diff --git a/app/controllers/admin/forward_auth_rules_controller.rb b/app/controllers/admin/forward_auth_rules_controller.rb
index 740df3e..17c1b4c 100644
--- a/app/controllers/admin/forward_auth_rules_controller.rb
+++ b/app/controllers/admin/forward_auth_rules_controller.rb
@@ -17,6 +17,8 @@ module Admin
 
     def create
       @forward_auth_rule = ForwardAuthRule.new(forward_auth_rule_params)
+      # Handle headers configuration
+      @forward_auth_rule.headers_config = process_headers_config(params[:headers_config])
 
       if @forward_auth_rule.save
         # Handle group assignments
@@ -38,6 +40,10 @@ module Admin
 
     def update
       if @forward_auth_rule.update(forward_auth_rule_params)
+        # Handle headers configuration
+        @forward_auth_rule.headers_config = process_headers_config(params[:headers_config])
+        @forward_auth_rule.save!
+
         # Handle group assignments
         if params[:forward_auth_rule][:group_ids].present?
           group_ids = params[:forward_auth_rule][:group_ids].reject(&:blank?)
@@ -67,5 +73,12 @@ module Admin
     def forward_auth_rule_params
       params.require(:forward_auth_rule).permit(:domain_pattern, :active)
     end
+
+    def process_headers_config(headers_params)
+      return {} unless headers_params.is_a?(Hash)
+
+      # Clean up headers config - remove empty values, keep only filled ones
+      headers_params.select { |key, value| value.present? }.symbolize_keys
+    end
   end
 end
\ No newline at end of file
diff --git a/app/controllers/api/forward_auth_controller.rb b/app/controllers/api/forward_auth_controller.rb
index 7678061..51603bd 100644
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -64,19 +64,27 @@ module Api
       end
 
       # User is authenticated and authorized
-      # Return 200 with user information headers
-      response.headers["Remote-User"] = user.email_address
-      response.headers["Remote-Email"] = user.email_address
-      response.headers["Remote-Name"] = user.email_address
+      # Return 200 with user information headers using rule-specific configuration
+      headers = rule ? rule.headers_for_user(user) : ForwardAuthRule::DEFAULT_HEADERS.map { |key, header_name|
+        case key
+        when :user, :email, :name
+          [header_name, user.email_address]
+        when :groups
+          user.groups.any? ? [header_name, user.groups.pluck(:name).join(",")] : nil
+        when :admin
+          [header_name, user.admin? ? "true" : "false"]
+        end
+      }.compact.to_h
 
-      # Add groups if user has any
-      if user.groups.any?
-        response.headers["Remote-Groups"] = user.groups.pluck(:name).join(",")
+      headers.each { |key, value| response.headers[key] = value }
+
+      # Log what headers we're sending (helpful for debugging)
+      if headers.any?
+        Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(', ')}"
+      else
+        Rails.logger.debug "ForwardAuth: No headers sent (access only)"
       end
 
-      # Add admin flag
-      response.headers["Remote-Admin"] = user.admin? ? "true" : "false"
-
       # Return 200 OK with no body
       head :ok
     end
diff --git a/app/models/forward_auth_rule.rb b/app/models/forward_auth_rule.rb
index fef753e..19f86c2 100644
--- a/app/models/forward_auth_rule.rb
+++ b/app/models/forward_auth_rule.rb
@@ -7,6 +7,15 @@ class ForwardAuthRule < ApplicationRecord
 
   normalizes :domain_pattern, with: ->(pattern) { pattern.strip.downcase }
 
+  # Default header configuration
+  DEFAULT_HEADERS = {
+    user: 'X-Remote-User',
+    email: 'X-Remote-Email',
+    name: 'X-Remote-Name',
+    groups: 'X-Remote-Groups',
+    admin: 'X-Remote-Admin'
+  }.freeze
+
   # Scopes
   scope :active, -> { where(active: true) }
   scope :ordered, -> { order(domain_pattern: :asc) }
@@ -50,4 +59,36 @@ class ForwardAuthRule < ApplicationRecord
       'deny'
     end
   end
+
+  # Get effective header configuration (rule-specific + defaults)
+  def effective_headers
+    DEFAULT_HEADERS.merge((headers_config || {}).symbolize_keys)
+  end
+
+  # Generate headers for a specific user
+  def headers_for_user(user)
+    headers = {}
+    effective = effective_headers
+
+    # Only generate headers that are configured (not set to nil/false)
+    effective.each do |key, header_name|
+      next unless header_name.present?  # Skip disabled headers
+
+      case key
+      when :user, :email, :name
+        headers[header_name] = user.email_address
+      when :groups
+        headers[header_name] = user.groups.pluck(:name).join(",") if user.groups.any?
+      when :admin
+        headers[header_name] = user.admin? ? "true" : "false"
+      end
+    end
+
+    headers
+  end
+
+  # Check if all headers are disabled
+  def headers_disabled?
+    headers_config.present? && effective_headers.values.all?(&:blank?)
+  end
 end
diff --git a/app/views/admin/applications/index.html.erb b/app/views/admin/applications/index.html.erb
index 30f27fe..49be1b8 100644
--- a/app/views/admin/applications/index.html.erb
+++ b/app/views/admin/applications/index.html.erb
@@ -56,9 +56,11 @@
                 <% end %>
               </td>
               <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-0">
-                <%= link_to "View", admin_application_path(application), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= link_to "Edit", edit_admin_application_path(application), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= button_to "Delete", admin_application_path(application), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this application?" }, class: "text-red-600 hover:text-red-900" %>
+                <div class="flex justify-end space-x-3">
+                  <%= link_to "View", admin_application_path(application), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= link_to "Edit", edit_admin_application_path(application), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= button_to "Delete", admin_application_path(application), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this application?" }, class: "text-red-600 hover:text-red-900 whitespace-nowrap" %>
+                </div>
               </td>
             </tr>
           <% end %>
diff --git a/app/views/admin/forward_auth_rules/edit.html.erb b/app/views/admin/forward_auth_rules/edit.html.erb
index 7796ccb..6c3d302 100644
--- a/app/views/admin/forward_auth_rules/edit.html.erb
+++ b/app/views/admin/forward_auth_rules/edit.html.erb
@@ -45,6 +45,75 @@
               Select groups that are allowed to access this domain. If no groups are selected, all authenticated users will be allowed access (bypass).
             </p>
           </div>
+
+          <div class="col-span-full">
+            <div class="block text-sm font-medium leading-6 text-gray-900 mb-4">
+              HTTP Headers Configuration
+            </div>
+            <div class="mt-2 space-y-4">
+              <div class="grid grid-cols-1 gap-y-4 sm:grid-cols-2 sm:gap-x-4">
+                <div>
+                  <%= label_tag "headers_config[user]", "User Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[user]", @forward_auth_rule.headers_config&.dig(:user) || ForwardAuthRule::DEFAULT_HEADERS[:user],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-User" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user identity</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[email]", "Email Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[email]", @forward_auth_rule.headers_config&.dig(:email) || ForwardAuthRule::DEFAULT_HEADERS[:email],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Email" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user email</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[name]", "Name Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[name]", @forward_auth_rule.headers_config&.dig(:name) || ForwardAuthRule::DEFAULT_HEADERS[:name],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Name" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user display name</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[groups]", "Groups Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[groups]", @forward_auth_rule.headers_config&.dig(:groups) || ForwardAuthRule::DEFAULT_HEADERS[:groups],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Groups" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user groups (comma-separated)</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[admin]", "Admin Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[admin]", @forward_auth_rule.headers_config&.dig(:admin) || ForwardAuthRule::DEFAULT_HEADERS[:admin],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Admin" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for admin status (true/false)</p>
+                </div>
+              </div>
+
+              <div class="mt-4 p-4 bg-blue-50 rounded-lg">
+                <h4 class="text-sm font-medium text-blue-900 mb-2">Header Configuration Options:</h4>
+                <ul class="text-sm text-blue-700 space-y-1">
+                  <li>• <strong>Default headers:</strong> Use standard headers like Remote-User, Remote-Email</li>
+                  <li>• <strong>X- prefixed:</strong> Use X-Remote-User, X-Remote-Email, etc.</li>
+                  <li>• <strong>Custom:</strong> Use application-specific headers</li>
+                  <li>• <strong>No headers:</strong> Leave fields empty for access-only (like Metube)</li>
+                </ul>
+              </div>
+            </div>
+          </div>
         </div>
       </div>
     </div>
diff --git a/app/views/admin/forward_auth_rules/index.html.erb b/app/views/admin/forward_auth_rules/index.html.erb
index b8e4a74..1fdc91d 100644
--- a/app/views/admin/forward_auth_rules/index.html.erb
+++ b/app/views/admin/forward_auth_rules/index.html.erb
@@ -1,89 +1,68 @@
-<% content_for :title, "Forward Auth Rules" %>
-
 <div class="sm:flex sm:items-center">
   <div class="sm:flex-auto">
-    <h1 class="text-base font-semibold leading-6 text-gray-900">Forward Auth Rules</h1>
-    <p class="mt-2 text-sm text-gray-700">A list of all forward authentication rules for domain-based access control.</p>
+    <h1 class="text-2xl font-semibold text-gray-900">Forward Auth Rules</h1>
+    <p class="mt-2 text-sm text-gray-700">Manage forward authentication rules for domain-based access control.</p>
   </div>
-  <div class="mt-4 sm:ml-16 sm:mt-0 sm:flex-none">
-    <%= link_to "Add rule", new_admin_forward_auth_rule_path, class: "block rounded-md bg-blue-600 px-3 py-2 text-center text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
+  <div class="mt-4 sm:mt-0 sm:ml-16 sm:flex-none">
+    <%= link_to "New Rule", new_admin_forward_auth_rule_path, class: "block rounded-md bg-blue-600 px-3 py-2 text-center text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
   </div>
 </div>
 
 <div class="mt-8 flow-root">
   <div class="-mx-4 -my-2 overflow-x-auto sm:-mx-6 lg:-mx-8">
     <div class="inline-block min-w-full py-2 align-middle sm:px-6 lg:px-8">
-      <% if @forward_auth_rules.any? %>
-        <div class="overflow-hidden shadow ring-1 ring-black ring-opacity-5 md:rounded-lg">
-          <table class="min-w-full divide-y divide-gray-300">
-            <thead class="bg-gray-50">
-              <tr>
-                <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-6">Domain Pattern</th>
-                <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Groups</th>
-                <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Status</th>
-                <th scope="col" class="relative py-3.5 pl-3 pr-4 sm:pr-6">
-                  <span class="sr-only">Actions</span>
-                </th>
-              </tr>
-            </thead>
-            <tbody class="divide-y divide-gray-200 bg-white">
-              <% @forward_auth_rules.each do |rule| %>
-                <tr>
-                  <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 sm:pl-6">
-                    <%= rule.domain_pattern %>
-                  </td>
-                  <td class="px-3 py-4 text-sm text-gray-500">
-                    <% if rule.allowed_groups.any? %>
-                      <div class="flex flex-wrap gap-1">
-                        <% rule.allowed_groups.each do |group| %>
-                          <span class="inline-flex items-center rounded-md bg-blue-50 px-2 py-1 text-xs font-medium text-blue-700">
-                            <%= group.name %>
-                          </span>
-                        <% end %>
-                      </div>
-                    <% else %>
-                      <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                        Bypass (All Users)
-                      </span>
-                    <% end %>
-                  </td>
-                  <td class="px-3 py-4 text-sm text-gray-500">
-                    <% if rule.active? %>
-                      <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                        Active
-                      </span>
-                    <% else %>
-                      <span class="inline-flex items-center rounded-md bg-red-50 px-2 py-1 text-xs font-medium text-red-700">
-                        Inactive
-                      </span>
-                    <% end %>
-                  </td>
-                  <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-6">
-                    <%= link_to "Edit", edit_admin_forward_auth_rule_path(rule), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                    <%= link_to "Delete", admin_forward_auth_rule_path(rule),
-                        data: {
-                          turbo_method: :delete,
-                          turbo_confirm: "Are you sure you want to delete this forward auth rule?"
-                        },
-                        class: "text-red-600 hover:text-red-900" %>
-                  </td>
-                </tr>
-              <% end %>
-            </tbody>
-          </table>
-        </div>
-      <% else %>
-        <div class="text-center py-12">
-          <svg class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
-          </svg>
-          <h3 class="mt-2 text-sm font-semibold text-gray-900">No forward auth rules</h3>
-          <p class="mt-1 text-sm text-gray-500">Get started by creating a new forward authentication rule.</p>
-          <div class="mt-6">
-            <%= link_to "Add rule", new_admin_forward_auth_rule_path, class: "inline-flex items-center rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
-          </div>
-        </div>
-      <% end %>
+      <table class="min-w-full divide-y divide-gray-300">
+        <thead>
+          <tr>
+            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Domain Pattern</th>
+            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Headers</th>
+            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Groups</th>
+            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Status</th>
+            <th scope="col" class="relative py-3.5 pl-3 pr-4 sm:pr-0">
+              <span class="sr-only">Actions</span>
+            </th>
+          </tr>
+        </thead>
+        <tbody class="divide-y divide-gray-200">
+          <% @forward_auth_rules.each do |rule| %>
+            <tr>
+              <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 sm:pl-0">
+                <%= link_to rule.domain_pattern, admin_forward_auth_rule_path(rule), class: "text-blue-600 hover:text-blue-900" %>
+              </td>
+              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
+                <% if rule.headers_config.blank? %>
+                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Default</span>
+                <% elsif rule.headers_config.values.all?(&:blank?) %>
+                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">None</span>
+                <% else %>
+                  <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Custom</span>
+                <% end %>
+              </td>
+              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
+                <% if rule.allowed_groups.empty? %>
+                  <span class="text-gray-400">All users</span>
+                <% else %>
+                  <%= rule.allowed_groups.count %> groups
+                <% end %>
+              </td>
+              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
+                <% if rule.active? %>
+                  <span class="inline-flex items-center rounded-full bg-green-100 px-2 py-1 text-xs font-medium text-green-700">Active</span>
+                <% else %>
+                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Inactive</span>
+                <% end %>
+              </td>
+              <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-0">
+                <div class="flex justify-end space-x-3">
+                  <%= link_to "View", admin_forward_auth_rule_path(rule), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= link_to "Edit", edit_admin_forward_auth_rule_path(rule), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= button_to "Delete", admin_forward_auth_rule_path(rule), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this forward auth rule?" }, class: "text-red-600 hover:text-red-900 whitespace-nowrap" %>
+                </div>
+              </td>
+            </tr>
+          <% end %>
+        </tbody>
+      </table>
     </div>
   </div>
 </div>
\ No newline at end of file
diff --git a/app/views/admin/forward_auth_rules/new.html.erb b/app/views/admin/forward_auth_rules/new.html.erb
index 7f15374..cd3f16d 100644
--- a/app/views/admin/forward_auth_rules/new.html.erb
+++ b/app/views/admin/forward_auth_rules/new.html.erb
@@ -45,6 +45,75 @@
               Select groups that are allowed to access this domain. If no groups are selected, all authenticated users will be allowed access (bypass).
             </p>
           </div>
+
+          <div class="col-span-full">
+            <div class="block text-sm font-medium leading-6 text-gray-900 mb-4">
+              HTTP Headers Configuration
+            </div>
+            <div class="mt-2 space-y-4">
+              <div class="grid grid-cols-1 gap-y-4 sm:grid-cols-2 sm:gap-x-4">
+                <div>
+                  <%= label_tag "headers_config[user]", "User Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[user]", @forward_auth_rule.headers_config&.dig(:user) || ForwardAuthRule::DEFAULT_HEADERS[:user],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-User" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user identity</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[email]", "Email Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[email]", @forward_auth_rule.headers_config&.dig(:email) || ForwardAuthRule::DEFAULT_HEADERS[:email],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Email" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user email</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[name]", "Name Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[name]", @forward_auth_rule.headers_config&.dig(:name) || ForwardAuthRule::DEFAULT_HEADERS[:name],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Name" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user display name</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[groups]", "Groups Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[groups]", @forward_auth_rule.headers_config&.dig(:groups) || ForwardAuthRule::DEFAULT_HEADERS[:groups],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Groups" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for user groups (comma-separated)</p>
+                </div>
+
+                <div>
+                  <%= label_tag "headers_config[admin]", "Admin Header", class: "block text-sm font-medium leading-6 text-gray-900" %>
+                  <div class="mt-2">
+                    <%= text_field_tag "headers_config[admin]", @forward_auth_rule.headers_config&.dig(:admin) || ForwardAuthRule::DEFAULT_HEADERS[:admin],
+                        class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6",
+                        placeholder: "Remote-Admin" %>
+                  </div>
+                  <p class="mt-1 text-xs text-gray-500">Header name for admin status (true/false)</p>
+                </div>
+              </div>
+
+              <div class="mt-4 p-4 bg-blue-50 rounded-lg">
+                <h4 class="text-sm font-medium text-blue-900 mb-2">Header Configuration Options:</h4>
+                <ul class="text-sm text-blue-700 space-y-1">
+                  <li>• <strong>Default headers:</strong> Use standard headers like Remote-User, Remote-Email</li>
+                  <li>• <strong>X- prefixed:</strong> Use X-Remote-User, X-Remote-Email, etc.</li>
+                  <li>• <strong>Custom:</strong> Use application-specific headers</li>
+                  <li>• <strong>No headers:</strong> Leave fields empty for access-only (like Metube)</li>
+                </ul>
+              </div>
+            </div>
+          </div>
         </div>
       </div>
     </div>
diff --git a/app/views/admin/forward_auth_rules/show.html.erb b/app/views/admin/forward_auth_rules/show.html.erb
index 4767eaf..6e1953e 100644
--- a/app/views/admin/forward_auth_rules/show.html.erb
+++ b/app/views/admin/forward_auth_rules/show.html.erb
@@ -1,110 +1,115 @@
-<% content_for :title, "Forward Auth Rule: #{@forward_auth_rule.domain_pattern}" %>
-
-<div class="md:flex md:items-center md:justify-between">
-  <div class="min-w-0 flex-1">
-    <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:truncate sm:text-3xl sm:tracking-tight">
-      <%= @forward_auth_rule.domain_pattern %>
-    </h2>
-  </div>
-  <div class="mt-4 flex md:ml-4 md:mt-0">
-    <%= link_to "Edit", edit_admin_forward_auth_rule_path(@forward_auth_rule), class: "inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
-    <%= link_to "Delete", admin_forward_auth_rule_path(@forward_auth_rule),
-        data: {
-          turbo_method: :delete,
-          turbo_confirm: "Are you sure you want to delete this forward auth rule?"
-        },
-        class: "ml-3 inline-flex items-center rounded-md bg-red-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-red-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-red-600" %>
+<div class="mb-6">
+  <div class="sm:flex sm:items-center sm:justify-between">
+    <div>
+      <h1 class="text-2xl font-semibold text-gray-900"><%= @forward_auth_rule.domain_pattern %></h1>
+      <p class="mt-1 text-sm text-gray-500">Forward authentication rule for domain-based access control</p>
+    </div>
+    <div class="mt-4 sm:mt-0 flex gap-3">
+      <%= link_to "Edit", edit_admin_forward_auth_rule_path(@forward_auth_rule), class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
+      <%= button_to "Delete", admin_forward_auth_rule_path(@forward_auth_rule), method: :delete, data: { turbo_confirm: "Are you sure?" }, class: "rounded-md bg-red-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-red-500" %>
+    </div>
   </div>
 </div>
 
-<div class="mt-8">
-  <div class="bg-white shadow overflow-hidden sm:rounded-lg">
-    <div class="px-4 py-5 sm:px-6">
-      <h3 class="text-lg leading-6 font-medium text-gray-900">Rule Details</h3>
-      <p class="mt-1 max-w-2xl text-sm text-gray-500">Forward authentication rule configuration.</p>
-    </div>
-    <div class="border-t border-gray-200">
-      <dl>
-        <div class="bg-gray-50 px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
+<div class="space-y-6">
+  <!-- Basic Information -->
+  <div class="bg-white shadow sm:rounded-lg">
+    <div class="px-4 py-5 sm:p-6">
+      <h3 class="text-base font-semibold leading-6 text-gray-900 mb-4">Basic Information</h3>
+      <dl class="grid grid-cols-1 gap-x-4 gap-y-6 sm:grid-cols-2">
+        <div>
           <dt class="text-sm font-medium text-gray-500">Domain Pattern</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <code class="bg-gray-100 px-2 py-1 rounded text-sm"><%= @forward_auth_rule.domain_pattern %></code>
-          </dd>
+          <dd class="mt-1 text-sm text-gray-900"><code class="bg-gray-100 px-2 py-1 rounded"><%= @forward_auth_rule.domain_pattern %></code></dd>
         </div>
-        <div class="bg-white px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
+        <div>
           <dt class="text-sm font-medium text-gray-500">Status</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
+          <dd class="mt-1 text-sm text-gray-900">
             <% if @forward_auth_rule.active? %>
-              <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                Active
-              </span>
+              <span class="inline-flex items-center rounded-full bg-green-100 px-2 py-1 text-xs font-medium text-green-700">Active</span>
             <% else %>
-              <span class="inline-flex items-center rounded-md bg-red-50 px-2 py-1 text-xs font-medium text-red-700">
-                Inactive
-              </span>
+              <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Inactive</span>
             <% end %>
           </dd>
         </div>
-        <div class="bg-gray-50 px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Access Policy</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <% if @allowed_groups.any? %>
-              <div class="space-y-2">
-                <p class="text-sm">Only users in these groups are allowed access:</p>
-                <div class="flex flex-wrap gap-2">
-                  <% @allowed_groups.each do |group| %>
-                    <span class="inline-flex items-center rounded-md bg-blue-50 px-2 py-1 text-xs font-medium text-blue-700">
-                      <%= group.name %>
-                    </span>
-                  <% end %>
-                </div>
-              </div>
+        <div>
+          <dt class="text-sm font-medium text-gray-500">Headers Configuration</dt>
+          <dd class="mt-1 text-sm text-gray-900">
+            <% if @forward_auth_rule.headers_config.blank? %>
+              <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Default</span>
+            <% elsif @forward_auth_rule.headers_config.values.all?(&:blank?) %>
+              <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">None</span>
             <% else %>
-              <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                Bypass - All authenticated users allowed
-              </span>
+              <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Custom</span>
             <% end %>
           </dd>
         </div>
-        <div class="bg-white px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Created</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <%= @forward_auth_rule.created_at.strftime("%B %d, %Y at %I:%M %p") %>
-          </dd>
-        </div>
-        <div class="bg-gray-50 px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Last Updated</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <%= @forward_auth_rule.updated_at.strftime("%B %d, %Y at %I:%M %p") %>
-          </dd>
-        </div>
       </dl>
     </div>
   </div>
-</div>
 
-<div class="mt-8">
-  <div class="bg-blue-50 border-l-4 border-blue-400 p-4">
-    <div class="flex">
-      <div class="flex-shrink-0">
-        <svg class="h-5 w-5 text-blue-400" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
-          <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
-        </svg>
-      </div>
-      <div class="ml-3">
-        <h3 class="text-sm font-medium text-blue-800">How this rule works</h3>
-        <div class="mt-2 text-sm text-blue-700">
-          <ul class="list-disc list-inside space-y-1">
-            <li>This rule matches domains that fit the pattern: <code class="bg-blue-100 px-1 rounded"><%= @forward_auth_rule.domain_pattern %></code></li>
-            <% if @allowed_groups.any? %>
-              <li>Only users belonging to the specified groups will be granted access</li>
-              <li>Users will be required to authenticate with password (and 2FA if enabled)</li>
-            <% else %>
-              <li>All authenticated users will be granted access (bypass mode)</li>
+  <!-- Header Configuration -->
+  <div class="bg-white shadow sm:rounded-lg">
+    <div class="px-4 py-5 sm:p-6">
+      <h3 class="text-base font-semibold leading-6 text-gray-900 mb-4">Header Configuration</h3>
+      <div class="space-y-4">
+        <% effective_headers = @forward_auth_rule.effective_headers %>
+
+        <% if effective_headers.empty? %>
+          <div class="rounded-md bg-gray-50 p-4">
+            <div class="flex">
+              <div class="ml-3">
+                <p class="text-sm text-gray-700">
+                  No headers configured - access control only.
+                </p>
+              </div>
+            </div>
+          </div>
+        <% else %>
+          <dl class="space-y-4">
+            <% effective_headers.each do |key, header_name| %>
+              <div>
+                <dt class="text-sm font-medium text-gray-500"><%= key.to_s.capitalize %></dt>
+                <dd class="mt-1 text-sm text-gray-900">
+                  <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= header_name %></code>
+                </dd>
+              </div>
             <% end %>
-            <li>Inactive rules are ignored during authentication</li>
-          </ul>
-        </div>
+          </dl>
+        <% end %>
+      </div>
+    </div>
+  </div>
+
+  <!-- Group Access Control -->
+  <div class="bg-white shadow sm:rounded-lg">
+    <div class="px-4 py-5 sm:p-6">
+      <h3 class="text-base font-semibold leading-6 text-gray-900 mb-4">Access Control</h3>
+      <div>
+        <dt class="text-sm font-medium text-gray-500 mb-2">Allowed Groups</dt>
+        <dd class="mt-1 text-sm text-gray-900">
+          <% if @allowed_groups.empty? %>
+            <div class="rounded-md bg-blue-50 p-4">
+              <div class="flex">
+                <div class="ml-3">
+                  <p class="text-sm text-blue-700">
+                    No groups assigned - all active users can access this domain.
+                  </p>
+                </div>
+              </div>
+            </div>
+          <% else %>
+            <ul class="divide-y divide-gray-200 border border-gray-200 rounded-md">
+              <% @allowed_groups.each do |group| %>
+                <li class="px-4 py-3 flex items-center justify-between">
+                  <div>
+                    <p class="text-sm font-medium text-gray-900"><%= group.name %></p>
+                    <p class="text-xs text-gray-500"><%= pluralize(group.users.count, "member") %></p>
+                  </div>
+                </li>
+              <% end %>
+            </ul>
+          <% end %>
+        </dd>
       </div>
     </div>
   </div>
diff --git a/app/views/invitations_mailer/invite_user.html.erb b/app/views/invitations_mailer/invite_user.html.erb
new file mode 100644
index 0000000..9e2c21f
--- /dev/null
+++ b/app/views/invitations_mailer/invite_user.html.erb
@@ -0,0 +1,12 @@
+<p>
+  You've been invited to join Clinch! To set up your account and create your password, please visit
+  <%= link_to "this invitation page", invite_url(@user.invitation_login_token) %>.
+</p>
+
+<p>
+  This invitation link will expire in <%= distance_of_time_in_words(0, @user.invitation_login_token_expires_in) %>.
+</p>
+
+<p>
+  If you didn't expect this invitation, you can safely ignore this email.
+</p>
\ No newline at end of file
diff --git a/app/views/invitations_mailer/invite_user.text.erb b/app/views/invitations_mailer/invite_user.text.erb
new file mode 100644
index 0000000..572a1fc
--- /dev/null
+++ b/app/views/invitations_mailer/invite_user.text.erb
@@ -0,0 +1,8 @@
+You've been invited to join Clinch!
+
+To set up your account and create your password, please visit:
+#{invite_url(@user.invitation_login_token)}
+
+This invitation link will expire in #{distance_of_time_in_words(0, @user.invitation_login_token_expires_in)}.
+
+If you didn't expect this invitation, you can safely ignore this email.
\ No newline at end of file
diff --git a/db/migrate/20251026033102_add_headers_config_to_forward_auth_rule.rb b/db/migrate/20251026033102_add_headers_config_to_forward_auth_rule.rb
new file mode 100644
index 0000000..0ae9182
--- /dev/null
+++ b/db/migrate/20251026033102_add_headers_config_to_forward_auth_rule.rb
@@ -0,0 +1,5 @@
+class AddHeadersConfigToForwardAuthRule < ActiveRecord::Migration[8.1]
+  def change
+    add_column :forward_auth_rules, :headers_config, :json, default: {}, null: false
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 942fff7..62d0433 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.1].define(version: 2025_10_24_055739) do
+ActiveRecord::Schema[8.1].define(version: 2025_10_26_033102) do
   create_table "application_groups", force: :cascade do |t|
     t.integer "application_id", null: false
     t.datetime "created_at", null: false
@@ -68,6 +68,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_24_055739) do
     t.boolean "active"
     t.datetime "created_at", null: false
     t.string "domain_pattern"
+    t.json "headers_config", default: {}, null: false
     t.integer "policy"
     t.datetime "updated_at", null: false
   end
diff --git a/docs/forward-auth.md b/docs/forward-auth.md
new file mode 100644
index 0000000..ffc39ce
--- /dev/null
+++ b/docs/forward-auth.md
@@ -0,0 +1,153 @@
+# Forward Authentication
+
+References:
+- https://www.reddit.com/r/selfhosted/comments/1hybe81/i_wanted_to_implement_my_own_forward_auth_proxy/
+- https://www.kevinsimper.dk/posts/implementing-a-forward_auth-proxy-tips-and-details
+
+## Overview
+
+Forward authentication allows a reverse proxy (like Caddy, Nginx, Traefik) to delegate authentication decisions to a separate service. Clinch implements this pattern to provide SSO for multiple applications.
+
+## Key Implementation Details
+
+### Tip 1: Forward URL Configuration ✅
+
+Clinch includes the original destination URL in the redirect parameters:
+
+```ruby
+login_params = {
+  rd: original_url,    # redirect destination
+  rm: request.method   # request method
+}
+login_url = "#{base_url}/signin?#{login_params.to_query}"
+```
+
+Example: `https://clinch.aapamilne.com/signin?rd=https://metube.aapamilne.com/&rm=GET`
+
+### Tip 2: Root Domain Cookies ✅
+
+Clinch sets authentication cookies on the root domain to enable cross-subdomain authentication:
+
+```ruby
+def extract_root_domain(host)
+  # clinch.aapamilne.com -> .aapamilne.com
+  # app.example.co.uk -> .example.co.uk
+  # localhost -> nil (no domain restriction)
+end
+
+cookies.signed.permanent[:session_id] = {
+  value: session.id,
+  httponly: true,
+  same_site: :lax,
+  secure: Rails.env.production?,
+  domain: ".aapamilne.com"  # Available to all subdomains
+}
+```
+
+This allows the same session cookie to work across:
+- `clinch.aapamilne.com` (auth service)
+- `metube.aapamilne.com` (protected app)
+- `sonarr.aapamilne.com` (protected app)
+
+## Authelia Analysis
+
+### Implementation Comparison
+
+**Authelia Approach (from analysis of `tmp/authelia/`):**
+- Returns `302 Found` or `303 See Other` with `Location` header
+- Direct browser redirects (bypasses some proxy logic)
+- Uses StatusFound (302) or StatusSeeOther (303)
+
+**Clinch Current Implementation:**
+- Returns `302 Found` directly to login URL (matching Authelia)
+- Includes `rd` (redirect destination) and `rm` (request method) parameters
+- Uses root domain cookies for cross-subdomain authentication
+
+## How Clinch Forward Auth Works
+
+### Authentication Flow
+
+1. **User visits** `https://metube.aapamilne.com/`
+2. **Caddy forwards** to `http://clinch:9000/api/verify?rd=https://clinch.aapamilne.com`
+3. **Clinch checks session**:
+   - **If authenticated**: Returns `200 OK` with user headers
+   - **If not authenticated**: Returns `302 Found` to login URL with redirect parameters
+4. **Browser follows redirect** to Clinch login page
+5. **User logs in** → gets redirected back to original MEtube URL
+6. **Caddy tries again** → succeeds and forwards to MEtube
+
+### Response Headers
+
+**Successful Authentication (200 OK):**
+```
+Remote-User: user@example.com
+Remote-Email: user@example.com
+Remote-Groups: media-managers,users
+Remote-Admin: false
+```
+
+**Redirect to Login (302 Found):**
+```
+Location: https://clinch.aapamilne.com/signin?rd=https://metube.aapamilne.com/&rm=GET
+```
+
+## Caddy Configuration
+
+```caddyfile
+# Clinch SSO (main authentication server)
+clinch.aapamilne.com {
+    reverse_proxy clinch:9000
+}
+
+# MEtube (protected by Clinch)
+metube.aapamilne.com {
+    forward_auth clinch:9000 {
+        uri /api/verify?rd=https://clinch.aapamilne.com
+        copy_headers Remote-User Remote-Email Remote-Groups Remote-Admin
+    }
+
+    handle {
+        reverse_proxy * {
+            to http://192.168.2.223:8081
+            header_up X-Real-IP {remote_host}
+        }
+    }
+}
+```
+
+## Key Files
+
+- **Forward Auth Controller**: `app/controllers/api/forward_auth_controller.rb`
+- **Authentication Logic**: `app/controllers/concerns/authentication.rb`
+- **Caddy Examples**: `docs/caddy-example.md`
+- **Authelia Analysis**: `docs/authelia-forward-auth.md`
+
+## Testing
+
+```bash
+# Test forward auth endpoint directly
+curl -v http://localhost:9000/api/verify?rd=https://clinch.aapamilne.com
+
+# Should return 302 redirect to login page
+# Or 200 OK if you have a valid session cookie
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Authentication Loop**: Check that cookies are set on the root domain
+2. **Session Not Shared**: Verify `extract_root_domain` is working correctly
+3. **Caddy Connection**: Ensure `clinch:9000` resolves from your Caddy container
+
+### Debug Logging
+
+Enable debug logging in `forward_auth_controller.rb` to see:
+- Headers received from Caddy
+- Domain extraction results
+- Redirect URLs being generated
+
+```ruby
+Rails.logger.info "ForwardAuth Headers: Host=#{host}, X-Forwarded-Host=#{original_host}"
+Rails.logger.info "Setting 302 redirect to: #{login_url}"
+```
\ No newline at end of file