
+                { incrementConfigVersion: false }
+            ).catch((error) => {
+                logger.warn(`Error sending message:`, error);
+            });
+            return;
+        }
+
+        const siteIdFromResource = resource.siteId;
+
+        // get the site
+        const [siteRes] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, siteIdFromResource));
+        if (!siteRes) {
+            logger.error(
+                `handleOlmServerPeerAddMessage: Site with ID ${site} not found`
+            );
+            return;
+        }
+
+        site = siteRes;
+    }
+
+    if (!site) {
+        logger.error(`handleOlmServerPeerAddMessage: Site not found`);
+        return;
+    }
+
+    // check if the client can access this site using the cache
+    const currentSiteAssociationCaches = await db
+        .select()
+        .from(clientSitesAssociationsCache)
+        .where(
+            and(
+                eq(clientSitesAssociationsCache.clientId, client.clientId),
+                eq(clientSitesAssociationsCache.siteId, site.siteId)
+            )
+        );
+
+    if (currentSiteAssociationCaches.length === 0) {
+        logger.error(
+            `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to site ${site.siteId}`
+        );
+        // cancel the request from the olm side to not keep doing this
+        await sendToClient(
+            olm.olmId,
+            {
+                type: "olm/wg/peer/chain/cancel",
+                data: {
+                    chainId
+                }
+            },
+            { incrementConfigVersion: false }
+        ).catch((error) => {
+            logger.warn(`Error sending message:`, error);
+        });
+        return;
+    }
+
+    if (!site.exitNodeId) {
+        logger.error(
+            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
+        );
+        // cancel the request from the olm side to not keep doing this
+        await sendToClient(
+            olm.olmId,
+            {
+                type: "olm/wg/peer/chain/cancel",
+                data: {
+                    chainId
+                }
+            },
+            { incrementConfigVersion: false }
+        ).catch((error) => {
+            logger.warn(`Error sending message:`, error);
+        });
+        return;
+    }
+
+    // get the exit node from the side
+    const [exitNode] = await db
+        .select()
+        .from(exitNodes)
+        .where(eq(exitNodes.exitNodeId, site.exitNodeId));
+
+    if (!exitNode) {
+        logger.error(
+            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
+        );
+        return;
+    }
+
+    // also trigger the peer add handshake in case the peer was not already added to the olm and we need to hole punch
+    // if it has already been added this will be a no-op
+    await initPeerAddHandshake(
+        // this will kick off the add peer process for the client
+        client.clientId,
+        {
+            siteId: site.siteId,
+            exitNode: {
+                publicKey: exitNode.publicKey,
+                endpoint: exitNode.endpoint
+            }
+        },
+        olm.olmId,
+        chainId
+    );
+
+    return;
+};
--- a/server/routers/olm/handleOlmServerPeerAddMessage.ts
+++ b/server/routers/olm/handleOlmServerPeerAddMessage.ts
@@ -54,7 +54,7 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
        return;
    }

-    const { siteId } = message.data;
+    const { siteId, chainId } = message.data;

    // get the site
    const [site] = await db
@@ -179,7 +179,8 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
                ),
                aliases: generateAliasConfig(
                    allSiteResources.map(({ siteResources }) => siteResources)
-                )
+                ),
+                chainId: chainId,
            }
        },
        broadcast: false,
--- a/server/routers/olm/handleOlmUnRelayMessage.ts
+++ b/server/routers/olm/handleOlmUnRelayMessage.ts
@@ -17,7 +17,7 @@ export const handleOlmUnRelayMessage: MessageHandler = async (context) => {
    }

    if (!olm.clientId) {
-        logger.warn("Olm has no site!"); // TODO: Maybe we create the site here?
+        logger.warn("Olm has no client!");
        return;
    }

@@ -40,7 +40,7 @@ export const handleOlmUnRelayMessage: MessageHandler = async (context) => {
        return;
    }

-    const { siteId } = message.data;
+    const { siteId, chainId } = message.data;

    // Get the site
    const [site] = await db
@@ -87,7 +87,8 @@ export const handleOlmUnRelayMessage: MessageHandler = async (context) => {
            type: "olm/wg/peer/unrelay",
            data: {
                siteId: siteId,
-                endpoint: site.endpoint
+                endpoint: site.endpoint,
+                chainId
            }
        },
        broadcast: false,
--- a/server/routers/olm/index.ts
+++ b/server/routers/olm/index.ts
@@ -11,3 +11,4 @@ export * from "./handleOlmServerPeerAddMessage";
 export * from "./handleOlmUnRelayMessage";
 export * from "./recoverOlmWithFingerprint";
 export * from "./handleOlmDisconnectingMessage";
+export * from "./handleOlmServerInitAddPeerHandshake";
--- a/server/routers/olm/peers.ts
+++ b/server/routers/olm/peers.ts
@@ -1,8 +1,9 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms } from "@server/db";
+import { clientSitesAssociationsCache, db, olms } from "@server/db";
+import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";
 import logger from "@server/logger";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { Alias } from "yaml";

 export async function addPeer(
@@ -18,7 +19,8 @@ export async function addPeer(
        remoteSubnets: string[] | null; // optional, comma-separated list of subnets that this site can access
        aliases: Alias[];
    },
-    olmId?: string
+    olmId?: string,
+    version?: string | null
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -30,6 +32,7 @@ export async function addPeer(
            return; // ignore this because an olm might not be associated with the client anymore
        }
        olmId = olm.olmId;
+        version = olm.version;
    }

    await sendToClient(
@@ -48,7 +51,7 @@ export async function addPeer(
                aliases: peer.aliases
            }
        },
-        { incrementConfigVersion: true }
+        { incrementConfigVersion: true, compress: canCompress(version, "olm") }
    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
@@ -60,7 +63,8 @@ export async function deletePeer(
    clientId: number,
    siteId: number,
    publicKey: string,
-    olmId?: string
+    olmId?: string,
+    version?: string | null
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -72,6 +76,7 @@ export async function deletePeer(
            return;
        }
        olmId = olm.olmId;
+        version = olm.version;
    }

    await sendToClient(
@@ -83,7 +88,7 @@ export async function deletePeer(
                siteId: siteId
            }
        },
-        { incrementConfigVersion: true }
+        { incrementConfigVersion: true, compress: canCompress(version, "olm") }
    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
@@ -103,7 +108,8 @@ export async function updatePeer(
        remoteSubnets?: string[] | null; // optional, comma-separated list of subnets that
        aliases?: Alias[] | null;
    },
-    olmId?: string
+    olmId?: string,
+    version?: string | null
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -115,6 +121,7 @@ export async function updatePeer(
            return;
        }
        olmId = olm.olmId;
+        version = olm.version;
    }

    await sendToClient(
@@ -132,7 +139,7 @@ export async function updatePeer(
                aliases: peer.aliases
            }
        },
-        { incrementConfigVersion: true }
+        { incrementConfigVersion: true, compress: canCompress(version, "olm") }
    ).catch((error) => {
        logger.warn(`Error sending message:`, error);
    });
@@ -149,7 +156,8 @@ export async function initPeerAddHandshake(
            endpoint: string;
        };
    },
-    olmId?: string
+    olmId?: string,
+    chainId?: string
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -173,7 +181,8 @@ export async function initPeerAddHandshake(
                    publicKey: peer.exitNode.publicKey,
                    relayPort: config.getRawConfig().gerbil.clients_start_port,
                    endpoint: peer.exitNode.endpoint
-                }
+                },
+                chainId
            }
        },
        { incrementConfigVersion: true }
@@ -181,6 +190,17 @@ export async function initPeerAddHandshake(
        logger.warn(`Error sending message:`, error);
    });

+    // update the clientSiteAssociationsCache to make the isJitMode flag false so that JIT mode is disabled for this site if it restarts or something after the connection
+    await db
+        .update(clientSitesAssociationsCache)
+        .set({ isJitMode: false })
+        .where(
+            and(
+                eq(clientSitesAssociationsCache.clientId, clientId),
+                eq(clientSitesAssociationsCache.siteId, peer.siteId)
+            )
+        );
+
    logger.info(
        `Initiated peer add handshake for site ${peer.siteId} to olm ${olmId}`
    );
--- a/server/routers/olm/sync.ts
+++ b/server/routers/olm/sync.ts
@@ -1,9 +1,17 @@
-import { Client, db, exitNodes, Olm, sites, clientSitesAssociationsCache } from "@server/db";
+import {
+    Client,
+    db,
+    exitNodes,
+    Olm,
+    sites,
+    clientSitesAssociationsCache
+} from "@server/db";
 import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
 import { sendToClient } from "#dynamic/routers/ws";
 import logger from "@server/logger";
 import { eq, inArray } from "drizzle-orm";
 import config from "@server/lib/config";
+import { canCompress } from "@server/lib/clientVersionChecks";

 export async function sendOlmSyncMessage(olm: Olm, client: Client) {
    // NOTE: WE ARE HARDCODING THE RELAY PARAMETER TO FALSE HERE BUT IN THE REGISTER MESSAGE ITS DEFINED BY THE CLIENT
@@ -17,10 +25,7 @@ export async function sendOlmSyncMessage(olm: Olm, client: Client) {
    const clientSites = await db
        .select()
        .from(clientSitesAssociationsCache)
-        .innerJoin(
-            sites,
-            eq(sites.siteId, clientSitesAssociationsCache.siteId)
-        )
+        .innerJoin(sites, eq(sites.siteId, clientSitesAssociationsCache.siteId))
        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));

    // Extract unique exit node IDs
@@ -68,13 +73,20 @@ export async function sendOlmSyncMessage(olm: Olm, client: Client) {

    logger.debug("sendOlmSyncMessage: sending sync message");

-    await sendToClient(olm.olmId, {
+    await sendToClient(
+        olm.olmId,
+        {
            type: "olm/sync",
            data: {
                sites: siteConfigurations,
                exitNodes: exitNodesData
            }
-    }).catch((error) => {
+        },
+
+        {
+            compress: canCompress(olm.version, "olm")
+        }
+    ).catch((error) => {
        logger.warn(`Error sending olm sync message:`, error);
    });
 }
--- a/server/routers/siteResource/batchAddClientToSiteResources.ts
+++ b/server/routers/siteResource/batchAddClientToSiteResources.ts
@@ -0,0 +1,247 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    db,
+    clients,
+    clientSiteResources,
+    siteResources,
+    apiKeyOrg
+} from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { eq, and, inArray } from "drizzle-orm";
+import { OpenAPITags, registry } from "@server/openApi";
+import {
+    rebuildClientAssociationsFromClient,
+    rebuildClientAssociationsFromSiteResource
+} from "@server/lib/rebuildClientAssociations";
+
+const batchAddClientToSiteResourcesParamsSchema = z
+    .object({
+        clientId: z.string().transform(Number).pipe(z.number().int().positive())
+    })
+    .strict();
+
+const batchAddClientToSiteResourcesBodySchema = z
+    .object({
+        siteResourceIds: z
+            .array(z.number().int().positive())
+            .min(1, "At least one siteResourceId is required")
+    })
+    .strict();
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/site-resources",
+    description: "Add a machine client to multiple site resources at once.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: batchAddClientToSiteResourcesParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: batchAddClientToSiteResourcesBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function batchAddClientToSiteResources(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const apiKey = req.apiKey;
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        const parsedParams =
+            batchAddClientToSiteResourcesParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = batchAddClientToSiteResourcesBodySchema.safeParse(
+            req.body
+        );
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+        const { siteResourceIds } = parsedBody.data;
+        const uniqueSiteResourceIds = [...new Set(siteResourceIds)];
+
+        const batchSiteResources = await db
+            .select()
+            .from(siteResources)
+            .where(
+                inArray(siteResources.siteResourceId, uniqueSiteResourceIds)
+            );
+
+        if (batchSiteResources.length !== uniqueSiteResourceIds.length) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "One or more site resources not found"
+                )
+            );
+        }
+
+        if (!apiKey.isRoot) {
+            const orgIds = [
+                ...new Set(batchSiteResources.map((sr) => sr.orgId))
+            ];
+            if (orgIds.length > 1) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "All site resources must belong to the same organization"
+                    )
+                );
+            }
+            const orgId = orgIds[0];
+            const [apiKeyOrgRow] = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, orgId)
+                    )
+                )
+                .limit(1);
+
+            if (!apiKeyOrgRow) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Key does not have access to the organization of the specified site resources"
+                    )
+                );
+            }
+
+            const [clientInOrg] = await db
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.clientId, clientId),
+                        eq(clients.orgId, orgId)
+                    )
+                )
+                .limit(1);
+
+            if (!clientInOrg) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Key does not have access to the specified client"
+                    )
+                );
+            }
+        }
+
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Client not found")
+            );
+        }
+
+        if (client.userId !== null) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "This endpoint only supports machine (non-user) clients; the specified client is associated with a user"
+                )
+            );
+        }
+
+        const existingEntries = await db
+            .select({
+                siteResourceId: clientSiteResources.siteResourceId
+            })
+            .from(clientSiteResources)
+            .where(
+                and(
+                    eq(clientSiteResources.clientId, clientId),
+                    inArray(
+                        clientSiteResources.siteResourceId,
+                        batchSiteResources.map((sr) => sr.siteResourceId)
+                    )
+                )
+            );
+
+        const existingSiteResourceIds = new Set(
+            existingEntries.map((e) => e.siteResourceId)
+        );
+        const siteResourcesToAdd = batchSiteResources.filter(
+            (sr) => !existingSiteResourceIds.has(sr.siteResourceId)
+        );
+
+        if (siteResourcesToAdd.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.CONFLICT,
+                    "Client is already assigned to all specified site resources"
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            for (const siteResource of siteResourcesToAdd) {
+                await trx.insert(clientSiteResources).values({
+                    clientId,
+                    siteResourceId: siteResource.siteResourceId
+                });
+            }
+
+            await rebuildClientAssociationsFromClient(client, trx);
+        });
+
+        return response(res, {
+            data: {
+                addedCount: siteResourcesToAdd.length,
+                skippedCount:
+                    batchSiteResources.length - siteResourcesToAdd.length,
+                siteResourceIds: siteResourcesToAdd.map(
+                    (sr) => sr.siteResourceId
+                )
+            },
+            success: true,
+            error: false,
+            message: `Client added to ${siteResourcesToAdd.length} site resource(s) successfully`,
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/routers/siteResource/index.ts
+++ b/server/routers/siteResource/index.ts
@@ -15,4 +15,5 @@ export * from "./addUserToSiteResource";
 export * from "./removeUserFromSiteResource";
 export * from "./setSiteResourceClients";
 export * from "./addClientToSiteResource";
+export * from "./batchAddClientToSiteResources";
 export * from "./removeClientFromSiteResource";
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -620,7 +620,7 @@ export async function handleMessagingForUpdatedSiteResource(
            await updateTargets(newt.newtId, {
                oldTargets: oldTargets,
                newTargets: newTargets
-            });
+            }, newt.version);
        }

        const olmJobs: Promise<void>[] = [];
--- a/server/routers/target/createTarget.ts
+++ b/server/routers/target/createTarget.ts
@@ -264,7 +264,7 @@ export async function createTarget(
                    newTarget,
                    healthCheck,
                    resource.protocol,
-                    resource.proxyPort
+                    newt.version
                );
            }
        }
--- a/server/routers/target/updateTarget.ts
+++ b/server/routers/target/updateTarget.ts
@@ -262,7 +262,7 @@ export async function updateTarget(
                    [updatedTarget],
                    [updatedHc],
                    resource.protocol,
-                    resource.proxyPort
+                    newt.version
                );
            }
        }
--- a/server/routers/traefik/traefikConfigProvider.ts
+++ b/server/routers/traefik/traefikConfigProvider.ts
@@ -39,11 +39,18 @@ export async function traefikConfigProvider(
                        userSessionCookieName:
                            config.getRawConfig().server.session_cookie_name,

-                        // deprecated
                        accessTokenQueryParam:
                            config.getRawConfig().server
                                .resource_access_token_param,

+                        accessTokenIdHeader:
+                            config.getRawConfig().server
+                                .resource_access_token_headers.id,
+
+                        accessTokenHeader:
+                            config.getRawConfig().server
+                                .resource_access_token_headers.token,
+
                        resourceSessionRequestParam:
                            config.getRawConfig().server
                                .resource_session_request_param
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -1,3 +1,4 @@
+import { build } from "@server/build";
 import {
    handleNewtRegisterMessage,
    handleReceiveBandwidthMessage,
@@ -6,7 +7,9 @@ import {
    handleDockerContainersMessage,
    handleNewtPingRequestMessage,
    handleApplyBlueprintMessage,
-    handleNewtPingMessage
+    handleNewtPingMessage,
+    startNewtOfflineChecker,
+    handleNewtDisconnectingMessage
 } from "../newt";
 import {
    handleOlmRegisterMessage,
@@ -15,7 +18,8 @@ import {
    startOlmOfflineChecker,
    handleOlmServerPeerAddMessage,
    handleOlmUnRelayMessage,
-    handleOlmDisconnecingMessage
+    handleOlmDisconnectingMessage,
+    handleOlmServerInitAddPeerHandshake
 } from "../olm";
 import { handleHealthcheckStatusMessage } from "../target";
 import { handleRoundTripMessage } from "./handleRoundTripMessage";
@@ -23,11 +27,13 @@ import { MessageHandler } from "./types";

 export const messageHandlers: Record<string, MessageHandler> = {
    "olm/wg/server/peer/add": handleOlmServerPeerAddMessage,
+    "olm/wg/server/peer/init": handleOlmServerInitAddPeerHandshake,
    "olm/wg/register": handleOlmRegisterMessage,
    "olm/wg/relay": handleOlmRelayMessage,
    "olm/wg/unrelay": handleOlmUnRelayMessage,
    "olm/ping": handleOlmPingMessage,
-    "olm/disconnecting": handleOlmDisconnecingMessage,
+    "olm/disconnecting": handleOlmDisconnectingMessage,
+    "newt/disconnecting": handleNewtDisconnectingMessage,
    "newt/ping": handleNewtPingMessage,
    "newt/wg/register": handleNewtRegisterMessage,
    "newt/wg/get-config": handleGetConfigMessage,
@@ -40,4 +46,7 @@ export const messageHandlers: Record<string, MessageHandler> = {
    "ws/round-trip/complete": handleRoundTripMessage
 };

+if (build != "saas") {
    startOlmOfflineChecker(); // this is to handle the offline check for olms
+    startNewtOfflineChecker(); // this is to handle the offline check for newts
+}
--- a/server/routers/ws/types.ts
+++ b/server/routers/ws/types.ts
@@ -24,7 +24,7 @@ export interface AuthenticatedWebSocket extends WebSocket {
    clientType?: ClientType;
    connectionId?: string;
    isFullyConnected?: boolean;
-    pendingMessages?: Buffer[];
+    pendingMessages?: { data: Buffer; isBinary: boolean }[];
    configVersion?: number;
 }

@@ -73,6 +73,7 @@ export type MessageHandler = (
 // Options for sending messages with config version tracking
 export interface SendMessageOptions {
    incrementConfigVersion?: boolean;
+    compress?: boolean;
 }

 // Redis message type for cross-node communication
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@@ -1,8 +1,9 @@
 import { Router, Request, Response } from "express";
+import zlib from "zlib";
 import { Server as HttpServer } from "http";
 import { WebSocket, WebSocketServer } from "ws";
 import { Socket } from "net";
-import { Newt, newts, NewtSession, olms, Olm, OlmSession } from "@server/db";
+import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
@@ -116,11 +117,20 @@ const sendToClientLocal = async (
    };

    const messageString = JSON.stringify(messageWithVersion);
+    if (options.compress) {
+        const compressed = zlib.gzipSync(Buffer.from(messageString, "utf8"));
+        clients.forEach((client) => {
+            if (client.readyState === WebSocket.OPEN) {
+                client.send(compressed);
+            }
+        });
+    } else {
        clients.forEach((client) => {
            if (client.readyState === WebSocket.OPEN) {
                client.send(messageString);
            }
        });
+    }
    return true;
 };

@@ -147,12 +157,23 @@ const broadcastToAllExceptLocal = async (
                ...message,
                configVersion
            };
+            if (options.compress) {
+                const compressed = zlib.gzipSync(
+                    Buffer.from(JSON.stringify(messageWithVersion), "utf8")
+                );
+                clients.forEach((client) => {
+                    if (client.readyState === WebSocket.OPEN) {
+                        client.send(compressed);
+                    }
+                });
+            } else {
                clients.forEach((client) => {
                    if (client.readyState === WebSocket.OPEN) {
                        client.send(JSON.stringify(messageWithVersion));
                    }
                });
            }
+        }
    });
 };

@@ -286,9 +307,12 @@ const setupConnection = async (
        clientType === "newt" ? (client as Newt).newtId : (client as Olm).olmId;
    await addClient(clientType, clientId, ws);

-    ws.on("message", async (data) => {
+    ws.on("message", async (data, isBinary) => {
        try {
-            const message: WSMessage = JSON.parse(data.toString());
+            const messageBuffer = isBinary
+                ? zlib.gunzipSync(data as Buffer)
+                : (data as Buffer);
+            const message: WSMessage = JSON.parse(messageBuffer.toString());

            if (!message.type || typeof message.type !== "string") {
                throw new Error(
@@ -356,6 +380,31 @@ const setupConnection = async (
        );
    });

+    // Handle WebSocket protocol-level pings from older newt clients that do
+    // not send application-level "newt/ping" messages. Update the site's
+    // online state and lastPing timestamp so the offline checker treats them
+    // the same as modern newt clients.
+    if (clientType === "newt") {
+        const newtClient = client as Newt;
+        ws.on("ping", async () => {
+            if (!newtClient.siteId) return;
+            try {
+                await db
+                    .update(sites)
+                    .set({
+                        online: true,
+                        lastPing: Math.floor(Date.now() / 1000)
+                    })
+                    .where(eq(sites.siteId, newtClient.siteId));
+            } catch (error) {
+                logger.error(
+                    "Error updating newt site online state on WS ping",
+                    { error }
+                );
+            }
+        });
+    }
+
    ws.on("error", (error: Error) => {
        logger.error(
            `WebSocket error for ${clientType.toUpperCase()} ID ${clientId}:`,
--- a/src/app/[orgId]/settings/(private)/billing/page.tsx
+++ b/src/app/[orgId]/settings/(private)/billing/page.tsx
@@ -35,11 +35,7 @@ import {
 } from "@app/components/Credenza";
 import { cn } from "@app/lib/cn";
 import { CreditCard, ExternalLink, Check, AlertTriangle } from "lucide-react";
-import {
-    Alert,
-    AlertTitle,
-    AlertDescription
-} from "@app/components/ui/alert";
+import { Alert, AlertTitle, AlertDescription } from "@app/components/ui/alert";
 import {
    Tooltip,
    TooltipTrigger,
@@ -69,6 +65,7 @@ type PlanOption = {
    price: string;
    priceDetail?: string;
    tierType: Tier | null;
+    features: string[];
 };

 const planOptions: PlanOption[] = [
@@ -76,41 +73,87 @@ const planOptions: PlanOption[] = [
        id: "basic",
        name: "Basic",
        price: "Free",
-        tierType: null
+        tierType: null,
+        features: [
+            "Basic Pangolin features",
+            "Free provided domains",
+            "Web-based proxy resources",
+            "Private resources and clients",
+            "Peer-to-peer connections"
+        ]
    },
    {
        id: "home",
        name: "Home",
        price: "$12.50",
        priceDetail: "/ month",
-        tierType: "tier1"
+        tierType: "tier1",
+        features: [
+            "Everything in Basic",
+            "OAuth2/OIDC, Google, & Azure SSO",
+            "Bring your own identity provider",
+            "Pangolin SSH",
+            "Custom branding",
+            "Device admin approvals"
+        ]
    },
    {
        id: "team",
        name: "Team",
        price: "$4",
        priceDetail: "per user / month",
-        tierType: "tier2"
+        tierType: "tier2",
+        features: [
+            "Everything in Basic",
+            "Custom domains",
+            "OAuth2/OIDC, Google, & Azure SSO",
+            "Access and action audit logs",
+            "Device posture information"
+        ]
    },
    {
        id: "business",
        name: "Business",
        price: "$9",
        priceDetail: "per user / month",
-        tierType: "tier3"
+        tierType: "tier3",
+        features: [
+            "Everything in Team",
+            "Multiple organizations (multi-tenancy)",
+            "Auto-provisioning via IdP",
+            "Pangolin SSH",
+            "Device approvals",
+            "Custom branding",
+            "Business support"
+        ]
    },
    {
        id: "enterprise",
        name: "Enterprise",
        price: "Custom",
-        tierType: null
+        tierType: null,
+        features: [
+            "Everything in Business",
+            "Custom limits",
+            "Priority support and SLA",
+            "Log push and export",
+            "Private and Gov-Cloud deployment options",
+            "Dedicated, premium relay/exit nodes",
+            "Pay by invoice "
+        ]
    }
 ];

 // Tier limits mapping derived from limit sets
 const tierLimits: Record<
    Tier | "basic",
-    { users: number; sites: number; domains: number; remoteNodes: number; organizations: number }
+    {
+        users: number;
+        sites: number;
+        domains: number;
+        remoteNodes: number;
+        organizations: number;
+    }
 > = {
    basic: {
        users: freeLimitSet[FeatureId.USERS]?.value ?? 0,
@@ -463,7 +506,10 @@ export default function BillingPage() {
    const isProblematicState = hasProblematicSubscription();

    // Get user-friendly subscription status message
-    const getSubscriptionStatusMessage = (): { title: string; description: string } | null => {
+    const getSubscriptionStatusMessage = (): {
+        title: string;
+        description: string;
+    } | null => {
        if (!tierSubscription?.subscription || !isProblematicState) return null;

        const status = tierSubscription.subscription.status;
@@ -472,22 +518,31 @@ export default function BillingPage() {
            case "past_due":
                return {
                    title: t("billingPastDueTitle") || "Payment Past Due",
-                    description: t("billingPastDueDescription") || "Your payment is past due. Please update your payment method to continue using your current plan features. If not resolved, your subscription will be canceled and you'll be reverted to the free tier."
+                    description:
+                        t("billingPastDueDescription") ||
+                        "Your payment is past due. Please update your payment method to continue using your current plan features. If not resolved, your subscription will be canceled and you'll be reverted to the free tier."
                };
            case "unpaid":
                return {
                    title: t("billingUnpaidTitle") || "Subscription Unpaid",
-                    description: t("billingUnpaidDescription") || "Your subscription is unpaid and you have been reverted to the free tier. Please update your payment method to restore your subscription."
+                    description:
+                        t("billingUnpaidDescription") ||
+                        "Your subscription is unpaid and you have been reverted to the free tier. Please update your payment method to restore your subscription."
                };
            case "incomplete":
                return {
                    title: t("billingIncompleteTitle") || "Payment Incomplete",
-                    description: t("billingIncompleteDescription") || "Your payment is incomplete. Please complete the payment process to activate your subscription."
+                    description:
+                        t("billingIncompleteDescription") ||
+                        "Your payment is incomplete. Please complete the payment process to activate your subscription."
                };
            case "incomplete_expired":
                return {
-                    title: t("billingIncompleteExpiredTitle") || "Payment Expired",
-                    description: t("billingIncompleteExpiredDescription") || "Your payment was never completed and has expired. You have been reverted to the free tier. Please subscribe again to restore access to paid features."
+                    title:
+                        t("billingIncompleteExpiredTitle") || "Payment Expired",
+                    description:
+                        t("billingIncompleteExpiredDescription") ||
+                        "Your payment was never completed and has expired. You have been reverted to the free tier. Please subscribe again to restore access to paid features."
                };
            default:
                return null;
@@ -509,7 +564,11 @@ export default function BillingPage() {

        if (plan.id === currentPlanId) {
            // If it's the basic plan (basic with no subscription), show as current but disabled
-            if (plan.id === "basic" && !hasSubscription && !isProblematicState) {
+            if (
+                plan.id === "basic" &&
+                !hasSubscription &&
+                !isProblematicState
+            ) {
                return {
                    label: "Current Plan",
                    action: () => {},
@@ -632,7 +691,9 @@ export default function BillingPage() {
    };

    // Check if downgrading to a tier would violate current usage limits
-    const checkLimitViolations = (targetTier: Tier | "basic"): Array<{
+    const checkLimitViolations = (
+        targetTier: Tier | "basic"
+    ): Array<{
        feature: string;
        currentUsage: number;
        newLimit: number;
@@ -687,7 +748,10 @@ export default function BillingPage() {

        // Check organizations
        const organizationsUsage = getUsageValue(ORGINIZATIONS);
-        if (limits.organizations > 0 && organizationsUsage > limits.organizations) {
+        if (
+            limits.organizations > 0 &&
+            organizationsUsage > limits.organizations
+        ) {
            violations.push({
                feature: "Organizations",
                currentUsage: organizationsUsage,
@@ -712,17 +776,15 @@ export default function BillingPage() {
            {isProblematicState && statusMessage && (
                <Alert variant="destructive" className="mb-6">
                    <AlertTriangle className="h-4 w-4" />
-                    <AlertTitle>
-                        {statusMessage.title}
-                    </AlertTitle>
+                    <AlertTitle>{statusMessage.title}</AlertTitle>
                    <AlertDescription>
-                        {statusMessage.description}
-                        {" "}
+                        {statusMessage.description}{" "}
                        <button
                            onClick={handleModifySubscription}
                            className="underline font-semibold hover:no-underline"
                        >
-                            {t("billingManageSubscription") || "Manage your subscription"}
+                            {t("billingManageSubscription") ||
+                                "Manage your subscription"}
                        </button>
                    </AlertDescription>
                </Alert>
@@ -772,7 +834,10 @@ export default function BillingPage() {
                                        </div>
                                    </div>
                                    <div className="mt-4">
-                                        {isProblematicState && planAction.disabled && !isCurrentPlan && plan.id !== "enterprise" ? (
+                                        {isProblematicState &&
+                                        planAction.disabled &&
+                                        !isCurrentPlan &&
+                                        plan.id !== "enterprise" ? (
                                            <Tooltip>
                                                <TooltipTrigger asChild>
                                                    <div>
@@ -784,18 +849,29 @@ export default function BillingPage() {
                                                            }
                                                            size="sm"
                                                            className="w-full"
-                                                            onClick={planAction.action}
-                                                            disabled={
-                                                                isLoading || planAction.disabled
+                                                            onClick={
+                                                                planAction.action
+                                                            }
+                                                            disabled={
+                                                                isLoading ||
+                                                                planAction.disabled
+                                                            }
+                                                            loading={
+                                                                isLoading &&
+                                                                isCurrentPlan
                                                            }
-                                                            loading={isLoading && isCurrentPlan}
                                                        >
                                                            {planAction.label}
                                                        </Button>
                                                    </div>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingResolvePaymentIssue") || "Please resolve your payment issue before upgrading or downgrading"}</p>
+                                                    <p>
+                                                        {t(
+                                                            "billingResolvePaymentIssue"
+                                                        ) ||
+                                                            "Please resolve your payment issue before upgrading or downgrading"}
+                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -809,9 +885,12 @@ export default function BillingPage() {
                                                className="w-full"
                                                onClick={planAction.action}
                                                disabled={
-                                                    isLoading || planAction.disabled
+                                                    isLoading ||
+                                                    planAction.disabled
+                                                }
+                                                loading={
+                                                    isLoading && isCurrentPlan
                                                }
-                                                loading={isLoading && isCurrentPlan}
                                            >
                                                {planAction.label}
                                            </Button>
@@ -886,18 +965,38 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
+                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
+                                                    >
                                                        {getLimitValue(USERS) ??
-                                                            t("billingUnlimited") ??
+                                                            t(
+                                                                "billingUnlimited"
+                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(USERS) !== null &&
-                                                            "users"}
+                                                        {getLimitValue(
+                                                            USERS
+                                                        ) !== null && "users"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(USERS), limit: getLimitValue(USERS) ?? 0 }) || `Current usage (${getUsageValue(USERS)}) exceeds limit (${getLimitValue(USERS)})`}</p>
+                                                    <p>
+                                                        {t(
+                                                            "billingUsageExceedsLimit",
+                                                            {
+                                                                current:
+                                                                    getUsageValue(
+                                                                        USERS
+                                                                    ),
+                                                                limit:
+                                                                    getLimitValue(
+                                                                        USERS
+                                                                    ) ?? 0
+                                                            }
+                                                        ) ||
+                                                            `Current usage (${getUsageValue(USERS)}) exceeds limit (${getLimitValue(USERS)})`}
+                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -905,8 +1004,8 @@ export default function BillingPage() {
                                                {getLimitValue(USERS) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(USERS) !== null &&
-                                                    "users"}
+                                                {getLimitValue(USERS) !==
+                                                    null && "users"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -920,18 +1019,38 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
+                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
+                                                    >
                                                        {getLimitValue(SITES) ??
-                                                            t("billingUnlimited") ??
+                                                            t(
+                                                                "billingUnlimited"
+                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(SITES) !== null &&
-                                                            "sites"}
+                                                        {getLimitValue(
+                                                            SITES
+                                                        ) !== null && "sites"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(SITES), limit: getLimitValue(SITES) ?? 0 }) || `Current usage (${getUsageValue(SITES)}) exceeds limit (${getLimitValue(SITES)})`}</p>
+                                                    <p>
+                                                        {t(
+                                                            "billingUsageExceedsLimit",
+                                                            {
+                                                                current:
+                                                                    getUsageValue(
+                                                                        SITES
+                                                                    ),
+                                                                limit:
+                                                                    getLimitValue(
+                                                                        SITES
+                                                                    ) ?? 0
+                                                            }
+                                                        ) ||
+                                                            `Current usage (${getUsageValue(SITES)}) exceeds limit (${getLimitValue(SITES)})`}
+                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -939,8 +1058,8 @@ export default function BillingPage() {
                                                {getLimitValue(SITES) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(SITES) !== null &&
-                                                    "sites"}
+                                                {getLimitValue(SITES) !==
+                                                    null && "sites"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -954,18 +1073,40 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
+                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
-                                                        {getLimitValue(DOMAINS) ??
-                                                            t("billingUnlimited") ??
+                                                        )}
+                                                    >
+                                                        {getLimitValue(
+                                                            DOMAINS
+                                                        ) ??
+                                                            t(
+                                                                "billingUnlimited"
+                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(DOMAINS) !== null &&
-                                                            "domains"}
+                                                        {getLimitValue(
+                                                            DOMAINS
+                                                        ) !== null && "domains"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(DOMAINS), limit: getLimitValue(DOMAINS) ?? 0 }) || `Current usage (${getUsageValue(DOMAINS)}) exceeds limit (${getLimitValue(DOMAINS)})`}</p>
+                                                    <p>
+                                                        {t(
+                                                            "billingUsageExceedsLimit",
+                                                            {
+                                                                current:
+                                                                    getUsageValue(
+                                                                        DOMAINS
+                                                                    ),
+                                                                limit:
+                                                                    getLimitValue(
+                                                                        DOMAINS
+                                                                    ) ?? 0
+                                                            }
+                                                        ) ||
+                                                            `Current usage (${getUsageValue(DOMAINS)}) exceeds limit (${getLimitValue(DOMAINS)})`}
+                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -973,8 +1114,8 @@ export default function BillingPage() {
                                                {getLimitValue(DOMAINS) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(DOMAINS) !== null &&
-                                                    "domains"}
+                                                {getLimitValue(DOMAINS) !==
+                                                    null && "domains"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -989,18 +1130,40 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
+                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
-                                                        {getLimitValue(ORGINIZATIONS) ??
-                                                            t("billingUnlimited") ??
+                                                        )}
+                                                    >
+                                                        {getLimitValue(
+                                                            ORGINIZATIONS
+                                                        ) ??
+                                                            t(
+                                                                "billingUnlimited"
+                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(ORGINIZATIONS) !==
-                                                            null && "orgs"}
+                                                        {getLimitValue(
+                                                            ORGINIZATIONS
+                                                        ) !== null && "orgs"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(ORGINIZATIONS), limit: getLimitValue(ORGINIZATIONS) ?? 0 }) || `Current usage (${getUsageValue(ORGINIZATIONS)}) exceeds limit (${getLimitValue(ORGINIZATIONS)})`}</p>
+                                                    <p>
+                                                        {t(
+                                                            "billingUsageExceedsLimit",
+                                                            {
+                                                                current:
+                                                                    getUsageValue(
+                                                                        ORGINIZATIONS
+                                                                    ),
+                                                                limit:
+                                                                    getLimitValue(
+                                                                        ORGINIZATIONS
+                                                                    ) ?? 0
+                                                            }
+                                                        ) ||
+                                                            `Current usage (${getUsageValue(ORGINIZATIONS)}) exceeds limit (${getLimitValue(ORGINIZATIONS)})`}
+                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -1008,8 +1171,9 @@ export default function BillingPage() {
                                                {getLimitValue(ORGINIZATIONS) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(ORGINIZATIONS) !==
-                                                    null && "orgs"}
+                                                {getLimitValue(
+                                                    ORGINIZATIONS
+                                                ) !== null && "orgs"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -1024,27 +1188,52 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
+                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
-                                                        {getLimitValue(REMOTE_EXIT_NODES) ??
-                                                            t("billingUnlimited") ??
+                                                        )}
+                                                    >
+                                                        {getLimitValue(
+                                                            REMOTE_EXIT_NODES
+                                                        ) ??
+                                                            t(
+                                                                "billingUnlimited"
+                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(REMOTE_EXIT_NODES) !==
-                                                            null && "nodes"}
+                                                        {getLimitValue(
+                                                            REMOTE_EXIT_NODES
+                                                        ) !== null && "nodes"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(REMOTE_EXIT_NODES), limit: getLimitValue(REMOTE_EXIT_NODES) ?? 0 }) || `Current usage (${getUsageValue(REMOTE_EXIT_NODES)}) exceeds limit (${getLimitValue(REMOTE_EXIT_NODES)})`}</p>
+                                                    <p>
+                                                        {t(
+                                                            "billingUsageExceedsLimit",
+                                                            {
+                                                                current:
+                                                                    getUsageValue(
+                                                                        REMOTE_EXIT_NODES
+                                                                    ),
+                                                                limit:
+                                                                    getLimitValue(
+                                                                        REMOTE_EXIT_NODES
+                                                                    ) ?? 0
+                                                            }
+                                                        ) ||
+                                                            `Current usage (${getUsageValue(REMOTE_EXIT_NODES)}) exceeds limit (${getLimitValue(REMOTE_EXIT_NODES)})`}
+                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
                                            <>
-                                                {getLimitValue(REMOTE_EXIT_NODES) ??
+                                                {getLimitValue(
+                                                    REMOTE_EXIT_NODES
+                                                ) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(REMOTE_EXIT_NODES) !==
-                                                    null && "nodes"}
+                                                {getLimitValue(
+                                                    REMOTE_EXIT_NODES
+                                                ) !== null && "nodes"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -1072,7 +1261,8 @@ export default function BillingPage() {
                            <div className="flex flex-col md:flex-row items-start md:items-center justify-between gap-4 border rounded-lg p-4">
                                <div>
                                    <div className="text-sm text-muted-foreground mb-1">
-                                        {t("billingCurrentKeys") || "Current Keys"}
+                                        {t("billingCurrentKeys") ||
+                                            "Current Keys"}
                                    </div>
                                    <div className="flex items-baseline gap-2">
                                        <span className="text-3xl font-bold">
@@ -1137,61 +1327,101 @@ export default function BillingPage() {
                                    </div>
                                </div>

+                                {/* Features with check marks */}
+                                {(() => {
+                                    const plan = planOptions.find(
+                                        (p) =>
+                                            p.tierType === pendingTier.tier ||
+                                            (pendingTier.tier === "basic" &&
+                                                p.id === "basic")
+                                    );
+                                    return plan?.features?.length ? (
+                                        <div>
+                                            <h4 className="font-semibold mb-3">
+                                                {"What's included:"}
+                                            </h4>
+                                            <div className="space-y-2">
+                                                {plan.features.map(
+                                                    (feature, i) => (
+                                                        <div
+                                                            key={i}
+                                                            className="flex items-center gap-2"
+                                                        >
+                                                            <Check className="h-4 w-4 text-green-600 shrink-0" />
+                                                            <span>
+                                                                {feature}
+                                                            </span>
+                                                        </div>
+                                                    )
+                                                )}
+                                            </div>
+                                        </div>
+                                    ) : null;
+                                })()}
+
+                                {/* Limits without check marks */}
                                {tierLimits[pendingTier.tier] && (
                                    <div>
                                        <h4 className="font-semibold mb-3">
-                                            {t("billingPlanIncludes") ||
-                                                "Plan Includes:"}
+                                            {"Up to:"}
                                        </h4>
-                                        <div className="space-y-2">
+                                        <div className="space-y-2 text-sm text-muted-foreground">
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
-                                                            .users
+                                                        tierLimits[
+                                                            pendingTier.tier
+                                                        ].users
                                                    }{" "}
-                                                    {t("billingUsers") || "Users"}
+                                                    {t("billingUsers") ||
+                                                        "Users"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
-                                                            .sites
+                                                        tierLimits[
+                                                            pendingTier.tier
+                                                        ].sites
                                                    }{" "}
-                                                    {t("billingSites") || "Sites"}
+                                                    {t("billingSites") ||
+                                                        "Sites"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
-                                                            .domains
+                                                        tierLimits[
+                                                            pendingTier.tier
+                                                        ].domains
                                                    }{" "}
                                                    {t("billingDomains") ||
                                                        "Domains"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
-                                                            .organizations
+                                                        tierLimits[
+                                                            pendingTier.tier
+                                                        ].organizations
                                                    }{" "}
-                                                    {t("billingOrganizations") ||
-                                                        "Organizations"}
+                                                    {t(
+                                                        "billingOrganizations"
+                                                    ) || "Organizations"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
-                                                            .remoteNodes
+                                                        tierLimits[
+                                                            pendingTier.tier
+                                                        ].remoteNodes
                                                    }{" "}
                                                    {t("billingRemoteNodes") ||
                                                        "Remote Nodes"}
@@ -1202,26 +1432,63 @@ export default function BillingPage() {
                                )}

                                {/* Warning for limit violations when downgrading */}
-                                {pendingTier.action === "downgrade" && (() => {
-                                    const violations = checkLimitViolations(pendingTier.tier);
+                                {pendingTier.action === "downgrade" &&
+                                    (() => {
+                                        const violations = checkLimitViolations(
+                                            pendingTier.tier
+                                        );
                                        if (violations.length > 0) {
                                            return (
                                                <Alert variant="destructive">
                                                    <AlertTriangle className="h-4 w-4" />
                                                    <AlertTitle>
-                                                    {t("billingLimitViolationWarning") || "Usage Exceeds New Plan Limits"}
+                                                        {t(
+                                                            "billingLimitViolationWarning"
+                                                        ) ||
+                                                            "Usage Exceeds New Plan Limits"}
                                                    </AlertTitle>
                                                    <AlertDescription>
                                                        <p className="mb-3">
-                                                        {t("billingLimitViolationDescription") || "Your current usage exceeds the limits of this plan. The following features will be disabled until you reduce usage:"}
+                                                            {t(
+                                                                "billingLimitViolationDescription"
+                                                            ) ||
+                                                                "Your current usage exceeds the limits of this plan. The following features will be disabled until you reduce usage:"}
                                                        </p>
                                                        <ul className="space-y-2">
-                                                        {violations.map((violation, index) => (
-                                                            <li key={index} className="flex items-center gap-2">
-                                                                <span className="font-medium">{violation.feature}:</span>
-                                                                <span>Currently using {violation.currentUsage}, new limit is {violation.newLimit}</span>
+                                                            {violations.map(
+                                                                (
+                                                                    violation,
+                                                                    index
+                                                                ) => (
+                                                                    <li
+                                                                        key={
+                                                                            index
+                                                                        }
+                                                                        className="flex items-center gap-2"
+                                                                    >
+                                                                        <span className="font-medium">
+                                                                            {
+                                                                                violation.feature
+                                                                            }
+                                                                            :
+                                                                        </span>
+                                                                        <span>
+                                                                            Currently
+                                                                            using{" "}
+                                                                            {
+                                                                                violation.currentUsage
+                                                                            }
+                                                                            ,
+                                                                            new
+                                                                            limit
+                                                                            is{" "}
+                                                                            {
+                                                                                violation.newLimit
+                                                                            }
+                                                                        </span>
                                                                    </li>
-                                                        ))}
+                                                                )
+                                                            )}
                                                        </ul>
                                                    </AlertDescription>
                                                </Alert>
@@ -1235,10 +1502,14 @@ export default function BillingPage() {
                                    <Alert variant="warning">
                                        <AlertTriangle className="h-4 w-4" />
                                        <AlertTitle>
-                                            {t("billingFeatureLossWarning") || "Feature Availability Notice"}
+                                            {t("billingFeatureLossWarning") ||
+                                                "Feature Availability Notice"}
                                        </AlertTitle>
                                        <AlertDescription>
-                                            {t("billingFeatureLossDescription") || "By downgrading, features not available in the new plan will be automatically disabled. Some settings and configurations may be lost. Please review the pricing matrix to understand which features will no longer be available."}
+                                            {t(
+                                                "billingFeatureLossDescription"
+                                            ) ||
+                                                "By downgrading, features not available in the new plan will be automatically disabled. Some settings and configurations may be lost. Please review the pricing matrix to understand which features will no longer be available."}
                                        </AlertDescription>
                                    </Alert>
                                )}
--- a/src/app/[orgId]/settings/domains/[domainId]/page.tsx
+++ b/src/app/[orgId]/settings/domains/[domainId]/page.tsx
@@ -69,6 +69,7 @@ export default async function DomainSettingsPage({
                    failed={domain.failed}
                    verified={domain.verified}
                    type={domain.type}
+                    errorMessage={domain.errorMessage}
                />

                <DNSRecordsTable records={dnsRecords} type={domain.type} />
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -54,6 +54,7 @@ import {
    TooltipProvider,
    TooltipTrigger
 } from "@app/components/ui/tooltip";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
@@ -65,6 +66,7 @@ import { build } from "@server/build";
 import { Resource } from "@server/db";
 import { isTargetValid } from "@server/lib/validators";
 import { ListTargetsResponse } from "@server/routers/target";
+import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
 import { ArrayElement } from "@server/types/ArrayElement";
 import { useQuery } from "@tanstack/react-query";
 import {
@@ -81,6 +83,7 @@ import {
    CircleCheck,
    CircleX,
    Info,
+    InfoIcon,
    Plus,
    Settings,
    SquareArrowOutUpRight
@@ -210,6 +213,13 @@ export default function Page() {
        orgQueries.sites({ orgId: orgId as string })
    );

+    const [remoteExitNodes, setRemoteExitNodes] = useState<
+        ListRemoteExitNodesResponse["remoteExitNodes"]
+    >([]);
+    const [loadingExitNodes, setLoadingExitNodes] = useState(
+        build === "saas"
+    );
+
    const [createLoading, setCreateLoading] = useState(false);
    const [showSnippets, setShowSnippets] = useState(false);
    const [niceId, setNiceId] = useState<string>("");
@@ -224,6 +234,27 @@ export default function Page() {
        useState<LocalTarget | null>(null);
    const [healthCheckDialogOpen, setHealthCheckDialogOpen] = useState(false);

+    useEffect(() => {
+        if (build !== "saas") return;
+
+        const fetchExitNodes = async () => {
+            try {
+                const res = await api.get<
+                    AxiosResponse<ListRemoteExitNodesResponse>
+                >(`/org/${orgId}/remote-exit-nodes`);
+                if (res && res.status === 200) {
+                    setRemoteExitNodes(res.data.data.remoteExitNodes);
+                }
+            } catch (e) {
+                console.error("Failed to fetch remote exit nodes:", e);
+            } finally {
+                setLoadingExitNodes(false);
+            }
+        };
+
+        fetchExitNodes();
+    }, [orgId]);
+
    const [isAdvancedMode, setIsAdvancedMode] = useState(() => {
        if (typeof window !== "undefined") {
            const saved = localStorage.getItem("create-advanced-mode");
@@ -288,16 +319,26 @@ export default function Page() {
            description: t("resourceHTTPDescription")
        },
        ...(!env.flags.allowRawResources
+            ? []
+            : build === "saas" && remoteExitNodes.length === 0
              ? []
              : [
                    {
                        id: "raw" as ResourceType,
                        title: t("resourceRaw"),
-                      description: build == "saas" ? t("resourceRawDescriptionCloud") : t("resourceRawDescription")
+                        description:
+                            build == "saas"
+                                ? t("resourceRawDescriptionCloud")
+                                : t("resourceRawDescription")
                    }
                ])
    ];

+    // In saas mode with no exit nodes, force HTTP
+    const showTypeSelector =
+        build !== "saas" ||
+        (!loadingExitNodes && remoteExitNodes.length > 0);
+
    const baseForm = useForm({
        resolver: zodResolver(baseResourceFormSchema),
        defaultValues: {
@@ -984,7 +1025,8 @@ export default function Page() {
                                    </SettingsSectionTitle>
                                </SettingsSectionHeader>
                                <SettingsSectionBody>
-                                    {resourceTypes.length > 1 && (
+                                    {showTypeSelector &&
+                                        resourceTypes.length > 1 && (
                                            <>
                                                <div className="mb-2">
                                                    <span className="text-sm font-medium">
@@ -1067,6 +1109,9 @@ export default function Page() {
                                    <SettingsSectionBody>
                                        <DomainPicker
                                            orgId={orgId as string}
+                                            warnOnProvidedDomain={
+                                                remoteExitNodes.length >= 1
+                                            }
                                            onDomainChange={(res) => {
                                                if (!res) return;

--- a/src/components/DomainInfoCard.tsx
+++ b/src/components/DomainInfoCard.tsx
@@ -10,17 +10,20 @@ import {
 import { useTranslations } from "next-intl";
 import { Badge } from "./ui/badge";
 import { useEnvContext } from "@app/hooks/useEnvContext";
+import { AlertTriangle } from "lucide-react";

 type DomainInfoCardProps = {
    failed: boolean;
    verified: boolean;
    type: string | null;
+    errorMessage?: string | null;
 };

 export default function DomainInfoCard({
    failed,
    verified,
-    type
+    type,
+    errorMessage
 }: DomainInfoCardProps) {
    const t = useTranslations();
    const env = useEnvContext();
@@ -39,6 +42,7 @@ export default function DomainInfoCard({
    };

    return (
+        <div className="space-y-3">
        <Alert>
            <AlertDescription>
                <InfoSections cols={3}>
@@ -79,5 +83,19 @@ export default function DomainInfoCard({
                </InfoSections>
            </AlertDescription>
        </Alert>
+        {errorMessage && (failed || !verified) && (
+            <Alert variant={failed ? "destructive" : "warning"}>
+                <AlertTriangle className="h-4 w-4" />
+                <AlertTitle>
+                    {failed
+                        ? t("domainErrorTitle", { fallback: "Domain Error" })
+                        : t("domainPendingErrorTitle", { fallback: "Verification Issue" })}
+                </AlertTitle>
+                <AlertDescription className="font-mono text-xs break-all">
+                    {errorMessage}
+                </AlertDescription>
+            </Alert>
+        )}
+        </div>
    );
 }
--- a/src/components/DomainPicker.tsx
+++ b/src/components/DomainPicker.tsx
@@ -79,6 +79,7 @@ interface DomainPickerProps {
    defaultFullDomain?: string | null;
    defaultSubdomain?: string | null;
    defaultDomainId?: string | null;
+    warnOnProvidedDomain?: boolean;
 }

 export default function DomainPicker({
@@ -88,7 +89,8 @@ export default function DomainPicker({
    hideFreeDomain = false,
    defaultSubdomain,
    defaultFullDomain,
-    defaultDomainId
+    defaultDomainId,
+    warnOnProvidedDomain = false
 }: DomainPickerProps) {
    const { env } = useEnvContext();
    const api = createApiClient({ env });
@@ -689,6 +691,14 @@ export default function DomainPicker({

            {showProvidedDomainSearch && (
                <div className="space-y-4">
+                    {warnOnProvidedDomain && (
+                        <Alert variant="warning">
+                            <AlertCircle className="h-4 w-4" />
+                            <AlertDescription>
+                                {t("domainPickerRemoteExitNodeWarning")}
+                            </AlertDescription>
+                        </Alert>
+                    )}
                    {isChecking && (
                        <div className="flex items-center justify-center p-8">
                            <div className="flex items-center space-x-2 text-sm text-muted-foreground">
--- a/src/components/DomainsTable.tsx
+++ b/src/components/DomainsTable.tsx
@@ -27,6 +27,12 @@ import {
    DropdownMenuItem,
    DropdownMenuTrigger
 } from "./ui/dropdown-menu";
+import {
+    Tooltip,
+    TooltipContent,
+    TooltipProvider,
+    TooltipTrigger
+} from "./ui/tooltip";
 import Link from "next/link";

 export type DomainRow = {
@@ -39,6 +45,7 @@ export type DomainRow = {
    configManaged: boolean;
    certResolver: string;
    preferWildcardCert: boolean;
+    errorMessage?: string | null;
 };

 type Props = {
@@ -175,7 +182,7 @@ export default function DomainsTable({ domains, orgId }: Props) {
            );
        },
        cell: ({ row }) => {
-            const { verified, failed, type } = row.original;
+            const { verified, failed, type, errorMessage } = row.original;
            if (verified) {
                return type == "wildcard" ? (
                    <Badge variant="outlinePrimary">{t("manual")}</Badge>
@@ -183,12 +190,44 @@ export default function DomainsTable({ domains, orgId }: Props) {
                    <Badge variant="green">{t("verified")}</Badge>
                );
            } else if (failed) {
+                if (errorMessage) {
+                    return (
+                        <TooltipProvider>
+                            <Tooltip>
+                                <TooltipTrigger asChild>
+                                    <Badge variant="red" className="cursor-help">
+                                        {t("failed", { fallback: "Failed" })}
+                                    </Badge>
+                                </TooltipTrigger>
+                                <TooltipContent className="max-w-xs">
+                                    <p className="break-words">{errorMessage}</p>
+                                </TooltipContent>
+                            </Tooltip>
+                        </TooltipProvider>
+                    );
+                }
                return (
                    <Badge variant="red">
                        {t("failed", { fallback: "Failed" })}
                    </Badge>
                );
            } else {
+                if (errorMessage) {
+                    return (
+                        <TooltipProvider>
+                            <Tooltip>
+                                <TooltipTrigger asChild>
+                                    <Badge variant="yellow" className="cursor-help">
+                                        {t("pending")}
+                                    </Badge>
+                                </TooltipTrigger>
+                                <TooltipContent className="max-w-xs">
+                                    <p className="break-words">{errorMessage}</p>
+                                </TooltipContent>
+                            </Tooltip>
+                        </TooltipProvider>
+                    );
+                }
                return <Badge variant="yellow">{t("pending")}</Badge>;
            }
        }
--- a/src/components/MemberResourcesPortal.tsx
+++ b/src/components/MemberResourcesPortal.tsx
@@ -129,6 +129,11 @@ const ResourceInfo = ({ resource }: { resource: Resource }) => {
        resource.pincode ||
        resource.whitelist;

+    const hasAnyInfo =
+        Boolean(resource.siteName) || Boolean(hasAuthMethods) || !resource.enabled;
+
+    if (!hasAnyInfo) return null;
+
    const infoContent = (
        <div className="flex flex-col gap-3">
            {/* Site Information */}
@@ -828,6 +833,12 @@ export default function MemberResourcesPortal({
                                                                    </span>
                                                                </div>
                                                            )}
+                                                            <div>
+                                                                <span className="font-medium">Destination:</span>
+                                                                <span className="ml-2 text-muted-foreground">
+                                                                    {siteResource.destination}
+                                                                </span>
+                                                            </div>
                                                            {siteResource.alias && (
                                                                <div>
                                                                    <span className="font-medium">Alias:</span>
@@ -836,14 +847,6 @@ export default function MemberResourcesPortal({
                                                                    </span>
                                                                </div>
                                                            )}
-                                                            {siteResource.aliasAddress && (
-                                                                <div>
-                                                                    <span className="font-medium">Alias Address:</span>
-                                                                    <span className="ml-2 text-muted-foreground">
-                                                                        {siteResource.aliasAddress}
-                                                                    </span>
-                                                                </div>
-                                                            )}
                                                            <div>
                                                                <span className="font-medium">Status:</span>
                                                                <span className={`ml-2 ${siteResource.enabled ? 'text-green-600' : 'text-red-600'}`}>
Author	SHA1	Message	Date
Owen Schwartz	d9766b0f99	New translations en-us.json (Spanish)	2026-03-19 14:39:09 -07:00
Owen Schwartz	eeaa1d56ad	New translations en-us.json (Norwegian Bokmal)	2026-03-19 14:39:07 -07:00
Owen Schwartz	e7f5bc585c	New translations en-us.json (Chinese Simplified)	2026-03-19 14:39:06 -07:00
Owen Schwartz	4f26fb7750	New translations en-us.json (Turkish)	2026-03-19 14:39:04 -07:00
Owen Schwartz	cdbc190bfc	New translations en-us.json (Russian)	2026-03-19 14:39:03 -07:00
Owen Schwartz	1b1f9ab4cf	New translations en-us.json (Portuguese)	2026-03-19 14:39:02 -07:00
Owen Schwartz	2efe6cfdb3	New translations en-us.json (Polish)	2026-03-19 14:39:00 -07:00
Owen Schwartz	517c607ecf	New translations en-us.json (Dutch)	2026-03-19 14:38:59 -07:00
Owen Schwartz	802e8f7a22	New translations en-us.json (Korean)	2026-03-19 14:38:57 -07:00
Owen Schwartz	c7cfe2efcb	New translations en-us.json (Italian)	2026-03-19 14:38:56 -07:00
Owen Schwartz	ae1f36f39a	New translations en-us.json (German)	2026-03-19 14:38:54 -07:00
Owen Schwartz	a479ef28ac	New translations en-us.json (Czech)	2026-03-19 14:38:53 -07:00
Owen Schwartz	ce2cf50b5a	New translations en-us.json (Bulgarian)	2026-03-19 14:38:52 -07:00
Owen Schwartz	f48d01acde	New translations en-us.json (French)	2026-03-19 14:38:50 -07:00
Owen	991fed93ee	Add warning when creating resource with provided	2026-03-19 14:26:14 -07:00
Owen	26ab63d0e4	Adjust remote node language	2026-03-19 12:10:58 -07:00
Owen Schwartz	03288d2a60	Merge pull request #2667 from LaurenceJJones/feature/newt-ipv6-format-endpoint fix(newt): Format ipv6 targets for go	2026-03-18 15:34:36 -07:00
miloschwartz	1169b68619	fix more info content on member page	2026-03-18 12:18:18 -07:00
Laurence	d3bfd67738	fix(newt): Format ipv6 targets for go We added support https://github.com/fosrl/newt/releases/tag/1.10.3 for ipv6 targets from newt -> application, but we need to ensure that we handle if user provides a none bracketed ipv6 string	2026-03-18 13:26:38 +00:00
miloschwartz	d44292cf33	pass access token params to badger	2026-03-17 16:57:31 -07:00
miloschwartz	2c2be50b19	change route name	2026-03-16 20:02:57 -07:00
Owen Schwartz	e2db4c6246	Merge pull request #2662 from fosrl/batch-add-client-to-resources batch add client to resources	2026-03-16 19:53:47 -07:00
miloschwartz	c4839fee08	Merge branch 'dev' into batch-add-client-to-resources	2026-03-16 17:58:37 -07:00
miloschwartz	965b7026f0	add batch endpoint	2026-03-16 17:58:20 -07:00
Owen	e14e15fcbb	Revert: Also update lastPing for legacy	2026-03-16 17:47:06 -07:00
Owen Schwartz	4ca5acf158	Merge pull request #2660 from fosrl/dev Also update lastPing for legacy	2026-03-16 17:13:10 -07:00
Owen	ea41fcc566	Also update lastPing for legacy	2026-03-16 17:12:37 -07:00
Owen Schwartz	5736c1d8ce	Merge pull request #2659 from fosrl/dev Small improvements	2026-03-16 16:37:26 -07:00
Owen	d142366dd9	Merge branch 'main' into dev	2026-03-16 16:32:28 -07:00
Owen	bab09dff95	Add better metadata to ssh	2026-03-16 15:33:21 -07:00
Owen	23d3345ab9	Reduce writes	2026-03-16 14:37:27 -07:00
Owen Schwartz	09a64815d4	Merge pull request #2657 from fosrl/hotfix-jit Fix jit on by default	2026-03-15 22:02:12 -07:00
Owen	6d5f969798	Fix jit on by default	2026-03-15 22:01:39 -07:00
Owen Schwartz	9c430b37aa	Merge pull request #2655 from fosrl/dev 1.16.2-s.8	2026-03-15 16:47:09 -07:00
Owen	86bba494fe	Disable intervals in saas	2026-03-14 16:03:43 -07:00
Owen	1a43f1ef4b	Handle newt online offline with websocket	2026-03-14 11:59:20 -07:00
Owen	75ab074805	Attempt to improve handling bandwidth tracking	2026-03-13 12:06:01 -07:00
Owen	dc4e0253de	Add message compression for large messages	2026-03-13 11:46:03 -07:00
Owen	cccf236042	Add optional compression	2026-03-12 17:49:21 -07:00
Owen	63fd63c65c	Send less data down	2026-03-12 17:27:15 -07:00
Owen	beee1d692d	revert: telemetry comment	2026-03-12 17:11:13 -07:00
Owen	fde786ca84	Add todo	2026-03-12 17:10:46 -07:00
Owen	3086fdd064	Merge branch 'dev' into jit	2026-03-12 16:58:23 -07:00
Owen	6c30f6db31	Dont send site if it missing public key	2026-03-12 16:33:33 -07:00
Owen	f021b73458	Add alert about domain error	2026-03-11 18:00:23 -07:00
Owen	74f4751bcc	Dont show raw resource option unless remote node	2026-03-11 17:47:15 -07:00
Owen	e5bce4e180	Merge branch 'main' into dev	2026-03-11 15:55:59 -07:00
Owen	a3d4553d14	Merge branch 'main' into dev	2026-03-11 14:53:55 -07:00
Owen	072c89e704	Bump dompurify	2026-03-10 16:43:40 -07:00
Owen	dbdff6812d	Bump esbuild	2026-03-10 16:31:19 -07:00
Owen	cc841d5640	Add some logging to debug	2026-03-10 14:24:57 -07:00
Owen	dec358c4cd	Use native drizzle count	2026-03-10 10:03:49 -07:00
Owen	e98f873f81	Clean up	2026-03-09 21:16:37 -07:00
Owen	e9a2a7e752	Reorder delete	2026-03-09 20:46:27 -07:00
Owen	06015d5191	Handle gerbil rejecting 0 Closes #2605	2026-03-09 17:35:25 -07:00
Owen	af688d2a23	Add demo link	2026-03-09 17:35:04 -07:00
Owen	7d0b3ec6b5	Fix not pulling wildcard cert updates	2026-03-09 17:34:48 -07:00
Owen	cf5fb8dc33	Working on jit	2026-03-09 16:36:13 -07:00
Owen Schwartz	9a0a255445	Merge pull request #2524 from shreyaspapi/fix/2294-path-based-routing fix: path-based routing broken due to key collisions in sanitize()	2026-03-07 21:18:59 -08:00
Owen Schwartz	d5a37436c0	Merge pull request #2616 from LaurenceJJones/fix/issue-240-hcStatus-missing fix(newt): missing hcStatus in hc config on reconnect	2026-03-07 21:14:27 -08:00
Laurence	be609b5000	Fix missing hcStatus field in health check config on reconnect The buildTargetConfigurationForNewtClient function was not including the hcStatus field when building health check targets for the newt/wg/connect message. This caused custom expected response codes (e.g., 409) to revert to the default 2xx range check after Pangolin server restart. Added hcStatus to both the database select query and the returned health check target object, matching the behavior in targets.ts addTargets.	2026-03-07 06:28:10 +00:00
Owen	0503c6e66e	Handle JIT for ssh	2026-03-06 15:49:17 -08:00
Owen	9405b0b70a	Force jit above site limit	2026-03-06 14:09:57 -08:00
Owen	a26ee4ac1a	Adjust billing upgrade language	2026-03-06 12:17:26 -08:00
Owen	2a5c9465e9	Add chainId field passthrough	2026-03-04 22:17:58 -08:00
Owen	f36b66e397	Merge branch 'dev' into jit	2026-03-04 17:58:50 -08:00
Owen	8c6d44677d	Update lock	2026-03-04 17:48:58 -08:00
Owen	1bfff630bf	Jit working for sites	2026-03-04 17:46:58 -08:00
miloschwartz	ebcef28b05	remove resend from config	2026-03-04 17:45:48 -08:00
miloschwartz	e87e12898c	remove resend	2026-03-04 17:45:22 -08:00
miloschwartz	d60ab281cf	remove resend from package.json	2026-03-04 17:42:25 -08:00
Owen	c73a39f797	Allow JIT based on site or resource	2026-03-04 15:44:27 -08:00
Shreyas Papinwar	75a909784a	fix: simplify path encoding per review — inline utils, use single key scheme Address PR review comments: - Remove pathUtils.ts and move sanitize/encodePath directly into utils.ts - Simplify dual-key approach to single key using encodePath for map keys - Remove backward-compat logic (not needed per reviewer) - Update tests to match simplified approach	2026-03-01 15:48:26 +05:30
Shreyas	244f497a9c	test: add comprehensive backward compatibility tests for path routing fix	2026-03-01 15:48:26 +05:30
Shreyas	e58f0c9f07	fix: preserve backward-compatible router names while fixing path collisions Use encodePath only for internal map key grouping (collision-free) and sanitize for Traefik-facing router/service names (unchanged for existing users). Extract pure functions into pathUtils.ts so tests can run without DB dependencies.	2026-03-01 15:48:26 +05:30
Shreyas	5f18c06e03	fix: use collision-free path encoding for Traefik router key generation	2026-03-01 15:48:26 +05:30