concat host and path for search and add a status filter

- Add wasCredentialSubmitted helper to detect when credentials were
  submitted but authentication failed
- Set auth method in CapturedData when wrong PIN/password is entered
- Set auth method for OAuth callback errors and token validation errors
- Add tests for failed auth method capture

.gitignore

@@ -2,6 +2,7 @@
 .run
 *.iml
 dist/
+!proxy/web/dist/
 bin/
 .env
 conf.json

README.md

@@ -60,8 +60,8 @@
 
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
-### NetBird on Lawrence Systems (Video)
-[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)
+### Self-Host NetBird (Video)
+[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
 
 ### Key features
 

client/embed/embed.go

@@ -71,6 +71,8 @@ type Options struct {
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
+	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
+	WireguardPort *int
 }
 
 // validateCredentials checks that exactly one credential type is provided
@@ -140,6 +142,7 @@ func New(opts Options) (*Client, error) {
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
+		WireguardPort:       opts.WireguardPort,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -159,6 +162,7 @@ func New(opts Options) (*Client, error) {
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
+		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }
 
@@ -180,6 +184,7 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
+
 	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
 	if err != nil {
 		return fmt.Errorf("create auth client: %w", err)
@@ -189,10 +194,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-
-	recorder := peer.NewRecorder(c.config.ManagementURL.String())
-	c.recorder = recorder
-	client := internal.NewConnectClient(ctx, c.config, recorder, false)
+	client := internal.NewConnectClient(ctx, c.config, c.recorder, false)
 	client.SetSyncResponsePersistence(true)
 
 	// either startup error (permanent backoff err) or nil err (successful engine up)
@@ -345,14 +347,9 @@ func (c *Client) NewHTTPClient() *http.Client {
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
-	recorder := c.recorder
 	connect := c.connect
 	c.mu.Unlock()
 
-	if recorder == nil {
-		return peer.FullStatus{}, errors.New("client not started")
-	}
-
 	if connect != nil {
 		engine := connect.Engine()
 		if engine != nil {
@@ -360,7 +357,7 @@ func (c *Client) Status() (peer.FullStatus, error) {
 		}
 	}
 
-	return recorder.GetFullStatus(), nil
+	return c.recorder.GetFullStatus(), nil
 }
 
 // GetLatestSyncResponse returns the latest sync response from the management server.

client/firewall/uspfilter/allow_netbird.go

@@ -3,12 +3,6 @@
 package uspfilter
 
 import (
-	"context"
-	"net/netip"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -17,33 +11,7 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
-	m.incomingRules = make(map[netip.Addr]RuleSet)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
+	m.resetState()
 
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)

client/firewall/uspfilter/allow_netbird_windows.go

@@ -1,12 +1,9 @@
 package uspfilter
 
 import (
-	"context"
 	"fmt"
-	"net/netip"
 	"os/exec"
 	"syscall"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 
@@ -26,33 +23,7 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
-	m.incomingRules = make(map[netip.Addr]RuleSet)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
+	m.resetState()
 
 	if !isWindowsFirewallReachable() {
 		return nil

client/firewall/uspfilter/filter.go

@@ -1,6 +1,7 @@
 package uspfilter
 
 import (
+	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -12,11 +13,13 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
+	"time"
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -24,6 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
+	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -89,6 +93,7 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
+	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -229,6 +234,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
+		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -480,11 +486,15 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}
 
-	ruleID := uuid.New().String()
+	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
+
+	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
+		return existingRule, nil
+	}
 
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         ruleID,
+		id:         string(ruleKey),
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
@@ -499,6 +509,7 @@ func (m *Manager) addRouteFiltering(
 
 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
+	m.routeRulesMap[ruleKey] = &rule
 
 	return &rule, nil
 }
@@ -515,15 +526,20 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}
 
-	ruleID := rule.ID()
+	ruleKey := nbid.RuleID(rule.ID())
+	if _, ok := m.routeRulesMap[ruleKey]; !ok {
+		return fmt.Errorf("route rule not found: %s", ruleKey)
+	}
+
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == ruleID
+		return r.id == string(ruleKey)
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found: %s", ruleID)
+		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
 	}
 
 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
+	delete(m.routeRulesMap, ruleKey)
 	return nil
 }
 
@@ -570,6 +586,40 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
+// resetState clears all firewall rules and closes connection trackers.
+// Must be called with m.mutex held.
+func (m *Manager) resetState() {
+	maps.Clear(m.outgoingRules)
+	maps.Clear(m.incomingDenyRules)
+	maps.Clear(m.incomingRules)
+	maps.Clear(m.routeRulesMap)
+	m.routeRules = m.routeRules[:0]
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}
+}
+
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	if m.nativeFirewall == nil {

client/firewall/uspfilter/filter_routeacl_test.go

@@ -0,0 +1,376 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	wgdevice "golang.zx2c4.com/wireguard/device"
+
+	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/mocks"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+)
+
+// TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
+// filtering rule twice returns the same rule ID (idempotent behavior).
+func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{
+		netip.MustParsePrefix("100.64.1.0/24"),
+		netip.MustParsePrefix("100.64.2.0/24"),
+	}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	// Add rule first time
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+	require.NotNil(t, rule1)
+
+	// Add the same rule again
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+	require.NotNil(t, rule2)
+
+	// These should be the same (idempotent) like nftables/iptables implementations
+	assert.Equal(t, rule1.ID(), rule2.ID(),
+		"Adding the same rule twice should return the same rule ID (idempotent)")
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 2, ruleCount,
+		"Should have exactly 2 rules (1 user rule + 1 block rule)")
+}
+
+// TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
+// different parameters get distinct IDs.
+func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+
+	// Add first rule
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	// Add different rule (different destination)
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-2"),
+		sources,
+		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	assert.NotEqual(t, rule1.ID(), rule2.ID(),
+		"Different rules should have different IDs")
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
+}
+
+// TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
+// rule during a network map update does not disrupt existing traffic.
+func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	srcIP := netip.MustParseAddr("100.64.1.5")
+	dstIP := netip.MustParseAddr("192.168.1.10")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
+	require.True(t, pass, "Traffic should pass with rule in place")
+
+	// Re-add same rule (simulates network map update)
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
+	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
+	// would remove the only matching rule and cause a traffic gap.
+	if rule1.ID() != rule2.ID() {
+		err = manager.DeleteRouteRule(rule1)
+		require.NoError(t, err)
+	}
+
+	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
+	assert.True(t, passAfter,
+		"Traffic should still pass after rule update - no gap should occur")
+}
+
+// TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
+// exactly one drop rule for the WireGuard network prefix, and calling it again
+// returns the same rule without duplicating.
+func TestBlockInvalidRoutedIdempotent(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	// Call blockInvalidRouted directly multiple times
+	rule1, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.NotNil(t, rule1)
+
+	rule2, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.NotNil(t, rule2)
+
+	rule3, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.NotNil(t, rule3)
+
+	// All should return the same rule
+	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
+	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
+
+	// Should have exactly 1 route rule
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
+
+	// Verify the rule blocks traffic to the WG network
+	srcIP := netip.MustParseAddr("10.0.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.50")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
+	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
+}
+
+// TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
+// EnableRouting multiple times (as happens on each route update) does not
+// accumulate duplicate block rules in the routeRules slice.
+func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	// Call EnableRouting multiple times (simulating repeated route updates)
+	for i := 0; i < 5; i++ {
+		require.NoError(t, manager.EnableRouting())
+	}
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 1, ruleCount,
+		"Repeated EnableRouting should not accumulate block rules")
+}
+
+// TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
+// rule multiple times does not create duplicate entries.
+func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	// Simulate 5 network map updates with the same route rule
+	for i := 0; i < 5; i++ {
+		rule, err := manager.AddRouteFiltering(
+			[]byte("policy-1"),
+			sources,
+			destination,
+			fw.ProtocolTCP,
+			nil,
+			&fw.Port{Values: []uint16{443}},
+			fw.ActionAccept,
+		)
+		require.NoError(t, err)
+		require.NotNil(t, rule)
+	}
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 2, ruleCount,
+		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
+}
+
+// TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
+// after adding it multiple times works correctly.
+func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	// Add same rule twice
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
+
+	// Delete using first reference
+	err = manager.DeleteRouteRule(rule1)
+	require.NoError(t, err)
+
+	// Verify traffic no longer passes
+	srcIP := netip.MustParseAddr("100.64.1.5")
+	dstIP := netip.MustParseAddr("192.168.1.10")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
+	assert.False(t, pass, "Traffic should not pass after rule deletion")
+}
+
+func setupTestManager(t *testing.T) *Manager {
+	t.Helper()
+
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, manager.EnableRouting())
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	return manager
+}

client/firewall/uspfilter/filter_test.go

@@ -263,6 +263,158 @@ func TestAddUDPPacketHook(t *testing.T) {
 	}
 }
 
+// TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
+// to the deny map and can be cleanly deleted without leaving orphans.
+func TestPeerRuleLifecycleDenyRules(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, m.Close(nil))
+	}()
+
+	ip := net.ParseIP("192.168.1.1")
+	addr := netip.MustParseAddr("192.168.1.1")
+
+	// Add multiple deny rules for different ports
+	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+	require.NoError(t, err)
+
+	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	denyCount := len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
+
+	// Delete the first deny rule
+	err = m.DeletePeerRule(rule1[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	denyCount = len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
+
+	// Delete the second deny rule
+	err = m.DeletePeerRule(rule2[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	_, exists := m.incomingDenyRules[addr]
+	m.mutex.RUnlock()
+	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
+}
+
+// TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
+// peer rules (simulating network map updates) does not leak rules in the maps.
+func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, m.Close(nil))
+	}()
+
+	ip := net.ParseIP("192.168.1.1")
+	addr := netip.MustParseAddr("192.168.1.1")
+
+	// Simulate 10 network map updates: add rule, delete old, add new
+	for i := 0; i < 10; i++ {
+		// Add a deny rule
+		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+		require.NoError(t, err)
+
+		// Add an allow rule
+		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+		require.NoError(t, err)
+
+		// Delete them (simulating ACL manager cleanup)
+		for _, r := range rules {
+			require.NoError(t, m.DeletePeerRule(r))
+		}
+		for _, r := range allowRules {
+			require.NoError(t, m.DeletePeerRule(r))
+		}
+	}
+
+	m.mutex.RLock()
+	denyCount := len(m.incomingDenyRules[addr])
+	allowCount := len(m.incomingRules[addr])
+	m.mutex.RUnlock()
+
+	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
+	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
+}
+
+// TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
+// IP are stored in separate maps and don't interfere with each other.
+func TestMixedAllowDenyRulesSameIP(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, m.Close(nil))
+	}()
+
+	ip := net.ParseIP("192.168.1.1")
+
+	// Add allow rule for port 80
+	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	require.NoError(t, err)
+
+	// Add deny rule for port 22
+	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+	require.NoError(t, err)
+
+	addr := netip.MustParseAddr("192.168.1.1")
+	m.mutex.RLock()
+	allowCount := len(m.incomingRules[addr])
+	denyCount := len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+
+	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
+	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
+
+	// Delete allow rule should not affect deny rule
+	err = m.DeletePeerRule(allowRule[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	denyCountAfter := len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+
+	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
+
+	// Delete deny rule
+	err = m.DeletePeerRule(denyRule[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	_, denyExists := m.incomingDenyRules[addr]
+	_, allowExists := m.incomingRules[addr]
+	m.mutex.RUnlock()
+
+	require.False(t, denyExists, "Deny rules should be empty")
+	require.False(t, allowExists, "Allow rules should be empty")
+}
+
 func TestManagerReset(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },

client/iface/iface.go

@@ -18,6 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
+	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
@@ -228,6 +229,10 @@ func (w *WGIface) Close() error {
 		result = multierror.Append(result, fmt.Errorf("failed to close wireguard interface %s: %w", w.Name(), err))
 	}
 
+	if nbnetstack.IsEnabled() {
+		return errors.FormatErrorOrNil(result)
+	}
+
 	if err := w.waitUntilRemoved(); err != nil {
 		log.Warnf("failed to remove WireGuard interface %s: %v", w.Name(), err)
 		if err := w.Destroy(); err != nil {

client/internal/acl/manager_test.go

@@ -189,6 +189,212 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }
 
+// TestDenyRulesNotAccumulatedOnRepeatedApply verifies that applying the same
+// deny rules repeatedly does not accumulate duplicate rules in the uspfilter.
+// This tests the full ACL manager -> uspfilter integration.
+func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_DROP,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_DROP,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "80",
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "443",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	// Apply the same rules 5 times (simulating repeated network map updates)
+	for i := 0; i < 5; i++ {
+		acl.ApplyFiltering(networkMap, false)
+	}
+
+	// The ACL manager should track exactly 3 rule pairs (2 deny + 1 accept inbound)
+	assert.Equal(t, 3, len(acl.peerRulesPairs),
+		"Should have exactly 3 rule pairs after 5 identical updates")
+}
+
+// TestDenyRulesCleanedUpOnRemoval verifies that deny rules are properly cleaned
+// up when they're removed from the network map in a subsequent update.
+func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	// First update: add deny and accept rules
+	networkMap1 := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_DROP,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "443",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	acl.ApplyFiltering(networkMap1, false)
+	assert.Equal(t, 2, len(acl.peerRulesPairs), "Should have 2 rules after first update")
+
+	// Second update: remove the deny rule, keep only accept
+	networkMap2 := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "443",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	acl.ApplyFiltering(networkMap2, false)
+	assert.Equal(t, 1, len(acl.peerRulesPairs),
+		"Should have 1 rule after removing deny rule")
+
+	// Third update: remove all rules
+	networkMap3 := &mgmProto.NetworkMap{
+		FirewallRules:        []*mgmProto.FirewallRule{},
+		FirewallRulesIsEmpty: true,
+	}
+
+	acl.ApplyFiltering(networkMap3, false)
+	assert.Equal(t, 0, len(acl.peerRulesPairs),
+		"Should have 0 rules after removing all rules")
+}
+
+// TestRuleUpdateChangingAction verifies that when a rule's action changes from
+// accept to deny (or vice versa), the old rule is properly removed and the new
+// one added without leaking.
+func TestRuleUpdateChangingAction(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	// First update: accept rule
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+	acl.ApplyFiltering(networkMap, false)
+	assert.Equal(t, 1, len(acl.peerRulesPairs))
+
+	// Second update: change to deny (same IP/port/proto, different action)
+	networkMap.FirewallRules = []*mgmProto.FirewallRule{
+		{
+			PeerIP:    "10.93.0.1",
+			Direction: mgmProto.RuleDirection_IN,
+			Action:    mgmProto.RuleAction_DROP,
+			Protocol:  mgmProto.RuleProtocol_TCP,
+			Port:      "22",
+		},
+	}
+	acl.ApplyFiltering(networkMap, false)
+
+	// Should still have exactly 1 rule (the old accept removed, new deny added)
+	assert.Equal(t, 1, len(acl.peerRulesPairs),
+		"Changing action should result in exactly 1 rule, not 2")
+}
+
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string

client/internal/connect.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -244,7 +245,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: device.WireGuardModuleIsLoaded(),
+			KernelInterface: device.WireGuardModuleIsLoaded() && !netstack.IsEnabled(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
 		c.statusRecorder.UpdateLocalPeerState(localPeerState)

client/internal/dns/server.go

@@ -6,7 +6,9 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
+	"os"
 	"runtime"
+	"strconv"
 	"strings"
 	"sync"
 
@@ -27,6 +29,8 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
+const envSkipDNSProbe = "NB_SKIP_DNS_PROBE"
+
 // ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
 type ReadyListener interface {
 	OnReady()
@@ -439,6 +443,17 @@ func (s *DefaultServer) SearchDomains() []string {
 // ProbeAvailability tests each upstream group's servers for availability
 // and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
+	if val := os.Getenv(envSkipDNSProbe); val != "" {
+		skipProbe, err := strconv.ParseBool(val)
+		if err != nil {
+			log.Warnf("failed to parse %s: %v", envSkipDNSProbe, err)
+		}
+		if skipProbe {
+			log.Infof("skipping DNS probe due to %s", envSkipDNSProbe)
+			return
+		}
+	}
+
 	var wg sync.WaitGroup
 	for _, mux := range s.dnsMuxMap {
 		wg.Add(1)

client/internal/dnsfwd/forwarder.go

@@ -190,50 +190,75 @@ func (f *DNSForwarder) Close(ctx context.Context) error {
 	return nberrors.FormatErrorOrNil(result)
 }
 
-func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
+func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg, startTime time.Time) {
 	if len(query.Question) == 0 {
-		return nil
+		return
 	}
 	question := query.Question[0]
-	logger.Tracef("received DNS request for DNS forwarder: domain=%s type=%s class=%s",
-		question.Name, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])
+	qname := strings.ToLower(question.Name)
 
-	domain := strings.ToLower(question.Name)
+	logger.Tracef("question: domain=%s type=%s class=%s",
+		qname, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])
 
 	resp := query.SetReply(query)
 	network := resutil.NetworkForQtype(question.Qtype)
 	if network == "" {
 		resp.Rcode = dns.RcodeNotImplemented
-		if err := w.WriteMsg(resp); err != nil {
-			logger.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
+		f.writeResponse(logger, w, resp, qname, startTime)
+		return
 	}
 
-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
-	// query doesn't match any configured domain
+	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(qname, "."))
 	if mostSpecificResId == "" {
 		resp.Rcode = dns.RcodeRefused
-		if err := w.WriteMsg(resp); err != nil {
-			logger.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
+		f.writeResponse(logger, w, resp, qname, startTime)
+		return
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()
 
-	result := resutil.LookupIP(ctx, f.resolver, network, domain, question.Qtype)
+	result := resutil.LookupIP(ctx, f.resolver, network, qname, question.Qtype)
 	if result.Err != nil {
-		f.handleDNSError(ctx, logger, w, question, resp, domain, result)
-		return nil
+		f.handleDNSError(ctx, logger, w, question, resp, qname, result, startTime)
+		return
 	}
 
 	f.updateInternalState(result.IPs, mostSpecificResId, matchingEntries)
-	resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, result.IPs, f.ttl)...)
-	f.cache.set(domain, question.Qtype, result.IPs)
+	resp.Answer = append(resp.Answer, resutil.IPsToRRs(qname, result.IPs, f.ttl)...)
+	f.cache.set(qname, question.Qtype, result.IPs)
 
-	return resp
+	f.writeResponse(logger, w, resp, qname, startTime)
+}
+
+func (f *DNSForwarder) writeResponse(logger *log.Entry, w dns.ResponseWriter, resp *dns.Msg, qname string, startTime time.Time) {
+	if err := w.WriteMsg(resp); err != nil {
+		logger.Errorf("failed to write DNS response: %v", err)
+		return
+	}
+
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		qname, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
+}
+
+// udpResponseWriter wraps a dns.ResponseWriter to handle UDP-specific truncation.
+type udpResponseWriter struct {
+	dns.ResponseWriter
+	query *dns.Msg
+}
+
+func (u *udpResponseWriter) WriteMsg(resp *dns.Msg) error {
+	opt := u.query.IsEdns0()
+	maxSize := dns.MinMsgSize
+	if opt != nil {
+		maxSize = int(opt.UDPSize())
+	}
+
+	if resp.Len() > maxSize {
+		resp.Truncate(maxSize)
+	}
+
+	return u.ResponseWriter.WriteMsg(resp)
 }
 
 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
@@ -243,30 +268,7 @@ func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})
 
-	resp := f.handleDNSQuery(logger, w, query)
-	if resp == nil {
-		return
-	}
-
-	opt := query.IsEdns0()
-	maxSize := dns.MinMsgSize
-	if opt != nil {
-		// client advertised a larger EDNS0 buffer
-		maxSize = int(opt.UDPSize())
-	}
-
-	// if our response is too big, truncate and set the TC bit
-	if resp.Len() > maxSize {
-		resp.Truncate(maxSize)
-	}
-
-	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS response: %v", err)
-		return
-	}
-
-	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
-		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
+	f.handleDNSQuery(logger, &udpResponseWriter{ResponseWriter: w, query: query}, query, startTime)
 }
 
 func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
@@ -276,18 +278,7 @@ func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})
 
-	resp := f.handleDNSQuery(logger, w, query)
-	if resp == nil {
-		return
-	}
-
-	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS response: %v", err)
-		return
-	}
-
-	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
-		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
+	f.handleDNSQuery(logger, w, query, startTime)
 }
 
 func (f *DNSForwarder) updateInternalState(ips []netip.Addr, mostSpecificResId route.ResID, matchingEntries []*ForwarderEntry) {
@@ -334,6 +325,7 @@ func (f *DNSForwarder) handleDNSError(
 	resp *dns.Msg,
 	domain string,
 	result resutil.LookupResult,
+	startTime time.Time,
 ) {
 	qType := question.Qtype
 	qTypeName := dns.TypeToString[qType]
@@ -343,9 +335,7 @@ func (f *DNSForwarder) handleDNSError(
 	// NotFound: cache negative result and respond
 	if result.Rcode == dns.RcodeNameError || result.Rcode == dns.RcodeSuccess {
 		f.cache.set(domain, question.Qtype, nil)
-		if writeErr := w.WriteMsg(resp); writeErr != nil {
-			logger.Errorf("failed to write failure DNS response: %v", writeErr)
-		}
+		f.writeResponse(logger, w, resp, domain, startTime)
 		return
 	}
 
@@ -355,9 +345,7 @@ func (f *DNSForwarder) handleDNSError(
 			logger.Debugf("serving cached DNS response after upstream failure: domain=%s type=%s", domain, qTypeName)
 			resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, ips, f.ttl)...)
 			resp.Rcode = dns.RcodeSuccess
-			if writeErr := w.WriteMsg(resp); writeErr != nil {
-				logger.Errorf("failed to write cached DNS response: %v", writeErr)
-			}
+			f.writeResponse(logger, w, resp, domain, startTime)
 			return
 		}
 
@@ -365,9 +353,7 @@ func (f *DNSForwarder) handleDNSError(
 		verifyResult := resutil.LookupIP(ctx, f.resolver, resutil.NetworkForQtype(qType), domain, qType)
 		if verifyResult.Rcode == dns.RcodeNameError || verifyResult.Rcode == dns.RcodeSuccess {
 			resp.Rcode = verifyResult.Rcode
-			if writeErr := w.WriteMsg(resp); writeErr != nil {
-				logger.Errorf("failed to write failure DNS response: %v", writeErr)
-			}
+			f.writeResponse(logger, w, resp, domain, startTime)
 			return
 		}
 	}
@@ -375,15 +361,12 @@ func (f *DNSForwarder) handleDNSError(
 	// No cache or verification failed. Log with or without the server field for more context.
 	var dnsErr *net.DNSError
 	if errors.As(result.Err, &dnsErr) && dnsErr.Server != "" {
-		logger.Warnf("failed to resolve: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
+		logger.Warnf("upstream failure: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
 	} else {
 		logger.Warnf(errResolveFailed, domain, result.Err)
 	}
 
-	// Write final failure response.
-	if writeErr := w.WriteMsg(resp); writeErr != nil {
-		logger.Errorf("failed to write failure DNS response: %v", writeErr)
-	}
+	f.writeResponse(logger, w, resp, domain, startTime)
 }
 
 // getMatchingEntries retrieves the resource IDs for a given domain.

client/internal/dnsfwd/forwarder_test.go

@@ -318,8 +318,9 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 			query.SetQuestion(dns.Fqdn(tt.queryDomain), dns.TypeA)
 
 			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
 
+			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode, "Expected successful response")
@@ -329,10 +330,9 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockFirewall.AssertExpectations(t)
 				mockResolver.AssertExpectations(t)
 			} else {
-				if resp != nil {
-					assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
-						"Unauthorized domain should not return successful answers")
-				}
+				require.NotNil(t, resp, "Expected response")
+				assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
+					"Unauthorized domain should not return successful answers")
 				mockFirewall.AssertNotCalled(t, "UpdateSet")
 				mockResolver.AssertNotCalled(t, "LookupNetIP")
 			}
@@ -466,14 +466,16 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			dnsQuery.SetQuestion(dns.Fqdn(tt.query), dns.TypeA)
 
 			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery)
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery, time.Now())
 
 			// Verify response
+			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 				require.NotEmpty(t, resp.Answer)
-			} else if resp != nil {
+			} else {
+				require.NotNil(t, resp, "Expected response")
 				assert.True(t, resp.Rcode == dns.RcodeRefused || len(resp.Answer) == 0,
 					"Unauthorized domain should be refused or have no answers")
 			}
@@ -528,9 +530,10 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	query.SetQuestion("example.com.", dns.TypeA)
 
 	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
 
 	// Verify response contains all IPs
+	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 	require.Len(t, resp.Answer, 3, "Should have 3 answer records")
@@ -605,7 +608,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 				},
 			}
 
-			_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
 
 			// Check the response written to the writer
 			require.NotNil(t, writtenResp, "Expected response to be written")
@@ -675,7 +678,8 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
+	resp1 := w1.GetLastResponse()
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -683,13 +687,13 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	// Second query: serve from cache after upstream failure
 	q2 := &dns.Msg{}
 	q2.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
-	var writtenResp *dns.Msg
-	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
-	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)
+	w2 := &test.MockResponseWriter{}
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())
 
-	require.NotNil(t, writtenResp, "expected response to be written")
-	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
-	require.Len(t, writtenResp.Answer, 1)
+	resp2 := w2.GetLastResponse()
+	require.NotNil(t, resp2, "expected response to be written")
+	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
+	require.Len(t, resp2.Answer, 1)
 
 	mockResolver.AssertExpectations(t)
 }
@@ -715,7 +719,8 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(mixedQuery+".", dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
+	resp1 := w1.GetLastResponse()
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -727,13 +732,13 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 
 	q2 := &dns.Msg{}
 	q2.SetQuestion("EXAMPLE.COM", dns.TypeA)
-	var writtenResp *dns.Msg
-	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
-	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)
+	w2 := &test.MockResponseWriter{}
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())
 
-	require.NotNil(t, writtenResp)
-	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
-	require.Len(t, writtenResp.Answer, 1)
+	resp2 := w2.GetLastResponse()
+	require.NotNil(t, resp2)
+	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
+	require.Len(t, resp2.Answer, 1)
 
 	mockResolver.AssertExpectations(t)
 }
@@ -784,8 +789,9 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	query.SetQuestion("smtp.mail.example.com.", dns.TypeA)
 
 	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
 
+	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	assert.Equal(t, dns.RcodeSuccess, resp.Rcode)
 
@@ -897,26 +903,15 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 			query := &dns.Msg{}
 			query.SetQuestion(dns.Fqdn("example.com"), tt.queryType)
 
-			var writtenResp *dns.Msg
-			mockWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					writtenResp = m
-					return nil
-				},
-			}
+			mockWriter := &test.MockResponseWriter{}
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
 
-			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
-
-			// If a response was returned, it means it should be written (happens in wrapper functions)
-			if resp != nil && writtenResp == nil {
-				writtenResp = resp
-			}
-
-			require.NotNil(t, writtenResp, "Expected response to be written")
-			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)
+			resp := mockWriter.GetLastResponse()
+			require.NotNil(t, resp, "Expected response to be written")
+			assert.Equal(t, tt.expectedCode, resp.Rcode, tt.description)
 
 			if tt.expectNoAnswer {
-				assert.Empty(t, writtenResp.Answer, "Response should have no answer records")
+				assert.Empty(t, resp.Answer, "Response should have no answer records")
 			}
 
 			mockResolver.AssertExpectations(t)
@@ -931,15 +926,8 @@ func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	query := &dns.Msg{}
 	// Don't set any question
 
-	writeCalled := false
-	mockWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			writeCalled = true
-			return nil
-		},
-	}
-	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+	mockWriter := &test.MockResponseWriter{}
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
 
-	assert.Nil(t, resp, "Should return nil for empty query")
-	assert.False(t, writeCalled, "Should not write response for empty query")
+	assert.Nil(t, mockWriter.GetLastResponse(), "Should not write response for empty query")
 }

client/internal/engine.go

@@ -828,6 +828,10 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate
 }
 
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
+	started := time.Now()
+	defer func() {
+		log.Infof("sync finished in %s", time.Since(started))
+	}()
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
@@ -1017,7 +1021,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
-	state.KernelInterface = device.WireGuardModuleIsLoaded()
+	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
 	state.FQDN = conf.GetFqdn()
 
 	e.statusRecorder.UpdateLocalPeerState(state)

client/internal/engine_ssh.go

@@ -10,6 +10,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
@@ -94,6 +95,10 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 
 // updateSSHClientConfig updates the SSH client configuration with peer information
 func (e *Engine) updateSSHClientConfig(remotePeers []*mgmProto.RemotePeerConfig) error {
+	if netstack.IsEnabled() {
+		return nil
+	}
+
 	peerInfo := e.extractPeerSSHInfo(remotePeers)
 	if len(peerInfo) == 0 {
 		log.Debug("no SSH-enabled peers found, skipping SSH config update")
@@ -216,6 +221,10 @@ func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {
 
 // cleanupSSHConfig removes NetBird SSH client configuration on shutdown
 func (e *Engine) cleanupSSHConfig() {
+	if netstack.IsEnabled() {
+		return
+	}
+
 	configMgr := sshconfig.New()
 
 	if err := configMgr.RemoveSSHClientConfig(); err != nil {

client/internal/lazyconn/activity/manager.go

@@ -11,6 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -74,12 +75,13 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 
-	// BindListener is only used on Windows and JS platforms:
+	// BindListener is used on Windows, JS, and netstack platforms:
 	// - JS: Cannot listen to UDP sockets
 	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
 	//   gateway points to, preventing them from reaching the loopback interface.
-	//   BindListener bypasses this by passing data directly through the bind.
-	if runtime.GOOS != "windows" && runtime.GOOS != "js" {
+	// - Netstack: Allows multiple instances on the same host without port conflicts.
+	// BindListener bypasses these issues by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 

client/internal/peer/ice/agent.go

@@ -2,6 +2,7 @@ package ice
 
 import (
 	"context"
+	"fmt"
 	"sync"
 	"time"
 
@@ -32,24 +33,6 @@ type ThreadSafeAgent struct {
 	once sync.Once
 }
 
-func (a *ThreadSafeAgent) Close() error {
-	var err error
-	a.once.Do(func() {
-		done := make(chan error, 1)
-		go func() {
-			done <- a.Agent.Close()
-		}()
-
-		select {
-		case err = <-done:
-		case <-time.After(iceAgentCloseTimeout):
-			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
-			err = nil
-		}
-	})
-	return err
-}
-
 func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
@@ -93,9 +76,41 @@ func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, c
 		return nil, err
 	}
 
+	if agent == nil {
+		return nil, fmt.Errorf("ice.NewAgent returned nil agent without error")
+	}
+
 	return &ThreadSafeAgent{Agent: agent}, nil
 }
 
+func (a *ThreadSafeAgent) Close() error {
+	var err error
+	a.once.Do(func() {
+		// Defensive check to prevent nil pointer dereference
+		// This can happen during sleep/wake transitions or memory corruption scenarios
+		// github.com/netbirdio/netbird/client/internal/peer/ice.(*ThreadSafeAgent).Close(0x40006883f0?)
+		//  [signal 0xc0000005 code=0x0 addr=0x0 pc=0x7ff7e73af83c]
+		agent := a.Agent
+		if agent == nil {
+			log.Warnf("ICE agent is nil during close, skipping")
+			return
+		}
+
+		done := make(chan error, 1)
+		go func() {
+			done <- agent.Close()
+		}()
+
+		select {
+		case err = <-done:
+		case <-time.After(iceAgentCloseTimeout):
+			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
+			err = nil
+		}
+	})
+	return err
+}
+
 func GenerateICECredentials() (string, string, error) {
 	ufrag, err := randutil.GenerateCryptoRandomString(lenUFrag, runesAlpha)
 	if err != nil {

client/internal/peer/worker_ice.go

@@ -107,8 +107,10 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
 		w.agentDialerCancel()
-		if err := w.agent.Close(); err != nil {
-			w.log.Warnf("failed to close ICE agent: %s", err)
+		if w.agent != nil {
+			if err := w.agent.Close(); err != nil {
+				w.log.Warnf("failed to close ICE agent: %s", err)
+			}
 		}
 
 		sessionID, err := NewICESessionID()

client/internal/profilemanager/config.go

@@ -252,7 +252,7 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 	}
 
 	if config.AdminURL == nil {
-		log.Infof("using default Admin URL %s", DefaultManagementURL)
+		log.Infof("using default Admin URL %s", DefaultAdminURL)
 		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
 		if err != nil {
 			return false, err

client/internal/routemanager/manager.go

@@ -173,12 +173,21 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 }
 
 func (m *DefaultManager) setupRefCounters(useNoop bool) {
+	var once sync.Once
+	var wgIface *net.Interface
+	toInterface := func() *net.Interface {
+		once.Do(func() {
+			wgIface = m.wgInterface.ToInterface()
+		})
+		return wgIface
+	}
+
 	m.routeRefCounter = refcounter.New(
 		func(prefix netip.Prefix, _ struct{}) (struct{}, error) {
-			return struct{}{}, m.sysOps.AddVPNRoute(prefix, m.wgInterface.ToInterface())
+			return struct{}{}, m.sysOps.AddVPNRoute(prefix, toInterface())
 		},
 		func(prefix netip.Prefix, _ struct{}) error {
-			return m.sysOps.RemoveVPNRoute(prefix, m.wgInterface.ToInterface())
+			return m.sysOps.RemoveVPNRoute(prefix, toInterface())
 		},
 	)
 

client/internal/routemanager/systemops/routeflags_bsd.go

@@ -4,16 +4,17 @@ package systemops
 
 import (
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&syscall.RTF_UP == 0 {
+	if routeMessageFlags&unix.RTF_UP == 0 {
 		return true
 	}
 
-	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
+	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE|unix.RTF_WASCLONED) != 0 {
 		return true
 	}
 
@@ -24,42 +25,51 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string
 
-	if flags&syscall.RTF_UP != 0 {
+	if flags&unix.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&syscall.RTF_GATEWAY != 0 {
+	if flags&unix.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&syscall.RTF_HOST != 0 {
+	if flags&unix.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&syscall.RTF_REJECT != 0 {
+	if flags&unix.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&syscall.RTF_DYNAMIC != 0 {
+	if flags&unix.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&syscall.RTF_MODIFIED != 0 {
+	if flags&unix.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&syscall.RTF_STATIC != 0 {
+	if flags&unix.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&syscall.RTF_LLINFO != 0 {
+	if flags&unix.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&syscall.RTF_LOCAL != 0 {
+	if flags&unix.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&syscall.RTF_BLACKHOLE != 0 {
+	if flags&unix.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
-	if flags&syscall.RTF_CLONING != 0 {
+	if flags&unix.RTF_CLONING != 0 {
 		flagStrs = append(flagStrs, "C")
 	}
-	if flags&syscall.RTF_WASCLONED != 0 {
+	if flags&unix.RTF_WASCLONED != 0 {
 		flagStrs = append(flagStrs, "W")
 	}
+	if flags&unix.RTF_PROTO1 != 0 {
+		flagStrs = append(flagStrs, "1")
+	}
+	if flags&unix.RTF_PROTO2 != 0 {
+		flagStrs = append(flagStrs, "2")
+	}
+	if flags&unix.RTF_PROTO3 != 0 {
+		flagStrs = append(flagStrs, "3")
+	}
 
 	if len(flagStrs) == 0 {
 		return "-"

client/internal/routemanager/systemops/routeflags_freebsd.go

@@ -4,17 +4,18 @@ package systemops
 
 import (
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&syscall.RTF_UP == 0 {
+	if routeMessageFlags&unix.RTF_UP == 0 {
 		return true
 	}
 
-	// NOTE: syscall.RTF_WASCLONED deprecated in FreeBSD 8.0
-	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE) != 0 {
+	// NOTE: RTF_WASCLONED deprecated in FreeBSD 8.0
+	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE) != 0 {
 		return true
 	}
 
@@ -25,37 +26,46 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string
 
-	if flags&syscall.RTF_UP != 0 {
+	if flags&unix.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&syscall.RTF_GATEWAY != 0 {
+	if flags&unix.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&syscall.RTF_HOST != 0 {
+	if flags&unix.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&syscall.RTF_REJECT != 0 {
+	if flags&unix.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&syscall.RTF_DYNAMIC != 0 {
+	if flags&unix.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&syscall.RTF_MODIFIED != 0 {
+	if flags&unix.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&syscall.RTF_STATIC != 0 {
+	if flags&unix.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&syscall.RTF_LLINFO != 0 {
+	if flags&unix.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&syscall.RTF_LOCAL != 0 {
+	if flags&unix.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&syscall.RTF_BLACKHOLE != 0 {
+	if flags&unix.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
 	// Note: RTF_CLONING and RTF_WASCLONED deprecated in FreeBSD 8.0
+	if flags&unix.RTF_PROTO1 != 0 {
+		flagStrs = append(flagStrs, "1")
+	}
+	if flags&unix.RTF_PROTO2 != 0 {
+		flagStrs = append(flagStrs, "2")
+	}
+	if flags&unix.RTF_PROTO3 != 0 {
+		flagStrs = append(flagStrs, "3")
+	}
 
 	if len(flagStrs) == 0 {
 		return "-"

go.mod

@@ -42,6 +42,7 @@ require (
 	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
+	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
@@ -167,7 +168,6 @@ require (
 	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect

idp/dex/connector.go

@@ -327,6 +327,60 @@ func ensureLocalConnector(ctx context.Context, stor storage.Storage) error {
 	return nil
 }
 
+// HasNonLocalConnectors checks if there are any connectors other than the local connector.
+func (p *Provider) HasNonLocalConnectors(ctx context.Context) (bool, error) {
+	connectors, err := p.storage.ListConnectors(ctx)
+	if err != nil {
+		return false, fmt.Errorf("failed to list connectors: %w", err)
+	}
+
+	p.logger.Info("checking for non-local connectors", "total_connectors", len(connectors))
+	for _, conn := range connectors {
+		p.logger.Info("found connector in storage", "id", conn.ID, "type", conn.Type, "name", conn.Name)
+		if conn.ID != "local" || conn.Type != "local" {
+			p.logger.Info("found non-local connector", "id", conn.ID)
+			return true, nil
+		}
+	}
+	p.logger.Info("no non-local connectors found")
+	return false, nil
+}
+
+// DisableLocalAuth removes the local (password) connector.
+// Returns an error if no other connectors are configured.
+func (p *Provider) DisableLocalAuth(ctx context.Context) error {
+	hasOthers, err := p.HasNonLocalConnectors(ctx)
+	if err != nil {
+		return err
+	}
+	if !hasOthers {
+		return fmt.Errorf("cannot disable local authentication: no other identity providers configured")
+	}
+
+	// Check if local connector exists
+	_, err = p.storage.GetConnector(ctx, "local")
+	if errors.Is(err, storage.ErrNotFound) {
+		// Already disabled
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("failed to check local connector: %w", err)
+	}
+
+	// Delete the local connector
+	if err := p.storage.DeleteConnector(ctx, "local"); err != nil {
+		return fmt.Errorf("failed to delete local connector: %w", err)
+	}
+
+	p.logger.Info("local authentication disabled")
+	return nil
+}
+
+// EnableLocalAuth creates the local (password) connector if it doesn't exist.
+func (p *Provider) EnableLocalAuth(ctx context.Context) error {
+	return ensureLocalConnector(ctx, p.storage)
+}
+
 // ensureStaticConnectors creates or updates static connectors in storage
 func ensureStaticConnectors(ctx context.Context, stor storage.Storage, connectors []Connector) error {
 	for _, conn := range connectors {

management/cmd/management.go

@@ -19,6 +19,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/netbirdio/netbird/management/server/types"
+
 	"github.com/netbirdio/netbird/formatter/hook"
 	"github.com/netbirdio/netbird/management/internals/server"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
@@ -213,11 +215,14 @@ func applyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	// Set HttpConfig values from EmbeddedIdP
 	cfg.HttpConfig.AuthIssuer = issuer
 	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
+	cfg.HttpConfig.AuthClientID = cfg.HttpConfig.AuthAudience
 	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
 	cfg.HttpConfig.AuthUserIDClaim = "sub"
 	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
 	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
 	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
+	callbackURL := strings.TrimSuffix(cfg.HttpConfig.AuthIssuer, "/oauth2")
+	cfg.HttpConfig.AuthCallbackURL = callbackURL + types.ProxyCallbackEndpointFull
 
 	return nil
 }

management/cmd/root.go

@@ -80,4 +80,10 @@ func init() {
 	migrationCmd.AddCommand(upCmd)
 
 	rootCmd.AddCommand(migrationCmd)
+
+	tokenCmd.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
+	tokenCmd.AddCommand(tokenCreateCmd)
+	tokenCmd.AddCommand(tokenListCmd)
+	tokenCmd.AddCommand(tokenRevokeCmd)
+	rootCmd.AddCommand(tokenCmd)
 }

management/cmd/token.go

@@ -0,0 +1,208 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+	"text/tabwriter"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/formatter/hook"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/util"
+)
+
+var (
+	tokenName     string
+	tokenExpireIn string
+	tokenDatadir  string
+
+	tokenCmd = &cobra.Command{
+		Use:   "token",
+		Short: "Manage proxy access tokens",
+		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
+	}
+
+	tokenCreateCmd = &cobra.Command{
+		Use:   "create",
+		Short: "Create a new proxy access token",
+		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
+		RunE:  tokenCreateRun,
+	}
+
+	tokenListCmd = &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List all proxy access tokens",
+		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
+		RunE:    tokenListRun,
+	}
+
+	tokenRevokeCmd = &cobra.Command{
+		Use:   "revoke [token-id]",
+		Short: "Revoke a proxy access token",
+		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
+		Args:  cobra.ExactArgs(1),
+		RunE:  tokenRevokeRun,
+	}
+)
+
+func init() {
+	tokenCmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
+
+	tokenCreateCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
+	tokenCreateCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
+	tokenCreateCmd.MarkFlagRequired("name") //nolint
+}
+
+// withTokenStore initializes logging, loads config, opens the store, and calls fn.
+func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
+	if err := util.InitLog("error", "console"); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource)
+
+	config, err := loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+	if err != nil {
+		return fmt.Errorf("load config: %w", err)
+	}
+
+	datadir := config.Datadir
+	if tokenDatadir != "" {
+		datadir = tokenDatadir
+	}
+
+	s, err := store.NewStore(ctx, config.StoreConfig.Engine, datadir, nil, true)
+	if err != nil {
+		return fmt.Errorf("create store: %w", err)
+	}
+	defer func() {
+		if err := s.Close(ctx); err != nil {
+			log.Debugf("close store: %v", err)
+		}
+	}()
+
+	return fn(ctx, s)
+}
+
+func tokenCreateRun(cmd *cobra.Command, _ []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		expiresIn, err := parseDuration(tokenExpireIn)
+		if err != nil {
+			return fmt.Errorf("parse expiration: %w", err)
+		}
+
+		generated, err := types.CreateNewProxyAccessToken(tokenName, expiresIn, nil, "CLI")
+		if err != nil {
+			return fmt.Errorf("generate token: %w", err)
+		}
+
+		if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
+			return fmt.Errorf("save token: %w", err)
+		}
+
+		fmt.Println("Token created successfully!")
+		fmt.Printf("Token: %s\n", generated.PlainToken)
+		fmt.Println()
+		fmt.Println("IMPORTANT: Save this token now. It will not be shown again.")
+		fmt.Printf("Token ID: %s\n", generated.ID)
+
+		return nil
+	})
+}
+
+func tokenListRun(cmd *cobra.Command, _ []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
+		if err != nil {
+			return fmt.Errorf("list tokens: %w", err)
+		}
+
+		if len(tokens) == 0 {
+			fmt.Println("No proxy access tokens found.")
+			return nil
+		}
+
+		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+		fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
+		fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
+
+		for _, t := range tokens {
+			expires := "never"
+			if t.ExpiresAt != nil {
+				expires = t.ExpiresAt.Format("2006-01-02")
+			}
+
+			lastUsed := "never"
+			if t.LastUsed != nil {
+				lastUsed = t.LastUsed.Format("2006-01-02 15:04")
+			}
+
+			revoked := "no"
+			if t.Revoked {
+				revoked = "yes"
+			}
+
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
+				t.ID,
+				t.Name,
+				t.CreatedAt.Format("2006-01-02"),
+				expires,
+				lastUsed,
+				revoked,
+			)
+		}
+
+		w.Flush()
+
+		return nil
+	})
+}
+
+func tokenRevokeRun(cmd *cobra.Command, args []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		tokenID := args[0]
+
+		if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
+			return fmt.Errorf("revoke token: %w", err)
+		}
+
+		fmt.Printf("Token %s revoked successfully.\n", tokenID)
+		return nil
+	})
+}
+
+// parseDuration parses a duration string with support for days (e.g., "30d", "365d").
+// An empty string returns zero duration (no expiration).
+func parseDuration(s string) (time.Duration, error) {
+	if len(s) == 0 {
+		return 0, nil
+	}
+
+	if s[len(s)-1] == 'd' {
+		d, err := strconv.Atoi(s[:len(s)-1])
+		if err != nil {
+			return 0, fmt.Errorf("invalid day format: %s", s)
+		}
+		if d <= 0 {
+			return 0, fmt.Errorf("duration must be positive: %s", s)
+		}
+		return time.Duration(d) * 24 * time.Hour, nil
+	}
+
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, err
+	}
+	if d <= 0 {
+		return 0, fmt.Errorf("duration must be positive: %s", s)
+	}
+	return d, nil
+}

management/cmd/token_test.go

@@ -0,0 +1,101 @@
+package cmd
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseDuration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected time.Duration
+		wantErr  bool
+	}{
+		{
+			name:     "empty string returns zero",
+			input:    "",
+			expected: 0,
+		},
+		{
+			name:     "days suffix",
+			input:    "30d",
+			expected: 30 * 24 * time.Hour,
+		},
+		{
+			name:     "one day",
+			input:    "1d",
+			expected: 24 * time.Hour,
+		},
+		{
+			name:     "365 days",
+			input:    "365d",
+			expected: 365 * 24 * time.Hour,
+		},
+		{
+			name:     "hours via Go duration",
+			input:    "24h",
+			expected: 24 * time.Hour,
+		},
+		{
+			name:     "minutes via Go duration",
+			input:    "30m",
+			expected: 30 * time.Minute,
+		},
+		{
+			name:     "complex Go duration",
+			input:    "1h30m",
+			expected: 90 * time.Minute,
+		},
+		{
+			name:    "invalid day format",
+			input:   "abcd",
+			wantErr: true,
+		},
+		{
+			name:    "negative days",
+			input:   "-1d",
+			wantErr: true,
+		},
+		{
+			name:    "zero days",
+			input:   "0d",
+			wantErr: true,
+		},
+		{
+			name:    "non-numeric days",
+			input:   "xyzd",
+			wantErr: true,
+		},
+		{
+			name:    "negative Go duration",
+			input:   "-24h",
+			wantErr: true,
+		},
+		{
+			name:    "zero Go duration",
+			input:   "0s",
+			wantErr: true,
+		},
+		{
+			name:    "invalid Go duration",
+			input:   "notaduration",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := parseDuration(tt.input)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

management/internals/controllers/network_map/controller/controller.go

@@ -174,6 +174,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	var wg sync.WaitGroup
 	semaphore := make(chan struct{}, 10)
 
+	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -247,7 +248,10 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
 			c.metrics.CountToSyncResponseDuration(time.Since(start))
 
-			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{Update: update})
+			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
+				Update:      update,
+				MessageType: network_map.MessageTypeNetworkMap,
+			})
 		}(peer)
 	}
 
@@ -323,6 +327,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return fmt.Errorf("failed to get validated peers: %v", err)
 	}
 
+	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -370,7 +375,10 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
 
 	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
-	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{Update: update})
+	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{
+		Update:      update,
+		MessageType: network_map.MessageTypeNetworkMap,
+	})
 
 	return nil
 }
@@ -435,6 +443,8 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		}
 	}
 
+	account.InjectProxyPolicies(ctx)
+
 	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
 		return nil, nil, nil, 0, err
@@ -778,6 +788,7 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 					},
 				},
 			},
+			MessageType: network_map.MessageTypeNetworkMap,
 		})
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
 
@@ -840,6 +851,7 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 	if c.experimentalNetworkMap(peer.AccountID) {
 		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
 	} else {
+		account.InjectProxyPolicies(ctx)
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
 		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers())

management/internals/controllers/network_map/update_channel/updatechannel_test.go

@@ -25,11 +25,14 @@ func TestCreateChannel(t *testing.T) {
 func TestSendUpdate(t *testing.T) {
 	peer := "test-sendupdate"
 	peersUpdater := NewPeersUpdateManager(nil)
-	update1 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
-		NetworkMap: &proto.NetworkMap{
-			Serial: 0,
+	update1 := &network_map.UpdateMessage{
+		Update: &proto.SyncResponse{
+			NetworkMap: &proto.NetworkMap{
+				Serial: 0,
+			},
 		},
-	}}
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
 	_ = peersUpdater.CreateChannel(context.Background(), peer)
 	if _, ok := peersUpdater.peerChannels[peer]; !ok {
 		t.Error("Error creating the channel")
@@ -45,11 +48,14 @@ func TestSendUpdate(t *testing.T) {
 		peersUpdater.SendUpdate(context.Background(), peer, update1)
 	}
 
-	update2 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
-		NetworkMap: &proto.NetworkMap{
-			Serial: 10,
+	update2 := &network_map.UpdateMessage{
+		Update: &proto.SyncResponse{
+			NetworkMap: &proto.NetworkMap{
+				Serial: 10,
+			},
 		},
-	}}
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
 
 	peersUpdater.SendUpdate(context.Background(), peer, update2)
 	timeout := time.After(5 * time.Second)

management/internals/controllers/network_map/update_message.go

@@ -4,6 +4,19 @@ import (
 	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
+// MessageType indicates the type of update message for debouncing strategy
+type MessageType int
+
+const (
+	// MessageTypeNetworkMap represents network map updates (peers, routes, DNS, firewall)
+	// These updates can be safely debounced - only the latest state matters
+	MessageTypeNetworkMap MessageType = iota
+	// MessageTypeControlConfig represents control/config updates (tokens, peer expiration)
+	// These updates should not be dropped as they contain time-sensitive information
+	MessageTypeControlConfig
+)
+
 type UpdateMessage struct {
-	Update *proto.SyncResponse
+	Update      *proto.SyncResponse
+	MessageType MessageType
 }

management/internals/modules/peers/manager.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
@@ -32,6 +33,7 @@ type Manager interface {
 	SetIntegratedPeerValidator(integratedPeerValidator integrated_validator.IntegratedValidator)
 	SetAccountManager(accountManager account.Manager)
 	GetPeerID(ctx context.Context, peerKey string) (string, error)
+	CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error
 }
 
 type managerImpl struct {
@@ -182,3 +184,36 @@ func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs
 func (m *managerImpl) GetPeerID(ctx context.Context, peerKey string) (string, error) {
 	return m.store.GetPeerIDByKey(ctx, store.LockingStrengthNone, peerKey)
 }
+
+func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
+	existingPeerID, err := m.store.GetPeerIDByKey(ctx, store.LockingStrengthNone, peerKey)
+	if err == nil && existingPeerID != "" {
+		// Peer already exists
+		return nil
+	}
+
+	name := fmt.Sprintf("proxy-%s", xid.New().String())
+	peer := &peer.Peer{
+		Ephemeral: true,
+		ProxyMeta: peer.ProxyMeta{
+			Cluster:  cluster,
+			Embedded: true,
+		},
+		Name:                        name,
+		Key:                         peerKey,
+		LoginExpirationEnabled:      false,
+		InactivityExpirationEnabled: false,
+		Meta: peer.PeerSystemMeta{
+			Hostname: name,
+			GoOS:     "proxy",
+			OS:       "proxy",
+		},
+	}
+
+	_, _, _, err = m.accountManager.AddPeer(ctx, accountID, "", "", peer, false)
+	if err != nil {
+		return fmt.Errorf("failed to create proxy peer: %w", err)
+	}
+
+	return nil
+}

management/internals/modules/reverseproxy/accesslogs/accesslogentry.go

@@ -0,0 +1,105 @@
+package accesslogs
+
+import (
+	"net"
+	"net/netip"
+	"time"
+
+	"github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type AccessLogEntry struct {
+	ID             string        `gorm:"primaryKey"`
+	AccountID      string        `gorm:"index"`
+	ProxyID        string        `gorm:"index"`
+	Timestamp      time.Time     `gorm:"index"`
+	GeoLocation    peer.Location `gorm:"embedded;embeddedPrefix:location_"`
+	Method         string        `gorm:"index"`
+	Host           string        `gorm:"index"`
+	Path           string        `gorm:"index"`
+	Duration       time.Duration `gorm:"index"`
+	StatusCode     int           `gorm:"index"`
+	Reason         string
+	UserId         string `gorm:"index"`
+	AuthMethodUsed string `gorm:"index"`
+}
+
+// FromProto creates an AccessLogEntry from a proto.AccessLog
+func (a *AccessLogEntry) FromProto(proxyLog *proto.AccessLog) {
+	a.ID = proxyLog.GetLogId()
+	a.ProxyID = proxyLog.GetServiceId()
+	a.Timestamp = proxyLog.GetTimestamp().AsTime()
+	a.Method = proxyLog.GetMethod()
+	a.Host = proxyLog.GetHost()
+	a.Path = proxyLog.GetPath()
+	a.Duration = time.Duration(proxyLog.GetDurationMs()) * time.Millisecond
+	a.StatusCode = int(proxyLog.GetResponseCode())
+	a.UserId = proxyLog.GetUserId()
+	a.AuthMethodUsed = proxyLog.GetAuthMechanism()
+	a.AccountID = proxyLog.GetAccountId()
+
+	if sourceIP := proxyLog.GetSourceIp(); sourceIP != "" {
+		if ip, err := netip.ParseAddr(sourceIP); err == nil {
+			a.GeoLocation.ConnectionIP = net.IP(ip.AsSlice())
+		}
+	}
+
+	if !proxyLog.GetAuthSuccess() {
+		a.Reason = "Authentication failed"
+	} else if proxyLog.GetResponseCode() >= 400 {
+		a.Reason = "Request failed"
+	}
+}
+
+// ToAPIResponse converts an AccessLogEntry to the API ProxyAccessLog type
+func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog {
+	var sourceIP *string
+	if a.GeoLocation.ConnectionIP != nil {
+		ip := a.GeoLocation.ConnectionIP.String()
+		sourceIP = &ip
+	}
+
+	var reason *string
+	if a.Reason != "" {
+		reason = &a.Reason
+	}
+
+	var userID *string
+	if a.UserId != "" {
+		userID = &a.UserId
+	}
+
+	var authMethod *string
+	if a.AuthMethodUsed != "" {
+		authMethod = &a.AuthMethodUsed
+	}
+
+	var countryCode *string
+	if a.GeoLocation.CountryCode != "" {
+		countryCode = &a.GeoLocation.CountryCode
+	}
+
+	var cityName *string
+	if a.GeoLocation.CityName != "" {
+		cityName = &a.GeoLocation.CityName
+	}
+
+	return &api.ProxyAccessLog{
+		Id:             a.ID,
+		ProxyId:        a.ProxyID,
+		Timestamp:      a.Timestamp,
+		Method:         a.Method,
+		Host:           a.Host,
+		Path:           a.Path,
+		DurationMs:     int(a.Duration.Milliseconds()),
+		StatusCode:     a.StatusCode,
+		SourceIp:       sourceIP,
+		Reason:         reason,
+		UserId:         userID,
+		AuthMethodUsed: authMethod,
+		CountryCode:    countryCode,
+		CityName:       cityName,
+	}
+}

management/internals/modules/reverseproxy/accesslogs/filter.go

@@ -0,0 +1,124 @@
+package accesslogs
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+)
+
+const (
+	// DefaultPageSize is the default number of records per page
+	DefaultPageSize = 50
+	// MaxPageSize is the maximum number of records allowed per page
+	MaxPageSize = 100
+)
+
+// AccessLogFilter holds pagination and filtering parameters for access logs
+type AccessLogFilter struct {
+	// Page is the current page number (1-indexed)
+	Page int
+	// PageSize is the number of records per page
+	PageSize int
+
+	// Filtering parameters
+	Search     *string    // General search across host, path, source IP, and user fields
+	SourceIP   *string    // Filter by source IP address
+	Host       *string    // Filter by host header
+	Path       *string    // Filter by request path (supports LIKE pattern)
+	UserID     *string    // Filter by authenticated user ID
+	UserEmail  *string    // Filter by user email (requires user lookup)
+	UserName   *string    // Filter by user name (requires user lookup)
+	Method     *string    // Filter by HTTP method
+	Status     *string    // Filter by status: "success" (2xx/3xx) or "failed" (1xx/4xx/5xx)
+	StatusCode *int       // Filter by HTTP status code
+	StartDate  *time.Time // Filter by timestamp >= start_date
+	EndDate    *time.Time // Filter by timestamp <= end_date
+}
+
+// ParseFromRequest parses pagination and filter parameters from HTTP request query parameters
+func (f *AccessLogFilter) ParseFromRequest(r *http.Request) {
+	queryParams := r.URL.Query()
+
+	f.Page = 1
+	if pageStr := queryParams.Get("page"); pageStr != "" {
+		if page, err := strconv.Atoi(pageStr); err == nil && page > 0 {
+			f.Page = page
+		}
+	}
+
+	f.PageSize = DefaultPageSize
+	if pageSizeStr := queryParams.Get("page_size"); pageSizeStr != "" {
+		if pageSize, err := strconv.Atoi(pageSizeStr); err == nil && pageSize > 0 {
+			f.PageSize = pageSize
+			if f.PageSize > MaxPageSize {
+				f.PageSize = MaxPageSize
+			}
+		}
+	}
+
+	if search := queryParams.Get("search"); search != "" {
+		f.Search = &search
+	}
+
+	if sourceIP := queryParams.Get("source_ip"); sourceIP != "" {
+		f.SourceIP = &sourceIP
+	}
+
+	if host := queryParams.Get("host"); host != "" {
+		f.Host = &host
+	}
+
+	if path := queryParams.Get("path"); path != "" {
+		f.Path = &path
+	}
+
+	if userID := queryParams.Get("user_id"); userID != "" {
+		f.UserID = &userID
+	}
+
+	if userEmail := queryParams.Get("user_email"); userEmail != "" {
+		f.UserEmail = &userEmail
+	}
+
+	if userName := queryParams.Get("user_name"); userName != "" {
+		f.UserName = &userName
+	}
+
+	if method := queryParams.Get("method"); method != "" {
+		f.Method = &method
+	}
+
+	if status := queryParams.Get("status"); status != "" {
+		f.Status = &status
+	}
+
+	if statusCodeStr := queryParams.Get("status_code"); statusCodeStr != "" {
+		if statusCode, err := strconv.Atoi(statusCodeStr); err == nil && statusCode > 0 {
+			f.StatusCode = &statusCode
+		}
+	}
+
+	if startDate := queryParams.Get("start_date"); startDate != "" {
+		parsedStartDate, err := time.Parse(time.RFC3339, startDate)
+		if err == nil {
+			f.StartDate = &parsedStartDate
+		}
+	}
+
+	if endDate := queryParams.Get("end_date"); endDate != "" {
+		parsedEndDate, err := time.Parse(time.RFC3339, endDate)
+		if err == nil {
+			f.EndDate = &parsedEndDate
+		}
+	}
+}
+
+// GetOffset calculates the database offset for pagination
+func (f *AccessLogFilter) GetOffset() int {
+	return (f.Page - 1) * f.PageSize
+}
+
+// GetLimit returns the page size for database queries
+func (f *AccessLogFilter) GetLimit() int {
+	return f.PageSize
+}

management/internals/modules/reverseproxy/accesslogs/filter_test.go

@@ -0,0 +1,161 @@
+package accesslogs
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAccessLogFilter_ParseFromRequest(t *testing.T) {
+	tests := []struct {
+		name             string
+		queryParams      map[string]string
+		expectedPage     int
+		expectedPageSize int
+	}{
+		{
+			name:             "default values when no params provided",
+			queryParams:      map[string]string{},
+			expectedPage:     1,
+			expectedPageSize: DefaultPageSize,
+		},
+		{
+			name: "valid page and page_size",
+			queryParams: map[string]string{
+				"page":      "2",
+				"page_size": "25",
+			},
+			expectedPage:     2,
+			expectedPageSize: 25,
+		},
+		{
+			name: "page_size exceeds max, should cap at MaxPageSize",
+			queryParams: map[string]string{
+				"page":      "1",
+				"page_size": "200",
+			},
+			expectedPage:     1,
+			expectedPageSize: MaxPageSize,
+		},
+		{
+			name: "invalid page number, should use default",
+			queryParams: map[string]string{
+				"page":      "invalid",
+				"page_size": "10",
+			},
+			expectedPage:     1,
+			expectedPageSize: 10,
+		},
+		{
+			name: "invalid page_size, should use default",
+			queryParams: map[string]string{
+				"page":      "2",
+				"page_size": "invalid",
+			},
+			expectedPage:     2,
+			expectedPageSize: DefaultPageSize,
+		},
+		{
+			name: "zero page number, should use default",
+			queryParams: map[string]string{
+				"page":      "0",
+				"page_size": "10",
+			},
+			expectedPage:     1,
+			expectedPageSize: 10,
+		},
+		{
+			name: "negative page number, should use default",
+			queryParams: map[string]string{
+				"page":      "-1",
+				"page_size": "10",
+			},
+			expectedPage:     1,
+			expectedPageSize: 10,
+		},
+		{
+			name: "zero page_size, should use default",
+			queryParams: map[string]string{
+				"page":      "1",
+				"page_size": "0",
+			},
+			expectedPage:     1,
+			expectedPageSize: DefaultPageSize,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/test", nil)
+			q := req.URL.Query()
+			for key, value := range tt.queryParams {
+				q.Set(key, value)
+			}
+			req.URL.RawQuery = q.Encode()
+
+			filter := &AccessLogFilter{}
+			filter.ParseFromRequest(req)
+
+			assert.Equal(t, tt.expectedPage, filter.Page, "Page mismatch")
+			assert.Equal(t, tt.expectedPageSize, filter.PageSize, "PageSize mismatch")
+		})
+	}
+}
+
+func TestAccessLogFilter_GetOffset(t *testing.T) {
+	tests := []struct {
+		name           string
+		page           int
+		pageSize       int
+		expectedOffset int
+	}{
+		{
+			name:           "first page",
+			page:           1,
+			pageSize:       50,
+			expectedOffset: 0,
+		},
+		{
+			name:           "second page",
+			page:           2,
+			pageSize:       50,
+			expectedOffset: 50,
+		},
+		{
+			name:           "third page with page size 25",
+			page:           3,
+			pageSize:       25,
+			expectedOffset: 50,
+		},
+		{
+			name:           "page 10 with page size 10",
+			page:           10,
+			pageSize:       10,
+			expectedOffset: 90,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			filter := &AccessLogFilter{
+				Page:     tt.page,
+				PageSize: tt.pageSize,
+			}
+
+			offset := filter.GetOffset()
+			assert.Equal(t, tt.expectedOffset, offset)
+		})
+	}
+}
+
+func TestAccessLogFilter_GetLimit(t *testing.T) {
+	filter := &AccessLogFilter{
+		Page:     2,
+		PageSize: 25,
+	}
+
+	limit := filter.GetLimit()
+	assert.Equal(t, 25, limit, "GetLimit should return PageSize")
+}

management/internals/modules/reverseproxy/accesslogs/interface.go

@@ -0,0 +1,10 @@
+package accesslogs
+
+import (
+	"context"
+)
+
+type Manager interface {
+	SaveAccessLog(ctx context.Context, proxyLog *AccessLogEntry) error
+	GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *AccessLogFilter) ([]*AccessLogEntry, int64, error)
+}

management/internals/modules/reverseproxy/accesslogs/manager/api.go

@@ -0,0 +1,64 @@
+package manager
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/http/util"
+)
+
+type handler struct {
+	manager accesslogs.Manager
+}
+
+func RegisterEndpoints(router *mux.Router, manager accesslogs.Manager) {
+	h := &handler{
+		manager: manager,
+	}
+
+	router.HandleFunc("/events/proxy", h.getAccessLogs).Methods("GET", "OPTIONS")
+}
+
+func (h *handler) getAccessLogs(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	var filter accesslogs.AccessLogFilter
+	filter.ParseFromRequest(r)
+
+	logs, totalCount, err := h.manager.GetAllAccessLogs(r.Context(), userAuth.AccountId, userAuth.UserId, &filter)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	apiLogs := make([]api.ProxyAccessLog, 0, len(logs))
+	for _, log := range logs {
+		apiLogs = append(apiLogs, *log.ToAPIResponse())
+	}
+
+	response := &api.ProxyAccessLogsResponse{
+		Data:         apiLogs,
+		Page:         filter.Page,
+		PageSize:     filter.PageSize,
+		TotalRecords: int(totalCount),
+		TotalPages:   getTotalPageCount(int(totalCount), filter.PageSize),
+	}
+
+	util.WriteJSONObject(r.Context(), w, response)
+}
+
+// getTotalPageCount calculates the total number of pages
+func getTotalPageCount(totalCount, pageSize int) int {
+	if pageSize <= 0 {
+		return 0
+	}
+	return (totalCount + pageSize - 1) / pageSize
+}

management/internals/modules/reverseproxy/accesslogs/manager/manager.go

@@ -0,0 +1,108 @@
+package manager
+
+import (
+	"context"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/server/geolocation"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+type managerImpl struct {
+	store              store.Store
+	permissionsManager permissions.Manager
+	geo                geolocation.Geolocation
+}
+
+func NewManager(store store.Store, permissionsManager permissions.Manager, geo geolocation.Geolocation) accesslogs.Manager {
+	return &managerImpl{
+		store:              store,
+		permissionsManager: permissionsManager,
+		geo:                geo,
+	}
+}
+
+// SaveAccessLog saves an access log entry to the database after enriching it
+func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.AccessLogEntry) error {
+	if m.geo != nil && logEntry.GeoLocation.ConnectionIP != nil {
+		location, err := m.geo.Lookup(logEntry.GeoLocation.ConnectionIP)
+		if err != nil {
+			log.WithContext(ctx).Warnf("failed to get location for access log source IP [%s]: %v", logEntry.GeoLocation.ConnectionIP.String(), err)
+		} else {
+			logEntry.GeoLocation.CountryCode = location.Country.ISOCode
+			logEntry.GeoLocation.CityName = location.City.Names.En
+			logEntry.GeoLocation.GeoNameID = location.City.GeonameID
+		}
+	}
+
+	if err := m.store.CreateAccessLog(ctx, logEntry); err != nil {
+		log.WithContext(ctx).WithFields(log.Fields{
+			"proxy_id": logEntry.ProxyID,
+			"method":   logEntry.Method,
+			"host":     logEntry.Host,
+			"path":     logEntry.Path,
+			"status":   logEntry.StatusCode,
+		}).Errorf("failed to save access log: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+// GetAllAccessLogs retrieves access logs for an account with pagination and filtering
+func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, 0, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, 0, status.NewPermissionDeniedError()
+	}
+
+	if err := m.resolveUserFilters(ctx, accountID, filter); err != nil {
+		log.WithContext(ctx).Warnf("failed to resolve user filters: %v", err)
+	}
+
+	logs, totalCount, err := m.store.GetAccountAccessLogs(ctx, store.LockingStrengthNone, accountID, *filter)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return logs, totalCount, nil
+}
+
+// resolveUserFilters converts user email/name filters to user ID filter
+func (m *managerImpl) resolveUserFilters(ctx context.Context, accountID string, filter *accesslogs.AccessLogFilter) error {
+	if filter.UserEmail == nil && filter.UserName == nil {
+		return nil
+	}
+
+	users, err := m.store.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return err
+	}
+
+	var matchingUserIDs []string
+	for _, user := range users {
+		if filter.UserEmail != nil && strings.Contains(strings.ToLower(user.Email), strings.ToLower(*filter.UserEmail)) {
+			matchingUserIDs = append(matchingUserIDs, user.Id)
+			continue
+		}
+		if filter.UserName != nil && strings.Contains(strings.ToLower(user.Name), strings.ToLower(*filter.UserName)) {
+			matchingUserIDs = append(matchingUserIDs, user.Id)
+		}
+	}
+
+	if len(matchingUserIDs) > 0 {
+		filter.UserID = &matchingUserIDs[0]
+	}
+
+	return nil
+}

management/internals/modules/reverseproxy/domain/api.go

@@ -0,0 +1,134 @@
+package domain
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/gorilla/mux"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/http/util"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+type handler struct {
+	manager Manager
+}
+
+func RegisterEndpoints(router *mux.Router, manager Manager) {
+	h := &handler{
+		manager: manager,
+	}
+
+	router.HandleFunc("/domains", h.getAllDomains).Methods("GET", "OPTIONS")
+	router.HandleFunc("/domains", h.createCustomDomain).Methods("POST", "OPTIONS")
+	router.HandleFunc("/domains/{domainId}", h.deleteCustomDomain).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/domains/{domainId}/validate", h.triggerCustomDomainValidation).Methods("GET", "OPTIONS")
+}
+
+func domainTypeToApi(t domainType) api.ReverseProxyDomainType {
+	switch t {
+	case TypeCustom:
+		return api.ReverseProxyDomainTypeCustom
+	case TypeFree:
+		return api.ReverseProxyDomainTypeFree
+	}
+	// By default return as a "free" domain as that is more restrictive.
+	// TODO: is this correct?
+	return api.ReverseProxyDomainTypeFree
+}
+
+func domainToApi(d *Domain) api.ReverseProxyDomain {
+	resp := api.ReverseProxyDomain{
+		Domain:    d.Domain,
+		Id:        d.ID,
+		Type:      domainTypeToApi(d.Type),
+		Validated: d.Validated,
+	}
+	if d.TargetCluster != "" {
+		resp.TargetCluster = &d.TargetCluster
+	}
+	return resp
+}
+
+func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	ret := make([]api.ReverseProxyDomain, 0)
+	for _, d := range domains {
+		ret = append(ret, domainToApi(d))
+	}
+
+	util.WriteJSONObject(r.Context(), w, ret)
+}
+
+func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	var req api.PostApiReverseProxiesDomainsJSONRequestBody
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
+		return
+	}
+
+	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, req.Domain, req.TargetCluster)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	util.WriteJSONObject(r.Context(), w, domainToApi(domain))
+}
+
+func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	domainID := mux.Vars(r)["domainId"]
+	if domainID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "domain ID is required"), w)
+		return
+	}
+
+	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, domainID); err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	domainID := mux.Vars(r)["domainId"]
+	if domainID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "domain ID is required"), w)
+		return
+	}
+
+	go h.manager.ValidateDomain(userAuth.AccountId, domainID)
+
+	w.WriteHeader(http.StatusAccepted)
+}

management/internals/modules/reverseproxy/domain/manager.go

@@ -0,0 +1,262 @@
+package domain
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+
+	"github.com/netbirdio/netbird/management/server/types"
+	log "github.com/sirupsen/logrus"
+)
+
+type domainType string
+
+const (
+	TypeFree   domainType = "free"
+	TypeCustom domainType = "custom"
+)
+
+type Domain struct {
+	ID            string     `gorm:"unique;primaryKey;autoIncrement"`
+	Domain        string     `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
+	AccountID     string     `gorm:"index"`
+	TargetCluster string     // The proxy cluster this domain should be validated against
+	Type          domainType `gorm:"-"`
+	Validated     bool
+}
+
+type store interface {
+	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
+
+	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*Domain, error)
+	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
+	ListCustomDomains(ctx context.Context, accountID string) ([]*Domain, error)
+	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*Domain, error)
+	UpdateCustomDomain(ctx context.Context, accountID string, d *Domain) (*Domain, error)
+	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
+}
+
+type proxyURLProvider interface {
+	GetConnectedProxyURLs() []string
+}
+
+type Manager struct {
+	store            store
+	validator        Validator
+	proxyURLProvider proxyURLProvider
+}
+
+func NewManager(store store, proxyURLProvider proxyURLProvider) Manager {
+	return Manager{
+		store:            store,
+		proxyURLProvider: proxyURLProvider,
+		validator: Validator{
+			resolver: net.DefaultResolver,
+		},
+	}
+}
+
+func (m Manager) GetDomains(ctx context.Context, accountID string) ([]*Domain, error) {
+	domains, err := m.store.ListCustomDomains(ctx, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("list custom domains: %w", err)
+	}
+
+	var ret []*Domain
+
+	// Add connected proxy clusters as free domains.
+	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
+	allowList := m.proxyURLAllowList()
+	log.WithFields(log.Fields{
+		"accountID":      accountID,
+		"proxyAllowList": allowList,
+	}).Debug("getting domains with proxy allow list")
+
+	for _, cluster := range allowList {
+		ret = append(ret, &Domain{
+			Domain:    cluster,
+			AccountID: accountID,
+			Type:      TypeFree,
+			Validated: true,
+		})
+	}
+
+	// Add custom domains.
+	for _, domain := range domains {
+		ret = append(ret, &Domain{
+			ID:            domain.ID,
+			Domain:        domain.Domain,
+			AccountID:     accountID,
+			TargetCluster: domain.TargetCluster,
+			Type:          TypeCustom,
+			Validated:     domain.Validated,
+		})
+	}
+
+	return ret, nil
+}
+
+func (m Manager) CreateDomain(ctx context.Context, accountID, domainName, targetCluster string) (*Domain, error) {
+
+	// Verify the target cluster is in the available clusters
+	allowList := m.proxyURLAllowList()
+	clusterValid := false
+	for _, cluster := range allowList {
+		if cluster == targetCluster {
+			clusterValid = true
+			break
+		}
+	}
+	if !clusterValid {
+		return nil, fmt.Errorf("target cluster %s is not available", targetCluster)
+	}
+
+	// Attempt an initial validation against the specified cluster only
+	var validated bool
+	if m.validator.IsValid(ctx, domainName, []string{targetCluster}) {
+		validated = true
+	}
+
+	d, err := m.store.CreateCustomDomain(ctx, accountID, domainName, targetCluster, validated)
+	if err != nil {
+		return d, fmt.Errorf("create domain in store: %w", err)
+	}
+	return d, nil
+}
+
+func (m Manager) DeleteDomain(ctx context.Context, accountID, domainID string) error {
+	if err := m.store.DeleteCustomDomain(ctx, accountID, domainID); err != nil {
+		// TODO: check for "no records" type error. Because that is a success condition.
+		return fmt.Errorf("delete domain from store: %w", err)
+	}
+	return nil
+}
+
+func (m Manager) ValidateDomain(accountID, domainID string) {
+	log.WithFields(log.Fields{
+		"accountID": accountID,
+		"domainID":  domainID,
+	}).Info("starting domain validation")
+
+	d, err := m.store.GetCustomDomain(context.Background(), accountID, domainID)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+		}).WithError(err).Error("get custom domain from store")
+		return
+	}
+
+	// Validate only against the domain's target cluster
+	targetCluster := d.TargetCluster
+	if targetCluster == "" {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+			"domain":    d.Domain,
+		}).Warn("domain has no target cluster set, skipping validation")
+		return
+	}
+
+	log.WithFields(log.Fields{
+		"accountID":     accountID,
+		"domainID":      domainID,
+		"domain":        d.Domain,
+		"targetCluster": targetCluster,
+	}).Info("validating domain against target cluster")
+
+	if m.validator.IsValid(context.Background(), d.Domain, []string{targetCluster}) {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+			"domain":    d.Domain,
+		}).Info("domain validated successfully")
+		d.Validated = true
+		if _, err := m.store.UpdateCustomDomain(context.Background(), accountID, d); err != nil {
+			log.WithFields(log.Fields{
+				"accountID": accountID,
+				"domainID":  domainID,
+				"domain":    d.Domain,
+			}).WithError(err).Error("update custom domain in store")
+			return
+		}
+	} else {
+		log.WithFields(log.Fields{
+			"accountID":     accountID,
+			"domainID":      domainID,
+			"domain":        d.Domain,
+			"targetCluster": targetCluster,
+		}).Warn("domain validation failed - CNAME does not match target cluster")
+	}
+}
+
+// proxyURLAllowList retrieves a list of currently connected proxies and
+// their URLs (as reported by the proxy servers). It performs some clean
+// up on those URLs to attempt to retrieve domain names as we would
+// expect to see them in a validation check.
+func (m Manager) proxyURLAllowList() []string {
+	var reverseProxyAddresses []string
+	if m.proxyURLProvider != nil {
+		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
+	}
+	var allowedProxyURLs []string
+	for _, addr := range reverseProxyAddresses {
+		if addr == "" {
+			continue
+		}
+		host := extractHostFromAddress(addr)
+		if host != "" {
+			allowedProxyURLs = append(allowedProxyURLs, host)
+		}
+	}
+	return allowedProxyURLs
+}
+
+// extractHostFromAddress extracts the hostname from an address string.
+// It handles both URL format (https://host:port) and plain hostname (host or host:port).
+func extractHostFromAddress(addr string) string {
+	// If it looks like a URL with a scheme, parse it
+	if strings.Contains(addr, "://") {
+		proxyUrl, err := url.Parse(addr)
+		if err != nil {
+			log.WithError(err).Debugf("failed to parse proxy URL %s", addr)
+			return ""
+		}
+		host, _, err := net.SplitHostPort(proxyUrl.Host)
+		if err != nil {
+			return proxyUrl.Host
+		}
+		return host
+	}
+
+	// Otherwise treat as hostname or host:port
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		// No port, use as-is
+		return addr
+	}
+	return host
+}
+
+// DeriveClusterFromDomain determines the proxy cluster for a given domain.
+// For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
+// For custom domains, the cluster is determined by looking up the CNAME target.
+func (m Manager) DeriveClusterFromDomain(ctx context.Context, domain string) (string, error) {
+	allowList := m.proxyURLAllowList()
+	if len(allowList) == 0 {
+		return "", fmt.Errorf("no proxy clusters available")
+	}
+
+	if cluster, ok := ExtractClusterFromFreeDomain(domain, allowList); ok {
+		return cluster, nil
+	}
+
+	cluster, valid := m.validator.ValidateWithCluster(ctx, domain, allowList)
+	if valid {
+		return cluster, nil
+	}
+
+	return "", fmt.Errorf("domain %s does not match any available proxy cluster", domain)
+}

management/internals/modules/reverseproxy/domain/validator.go

@@ -0,0 +1,100 @@
+package domain
+
+import (
+	"context"
+	"net"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type resolver interface {
+	LookupCNAME(context.Context, string) (string, error)
+}
+
+type Validator struct {
+	resolver resolver
+}
+
+// NewValidator initializes a validator with a specific DNS resolver.
+// If a Validator is used without specifying a resolver, then it will
+// use the net.DefaultResolver.
+func NewValidator(resolver resolver) *Validator {
+	return &Validator{
+		resolver: resolver,
+	}
+}
+
+// IsValid looks up the CNAME record for the passed domain with a prefix
+// and compares it against the acceptable domains.
+// If the returned CNAME matches any accepted domain, it will return true,
+// otherwise, including in the event of a DNS error, it will return false.
+// The comparison is very simple, so wildcards will not match if included
+// in the acceptable domain list.
+func (v *Validator) IsValid(ctx context.Context, domain string, accept []string) bool {
+	_, valid := v.ValidateWithCluster(ctx, domain, accept)
+	return valid
+}
+
+// ValidateWithCluster validates a custom domain and returns the matched cluster address.
+// Returns the cluster address and true if valid, or empty string and false if invalid.
+func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, accept []string) (string, bool) {
+	if v.resolver == nil {
+		v.resolver = net.DefaultResolver
+	}
+
+	lookupDomain := "validation." + domain
+	log.WithFields(log.Fields{
+		"domain":       domain,
+		"lookupDomain": lookupDomain,
+		"acceptList":   accept,
+	}).Debug("looking up CNAME for domain validation")
+
+	cname, err := v.resolver.LookupCNAME(ctx, lookupDomain)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"domain":       domain,
+			"lookupDomain": lookupDomain,
+		}).WithError(err).Warn("CNAME lookup failed for domain validation")
+		return "", false
+	}
+
+	nakedCNAME := strings.TrimSuffix(cname, ".")
+	log.WithFields(log.Fields{
+		"domain":     domain,
+		"cname":      cname,
+		"nakedCNAME": nakedCNAME,
+		"acceptList": accept,
+	}).Debug("CNAME lookup result for domain validation")
+
+	for _, acceptDomain := range accept {
+		normalizedAccept := strings.TrimSuffix(acceptDomain, ".")
+		if nakedCNAME == normalizedAccept {
+			log.WithFields(log.Fields{
+				"domain":  domain,
+				"cname":   nakedCNAME,
+				"cluster": acceptDomain,
+			}).Info("domain CNAME matched cluster")
+			return acceptDomain, true
+		}
+	}
+
+	log.WithFields(log.Fields{
+		"domain":     domain,
+		"cname":      nakedCNAME,
+		"acceptList": accept,
+	}).Warn("domain CNAME does not match any accepted cluster")
+	return "", false
+}
+
+// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
+// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
+// It matches the domain suffix against available clusters and returns the matching cluster.
+func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
+	for _, cluster := range availableClusters {
+		if strings.HasSuffix(domain, "."+cluster) {
+			return cluster, true
+		}
+	}
+	return "", false
+}

management/internals/modules/reverseproxy/domain/validator_test.go

@@ -0,0 +1,56 @@
+package domain_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+)
+
+type resolver struct {
+	CNAME string
+}
+
+func (r resolver) LookupCNAME(_ context.Context, _ string) (string, error) {
+	return r.CNAME, nil
+}
+
+func TestIsValid(t *testing.T) {
+	tests := map[string]struct {
+		resolver interface {
+			LookupCNAME(context.Context, string) (string, error)
+		}
+		domain string
+		accept []string
+		expect bool
+	}{
+		"match": {
+			resolver: resolver{"bar.example.com."}, // Including trailing "." in response.
+			domain:   "foo.example.com",
+			accept:   []string{"bar.example.com"},
+			expect:   true,
+		},
+		"no match": {
+			resolver: resolver{"invalid"},
+			domain:   "foo.example.com",
+			accept:   []string{"bar.example.com"},
+			expect:   false,
+		},
+		"accept trailing dot": {
+			resolver: resolver{"bar.example.com."},
+			domain:   "foo.example.com",
+			accept:   []string{"bar.example.com."}, // Including trailing "." in accept.
+			expect:   true,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			validator := domain.NewValidator(test.resolver)
+			actual := validator.IsValid(t.Context(), test.domain, test.accept)
+			if test.expect != actual {
+				t.Errorf("Incorrect return value:\nexpect: %v\nactual: %v", test.expect, actual)
+			}
+		})
+	}
+}

management/internals/modules/reverseproxy/interface.go

@@ -0,0 +1,21 @@
+package reverseproxy
+
+import (
+	"context"
+)
+
+type Manager interface {
+	GetAllReverseProxies(ctx context.Context, accountID, userID string) ([]*ReverseProxy, error)
+	GetReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) (*ReverseProxy, error)
+	CreateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *ReverseProxy) (*ReverseProxy, error)
+	UpdateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *ReverseProxy) (*ReverseProxy, error)
+	DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error
+	SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error
+	SetStatus(ctx context.Context, accountID, reverseProxyID string, status ProxyStatus) error
+	ReloadAllReverseProxiesForAccount(ctx context.Context, accountID string) error
+	ReloadReverseProxy(ctx context.Context, accountID, reverseProxyID string) error
+	GetGlobalReverseProxies(ctx context.Context) ([]*ReverseProxy, error)
+	GetProxyByID(ctx context.Context, accountID, reverseProxyID string) (*ReverseProxy, error)
+	GetAccountReverseProxies(ctx context.Context, accountID string) ([]*ReverseProxy, error)
+	GetProxyIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error)
+}

management/internals/modules/reverseproxy/manager/api.go

@@ -0,0 +1,170 @@
+package manager
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/http/util"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+type handler struct {
+	manager reverseproxy.Manager
+}
+
+// RegisterEndpoints registers all reverse proxy HTTP endpoints.
+func RegisterEndpoints(manager reverseproxy.Manager, domainManager domain.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
+	h := &handler{
+		manager: manager,
+	}
+
+	domainRouter := router.PathPrefix("/reverse-proxies").Subrouter()
+	domain.RegisterEndpoints(domainRouter, domainManager)
+
+	accesslogsmanager.RegisterEndpoints(router, accessLogsManager)
+
+	router.HandleFunc("/reverse-proxies", h.getAllReverseProxies).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies", h.createReverseProxy).Methods("POST", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/{proxyId}", h.getReverseProxy).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/{proxyId}", h.updateReverseProxy).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/{proxyId}", h.deleteReverseProxy).Methods("DELETE", "OPTIONS")
+}
+
+func (h *handler) getAllReverseProxies(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	allReverseProxies, err := h.manager.GetAllReverseProxies(r.Context(), userAuth.AccountId, userAuth.UserId)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	apiReverseProxies := make([]*api.ReverseProxy, 0, len(allReverseProxies))
+	for _, reverseProxy := range allReverseProxies {
+		apiReverseProxies = append(apiReverseProxies, reverseProxy.ToAPIResponse())
+	}
+
+	util.WriteJSONObject(r.Context(), w, apiReverseProxies)
+}
+
+func (h *handler) createReverseProxy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	var req api.ReverseProxyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
+		return
+	}
+
+	reverseProxy := new(reverseproxy.ReverseProxy)
+	reverseProxy.FromAPIRequest(&req, userAuth.AccountId)
+
+	if err = reverseProxy.Validate(); err != nil {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
+		return
+	}
+
+	createdReverseProxy, err := h.manager.CreateReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxy)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	util.WriteJSONObject(r.Context(), w, createdReverseProxy.ToAPIResponse())
+}
+
+func (h *handler) getReverseProxy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	reverseProxyID := mux.Vars(r)["proxyId"]
+	if reverseProxyID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "reverse proxy ID is required"), w)
+		return
+	}
+
+	reverseProxy, err := h.manager.GetReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxyID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	util.WriteJSONObject(r.Context(), w, reverseProxy.ToAPIResponse())
+}
+
+func (h *handler) updateReverseProxy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	reverseProxyID := mux.Vars(r)["proxyId"]
+	if reverseProxyID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "reverse proxy ID is required"), w)
+		return
+	}
+
+	var req api.ReverseProxyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
+		return
+	}
+
+	reverseProxy := new(reverseproxy.ReverseProxy)
+	reverseProxy.ID = reverseProxyID
+	reverseProxy.FromAPIRequest(&req, userAuth.AccountId)
+
+	if err = reverseProxy.Validate(); err != nil {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
+		return
+	}
+
+	updatedReverseProxy, err := h.manager.UpdateReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxy)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	util.WriteJSONObject(r.Context(), w, updatedReverseProxy.ToAPIResponse())
+}
+
+func (h *handler) deleteReverseProxy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	reverseProxyID := mux.Vars(r)["proxyId"]
+	if reverseProxyID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "reverse proxy ID is required"), w)
+		return
+	}
+
+	if err := h.manager.DeleteReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxyID); err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
+}

management/internals/modules/reverseproxy/manager/manager.go

@@ -0,0 +1,508 @@
+package manager
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/account"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+const unknownHostPlaceholder = "unknown"
+
+// ClusterDeriver derives the proxy cluster from a domain.
+type ClusterDeriver interface {
+	DeriveClusterFromDomain(ctx context.Context, domain string) (string, error)
+}
+
+type managerImpl struct {
+	store              store.Store
+	accountManager     account.Manager
+	permissionsManager permissions.Manager
+	proxyGRPCServer    *nbgrpc.ProxyServiceServer
+	tokenStore         *nbgrpc.OneTimeTokenStore
+	clusterDeriver     ClusterDeriver
+}
+
+// NewManager creates a new reverse proxy manager.
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, tokenStore *nbgrpc.OneTimeTokenStore, clusterDeriver ClusterDeriver) reverseproxy.Manager {
+	return &managerImpl{
+		store:              store,
+		accountManager:     accountManager,
+		permissionsManager: permissionsManager,
+		proxyGRPCServer:    proxyGRPCServer,
+		tokenStore:         tokenStore,
+		clusterDeriver:     clusterDeriver,
+	}
+}
+
+func (m *managerImpl) GetAllReverseProxies(ctx context.Context, accountID, userID string) ([]*reverseproxy.ReverseProxy, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	proxies, err := m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, accountID, proxy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+	}
+
+	return proxies, nil
+}
+
+func (m *managerImpl) replaceHostByLookup(ctx context.Context, accountID string, proxy *reverseproxy.ReverseProxy) error {
+	for _, target := range proxy.Targets {
+		switch target.TargetType {
+		case reverseproxy.TargetTypePeer:
+			peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				log.WithContext(ctx).Warnf("failed to get peer by id %s for reverse proxy %s: %v", target.TargetId, proxy.ID, err)
+				target.Host = unknownHostPlaceholder
+				continue
+			}
+			target.Host = peer.IP.String()
+		case reverseproxy.TargetTypeHost:
+			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				log.WithContext(ctx).Warnf("failed to get resource by id %s for reverse proxy %s: %v", target.TargetId, proxy.ID, err)
+				target.Host = unknownHostPlaceholder
+				continue
+			}
+			target.Host = resource.Prefix.Addr().String()
+		case reverseproxy.TargetTypeDomain:
+			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				log.WithContext(ctx).Warnf("failed to get resource by id %s for reverse proxy %s: %v", target.TargetId, proxy.ID, err)
+				target.Host = unknownHostPlaceholder
+				continue
+			}
+			target.Host = resource.Domain
+		case reverseproxy.TargetTypeSubnet:
+			// For subnets we do not do any lookups on the resource
+		default:
+			return fmt.Errorf("unknown target type: %s", target.TargetType)
+		}
+	}
+	return nil
+}
+
+func (m *managerImpl) GetReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	proxy, err := m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxy: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, proxy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+	}
+	return proxy, nil
+}
+
+func (m *managerImpl) CreateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	var proxyCluster string
+	if m.clusterDeriver != nil {
+		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, reverseProxy.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxies", reverseProxy.Domain)
+		}
+	}
+
+	reverseProxy.AccountID = accountID
+	reverseProxy.ProxyCluster = proxyCluster
+	reverseProxy.InitNewRecord()
+	err = reverseProxy.Auth.HashSecrets()
+	if err != nil {
+		return nil, fmt.Errorf("hash secrets: %w", err)
+	}
+
+	// Generate session JWT signing keys
+	keyPair, err := sessionkey.GenerateKeyPair()
+	if err != nil {
+		return nil, fmt.Errorf("generate session keys: %w", err)
+	}
+	reverseProxy.SessionPrivateKey = keyPair.PrivateKey
+	reverseProxy.SessionPublicKey = keyPair.PublicKey
+
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		// Check for duplicate domain
+		existingReverseProxy, err := transaction.GetReverseProxyByDomain(ctx, accountID, reverseProxy.Domain)
+		if err != nil {
+			if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+				return fmt.Errorf("failed to check existing reverse proxy: %w", err)
+			}
+		}
+		if existingReverseProxy != nil {
+			return status.Errorf(status.AlreadyExists, "reverse proxy with domain %s already exists", reverseProxy.Domain)
+		}
+
+		if err = validateTargetReferences(ctx, transaction, accountID, reverseProxy.Targets); err != nil {
+			return err
+		}
+
+		if err = transaction.CreateReverseProxy(ctx, reverseProxy); err != nil {
+			return fmt.Errorf("failed to create reverse proxy: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	token, err := m.tokenStore.GenerateToken(accountID, reverseProxy.ID, 5*time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyCreated, reverseProxy.EventMeta())
+
+	err = m.replaceHostByLookup(ctx, accountID, reverseProxy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", reverseProxy.ID, err)
+	}
+
+	m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return reverseProxy, nil
+}
+
+func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	var oldCluster string
+	var domainChanged bool
+	var reverseProxyEnabledChanged bool
+
+	err = reverseProxy.Auth.HashSecrets()
+	if err != nil {
+		return nil, fmt.Errorf("hash secrets: %w", err)
+	}
+
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		existingReverseProxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxy.ID)
+		if err != nil {
+			return err
+		}
+
+		oldCluster = existingReverseProxy.ProxyCluster
+
+		if existingReverseProxy.Domain != reverseProxy.Domain {
+			domainChanged = true
+			conflictReverseProxy, err := transaction.GetReverseProxyByDomain(ctx, accountID, reverseProxy.Domain)
+			if err != nil {
+				if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+					return fmt.Errorf("check existing reverse proxy: %w", err)
+				}
+			}
+			if conflictReverseProxy != nil && conflictReverseProxy.ID != reverseProxy.ID {
+				return status.Errorf(status.AlreadyExists, "reverse proxy with domain %s already exists", reverseProxy.Domain)
+			}
+
+			if m.clusterDeriver != nil {
+				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, reverseProxy.Domain)
+				if err != nil {
+					log.WithError(err).Warnf("could not derive cluster from domain %s", reverseProxy.Domain)
+				}
+				reverseProxy.ProxyCluster = newCluster
+			}
+		} else {
+			reverseProxy.ProxyCluster = existingReverseProxy.ProxyCluster
+		}
+
+		if reverseProxy.Auth.PasswordAuth != nil && reverseProxy.Auth.PasswordAuth.Enabled &&
+			existingReverseProxy.Auth.PasswordAuth != nil && existingReverseProxy.Auth.PasswordAuth.Enabled &&
+			reverseProxy.Auth.PasswordAuth.Password == "" {
+			reverseProxy.Auth.PasswordAuth = existingReverseProxy.Auth.PasswordAuth
+		}
+
+		if reverseProxy.Auth.PinAuth != nil && reverseProxy.Auth.PinAuth.Enabled &&
+			existingReverseProxy.Auth.PinAuth != nil && existingReverseProxy.Auth.PinAuth.Enabled &&
+			reverseProxy.Auth.PinAuth.Pin == "" {
+			reverseProxy.Auth.PinAuth = existingReverseProxy.Auth.PinAuth
+		}
+
+		reverseProxy.Meta = existingReverseProxy.Meta
+		reverseProxy.SessionPrivateKey = existingReverseProxy.SessionPrivateKey
+		reverseProxy.SessionPublicKey = existingReverseProxy.SessionPublicKey
+		reverseProxyEnabledChanged = existingReverseProxy.Enabled != reverseProxy.Enabled
+
+		if err = validateTargetReferences(ctx, transaction, accountID, reverseProxy.Targets); err != nil {
+			return err
+		}
+
+		if err = transaction.UpdateReverseProxy(ctx, reverseProxy); err != nil {
+			return fmt.Errorf("update reverse proxy: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyUpdated, reverseProxy.EventMeta())
+
+	err = m.replaceHostByLookup(ctx, accountID, reverseProxy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", reverseProxy.ID, err)
+	}
+
+	token, err := m.tokenStore.GenerateToken(accountID, reverseProxy.ID, 5*time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
+	}
+
+	switch {
+	case domainChanged && oldCluster != reverseProxy.ProxyCluster:
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), oldCluster)
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+	case !reverseProxy.Enabled && reverseProxyEnabledChanged:
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+	case reverseProxy.Enabled && reverseProxyEnabledChanged:
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+	default:
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+
+	}
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return reverseProxy, nil
+}
+
+// validateTargetReferences checks that all target IDs reference existing peers or resources in the account.
+func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []*reverseproxy.Target) error {
+	for _, target := range targets {
+		switch target.TargetType {
+		case reverseproxy.TargetTypePeer:
+			if _, err := transaction.GetPeerByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
+				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
+					return status.Errorf(status.InvalidArgument, "peer target %q not found in account", target.TargetId)
+				}
+				return fmt.Errorf("look up peer target %q: %w", target.TargetId, err)
+			}
+		case reverseproxy.TargetTypeHost, reverseproxy.TargetTypeSubnet, reverseproxy.TargetTypeDomain:
+			if _, err := transaction.GetNetworkResourceByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
+				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
+					return status.Errorf(status.InvalidArgument, "resource target %q not found in account", target.TargetId)
+				}
+				return fmt.Errorf("look up resource target %q: %w", target.TargetId, err)
+			}
+		}
+	}
+	return nil
+}
+
+func (m *managerImpl) DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
+	var reverseProxy *reverseproxy.ReverseProxy
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		var err error
+		reverseProxy, err = transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
+		if err != nil {
+			return err
+		}
+
+		if err = transaction.DeleteReverseProxy(ctx, accountID, reverseProxyID); err != nil {
+			return fmt.Errorf("failed to delete reverse proxy: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, reverseProxyID, accountID, activity.ReverseProxyDeleted, reverseProxy.EventMeta())
+
+	m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+// SetCertificateIssuedAt sets the certificate issued timestamp to the current time.
+// Call this when receiving a gRPC notification that the certificate was issued.
+func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		proxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
+		if err != nil {
+			return fmt.Errorf("failed to get reverse proxy: %w", err)
+		}
+
+		proxy.Meta.CertificateIssuedAt = time.Now()
+
+		if err = transaction.UpdateReverseProxy(ctx, proxy); err != nil {
+			return fmt.Errorf("failed to update reverse proxy certificate timestamp: %w", err)
+		}
+
+		return nil
+	})
+}
+
+// SetStatus updates the status of the reverse proxy (e.g., "active", "tunnel_not_created", etc.)
+func (m *managerImpl) SetStatus(ctx context.Context, accountID, reverseProxyID string, status reverseproxy.ProxyStatus) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		proxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
+		if err != nil {
+			return fmt.Errorf("failed to get reverse proxy: %w", err)
+		}
+
+		proxy.Meta.Status = string(status)
+
+		if err = transaction.UpdateReverseProxy(ctx, proxy); err != nil {
+			return fmt.Errorf("failed to update reverse proxy status: %w", err)
+		}
+
+		return nil
+	})
+}
+
+func (m *managerImpl) ReloadReverseProxy(ctx context.Context, accountID, reverseProxyID string) error {
+	proxy, err := m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	if err != nil {
+		return fmt.Errorf("failed to get reverse proxy: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, proxy)
+	if err != nil {
+		return fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+	}
+
+	m.proxyGRPCServer.SendReverseProxyUpdateToCluster(proxy.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), proxy.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) ReloadAllReverseProxiesForAccount(ctx context.Context, accountID string) error {
+	proxies, err := m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, accountID, proxy)
+		if err != nil {
+			return fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(proxy.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), proxy.ProxyCluster)
+	}
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) GetGlobalReverseProxies(ctx context.Context) ([]*reverseproxy.ReverseProxy, error) {
+	proxies, err := m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, proxy.AccountID, proxy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+	}
+
+	return proxies, nil
+}
+
+func (m *managerImpl) GetProxyByID(ctx context.Context, accountID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
+	proxy, err := m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxy: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, proxy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+	}
+
+	return proxy, nil
+}
+
+func (m *managerImpl) GetAccountReverseProxies(ctx context.Context, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	proxies, err := m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, accountID, proxy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+	}
+
+	return proxies, nil
+}
+
+func (m *managerImpl) GetProxyIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error) {
+	target, err := m.store.GetReverseProxyTargetByTargetID(ctx, store.LockingStrengthNone, accountID, resourceID)
+	if err != nil {
+		return "", fmt.Errorf("failed to get reverse proxy target by resource ID: %w", err)
+	}
+
+	if target == nil {
+		return "", nil
+	}
+
+	return target.ReverseProxyID, nil
+}

management/internals/modules/reverseproxy/reverseproxy.go

@@ -0,0 +1,463 @@
+package reverseproxy
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/shared/hash/argon2id"
+	"github.com/netbirdio/netbird/util/crypt"
+
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type Operation string
+
+const (
+	Create Operation = "create"
+	Update Operation = "update"
+	Delete Operation = "delete"
+)
+
+type ProxyStatus string
+
+const (
+	StatusPending            ProxyStatus = "pending"
+	StatusActive             ProxyStatus = "active"
+	StatusTunnelNotCreated   ProxyStatus = "tunnel_not_created"
+	StatusCertificatePending ProxyStatus = "certificate_pending"
+	StatusCertificateFailed  ProxyStatus = "certificate_failed"
+	StatusError              ProxyStatus = "error"
+
+	TargetTypePeer   = "peer"
+	TargetTypeHost   = "host"
+	TargetTypeDomain = "domain"
+	TargetTypeSubnet = "subnet"
+)
+
+type Target struct {
+	ID             uint    `gorm:"primaryKey" json:"-"`
+	AccountID      string  `gorm:"index:idx_target_account;not null" json:"-"`
+	ReverseProxyID string  `gorm:"index:idx_reverse_proxy_targets;not null" json:"-"`
+	Path           *string `json:"path,omitempty"`
+	Host           string  `json:"host"` // the Host field is only used for subnet targets, otherwise ignored
+	Port           int     `gorm:"index:idx_target_port" json:"port"`
+	Protocol       string  `gorm:"index:idx_target_protocol" json:"protocol"`
+	TargetId       string  `gorm:"index:idx_target_id" json:"target_id"`
+	TargetType     string  `gorm:"index:idx_target_type" json:"target_type"`
+	Enabled        bool    `gorm:"index:idx_target_enabled" json:"enabled"`
+}
+
+type PasswordAuthConfig struct {
+	Enabled  bool   `json:"enabled"`
+	Password string `json:"password"`
+}
+
+type PINAuthConfig struct {
+	Enabled bool   `json:"enabled"`
+	Pin     string `json:"pin"`
+}
+
+type BearerAuthConfig struct {
+	Enabled            bool     `json:"enabled"`
+	DistributionGroups []string `json:"distribution_groups,omitempty" gorm:"serializer:json"`
+}
+
+type AuthConfig struct {
+	PasswordAuth *PasswordAuthConfig `json:"password_auth,omitempty" gorm:"serializer:json"`
+	PinAuth      *PINAuthConfig      `json:"pin_auth,omitempty" gorm:"serializer:json"`
+	BearerAuth   *BearerAuthConfig   `json:"bearer_auth,omitempty" gorm:"serializer:json"`
+}
+
+func (a *AuthConfig) HashSecrets() error {
+	if a.PasswordAuth != nil && a.PasswordAuth.Enabled && a.PasswordAuth.Password != "" {
+		hashedPassword, err := argon2id.Hash(a.PasswordAuth.Password)
+		if err != nil {
+			return fmt.Errorf("hash password: %w", err)
+		}
+		a.PasswordAuth.Password = hashedPassword
+	}
+
+	if a.PinAuth != nil && a.PinAuth.Enabled && a.PinAuth.Pin != "" {
+		hashedPin, err := argon2id.Hash(a.PinAuth.Pin)
+		if err != nil {
+			return fmt.Errorf("hash pin: %w", err)
+		}
+		a.PinAuth.Pin = hashedPin
+	}
+
+	return nil
+}
+
+func (a *AuthConfig) ClearSecrets() {
+	if a.PasswordAuth != nil {
+		a.PasswordAuth.Password = ""
+	}
+	if a.PinAuth != nil {
+		a.PinAuth.Pin = ""
+	}
+}
+
+type OIDCValidationConfig struct {
+	Issuer             string
+	Audiences          []string
+	KeysLocation       string
+	MaxTokenAgeSeconds int64
+}
+
+type ReverseProxyMeta struct {
+	CreatedAt           time.Time
+	CertificateIssuedAt time.Time
+	Status              string
+}
+
+type ReverseProxy struct {
+	ID                string `gorm:"primaryKey"`
+	AccountID         string `gorm:"index"`
+	Name              string
+	Domain            string    `gorm:"index"`
+	ProxyCluster      string    `gorm:"index"`
+	Targets           []*Target `gorm:"foreignKey:ReverseProxyID;constraint:OnDelete:CASCADE"`
+	Enabled           bool
+	PassHostHeader    bool
+	RewriteRedirects  bool
+	Auth              AuthConfig       `gorm:"serializer:json"`
+	Meta              ReverseProxyMeta `gorm:"embedded;embeddedPrefix:meta_"`
+	SessionPrivateKey string           `gorm:"column:session_private_key"`
+	SessionPublicKey  string           `gorm:"column:session_public_key"`
+}
+
+func NewReverseProxy(accountID, name, domain, proxyCluster string, targets []*Target, enabled bool) *ReverseProxy {
+	for _, target := range targets {
+		target.AccountID = accountID
+	}
+
+	rp := &ReverseProxy{
+		AccountID:    accountID,
+		Name:         name,
+		Domain:       domain,
+		ProxyCluster: proxyCluster,
+		Targets:      targets,
+		Enabled:      enabled,
+	}
+	rp.InitNewRecord()
+	return rp
+}
+
+// InitNewRecord generates a new unique ID and resets metadata for a newly created
+// ReverseProxy record. This overwrites any existing ID and Meta fields and should
+// only be called during initial creation, not for updates.
+func (r *ReverseProxy) InitNewRecord() {
+	r.ID = xid.New().String()
+	r.Meta = ReverseProxyMeta{
+		CreatedAt: time.Now(),
+		Status:    string(StatusPending),
+	}
+}
+
+func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
+	r.Auth.ClearSecrets()
+
+	authConfig := api.ReverseProxyAuthConfig{}
+
+	if r.Auth.PasswordAuth != nil {
+		authConfig.PasswordAuth = &api.PasswordAuthConfig{
+			Enabled:  r.Auth.PasswordAuth.Enabled,
+			Password: r.Auth.PasswordAuth.Password,
+		}
+	}
+
+	if r.Auth.PinAuth != nil {
+		authConfig.PinAuth = &api.PINAuthConfig{
+			Enabled: r.Auth.PinAuth.Enabled,
+			Pin:     r.Auth.PinAuth.Pin,
+		}
+	}
+
+	if r.Auth.BearerAuth != nil {
+		authConfig.BearerAuth = &api.BearerAuthConfig{
+			Enabled:            r.Auth.BearerAuth.Enabled,
+			DistributionGroups: &r.Auth.BearerAuth.DistributionGroups,
+		}
+	}
+
+	// Convert internal targets to API targets
+	apiTargets := make([]api.ReverseProxyTarget, 0, len(r.Targets))
+	for _, target := range r.Targets {
+		apiTargets = append(apiTargets, api.ReverseProxyTarget{
+			Path:       target.Path,
+			Host:       &target.Host,
+			Port:       target.Port,
+			Protocol:   api.ReverseProxyTargetProtocol(target.Protocol),
+			TargetId:   target.TargetId,
+			TargetType: api.ReverseProxyTargetTargetType(target.TargetType),
+			Enabled:    target.Enabled,
+		})
+	}
+
+	meta := api.ReverseProxyMeta{
+		CreatedAt: r.Meta.CreatedAt,
+		Status:    api.ReverseProxyMetaStatus(r.Meta.Status),
+	}
+
+	if !r.Meta.CertificateIssuedAt.IsZero() {
+		meta.CertificateIssuedAt = &r.Meta.CertificateIssuedAt
+	}
+
+	resp := &api.ReverseProxy{
+		Id:               r.ID,
+		Name:             r.Name,
+		Domain:           r.Domain,
+		Targets:          apiTargets,
+		Enabled:          r.Enabled,
+		PassHostHeader:   &r.PassHostHeader,
+		RewriteRedirects: &r.RewriteRedirects,
+		Auth:             authConfig,
+		Meta:             meta,
+	}
+
+	if r.ProxyCluster != "" {
+		resp.ProxyCluster = &r.ProxyCluster
+	}
+
+	return resp
+}
+
+func (r *ReverseProxy) ToProtoMapping(operation Operation, authToken string, oidcConfig OIDCValidationConfig) *proto.ProxyMapping {
+	pathMappings := make([]*proto.PathMapping, 0, len(r.Targets))
+	for _, target := range r.Targets {
+		if !target.Enabled {
+			continue
+		}
+
+		// TODO: Make path prefix stripping configurable per-target.
+		// Currently the matching prefix is baked into the target URL path,
+		// so the proxy strips-then-re-adds it (effectively a no-op).
+		targetURL := url.URL{
+			Scheme: target.Protocol,
+			Host:   target.Host,
+			Path:   "/", // TODO: support service path
+		}
+		if target.Port > 0 && !isDefaultPort(target.Protocol, target.Port) {
+			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.Itoa(target.Port))
+		}
+
+		path := "/"
+		if target.Path != nil {
+			path = *target.Path
+		}
+		pathMappings = append(pathMappings, &proto.PathMapping{
+			Path:   path,
+			Target: targetURL.String(),
+		})
+	}
+
+	auth := &proto.Authentication{
+		SessionKey:           r.SessionPublicKey,
+		MaxSessionAgeSeconds: int64((time.Hour * 24).Seconds()),
+	}
+
+	if r.Auth.PasswordAuth != nil && r.Auth.PasswordAuth.Enabled {
+		auth.Password = true
+	}
+
+	if r.Auth.PinAuth != nil && r.Auth.PinAuth.Enabled {
+		auth.Pin = true
+	}
+
+	if r.Auth.BearerAuth != nil && r.Auth.BearerAuth.Enabled {
+		auth.Oidc = true
+	}
+
+	return &proto.ProxyMapping{
+		Type:             operationToProtoType(operation),
+		Id:               r.ID,
+		Domain:           r.Domain,
+		Path:             pathMappings,
+		AuthToken:        authToken,
+		Auth:             auth,
+		AccountId:        r.AccountID,
+		PassHostHeader:   r.PassHostHeader,
+		RewriteRedirects: r.RewriteRedirects,
+	}
+}
+
+func operationToProtoType(op Operation) proto.ProxyMappingUpdateType {
+	switch op {
+	case Create:
+		return proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED
+	case Update:
+		return proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED
+	case Delete:
+		return proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED
+	default:
+		log.Fatalf("unknown operation type: %v", op)
+		return proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED
+	}
+}
+
+// isDefaultPort reports whether port is the standard default for the given scheme
+// (443 for https, 80 for http).
+func isDefaultPort(scheme string, port int) bool {
+	return (scheme == "https" && port == 443) || (scheme == "http" && port == 80)
+}
+
+func (r *ReverseProxy) FromAPIRequest(req *api.ReverseProxyRequest, accountID string) {
+	r.Name = req.Name
+	r.Domain = req.Domain
+	r.AccountID = accountID
+
+	targets := make([]*Target, 0, len(req.Targets))
+	for _, apiTarget := range req.Targets {
+		target := &Target{
+			AccountID:  accountID,
+			Path:       apiTarget.Path,
+			Port:       apiTarget.Port,
+			Protocol:   string(apiTarget.Protocol),
+			TargetId:   apiTarget.TargetId,
+			TargetType: string(apiTarget.TargetType),
+			Enabled:    apiTarget.Enabled,
+		}
+		if apiTarget.Host != nil {
+			target.Host = *apiTarget.Host
+		}
+		targets = append(targets, target)
+	}
+	r.Targets = targets
+
+	r.Enabled = req.Enabled
+
+	if req.PassHostHeader != nil {
+		r.PassHostHeader = *req.PassHostHeader
+	}
+
+	if req.RewriteRedirects != nil {
+		r.RewriteRedirects = *req.RewriteRedirects
+	}
+
+	if req.Auth.PasswordAuth != nil {
+		r.Auth.PasswordAuth = &PasswordAuthConfig{
+			Enabled:  req.Auth.PasswordAuth.Enabled,
+			Password: req.Auth.PasswordAuth.Password,
+		}
+	}
+
+	if req.Auth.PinAuth != nil {
+		r.Auth.PinAuth = &PINAuthConfig{
+			Enabled: req.Auth.PinAuth.Enabled,
+			Pin:     req.Auth.PinAuth.Pin,
+		}
+	}
+
+	if req.Auth.BearerAuth != nil {
+		bearerAuth := &BearerAuthConfig{
+			Enabled: req.Auth.BearerAuth.Enabled,
+		}
+		if req.Auth.BearerAuth.DistributionGroups != nil {
+			bearerAuth.DistributionGroups = *req.Auth.BearerAuth.DistributionGroups
+		}
+		r.Auth.BearerAuth = bearerAuth
+	}
+}
+
+func (r *ReverseProxy) Validate() error {
+	if r.Name == "" {
+		return errors.New("reverse proxy name is required")
+	}
+	if len(r.Name) > 255 {
+		return errors.New("reverse proxy name exceeds maximum length of 255 characters")
+	}
+
+	if r.Domain == "" {
+		return errors.New("reverse proxy domain is required")
+	}
+
+	if len(r.Targets) == 0 {
+		return errors.New("at least one target is required")
+	}
+
+	for i, target := range r.Targets {
+		switch target.TargetType {
+		case TargetTypePeer, TargetTypeHost, TargetTypeDomain:
+			// host field will be ignored
+		case TargetTypeSubnet:
+			if target.Host == "" {
+				return fmt.Errorf("target %d has empty host but target_type is %q", i, target.TargetType)
+			}
+		default:
+			return fmt.Errorf("target %d has invalid target_type %q", i, target.TargetType)
+		}
+		if target.TargetId == "" {
+			return fmt.Errorf("target %d has empty target_id", i)
+		}
+	}
+
+	return nil
+}
+
+func (r *ReverseProxy) EventMeta() map[string]any {
+	return map[string]any{"name": r.Name, "domain": r.Domain, "proxy_cluster": r.ProxyCluster}
+}
+
+func (r *ReverseProxy) Copy() *ReverseProxy {
+	targets := make([]*Target, len(r.Targets))
+	for i, target := range r.Targets {
+		targetCopy := *target
+		targets[i] = &targetCopy
+	}
+
+	return &ReverseProxy{
+		ID:                r.ID,
+		AccountID:         r.AccountID,
+		Name:              r.Name,
+		Domain:            r.Domain,
+		ProxyCluster:      r.ProxyCluster,
+		Targets:           targets,
+		Enabled:           r.Enabled,
+		PassHostHeader:    r.PassHostHeader,
+		RewriteRedirects:  r.RewriteRedirects,
+		Auth:              r.Auth,
+		Meta:              r.Meta,
+		SessionPrivateKey: r.SessionPrivateKey,
+		SessionPublicKey:  r.SessionPublicKey,
+	}
+}
+
+func (r *ReverseProxy) EncryptSensitiveData(enc *crypt.FieldEncrypt) error {
+	if enc == nil {
+		return nil
+	}
+
+	if r.SessionPrivateKey != "" {
+		var err error
+		r.SessionPrivateKey, err = enc.Encrypt(r.SessionPrivateKey)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *ReverseProxy) DecryptSensitiveData(enc *crypt.FieldEncrypt) error {
+	if enc == nil {
+		return nil
+	}
+
+	if r.SessionPrivateKey != "" {
+		var err error
+		r.SessionPrivateKey, err = enc.Decrypt(r.SessionPrivateKey)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

management/internals/modules/reverseproxy/reverseproxy_test.go

@@ -0,0 +1,405 @@
+package reverseproxy
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/shared/hash/argon2id"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+func validProxy() *ReverseProxy {
+	return &ReverseProxy{
+		Name:   "test",
+		Domain: "example.com",
+		Targets: []*Target{
+			{TargetId: "peer-1", TargetType: TargetTypePeer, Host: "10.0.0.1", Port: 80, Protocol: "http", Enabled: true},
+		},
+	}
+}
+
+func TestValidate_Valid(t *testing.T) {
+	require.NoError(t, validProxy().Validate())
+}
+
+func TestValidate_EmptyName(t *testing.T) {
+	rp := validProxy()
+	rp.Name = ""
+	assert.ErrorContains(t, rp.Validate(), "name is required")
+}
+
+func TestValidate_EmptyDomain(t *testing.T) {
+	rp := validProxy()
+	rp.Domain = ""
+	assert.ErrorContains(t, rp.Validate(), "domain is required")
+}
+
+func TestValidate_NoTargets(t *testing.T) {
+	rp := validProxy()
+	rp.Targets = nil
+	assert.ErrorContains(t, rp.Validate(), "at least one target")
+}
+
+func TestValidate_EmptyTargetId(t *testing.T) {
+	rp := validProxy()
+	rp.Targets[0].TargetId = ""
+	assert.ErrorContains(t, rp.Validate(), "empty target_id")
+}
+
+func TestValidate_InvalidTargetType(t *testing.T) {
+	rp := validProxy()
+	rp.Targets[0].TargetType = "invalid"
+	assert.ErrorContains(t, rp.Validate(), "invalid target_type")
+}
+
+func TestValidate_ResourceTarget(t *testing.T) {
+	rp := validProxy()
+	rp.Targets = append(rp.Targets, &Target{
+		TargetId:   "resource-1",
+		TargetType: TargetTypeHost,
+		Host:       "example.org",
+		Port:       443,
+		Protocol:   "https",
+		Enabled:    true,
+	})
+	require.NoError(t, rp.Validate())
+}
+
+func TestValidate_MultipleTargetsOneInvalid(t *testing.T) {
+	rp := validProxy()
+	rp.Targets = append(rp.Targets, &Target{
+		TargetId:   "",
+		TargetType: TargetTypePeer,
+		Host:       "10.0.0.2",
+		Port:       80,
+		Protocol:   "http",
+		Enabled:    true,
+	})
+	err := rp.Validate()
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "target 1")
+	assert.Contains(t, err.Error(), "empty target_id")
+}
+
+func TestIsDefaultPort(t *testing.T) {
+	tests := []struct {
+		scheme string
+		port   int
+		want   bool
+	}{
+		{"http", 80, true},
+		{"https", 443, true},
+		{"http", 443, false},
+		{"https", 80, false},
+		{"http", 8080, false},
+		{"https", 8443, false},
+		{"http", 0, false},
+		{"https", 0, false},
+	}
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%s/%d", tt.scheme, tt.port), func(t *testing.T) {
+			assert.Equal(t, tt.want, isDefaultPort(tt.scheme, tt.port))
+		})
+	}
+}
+
+func TestToProtoMapping_PortInTargetURL(t *testing.T) {
+	oidcConfig := OIDCValidationConfig{}
+
+	tests := []struct {
+		name       string
+		protocol   string
+		host       string
+		port       int
+		wantTarget string
+	}{
+		{
+			name:       "http with default port 80 omits port",
+			protocol:   "http",
+			host:       "10.0.0.1",
+			port:       80,
+			wantTarget: "http://10.0.0.1/",
+		},
+		{
+			name:       "https with default port 443 omits port",
+			protocol:   "https",
+			host:       "10.0.0.1",
+			port:       443,
+			wantTarget: "https://10.0.0.1/",
+		},
+		{
+			name:       "port 0 omits port",
+			protocol:   "http",
+			host:       "10.0.0.1",
+			port:       0,
+			wantTarget: "http://10.0.0.1/",
+		},
+		{
+			name:       "non-default port is included",
+			protocol:   "http",
+			host:       "10.0.0.1",
+			port:       8080,
+			wantTarget: "http://10.0.0.1:8080/",
+		},
+		{
+			name:       "https with non-default port is included",
+			protocol:   "https",
+			host:       "10.0.0.1",
+			port:       8443,
+			wantTarget: "https://10.0.0.1:8443/",
+		},
+		{
+			name:       "http port 443 is included",
+			protocol:   "http",
+			host:       "10.0.0.1",
+			port:       443,
+			wantTarget: "http://10.0.0.1:443/",
+		},
+		{
+			name:       "https port 80 is included",
+			protocol:   "https",
+			host:       "10.0.0.1",
+			port:       80,
+			wantTarget: "https://10.0.0.1:80/",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rp := &ReverseProxy{
+				ID:        "test-id",
+				AccountID: "acc-1",
+				Domain:    "example.com",
+				Targets: []*Target{
+					{
+						TargetId:   "peer-1",
+						TargetType: TargetTypePeer,
+						Host:       tt.host,
+						Port:       tt.port,
+						Protocol:   tt.protocol,
+						Enabled:    true,
+					},
+				},
+			}
+			pm := rp.ToProtoMapping(Create, "token", oidcConfig)
+			require.Len(t, pm.Path, 1, "should have one path mapping")
+			assert.Equal(t, tt.wantTarget, pm.Path[0].Target)
+		})
+	}
+}
+
+func TestToProtoMapping_DisabledTargetSkipped(t *testing.T) {
+	rp := &ReverseProxy{
+		ID:        "test-id",
+		AccountID: "acc-1",
+		Domain:    "example.com",
+		Targets: []*Target{
+			{TargetId: "peer-1", TargetType: TargetTypePeer, Host: "10.0.0.1", Port: 8080, Protocol: "http", Enabled: false},
+			{TargetId: "peer-2", TargetType: TargetTypePeer, Host: "10.0.0.2", Port: 9090, Protocol: "http", Enabled: true},
+		},
+	}
+	pm := rp.ToProtoMapping(Create, "token", OIDCValidationConfig{})
+	require.Len(t, pm.Path, 1)
+	assert.Equal(t, "http://10.0.0.2:9090/", pm.Path[0].Target)
+}
+
+func TestToProtoMapping_OperationTypes(t *testing.T) {
+	rp := validProxy()
+	tests := []struct {
+		op   Operation
+		want proto.ProxyMappingUpdateType
+	}{
+		{Create, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED},
+		{Update, proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED},
+		{Delete, proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED},
+	}
+	for _, tt := range tests {
+		t.Run(string(tt.op), func(t *testing.T) {
+			pm := rp.ToProtoMapping(tt.op, "", OIDCValidationConfig{})
+			assert.Equal(t, tt.want, pm.Type)
+		})
+	}
+}
+
+func TestAuthConfig_HashSecrets(t *testing.T) {
+	tests := []struct {
+		name     string
+		config   *AuthConfig
+		wantErr  bool
+		validate func(*testing.T, *AuthConfig)
+	}{
+		{
+			name: "hash password successfully",
+			config: &AuthConfig{
+				PasswordAuth: &PasswordAuthConfig{
+					Enabled:  true,
+					Password: "testPassword123",
+				},
+			},
+			wantErr: false,
+			validate: func(t *testing.T, config *AuthConfig) {
+				if !strings.HasPrefix(config.PasswordAuth.Password, "$argon2id$") {
+					t.Errorf("Password not hashed with argon2id, got: %s", config.PasswordAuth.Password)
+				}
+				// Verify the hash can be verified
+				if err := argon2id.Verify("testPassword123", config.PasswordAuth.Password); err != nil {
+					t.Errorf("Hash verification failed: %v", err)
+				}
+			},
+		},
+		{
+			name: "hash PIN successfully",
+			config: &AuthConfig{
+				PinAuth: &PINAuthConfig{
+					Enabled: true,
+					Pin:     "123456",
+				},
+			},
+			wantErr: false,
+			validate: func(t *testing.T, config *AuthConfig) {
+				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
+					t.Errorf("PIN not hashed with argon2id, got: %s", config.PinAuth.Pin)
+				}
+				// Verify the hash can be verified
+				if err := argon2id.Verify("123456", config.PinAuth.Pin); err != nil {
+					t.Errorf("Hash verification failed: %v", err)
+				}
+			},
+		},
+		{
+			name: "hash both password and PIN",
+			config: &AuthConfig{
+				PasswordAuth: &PasswordAuthConfig{
+					Enabled:  true,
+					Password: "password",
+				},
+				PinAuth: &PINAuthConfig{
+					Enabled: true,
+					Pin:     "9999",
+				},
+			},
+			wantErr: false,
+			validate: func(t *testing.T, config *AuthConfig) {
+				if !strings.HasPrefix(config.PasswordAuth.Password, "$argon2id$") {
+					t.Errorf("Password not hashed with argon2id")
+				}
+				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
+					t.Errorf("PIN not hashed with argon2id")
+				}
+				if err := argon2id.Verify("password", config.PasswordAuth.Password); err != nil {
+					t.Errorf("Password hash verification failed: %v", err)
+				}
+				if err := argon2id.Verify("9999", config.PinAuth.Pin); err != nil {
+					t.Errorf("PIN hash verification failed: %v", err)
+				}
+			},
+		},
+		{
+			name: "skip disabled password auth",
+			config: &AuthConfig{
+				PasswordAuth: &PasswordAuthConfig{
+					Enabled:  false,
+					Password: "password",
+				},
+			},
+			wantErr: false,
+			validate: func(t *testing.T, config *AuthConfig) {
+				if config.PasswordAuth.Password != "password" {
+					t.Errorf("Disabled password auth should not be hashed")
+				}
+			},
+		},
+		{
+			name: "skip empty password",
+			config: &AuthConfig{
+				PasswordAuth: &PasswordAuthConfig{
+					Enabled:  true,
+					Password: "",
+				},
+			},
+			wantErr: false,
+			validate: func(t *testing.T, config *AuthConfig) {
+				if config.PasswordAuth.Password != "" {
+					t.Errorf("Empty password should remain empty")
+				}
+			},
+		},
+		{
+			name: "skip nil password auth",
+			config: &AuthConfig{
+				PasswordAuth: nil,
+				PinAuth: &PINAuthConfig{
+					Enabled: true,
+					Pin:     "1234",
+				},
+			},
+			wantErr: false,
+			validate: func(t *testing.T, config *AuthConfig) {
+				if config.PasswordAuth != nil {
+					t.Errorf("PasswordAuth should remain nil")
+				}
+				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
+					t.Errorf("PIN should still be hashed")
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.config.HashSecrets()
+			if (err != nil) != tt.wantErr {
+				t.Errorf("HashSecrets() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if tt.validate != nil {
+				tt.validate(t, tt.config)
+			}
+		})
+	}
+}
+
+func TestAuthConfig_HashSecrets_VerifyIncorrectSecret(t *testing.T) {
+	config := &AuthConfig{
+		PasswordAuth: &PasswordAuthConfig{
+			Enabled:  true,
+			Password: "correctPassword",
+		},
+	}
+
+	if err := config.HashSecrets(); err != nil {
+		t.Fatalf("HashSecrets() error = %v", err)
+	}
+
+	// Verify with wrong password should fail
+	err := argon2id.Verify("wrongPassword", config.PasswordAuth.Password)
+	if !errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
+		t.Errorf("Expected ErrMismatchedHashAndPassword, got %v", err)
+	}
+}
+
+func TestAuthConfig_ClearSecrets(t *testing.T) {
+	config := &AuthConfig{
+		PasswordAuth: &PasswordAuthConfig{
+			Enabled:  true,
+			Password: "hashedPassword",
+		},
+		PinAuth: &PINAuthConfig{
+			Enabled: true,
+			Pin:     "hashedPin",
+		},
+	}
+
+	config.ClearSecrets()
+
+	if config.PasswordAuth.Password != "" {
+		t.Errorf("Password not cleared, got: %s", config.PasswordAuth.Password)
+	}
+	if config.PinAuth.Pin != "" {
+		t.Errorf("PIN not cleared, got: %s", config.PinAuth.Pin)
+	}
+}

management/internals/modules/reverseproxy/sessionkey/sessionkey.go

@@ -0,0 +1,69 @@
+package sessionkey
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+
+	"github.com/netbirdio/netbird/proxy/auth"
+)
+
+type KeyPair struct {
+	PrivateKey string
+	PublicKey  string
+}
+
+type Claims struct {
+	jwt.RegisteredClaims
+	Method auth.Method `json:"method"`
+}
+
+func GenerateKeyPair() (*KeyPair, error) {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("generate ed25519 key: %w", err)
+	}
+
+	return &KeyPair{
+		PrivateKey: base64.StdEncoding.EncodeToString(priv),
+		PublicKey:  base64.StdEncoding.EncodeToString(pub),
+	}, nil
+}
+
+func SignToken(privKeyB64, userID, domain string, method auth.Method, expiration time.Duration) (string, error) {
+	privKeyBytes, err := base64.StdEncoding.DecodeString(privKeyB64)
+	if err != nil {
+		return "", fmt.Errorf("decode private key: %w", err)
+	}
+
+	if len(privKeyBytes) != ed25519.PrivateKeySize {
+		return "", fmt.Errorf("invalid private key size: got %d, want %d", len(privKeyBytes), ed25519.PrivateKeySize)
+	}
+
+	privKey := ed25519.PrivateKey(privKeyBytes)
+
+	now := time.Now()
+	claims := Claims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    auth.SessionJWTIssuer,
+			Subject:   userID,
+			Audience:  jwt.ClaimStrings{domain},
+			ExpiresAt: jwt.NewNumericDate(now.Add(expiration)),
+			IssuedAt:  jwt.NewNumericDate(now),
+			NotBefore: jwt.NewNumericDate(now),
+		},
+		Method: method,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
+	signedToken, err := token.SignedString(privKey)
+	if err != nil {
+		return "", fmt.Errorf("sign token: %w", err)
+	}
+
+	return signedToken, nil
+}

management/internals/server/boot.go

@@ -21,6 +21,8 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/formatter/hook"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
@@ -92,7 +94,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -120,11 +122,13 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 			realip.WithTrustedProxiesCount(trustedProxiesCount),
 			realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
 		}
+		proxyUnary, proxyStream, proxyAuthClose := nbgrpc.NewProxyAuthInterceptors(s.Store())
+		s.proxyAuthClose = proxyAuthClose
 		gRPCOpts := []grpc.ServerOption{
 			grpc.KeepaliveEnforcementPolicy(kaep),
 			grpc.KeepaliveParams(kasp),
-			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor),
-			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor),
+			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor, proxyUnary),
+			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor, proxyStream),
 		}
 
 		if s.Config.HttpConfig.LetsEncryptDomain != "" {
@@ -150,10 +154,53 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 		}
 		mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)
 
+		mgmtProto.RegisterProxyServiceServer(gRPCAPIHandler, s.ReverseProxyGRPCServer())
+		log.Info("ProxyService registered on gRPC server")
+
 		return gRPCAPIHandler
 	})
 }
 
+func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
+	return Create(s, func() *nbgrpc.ProxyServiceServer {
+		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager())
+		s.AfterInit(func(s *BaseServer) {
+			proxyService.SetProxyManager(s.ReverseProxyManager())
+		})
+		return proxyService
+	})
+}
+
+func (s *BaseServer) proxyOIDCConfig() nbgrpc.ProxyOIDCConfig {
+	return Create(s, func() nbgrpc.ProxyOIDCConfig {
+		return nbgrpc.ProxyOIDCConfig{
+			Issuer: s.Config.HttpConfig.AuthIssuer,
+			// todo: double check auth clientID value
+			ClientID:     s.Config.HttpConfig.AuthClientID, // Reuse dashboard client
+			Scopes:       []string{"openid", "profile", "email"},
+			CallbackURL:  s.Config.HttpConfig.AuthCallbackURL,
+			HMACKey:      []byte(s.Config.DataStoreEncryptionKey), // Use the datastore encryption key for OIDC state HMACs, this should ensure all management instances are using the same key.
+			Audience:     s.Config.HttpConfig.AuthAudience,
+			KeysLocation: s.Config.HttpConfig.AuthKeysLocation,
+		}
+	})
+}
+
+func (s *BaseServer) ProxyTokenStore() *nbgrpc.OneTimeTokenStore {
+	return Create(s, func() *nbgrpc.OneTimeTokenStore {
+		tokenStore := nbgrpc.NewOneTimeTokenStore(1 * time.Minute)
+		log.Info("One-time token store initialized for proxy authentication")
+		return tokenStore
+	})
+}
+
+func (s *BaseServer) AccessLogsManager() accesslogs.Manager {
+	return Create(s, func() accesslogs.Manager {
+		accessLogManager := accesslogsmanager.NewManager(s.Store(), s.PermissionsManager(), s.GeoLocationManager())
+		return accessLogManager
+	})
+}
+
 func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
 	// Load server's certificate and private key
 	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)

management/internals/server/config/config.go

@@ -100,6 +100,8 @@ type HttpServerConfig struct {
 	CertFile string
 	// CertKey is the location of the certificate private key
 	CertKey string
+	// AuthClientID is the client id used for proxy SSO auth
+	AuthClientID string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
 	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
@@ -117,6 +119,8 @@ type HttpServerConfig struct {
 	IdpSignKeyRefreshEnabled bool
 	// Extra audience
 	ExtraAuthAudience string
+	// AuthCallbackDomain contains the callback domain
+	AuthCallbackURL string
 }
 
 // Host represents a Netbird host (e.g. STUN, TURN, Signal)

management/internals/server/modules.go

@@ -8,6 +8,9 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	nbreverseproxy "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
@@ -69,7 +72,14 @@ func (s *BaseServer) UsersManager() users.Manager {
 func (s *BaseServer) SettingsManager() settings.Manager {
 	return Create(s, func() settings.Manager {
 		extraSettingsManager := integrations.NewManager(s.EventStore())
-		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, s.PermissionsManager())
+
+		idpConfig := settings.IdpConfig{}
+		if s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled {
+			idpConfig.EmbeddedIdpEnabled = true
+			idpConfig.LocalAuthDisabled = s.Config.EmbeddedIdP.LocalAuthDisabled
+		}
+
+		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, s.PermissionsManager(), idpConfig)
 	})
 }
 
@@ -91,6 +101,11 @@ func (s *BaseServer) AccountManager() account.Manager {
 		if err != nil {
 			log.Fatalf("failed to create account manager: %v", err)
 		}
+
+		s.AfterInit(func(s *BaseServer) {
+			accountManager.SetReverseProxyManager(s.ReverseProxyManager())
+		})
+
 		return accountManager
 	})
 }
@@ -147,7 +162,7 @@ func (s *BaseServer) GroupsManager() groups.Manager {
 
 func (s *BaseServer) ResourcesManager() resources.Manager {
 	return Create(s, func() resources.Manager {
-		return resources.NewManager(s.Store(), s.PermissionsManager(), s.GroupsManager(), s.AccountManager())
+		return resources.NewManager(s.Store(), s.PermissionsManager(), s.GroupsManager(), s.AccountManager(), s.ReverseProxyManager())
 	})
 }
 
@@ -174,3 +189,16 @@ func (s *BaseServer) RecordsManager() records.Manager {
 		return recordsManager.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager())
 	})
 }
+
+func (s *BaseServer) ReverseProxyManager() reverseproxy.Manager {
+	return Create(s, func() reverseproxy.Manager {
+		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ReverseProxyGRPCServer(), s.ProxyTokenStore(), s.ReverseProxyDomainManager())
+	})
+}
+
+func (s *BaseServer) ReverseProxyDomainManager() *domain.Manager {
+	return Create(s, func() *domain.Manager {
+		m := domain.NewManager(s.Store(), s.ReverseProxyGRPCServer())
+		return &m
+	})
+}

management/internals/server/server.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/netbirdio/netbird/management/server/idp"
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"
 	"golang.org/x/crypto/acme/autocert"
@@ -21,6 +20,7 @@ import (
 
 	"github.com/netbirdio/netbird/encryption"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/metrics"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/util/wsproxy"
@@ -58,6 +58,8 @@ type BaseServer struct {
 	mgmtMetricsPort          int
 	mgmtPort                 int
 
+	proxyAuthClose func()
+
 	listener    net.Listener
 	certManager *autocert.Manager
 	update      *version.Update
@@ -215,6 +217,10 @@ func (s *BaseServer) Stop() error {
 		_ = s.certManager.Listener().Close()
 	}
 	s.GRPCServer().Stop()
+	if s.proxyAuthClose != nil {
+		s.proxyAuthClose()
+		s.proxyAuthClose = nil
+	}
 	_ = s.Store().Close(ctx)
 	_ = s.EventStore().Close(ctx)
 	if s.update != nil {

management/internals/shared/grpc/onetime_token.go

@@ -0,0 +1,167 @@
+package grpc
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// OneTimeTokenStore manages short-lived, single-use authentication tokens
+// for proxy-to-management RPC authentication. Tokens are generated when
+// a reverse proxy is created and must be used exactly once by the proxy
+// to authenticate a subsequent RPC call.
+type OneTimeTokenStore struct {
+	tokens      map[string]*tokenMetadata
+	mu          sync.RWMutex
+	cleanup     *time.Ticker
+	cleanupDone chan struct{}
+}
+
+// tokenMetadata stores information about a one-time token
+type tokenMetadata struct {
+	ReverseProxyID string
+	AccountID      string
+	ExpiresAt      time.Time
+	CreatedAt      time.Time
+}
+
+// NewOneTimeTokenStore creates a new token store with automatic cleanup
+// of expired tokens. The cleanupInterval determines how often expired
+// tokens are removed from memory.
+func NewOneTimeTokenStore(cleanupInterval time.Duration) *OneTimeTokenStore {
+	store := &OneTimeTokenStore{
+		tokens:      make(map[string]*tokenMetadata),
+		cleanup:     time.NewTicker(cleanupInterval),
+		cleanupDone: make(chan struct{}),
+	}
+
+	// Start background cleanup goroutine
+	go store.cleanupExpired()
+
+	return store
+}
+
+// GenerateToken creates a new cryptographically secure one-time token
+// with the specified TTL. The token is associated with a specific
+// accountID and reverseProxyID for validation purposes.
+//
+// Returns the generated token string or an error if random generation fails.
+func (s *OneTimeTokenStore) GenerateToken(accountID, reverseProxyID string, ttl time.Duration) (string, error) {
+	// Generate 32 bytes (256 bits) of cryptographically secure random data
+	randomBytes := make([]byte, 32)
+	if _, err := rand.Read(randomBytes); err != nil {
+		return "", fmt.Errorf("failed to generate random token: %w", err)
+	}
+
+	// Encode as URL-safe base64 for easy transmission in gRPC
+	token := base64.URLEncoding.EncodeToString(randomBytes)
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.tokens[token] = &tokenMetadata{
+		ReverseProxyID: reverseProxyID,
+		AccountID:      accountID,
+		ExpiresAt:      time.Now().Add(ttl),
+		CreatedAt:      time.Now(),
+	}
+
+	log.Debugf("Generated one-time token for proxy %s in account %s (expires in %s)",
+		reverseProxyID, accountID, ttl)
+
+	return token, nil
+}
+
+// ValidateAndConsume verifies the token against the provided accountID and
+// reverseProxyID, checks expiration, and then deletes it to enforce single-use.
+//
+// This method uses constant-time comparison to prevent timing attacks.
+//
+// Returns nil on success, or an error if:
+// - Token doesn't exist
+// - Token has expired
+// - Account ID doesn't match
+// - Reverse proxy ID doesn't match
+func (s *OneTimeTokenStore) ValidateAndConsume(token, accountID, reverseProxyID string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	metadata, exists := s.tokens[token]
+	if !exists {
+		log.Warnf("Token validation failed: token not found (proxy: %s, account: %s)",
+			reverseProxyID, accountID)
+		return fmt.Errorf("invalid token")
+	}
+
+	// Check expiration
+	if time.Now().After(metadata.ExpiresAt) {
+		delete(s.tokens, token)
+		log.Warnf("Token validation failed: token expired (proxy: %s, account: %s)",
+			reverseProxyID, accountID)
+		return fmt.Errorf("token expired")
+	}
+
+	// Validate account ID using constant-time comparison (prevents timing attacks)
+	if subtle.ConstantTimeCompare([]byte(metadata.AccountID), []byte(accountID)) != 1 {
+		log.Warnf("Token validation failed: account ID mismatch (expected: %s, got: %s)",
+			metadata.AccountID, accountID)
+		return fmt.Errorf("account ID mismatch")
+	}
+
+	// Validate reverse proxy ID using constant-time comparison
+	if subtle.ConstantTimeCompare([]byte(metadata.ReverseProxyID), []byte(reverseProxyID)) != 1 {
+		log.Warnf("Token validation failed: reverse proxy ID mismatch (expected: %s, got: %s)",
+			metadata.ReverseProxyID, reverseProxyID)
+		return fmt.Errorf("reverse proxy ID mismatch")
+	}
+
+	// Delete token immediately to enforce single-use
+	delete(s.tokens, token)
+
+	log.Infof("Token validated and consumed for proxy %s in account %s",
+		reverseProxyID, accountID)
+
+	return nil
+}
+
+// cleanupExpired removes expired tokens in the background to prevent memory leaks
+func (s *OneTimeTokenStore) cleanupExpired() {
+	for {
+		select {
+		case <-s.cleanup.C:
+			s.mu.Lock()
+			now := time.Now()
+			removed := 0
+			for token, metadata := range s.tokens {
+				if now.After(metadata.ExpiresAt) {
+					delete(s.tokens, token)
+					removed++
+				}
+			}
+			if removed > 0 {
+				log.Debugf("Cleaned up %d expired one-time tokens", removed)
+			}
+			s.mu.Unlock()
+		case <-s.cleanupDone:
+			return
+		}
+	}
+}
+
+// Close stops the cleanup goroutine and releases resources
+func (s *OneTimeTokenStore) Close() {
+	s.cleanup.Stop()
+	close(s.cleanupDone)
+}
+
+// GetTokenCount returns the current number of tokens in the store (for debugging/metrics)
+func (s *OneTimeTokenStore) GetTokenCount() int {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return len(s.tokens)
+}

management/internals/shared/grpc/proxy.go

@@ -0,0 +1,956 @@
+package grpc
+
+import (
+	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/management/internals/modules/peers"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/users"
+	proxyauth "github.com/netbirdio/netbird/proxy/auth"
+	"github.com/netbirdio/netbird/shared/hash/argon2id"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type ProxyOIDCConfig struct {
+	Issuer      string
+	ClientID    string
+	Scopes      []string
+	CallbackURL string
+	HMACKey     []byte
+
+	Audience     string
+	KeysLocation string
+}
+
+// ClusterInfo contains information about a proxy cluster.
+type ClusterInfo struct {
+	Address          string
+	ConnectedProxies int
+}
+
+// ProxyServiceServer implements the ProxyService gRPC server
+type ProxyServiceServer struct {
+	proto.UnimplementedProxyServiceServer
+
+	// Map of connected proxies: proxy_id -> proxy connection
+	connectedProxies sync.Map
+
+	// Map of cluster address -> set of proxy IDs
+	clusterProxies sync.Map
+
+	// Channel for broadcasting reverse proxy updates to all proxies
+	updatesChan chan *proto.ProxyMapping
+
+	// Manager for access logs
+	accessLogManager accesslogs.Manager
+
+	// Manager for reverse proxy operations
+	reverseProxyManager reverseproxy.Manager
+
+	// Manager for peers
+	peersManager peers.Manager
+
+	// Manager for users
+	usersManager users.Manager
+
+	// Store for one-time authentication tokens
+	tokenStore *OneTimeTokenStore
+
+	// OIDC configuration for proxy authentication
+	oidcConfig ProxyOIDCConfig
+
+	// TODO: use database to store these instead?
+	pkceVerifiers sync.Map
+}
+
+// proxyConnection represents a connected proxy
+type proxyConnection struct {
+	proxyID  string
+	address  string
+	stream   proto.ProxyService_GetMappingUpdateServer
+	sendChan chan *proto.ProxyMapping
+	ctx      context.Context
+	cancel   context.CancelFunc
+	mu       sync.RWMutex
+}
+
+// NewProxyServiceServer creates a new proxy service server.
+func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager) *ProxyServiceServer {
+	return &ProxyServiceServer{
+		updatesChan:      make(chan *proto.ProxyMapping, 100),
+		accessLogManager: accessLogMgr,
+		oidcConfig:       oidcConfig,
+		tokenStore:       tokenStore,
+		peersManager:     peersManager,
+		usersManager:     usersManager,
+	}
+}
+
+func (s *ProxyServiceServer) SetProxyManager(manager reverseproxy.Manager) {
+	s.reverseProxyManager = manager
+}
+
+// GetMappingUpdate handles the control stream with proxy clients
+func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
+	ctx := stream.Context()
+
+	peerInfo := ""
+	if p, ok := peer.FromContext(ctx); ok {
+		peerInfo = p.Addr.String()
+	}
+
+	log.Infof("New proxy connection from %s", peerInfo)
+
+	proxyID := req.GetProxyId()
+	if proxyID == "" {
+		return status.Errorf(codes.InvalidArgument, "proxy_id is required")
+	}
+
+	proxyAddress := req.GetAddress()
+	log.WithFields(log.Fields{
+		"proxy_id": proxyID,
+		"address":  proxyAddress,
+		"version":  req.GetVersion(),
+		"started":  req.GetStartedAt().AsTime(),
+	}).Info("Proxy connected")
+
+	connCtx, cancel := context.WithCancel(ctx)
+	conn := &proxyConnection{
+		proxyID:  proxyID,
+		address:  proxyAddress,
+		stream:   stream,
+		sendChan: make(chan *proto.ProxyMapping, 100),
+		ctx:      connCtx,
+		cancel:   cancel,
+	}
+
+	s.connectedProxies.Store(proxyID, conn)
+	s.addToCluster(conn.address, proxyID)
+	log.WithFields(log.Fields{
+		"proxy_id":      proxyID,
+		"address":       proxyAddress,
+		"cluster_addr":  extractClusterAddr(proxyAddress),
+		"total_proxies": len(s.GetConnectedProxies()),
+	}).Info("Proxy registered in cluster")
+	defer func() {
+		s.connectedProxies.Delete(proxyID)
+		s.removeFromCluster(conn.address, proxyID)
+		cancel()
+		log.Infof("Proxy %s disconnected", proxyID)
+	}()
+
+	if err := s.sendSnapshot(ctx, conn); err != nil {
+		log.Errorf("Failed to send snapshot to proxy %s: %v", proxyID, err)
+		return err
+	}
+
+	errChan := make(chan error, 2)
+	go s.sender(conn, errChan)
+
+	select {
+	case err := <-errChan:
+		return err
+	case <-connCtx.Done():
+		return connCtx.Err()
+	}
+}
+
+// sendSnapshot sends the initial snapshot of reverse proxies to the connecting proxy.
+// Only reverse proxies matching the proxy's cluster address are sent.
+func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnection) error {
+	reverseProxies, err := s.reverseProxyManager.GetGlobalReverseProxies(ctx)
+	if err != nil {
+		return fmt.Errorf("get reverse proxies from store: %w", err)
+	}
+
+	proxyClusterAddr := extractClusterAddr(conn.address)
+
+	for _, rp := range reverseProxies {
+		if !rp.Enabled {
+			continue
+		}
+
+		if rp.ProxyCluster != "" && proxyClusterAddr != "" && rp.ProxyCluster != proxyClusterAddr {
+			continue
+		}
+
+		// Generate one-time authentication token for each proxy in the snapshot
+		// Tokens are not persistent on the proxy, so we need to generate new ones on reconnection
+		token, err := s.tokenStore.GenerateToken(rp.AccountID, rp.ID, 5*time.Minute)
+		if err != nil {
+			log.WithFields(log.Fields{
+				"proxy":   rp.Name,
+				"account": rp.AccountID,
+			}).WithError(err).Error("Failed to generate auth token for snapshot")
+			continue
+		}
+
+		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
+			Mapping: []*proto.ProxyMapping{
+				rp.ToProtoMapping(
+					reverseproxy.Create, // Initial snapshot, all records are "new" for the proxy.
+					token,
+					s.GetOIDCValidationConfig(),
+				),
+			},
+		}); err != nil {
+			log.WithError(err).Error("Failed to send proxy mapping")
+			continue
+		}
+	}
+
+	return nil
+}
+
+// extractClusterAddr extracts the host from a proxy address URL.
+func extractClusterAddr(addr string) string {
+	if addr == "" {
+		return ""
+	}
+	u, err := url.Parse(addr)
+	if err != nil {
+		return addr
+	}
+	host := u.Host
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		return h
+	}
+	return host
+}
+
+// sender handles sending messages to proxy
+func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error) {
+	for {
+		select {
+		case msg := <-conn.sendChan:
+			if err := conn.stream.Send(&proto.GetMappingUpdateResponse{Mapping: []*proto.ProxyMapping{msg}}); err != nil {
+				log.Errorf("Failed to send message to proxy %s: %v", conn.proxyID, err)
+				errChan <- err
+				return
+			}
+		case <-conn.ctx.Done():
+			return
+		}
+	}
+}
+
+// SendAccessLog processes access log from proxy
+func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendAccessLogRequest) (*proto.SendAccessLogResponse, error) {
+	accessLog := req.GetLog()
+
+	fields := log.Fields{
+		"reverse_proxy_id": accessLog.GetServiceId(),
+		"account_id":       accessLog.GetAccountId(),
+		"host":             accessLog.GetHost(),
+		"source_ip":        accessLog.GetSourceIp(),
+	}
+	if mechanism := accessLog.GetAuthMechanism(); mechanism != "" {
+		fields["auth_mechanism"] = mechanism
+	}
+	if userID := accessLog.GetUserId(); userID != "" {
+		fields["user_id"] = userID
+	}
+	if !accessLog.GetAuthSuccess() {
+		fields["auth_success"] = false
+	}
+	log.WithFields(fields).Debugf("%s %s %d (%dms)",
+		accessLog.GetMethod(),
+		accessLog.GetPath(),
+		accessLog.GetResponseCode(),
+		accessLog.GetDurationMs(),
+	)
+
+	logEntry := &accesslogs.AccessLogEntry{}
+	logEntry.FromProto(accessLog)
+
+	if err := s.accessLogManager.SaveAccessLog(ctx, logEntry); err != nil {
+		log.WithContext(ctx).Errorf("failed to save access log: %v", err)
+		return nil, status.Errorf(codes.Internal, "failed to save access log: %v", err)
+	}
+
+	return &proto.SendAccessLogResponse{}, nil
+}
+
+// SendReverseProxyUpdate broadcasts a reverse proxy update to all connected proxies.
+// Management should call this when reverse proxies are created/updated/removed
+func (s *ProxyServiceServer) SendReverseProxyUpdate(update *proto.ProxyMapping) {
+	// Send it to all connected proxies
+	log.Debugf("Broadcasting reverse proxy update to all connected proxies")
+	s.connectedProxies.Range(func(key, value interface{}) bool {
+		conn := value.(*proxyConnection)
+		select {
+		case conn.sendChan <- update:
+			log.Debugf("Sent reverse proxy update with id %s to proxy %s", update.Id, conn.proxyID)
+		default:
+			log.Warnf("Failed to send reverse proxy update to proxy %s (channel full)", conn.proxyID)
+		}
+		return true
+	})
+}
+
+// GetConnectedProxies returns a list of connected proxy IDs
+func (s *ProxyServiceServer) GetConnectedProxies() []string {
+	var proxies []string
+	s.connectedProxies.Range(func(key, value interface{}) bool {
+		proxies = append(proxies, key.(string))
+		return true
+	})
+	return proxies
+}
+
+// GetConnectedProxyURLs returns a deduplicated list of URLs from all connected proxies.
+func (s *ProxyServiceServer) GetConnectedProxyURLs() []string {
+	seenUrls := make(map[string]struct{})
+	var urls []string
+	var proxyCount int
+	s.connectedProxies.Range(func(key, value interface{}) bool {
+		proxyCount++
+		conn := value.(*proxyConnection)
+		log.WithFields(log.Fields{
+			"proxy_id": conn.proxyID,
+			"address":  conn.address,
+		}).Debug("checking connected proxy for URL")
+		if _, seen := seenUrls[conn.address]; conn.address != "" && !seen {
+			seenUrls[conn.address] = struct{}{}
+			urls = append(urls, conn.address)
+		}
+		return true
+	})
+	log.WithFields(log.Fields{
+		"total_proxies":  proxyCount,
+		"unique_urls":    len(urls),
+		"connected_urls": urls,
+	}).Debug("GetConnectedProxyURLs result")
+	return urls
+}
+
+// addToCluster registers a proxy in a cluster.
+func (s *ProxyServiceServer) addToCluster(clusterAddr, proxyID string) {
+	if clusterAddr == "" {
+		return
+	}
+	proxySet, _ := s.clusterProxies.LoadOrStore(clusterAddr, &sync.Map{})
+	proxySet.(*sync.Map).Store(proxyID, struct{}{})
+	log.Debugf("Added proxy %s to cluster %s", proxyID, clusterAddr)
+}
+
+// removeFromCluster removes a proxy from a cluster.
+func (s *ProxyServiceServer) removeFromCluster(clusterAddr, proxyID string) {
+	if clusterAddr == "" {
+		return
+	}
+	if proxySet, ok := s.clusterProxies.Load(clusterAddr); ok {
+		proxySet.(*sync.Map).Delete(proxyID)
+		log.Debugf("Removed proxy %s from cluster %s", proxyID, clusterAddr)
+	}
+}
+
+// SendReverseProxyUpdateToCluster sends a reverse proxy update to all proxies in a specific cluster.
+// If clusterAddr is empty, broadcasts to all connected proxies (backward compatibility).
+func (s *ProxyServiceServer) SendReverseProxyUpdateToCluster(update *proto.ProxyMapping, clusterAddr string) {
+	if clusterAddr == "" {
+		s.SendReverseProxyUpdate(update)
+		return
+	}
+
+	proxySet, ok := s.clusterProxies.Load(clusterAddr)
+	if !ok {
+		log.Debugf("No proxies connected for cluster %s", clusterAddr)
+		return
+	}
+
+	log.Debugf("Sending reverse proxy update to cluster %s", clusterAddr)
+	proxySet.(*sync.Map).Range(func(key, _ interface{}) bool {
+		proxyID := key.(string)
+		if connVal, ok := s.connectedProxies.Load(proxyID); ok {
+			conn := connVal.(*proxyConnection)
+			select {
+			case conn.sendChan <- update:
+				log.Debugf("Sent reverse proxy update with id %s to proxy %s in cluster %s", update.Id, proxyID, clusterAddr)
+			default:
+				log.Warnf("Failed to send reverse proxy update to proxy %s in cluster %s (channel full)", proxyID, clusterAddr)
+			}
+		}
+		return true
+	})
+}
+
+// GetAvailableClusters returns information about all connected proxy clusters.
+func (s *ProxyServiceServer) GetAvailableClusters() []ClusterInfo {
+	clusterCounts := make(map[string]int)
+	s.clusterProxies.Range(func(key, value interface{}) bool {
+		clusterAddr := key.(string)
+		proxySet := value.(*sync.Map)
+		count := 0
+		proxySet.Range(func(_, _ interface{}) bool {
+			count++
+			return true
+		})
+		if count > 0 {
+			clusterCounts[clusterAddr] = count
+		}
+		return true
+	})
+
+	clusters := make([]ClusterInfo, 0, len(clusterCounts))
+	for addr, count := range clusterCounts {
+		clusters = append(clusters, ClusterInfo{
+			Address:          addr,
+			ConnectedProxies: count,
+		})
+	}
+	return clusters
+}
+
+func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
+	proxy, err := s.reverseProxyManager.GetProxyByID(ctx, req.GetAccountId(), req.GetId())
+	if err != nil {
+		// TODO: log the error
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to get reverse proxy from store: %v", err)
+	}
+
+	var authenticated bool
+	var userId string
+	var method proxyauth.Method
+	switch v := req.GetRequest().(type) {
+	case *proto.AuthenticateRequest_Pin:
+		auth := proxy.Auth.PinAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		err = argon2id.Verify(v.Pin.GetPin(), auth.Pin)
+		if err != nil {
+			if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
+				log.WithContext(ctx).Tracef("PIN authentication failed: invalid PIN")
+			} else {
+				log.WithContext(ctx).Errorf("PIN authentication error: %v", err)
+			}
+			break
+		}
+		authenticated = true
+		userId = "pin-user"
+		method = proxyauth.MethodPIN
+	case *proto.AuthenticateRequest_Password:
+		auth := proxy.Auth.PasswordAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		err = argon2id.Verify(v.Password.GetPassword(), auth.Password)
+		if err != nil {
+			if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
+				log.WithContext(ctx).Tracef("Password authentication failed: invalid password")
+			} else {
+				log.WithContext(ctx).Errorf("Password authentication error: %v", err)
+			}
+			break
+		}
+		authenticated = true
+		userId = "password-user"
+		method = proxyauth.MethodPassword
+	}
+
+	var token string
+	if authenticated && proxy.SessionPrivateKey != "" {
+		token, err = sessionkey.SignToken(
+			proxy.SessionPrivateKey,
+			userId,
+			proxy.Domain,
+			method,
+			proxyauth.DefaultSessionExpiry,
+		)
+		if err != nil {
+			log.WithError(err).Error("Failed to sign session token")
+			authenticated = false
+		}
+	}
+
+	return &proto.AuthenticateResponse{
+		Success:      authenticated,
+		SessionToken: token,
+	}, nil
+}
+
+// SendStatusUpdate handles status updates from proxy clients
+func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.SendStatusUpdateRequest) (*proto.SendStatusUpdateResponse, error) {
+	accountID := req.GetAccountId()
+	reverseProxyID := req.GetReverseProxyId()
+	protoStatus := req.GetStatus()
+	certificateIssued := req.GetCertificateIssued()
+
+	log.WithFields(log.Fields{
+		"reverse_proxy_id":   reverseProxyID,
+		"account_id":         accountID,
+		"status":             protoStatus,
+		"certificate_issued": certificateIssued,
+		"error_message":      req.GetErrorMessage(),
+	}).Debug("Status update from proxy")
+
+	if reverseProxyID == "" || accountID == "" {
+		return nil, status.Errorf(codes.InvalidArgument, "reverse_proxy_id and account_id are required")
+	}
+
+	if certificateIssued {
+		if err := s.reverseProxyManager.SetCertificateIssuedAt(ctx, accountID, reverseProxyID); err != nil {
+			log.WithContext(ctx).WithError(err).Error("Failed to set certificate issued timestamp")
+			return nil, status.Errorf(codes.Internal, "failed to update certificate timestamp: %v", err)
+		}
+		log.WithFields(log.Fields{
+			"reverse_proxy_id": reverseProxyID,
+			"account_id":       accountID,
+		}).Info("Certificate issued timestamp updated")
+	}
+
+	internalStatus := protoStatusToInternal(protoStatus)
+
+	if err := s.reverseProxyManager.SetStatus(ctx, accountID, reverseProxyID, internalStatus); err != nil {
+		log.WithContext(ctx).WithError(err).Error("Failed to set proxy status")
+		return nil, status.Errorf(codes.Internal, "failed to update proxy status: %v", err)
+	}
+
+	log.WithFields(log.Fields{
+		"reverse_proxy_id": reverseProxyID,
+		"account_id":       accountID,
+		"status":           internalStatus,
+	}).Info("Proxy status updated")
+
+	return &proto.SendStatusUpdateResponse{}, nil
+}
+
+// protoStatusToInternal maps proto status to internal status
+func protoStatusToInternal(protoStatus proto.ProxyStatus) reverseproxy.ProxyStatus {
+	switch protoStatus {
+	case proto.ProxyStatus_PROXY_STATUS_PENDING:
+		return reverseproxy.StatusPending
+	case proto.ProxyStatus_PROXY_STATUS_ACTIVE:
+		return reverseproxy.StatusActive
+	case proto.ProxyStatus_PROXY_STATUS_TUNNEL_NOT_CREATED:
+		return reverseproxy.StatusTunnelNotCreated
+	case proto.ProxyStatus_PROXY_STATUS_CERTIFICATE_PENDING:
+		return reverseproxy.StatusCertificatePending
+	case proto.ProxyStatus_PROXY_STATUS_CERTIFICATE_FAILED:
+		return reverseproxy.StatusCertificateFailed
+	case proto.ProxyStatus_PROXY_STATUS_ERROR:
+		return reverseproxy.StatusError
+	default:
+		return reverseproxy.StatusError
+	}
+}
+
+// CreateProxyPeer handles proxy peer creation with one-time token authentication
+func (s *ProxyServiceServer) CreateProxyPeer(ctx context.Context, req *proto.CreateProxyPeerRequest) (*proto.CreateProxyPeerResponse, error) {
+	reverseProxyID := req.GetReverseProxyId()
+	accountID := req.GetAccountId()
+	token := req.GetToken()
+	cluster := req.GetCluster()
+	key := req.WireguardPublicKey
+
+	log.WithFields(log.Fields{
+		"reverse_proxy_id": reverseProxyID,
+		"account_id":       accountID,
+		"cluster":          cluster,
+	}).Debug("CreateProxyPeer request received")
+
+	if reverseProxyID == "" || accountID == "" || token == "" {
+		log.Warn("CreateProxyPeer: missing required fields")
+		return &proto.CreateProxyPeerResponse{
+			Success:      false,
+			ErrorMessage: strPtr("missing required fields: reverse_proxy_id, account_id, and token are required"),
+		}, nil
+	}
+
+	if err := s.tokenStore.ValidateAndConsume(token, accountID, reverseProxyID); err != nil {
+		log.WithFields(log.Fields{
+			"reverse_proxy_id": reverseProxyID,
+			"account_id":       accountID,
+		}).WithError(err).Warn("CreateProxyPeer: token validation failed")
+		return &proto.CreateProxyPeerResponse{
+			Success:      false,
+			ErrorMessage: strPtr("authentication failed: invalid or expired token"),
+		}, status.Errorf(codes.Unauthenticated, "token validation failed: %v", err)
+	}
+
+	err := s.peersManager.CreateProxyPeer(ctx, accountID, key, cluster)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"reverse_proxy_id": reverseProxyID,
+			"account_id":       accountID,
+		}).WithError(err).Error("CreateProxyPeer: failed to create proxy peer")
+		return &proto.CreateProxyPeerResponse{
+			Success:      false,
+			ErrorMessage: strPtr(fmt.Sprintf("failed to create proxy peer: %v", err)),
+		}, status.Errorf(codes.Internal, "failed to create proxy peer: %v", err)
+	}
+
+	return &proto.CreateProxyPeerResponse{
+		Success: true,
+	}, nil
+}
+
+// strPtr is a helper to create a string pointer for optional proto fields
+func strPtr(s string) *string {
+	return &s
+}
+
+func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCURLRequest) (*proto.GetOIDCURLResponse, error) {
+	redirectURL, err := url.Parse(req.GetRedirectUrl())
+	if err != nil {
+		// TODO: log
+		return nil, status.Errorf(codes.InvalidArgument, "failed to parse redirect url: %v", err)
+	}
+	// Validate redirectURL against known proxy endpoints to avoid abuse of OIDC redirection.
+	proxies, err := s.reverseProxyManager.GetAccountReverseProxies(ctx, req.GetAccountId())
+	if err != nil {
+		// TODO: log
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to get reverse proxy from store: %v", err)
+	}
+	var found bool
+	for _, proxy := range proxies {
+		if proxy.Domain == redirectURL.Hostname() {
+			found = true
+			break
+		}
+	}
+	if !found {
+		// TODO: log
+		return nil, status.Errorf(codes.FailedPrecondition, "reverse proxy not found in store")
+	}
+
+	provider, err := oidc.NewProvider(ctx, s.oidcConfig.Issuer)
+	if err != nil {
+		// TODO: log
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to create OIDC provider: %v", err)
+	}
+
+	scopes := s.oidcConfig.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{oidc.ScopeOpenID, "profile", "email"}
+	}
+
+	// Using an HMAC here to avoid redirection state being modified.
+	// State format: base64(redirectURL)|hmac
+	hmacSum := s.generateHMAC(redirectURL.String())
+	state := fmt.Sprintf("%s|%s", base64.URLEncoding.EncodeToString([]byte(redirectURL.String())), hmacSum)
+
+	codeVerifier := oauth2.GenerateVerifier()
+	s.pkceVerifiers.Store(state, codeVerifier)
+
+	return &proto.GetOIDCURLResponse{
+		Url: (&oauth2.Config{
+			ClientID:    s.oidcConfig.ClientID,
+			Endpoint:    provider.Endpoint(),
+			RedirectURL: s.oidcConfig.CallbackURL,
+			Scopes:      scopes,
+		}).AuthCodeURL(state, oauth2.S256ChallengeOption(codeVerifier)),
+	}, nil
+}
+
+// GetOIDCConfig returns the OIDC configuration for token validation.
+func (s *ProxyServiceServer) GetOIDCConfig() ProxyOIDCConfig {
+	return s.oidcConfig
+}
+
+// GetOIDCValidationConfig returns the OIDC configuration for token validation
+// in the format needed by ToProtoMapping.
+func (s *ProxyServiceServer) GetOIDCValidationConfig() reverseproxy.OIDCValidationConfig {
+	return reverseproxy.OIDCValidationConfig{
+		Issuer:             s.oidcConfig.Issuer,
+		Audiences:          []string{s.oidcConfig.Audience},
+		KeysLocation:       s.oidcConfig.KeysLocation,
+		MaxTokenAgeSeconds: 0, // No max token age by default
+	}
+}
+
+func (s *ProxyServiceServer) generateHMAC(input string) string {
+	mac := hmac.New(sha256.New, s.oidcConfig.HMACKey)
+	mac.Write([]byte(input))
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+// ValidateState validates the state parameter from an OAuth callback.
+// Returns the original redirect URL if valid, or an error if invalid.
+func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL string, err error) {
+	v, ok := s.pkceVerifiers.LoadAndDelete(state)
+	if !ok {
+		return "", "", errors.New("no verifier for state")
+	}
+	verifier, ok = v.(string)
+	if !ok {
+		return "", "", errors.New("invalid verifier for state")
+	}
+
+	parts := strings.Split(state, "|")
+	if len(parts) != 2 {
+		return "", "", errors.New("invalid state format")
+	}
+
+	encodedURL := parts[0]
+	providedHMAC := parts[1]
+
+	redirectURLBytes, err := base64.URLEncoding.DecodeString(encodedURL)
+	if err != nil {
+		return "", "", fmt.Errorf("invalid state encoding: %w", err)
+	}
+	redirectURL = string(redirectURLBytes)
+
+	expectedHMAC := s.generateHMAC(redirectURL)
+
+	if !hmac.Equal([]byte(providedHMAC), []byte(expectedHMAC)) {
+		return "", "", fmt.Errorf("invalid state signature")
+	}
+
+	return verifier, redirectURL, nil
+}
+
+// GenerateSessionToken creates a signed session JWT for the given domain and user.
+func (s *ProxyServiceServer) GenerateSessionToken(ctx context.Context, domain, userID string, method proxyauth.Method) (string, error) {
+	// Find the proxy by domain to get its signing key
+	proxies, err := s.reverseProxyManager.GetGlobalReverseProxies(ctx)
+	if err != nil {
+		return "", fmt.Errorf("get reverse proxies: %w", err)
+	}
+
+	var proxy *reverseproxy.ReverseProxy
+	for _, p := range proxies {
+		if p.Domain == domain {
+			proxy = p
+			break
+		}
+	}
+	if proxy == nil {
+		return "", fmt.Errorf("reverse proxy not found for domain: %s", domain)
+	}
+
+	if proxy.SessionPrivateKey == "" {
+		return "", fmt.Errorf("no session key configured for domain: %s", domain)
+	}
+
+	return sessionkey.SignToken(
+		proxy.SessionPrivateKey,
+		userID,
+		domain,
+		method,
+		proxyauth.DefaultSessionExpiry,
+	)
+}
+
+// ValidateUserGroupAccess checks if a user has access to a reverse proxy.
+// It looks up the proxy within the user's account only, then optionally checks
+// group membership if BearerAuth with DistributionGroups is configured.
+func (s *ProxyServiceServer) ValidateUserGroupAccess(ctx context.Context, domain, userID string) error {
+	user, err := s.usersManager.GetUser(ctx, userID)
+	if err != nil {
+		return fmt.Errorf("user not found: %s", userID)
+	}
+
+	proxy, err := s.getAccountProxyByDomain(ctx, user.AccountID, domain)
+	if err != nil {
+		return err
+	}
+
+	if proxy.Auth.BearerAuth == nil || !proxy.Auth.BearerAuth.Enabled {
+		return nil
+	}
+
+	allowedGroups := proxy.Auth.BearerAuth.DistributionGroups
+	if len(allowedGroups) == 0 {
+		return nil
+	}
+
+	allowedSet := make(map[string]bool, len(allowedGroups))
+	for _, groupID := range allowedGroups {
+		allowedSet[groupID] = true
+	}
+
+	for _, groupID := range user.AutoGroups {
+		if allowedSet[groupID] {
+			log.WithFields(log.Fields{
+				"user_id":  user.Id,
+				"group_id": groupID,
+				"domain":   domain,
+			}).Debug("User granted access via group membership")
+			return nil
+		}
+	}
+
+	return fmt.Errorf("user %s not in allowed groups for domain %s", user.Id, domain)
+}
+
+func (s *ProxyServiceServer) getAccountProxyByDomain(ctx context.Context, accountID, domain string) (*reverseproxy.ReverseProxy, error) {
+	proxies, err := s.reverseProxyManager.GetAccountReverseProxies(ctx, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("get account reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		if proxy.Domain == domain {
+			return proxy, nil
+		}
+	}
+
+	return nil, fmt.Errorf("reverse proxy not found for domain %s in account %s", domain, accountID)
+}
+
+// ValidateSession validates a session token and checks if the user has access to the domain.
+func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.ValidateSessionRequest) (*proto.ValidateSessionResponse, error) {
+	domain := req.GetDomain()
+	sessionToken := req.GetSessionToken()
+
+	if domain == "" || sessionToken == "" {
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			DeniedReason: "missing domain or session_token",
+		}, nil
+	}
+
+	proxy, err := s.getProxyByDomain(ctx, domain)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"domain": domain,
+			"error":  err.Error(),
+		}).Debug("ValidateSession: proxy not found")
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			DeniedReason: "proxy_not_found",
+		}, nil
+	}
+
+	pubKeyBytes, err := base64.StdEncoding.DecodeString(proxy.SessionPublicKey)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"domain": domain,
+			"error":  err.Error(),
+		}).Error("ValidateSession: decode public key")
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			DeniedReason: "invalid_proxy_config",
+		}, nil
+	}
+
+	userID, _, err := proxyauth.ValidateSessionJWT(sessionToken, domain, pubKeyBytes)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"domain": domain,
+			"error":  err.Error(),
+		}).Debug("ValidateSession: invalid session token")
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			DeniedReason: "invalid_token",
+		}, nil
+	}
+
+	user, err := s.usersManager.GetUser(ctx, userID)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"domain":  domain,
+			"user_id": userID,
+			"error":   err.Error(),
+		}).Debug("ValidateSession: user not found")
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			DeniedReason: "user_not_found",
+		}, nil
+	}
+
+	if user.AccountID != proxy.AccountID {
+		log.WithFields(log.Fields{
+			"domain":        domain,
+			"user_id":       userID,
+			"user_account":  user.AccountID,
+			"proxy_account": proxy.AccountID,
+		}).Debug("ValidateSession: user account mismatch")
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			DeniedReason: "account_mismatch",
+		}, nil
+	}
+
+	if err := s.checkGroupAccess(proxy, user); err != nil {
+		log.WithFields(log.Fields{
+			"domain":  domain,
+			"user_id": userID,
+			"error":   err.Error(),
+		}).Debug("ValidateSession: access denied")
+		return &proto.ValidateSessionResponse{
+			Valid:        false,
+			UserId:       user.Id,
+			UserEmail:    user.Email,
+			DeniedReason: "not_in_group",
+		}, nil
+	}
+
+	log.WithFields(log.Fields{
+		"domain":  domain,
+		"user_id": userID,
+		"email":   user.Email,
+	}).Debug("ValidateSession: access granted")
+
+	return &proto.ValidateSessionResponse{
+		Valid:     true,
+		UserId:    user.Id,
+		UserEmail: user.Email,
+	}, nil
+}
+
+func (s *ProxyServiceServer) getProxyByDomain(ctx context.Context, domain string) (*reverseproxy.ReverseProxy, error) {
+	proxies, err := s.reverseProxyManager.GetGlobalReverseProxies(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		if proxy.Domain == domain {
+			return proxy, nil
+		}
+	}
+
+	return nil, fmt.Errorf("reverse proxy not found for domain: %s", domain)
+}
+
+func (s *ProxyServiceServer) checkGroupAccess(proxy *reverseproxy.ReverseProxy, user *types.User) error {
+	if proxy.Auth.BearerAuth == nil || !proxy.Auth.BearerAuth.Enabled {
+		return nil
+	}
+
+	allowedGroups := proxy.Auth.BearerAuth.DistributionGroups
+	if len(allowedGroups) == 0 {
+		return nil
+	}
+
+	allowedSet := make(map[string]bool, len(allowedGroups))
+	for _, groupID := range allowedGroups {
+		allowedSet[groupID] = true
+	}
+
+	for _, groupID := range user.AutoGroups {
+		if allowedSet[groupID] {
+			return nil
+		}
+	}
+
+	return fmt.Errorf("user not in allowed groups")
+}

management/internals/shared/grpc/proxy_auth.go

@@ -0,0 +1,234 @@
+package grpc
+
+import (
+	"context"
+	"strings"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+const (
+	// lastUsedUpdateInterval is the minimum interval between last_used updates for the same token.
+	lastUsedUpdateInterval = time.Minute
+	// lastUsedCleanupInterval is how often stale lastUsed entries are removed.
+	lastUsedCleanupInterval = 2 * time.Minute
+)
+
+type proxyTokenContextKey struct{}
+
+// ProxyTokenContextKey is the typed key used to store validated token info in context.
+var ProxyTokenContextKey = proxyTokenContextKey{}
+
+// proxyTokenID identifies a proxy access token by its database ID.
+type proxyTokenID = string
+
+// proxyTokenStore defines the store interface needed for token validation
+type proxyTokenStore interface {
+	GetProxyAccessTokenByHashedToken(ctx context.Context, lockStrength store.LockingStrength, hashedToken types.HashedProxyToken) (*types.ProxyAccessToken, error)
+	MarkProxyAccessTokenUsed(ctx context.Context, tokenID string) error
+}
+
+// proxyAuthInterceptor holds state for proxy authentication interceptors.
+type proxyAuthInterceptor struct {
+	store          proxyTokenStore
+	failureLimiter *authFailureLimiter
+
+	// lastUsedMu protects lastUsedTimes
+	lastUsedMu    sync.Mutex
+	lastUsedTimes map[proxyTokenID]time.Time
+	cancel        context.CancelFunc
+}
+
+func newProxyAuthInterceptor(tokenStore proxyTokenStore) *proxyAuthInterceptor {
+	ctx, cancel := context.WithCancel(context.Background())
+	i := &proxyAuthInterceptor{
+		store:          tokenStore,
+		failureLimiter: newAuthFailureLimiter(),
+		lastUsedTimes:  make(map[proxyTokenID]time.Time),
+		cancel:         cancel,
+	}
+	go i.lastUsedCleanupLoop(ctx)
+	return i
+}
+
+// NewProxyAuthInterceptors creates gRPC unary and stream interceptors that validate proxy access tokens.
+// They only intercept ProxyService methods. Both interceptors share state for last-used and failure rate limiting.
+// The returned close function must be called on shutdown to stop background goroutines.
+func NewProxyAuthInterceptors(tokenStore proxyTokenStore) (grpc.UnaryServerInterceptor, grpc.StreamServerInterceptor, func()) {
+	interceptor := newProxyAuthInterceptor(tokenStore)
+
+	unary := func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+		if !strings.HasPrefix(info.FullMethod, "/management.ProxyService/") {
+			return handler(ctx, req)
+		}
+
+		token, err := interceptor.validateProxyToken(ctx)
+		if err != nil {
+			// Log auth failures explicitly; gRPC doesn't log these by default.
+			log.WithContext(ctx).Warnf("proxy auth failed: %v", err)
+			return nil, err
+		}
+
+		ctx = context.WithValue(ctx, ProxyTokenContextKey, token)
+		return handler(ctx, req)
+	}
+
+	stream := func(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		if !strings.HasPrefix(info.FullMethod, "/management.ProxyService/") {
+			return handler(srv, ss)
+		}
+
+		token, err := interceptor.validateProxyToken(ss.Context())
+		if err != nil {
+			// Log auth failures explicitly; gRPC doesn't log these by default.
+			log.WithContext(ss.Context()).Warnf("proxy auth failed: %v", err)
+			return err
+		}
+
+		ctx := context.WithValue(ss.Context(), ProxyTokenContextKey, token)
+		wrapped := &wrappedServerStream{
+			ServerStream: ss,
+			ctx:          ctx,
+		}
+
+		return handler(srv, wrapped)
+	}
+
+	return unary, stream, interceptor.close
+}
+
+func (i *proxyAuthInterceptor) validateProxyToken(ctx context.Context) (*types.ProxyAccessToken, error) {
+	clientIP := peerIPFromContext(ctx)
+
+	if clientIP != "" && i.failureLimiter.isLimited(clientIP) {
+		return nil, status.Errorf(codes.ResourceExhausted, "too many failed authentication attempts")
+	}
+
+	token, err := i.doValidateProxyToken(ctx)
+	if err != nil {
+		if clientIP != "" {
+			i.failureLimiter.recordFailure(clientIP)
+		}
+		return nil, err
+	}
+
+	i.maybeUpdateLastUsed(ctx, token.ID)
+
+	return token, nil
+}
+
+func (i *proxyAuthInterceptor) doValidateProxyToken(ctx context.Context) (*types.ProxyAccessToken, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, status.Errorf(codes.Unauthenticated, "missing metadata")
+	}
+
+	authValues := md.Get("authorization")
+	if len(authValues) == 0 {
+		return nil, status.Errorf(codes.Unauthenticated, "missing authorization header")
+	}
+
+	authValue := authValues[0]
+	if !strings.HasPrefix(authValue, "Bearer ") {
+		return nil, status.Errorf(codes.Unauthenticated, "invalid authorization format")
+	}
+
+	plainToken := types.PlainProxyToken(strings.TrimPrefix(authValue, "Bearer "))
+
+	if err := plainToken.Validate(); err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "invalid token format")
+	}
+
+	token, err := i.store.GetProxyAccessTokenByHashedToken(ctx, store.LockingStrengthNone, plainToken.Hash())
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "invalid token")
+	}
+
+	// TODO: Enforce AccountID scope for "bring your own proxy" feature.
+	// Currently tokens are management-wide; AccountID field is reserved for future use.
+
+	if !token.IsValid() {
+		return nil, status.Errorf(codes.Unauthenticated, "token expired or revoked")
+	}
+
+	return token, nil
+}
+
+// maybeUpdateLastUsed updates the last_used timestamp if enough time has passed since the last update.
+func (i *proxyAuthInterceptor) maybeUpdateLastUsed(ctx context.Context, tokenID string) {
+	now := time.Now()
+
+	i.lastUsedMu.Lock()
+	lastUpdate, exists := i.lastUsedTimes[tokenID]
+	if exists && now.Sub(lastUpdate) < lastUsedUpdateInterval {
+		i.lastUsedMu.Unlock()
+		return
+	}
+	i.lastUsedTimes[tokenID] = now
+	i.lastUsedMu.Unlock()
+
+	if err := i.store.MarkProxyAccessTokenUsed(ctx, tokenID); err != nil {
+		log.WithContext(ctx).Debugf("failed to mark proxy token as used: %v", err)
+	}
+}
+
+func (i *proxyAuthInterceptor) lastUsedCleanupLoop(ctx context.Context) {
+	ticker := time.NewTicker(lastUsedCleanupInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			i.cleanupStaleLastUsed()
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+// cleanupStaleLastUsed removes entries older than 2x the update interval.
+func (i *proxyAuthInterceptor) cleanupStaleLastUsed() {
+	i.lastUsedMu.Lock()
+	defer i.lastUsedMu.Unlock()
+
+	now := time.Now()
+	staleThreshold := 2 * lastUsedUpdateInterval
+	for id, lastUpdate := range i.lastUsedTimes {
+		if now.Sub(lastUpdate) > staleThreshold {
+			delete(i.lastUsedTimes, id)
+		}
+	}
+}
+
+func (i *proxyAuthInterceptor) close() {
+	i.cancel()
+	i.failureLimiter.stop()
+}
+
+// GetProxyTokenFromContext retrieves the validated proxy token from the context
+func GetProxyTokenFromContext(ctx context.Context) *types.ProxyAccessToken {
+	token, ok := ctx.Value(ProxyTokenContextKey).(*types.ProxyAccessToken)
+	if !ok {
+		return nil
+	}
+	return token
+}
+
+// wrappedServerStream wraps a grpc.ServerStream to provide a custom context
+type wrappedServerStream struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+func (w *wrappedServerStream) Context() context.Context {
+	return w.ctx
+}

management/internals/shared/grpc/proxy_auth_ratelimit.go

@@ -0,0 +1,134 @@
+package grpc
+
+import (
+	"context"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
+	"golang.org/x/time/rate"
+	"google.golang.org/grpc/peer"
+)
+
+const (
+	// proxyAuthFailureBurst is the maximum number of failed attempts before rate limiting kicks in.
+	proxyAuthFailureBurst = 5
+	// proxyAuthLimiterCleanup is how often stale limiters are removed.
+	proxyAuthLimiterCleanup = 5 * time.Minute
+	// proxyAuthLimiterTTL is how long a limiter is kept after the last failure.
+	proxyAuthLimiterTTL = 15 * time.Minute
+)
+
+// defaultProxyAuthFailureRate is the token replenishment rate for failed auth attempts.
+// One token every 12 seconds = 5 per minute.
+var defaultProxyAuthFailureRate = rate.Every(12 * time.Second)
+
+// clientIP identifies a client by its IP address for rate limiting purposes.
+type clientIP = string
+
+type limiterEntry struct {
+	limiter    *rate.Limiter
+	lastAccess time.Time
+}
+
+// authFailureLimiter tracks per-IP rate limits for failed proxy authentication attempts.
+type authFailureLimiter struct {
+	mu          sync.Mutex
+	limiters    map[clientIP]*limiterEntry
+	failureRate rate.Limit
+	cancel      context.CancelFunc
+}
+
+func newAuthFailureLimiter() *authFailureLimiter {
+	return newAuthFailureLimiterWithRate(defaultProxyAuthFailureRate)
+}
+
+func newAuthFailureLimiterWithRate(failureRate rate.Limit) *authFailureLimiter {
+	ctx, cancel := context.WithCancel(context.Background())
+	l := &authFailureLimiter{
+		limiters:    make(map[clientIP]*limiterEntry),
+		failureRate: failureRate,
+		cancel:      cancel,
+	}
+	go l.cleanupLoop(ctx)
+	return l
+}
+
+// isLimited returns true if the given IP has exhausted its failure budget.
+func (l *authFailureLimiter) isLimited(ip clientIP) bool {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	entry, exists := l.limiters[ip]
+	if !exists {
+		return false
+	}
+
+	return entry.limiter.Tokens() < 1
+}
+
+// recordFailure consumes a token from the rate limiter for the given IP.
+func (l *authFailureLimiter) recordFailure(ip clientIP) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	now := time.Now()
+	entry, exists := l.limiters[ip]
+	if !exists {
+		entry = &limiterEntry{
+			limiter: rate.NewLimiter(l.failureRate, proxyAuthFailureBurst),
+		}
+		l.limiters[ip] = entry
+	}
+	entry.lastAccess = now
+	entry.limiter.Allow()
+}
+
+func (l *authFailureLimiter) cleanupLoop(ctx context.Context) {
+	ticker := time.NewTicker(proxyAuthLimiterCleanup)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			l.cleanup()
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+func (l *authFailureLimiter) cleanup() {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	now := time.Now()
+	for ip, entry := range l.limiters {
+		if now.Sub(entry.lastAccess) > proxyAuthLimiterTTL {
+			delete(l.limiters, ip)
+		}
+	}
+}
+
+func (l *authFailureLimiter) stop() {
+	l.cancel()
+}
+
+// peerIPFromContext extracts the client IP from the gRPC context.
+// Uses realip (from trusted proxy headers) first, falls back to the transport peer address.
+func peerIPFromContext(ctx context.Context) clientIP {
+	if addr, ok := realip.FromContext(ctx); ok {
+		return addr.String()
+	}
+
+	if p, ok := peer.FromContext(ctx); ok {
+		host, _, err := net.SplitHostPort(p.Addr.String())
+		if err != nil {
+			return p.Addr.String()
+		}
+		return host
+	}
+
+	return ""
+}

management/internals/shared/grpc/proxy_auth_ratelimit_test.go

@@ -0,0 +1,98 @@
+package grpc
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/time/rate"
+)
+
+func TestAuthFailureLimiter_NotLimitedInitially(t *testing.T) {
+	l := newAuthFailureLimiter()
+	defer l.stop()
+
+	assert.False(t, l.isLimited("192.168.1.1"), "new IP should not be rate limited")
+}
+
+func TestAuthFailureLimiter_LimitedAfterBurst(t *testing.T) {
+	l := newAuthFailureLimiter()
+	defer l.stop()
+
+	ip := "192.168.1.1"
+	for i := 0; i < proxyAuthFailureBurst; i++ {
+		l.recordFailure(ip)
+	}
+
+	assert.True(t, l.isLimited(ip), "IP should be limited after exhausting burst")
+}
+
+func TestAuthFailureLimiter_DifferentIPsIndependent(t *testing.T) {
+	l := newAuthFailureLimiter()
+	defer l.stop()
+
+	for i := 0; i < proxyAuthFailureBurst; i++ {
+		l.recordFailure("192.168.1.1")
+	}
+
+	assert.True(t, l.isLimited("192.168.1.1"))
+	assert.False(t, l.isLimited("192.168.1.2"), "different IP should not be affected")
+}
+
+func TestAuthFailureLimiter_RecoveryOverTime(t *testing.T) {
+	l := newAuthFailureLimiterWithRate(rate.Limit(100)) // 100 tokens/sec for fast recovery
+	defer l.stop()
+
+	ip := "10.0.0.1"
+
+	// Exhaust burst
+	for i := 0; i < proxyAuthFailureBurst; i++ {
+		l.recordFailure(ip)
+	}
+	require.True(t, l.isLimited(ip))
+
+	// Wait for token replenishment
+	time.Sleep(50 * time.Millisecond)
+
+	assert.False(t, l.isLimited(ip), "should recover after tokens replenish")
+}
+
+func TestAuthFailureLimiter_Cleanup(t *testing.T) {
+	l := newAuthFailureLimiter()
+	defer l.stop()
+
+	l.recordFailure("10.0.0.1")
+
+	l.mu.Lock()
+	require.Len(t, l.limiters, 1)
+	// Backdate the entry so it looks stale
+	l.limiters["10.0.0.1"].lastAccess = time.Now().Add(-proxyAuthLimiterTTL - time.Minute)
+	l.mu.Unlock()
+
+	l.cleanup()
+
+	l.mu.Lock()
+	assert.Empty(t, l.limiters, "stale entries should be cleaned up")
+	l.mu.Unlock()
+}
+
+func TestAuthFailureLimiter_CleanupKeepsFresh(t *testing.T) {
+	l := newAuthFailureLimiter()
+	defer l.stop()
+
+	l.recordFailure("10.0.0.1")
+	l.recordFailure("10.0.0.2")
+
+	l.mu.Lock()
+	// Only backdate one entry
+	l.limiters["10.0.0.1"].lastAccess = time.Now().Add(-proxyAuthLimiterTTL - time.Minute)
+	l.mu.Unlock()
+
+	l.cleanup()
+
+	l.mu.Lock()
+	assert.Len(t, l.limiters, 1, "only stale entries should be removed")
+	assert.Contains(t, l.limiters, "10.0.0.2")
+	l.mu.Unlock()
+}

management/internals/shared/grpc/proxy_group_access_test.go

@@ -0,0 +1,381 @@
+package grpc
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+type mockReverseProxyManager struct {
+	proxiesByAccount map[string][]*reverseproxy.ReverseProxy
+	err              error
+}
+
+func (m *mockReverseProxyManager) GetAccountReverseProxies(ctx context.Context, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	if m.err != nil {
+		return nil, m.err
+	}
+	return m.proxiesByAccount[accountID], nil
+}
+
+func (m *mockReverseProxyManager) GetGlobalReverseProxies(ctx context.Context) ([]*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *mockReverseProxyManager) GetAllReverseProxies(ctx context.Context, accountID, userID string) ([]*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *mockReverseProxyManager) GetReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *mockReverseProxyManager) CreateReverseProxy(ctx context.Context, accountID, userID string, rp *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *mockReverseProxyManager) UpdateReverseProxy(ctx context.Context, accountID, userID string, rp *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *mockReverseProxyManager) DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error {
+	return nil
+}
+
+func (m *mockReverseProxyManager) SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error {
+	return nil
+}
+
+func (m *mockReverseProxyManager) SetStatus(ctx context.Context, accountID, reverseProxyID string, status reverseproxy.ProxyStatus) error {
+	return nil
+}
+
+func (m *mockReverseProxyManager) ReloadAllReverseProxiesForAccount(ctx context.Context, accountID string) error {
+	return nil
+}
+
+func (m *mockReverseProxyManager) ReloadReverseProxy(ctx context.Context, accountID, reverseProxyID string) error {
+	return nil
+}
+
+func (m *mockReverseProxyManager) GetProxyByID(ctx context.Context, accountID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *mockReverseProxyManager) GetProxyIDByTargetID(_ context.Context, _, _ string) (string, error) {
+	return "", nil
+}
+
+type mockUsersManager struct {
+	users map[string]*types.User
+	err   error
+}
+
+func (m *mockUsersManager) GetUser(ctx context.Context, userID string) (*types.User, error) {
+	if m.err != nil {
+		return nil, m.err
+	}
+	user, ok := m.users[userID]
+	if !ok {
+		return nil, errors.New("user not found")
+	}
+	return user, nil
+}
+
+func TestValidateUserGroupAccess(t *testing.T) {
+	tests := []struct {
+		name             string
+		domain           string
+		userID           string
+		proxiesByAccount map[string][]*reverseproxy.ReverseProxy
+		users            map[string]*types.User
+		proxyErr         error
+		userErr          error
+		expectErr        bool
+		expectErrMsg     string
+	}{
+		{
+			name:   "user not found",
+			domain: "app.example.com",
+			userID: "unknown-user",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{Domain: "app.example.com", AccountID: "account1"}},
+			},
+			users:        map[string]*types.User{},
+			expectErr:    true,
+			expectErrMsg: "user not found",
+		},
+		{
+			name:             "proxy not found in user's account",
+			domain:           "app.example.com",
+			userID:           "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr:    true,
+			expectErrMsg: "reverse proxy not found",
+		},
+		{
+			name:   "proxy exists in different account - not accessible",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account2": {{Domain: "app.example.com", AccountID: "account2"}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr:    true,
+			expectErrMsg: "reverse proxy not found",
+		},
+		{
+			name:   "no bearer auth configured - same account allows access",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{Domain: "app.example.com", AccountID: "account1", Auth: reverseproxy.AuthConfig{}}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr: false,
+		},
+		{
+			name:   "bearer auth disabled - same account allows access",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{
+					Domain:    "app.example.com",
+					AccountID: "account1",
+					Auth: reverseproxy.AuthConfig{
+						BearerAuth: &reverseproxy.BearerAuthConfig{Enabled: false},
+					},
+				}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr: false,
+		},
+		{
+			name:   "bearer auth enabled but no groups configured - same account allows access",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{
+					Domain:    "app.example.com",
+					AccountID: "account1",
+					Auth: reverseproxy.AuthConfig{
+						BearerAuth: &reverseproxy.BearerAuthConfig{
+							Enabled:            true,
+							DistributionGroups: []string{},
+						},
+					},
+				}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr: false,
+		},
+		{
+			name:   "user not in allowed groups",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{
+					Domain:    "app.example.com",
+					AccountID: "account1",
+					Auth: reverseproxy.AuthConfig{
+						BearerAuth: &reverseproxy.BearerAuthConfig{
+							Enabled:            true,
+							DistributionGroups: []string{"group1", "group2"},
+						},
+					},
+				}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1", AutoGroups: []string{"group3", "group4"}},
+			},
+			expectErr:    true,
+			expectErrMsg: "not in allowed groups",
+		},
+		{
+			name:   "user in one of the allowed groups - allow access",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{
+					Domain:    "app.example.com",
+					AccountID: "account1",
+					Auth: reverseproxy.AuthConfig{
+						BearerAuth: &reverseproxy.BearerAuthConfig{
+							Enabled:            true,
+							DistributionGroups: []string{"group1", "group2"},
+						},
+					},
+				}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1", AutoGroups: []string{"group2", "group3"}},
+			},
+			expectErr: false,
+		},
+		{
+			name:   "user in all allowed groups - allow access",
+			domain: "app.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{
+					Domain:    "app.example.com",
+					AccountID: "account1",
+					Auth: reverseproxy.AuthConfig{
+						BearerAuth: &reverseproxy.BearerAuthConfig{
+							Enabled:            true,
+							DistributionGroups: []string{"group1", "group2"},
+						},
+					},
+				}},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1", AutoGroups: []string{"group1", "group2", "group3"}},
+			},
+			expectErr: false,
+		},
+		{
+			name:             "proxy manager error",
+			domain:           "app.example.com",
+			userID:           "user1",
+			proxiesByAccount: nil,
+			proxyErr:         errors.New("database error"),
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr:    true,
+			expectErrMsg: "get account reverse proxies",
+		},
+		{
+			name:   "multiple proxies in account - finds correct one",
+			domain: "app2.example.com",
+			userID: "user1",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {
+					{Domain: "app1.example.com", AccountID: "account1"},
+					{Domain: "app2.example.com", AccountID: "account1", Auth: reverseproxy.AuthConfig{}},
+					{Domain: "app3.example.com", AccountID: "account1"},
+				},
+			},
+			users: map[string]*types.User{
+				"user1": {Id: "user1", AccountID: "account1"},
+			},
+			expectErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			server := &ProxyServiceServer{
+				reverseProxyManager: &mockReverseProxyManager{
+					proxiesByAccount: tt.proxiesByAccount,
+					err:              tt.proxyErr,
+				},
+				usersManager: &mockUsersManager{
+					users: tt.users,
+					err:   tt.userErr,
+				},
+			}
+
+			err := server.ValidateUserGroupAccess(context.Background(), tt.domain, tt.userID)
+
+			if tt.expectErr {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.expectErrMsg)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestGetAccountProxyByDomain(t *testing.T) {
+	tests := []struct {
+		name             string
+		accountID        string
+		domain           string
+		proxiesByAccount map[string][]*reverseproxy.ReverseProxy
+		err              error
+		expectProxy      bool
+		expectErr        bool
+	}{
+		{
+			name:      "proxy found",
+			accountID: "account1",
+			domain:    "app.example.com",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {
+					{Domain: "other.example.com", AccountID: "account1"},
+					{Domain: "app.example.com", AccountID: "account1"},
+				},
+			},
+			expectProxy: true,
+			expectErr:   false,
+		},
+		{
+			name:      "proxy not found in account",
+			accountID: "account1",
+			domain:    "unknown.example.com",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{
+				"account1": {{Domain: "app.example.com", AccountID: "account1"}},
+			},
+			expectProxy: false,
+			expectErr:   true,
+		},
+		{
+			name:             "empty proxy list for account",
+			accountID:        "account1",
+			domain:           "app.example.com",
+			proxiesByAccount: map[string][]*reverseproxy.ReverseProxy{},
+			expectProxy:      false,
+			expectErr:        true,
+		},
+		{
+			name:             "manager error",
+			accountID:        "account1",
+			domain:           "app.example.com",
+			proxiesByAccount: nil,
+			err:              errors.New("database error"),
+			expectProxy:      false,
+			expectErr:        true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			server := &ProxyServiceServer{
+				reverseProxyManager: &mockReverseProxyManager{
+					proxiesByAccount: tt.proxiesByAccount,
+					err:              tt.err,
+				},
+			}
+
+			proxy, err := server.getAccountProxyByDomain(context.Background(), tt.accountID, tt.domain)
+
+			if tt.expectErr {
+				require.Error(t, err)
+				assert.Nil(t, proxy)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, proxy)
+				assert.Equal(t, tt.domain, proxy.Domain)
+			}
+		})
+	}
+}

management/internals/shared/grpc/server.go

@@ -77,8 +77,9 @@ type Server struct {
 
 	oAuthConfigProvider idp.OAuthConfigProvider
 
-	syncSem atomic.Int32
-	syncLim int32
+	syncSem        atomic.Int32
+	syncLimEnabled bool
+	syncLim        int32
 }
 
 // NewServer creates a new Management server
@@ -108,6 +109,7 @@ func NewServer(
 	blockPeersWithSameConfig := strings.ToLower(os.Getenv(envBlockPeers)) == "true"
 
 	syncLim := int32(defaultSyncLim)
+	syncLimEnabled := true
 	if syncLimStr := os.Getenv(envConcurrentSyncs); syncLimStr != "" {
 		syncLimParsed, err := strconv.Atoi(syncLimStr)
 		if err != nil {
@@ -115,6 +117,9 @@ func NewServer(
 		} else {
 			//nolint:gosec
 			syncLim = int32(syncLimParsed)
+			if syncLim < 0 {
+				syncLimEnabled = false
+			}
 		}
 	}
 
@@ -134,7 +139,8 @@ func NewServer(
 
 		loginFilter: newLoginFilter(),
 
-		syncLim: syncLim,
+		syncLim:        syncLim,
+		syncLimEnabled: syncLimEnabled,
 	}, nil
 }
 
@@ -212,7 +218,7 @@ func (s *Server) Job(srv proto.ManagementService_JobServer) error {
 // Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and
 // notifies the connected peer of any updates (e.g. new peers under the same account)
 func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
-	if s.syncSem.Load() >= s.syncLim {
+	if s.syncLimEnabled && s.syncSem.Load() >= s.syncLim {
 		return status.Errorf(codes.ResourceExhausted, "too many concurrent sync requests, please try again later")
 	}
 	s.syncSem.Add(1)
@@ -294,7 +300,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	metahash := metaHash(peerMeta, realIP.String())
 	s.loginFilter.addLogin(peerKey.String(), metahash)
 
-	peer, netMap, postureChecks, dnsFwdPort, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP)
+	peer, netMap, postureChecks, dnsFwdPort, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP, reqStart)
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while syncing peer %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
@@ -305,7 +311,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while sending initial sync for %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
-		s.cancelPeerRoutines(ctx, accountID, peer)
+		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, reqStart)
 		return err
 	}
 
@@ -313,7 +319,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while notify peer connected for %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
-		s.cancelPeerRoutines(ctx, accountID, peer)
+		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, reqStart)
 		return err
 	}
 
@@ -330,7 +336,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 
 	s.syncSem.Add(-1)
 
-	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv)
+	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv, reqStart)
 }
 
 func (s *Server) handleHandshake(ctx context.Context, srv proto.ManagementService_JobServer) (wgtypes.Key, error) {
@@ -398,11 +404,20 @@ func (s *Server) sendJobsLoop(ctx context.Context, accountID string, peerKey wgt
 }
 
 // handleUpdates sends updates to the connected peer until the updates channel is closed.
-func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, updates chan *network_map.UpdateMessage, srv proto.ManagementService_SyncServer) error {
+// It implements a backpressure mechanism that sends the first update immediately,
+// then debounces subsequent rapid updates, ensuring only the latest update is sent
+// after a quiet period.
+func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, updates chan *network_map.UpdateMessage, srv proto.ManagementService_SyncServer, streamStartTime time.Time) error {
 	log.WithContext(ctx).Tracef("starting to handle updates for peer %s", peerKey.String())
+
+	// Create a debouncer for this peer connection
+	debouncer := NewUpdateDebouncer(1000 * time.Millisecond)
+	defer debouncer.Stop()
+
 	for {
 		select {
 		// condition when there are some updates
+		// todo set the updates channel size to 1
 		case update, open := <-updates:
 			if s.appMetrics != nil {
 				s.appMetrics.GRPCMetrics().UpdateChannelQueueLength(len(updates) + 1)
@@ -410,20 +425,38 @@ func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wg
 
 			if !open {
 				log.WithContext(ctx).Debugf("updates channel for peer %s was closed", peerKey.String())
-				s.cancelPeerRoutines(ctx, accountID, peer)
+				s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
 				return nil
 			}
+
 			log.WithContext(ctx).Debugf("received an update for peer %s", peerKey.String())
-			if err := s.sendUpdate(ctx, accountID, peerKey, peer, update, srv); err != nil {
-				log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
-				return err
+			if debouncer.ProcessUpdate(update) {
+				// Send immediately (first update or after quiet period)
+				if err := s.sendUpdate(ctx, accountID, peerKey, peer, update, srv, streamStartTime); err != nil {
+					log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
+					return err
+				}
+			}
+
+		// Timer expired - quiet period reached, send pending updates if any
+		case <-debouncer.TimerChannel():
+			pendingUpdates := debouncer.GetPendingUpdates()
+			if len(pendingUpdates) == 0 {
+				continue
+			}
+			log.WithContext(ctx).Debugf("sending %d debounced update(s) for peer %s", len(pendingUpdates), peerKey.String())
+			for _, pendingUpdate := range pendingUpdates {
+				if err := s.sendUpdate(ctx, accountID, peerKey, peer, pendingUpdate, srv, streamStartTime); err != nil {
+					log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
+					return err
+				}
 			}
 
 		// condition when client <-> server connection has been terminated
 		case <-srv.Context().Done():
 			// happens when connection drops, e.g. client disconnects
 			log.WithContext(ctx).Debugf("stream of peer %s has been closed", peerKey.String())
-			s.cancelPeerRoutines(ctx, accountID, peer)
+			s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
 			return srv.Context().Err()
 		}
 	}
@@ -431,16 +464,16 @@ func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wg
 
 // sendUpdate encrypts the update message using the peer key and the server's wireguard key,
 // then sends the encrypted message to the connected peer via the sync server.
-func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, update *network_map.UpdateMessage, srv proto.ManagementService_SyncServer) error {
+func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, update *network_map.UpdateMessage, srv proto.ManagementService_SyncServer, streamStartTime time.Time) error {
 	key, err := s.secretsManager.GetWGKey()
 	if err != nil {
-		s.cancelPeerRoutines(ctx, accountID, peer)
+		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
 		return status.Errorf(codes.Internal, "failed processing update message")
 	}
 
 	encryptedResp, err := encryption.EncryptMessage(peerKey, key, update.Update)
 	if err != nil {
-		s.cancelPeerRoutines(ctx, accountID, peer)
+		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
 		return status.Errorf(codes.Internal, "failed processing update message")
 	}
 	err = srv.Send(&proto.EncryptedMessage{
@@ -448,7 +481,7 @@ func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtyp
 		Body:     encryptedResp,
 	})
 	if err != nil {
-		s.cancelPeerRoutines(ctx, accountID, peer)
+		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
 		return status.Errorf(codes.Internal, "failed sending update message")
 	}
 	log.WithContext(ctx).Debugf("sent an update to peer %s", peerKey.String())
@@ -480,11 +513,15 @@ func (s *Server) sendJob(ctx context.Context, peerKey wgtypes.Key, job *job.Even
 	return nil
 }
 
-func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer) {
+func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
 	unlock := s.acquirePeerLockByUID(ctx, peer.Key)
 	defer unlock()
 
-	err := s.accountManager.OnPeerDisconnected(ctx, accountID, peer.Key)
+	s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, streamStartTime)
+}
+
+func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
+	err := s.accountManager.OnPeerDisconnected(ctx, accountID, peer.Key, streamStartTime)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to disconnect peer %s properly: %v", peer.Key, err)
 	}

management/internals/shared/grpc/token_mgr.go

@@ -242,7 +242,10 @@ func (m *TimeBasedAuthSecretsManager) pushNewTURNAndRelayTokens(ctx context.Cont
 	m.extendNetbirdConfig(ctx, peerID, accountID, update)
 
 	log.WithContext(ctx).Debugf("sending new TURN credentials to peer %s", peerID)
-	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{Update: update})
+	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{
+		Update:      update,
+		MessageType: network_map.MessageTypeControlConfig,
+	})
 }
 
 func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, accountID, peerID string) {
@@ -266,7 +269,10 @@ func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, ac
 	m.extendNetbirdConfig(ctx, peerID, accountID, update)
 
 	log.WithContext(ctx).Debugf("sending new relay credentials to peer %s", peerID)
-	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{Update: update})
+	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{
+		Update:      update,
+		MessageType: network_map.MessageTypeControlConfig,
+	})
 }
 
 func (m *TimeBasedAuthSecretsManager) extendNetbirdConfig(ctx context.Context, peerID, accountID string, update *proto.SyncResponse) {

management/internals/shared/grpc/update_debouncer.go

@@ -0,0 +1,103 @@
+package grpc
+
+import (
+	"time"
+
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
+)
+
+// UpdateDebouncer implements a backpressure mechanism that:
+// - Sends the first update immediately
+// - Coalesces rapid subsequent network map updates (only latest matters)
+// - Queues control/config updates (all must be delivered)
+// - Preserves the order of messages (important for control configs between network maps)
+// - Ensures pending updates are sent after a quiet period
+type UpdateDebouncer struct {
+	debounceInterval time.Duration
+	timer            *time.Timer
+	pendingUpdates   []*network_map.UpdateMessage // Queue that preserves order
+	timerC           <-chan time.Time
+}
+
+// NewUpdateDebouncer creates a new debouncer with the specified interval
+func NewUpdateDebouncer(interval time.Duration) *UpdateDebouncer {
+	return &UpdateDebouncer{
+		debounceInterval: interval,
+	}
+}
+
+// ProcessUpdate handles an incoming update and returns whether it should be sent immediately
+func (d *UpdateDebouncer) ProcessUpdate(update *network_map.UpdateMessage) bool {
+	if d.timer == nil {
+		// No active debounce timer, signal to send immediately
+		// and start the debounce period
+		d.startTimer()
+		return true
+	}
+
+	// Already in debounce period, accumulate this update preserving order
+	// Check if we should coalesce with the last pending update
+	if len(d.pendingUpdates) > 0 &&
+		update.MessageType == network_map.MessageTypeNetworkMap &&
+		d.pendingUpdates[len(d.pendingUpdates)-1].MessageType == network_map.MessageTypeNetworkMap {
+		// Replace the last network map with this one (coalesce consecutive network maps)
+		d.pendingUpdates[len(d.pendingUpdates)-1] = update
+	} else {
+		// Append to the queue (preserves order for control configs and non-consecutive network maps)
+		d.pendingUpdates = append(d.pendingUpdates, update)
+	}
+	d.resetTimer()
+	return false
+}
+
+// TimerChannel returns the timer channel for select statements
+func (d *UpdateDebouncer) TimerChannel() <-chan time.Time {
+	if d.timer == nil {
+		return nil
+	}
+	return d.timerC
+}
+
+// GetPendingUpdates returns and clears all pending updates after timer expiration.
+// Updates are returned in the order they were received, with consecutive network maps
+// already coalesced to only the latest one.
+// If there were pending updates, it restarts the timer to continue debouncing.
+// If there were no pending updates, it clears the timer (true quiet period).
+func (d *UpdateDebouncer) GetPendingUpdates() []*network_map.UpdateMessage {
+	updates := d.pendingUpdates
+	d.pendingUpdates = nil
+
+	if len(updates) > 0 {
+		// There were pending updates, so updates are still coming rapidly
+		// Restart the timer to continue debouncing mode
+		if d.timer != nil {
+			d.timer.Reset(d.debounceInterval)
+		}
+	} else {
+		// No pending updates means true quiet period - return to immediate mode
+		d.timer = nil
+		d.timerC = nil
+	}
+
+	return updates
+}
+
+// Stop stops the debouncer and cleans up resources
+func (d *UpdateDebouncer) Stop() {
+	if d.timer != nil {
+		d.timer.Stop()
+		d.timer = nil
+		d.timerC = nil
+	}
+	d.pendingUpdates = nil
+}
+
+func (d *UpdateDebouncer) startTimer() {
+	d.timer = time.NewTimer(d.debounceInterval)
+	d.timerC = d.timer.C
+}
+
+func (d *UpdateDebouncer) resetTimer() {
+	d.timer.Stop()
+	d.timer.Reset(d.debounceInterval)
+}

management/internals/shared/grpc/update_debouncer_test.go

@@ -0,0 +1,587 @@
+package grpc
+
+import (
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+func TestUpdateDebouncer_FirstUpdateSentImmediately(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	shouldSend := debouncer.ProcessUpdate(update)
+
+	if !shouldSend {
+		t.Error("First update should be sent immediately")
+	}
+
+	if debouncer.TimerChannel() == nil {
+		t.Error("Timer should be started after first update")
+	}
+}
+
+func TestUpdateDebouncer_RapidUpdatesCoalesced(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update3 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// First update should be sent immediately
+	if !debouncer.ProcessUpdate(update1) {
+		t.Error("First update should be sent immediately")
+	}
+
+	// Rapid subsequent updates should be coalesced
+	if debouncer.ProcessUpdate(update2) {
+		t.Error("Second rapid update should not be sent immediately")
+	}
+
+	if debouncer.ProcessUpdate(update3) {
+		t.Error("Third rapid update should not be sent immediately")
+	}
+
+	// Wait for debounce period
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		if len(pendingUpdates) != 1 {
+			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
+		}
+		if pendingUpdates[0] != update3 {
+			t.Error("Should get the last update (update3)")
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_LastUpdateAlwaysSent(t *testing.T) {
+	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// Send first update
+	debouncer.ProcessUpdate(update1)
+
+	// Send second update within debounce period
+	debouncer.ProcessUpdate(update2)
+
+	// Wait for timer
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		if len(pendingUpdates) != 1 {
+			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
+		}
+		if pendingUpdates[0] != update2 {
+			t.Error("Should get the last update")
+		}
+		if pendingUpdates[0] == update1 {
+			t.Error("Should not get the first update")
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_TimerResetOnNewUpdate(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update3 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// Send first update
+	debouncer.ProcessUpdate(update1)
+
+	// Wait a bit, but not the full debounce period
+	time.Sleep(30 * time.Millisecond)
+
+	// Send second update - should reset timer
+	debouncer.ProcessUpdate(update2)
+
+	// Wait a bit more
+	time.Sleep(30 * time.Millisecond)
+
+	// Send third update - should reset timer again
+	debouncer.ProcessUpdate(update3)
+
+	// Now wait for the timer (should fire after last update's reset)
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		if len(pendingUpdates) != 1 {
+			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
+		}
+		if pendingUpdates[0] != update3 {
+			t.Error("Should get the last update (update3)")
+		}
+		// Timer should be restarted since there was a pending update
+		if debouncer.TimerChannel() == nil {
+			t.Error("Timer should be restarted after sending pending update")
+		}
+	case <-time.After(150 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_TimerRestartsAfterPendingUpdateSent(t *testing.T) {
+	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update3 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// First update sent immediately
+	debouncer.ProcessUpdate(update1)
+
+	// Second update coalesced
+	debouncer.ProcessUpdate(update2)
+
+	// Wait for timer to expire
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+
+		if len(pendingUpdates) == 0 {
+			t.Fatal("Should have pending update")
+		}
+
+		// After sending pending update, timer is restarted, so next update is NOT immediate
+		if debouncer.ProcessUpdate(update3) {
+			t.Error("Update after debounced send should not be sent immediately (timer restarted)")
+		}
+
+		// Wait for the restarted timer and verify update3 is pending
+		select {
+		case <-debouncer.TimerChannel():
+			finalUpdates := debouncer.GetPendingUpdates()
+			if len(finalUpdates) != 1 || finalUpdates[0] != update3 {
+				t.Error("Should get update3 as pending")
+			}
+		case <-time.After(100 * time.Millisecond):
+			t.Error("Timer should have fired for restarted timer")
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_StopCleansUp(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+
+	update := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// Send update to start timer
+	debouncer.ProcessUpdate(update)
+
+	// Stop should clean up
+	debouncer.Stop()
+
+	// Multiple stops should be safe
+	debouncer.Stop()
+}
+
+func TestUpdateDebouncer_HighFrequencyUpdates(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	// Simulate high-frequency updates
+	var lastUpdate *network_map.UpdateMessage
+	sentImmediately := 0
+	for i := 0; i < 100; i++ {
+		update := &network_map.UpdateMessage{
+			Update: &proto.SyncResponse{
+				NetworkMap: &proto.NetworkMap{
+					Serial: uint64(i),
+				},
+			},
+			MessageType: network_map.MessageTypeNetworkMap,
+		}
+		lastUpdate = update
+		if debouncer.ProcessUpdate(update) {
+			sentImmediately++
+		}
+		time.Sleep(1 * time.Millisecond) // Very rapid updates
+	}
+
+	// Only first update should be sent immediately
+	if sentImmediately != 1 {
+		t.Errorf("Expected only 1 update sent immediately, got %d", sentImmediately)
+	}
+
+	// Wait for debounce period
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		if len(pendingUpdates) != 1 {
+			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
+		}
+		if pendingUpdates[0] != lastUpdate {
+			t.Error("Should get the very last update")
+		}
+		if pendingUpdates[0].Update.NetworkMap.Serial != 99 {
+			t.Errorf("Expected serial 99, got %d", pendingUpdates[0].Update.NetworkMap.Serial)
+		}
+	case <-time.After(200 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_NoUpdatesAfterFirst(t *testing.T) {
+	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// Send first update
+	if !debouncer.ProcessUpdate(update) {
+		t.Error("First update should be sent immediately")
+	}
+
+	// Wait for timer to expire with no additional updates (true quiet period)
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		if len(pendingUpdates) != 0 {
+			t.Error("Should have no pending updates")
+		}
+		// After true quiet period, timer should be cleared
+		if debouncer.TimerChannel() != nil {
+			t.Error("Timer should be cleared after quiet period")
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_IntermediateUpdatesDropped(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	updates := make([]*network_map.UpdateMessage, 5)
+	for i := range updates {
+		updates[i] = &network_map.UpdateMessage{
+			Update: &proto.SyncResponse{
+				NetworkMap: &proto.NetworkMap{
+					Serial: uint64(i),
+				},
+			},
+			MessageType: network_map.MessageTypeNetworkMap,
+		}
+	}
+
+	// First update sent immediately
+	debouncer.ProcessUpdate(updates[0])
+
+	// Send updates 1, 2, 3, 4 rapidly - only last one should remain pending
+	debouncer.ProcessUpdate(updates[1])
+	debouncer.ProcessUpdate(updates[2])
+	debouncer.ProcessUpdate(updates[3])
+	debouncer.ProcessUpdate(updates[4])
+
+	// Wait for debounce
+	<-debouncer.TimerChannel()
+	pendingUpdates := debouncer.GetPendingUpdates()
+
+	if len(pendingUpdates) != 1 {
+		t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
+	}
+	if pendingUpdates[0].Update.NetworkMap.Serial != 4 {
+		t.Errorf("Expected only the last update (serial 4), got serial %d", pendingUpdates[0].Update.NetworkMap.Serial)
+	}
+}
+
+func TestUpdateDebouncer_TrueQuietPeriodResetsToImmediateMode(t *testing.T) {
+	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
+	defer debouncer.Stop()
+
+	update1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	update2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+
+	// First update sent immediately
+	if !debouncer.ProcessUpdate(update1) {
+		t.Error("First update should be sent immediately")
+	}
+
+	// Wait for timer without sending any more updates (true quiet period)
+	<-debouncer.TimerChannel()
+	pendingUpdates := debouncer.GetPendingUpdates()
+
+	if len(pendingUpdates) != 0 {
+		t.Error("Should have no pending updates during quiet period")
+	}
+
+	// After true quiet period, next update should be sent immediately
+	if !debouncer.ProcessUpdate(update2) {
+		t.Error("Update after true quiet period should be sent immediately")
+	}
+}
+
+func TestUpdateDebouncer_ContinuousHighFrequencyStaysInDebounceMode(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	// Simulate continuous high-frequency updates
+	for i := 0; i < 10; i++ {
+		update := &network_map.UpdateMessage{
+			Update: &proto.SyncResponse{
+				NetworkMap: &proto.NetworkMap{
+					Serial: uint64(i),
+				},
+			},
+			MessageType: network_map.MessageTypeNetworkMap,
+		}
+
+		if i == 0 {
+			// First one sent immediately
+			if !debouncer.ProcessUpdate(update) {
+				t.Error("First update should be sent immediately")
+			}
+		} else {
+			// All others should be coalesced (not sent immediately)
+			if debouncer.ProcessUpdate(update) {
+				t.Errorf("Update %d should not be sent immediately", i)
+			}
+		}
+
+		// Wait a bit but send next update before debounce expires
+		time.Sleep(20 * time.Millisecond)
+	}
+
+	// Now wait for final debounce
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		if len(pendingUpdates) == 0 {
+			t.Fatal("Should have the last update pending")
+		}
+		if pendingUpdates[0].Update.NetworkMap.Serial != 9 {
+			t.Errorf("Expected serial 9, got %d", pendingUpdates[0].Update.NetworkMap.Serial)
+		}
+	case <-time.After(200 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_ControlConfigMessagesQueued(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	netmapUpdate := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 1}},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	tokenUpdate1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
+		MessageType: network_map.MessageTypeControlConfig,
+	}
+	tokenUpdate2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
+		MessageType: network_map.MessageTypeControlConfig,
+	}
+
+	// First update sent immediately
+	debouncer.ProcessUpdate(netmapUpdate)
+
+	// Send multiple control config updates - they should all be queued
+	debouncer.ProcessUpdate(tokenUpdate1)
+	debouncer.ProcessUpdate(tokenUpdate2)
+
+	// Wait for debounce period
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		// Should get both control config updates
+		if len(pendingUpdates) != 2 {
+			t.Errorf("Expected 2 control config updates, got %d", len(pendingUpdates))
+		}
+		// Control configs should come first
+		if pendingUpdates[0] != tokenUpdate1 {
+			t.Error("First pending update should be tokenUpdate1")
+		}
+		if pendingUpdates[1] != tokenUpdate2 {
+			t.Error("Second pending update should be tokenUpdate2")
+		}
+	case <-time.After(200 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_MixedMessageTypes(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	netmapUpdate1 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 1}},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	netmapUpdate2 := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 2}},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	tokenUpdate := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
+		MessageType: network_map.MessageTypeControlConfig,
+	}
+
+	// First update sent immediately
+	debouncer.ProcessUpdate(netmapUpdate1)
+
+	// Send token update and network map update
+	debouncer.ProcessUpdate(tokenUpdate)
+	debouncer.ProcessUpdate(netmapUpdate2)
+
+	// Wait for debounce period
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		// Should get 2 updates in order: token, then network map
+		if len(pendingUpdates) != 2 {
+			t.Errorf("Expected 2 pending updates, got %d", len(pendingUpdates))
+		}
+		// Token update should come first (preserves order)
+		if pendingUpdates[0] != tokenUpdate {
+			t.Error("First pending update should be tokenUpdate")
+		}
+		// Network map update should come second
+		if pendingUpdates[1] != netmapUpdate2 {
+			t.Error("Second pending update should be netmapUpdate2")
+		}
+	case <-time.After(200 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}
+
+func TestUpdateDebouncer_OrderPreservation(t *testing.T) {
+	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
+	defer debouncer.Stop()
+
+	// Simulate: 50 network maps -> 1 control config -> 50 network maps
+	// Expected result: 3 messages (netmap, controlConfig, netmap)
+
+	// Send first network map immediately
+	firstNetmap := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 0}},
+		MessageType: network_map.MessageTypeNetworkMap,
+	}
+	if !debouncer.ProcessUpdate(firstNetmap) {
+		t.Error("First update should be sent immediately")
+	}
+
+	// Send 49 more network maps (will be coalesced to last one)
+	var lastNetmapBatch1 *network_map.UpdateMessage
+	for i := 1; i < 50; i++ {
+		lastNetmapBatch1 = &network_map.UpdateMessage{
+			Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: uint64(i)}},
+			MessageType: network_map.MessageTypeNetworkMap,
+		}
+		debouncer.ProcessUpdate(lastNetmapBatch1)
+	}
+
+	// Send 1 control config
+	controlConfig := &network_map.UpdateMessage{
+		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
+		MessageType: network_map.MessageTypeControlConfig,
+	}
+	debouncer.ProcessUpdate(controlConfig)
+
+	// Send 50 more network maps (will be coalesced to last one)
+	var lastNetmapBatch2 *network_map.UpdateMessage
+	for i := 50; i < 100; i++ {
+		lastNetmapBatch2 = &network_map.UpdateMessage{
+			Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: uint64(i)}},
+			MessageType: network_map.MessageTypeNetworkMap,
+		}
+		debouncer.ProcessUpdate(lastNetmapBatch2)
+	}
+
+	// Wait for debounce period
+	select {
+	case <-debouncer.TimerChannel():
+		pendingUpdates := debouncer.GetPendingUpdates()
+		// Should get exactly 3 updates: netmap, controlConfig, netmap
+		if len(pendingUpdates) != 3 {
+			t.Errorf("Expected 3 pending updates, got %d", len(pendingUpdates))
+		}
+		// First should be the last netmap from batch 1
+		if pendingUpdates[0] != lastNetmapBatch1 {
+			t.Error("First pending update should be last netmap from batch 1")
+		}
+		if pendingUpdates[0].Update.NetworkMap.Serial != 49 {
+			t.Errorf("Expected serial 49, got %d", pendingUpdates[0].Update.NetworkMap.Serial)
+		}
+		// Second should be the control config
+		if pendingUpdates[1] != controlConfig {
+			t.Error("Second pending update should be control config")
+		}
+		// Third should be the last netmap from batch 2
+		if pendingUpdates[2] != lastNetmapBatch2 {
+			t.Error("Third pending update should be last netmap from batch 2")
+		}
+		if pendingUpdates[2].Update.NetworkMap.Serial != 99 {
+			t.Errorf("Expected serial 99, got %d", pendingUpdates[2].Update.NetworkMap.Serial)
+		}
+	case <-time.After(200 * time.Millisecond):
+		t.Error("Timer should have fired")
+	}
+}

management/internals/shared/grpc/validate_session_test.go

@@ -0,0 +1,304 @@
+//go:build integration
+
+package grpc
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/proxy/auth"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type validateSessionTestSetup struct {
+	proxyService *ProxyServiceServer
+	store        store.Store
+	cleanup      func()
+}
+
+func setupValidateSessionTest(t *testing.T) *validateSessionTestSetup {
+	t.Helper()
+
+	ctx := context.Background()
+	testStore, storeCleanup, err := store.NewTestStoreFromSQL(ctx, "../../../server/testdata/auth_callback.sql", t.TempDir())
+	require.NoError(t, err)
+
+	proxyManager := &testValidateSessionProxyManager{store: testStore}
+	usersManager := &testValidateSessionUsersManager{store: testStore}
+
+	proxyService := NewProxyServiceServer(nil, NewOneTimeTokenStore(time.Minute), ProxyOIDCConfig{}, nil, usersManager)
+	proxyService.SetProxyManager(proxyManager)
+
+	createTestProxies(t, ctx, testStore)
+
+	return &validateSessionTestSetup{
+		proxyService: proxyService,
+		store:        testStore,
+		cleanup:      storeCleanup,
+	}
+}
+
+func createTestProxies(t *testing.T, ctx context.Context, testStore store.Store) {
+	t.Helper()
+
+	pubKey, privKey := generateSessionKeyPair(t)
+
+	testProxy := &reverseproxy.ReverseProxy{
+		ID:                "testProxyId",
+		AccountID:         "testAccountId",
+		Name:              "Test Proxy",
+		Domain:            "test-proxy.example.com",
+		Enabled:           true,
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled: true,
+			},
+		},
+	}
+	require.NoError(t, testStore.CreateReverseProxy(ctx, testProxy))
+
+	restrictedProxy := &reverseproxy.ReverseProxy{
+		ID:                "restrictedProxyId",
+		AccountID:         "testAccountId",
+		Name:              "Restricted Proxy",
+		Domain:            "restricted-proxy.example.com",
+		Enabled:           true,
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled:            true,
+				DistributionGroups: []string{"allowedGroupId"},
+			},
+		},
+	}
+	require.NoError(t, testStore.CreateReverseProxy(ctx, restrictedProxy))
+}
+
+func generateSessionKeyPair(t *testing.T) (string, string) {
+	t.Helper()
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+	return base64.StdEncoding.EncodeToString(pub), base64.StdEncoding.EncodeToString(priv)
+}
+
+func createSessionToken(t *testing.T, privKeyB64, userID, domain string) string {
+	t.Helper()
+	token, err := sessionkey.SignToken(privKeyB64, userID, domain, auth.MethodOIDC, time.Hour)
+	require.NoError(t, err)
+	return token
+}
+
+func TestValidateSession_UserAllowed(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	proxy, err := setup.store.GetReverseProxyByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
+	require.NoError(t, err)
+
+	token := createSessionToken(t, proxy.SessionPrivateKey, "allowedUserId", "test-proxy.example.com")
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain:       "test-proxy.example.com",
+		SessionToken: token,
+	})
+
+	require.NoError(t, err)
+	assert.True(t, resp.Valid, "User should be allowed access")
+	assert.Equal(t, "allowedUserId", resp.UserId)
+	assert.Empty(t, resp.DeniedReason)
+}
+
+func TestValidateSession_UserNotInAllowedGroup(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	proxy, err := setup.store.GetReverseProxyByID(context.Background(), store.LockingStrengthNone, "testAccountId", "restrictedProxyId")
+	require.NoError(t, err)
+
+	token := createSessionToken(t, proxy.SessionPrivateKey, "nonGroupUserId", "restricted-proxy.example.com")
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain:       "restricted-proxy.example.com",
+		SessionToken: token,
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid, "User not in group should be denied")
+	assert.Equal(t, "not_in_group", resp.DeniedReason)
+	assert.Equal(t, "nonGroupUserId", resp.UserId)
+}
+
+func TestValidateSession_UserInDifferentAccount(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	proxy, err := setup.store.GetReverseProxyByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
+	require.NoError(t, err)
+
+	token := createSessionToken(t, proxy.SessionPrivateKey, "otherAccountUserId", "test-proxy.example.com")
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain:       "test-proxy.example.com",
+		SessionToken: token,
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid, "User in different account should be denied")
+	assert.Equal(t, "account_mismatch", resp.DeniedReason)
+}
+
+func TestValidateSession_UserNotFound(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	proxy, err := setup.store.GetReverseProxyByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
+	require.NoError(t, err)
+
+	token := createSessionToken(t, proxy.SessionPrivateKey, "nonExistentUserId", "test-proxy.example.com")
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain:       "test-proxy.example.com",
+		SessionToken: token,
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid, "Non-existent user should be denied")
+	assert.Equal(t, "user_not_found", resp.DeniedReason)
+}
+
+func TestValidateSession_ProxyNotFound(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	proxy, err := setup.store.GetReverseProxyByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
+	require.NoError(t, err)
+
+	token := createSessionToken(t, proxy.SessionPrivateKey, "allowedUserId", "unknown-proxy.example.com")
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain:       "unknown-proxy.example.com",
+		SessionToken: token,
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid, "Unknown proxy should be denied")
+	assert.Equal(t, "proxy_not_found", resp.DeniedReason)
+}
+
+func TestValidateSession_InvalidToken(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain:       "test-proxy.example.com",
+		SessionToken: "invalid-token",
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid, "Invalid token should be denied")
+	assert.Equal(t, "invalid_token", resp.DeniedReason)
+}
+
+func TestValidateSession_MissingDomain(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		SessionToken: "some-token",
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid)
+	assert.Contains(t, resp.DeniedReason, "missing")
+}
+
+func TestValidateSession_MissingToken(t *testing.T) {
+	setup := setupValidateSessionTest(t)
+	defer setup.cleanup()
+
+	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
+		Domain: "test-proxy.example.com",
+	})
+
+	require.NoError(t, err)
+	assert.False(t, resp.Valid)
+	assert.Contains(t, resp.DeniedReason, "missing")
+}
+
+type testValidateSessionProxyManager struct {
+	store store.Store
+}
+
+func (m *testValidateSessionProxyManager) GetAllReverseProxies(_ context.Context, _, _ string) ([]*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testValidateSessionProxyManager) GetReverseProxy(_ context.Context, _, _, _ string) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testValidateSessionProxyManager) CreateReverseProxy(_ context.Context, _, _ string, _ *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testValidateSessionProxyManager) UpdateReverseProxy(_ context.Context, _, _ string, _ *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testValidateSessionProxyManager) DeleteReverseProxy(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
+func (m *testValidateSessionProxyManager) SetCertificateIssuedAt(_ context.Context, _, _ string) error {
+	return nil
+}
+
+func (m *testValidateSessionProxyManager) SetStatus(_ context.Context, _, _ string, _ reverseproxy.ProxyStatus) error {
+	return nil
+}
+
+func (m *testValidateSessionProxyManager) ReloadAllReverseProxiesForAccount(_ context.Context, _ string) error {
+	return nil
+}
+
+func (m *testValidateSessionProxyManager) ReloadReverseProxy(_ context.Context, _, _ string) error {
+	return nil
+}
+
+func (m *testValidateSessionProxyManager) GetGlobalReverseProxies(ctx context.Context) ([]*reverseproxy.ReverseProxy, error) {
+	return m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
+}
+
+func (m *testValidateSessionProxyManager) GetProxyByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.ReverseProxy, error) {
+	return m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, proxyID)
+}
+
+func (m *testValidateSessionProxyManager) GetAccountReverseProxies(ctx context.Context, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	return m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+}
+
+func (m *testValidateSessionProxyManager) GetProxyIDByTargetID(_ context.Context, _, _ string) (string, error) {
+	return "", nil
+}
+
+type testValidateSessionUsersManager struct {
+	store store.Store
+}
+
+func (m *testValidateSessionUsersManager) GetUser(ctx context.Context, userID string) (*types.User, error) {
+	return m.store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
+}

management/server/account.go

@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/job"
 	"github.com/netbirdio/netbird/shared/auth"
 
@@ -26,7 +27,6 @@ import (
 	"golang.org/x/exp/maps"
 
 	nbdns "github.com/netbirdio/netbird/dns"
-	nbdomain "github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/formatter/hook"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
@@ -49,6 +49,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
+	nbdomain "github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -82,8 +83,9 @@ type DefaultAccountManager struct {
 
 	requestBuffer *AccountRequestBuffer
 
-	proxyController port_forwarding.Controller
-	settingsManager settings.Manager
+	proxyController     port_forwarding.Controller
+	settingsManager     settings.Manager
+	reverseProxyManager reverseproxy.Manager
 
 	// config contains the management server configuration
 	config *nbconfig.Config
@@ -113,6 +115,10 @@ type DefaultAccountManager struct {
 
 var _ account.Manager = (*DefaultAccountManager)(nil)
 
+func (am *DefaultAccountManager) SetReverseProxyManager(reverseProxyManager reverseproxy.Manager) {
+	am.reverseProxyManager = reverseProxyManager
+}
+
 func isUniqueConstraintError(err error) bool {
 	switch {
 	case strings.Contains(err.Error(), "(SQLSTATE 23505)"),
@@ -321,6 +327,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
+			if err = am.reverseProxyManager.ReloadAllReverseProxiesForAccount(ctx, accountID); err != nil {
+				log.WithContext(ctx).Warnf("failed to reload all reverse proxy for account %s: %v", accountID, err)
+			}
 			updateAccountPeers = true
 		}
 
@@ -795,6 +804,19 @@ func IsEmbeddedIdp(i idp.Manager) bool {
 	return ok
 }
 
+// IsLocalAuthDisabled checks if local (email/password) authentication is disabled.
+// Returns true only when using embedded IDP with local auth disabled in config.
+func IsLocalAuthDisabled(ctx context.Context, i idp.Manager) bool {
+	if isNil(i) {
+		return false
+	}
+	embeddedIdp, ok := i.(*idp.EmbeddedIdPManager)
+	if !ok {
+		return false
+	}
+	return embeddedIdp.IsLocalAuthDisabled()
+}
+
 // addAccountIDToIDPAppMeta update user's  app metadata in idp manager
 func (am *DefaultAccountManager) addAccountIDToIDPAppMeta(ctx context.Context, userID string, accountID string) error {
 	if !isNil(am.idpManager) && !IsEmbeddedIdp(am.idpManager) {
@@ -1657,13 +1679,13 @@ func domainIsUpToDate(domain string, domainCategory string, userAuth auth.UserAu
 	return domainCategory == types.PrivateCategory || userAuth.DomainCategory != types.PrivateCategory || domain != userAuth.Domain
 }
 
-func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
+func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	peer, netMap, postureChecks, dnsfwdPort, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, 0, fmt.Errorf("error syncing peer: %w", err)
 	}
 
-	err = am.MarkPeerConnected(ctx, peerPubKey, true, realIP, accountID)
+	err = am.MarkPeerConnected(ctx, peerPubKey, true, realIP, accountID, syncTime)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as connected %s %v", peerPubKey, err)
 	}
@@ -1671,8 +1693,20 @@ func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID
 	return peer, netMap, postureChecks, dnsfwdPort, nil
 }
 
-func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error {
-	err := am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID)
+func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
+	peer, err := am.Store.GetPeerByPeerPubKey(ctx, store.LockingStrengthNone, peerPubKey)
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to get peer %s for disconnect check: %v", peerPubKey, err)
+		return nil
+	}
+
+	if peer.Status.LastSeen.After(streamStartTime) {
+		log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s > streamStart=%s), skipping disconnect",
+			peerPubKey, peer.Status.LastSeen.Format(time.RFC3339), streamStartTime.Format(time.RFC3339))
+		return nil
+	}
+
+	err = am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID, time.Now().UTC())
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as disconnected %s %v", peerPubKey, err)
 	}

management/server/account/manager.go

@@ -6,6 +6,7 @@ import (
 	"net/netip"
 	"time"
 
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/shared/auth"
 
 	nbdns "github.com/netbirdio/netbird/dns"
@@ -58,7 +59,7 @@ type Manager interface {
 	GetUserFromUserAuth(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsers(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string) error
+	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error
 	DeletePeer(ctx context.Context, accountID, peerID, userID string) error
 	UpdatePeer(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
 	UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error
@@ -114,8 +115,8 @@ type Manager interface {
 	UpdateIntegratedValidator(ctx context.Context, accountID, userID, validator string, groups []string) error
 	GroupValidation(ctx context.Context, accountId string, groups []string) (bool, error)
 	GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error)
-	SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
-	OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error
+	SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
+	OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error
 	SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
 	FindExistingPostureCheck(accountID string, checks *posture.ChecksDefinition) (*posture.Checks, error)
 	GetAccountIDForPeerKey(ctx context.Context, peerKey string) (string, error)
@@ -139,4 +140,5 @@ type Manager interface {
 	CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error
 	GetAllPeerJobs(ctx context.Context, accountID, userID, peerID string) ([]*types.Job, error)
 	GetPeerJobByID(ctx context.Context, accountID, userID, peerID, jobID string) (*types.Job, error)
+	SetReverseProxyManager(reverseProxyManager reverseproxy.Manager)
 }

management/server/account_test.go

@@ -1881,7 +1881,7 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
 	require.NoError(t, err, "unable to get the account")
 
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID)
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
@@ -1952,7 +1952,7 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	require.NoError(t, err, "unable to get the account")
 
 	// when we mark peer as connected, the peer login expiration routine should trigger
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID)
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	failed := waitTimeout(wg, time.Second)
@@ -1961,6 +1961,82 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	}
 }
 
+func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
+	manager, _, err := createManager(t)
+	require.NoError(t, err, "unable to create account manager")
+
+	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
+	require.NoError(t, err, "unable to create an account")
+
+	key, err := wgtypes.GenerateKey()
+	require.NoError(t, err, "unable to generate WireGuard key")
+	peerPubKey := key.PublicKey().String()
+
+	_, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+		Key:  peerPubKey,
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer"},
+	}, false)
+	require.NoError(t, err, "unable to add peer")
+
+	t.Run("disconnect peer when streamStartTime is after LastSeen", func(t *testing.T) {
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
+		require.NoError(t, err, "unable to mark peer connected")
+
+		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
+		require.NoError(t, err, "unable to get peer")
+		require.True(t, peer.Status.Connected, "peer should be connected")
+
+		streamStartTime := time.Now().UTC()
+
+		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
+		require.NoError(t, err)
+
+		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
+		require.NoError(t, err)
+		require.False(t, peer.Status.Connected, "peer should be disconnected")
+	})
+
+	t.Run("skip disconnect when LastSeen is after streamStartTime (zombie stream protection)", func(t *testing.T) {
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
+		require.NoError(t, err, "unable to mark peer connected")
+
+		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
+		require.NoError(t, err)
+		require.True(t, peer.Status.Connected, "peer should be connected")
+
+		streamStartTime := peer.Status.LastSeen.Add(-1 * time.Hour)
+
+		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
+		require.NoError(t, err)
+
+		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
+		require.NoError(t, err)
+		require.True(t, peer.Status.Connected,
+			"peer should remain connected because LastSeen > streamStartTime (zombie stream protection)")
+	})
+
+	t.Run("skip stale connect when peer already has newer LastSeen (blocked goroutine protection)", func(t *testing.T) {
+		node2SyncTime := time.Now().UTC()
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node2SyncTime)
+		require.NoError(t, err, "node 2 should connect peer")
+
+		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
+		require.NoError(t, err)
+		require.True(t, peer.Status.Connected, "peer should be connected")
+		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(), "LastSeen should be node2SyncTime")
+
+		node1StaleSyncTime := node2SyncTime.Add(-1 * time.Minute)
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node1StaleSyncTime)
+		require.NoError(t, err, "stale connect should not return error")
+
+		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
+		require.NoError(t, err)
+		require.True(t, peer.Status.Connected, "peer should still be connected")
+		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(),
+			"LastSeen should NOT be overwritten by stale syncTime from blocked goroutine")
+	})
+}
+
 func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *testing.T) {
 	manager, _, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
@@ -1983,7 +2059,7 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 	account, err := manager.Store.GetAccount(context.Background(), accountID)
 	require.NoError(t, err, "unable to get the account")
 
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID)
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	wg := &sync.WaitGroup{}
@@ -3176,7 +3252,7 @@ func BenchmarkSyncAndMarkPeer(b *testing.B) {
 			b.ResetTimer()
 			start := time.Now()
 			for i := 0; i < b.N; i++ {
-				_, _, _, _, err := manager.SyncAndMarkPeer(context.Background(), account.Id, account.Peers["peer-1"].Key, nbpeer.PeerSystemMeta{Hostname: strconv.Itoa(i)}, net.IP{1, 1, 1, 1})
+				_, _, _, _, err := manager.SyncAndMarkPeer(context.Background(), account.Id, account.Peers["peer-1"].Key, nbpeer.PeerSystemMeta{Hostname: strconv.Itoa(i)}, net.IP{1, 1, 1, 1}, time.Now().UTC())
 				assert.NoError(b, err)
 			}
 

management/server/activity/codes.go

@@ -204,6 +204,10 @@ const (
 	UserInviteLinkRegenerated Activity = 106
 	UserInviteLinkDeleted     Activity = 107
 
+	ReverseProxyCreated Activity = 108
+	ReverseProxyUpdated Activity = 109
+	ReverseProxyDeleted Activity = 110
+
 	AccountDeleted Activity = 99999
 )
 
@@ -337,6 +341,10 @@ var activityMap = map[Activity]Code{
 	UserInviteLinkAccepted:    {"User invite link accepted", "user.invite.link.accept"},
 	UserInviteLinkRegenerated: {"User invite link regenerated", "user.invite.link.regenerate"},
 	UserInviteLinkDeleted:     {"User invite link deleted", "user.invite.link.delete"},
+
+	ReverseProxyCreated: {"Reverse proxy created", "reverseproxy.create"},
+	ReverseProxyUpdated: {"Reverse proxy updated", "reverseproxy.update"},
+	ReverseProxyDeleted: {"Reverse proxy deleted", "reverseproxy.delete"},
 }
 
 // StringCode returns a string code of the activity

management/server/http/handler.go

@@ -9,10 +9,17 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
-	idpmanager "github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	idpmanager "github.com/netbirdio/netbird/management/server/idp"
+
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
@@ -38,6 +45,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/handlers/networks"
 	"github.com/netbirdio/netbird/management/server/http/handlers/peers"
 	"github.com/netbirdio/netbird/management/server/http/handlers/policies"
+	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 	"github.com/netbirdio/netbird/management/server/http/handlers/routes"
 	"github.com/netbirdio/netbird/management/server/http/handlers/setup_keys"
 	"github.com/netbirdio/netbird/management/server/http/handlers/users"
@@ -59,7 +67,7 @@ const (
 )
 
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *domain.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer) (http.Handler, error) {
 
 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -75,6 +83,10 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	if err := bypass.AddBypassPath("/api/users/invites/nbi_*/accept"); err != nil {
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}
+	// OAuth callback for proxy authentication
+	if err := bypass.AddBypassPath(types.ProxyCallbackEndpointFull); err != nil {
+		return nil, fmt.Errorf("failed to add bypass path: %w", err)
+	}
 
 	var rateLimitingConfig *middleware.RateLimiterConfig
 	if os.Getenv(rateLimitingEnabledKey) == "true" {
@@ -129,15 +141,15 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		return nil, fmt.Errorf("register integrations endpoints: %w", err)
 	}
 
-	// Check if embedded IdP is enabled
+	// Check if embedded IdP is enabled for instance manager
 	embeddedIdP, embeddedIdpEnabled := idpManager.(*idpmanager.EmbeddedIdPManager)
 	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), embeddedIdP)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create instance manager: %w", err)
 	}
 
-	accounts.AddEndpoints(accountManager, settingsManager, embeddedIdpEnabled, router)
-	peers.AddEndpoints(accountManager, router, networkMapController)
+	accounts.AddEndpoints(accountManager, settingsManager, router)
+	peers.AddEndpoints(accountManager, router, networkMapController, permissionsManager)
 	users.AddEndpoints(accountManager, router)
 	users.AddInvitesEndpoints(accountManager, router)
 	users.AddPublicInvitesEndpoints(accountManager, router)
@@ -155,6 +167,15 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	idp.AddEndpoints(accountManager, router)
 	instance.AddEndpoints(instanceManager, router)
 	instance.AddVersionEndpoint(instanceManager, router)
+	if reverseProxyManager != nil && reverseProxyDomainManager != nil {
+		reverseproxymanager.RegisterEndpoints(reverseProxyManager, *reverseProxyDomainManager, reverseProxyAccessLogsManager, router)
+	}
+
+	// Register OAuth callback handler for proxy authentication
+	if proxyGRPCServer != nil {
+		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer)
+		oauthHandler.RegisterEndpoints(router)
+	}
 
 	// Mount embedded IdP handler at /oauth2 path if configured
 	if embeddedIdpEnabled {

management/server/http/handlers/accounts/accounts_handler.go

@@ -36,24 +36,22 @@ const (
 
 // handler is a handler that handles the server.Account HTTP endpoints
 type handler struct {
-	accountManager     account.Manager
-	settingsManager    settings.Manager
-	embeddedIdpEnabled bool
+	accountManager  account.Manager
+	settingsManager settings.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, settingsManager settings.Manager, embeddedIdpEnabled bool, router *mux.Router) {
-	accountsHandler := newHandler(accountManager, settingsManager, embeddedIdpEnabled)
+func AddEndpoints(accountManager account.Manager, settingsManager settings.Manager, router *mux.Router) {
+	accountsHandler := newHandler(accountManager, settingsManager)
 	router.HandleFunc("/accounts/{accountId}", accountsHandler.updateAccount).Methods("PUT", "OPTIONS")
 	router.HandleFunc("/accounts/{accountId}", accountsHandler.deleteAccount).Methods("DELETE", "OPTIONS")
 	router.HandleFunc("/accounts", accountsHandler.getAllAccounts).Methods("GET", "OPTIONS")
 }
 
 // newHandler creates a new handler HTTP handler
-func newHandler(accountManager account.Manager, settingsManager settings.Manager, embeddedIdpEnabled bool) *handler {
+func newHandler(accountManager account.Manager, settingsManager settings.Manager) *handler {
 	return &handler{
-		accountManager:     accountManager,
-		settingsManager:    settingsManager,
-		embeddedIdpEnabled: embeddedIdpEnabled,
+		accountManager:  accountManager,
+		settingsManager: settingsManager,
 	}
 }
 
@@ -165,7 +163,7 @@ func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	resp := toAccountResponse(accountID, settings, meta, onboarding, h.embeddedIdpEnabled)
+	resp := toAccountResponse(accountID, settings, meta, onboarding)
 	util.WriteJSONObject(r.Context(), w, []*api.Account{resp})
 }
 
@@ -292,7 +290,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	resp := toAccountResponse(accountID, updatedSettings, meta, updatedOnboarding, h.embeddedIdpEnabled)
+	resp := toAccountResponse(accountID, updatedSettings, meta, updatedOnboarding)
 
 	util.WriteJSONObject(r.Context(), w, &resp)
 }
@@ -321,7 +319,7 @@ func (h *handler) deleteAccount(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }
 
-func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta, onboarding *types.AccountOnboarding, embeddedIdpEnabled bool) *api.Account {
+func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta, onboarding *types.AccountOnboarding) *api.Account {
 	jwtAllowGroups := settings.JWTAllowGroups
 	if jwtAllowGroups == nil {
 		jwtAllowGroups = []string{}
@@ -341,7 +339,8 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		LazyConnectionEnabled:           &settings.LazyConnectionEnabled,
 		DnsDomain:                       &settings.DNSDomain,
 		AutoUpdateVersion:               &settings.AutoUpdateVersion,
-		EmbeddedIdpEnabled:              &embeddedIdpEnabled,
+		EmbeddedIdpEnabled:              &settings.EmbeddedIdpEnabled,
+		LocalAuthDisabled:               &settings.LocalAuthDisabled,
 	}
 
 	if settings.NetworkRange.IsValid() {

management/server/http/handlers/accounts/accounts_handler_test.go

@@ -33,7 +33,6 @@ func initAccountsTestData(t *testing.T, account *types.Account) *handler {
 		AnyTimes()
 
 	return &handler{
-		embeddedIdpEnabled: false,
 		accountManager: &mock_server.MockAccountManager{
 			GetAccountSettingsFunc: func(ctx context.Context, accountID string, userID string) (*types.Settings, error) {
 				return account.Settings, nil
@@ -124,6 +123,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
+				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: true,
 			expectedID:    accountID,
@@ -148,6 +148,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
+				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -172,6 +173,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr("latest"),
 				EmbeddedIdpEnabled:              br(false),
+				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -196,6 +198,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
+				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -220,6 +223,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
+				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -244,6 +248,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
+				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,

management/server/http/handlers/instance/instance_handler.go

@@ -46,7 +46,7 @@ func (h *handler) getInstanceStatus(w http.ResponseWriter, r *http.Request) {
 		util.WriteErrorResponse("failed to check instance status", http.StatusInternalServerError, w)
 		return
 	}
-
+	log.WithContext(r.Context()).Infof("instance setup status: %v", setupRequired)
 	util.WriteJSONObject(r.Context(), w, api.InstanceStatus{
 		SetupRequired: setupRequired,
 	})

management/server/http/handlers/peers/peers_handler.go

@@ -17,6 +17,7 @@ import (
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -26,11 +27,12 @@ import (
 // Handler is a handler that returns peers of the account
 type Handler struct {
 	accountManager       account.Manager
+	permissionsManager   permissions.Manager
 	networkMapController network_map.Controller
 }
 
-func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMapController network_map.Controller) {
-	peersHandler := NewHandler(accountManager, networkMapController)
+func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMapController network_map.Controller, permissionsManager permissions.Manager) {
+	peersHandler := NewHandler(accountManager, networkMapController, permissionsManager)
 	router.HandleFunc("/peers", peersHandler.GetAllPeers).Methods("GET", "OPTIONS")
 	router.HandleFunc("/peers/{peerId}", peersHandler.HandlePeer).
 		Methods("GET", "PUT", "DELETE", "OPTIONS")
@@ -42,10 +44,11 @@ func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMap
 }
 
 // NewHandler creates a new peers Handler
-func NewHandler(accountManager account.Manager, networkMapController network_map.Controller) *Handler {
+func NewHandler(accountManager account.Manager, networkMapController network_map.Controller, permissionsManager permissions.Manager) *Handler {
 	return &Handler{
 		accountManager:       accountManager,
 		networkMapController: networkMapController,
+		permissionsManager:   permissionsManager,
 	}
 }
 
@@ -359,13 +362,19 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	account, err := h.accountManager.GetAccountByID(r.Context(), accountID, activity.SystemInitiator)
+	user, err := h.accountManager.GetUserByID(r.Context(), userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	user, err := h.accountManager.GetUserByID(r.Context(), userID)
+	err = h.permissionsManager.ValidateAccountAccess(r.Context(), accountID, user, false)
+	if err != nil {
+		util.WriteError(r.Context(), status.NewPermissionDeniedError(), w)
+		return
+	}
+
+	account, err := h.accountManager.GetAccountByID(r.Context(), accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/peers/peers_handler_test.go

@@ -13,13 +13,15 @@ import (
 	"testing"
 	"time"
 
+	"github.com/golang/mock/gomock"
 	"github.com/gorilla/mux"
-	"go.uber.org/mock/gomock"
+	ugomock "go.uber.org/mock/gomock"
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -102,7 +104,7 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 		},
 	}
 
-	ctrl := gomock.NewController(t)
+	ctrl := ugomock.NewController(t)
 
 	networkMapController := network_map.NewMockController(ctrl)
 	networkMapController.EXPECT().
@@ -110,6 +112,10 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 		Return("domain").
 		AnyTimes()
 
+	ctrl2 := gomock.NewController(t)
+	permissionsManager := permissions.NewMockManager(ctrl2)
+	permissionsManager.EXPECT().ValidateAccountAccess(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
+
 	return &Handler{
 		accountManager: &mock_server.MockAccountManager{
 			UpdatePeerFunc: func(_ context.Context, accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
@@ -199,6 +205,7 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 			},
 		},
 		networkMapController: networkMapController,
+		permissionsManager:   permissionsManager,
 	}
 }
 

management/server/http/handlers/proxy/auth.go

@@ -0,0 +1,171 @@
+package proxy
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
+
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/http/middleware"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/proxy/auth"
+)
+
+// AuthCallbackHandler handles OAuth callbacks for proxy authentication.
+type AuthCallbackHandler struct {
+	proxyService *nbgrpc.ProxyServiceServer
+	rateLimiter  *middleware.APIRateLimiter
+}
+
+// NewAuthCallbackHandler creates a new OAuth callback handler.
+func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer) *AuthCallbackHandler {
+	rateLimiterConfig := &middleware.RateLimiterConfig{
+		RequestsPerMinute: 10,
+		Burst:             15,
+		CleanupInterval:   5 * time.Minute,
+		LimiterTTL:        10 * time.Minute,
+	}
+
+	return &AuthCallbackHandler{
+		proxyService: proxyService,
+		rateLimiter:  middleware.NewAPIRateLimiter(rateLimiterConfig),
+	}
+}
+
+// RegisterEndpoints registers the OAuth callback endpoint.
+func (h *AuthCallbackHandler) RegisterEndpoints(router *mux.Router) {
+	router.HandleFunc(types.ProxyCallbackEndpoint, h.handleCallback).Methods(http.MethodGet)
+}
+
+func (h *AuthCallbackHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
+	clientIP := getClientIP(r)
+	if !h.rateLimiter.Allow(clientIP) {
+		log.WithField("client_ip", clientIP).Warn("OAuth callback rate limit exceeded")
+		http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
+		return
+	}
+
+	state := r.URL.Query().Get("state")
+
+	codeVerifier, originalURL, err := h.proxyService.ValidateState(state)
+	if err != nil {
+		log.WithError(err).Error("OAuth callback state validation failed")
+		http.Error(w, "Invalid state parameter", http.StatusBadRequest)
+		return
+	}
+
+	redirectURL, err := url.Parse(originalURL)
+	if err != nil {
+		log.WithError(err).Error("Failed to parse redirect URL")
+		http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
+		return
+	}
+
+	oidcConfig := h.proxyService.GetOIDCConfig()
+
+	provider, err := oidc.NewProvider(r.Context(), oidcConfig.Issuer)
+	if err != nil {
+		log.WithError(err).Error("Failed to create OIDC provider")
+		http.Error(w, "Failed to create OIDC provider", http.StatusInternalServerError)
+		return
+	}
+
+	token, err := (&oauth2.Config{
+		ClientID:    oidcConfig.ClientID,
+		Endpoint:    provider.Endpoint(),
+		RedirectURL: oidcConfig.CallbackURL,
+	}).Exchange(r.Context(), r.URL.Query().Get("code"), oauth2.VerifierOption(codeVerifier))
+	if err != nil {
+		log.WithError(err).Error("Failed to exchange code for token")
+		http.Error(w, "Failed to exchange code for token", http.StatusInternalServerError)
+		return
+	}
+
+	userID := extractUserIDFromToken(r.Context(), provider, oidcConfig, token)
+	if userID == "" {
+		log.Error("Failed to extract user ID from OIDC token")
+		http.Error(w, "Failed to validate token", http.StatusUnauthorized)
+		return
+	}
+
+	// Group validation is performed by the proxy via ValidateSession gRPC call.
+	// This allows the proxy to show 403 pages directly without redirect dance.
+
+	sessionToken, err := h.proxyService.GenerateSessionToken(r.Context(), redirectURL.Hostname(), userID, auth.MethodOIDC)
+	if err != nil {
+		log.WithError(err).Error("Failed to create session token")
+		redirectURL.Scheme = "https"
+		query := redirectURL.Query()
+		query.Set("error", "access_denied")
+		query.Set("error_description", "Service configuration error")
+		redirectURL.RawQuery = query.Encode()
+		http.Redirect(w, r, redirectURL.String(), http.StatusFound)
+		return
+	}
+
+	redirectURL.Scheme = "https"
+
+	query := redirectURL.Query()
+	query.Set("session_token", sessionToken)
+	redirectURL.RawQuery = query.Encode()
+
+	log.WithField("redirect", redirectURL.Host).Debug("OAuth callback: redirecting user with session token")
+	http.Redirect(w, r, redirectURL.String(), http.StatusFound)
+}
+
+func extractUserIDFromToken(ctx context.Context, provider *oidc.Provider, config nbgrpc.ProxyOIDCConfig, token *oauth2.Token) string {
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		log.Warn("No id_token in OIDC response")
+		return ""
+	}
+
+	verifier := provider.Verifier(&oidc.Config{
+		ClientID: config.ClientID,
+	})
+
+	idToken, err := verifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		log.WithError(err).Warn("Failed to verify ID token")
+		return ""
+	}
+
+	var claims struct {
+		Subject string `json:"sub"`
+	}
+	if err := idToken.Claims(&claims); err != nil {
+		log.WithError(err).Warn("Failed to extract claims from ID token")
+		return ""
+	}
+
+	return claims.Subject
+}
+
+// getClientIP extracts the client IP address from the request.
+func getClientIP(r *http.Request) string {
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		if idx := strings.Index(xff, ","); idx != -1 {
+			return strings.TrimSpace(xff[:idx])
+		}
+		return xff
+	}
+
+	if xri := r.Header.Get("X-Real-IP"); xri != "" {
+		return xri
+	}
+
+	// Fall back to RemoteAddr
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		return r.RemoteAddr
+	}
+	return host
+}

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -0,0 +1,523 @@
+//go:build integration
+
+package proxy
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	accesslogs "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/users"
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// fakeOIDCServer creates a minimal OIDC provider for testing.
+type fakeOIDCServer struct {
+	server       *httptest.Server
+	issuer       string
+	signingKey   ed25519.PrivateKey
+	publicKey    ed25519.PublicKey
+	keyID        string
+	tokenSubject string
+	tokenExpiry  time.Duration
+	failExchange bool
+}
+
+func newFakeOIDCServer() *fakeOIDCServer {
+	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
+	f := &fakeOIDCServer{
+		signingKey:  priv,
+		publicKey:   pub,
+		keyID:       "test-key-1",
+		tokenExpiry: time.Hour,
+	}
+	f.server = httptest.NewServer(f)
+	f.issuer = f.server.URL
+	return f
+}
+
+func (f *fakeOIDCServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/.well-known/openid-configuration":
+		f.handleDiscovery(w, r)
+	case "/token":
+		f.handleToken(w, r)
+	case "/keys":
+		f.handleJWKS(w, r)
+	default:
+		http.NotFound(w, r)
+	}
+}
+
+func (f *fakeOIDCServer) handleDiscovery(w http.ResponseWriter, _ *http.Request) {
+	discovery := map[string]interface{}{
+		"issuer":                 f.issuer,
+		"authorization_endpoint": f.issuer + "/auth",
+		"token_endpoint":         f.issuer + "/token",
+		"jwks_uri":               f.issuer + "/keys",
+		"response_types_supported": []string{
+			"code",
+			"id_token",
+			"token id_token",
+		},
+		"subject_types_supported":               []string{"public"},
+		"id_token_signing_alg_values_supported": []string{"EdDSA"},
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(discovery)
+}
+
+func (f *fakeOIDCServer) handleToken(w http.ResponseWriter, r *http.Request) {
+	if f.failExchange {
+		http.Error(w, "invalid_grant", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	idToken := f.createIDToken()
+
+	response := map[string]interface{}{
+		"access_token":  "test-access-token",
+		"token_type":    "Bearer",
+		"expires_in":    3600,
+		"id_token":      idToken,
+		"refresh_token": "test-refresh-token",
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+func (f *fakeOIDCServer) createIDToken() string {
+	now := time.Now()
+	claims := jwt.MapClaims{
+		"iss": f.issuer,
+		"sub": f.tokenSubject,
+		"aud": "test-client-id",
+		"exp": now.Add(f.tokenExpiry).Unix(),
+		"iat": now.Unix(),
+		"nbf": now.Unix(),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
+	token.Header["kid"] = f.keyID
+	signed, _ := token.SignedString(f.signingKey)
+	return signed
+}
+
+func (f *fakeOIDCServer) handleJWKS(w http.ResponseWriter, _ *http.Request) {
+	jwks := map[string]interface{}{
+		"keys": []map[string]interface{}{
+			{
+				"kty": "OKP",
+				"crv": "Ed25519",
+				"kid": f.keyID,
+				"x":   base64.RawURLEncoding.EncodeToString(f.publicKey),
+				"use": "sig",
+			},
+		},
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(jwks)
+}
+
+func (f *fakeOIDCServer) Close() {
+	f.server.Close()
+}
+
+// testSetup contains all test dependencies.
+type testSetup struct {
+	store        store.Store
+	oidcServer   *fakeOIDCServer
+	proxyService *nbgrpc.ProxyServiceServer
+	handler      *AuthCallbackHandler
+	router       *mux.Router
+	cleanup      func()
+}
+
+// testAccessLogManager is a minimal mock for accesslogs.Manager.
+type testAccessLogManager struct{}
+
+func (m *testAccessLogManager) SaveAccessLog(_ context.Context, _ *accesslogs.AccessLogEntry) error {
+	return nil
+}
+
+func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string) ([]*accesslogs.AccessLogEntry, error) {
+	return nil, nil
+}
+
+func setupAuthCallbackTest(t *testing.T) *testSetup {
+	t.Helper()
+
+	ctx := context.Background()
+
+	testStore, cleanup, err := store.NewTestStoreFromSQL(ctx, "", t.TempDir())
+	require.NoError(t, err)
+
+	createTestAccountsAndUsers(t, ctx, testStore)
+	createTestReverseProxies(t, ctx, testStore)
+
+	oidcServer := newFakeOIDCServer()
+
+	tokenStore := nbgrpc.NewOneTimeTokenStore(time.Minute)
+
+	usersManager := users.NewManager(testStore)
+
+	oidcConfig := nbgrpc.ProxyOIDCConfig{
+		Issuer:      oidcServer.issuer,
+		ClientID:    "test-client-id",
+		Scopes:      []string{"openid", "profile", "email"},
+		CallbackURL: "https://management.example.com/reverse-proxy/callback",
+		HMACKey:     []byte("test-hmac-key-for-state-signing"),
+	}
+
+	proxyService := nbgrpc.NewProxyServiceServer(
+		&testAccessLogManager{},
+		tokenStore,
+		oidcConfig,
+		nil,
+		usersManager,
+	)
+
+	proxyService.SetProxyManager(&testReverseProxyManager{store: testStore})
+
+	handler := NewAuthCallbackHandler(proxyService)
+
+	router := mux.NewRouter()
+	handler.RegisterEndpoints(router)
+
+	return &testSetup{
+		store:        testStore,
+		oidcServer:   oidcServer,
+		proxyService: proxyService,
+		handler:      handler,
+		router:       router,
+		cleanup: func() {
+			cleanup()
+			oidcServer.Close()
+		},
+	}
+}
+
+func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store.Store) {
+	t.Helper()
+
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+
+	pubKey := base64.StdEncoding.EncodeToString(pub)
+	privKey := base64.StdEncoding.EncodeToString(priv)
+
+	testProxy := &reverseproxy.ReverseProxy{
+		ID:        "testProxyId",
+		AccountID: "testAccountId",
+		Name:      "Test Proxy",
+		Domain:    "test-proxy.example.com",
+		Targets: []*reverseproxy.Target{{
+			Path:       strPtr("/"),
+			Host:       "localhost",
+			Port:       8080,
+			Protocol:   "http",
+			TargetId:   "peer1",
+			TargetType: "peer",
+			Enabled:    true,
+		}},
+		Enabled: true,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled:            true,
+				DistributionGroups: []string{"allowedGroupId"},
+			},
+		},
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+	}
+	require.NoError(t, testStore.CreateReverseProxy(ctx, testProxy))
+
+	restrictedProxy := &reverseproxy.ReverseProxy{
+		ID:        "restrictedProxyId",
+		AccountID: "testAccountId",
+		Name:      "Restricted Proxy",
+		Domain:    "restricted-proxy.example.com",
+		Targets: []*reverseproxy.Target{{
+			Path:       strPtr("/"),
+			Host:       "localhost",
+			Port:       8080,
+			Protocol:   "http",
+			TargetId:   "peer1",
+			TargetType: "peer",
+			Enabled:    true,
+		}},
+		Enabled: true,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled:            true,
+				DistributionGroups: []string{"restrictedGroupId"},
+			},
+		},
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+	}
+	require.NoError(t, testStore.CreateReverseProxy(ctx, restrictedProxy))
+
+	noAuthProxy := &reverseproxy.ReverseProxy{
+		ID:        "noAuthProxyId",
+		AccountID: "testAccountId",
+		Name:      "No Auth Proxy",
+		Domain:    "no-auth-proxy.example.com",
+		Targets: []*reverseproxy.Target{{
+			Path:       strPtr("/"),
+			Host:       "localhost",
+			Port:       8080,
+			Protocol:   "http",
+			TargetId:   "peer1",
+			TargetType: "peer",
+			Enabled:    true,
+		}},
+		Enabled: true,
+		Auth: reverseproxy.AuthConfig{
+			BearerAuth: &reverseproxy.BearerAuthConfig{
+				Enabled: false,
+			},
+		},
+		SessionPrivateKey: privKey,
+		SessionPublicKey:  pubKey,
+	}
+	require.NoError(t, testStore.CreateReverseProxy(ctx, noAuthProxy))
+}
+
+func strPtr(s string) *string {
+	return &s
+}
+
+func createTestAccountsAndUsers(t *testing.T, ctx context.Context, testStore store.Store) {
+	t.Helper()
+
+	testAccount := &types.Account{
+		Id:                     "testAccountId",
+		Domain:                 "test.com",
+		DomainCategory:         "private",
+		IsDomainPrimaryAccount: true,
+		CreatedAt:              time.Now(),
+	}
+	require.NoError(t, testStore.SaveAccount(ctx, testAccount))
+
+	allowedGroup := &types.Group{
+		ID:        "allowedGroupId",
+		AccountID: "testAccountId",
+		Name:      "Allowed Group",
+		Issued:    "api",
+	}
+	require.NoError(t, testStore.CreateGroup(ctx, allowedGroup))
+
+	allowedUser := &types.User{
+		Id:         "allowedUserId",
+		AccountID:  "testAccountId",
+		Role:       types.UserRoleUser,
+		AutoGroups: []string{"allowedGroupId"},
+		CreatedAt:  time.Now(),
+		Issued:     "api",
+	}
+	require.NoError(t, testStore.SaveUser(ctx, allowedUser))
+}
+
+// testReverseProxyManager is a minimal implementation for testing.
+type testReverseProxyManager struct {
+	store store.Store
+}
+
+func (m *testReverseProxyManager) GetAllReverseProxies(_ context.Context, _, _ string) ([]*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testReverseProxyManager) GetReverseProxy(_ context.Context, _, _, _ string) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testReverseProxyManager) CreateReverseProxy(_ context.Context, _, _ string, _ *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testReverseProxyManager) UpdateReverseProxy(_ context.Context, _, _ string, _ *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
+	return nil, nil
+}
+
+func (m *testReverseProxyManager) DeleteReverseProxy(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
+func (m *testReverseProxyManager) SetCertificateIssuedAt(_ context.Context, _, _ string) error {
+	return nil
+}
+
+func (m *testReverseProxyManager) SetStatus(_ context.Context, _, _ string, _ reverseproxy.ProxyStatus) error {
+	return nil
+}
+
+func (m *testReverseProxyManager) ReloadAllReverseProxiesForAccount(_ context.Context, _ string) error {
+	return nil
+}
+
+func (m *testReverseProxyManager) ReloadReverseProxy(_ context.Context, _, _ string) error {
+	return nil
+}
+
+func (m *testReverseProxyManager) GetGlobalReverseProxies(ctx context.Context) ([]*reverseproxy.ReverseProxy, error) {
+	return m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
+}
+
+func (m *testReverseProxyManager) GetProxyByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.ReverseProxy, error) {
+	return m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, proxyID)
+}
+
+func (m *testReverseProxyManager) GetAccountReverseProxies(ctx context.Context, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	return m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+}
+
+func (m *testReverseProxyManager) GetProxyIDByTargetID(_ context.Context, _, _ string) (string, error) {
+	return "", nil
+}
+
+func createTestState(t *testing.T, ps *nbgrpc.ProxyServiceServer, redirectURL string) string {
+	t.Helper()
+
+	resp, err := ps.GetOIDCURL(context.Background(), &proto.GetOIDCURLRequest{
+		RedirectUrl: redirectURL,
+		AccountId:   "testAccountId",
+	})
+	require.NoError(t, err)
+
+	parsedURL, err := url.Parse(resp.Url)
+	require.NoError(t, err)
+
+	return parsedURL.Query().Get("state")
+}
+
+func TestAuthCallback_UserAllowedToLogin(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.tokenSubject = "allowedUserId"
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/dashboard")
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusFound, rec.Code)
+
+	location := rec.Header().Get("Location")
+	require.NotEmpty(t, location)
+
+	parsedLocation, err := url.Parse(location)
+	require.NoError(t, err)
+
+	require.Equal(t, "test-proxy.example.com", parsedLocation.Host)
+	require.NotEmpty(t, parsedLocation.Query().Get("session_token"), "Should include session token")
+	require.Empty(t, parsedLocation.Query().Get("error"), "Should not have error parameter")
+}
+
+func TestAuthCallback_ProxyNotFound(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.tokenSubject = "allowedUserId"
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
+
+	require.NoError(t, setup.store.DeleteReverseProxy(context.Background(), "testAccountId", "testProxyId"))
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusFound, rec.Code)
+
+	location := rec.Header().Get("Location")
+	parsedLocation, err := url.Parse(location)
+	require.NoError(t, err)
+
+	require.Equal(t, "access_denied", parsedLocation.Query().Get("error"))
+}
+
+func TestAuthCallback_InvalidToken(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.failExchange = true
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=invalid-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusInternalServerError, rec.Code)
+	require.Contains(t, rec.Body.String(), "Failed to exchange code")
+}
+
+func TestAuthCallback_ExpiredToken(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	setup.oidcServer.tokenSubject = "allowedUserId"
+	setup.oidcServer.tokenExpiry = -time.Hour
+
+	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusUnauthorized, rec.Code)
+	require.Contains(t, rec.Body.String(), "Failed to validate token")
+}
+
+func TestAuthCallback_InvalidState(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state=invalid-state", nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusBadRequest, rec.Code)
+	require.Contains(t, rec.Body.String(), "Invalid state")
+}
+
+func TestAuthCallback_MissingState(t *testing.T) {
+	setup := setupAuthCallbackTest(t)
+	defer setup.cleanup()
+
+	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code", nil)
+	rec := httptest.NewRecorder()
+
+	setup.router.ServeHTTP(rec, req)
+
+	require.Equal(t, http.StatusBadRequest, rec.Code)
+}

management/server/http/handlers/proxy/auth_test.go

@@ -0,0 +1,156 @@
+package proxy
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+)
+
+func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
+	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
+
+	req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
+	req.RemoteAddr = "192.168.1.100:12345"
+
+	t.Run("allows requests under limit", func(t *testing.T) {
+		for i := 0; i < 15; i++ {
+			allowed := handler.rateLimiter.Allow("192.168.1.100")
+			assert.True(t, allowed, "Request %d should be allowed", i+1)
+		}
+	})
+
+	t.Run("blocks requests over limit", func(t *testing.T) {
+		handler.rateLimiter.Reset("192.168.1.200")
+
+		for i := 0; i < 15; i++ {
+			handler.rateLimiter.Allow("192.168.1.200")
+		}
+
+		allowed := handler.rateLimiter.Allow("192.168.1.200")
+		assert.False(t, allowed, "Request over limit should be blocked")
+	})
+
+	t.Run("different IPs have separate limits", func(t *testing.T) {
+		ip1 := "192.168.1.201"
+		ip2 := "192.168.1.202"
+
+		handler.rateLimiter.Reset(ip1)
+		handler.rateLimiter.Reset(ip2)
+
+		for i := 0; i < 15; i++ {
+			handler.rateLimiter.Allow(ip1)
+		}
+
+		assert.False(t, handler.rateLimiter.Allow(ip1), "IP1 should be blocked")
+
+		assert.True(t, handler.rateLimiter.Allow(ip2), "IP2 should be allowed")
+	})
+}
+
+func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
+	testIP := "10.0.0.50"
+
+	handler.rateLimiter.Reset(testIP)
+
+	t.Run("returns 429 when rate limited", func(t *testing.T) {
+		for i := 0; i < 15; i++ {
+			handler.rateLimiter.Allow(testIP)
+		}
+
+		req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
+		req.RemoteAddr = testIP + ":12345"
+
+		rr := httptest.NewRecorder()
+		handler.handleCallback(rr, req)
+
+		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Should return 429 status code")
+		assert.Contains(t, rr.Body.String(), "Too many requests", "Should contain rate limit message")
+	})
+}
+
+func TestGetClientIP(t *testing.T) {
+	tests := []struct {
+		name          string
+		remoteAddr    string
+		xForwardedFor string
+		xRealIP       string
+		expectedIP    string
+	}{
+		{
+			name:       "extract from RemoteAddr",
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "192.168.1.100",
+		},
+		{
+			name:          "extract from X-Forwarded-For single IP",
+			remoteAddr:    "10.0.0.1:54321",
+			xForwardedFor: "203.0.113.195",
+			expectedIP:    "203.0.113.195",
+		},
+		{
+			name:          "extract from X-Forwarded-For multiple IPs",
+			remoteAddr:    "10.0.0.1:54321",
+			xForwardedFor: "203.0.113.195, 70.41.3.18, 150.172.238.178",
+			expectedIP:    "203.0.113.195",
+		},
+		{
+			name:       "extract from X-Real-IP",
+			remoteAddr: "10.0.0.1:54321",
+			xRealIP:    "198.51.100.42",
+			expectedIP: "198.51.100.42",
+		},
+		{
+			name:          "X-Forwarded-For takes precedence over X-Real-IP",
+			remoteAddr:    "10.0.0.1:54321",
+			xForwardedFor: "203.0.113.195",
+			xRealIP:       "198.51.100.42",
+			expectedIP:    "203.0.113.195",
+		},
+		{
+			name:       "handle RemoteAddr without port",
+			remoteAddr: "192.168.1.100",
+			expectedIP: "192.168.1.100",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/test", nil)
+			req.RemoteAddr = tt.remoteAddr
+
+			if tt.xForwardedFor != "" {
+				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
+			}
+			if tt.xRealIP != "" {
+				req.Header.Set("X-Real-IP", tt.xRealIP)
+			}
+
+			ip := getClientIP(req)
+			assert.Equal(t, tt.expectedIP, ip, "Extracted IP should match expected")
+		})
+	}
+}
+
+func TestAuthCallbackHandler_RateLimiterConfiguration(t *testing.T) {
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
+
+	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
+
+	testIP := "192.168.1.250"
+	handler.rateLimiter.Reset(testIP)
+
+	for i := 0; i < 15; i++ {
+		allowed := handler.rateLimiter.Allow(testIP)
+		assert.True(t, allowed, "Should allow request %d within burst limit", i+1)
+	}
+
+	allowed := handler.rateLimiter.Allow(testIP)
+	assert.False(t, allowed, "Should block request that exceeds burst limit")
+}

management/server/http/handlers/users/invites_handler_test.go

@@ -205,6 +205,14 @@ func TestCreateInvite(t *testing.T) {
 				return nil, status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 			},
 		},
+		{
+			name:           "local auth disabled",
+			requestBody:    `{"email":"test@example.com","name":"Test User","role":"user","auto_groups":[]}`,
+			expectedStatus: http.StatusPreconditionFailed,
+			mockFunc: func(ctx context.Context, accountID, initiatorUserID string, invite *types.UserInfo, expiresIn int) (*types.UserInvite, error) {
+				return nil, status.Errorf(status.PreconditionFailed, "local user creation is disabled - use an external identity provider")
+			},
+		},
 		{
 			name:           "invalid JSON",
 			requestBody:    `{invalid json}`,
@@ -376,6 +384,15 @@ func TestAcceptInvite(t *testing.T) {
 				return status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 			},
 		},
+		{
+			name:           "local auth disabled",
+			token:          testInviteToken,
+			requestBody:    `{"password":"SecurePass123!"}`,
+			expectedStatus: http.StatusPreconditionFailed,
+			mockFunc: func(ctx context.Context, token, password string) error {
+				return status.Errorf(status.PreconditionFailed, "local user creation is disabled - use an external identity provider")
+			},
+		},
 		{
 			name:           "missing token",
 			token:          "",

management/server/http/testing/testing_tools/channel/channel.go

@@ -73,7 +73,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	proxyController := integrations.NewController(store)
 	userManager := users.NewManager(store)
 	permissionsManager := permissions.NewManager(store)
-	settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManager)
+	settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManager, settings.IdpConfig{})
 	peersManager := peers.NewManager(store, permissionsManager)
 
 	jobManager := job.NewJobManager(nil, store, peersManager)
@@ -102,7 +102,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)
 
-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}

management/server/idp/auth0.go

@@ -135,7 +135,7 @@ func NewAuth0Manager(config Auth0ClientConfig, appMetrics telemetry.AppMetrics)
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5
 
-		httpClient := &http.Client{
+	httpClient := &http.Client{
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}

management/server/idp/authentik.go

@@ -56,7 +56,7 @@ func NewAuthentikManager(config AuthentikClientConfig, appMetrics telemetry.AppM
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}
 
 	if config.ClientID == "" {

management/server/idp/azure.go

@@ -57,11 +57,11 @@ func NewAzureManager(config AzureClientConfig, appMetrics telemetry.AppMetrics)
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5
 
-		httpClient := &http.Client{
+	httpClient := &http.Client{
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}
 
 	if config.ClientID == "" {

management/server/idp/embedded.go

@@ -43,6 +43,11 @@ type EmbeddedIdPConfig struct {
 	Owner *OwnerConfig
 	// SignKeyRefreshEnabled enables automatic key rotation for signing keys
 	SignKeyRefreshEnabled bool
+	// LocalAuthDisabled disables the local (email/password) authentication connector.
+	// When true, users cannot authenticate via email/password, only via external identity providers.
+	// Existing local users are preserved and will be able to login again if re-enabled.
+	// Cannot be enabled if no external identity provider connectors are configured.
+	LocalAuthDisabled bool
 }
 
 // EmbeddedStorageConfig holds storage configuration for the embedded IdP.
@@ -86,6 +91,12 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	cliRedirectURIs = append(cliRedirectURIs, "/device/callback")
 	cliRedirectURIs = append(cliRedirectURIs, c.Issuer+"/device/callback")
 
+	// Build dashboard redirect URIs including the OAuth callback for proxy authentication
+	dashboardRedirectURIs := c.DashboardRedirectURIs
+	baseURL := strings.TrimSuffix(c.Issuer, "/oauth2")
+	// todo: resolve import cycle
+	dashboardRedirectURIs = append(dashboardRedirectURIs, baseURL+"/api/reverse-proxy/callback")
+
 	cfg := &dex.YAMLConfig{
 		Issuer: c.Issuer,
 		Storage: dex.Storage{
@@ -105,13 +116,15 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 			Issuer: "NetBird",
 			Theme:  "light",
 		},
+		// Always enable password DB initially - we disable the local connector after startup if needed.
+		// This ensures Dex has at least one connector during initialization.
 		EnablePasswordDB: true,
 		StaticClients: []storage.Client{
 			{
 				ID:           staticClientDashboard,
 				Name:         "NetBird Dashboard",
 				Public:       true,
-				RedirectURIs: c.DashboardRedirectURIs,
+				RedirectURIs: dashboardRedirectURIs,
 			},
 			{
 				ID:           staticClientCLI,
@@ -192,11 +205,32 @@ func NewEmbeddedIdPManager(ctx context.Context, config *EmbeddedIdPConfig, appMe
 		return nil, err
 	}
 
+	log.WithContext(ctx).Debugf("initializing embedded Dex IDP with config: %+v", config)
+
 	provider, err := dex.NewProviderFromYAML(ctx, yamlConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create embedded IdP provider: %w", err)
 	}
 
+	// If local auth is disabled, validate that other connectors exist
+	if config.LocalAuthDisabled {
+		hasOthers, err := provider.HasNonLocalConnectors(ctx)
+		if err != nil {
+			_ = provider.Stop(ctx)
+			return nil, fmt.Errorf("failed to check connectors: %w", err)
+		}
+		if !hasOthers {
+			_ = provider.Stop(ctx)
+			return nil, fmt.Errorf("cannot disable local authentication: no other identity providers configured")
+		}
+		// Ensure local connector is removed (it might exist from a previous run)
+		if err := provider.DisableLocalAuth(ctx); err != nil {
+			_ = provider.Stop(ctx)
+			return nil, fmt.Errorf("failed to disable local auth: %w", err)
+		}
+		log.WithContext(ctx).Info("local authentication disabled - only external identity providers can be used")
+	}
+
 	log.WithContext(ctx).Infof("embedded Dex IDP initialized with issuer: %s", yamlConfig.Issuer)
 
 	return &EmbeddedIdPManager{
@@ -281,6 +315,8 @@ func (m *EmbeddedIdPManager) GetAllAccounts(ctx context.Context) (map[string][]*
 		return nil, fmt.Errorf("failed to list users: %w", err)
 	}
 
+	log.WithContext(ctx).Debugf("retrieved %d users from embedded IdP", len(users))
+
 	indexedUsers := make(map[string][]*UserData)
 	for _, user := range users {
 		indexedUsers[UnsetAccountID] = append(indexedUsers[UnsetAccountID], &UserData{
@@ -290,11 +326,17 @@ func (m *EmbeddedIdPManager) GetAllAccounts(ctx context.Context) (map[string][]*
 		})
 	}
 
+	log.WithContext(ctx).Debugf("retrieved %d users from embedded IdP", len(indexedUsers[UnsetAccountID]))
+
 	return indexedUsers, nil
 }
 
 // CreateUser creates a new user in the embedded IdP.
 func (m *EmbeddedIdPManager) CreateUser(ctx context.Context, email, name, accountID, invitedByEmail string) (*UserData, error) {
+	if m.config.LocalAuthDisabled {
+		return nil, fmt.Errorf("local user creation is disabled")
+	}
+
 	if m.appMetrics != nil {
 		m.appMetrics.IDPMetrics().CountCreateUser()
 	}
@@ -364,6 +406,10 @@ func (m *EmbeddedIdPManager) GetUserByEmail(ctx context.Context, email string) (
 // Unlike CreateUser which auto-generates a password, this method uses the provided password.
 // This is useful for instance setup where the user provides their own password.
 func (m *EmbeddedIdPManager) CreateUserWithPassword(ctx context.Context, email, password, name string) (*UserData, error) {
+	if m.config.LocalAuthDisabled {
+		return nil, fmt.Errorf("local user creation is disabled")
+	}
+
 	if m.appMetrics != nil {
 		m.appMetrics.IDPMetrics().CountCreateUser()
 	}
@@ -553,3 +599,13 @@ func (m *EmbeddedIdPManager) GetClientIDs() []string {
 func (m *EmbeddedIdPManager) GetUserIDClaim() string {
 	return defaultUserIDClaim
 }
+
+// IsLocalAuthDisabled returns whether local authentication is disabled based on configuration.
+func (m *EmbeddedIdPManager) IsLocalAuthDisabled() bool {
+	return m.config.LocalAuthDisabled
+}
+
+// HasNonLocalConnectors checks if there are any identity provider connectors other than local.
+func (m *EmbeddedIdPManager) HasNonLocalConnectors(ctx context.Context) (bool, error) {
+	return m.provider.HasNonLocalConnectors(ctx)
+}

management/server/idp/embedded_test.go

@@ -370,3 +370,234 @@ func TestEmbeddedIdPManager_GetLocalKeysLocation(t *testing.T) {
 		})
 	}
 }
+
+func TestEmbeddedIdPManager_LocalAuthDisabled(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("cannot start with local auth disabled without other connectors", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		config := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: filepath.Join(tmpDir, "dex.db"),
+				},
+			},
+		}
+
+		_, err = NewEmbeddedIdPManager(ctx, config, nil)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "no other identity providers configured")
+	})
+
+	t.Run("local auth enabled by default", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		config := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: filepath.Join(tmpDir, "dex.db"),
+				},
+			},
+		}
+
+		manager, err := NewEmbeddedIdPManager(ctx, config, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager.Stop(ctx) }()
+
+		// Verify local auth is enabled by default
+		assert.False(t, manager.IsLocalAuthDisabled())
+	})
+
+	t.Run("start with local auth disabled when connector exists", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		dbFile := filepath.Join(tmpDir, "dex.db")
+
+		// First, create a manager with local auth enabled and add a connector
+		config1 := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
+		require.NoError(t, err)
+
+		// Create a user
+		userData, err := manager1.CreateUser(ctx, "preserved@example.com", "Preserved User", "account1", "admin@example.com")
+		require.NoError(t, err)
+		userID := userData.ID
+
+		// Add an external connector (Google doesn't require OIDC discovery)
+		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
+			ID:           "google-test",
+			Name:         "Google Test",
+			Type:         "google",
+			ClientID:     "test-client-id",
+			ClientSecret: "test-client-secret",
+		})
+		require.NoError(t, err)
+
+		// Stop the first manager
+		err = manager1.Stop(ctx)
+		require.NoError(t, err)
+
+		// Now create a new manager with local auth disabled
+		config2 := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager2.Stop(ctx) }()
+
+		// Verify local auth is disabled via config
+		assert.True(t, manager2.IsLocalAuthDisabled())
+
+		// Verify the user still exists in storage (just can't login via local)
+		lookedUp, err := manager2.GetUserDataByID(ctx, userID, AppMetadata{})
+		require.NoError(t, err)
+		assert.Equal(t, "preserved@example.com", lookedUp.Email)
+	})
+
+	t.Run("CreateUser fails when local auth is disabled", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		dbFile := filepath.Join(tmpDir, "dex.db")
+
+		// First, create a manager and add an external connector
+		config1 := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
+		require.NoError(t, err)
+
+		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
+			ID:           "google-test",
+			Name:         "Google Test",
+			Type:         "google",
+			ClientID:     "test-client-id",
+			ClientSecret: "test-client-secret",
+		})
+		require.NoError(t, err)
+
+		err = manager1.Stop(ctx)
+		require.NoError(t, err)
+
+		// Create manager with local auth disabled
+		config2 := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager2.Stop(ctx) }()
+
+		// Try to create a user - should fail
+		_, err = manager2.CreateUser(ctx, "newuser@example.com", "New User", "account1", "admin@example.com")
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "local user creation is disabled")
+	})
+
+	t.Run("CreateUserWithPassword fails when local auth is disabled", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
+		require.NoError(t, err)
+		defer os.RemoveAll(tmpDir)
+
+		dbFile := filepath.Join(tmpDir, "dex.db")
+
+		// First, create a manager and add an external connector
+		config1 := &EmbeddedIdPConfig{
+			Enabled: true,
+			Issuer:  "http://localhost:5556/dex",
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
+		require.NoError(t, err)
+
+		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
+			ID:           "google-test",
+			Name:         "Google Test",
+			Type:         "google",
+			ClientID:     "test-client-id",
+			ClientSecret: "test-client-secret",
+		})
+		require.NoError(t, err)
+
+		err = manager1.Stop(ctx)
+		require.NoError(t, err)
+
+		// Create manager with local auth disabled
+		config2 := &EmbeddedIdPConfig{
+			Enabled:           true,
+			Issuer:            "http://localhost:5556/dex",
+			LocalAuthDisabled: true,
+			Storage: EmbeddedStorageConfig{
+				Type: "sqlite3",
+				Config: EmbeddedStorageTypeConfig{
+					File: dbFile,
+				},
+			},
+		}
+
+		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
+		require.NoError(t, err)
+		defer func() { _ = manager2.Stop(ctx) }()
+
+		// Try to create a user with password - should fail
+		_, err = manager2.CreateUserWithPassword(ctx, "newuser@example.com", "SecurePass123!", "New User")
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "local user creation is disabled")
+	})
+}

management/server/idp/google_workspace.go

@@ -51,7 +51,7 @@ func NewGoogleWorkspaceManager(ctx context.Context, config GoogleWorkspaceClient
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}
 
 	if config.CustomerID == "" {

management/server/idp/keycloak.go

@@ -66,7 +66,7 @@ func NewKeycloakManager(config KeycloakClientConfig, appMetrics telemetry.AppMet
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}
 
 	if config.ClientID == "" {

management/server/idp/pocketid.go

@@ -90,7 +90,7 @@ func NewPocketIdManager(config PocketIdClientConfig, appMetrics telemetry.AppMet
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}
 
 	if config.ManagementEndpoint == "" {

management/server/idp/util.go

@@ -76,7 +76,7 @@ const (
 	// Provides the env variable name for use with idpTimeout function
 	idpTimeoutEnv = "NB_IDP_TIMEOUT"
 	// Sets the defaultTimeout to 10s.
-	defaultTimeout  = 10 * time.Second
+	defaultTimeout = 10 * time.Second
 )
 
 // idpTimeout returns a timeout value for the IDP

management/server/idp/zitadel.go

@@ -167,7 +167,7 @@ func NewZitadelManager(config ZitadelClientConfig, appMetrics telemetry.AppMetri
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-	
+
 	helper := JsonParser{}
 
 	hasPAT := config.PAT != ""

management/server/instance/manager.go

@@ -104,13 +104,22 @@ func NewManager(ctx context.Context, store store.Store, idpManager idp.Manager)
 }
 
 func (m *DefaultManager) loadSetupRequired(ctx context.Context) error {
+	// Check if there are any accounts in the NetBird store
+	numAccounts, err := m.store.GetAccountsCounter(ctx)
+	if err != nil {
+		return err
+	}
+	hasAccounts := numAccounts > 0
+
+	// Check if there are any users in the embedded IdP (Dex)
 	users, err := m.embeddedIdpManager.GetAllAccounts(ctx)
 	if err != nil {
 		return err
 	}
+	hasLocalUsers := len(users) > 0
 
 	m.setupMu.Lock()
-	m.setupRequired = len(users) == 0
+	m.setupRequired = !(hasAccounts || hasLocalUsers)
 	m.setupMu.Unlock()
 
 	return nil

management/server/management_test.go

@@ -610,6 +610,7 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 
 	initialPeers := 10
 	additionalPeers := 10
+	expectedPeerCount := initialPeers + additionalPeers - 1 // -1 because peer doesn't see itself
 
 	var peers []wgtypes.Key
 	for i := 0; i < initialPeers; i++ {
@@ -618,8 +619,19 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 		peers = append(peers, key)
 	}
 
+	// Track the maximum peer count each peer has seen
+	type peerState struct {
+		mu           sync.Mutex
+		maxPeerCount int
+		done         bool
+	}
+	peerStates := make(map[string]*peerState)
+	for _, pk := range peers {
+		peerStates[pk.PublicKey().String()] = &peerState{}
+	}
+
 	var wg sync.WaitGroup
-	wg.Add(initialPeers + initialPeers*additionalPeers)
+	wg.Add(initialPeers) // One completion per initial peer
 
 	var syncClients []mgmtProto.ManagementService_SyncClient
 	for _, pk := range peers {
@@ -643,6 +655,9 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 		syncClients = append(syncClients, s)
 
 		go func(pk wgtypes.Key, syncStream mgmtProto.ManagementService_SyncClient) {
+			pubKey := pk.PublicKey().String()
+			state := peerStates[pubKey]
+
 			for {
 				encMsg := &mgmtProto.EncryptedMessage{}
 				err := syncStream.RecvMsg(encMsg)
@@ -651,19 +666,28 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 				}
 				decryptedBytes, decErr := encryption.Decrypt(encMsg.Body, ts.serverPubKey, pk)
 				if decErr != nil {
-					t.Errorf("failed to decrypt SyncResponse for peer %s: %v", pk.PublicKey().String(), decErr)
+					t.Errorf("failed to decrypt SyncResponse for peer %s: %v", pubKey, decErr)
 					return
 				}
 				resp := &mgmtProto.SyncResponse{}
 				umErr := pb.Unmarshal(decryptedBytes, resp)
 				if umErr != nil {
-					t.Errorf("failed to unmarshal SyncResponse for peer %s: %v", pk.PublicKey().String(), umErr)
+					t.Errorf("failed to unmarshal SyncResponse for peer %s: %v", pubKey, umErr)
 					return
 				}
-				// We only count if there's a new peer update
-				if len(resp.GetRemotePeers()) > 0 {
+
+				// Track the maximum peer count seen (due to debouncing, updates are coalesced)
+				peerCount := len(resp.GetRemotePeers())
+				state.mu.Lock()
+				if peerCount > state.maxPeerCount {
+					state.maxPeerCount = peerCount
+				}
+				// Signal completion when this peer has seen all expected peers
+				if !state.done && state.maxPeerCount >= expectedPeerCount {
+					state.done = true
 					wg.Done()
 				}
+				state.mu.Unlock()
 			}
 		}(pk, s)
 	}
@@ -677,7 +701,30 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 		time.Sleep(time.Duration(n) * time.Millisecond)
 	}
 
-	wg.Wait()
+	// Wait for debouncer to flush final updates (debounce interval is 1000ms)
+	time.Sleep(1500 * time.Millisecond)
+
+	// Wait with timeout
+	done := make(chan struct{})
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		// Success - all peers received expected peer count
+	case <-time.After(5 * time.Second):
+		// Timeout - report which peers didn't receive all updates
+		t.Error("Timeout waiting for all peers to receive updates")
+		for pubKey, state := range peerStates {
+			state.mu.Lock()
+			if state.maxPeerCount < expectedPeerCount {
+				t.Errorf("Peer %s only saw %d peers, expected %d", pubKey, state.maxPeerCount, expectedPeerCount)
+			}
+			state.mu.Unlock()
+		}
+	}
 
 	for _, sc := range syncClients {
 		err := sc.CloseSend()

management/server/mock_server/account_mock.go

@@ -37,8 +37,8 @@ type MockAccountManager struct {
 	GetUserFromUserAuthFunc               func(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsersFunc                         func(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeersFunc                          func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP) error
-	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
+	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP, syncTime time.Time) error
+	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
 	DeletePeerFunc                        func(ctx context.Context, accountID, peerKey, userID string) error
 	GetNetworkMapFunc                     func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
 	GetPeerNetworkFunc                    func(ctx context.Context, peerKey string) (*types.Network, error)
@@ -214,16 +214,15 @@ func (am *MockAccountManager) DeleteSetupKey(ctx context.Context, accountID, use
 	return status.Errorf(codes.Unimplemented, "method DeleteSetupKey is not implemented")
 }
 
-func (am *MockAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
+func (am *MockAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	if am.SyncAndMarkPeerFunc != nil {
-		return am.SyncAndMarkPeerFunc(ctx, accountID, peerPubKey, meta, realIP)
+		return am.SyncAndMarkPeerFunc(ctx, accountID, peerPubKey, meta, realIP, syncTime)
 	}
 	return nil, nil, nil, 0, status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }
 
-func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID string, peerPubKey string) error {
-	// TODO implement me
-	panic("implement me")
+func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
+	return nil
 }
 
 func (am *MockAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error) {
@@ -323,9 +322,9 @@ func (am *MockAccountManager) GetAccountIDByUserID(ctx context.Context, userAuth
 }
 
 // MarkPeerConnected mock implementation of MarkPeerConnected from server.AccountManager interface
-func (am *MockAccountManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string) error {
+func (am *MockAccountManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
 	if am.MarkPeerConnectedFunc != nil {
-		return am.MarkPeerConnectedFunc(ctx, peerKey, connected, realIP)
+		return am.MarkPeerConnectedFunc(ctx, peerKey, connected, realIP, syncTime)
 	}
 	return status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }

management/server/networks/resources/manager.go

@@ -5,6 +5,9 @@ import (
 	"errors"
 	"fmt"
 
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -30,21 +33,23 @@ type Manager interface {
 }
 
 type managerImpl struct {
-	store              store.Store
-	permissionsManager permissions.Manager
-	groupsManager      groups.Manager
-	accountManager     account.Manager
+	store               store.Store
+	permissionsManager  permissions.Manager
+	groupsManager       groups.Manager
+	accountManager      account.Manager
+	reverseProxyManager reverseproxy.Manager
 }
 
 type mockManager struct {
 }
 
-func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager account.Manager) Manager {
+func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager account.Manager, reverseproxyManager reverseproxy.Manager) Manager {
 	return &managerImpl{
-		store:              store,
-		permissionsManager: permissionsManager,
-		groupsManager:      groupsManager,
-		accountManager:     accountManager,
+		store:               store,
+		permissionsManager:  permissionsManager,
+		groupsManager:       groupsManager,
+		accountManager:      accountManager,
+		reverseProxyManager: reverseproxyManager,
 	}
 }
 
@@ -257,6 +262,14 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		event()
 	}
 
+	// TODO: optimize to only reload reverse proxies that are affected by the resource update instead of all of them
+	go func() {
+		err := m.reverseProxyManager.ReloadAllReverseProxiesForAccount(ctx, resource.AccountID)
+		if err != nil {
+			log.WithContext(ctx).Warnf("failed to reload all proxies for account: %v", err)
+		}
+	}()
+
 	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)
 
 	return resource, nil
@@ -309,6 +322,14 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 		return status.NewPermissionDeniedError()
 	}
 
+	proxyID, err := m.reverseProxyManager.GetProxyIDByTargetID(ctx, accountID, resourceID)
+	if err != nil {
+		return fmt.Errorf("failed to check if resource is used by reverse proxy: %w", err)
+	}
+	if proxyID != "" {
+		return status.NewResourceInUseError(resourceID, proxyID)
+	}
+
 	var events []func()
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		events, err = m.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resourceID)

management/server/peer.go

@@ -103,11 +103,13 @@ func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, acc
 }
 
 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
-func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubKey string, connected bool, realIP net.IP, accountID string) error {
+// syncTime is used as the LastSeen timestamp and for stale request detection
+func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
 	var peer *nbpeer.Peer
 	var settings *types.Settings
 	var expired bool
 	var err error
+	var skipped bool
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		peer, err = transaction.GetPeerByPeerPubKey(ctx, store.LockingStrengthUpdate, peerPubKey)
@@ -115,9 +117,19 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 			return err
 		}
 
-		expired, err = updatePeerStatusAndLocation(ctx, am.geo, transaction, peer, connected, realIP, accountID)
+		if connected && !syncTime.After(peer.Status.LastSeen) {
+			log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s >= syncTime=%s), skipping connect",
+				peer.ID, peer.Status.LastSeen.Format(time.RFC3339), syncTime.Format(time.RFC3339))
+			skipped = true
+			return nil
+		}
+
+		expired, err = updatePeerStatusAndLocation(ctx, am.geo, transaction, peer, connected, realIP, accountID, syncTime)
 		return err
 	})
+	if skipped {
+		return nil
+	}
 	if err != nil {
 		return err
 	}
@@ -147,10 +159,10 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 	return nil
 }
 
-func updatePeerStatusAndLocation(ctx context.Context, geo geolocation.Geolocation, transaction store.Store, peer *nbpeer.Peer, connected bool, realIP net.IP, accountID string) (bool, error) {
+func updatePeerStatusAndLocation(ctx context.Context, geo geolocation.Geolocation, transaction store.Store, peer *nbpeer.Peer, connected bool, realIP net.IP, accountID string, syncTime time.Time) (bool, error) {
 	oldStatus := peer.Status.Copy()
 	newStatus := oldStatus
-	newStatus.LastSeen = time.Now().UTC()
+	newStatus.LastSeen = syncTime
 	newStatus.Connected = connected
 	// whenever peer got connected that means that it logged in successfully
 	if newStatus.Connected {
@@ -477,6 +489,14 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 	var settings *types.Settings
 	var eventsToStore []func()
 
+	proxyID, err := am.reverseProxyManager.GetProxyIDByTargetID(ctx, accountID, peerID)
+	if err != nil {
+		return fmt.Errorf("failed to check if resource is used by reverse proxy: %w", err)
+	}
+	if proxyID != "" {
+		return status.NewPeerInUseError(peerID, proxyID)
+	}
+
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		peer, err = transaction.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 		if err != nil {
@@ -545,7 +565,7 @@ func (am *DefaultAccountManager) GetPeerNetwork(ctx context.Context, peerID stri
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
 func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKey, userID string, peer *nbpeer.Peer, temporary bool) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
-	if setupKey == "" && userID == "" {
+	if setupKey == "" && userID == "" && !peer.ProxyMeta.Embedded {
 		// no auth method provided => reject access
 		return nil, nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
 	}
@@ -554,6 +574,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 	hashedKey := sha256.Sum256([]byte(upperKey))
 	encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
 	addedByUser := len(userID) > 0
+	addedBySetupKey := len(setupKey) > 0
 
 	// This is a handling for the case when the same machine (with the same WireGuard pub key) tries to register twice.
 	// Such case is possible when AddPeer function takes long time to finish after AcquireWriteLockByUID (e.g., database is slow)
@@ -573,10 +594,11 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 
 	var setupKeyID string
 	var setupKeyName string
-	var ephemeral bool
 	var groupsToAdd []string
 	var allowExtraDNSLabels bool
-	if addedByUser {
+	ephemeral := peer.Ephemeral
+	switch {
+	case addedByUser:
 		user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 		if err != nil {
 			return nil, nil, nil, status.Errorf(status.NotFound, "failed adding new peer: user not found")
@@ -599,7 +621,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		}
 		opEvent.InitiatorID = userID
 		opEvent.Activity = activity.PeerAddedByUser
-	} else {
+	case addedBySetupKey:
 		// Validate the setup key
 		sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
 		if err != nil {
@@ -622,6 +644,12 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
 			return nil, nil, nil, status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
 		}
+	default:
+		if peer.ProxyMeta.Embedded {
+			log.WithContext(ctx).Debugf("adding peer for proxy embedded, accountID: %s", accountID)
+		} else {
+			log.WithContext(ctx).Warnf("adding peer without setup key or userID, accountID: %s", accountID)
+		}
 	}
 	opEvent.AccountID = accountID
 
@@ -657,6 +685,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		CreatedAt:                   registrationTime,
 		LoginExpirationEnabled:      addedByUser && !temporary,
 		Ephemeral:                   ephemeral,
+		ProxyMeta:                   peer.ProxyMeta,
 		Location:                    peer.Location,
 		InactivityExpirationEnabled: addedByUser && !temporary,
 		ExtraDNSLabels:              peer.ExtraDNSLabels,
@@ -723,17 +752,20 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 				}
 			}
 
-			err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
-			if err != nil {
-				return fmt.Errorf("failed adding peer to All group: %w", err)
+			if !peer.ProxyMeta.Embedded {
+				err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
+				if err != nil {
+					return fmt.Errorf("failed adding peer to All group: %w", err)
+				}
 			}
 
-			if addedByUser {
+			switch {
+			case addedByUser:
 				err := transaction.SaveUserLastLogin(ctx, accountID, userID, newPeer.GetLastLogin())
 				if err != nil {
 					log.WithContext(ctx).Debugf("failed to update user last login: %v", err)
 				}
-			} else {
+			case addedBySetupKey:
 				sk, err := transaction.GetSetupKeyBySecret(ctx, store.LockingStrengthUpdate, encodedHashedKey)
 				if err != nil {
 					return fmt.Errorf("failed to get setup key: %w", err)

management/server/peer/peer.go

@@ -24,6 +24,8 @@ type Peer struct {
 	IP net.IP `gorm:"serializer:json"` // uniqueness index per accountID (check migrations)
 	// Meta is a Peer system meta data
 	Meta PeerSystemMeta `gorm:"embedded;embeddedPrefix:meta_"`
+	// ProxyMeta is metadata related to proxy peers
+	ProxyMeta ProxyMeta `gorm:"embedded;embeddedPrefix:proxy_meta_"`
 	// Name is peer's name (machine name)
 	Name string `gorm:"index"`
 	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
@@ -48,6 +50,7 @@ type Peer struct {
 	CreatedAt time.Time
 	// Indicate ephemeral peer attribute
 	Ephemeral bool `gorm:"index"`
+
 	// Geo location based on connection IP
 	Location Location `gorm:"embedded;embeddedPrefix:location_"`
 
@@ -57,6 +60,11 @@ type Peer struct {
 	AllowExtraDNSLabels bool
 }
 
+type ProxyMeta struct {
+	Embedded bool   `gorm:"index"`
+	Cluster  string `gorm:"index"`
+}
+
 type PeerStatus struct { //nolint:revive
 	// LastSeen is the last time peer was connected to the management service
 	LastSeen time.Time
@@ -224,6 +232,7 @@ func (p *Peer) Copy() *Peer {
 		LastLogin:                   p.LastLogin,
 		CreatedAt:                   p.CreatedAt,
 		Ephemeral:                   p.Ephemeral,
+		ProxyMeta:                   p.ProxyMeta,
 		Location:                    p.Location,
 		InactivityExpirationEnabled: p.InactivityExpirationEnabled,
 		ExtraDNSLabels:              slices.Clone(p.ExtraDNSLabels),

management/server/permissions/modules/module.go

@@ -3,37 +3,39 @@ package modules
 type Module string
 
 const (
-	Networks    Module = "networks"
-	Peers       Module = "peers"
-	RemoteJobs  Module = "remote_jobs"
-	Groups      Module = "groups"
-	Settings    Module = "settings"
-	Accounts    Module = "accounts"
-	Dns         Module = "dns"
-	Nameservers Module = "nameservers"
-	Events      Module = "events"
-	Policies    Module = "policies"
-	Routes      Module = "routes"
-	Users       Module = "users"
-	SetupKeys   Module = "setup_keys"
-	Pats        Module = "pats"
+	Networks          Module = "networks"
+	Peers             Module = "peers"
+	RemoteJobs        Module = "remote_jobs"
+	Groups            Module = "groups"
+	Settings          Module = "settings"
+	Accounts          Module = "accounts"
+	Dns               Module = "dns"
+	Nameservers       Module = "nameservers"
+	Events            Module = "events"
+	Policies          Module = "policies"
+	Routes            Module = "routes"
+	Users             Module = "users"
+	SetupKeys         Module = "setup_keys"
+	Pats              Module = "pats"
 	IdentityProviders Module = "identity_providers"
+	Services          Module = "services"
 )
 
 var All = map[Module]struct{}{
-	Networks:    {},
-	Peers:       {},
-	RemoteJobs:  {},
-	Groups:      {},
-	Settings:    {},
-	Accounts:    {},
-	Dns:         {},
-	Nameservers: {},
-	Events:      {},
-	Policies:    {},
-	Routes:      {},
-	Users:       {},
-	SetupKeys:   {},
-	Pats:        {},
+	Networks:          {},
+	Peers:             {},
+	RemoteJobs:        {},
+	Groups:            {},
+	Settings:          {},
+	Accounts:          {},
+	Dns:               {},
+	Nameservers:       {},
+	Events:            {},
+	Policies:          {},
+	Routes:            {},
+	Users:             {},
+	SetupKeys:         {},
+	Pats:              {},
 	IdentityProviders: {},
+	Services:          {},
 }

management/server/settings/manager.go

@@ -24,19 +24,28 @@ type Manager interface {
 	UpdateExtraSettings(ctx context.Context, accountID, userID string, extraSettings *types.ExtraSettings) (bool, error)
 }
 
+// IdpConfig holds IdP-related configuration that is set at runtime
+// and not stored in the database.
+type IdpConfig struct {
+	EmbeddedIdpEnabled bool
+	LocalAuthDisabled  bool
+}
+
 type managerImpl struct {
 	store                store.Store
 	extraSettingsManager extra_settings.Manager
 	userManager          users.Manager
 	permissionsManager   permissions.Manager
+	idpConfig            IdpConfig
 }
 
-func NewManager(store store.Store, userManager users.Manager, extraSettingsManager extra_settings.Manager, permissionsManager permissions.Manager) Manager {
+func NewManager(store store.Store, userManager users.Manager, extraSettingsManager extra_settings.Manager, permissionsManager permissions.Manager, idpConfig IdpConfig) Manager {
 	return &managerImpl{
 		store:                store,
 		extraSettingsManager: extraSettingsManager,
 		userManager:          userManager,
 		permissionsManager:   permissionsManager,
+		idpConfig:            idpConfig,
 	}
 }
 
@@ -74,6 +83,10 @@ func (m *managerImpl) GetSettings(ctx context.Context, accountID, userID string)
 		settings.Extra.FlowDnsCollectionEnabled = extraSettings.FlowDnsCollectionEnabled
 	}
 
+	// Fill in IdP-related runtime settings
+	settings.EmbeddedIdpEnabled = m.idpConfig.EmbeddedIdpEnabled
+	settings.LocalAuthDisabled = m.idpConfig.LocalAuthDisabled
+
 	return settings, nil
 }
 

management/server/store/sql_store.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 	"gorm.io/driver/mysql"
 	"gorm.io/driver/postgres"
@@ -27,6 +28,9 @@ import (
 	"gorm.io/gorm/logger"
 
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -122,11 +126,13 @@ func NewSqlStore(ctx context.Context, db *gorm.DB, storeEngine types.Engine, met
 		return nil, fmt.Errorf("migratePreAuto: %w", err)
 	}
 	err = db.AutoMigrate(
-		&types.SetupKey{}, &nbpeer.Peer{}, &types.User{}, &types.PersonalAccessToken{}, &types.Group{}, &types.GroupPeer{},
+		&types.SetupKey{}, &nbpeer.Peer{}, &types.User{}, &types.PersonalAccessToken{}, &types.ProxyAccessToken{},
+		&types.Group{}, &types.GroupPeer{},
 		&types.Account{}, &types.Policy{}, &types.PolicyRule{}, &route.Route{}, &nbdns.NameServerGroup{},
 		&installation{}, &types.ExtraSettings{}, &posture.Checks{}, &nbpeer.NetworkAddress{},
 		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{}, &types.AccountOnboarding{},
-		&types.Job{}, &zones.Zone{}, &records.Record{}, &types.UserInviteRecord{},
+		&types.Job{}, &zones.Zone{}, &records.Record{}, &types.UserInviteRecord{}, &reverseproxy.ReverseProxy{}, &reverseproxy.Target{}, &domain.Domain{},
+		&accesslogs.AccessLogEntry{},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("auto migratePreAuto: %w", err)
@@ -1094,6 +1100,7 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		Preload("NetworkRouters").
 		Preload("NetworkResources").
 		Preload("Onboarding").
+		Preload("ReverseProxies").
 		Take(&account, idQueryCondition, accountID)
 	if result.Error != nil {
 		log.WithContext(ctx).Errorf("error when getting account %s from the store: %s", accountID, result.Error)
@@ -1271,6 +1278,17 @@ func (s *SqlStore) getAccountPgx(ctx context.Context, accountID string) (*types.
 		account.PostureChecks = checks
 	}()
 
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		proxies, err := s.getProxies(ctx, accountID)
+		if err != nil {
+			errChan <- err
+			return
+		}
+		account.ReverseProxies = proxies
+	}()
+
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
@@ -1672,7 +1690,7 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 	meta_kernel_version, meta_network_addresses, meta_system_serial_number, meta_system_product_name, meta_system_manufacturer,
 	meta_environment, meta_flags, meta_files, peer_status_last_seen, peer_status_connected, peer_status_login_expired, 
 	peer_status_requires_approval, location_connection_ip, location_country_code, location_city_name, 
-	location_geo_name_id FROM peers WHERE account_id = $1`
+	location_geo_name_id, proxy_meta_embedded, proxy_meta_cluster FROM peers WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -1685,12 +1703,12 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			lastLogin, createdAt                                                                            sql.NullTime
 			sshEnabled, loginExpirationEnabled, inactivityExpirationEnabled, ephemeral, allowExtraDNSLabels sql.NullBool
 			peerStatusLastSeen                                                                              sql.NullTime
-			peerStatusConnected, peerStatusLoginExpired, peerStatusRequiresApproval                         sql.NullBool
+			peerStatusConnected, peerStatusLoginExpired, peerStatusRequiresApproval, proxyEmbedded          sql.NullBool
 			ip, extraDNS, netAddr, env, flags, files, connIP                                                []byte
 			metaHostname, metaGoOS, metaKernel, metaCore, metaPlatform                                      sql.NullString
 			metaOS, metaOSVersion, metaWtVersion, metaUIVersion, metaKernelVersion                          sql.NullString
 			metaSystemSerialNumber, metaSystemProductName, metaSystemManufacturer                           sql.NullString
-			locationCountryCode, locationCityName                                                           sql.NullString
+			locationCountryCode, locationCityName, proxyCluster                                             sql.NullString
 			locationGeoNameID                                                                               sql.NullInt64
 		)
 
@@ -1700,7 +1718,7 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			&metaOS, &metaOSVersion, &metaWtVersion, &metaUIVersion, &metaKernelVersion, &netAddr,
 			&metaSystemSerialNumber, &metaSystemProductName, &metaSystemManufacturer, &env, &flags, &files,
 			&peerStatusLastSeen, &peerStatusConnected, &peerStatusLoginExpired, &peerStatusRequiresApproval, &connIP,
-			&locationCountryCode, &locationCityName, &locationGeoNameID)
+			&locationCountryCode, &locationCityName, &locationGeoNameID, &proxyEmbedded, &proxyCluster)
 
 		if err == nil {
 			if lastLogin.Valid {
@@ -1784,6 +1802,12 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			if locationGeoNameID.Valid {
 				p.Location.GeoNameID = uint(locationGeoNameID.Int64)
 			}
+			if proxyEmbedded.Valid {
+				p.ProxyMeta.Embedded = proxyEmbedded.Bool
+			}
+			if proxyCluster.Valid {
+				p.ProxyMeta.Cluster = proxyCluster.String
+			}
 			if ip != nil {
 				_ = json.Unmarshal(ip, &p.IP)
 			}
@@ -2039,6 +2063,131 @@ func (s *SqlStore) getPostureChecks(ctx context.Context, accountID string) ([]*p
 	return checks, nil
 }
 
+func (s *SqlStore) getProxies(ctx context.Context, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	const proxyQuery = `SELECT id, account_id, name, domain, enabled, auth,
+		meta_created_at, meta_certificate_issued_at, meta_status, proxy_cluster,
+		pass_host_header, rewrite_redirects, session_private_key, session_public_key
+		FROM reverse_proxies WHERE account_id = $1`
+
+	const targetsQuery = `SELECT id, account_id, reverse_proxy_id, path, host, port, protocol,
+		target_id, target_type, enabled
+		FROM targets WHERE reverse_proxy_id = ANY($1)`
+
+	proxyRows, err := s.pool.Query(ctx, proxyQuery, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	proxies, err := pgx.CollectRows(proxyRows, func(row pgx.CollectableRow) (*reverseproxy.ReverseProxy, error) {
+		var p reverseproxy.ReverseProxy
+		var auth []byte
+		var createdAt, certIssuedAt sql.NullTime
+		var status, proxyCluster, sessionPrivateKey, sessionPublicKey sql.NullString
+		err := row.Scan(
+			&p.ID,
+			&p.AccountID,
+			&p.Name,
+			&p.Domain,
+			&p.Enabled,
+			&auth,
+			&createdAt,
+			&certIssuedAt,
+			&status,
+			&proxyCluster,
+			&p.PassHostHeader,
+			&p.RewriteRedirects,
+			&sessionPrivateKey,
+			&sessionPublicKey,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		if auth != nil {
+			if err := json.Unmarshal(auth, &p.Auth); err != nil {
+				return nil, err
+			}
+		}
+
+		p.Meta = reverseproxy.ReverseProxyMeta{}
+		if createdAt.Valid {
+			p.Meta.CreatedAt = createdAt.Time
+		}
+		if certIssuedAt.Valid {
+			p.Meta.CertificateIssuedAt = certIssuedAt.Time
+		}
+		if status.Valid {
+			p.Meta.Status = status.String
+		}
+		if proxyCluster.Valid {
+			p.ProxyCluster = proxyCluster.String
+		}
+		if sessionPrivateKey.Valid {
+			p.SessionPrivateKey = sessionPrivateKey.String
+		}
+		if sessionPublicKey.Valid {
+			p.SessionPublicKey = sessionPublicKey.String
+		}
+
+		p.Targets = []*reverseproxy.Target{}
+		return &p, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(proxies) == 0 {
+		return proxies, nil
+	}
+
+	proxyIDs := make([]string, len(proxies))
+	proxyMap := make(map[string]*reverseproxy.ReverseProxy)
+	for i, p := range proxies {
+		proxyIDs[i] = p.ID
+		proxyMap[p.ID] = p
+	}
+
+	targetRows, err := s.pool.Query(ctx, targetsQuery, proxyIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	targets, err := pgx.CollectRows(targetRows, func(row pgx.CollectableRow) (*reverseproxy.Target, error) {
+		var t reverseproxy.Target
+		var path sql.NullString
+		err := row.Scan(
+			&t.ID,
+			&t.AccountID,
+			&t.ReverseProxyID,
+			&path,
+			&t.Host,
+			&t.Port,
+			&t.Protocol,
+			&t.TargetId,
+			&t.TargetType,
+			&t.Enabled,
+		)
+		if err != nil {
+			return nil, err
+		}
+		if path.Valid {
+			t.Path = &path.String
+		}
+		return &t, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	for _, target := range targets {
+		if proxy, ok := proxyMap[target.ReverseProxyID]; ok {
+			proxy.Targets = append(proxy.Targets, target)
+		}
+	}
+
+	return proxies, nil
+}
+
 func (s *SqlStore) getNetworks(ctx context.Context, accountID string) ([]*networkTypes.Network, error) {
 	const query = `SELECT id, account_id, name, description FROM networks WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
@@ -4230,6 +4379,79 @@ func (s *SqlStore) DeletePAT(ctx context.Context, userID, patID string) error {
 	return nil
 }
 
+// GetProxyAccessTokenByHashedToken retrieves a proxy access token by its hashed value.
+func (s *SqlStore) GetProxyAccessTokenByHashedToken(ctx context.Context, lockStrength LockingStrength, hashedToken types.HashedProxyToken) (*types.ProxyAccessToken, error) {
+	tx := s.db.WithContext(ctx)
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var token types.ProxyAccessToken
+	result := tx.Take(&token, "hashed_token = ?", hashedToken)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "proxy access token not found")
+		}
+		return nil, status.Errorf(status.Internal, "get proxy access token: %v", result.Error)
+	}
+
+	return &token, nil
+}
+
+// GetAllProxyAccessTokens retrieves all proxy access tokens.
+func (s *SqlStore) GetAllProxyAccessTokens(ctx context.Context, lockStrength LockingStrength) ([]*types.ProxyAccessToken, error) {
+	tx := s.db.WithContext(ctx)
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var tokens []*types.ProxyAccessToken
+	result := tx.Find(&tokens)
+	if result.Error != nil {
+		return nil, status.Errorf(status.Internal, "get proxy access tokens: %v", result.Error)
+	}
+
+	return tokens, nil
+}
+
+// SaveProxyAccessToken saves a proxy access token to the database.
+func (s *SqlStore) SaveProxyAccessToken(ctx context.Context, token *types.ProxyAccessToken) error {
+	if result := s.db.WithContext(ctx).Create(token); result.Error != nil {
+		return status.Errorf(status.Internal, "save proxy access token: %v", result.Error)
+	}
+	return nil
+}
+
+// RevokeProxyAccessToken revokes a proxy access token by its ID.
+func (s *SqlStore) RevokeProxyAccessToken(ctx context.Context, tokenID string) error {
+	result := s.db.WithContext(ctx).Model(&types.ProxyAccessToken{}).Where(idQueryCondition, tokenID).Update("revoked", true)
+	if result.Error != nil {
+		return status.Errorf(status.Internal, "revoke proxy access token: %v", result.Error)
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "proxy access token not found")
+	}
+
+	return nil
+}
+
+// MarkProxyAccessTokenUsed updates the last used timestamp for a proxy access token.
+func (s *SqlStore) MarkProxyAccessTokenUsed(ctx context.Context, tokenID string) error {
+	result := s.db.WithContext(ctx).Model(&types.ProxyAccessToken{}).
+		Where(idQueryCondition, tokenID).
+		Update("last_used", time.Now().UTC())
+	if result.Error != nil {
+		return status.Errorf(status.Internal, "mark proxy access token as used: %v", result.Error)
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "proxy access token not found")
+	}
+
+	return nil
+}
+
 func (s *SqlStore) GetPeerByIP(ctx context.Context, lockStrength LockingStrength, accountID string, ip net.IP) (*nbpeer.Peer, error) {
 	tx := s.db
 	if lockStrength != LockingStrengthNone {
@@ -4602,3 +4824,352 @@ func (s *SqlStore) GetPeerIDByKey(ctx context.Context, lockStrength LockingStren
 
 	return peerID, nil
 }
+
+func (s *SqlStore) CreateReverseProxy(ctx context.Context, proxy *reverseproxy.ReverseProxy) error {
+	proxyCopy := proxy.Copy()
+	if err := proxyCopy.EncryptSensitiveData(s.fieldEncrypt); err != nil {
+		return fmt.Errorf("encrypt reverse proxy data: %w", err)
+	}
+	result := s.db.Create(proxyCopy)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to create reverse proxy to store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to create reverse proxy to store")
+	}
+
+	return nil
+}
+
+func (s *SqlStore) UpdateReverseProxy(ctx context.Context, proxy *reverseproxy.ReverseProxy) error {
+	proxyCopy := proxy.Copy()
+	if err := proxyCopy.EncryptSensitiveData(s.fieldEncrypt); err != nil {
+		return fmt.Errorf("encrypt reverse proxy data: %w", err)
+	}
+
+	// Use a transaction to ensure atomic updates of the proxy and its targets
+	err := s.db.Transaction(func(tx *gorm.DB) error {
+		// Delete existing targets
+		if err := tx.Where("reverse_proxy_id = ?", proxyCopy.ID).Delete(&reverseproxy.Target{}).Error; err != nil {
+			return err
+		}
+
+		// Update the proxy and create new targets
+		if err := tx.Session(&gorm.Session{FullSaveAssociations: true}).Save(proxyCopy).Error; err != nil {
+			return err
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to update reverse proxy to store: %v", err)
+		return status.Errorf(status.Internal, "failed to update reverse proxy to store")
+	}
+
+	return nil
+}
+
+func (s *SqlStore) DeleteReverseProxy(ctx context.Context, accountID, proxyID string) error {
+	result := s.db.Delete(&reverseproxy.ReverseProxy{}, accountAndIDQueryCondition, accountID, proxyID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to delete reverse proxy from store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to delete reverse proxy from store")
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "reverse proxy %s not found", proxyID)
+	}
+
+	return nil
+}
+
+func (s *SqlStore) GetReverseProxyByID(ctx context.Context, lockStrength LockingStrength, accountID, proxyID string) (*reverseproxy.ReverseProxy, error) {
+	tx := s.db.Preload("Targets")
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var proxy *reverseproxy.ReverseProxy
+	result := tx.Take(&proxy, accountAndIDQueryCondition, accountID, proxyID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "reverse proxy %s not found", proxyID)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get reverse proxy from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy from store")
+	}
+
+	if err := proxy.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+		return nil, fmt.Errorf("decrypt reverse proxy data: %w", err)
+	}
+
+	return proxy, nil
+}
+
+func (s *SqlStore) GetReverseProxyByDomain(ctx context.Context, accountID, domain string) (*reverseproxy.ReverseProxy, error) {
+	var proxy *reverseproxy.ReverseProxy
+	result := s.db.Preload("Targets").Where("account_id = ? AND domain = ?", accountID, domain).First(&proxy)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "reverse proxy with domain %s not found", domain)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get reverse proxy by domain from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy by domain from store")
+	}
+
+	if err := proxy.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+		return nil, fmt.Errorf("decrypt reverse proxy data: %w", err)
+	}
+
+	return proxy, nil
+}
+
+func (s *SqlStore) GetReverseProxies(ctx context.Context, lockStrength LockingStrength) ([]*reverseproxy.ReverseProxy, error) {
+	tx := s.db.Preload("Targets")
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var proxyList []*reverseproxy.ReverseProxy
+	result := tx.Find(&proxyList)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get reverse proxy from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy from store")
+	}
+
+	for _, proxy := range proxyList {
+		if err := proxy.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+			return nil, fmt.Errorf("decrypt reverse proxy data: %w", err)
+		}
+	}
+
+	return proxyList, nil
+}
+
+func (s *SqlStore) GetAccountReverseProxies(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	tx := s.db.Preload("Targets")
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var proxyList []*reverseproxy.ReverseProxy
+	result := tx.Find(&proxyList, accountIDCondition, accountID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get reverse proxy from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy from store")
+	}
+
+	for _, proxy := range proxyList {
+		if err := proxy.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+			return nil, fmt.Errorf("decrypt reverse proxy data: %w", err)
+		}
+	}
+
+	return proxyList, nil
+}
+
+func (s *SqlStore) GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error) {
+	tx := s.db
+
+	customDomain := &domain.Domain{}
+	result := tx.Take(&customDomain, accountAndIDQueryCondition, accountID, domainID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "reverse proxy custom domain %s not found", domainID)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get reverse proxy custom domain from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy custom domain from store")
+	}
+
+	return customDomain, nil
+}
+
+func (s *SqlStore) ListFreeDomains(ctx context.Context, accountID string) ([]string, error) {
+	return nil, nil
+}
+
+func (s *SqlStore) ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error) {
+	tx := s.db
+
+	var domains []*domain.Domain
+	result := tx.Find(&domains, accountIDCondition, accountID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get reverse proxy custom domains from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy custom domains from store")
+	}
+
+	return domains, nil
+}
+
+func (s *SqlStore) CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error) {
+	newDomain := &domain.Domain{
+		ID:            xid.New().String(), // Generate our own ID because gorm doesn't always configure the database to handle this for us.
+		Domain:        domainName,
+		AccountID:     accountID,
+		TargetCluster: targetCluster,
+		Type:          domain.TypeCustom,
+		Validated:     validated,
+	}
+	result := s.db.Create(newDomain)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to create reverse proxy custom domain to store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to create reverse proxy custom domain to store")
+	}
+
+	return newDomain, nil
+}
+
+func (s *SqlStore) UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error) {
+	d.AccountID = accountID
+	result := s.db.Select("*").Save(d)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to update reverse proxy custom domain to store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to update reverse proxy custom domain to store")
+	}
+
+	return d, nil
+}
+
+func (s *SqlStore) DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error {
+	result := s.db.Delete(domain.Domain{}, accountAndIDQueryCondition, accountID, domainID)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to delete reverse proxy custom domain from store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to delete reverse proxy custom domain from store")
+	}
+
+	if result.RowsAffected == 0 {
+		return status.Errorf(status.NotFound, "reverse proxy custom domain %s not found", domainID)
+	}
+
+	return nil
+}
+
+// CreateAccessLog creates a new access log entry in the database
+func (s *SqlStore) CreateAccessLog(ctx context.Context, logEntry *accesslogs.AccessLogEntry) error {
+	result := s.db.Create(logEntry)
+	if result.Error != nil {
+		log.WithContext(ctx).WithFields(log.Fields{
+			"proxy_id": logEntry.ProxyID,
+			"method":   logEntry.Method,
+			"host":     logEntry.Host,
+			"path":     logEntry.Path,
+		}).Errorf("failed to create access log entry in store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to create access log entry in store")
+	}
+	return nil
+}
+
+// GetAccountAccessLogs retrieves access logs for a given account with pagination and filtering
+func (s *SqlStore) GetAccountAccessLogs(ctx context.Context, lockStrength LockingStrength, accountID string, filter accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	var logs []*accesslogs.AccessLogEntry
+	var totalCount int64
+
+	baseQuery := s.db.WithContext(ctx).
+		Model(&accesslogs.AccessLogEntry{}).
+		Where(accountIDCondition, accountID)
+
+	baseQuery = s.applyAccessLogFilters(baseQuery, filter)
+
+	if err := baseQuery.Count(&totalCount).Error; err != nil {
+		log.WithContext(ctx).Errorf("failed to count access logs: %v", err)
+		return nil, 0, status.Errorf(status.Internal, "failed to count access logs")
+	}
+
+	query := s.db.WithContext(ctx).
+		Where(accountIDCondition, accountID)
+
+	query = s.applyAccessLogFilters(query, filter)
+
+	query = query.
+		Order("timestamp DESC").
+		Limit(filter.GetLimit()).
+		Offset(filter.GetOffset())
+
+	if lockStrength != LockingStrengthNone {
+		query = query.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	result := query.Find(&logs)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get access logs from store: %v", result.Error)
+		return nil, 0, status.Errorf(status.Internal, "failed to get access logs from store")
+	}
+
+	return logs, totalCount, nil
+}
+
+// applyAccessLogFilters applies filter conditions to the query
+func (s *SqlStore) applyAccessLogFilters(query *gorm.DB, filter accesslogs.AccessLogFilter) *gorm.DB {
+	if filter.Search != nil {
+		searchPattern := "%" + *filter.Search + "%"
+		query = query.Where(
+			"location_connection_ip LIKE ? OR host LIKE ? OR path LIKE ? OR CONCAT(host, path) LIKE ? OR user_id IN (SELECT id FROM users WHERE email LIKE ? OR name LIKE ?)",
+			searchPattern, searchPattern, searchPattern, searchPattern, searchPattern, searchPattern,
+		)
+	}
+
+	if filter.SourceIP != nil {
+		query = query.Where("location_connection_ip = ?", *filter.SourceIP)
+	}
+
+	if filter.Host != nil {
+		query = query.Where("host = ?", *filter.Host)
+	}
+
+	if filter.Path != nil {
+		// Support LIKE pattern for path filtering
+		query = query.Where("path LIKE ?", "%"+*filter.Path+"%")
+	}
+
+	if filter.UserID != nil {
+		query = query.Where("user_id = ?", *filter.UserID)
+	}
+
+	if filter.Method != nil {
+		query = query.Where("method = ?", *filter.Method)
+	}
+
+	if filter.Status != nil {
+		if *filter.Status == "success" {
+			query = query.Where("status_code >= ? AND status_code < ?", 200, 400)
+		} else if *filter.Status == "failed" {
+			query = query.Where("status_code < ? OR status_code >= ?", 200, 400)
+		}
+	}
+
+	if filter.StatusCode != nil {
+		query = query.Where("status_code = ?", *filter.StatusCode)
+	}
+
+	if filter.StartDate != nil {
+		query = query.Where("timestamp >= ?", *filter.StartDate)
+	}
+
+	if filter.EndDate != nil {
+		query = query.Where("timestamp <= ?", *filter.EndDate)
+	}
+
+	return query
+}
+
+func (s *SqlStore) GetReverseProxyTargetByTargetID(ctx context.Context, lockStrength LockingStrength, accountID string, targetID string) (*reverseproxy.Target, error) {
+	tx := s.db
+	if lockStrength != LockingStrengthNone {
+		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
+	}
+
+	var target *reverseproxy.Target
+	result := tx.Take(&target, "account_id = ? AND target_id = ?", accountID, targetID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.Errorf(status.NotFound, "reverse proxy target with ID %s not found", targetID)
+		}
+
+		log.WithContext(ctx).Errorf("failed to get reverse proxy target from store: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "failed to get reverse proxy target from store")
+	}
+
+	return target, nil
+}

management/server/store/store.go

@@ -23,6 +23,9 @@ import (
 	"gorm.io/gorm"
 
 	"github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -106,6 +109,12 @@ type Store interface {
 	SavePAT(ctx context.Context, pat *types.PersonalAccessToken) error
 	DeletePAT(ctx context.Context, userID, patID string) error
 
+	GetProxyAccessTokenByHashedToken(ctx context.Context, lockStrength LockingStrength, hashedToken types.HashedProxyToken) (*types.ProxyAccessToken, error)
+	GetAllProxyAccessTokens(ctx context.Context, lockStrength LockingStrength) ([]*types.ProxyAccessToken, error)
+	SaveProxyAccessToken(ctx context.Context, token *types.ProxyAccessToken) error
+	RevokeProxyAccessToken(ctx context.Context, tokenID string) error
+	MarkProxyAccessTokenUsed(ctx context.Context, tokenID string) error
+
 	GetAccountGroups(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*types.Group, error)
 	GetResourceGroups(ctx context.Context, lockStrength LockingStrength, accountID, resourceID string) ([]*types.Group, error)
 	GetGroupByID(ctx context.Context, lockStrength LockingStrength, accountID, groupID string) (*types.Group, error)
@@ -240,6 +249,25 @@ type Store interface {
 	MarkPendingJobsAsFailed(ctx context.Context, accountID, peerID, jobID, reason string) error
 	MarkAllPendingJobsAsFailed(ctx context.Context, accountID, peerID, reason string) error
 	GetPeerIDByKey(ctx context.Context, lockStrength LockingStrength, key string) (string, error)
+
+	CreateReverseProxy(ctx context.Context, service *reverseproxy.ReverseProxy) error
+	UpdateReverseProxy(ctx context.Context, service *reverseproxy.ReverseProxy) error
+	DeleteReverseProxy(ctx context.Context, accountID, serviceID string) error
+	GetReverseProxyByID(ctx context.Context, lockStrength LockingStrength, accountID, serviceID string) (*reverseproxy.ReverseProxy, error)
+	GetReverseProxyByDomain(ctx context.Context, accountID, domain string) (*reverseproxy.ReverseProxy, error)
+	GetReverseProxies(ctx context.Context, lockStrength LockingStrength) ([]*reverseproxy.ReverseProxy, error)
+	GetAccountReverseProxies(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*reverseproxy.ReverseProxy, error)
+
+	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error)
+	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
+	ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error)
+	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error)
+	UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error)
+	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
+
+	CreateAccessLog(ctx context.Context, log *accesslogs.AccessLogEntry) error
+	GetAccountAccessLogs(ctx context.Context, lockStrength LockingStrength, accountID string, filter accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error)
+	GetReverseProxyTargetByTargetID(ctx context.Context, lockStrength LockingStrength, accountID string, targetID string) (*reverseproxy.Target, error)
 }
 
 const (

management/server/testdata/auth_callback.sql

@@ -0,0 +1,17 @@
+-- Schema definitions (must match GORM auto-migrate order)
+CREATE TABLE `accounts` (`id` text,`created_by` text,`created_at` datetime,`domain` text,`domain_category` text,`is_domain_primary_account` numeric,`network_identifier` text,`network_net` text,`network_dns` text,`network_serial` integer,`dns_settings_disabled_management_groups` text,`settings_peer_login_expiration_enabled` numeric,`settings_peer_login_expiration` integer,`settings_regular_users_view_blocked` numeric,`settings_groups_propagation_enabled` numeric,`settings_jwt_groups_enabled` numeric,`settings_jwt_groups_claim_name` text,`settings_jwt_allow_groups` text,`settings_extra_peer_approval_enabled` numeric,`settings_extra_integrated_validator_groups` text,PRIMARY KEY (`id`));
+CREATE TABLE `groups` (`id` text,`account_id` text,`name` text,`issued` text,`peers` text,`integration_ref_id` integer,`integration_ref_integration_type` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_groups_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
+CREATE TABLE `users` (`id` text,`account_id` text,`role` text,`is_service_user` numeric,`non_deletable` numeric,`service_user_name` text,`auto_groups` text,`blocked` numeric,`last_login` datetime DEFAULT NULL,`created_at` datetime,`issued` text DEFAULT "api",`integration_ref_id` integer,`integration_ref_integration_type` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_users_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
+
+-- Test accounts
+INSERT INTO accounts VALUES('testAccountId','','2024-10-02 16:01:38.000000000+00:00','test.com','private',1,'testNetworkIdentifier','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
+INSERT INTO accounts VALUES('otherAccountId','','2024-10-02 16:01:38.000000000+00:00','other.com','private',1,'otherNetworkIdentifier','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
+
+-- Test groups
+INSERT INTO "groups" VALUES('allowedGroupId','testAccountId','Allowed Group','api','[]',0,'');
+INSERT INTO "groups" VALUES('restrictedGroupId','testAccountId','Restricted Group','api','[]',0,'');
+
+-- Test users
+INSERT INTO users VALUES('allowedUserId','testAccountId','user',0,0,'','["allowedGroupId"]',0,NULL,'2024-10-02 16:01:38.000000000+00:00','api',0,'');
+INSERT INTO users VALUES('nonGroupUserId','testAccountId','user',0,0,'','[]',0,NULL,'2024-10-02 16:01:38.000000000+00:00','api',0,'');
+INSERT INTO users VALUES('otherAccountUserId','otherAccountId','user',0,0,'','["allowedGroupId"]',0,NULL,'2024-10-02 16:01:38.000000000+00:00','api',0,'');