diff --git a/app/(main)/configurations/prompt-editor/page.tsx b/app/(main)/configurations/prompt-editor/page.tsx
index 7e4b4e0..029569d 100644
--- a/app/(main)/configurations/prompt-editor/page.tsx
+++ b/app/(main)/configurations/prompt-editor/page.tsx
@@ -368,10 +368,7 @@ function PromptEditorContent() {
   };
 
   return (
-    <div
-      className="w-full h-screen flex flex-col"
-      style={{ backgroundColor: colors.bg.secondary }}
-    >
+    <div className="w-full h-screen flex flex-col bg-bg-secondary">
       <div className="flex flex-1 overflow-hidden">
         <Sidebar
           collapsed={sidebarCollapsed}
@@ -396,19 +393,8 @@ function PromptEditorContent() {
                 style={{ backgroundColor: colors.bg.secondary }}
               >
                 <div className="flex flex-col items-center gap-3">
-                  <div
-                    className="animate-spin rounded-full border-4 border-solid"
-                    style={{
-                      width: "36px",
-                      height: "36px",
-                      borderColor: colors.bg.primary,
-                      borderTopColor: colors.accent.primary,
-                    }}
-                  />
-                  <p
-                    className="text-sm"
-                    style={{ color: colors.text.secondary }}
-                  >
+                  <div className="animate-spin rounded-full border-4 border-solid w-9 h-9 border-bg-primary border-t-accent-primary" />
+                  <p className="text-sm text-text-secondary">
                     Loading configuration...
                   </p>
                 </div>
@@ -469,7 +455,6 @@ function PromptEditorContent() {
                   />
                 ) : (
                   <div className="flex-1 flex flex-col overflow-hidden">
-                    {/* Split View: Prompt (left) + Config (right) */}
                     <div className="flex flex-1 overflow-hidden">
                       <div
                         className="flex"
diff --git a/app/(main)/settings/credentials/page.tsx b/app/(main)/settings/credentials/page.tsx
index c80364e..3ca22c1 100644
--- a/app/(main)/settings/credentials/page.tsx
+++ b/app/(main)/settings/credentials/page.tsx
@@ -1,7 +1,7 @@
 /**
  * Credentials Settings Page — orchestrator
  * State management and API calls only. UI split into:
- *   ProviderList  — left sidebar nav
+ *   ProviderSidebar  — left sidebar nav
  *   CredentialForm — right form with fields and actions
  */
 
@@ -9,7 +9,7 @@
 
 import { useState, useEffect } from "react";
 import SettingsSidebar from "@/app/components/settings/SettingsSidebar";
-import { colors } from "@/app/lib/colors";
+import PageHeader from "@/app/components/PageHeader";
 import { useToast } from "@/app/components/Toast";
 import { useAuth } from "@/app/lib/context/AuthContext";
 import {
@@ -18,7 +18,7 @@ import {
   ProviderDef,
 } from "@/app/lib/types/credentials";
 import { getExistingForProvider } from "@/app/lib/utils";
-import ProviderList from "@/app/components/settings/credentials/ProviderList";
+import ProviderSidebar from "@/app/components/settings/ProviderSidebar";
 import CredentialForm from "@/app/components/settings/credentials/CredentialForm";
 import { apiFetch } from "@/app/lib/apiClient";
 
@@ -34,15 +34,14 @@ export default function CredentialsPage() {
   const [isDeleting, setIsDeleting] = useState(false);
   const [formValues, setFormValues] = useState<Record<string, string>>({});
   const [isActive, setIsActive] = useState(true);
-  const [visibleFields, setVisibleFields] = useState<Set<string>>(new Set());
   const [existingCredential, setExistingCredential] =
     useState<Credential | null>(null);
 
-  // Load credentials once we have an API key
+  // Load credentials once authenticated
   useEffect(() => {
     if (!isAuthenticated) return;
     loadCredentials();
-  }, [apiKeys]);
+  }, [isAuthenticated, apiKeys]);
 
   // Re-populate form when provider or credentials change
   useEffect(() => {
@@ -64,7 +63,6 @@ export default function CredentialsPage() {
       });
       setFormValues(blank);
     }
-    setVisibleFields(new Set());
   }, [selectedProvider, credentials]);
 
   const loadCredentials = async () => {
@@ -151,7 +149,6 @@ export default function CredentialsPage() {
       setFormValues(blank);
       setIsActive(true);
     }
-    setVisibleFields(new Set());
   };
 
   const handleDelete = async () => {
@@ -178,68 +175,29 @@ export default function CredentialsPage() {
     setFormValues((prev) => ({ ...prev, [key]: value }));
   };
 
-  const handleToggleVisibility = (key: string) => {
-    setVisibleFields((prev) => {
-      const next = new Set(prev);
-      if (next.has(key)) {
-        next.delete(key);
-      } else {
-        next.add(key);
-      }
-      return next;
-    });
-  };
-
   return (
-    <div
-      className="w-full h-screen flex flex-col"
-      style={{ backgroundColor: colors.bg.secondary }}
-    >
+    <div className="w-full h-screen flex flex-col bg-bg-secondary">
       <div className="flex flex-1 overflow-hidden">
         <SettingsSidebar />
 
         <div className="flex-1 flex flex-col overflow-hidden">
-          <div
-            className="border-b px-4 py-3 flex items-center justify-between shrink-0"
-            style={{
-              backgroundColor: colors.bg.primary,
-              borderColor: colors.border,
-            }}
-          >
-            <div>
-              <h1
-                className="text-base font-semibold"
-                style={{
-                  color: colors.text.primary,
-                  letterSpacing: "-0.01em",
-                }}
-              >
-                Credentials
-              </h1>
-              <p className="text-xs" style={{ color: colors.text.secondary }}>
-                Manage provider credentials
-              </p>
-            </div>
-          </div>
+          <PageHeader
+            title="Credentials"
+            subtitle="Manage provider credentials"
+          />
 
           <div className="flex flex-1 overflow-hidden">
-            <ProviderList
+            <ProviderSidebar
               providers={PROVIDERS}
               selectedProvider={selectedProvider}
               credentials={credentials}
               onSelect={setSelectedProvider}
+              className="w-56 border-r border-border overflow-y-auto bg-bg-secondary"
             />
 
             <div className="flex-1 overflow-y-auto p-8">
               {!isAuthenticated ? (
-                <div
-                  className="max-w-lg rounded-lg border p-6 text-sm"
-                  style={{
-                    borderColor: colors.border,
-                    backgroundColor: colors.bg.primary,
-                    color: colors.text.secondary,
-                  }}
-                >
+                <div className="max-w-lg rounded-lg border border-border p-6 text-sm bg-bg-primary text-text-secondary">
                   Please log in to manage credentials.
                 </div>
               ) : (
@@ -251,10 +209,8 @@ export default function CredentialsPage() {
                   isLoading={isLoading}
                   isSaving={isSaving}
                   isDeleting={isDeleting}
-                  visibleFields={visibleFields}
                   onChange={handleFieldChange}
                   onActiveChange={setIsActive}
-                  onToggleVisibility={handleToggleVisibility}
                   onSave={handleSave}
                   onCancel={handleCancel}
                   onDelete={handleDelete}
diff --git a/app/(main)/settings/onboarding/page.tsx b/app/(main)/settings/onboarding/page.tsx
index f453e60..79c50e0 100644
--- a/app/(main)/settings/onboarding/page.tsx
+++ b/app/(main)/settings/onboarding/page.tsx
@@ -1,7 +1,6 @@
 "use client";
 
 import { useState, useEffect, useCallback } from "react";
-import { useRouter } from "next/navigation";
 import SettingsSidebar from "@/app/components/settings/SettingsSidebar";
 import PageHeader from "@/app/components/PageHeader";
 import { useAuth } from "@/app/lib/context/AuthContext";
@@ -13,6 +12,7 @@ import {
   ProjectList,
   StepIndicator,
   UserList,
+  OnboardingCredentials,
 } from "@/app/components/settings/onboarding";
 import {
   Organization,
@@ -21,9 +21,14 @@ import {
   OnboardResponseData,
 } from "@/app/lib/types/onboarding";
 import { apiFetch } from "@/app/lib/apiClient";
-import { colors } from "@/app/lib/colors";
 import { ArrowLeftIcon } from "@/app/components/icons";
 import { DEFAULT_PAGE_LIMIT } from "@/app/lib/constants";
+import TabNavigation from "@/app/components/TabNavigation";
+
+const PROJECT_TABS = [
+  { id: "users", label: "Users" },
+  { id: "credentials", label: "Credentials" },
+];
 
 type View = "loading" | "list" | "projects" | "users" | "form" | "success";
 
@@ -59,8 +64,7 @@ function OrganizationListSkeleton() {
 }
 
 export default function OnboardingPage() {
-  const router = useRouter();
-  const { activeKey, currentUser, isHydrated, isAuthenticated } = useAuth();
+  const { activeKey } = useAuth();
   const [view, setView] = useState<View>("loading");
   const [selectedOrg, setSelectedOrg] = useState<Organization | null>(null);
   const [selectedProject, setSelectedProject] = useState<Project | null>(null);
@@ -69,6 +73,7 @@ export default function OnboardingPage() {
   const [onboardData, setOnboardData] = useState<OnboardResponseData | null>(
     null,
   );
+  const [activeProjectTab, setActiveProjectTab] = useState("users");
 
   const {
     items: organizations,
@@ -97,18 +102,6 @@ export default function OnboardingPage() {
     }
   }, [isLoadingOrgs, organizations.length]);
 
-  // Redirect if no API key or not a superuser
-  useEffect(() => {
-    if (!isHydrated) return;
-    if (!isAuthenticated) {
-      router.replace("/");
-      return;
-    }
-    if (currentUser && !currentUser.is_superuser) {
-      router.replace("/settings/credentials");
-    }
-  }, [isHydrated, activeKey, currentUser, router]);
-
   const fetchProjects = useCallback(
     async (org: Organization) => {
       setSelectedOrg(org);
@@ -172,17 +165,14 @@ export default function OnboardingPage() {
   };
 
   return (
-    <div
-      className="w-full h-screen flex flex-col"
-      style={{ backgroundColor: colors.bg.secondary }}
-    >
+    <div className="w-full h-screen flex flex-col bg-bg-secondary">
       <div className="flex flex-1 overflow-hidden">
         <SettingsSidebar />
 
         <div className="flex-1 flex flex-col overflow-hidden">
           <PageHeader
-            title="Onboarding"
-            subtitle="Manage organizations and set up new projects"
+            title="Organizations"
+            subtitle="Manage organizations, projects, users, and credentials"
           />
 
           <div className="flex-1 overflow-y-auto">
@@ -211,11 +201,47 @@ export default function OnboardingPage() {
               )}
 
               {view === "users" && selectedOrg && selectedProject && (
-                <UserList
-                  organization={selectedOrg}
-                  project={selectedProject}
-                  onBack={handleBackToProjects}
-                />
+                <div>
+                  <button
+                    onClick={handleBackToProjects}
+                    className="text-sm text-text-secondary hover:text-text-primary mb-4 flex items-center gap-1 transition-colors cursor-pointer"
+                  >
+                    <ArrowLeftIcon className="w-3.5 h-3.5" /> Back to projects
+                  </button>
+
+                  <div className="flex items-center justify-between mb-4">
+                    <div>
+                      <h2 className="text-lg font-semibold text-text-primary">
+                        {selectedProject.name}
+                      </h2>
+                      <p className="text-xs text-text-secondary mt-0.5">
+                        {selectedOrg.name}
+                      </p>
+                    </div>
+                  </div>
+
+                  <TabNavigation
+                    tabs={PROJECT_TABS}
+                    activeTab={activeProjectTab}
+                    onTabChange={setActiveProjectTab}
+                  />
+
+                  {activeProjectTab === "users" && (
+                    <UserList
+                      organization={selectedOrg}
+                      project={selectedProject}
+                      onBack={handleBackToProjects}
+                      hideHeader
+                    />
+                  )}
+
+                  {activeProjectTab === "credentials" && (
+                    <OnboardingCredentials
+                      organizationId={selectedOrg.id}
+                      projectId={selectedProject.id}
+                    />
+                  )}
+                </div>
               )}
 
               {view === "form" && (
diff --git a/app/api/auth/google/route.ts b/app/api/auth/google/route.ts
index 7dc39ad..b9d1bd0 100644
--- a/app/api/auth/google/route.ts
+++ b/app/api/auth/google/route.ts
@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { apiClient } from "@/app/lib/apiClient";
+import { setRoleCookieFromBody } from "@/app/lib/authCookie";
 
 /** Proxy Google login token to backend. Forwards Set-Cookie headers back to the browser. */
 export async function POST(request: Request) {
@@ -31,6 +32,10 @@ export async function POST(request: Request) {
       });
     }
 
+    if (status >= 200 && status < 300) {
+      setRoleCookieFromBody(response, data);
+    }
+
     return response;
   } catch {
     return NextResponse.json(
diff --git a/app/api/auth/invite/route.ts b/app/api/auth/invite/route.ts
index 96984c1..e1fd42d 100644
--- a/app/api/auth/invite/route.ts
+++ b/app/api/auth/invite/route.ts
@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { apiClient } from "@/app/lib/apiClient";
+import { setRoleCookieFromBody } from "@/app/lib/authCookie";
 
 export async function GET(request: NextRequest) {
   try {
@@ -25,6 +26,10 @@ export async function GET(request: NextRequest) {
       res.headers.append("Set-Cookie", cookie);
     }
 
+    if (status >= 200 && status < 300) {
+      setRoleCookieFromBody(res, data);
+    }
+
     return res;
   } catch {
     return NextResponse.json(
diff --git a/app/api/auth/logout/route.ts b/app/api/auth/logout/route.ts
index 3b5994f..5111c38 100644
--- a/app/api/auth/logout/route.ts
+++ b/app/api/auth/logout/route.ts
@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { apiClient } from "@/app/lib/apiClient";
+import { clearRoleCookie } from "@/app/lib/authCookie";
 
 export async function POST(request: NextRequest) {
   const { status, data, headers } = await apiClient(
@@ -15,5 +16,7 @@ export async function POST(request: NextRequest) {
     res.headers.append("Set-Cookie", cookie);
   }
 
+  clearRoleCookie(res);
+
   return res;
 }
diff --git a/app/api/auth/magic-link/verify/route.ts b/app/api/auth/magic-link/verify/route.ts
index fc436f5..70475a4 100644
--- a/app/api/auth/magic-link/verify/route.ts
+++ b/app/api/auth/magic-link/verify/route.ts
@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { apiClient } from "@/app/lib/apiClient";
+import { setRoleCookieFromBody } from "@/app/lib/authCookie";
 
 export async function GET(request: NextRequest) {
   try {
@@ -25,6 +26,10 @@ export async function GET(request: NextRequest) {
       res.headers.append("Set-Cookie", cookie);
     }
 
+    if (status >= 200 && status < 300) {
+      setRoleCookieFromBody(res, data);
+    }
+
     return res;
   } catch {
     return NextResponse.json(
diff --git a/app/api/credentials/org/[orgId]/[projectId]/provider/[provider]/route.ts b/app/api/credentials/org/[orgId]/[projectId]/provider/[provider]/route.ts
new file mode 100644
index 0000000..583ed96
--- /dev/null
+++ b/app/api/credentials/org/[orgId]/[projectId]/provider/[provider]/route.ts
@@ -0,0 +1,40 @@
+import { apiClient } from "@/app/lib/apiClient";
+import { NextResponse, NextRequest } from "next/server";
+
+type Params = {
+  params: Promise<{ orgId: string; projectId: string; provider: string }>;
+};
+
+export async function GET(request: NextRequest, { params }: Params) {
+  const { orgId, projectId, provider } = await params;
+  try {
+    const { status, data } = await apiClient(
+      request,
+      `/api/v1/credentials/${orgId}/${projectId}/provider/${provider}`,
+    );
+    return NextResponse.json(data, { status });
+  } catch (e: unknown) {
+    return NextResponse.json(
+      { error: e instanceof Error ? e.message : String(e) },
+      { status: 500 },
+    );
+  }
+}
+
+export async function DELETE(request: NextRequest, { params }: Params) {
+  const { orgId, projectId, provider } = await params;
+  try {
+    const { status, data } = await apiClient(
+      request,
+      `/api/v1/credentials/${orgId}/${projectId}/provider/${provider}`,
+      { method: "DELETE" },
+    );
+    if (status === 204) return new NextResponse(null, { status: 204 });
+    return NextResponse.json(data, { status });
+  } catch (e: unknown) {
+    return NextResponse.json(
+      { error: e instanceof Error ? e.message : String(e) },
+      { status: 500 },
+    );
+  }
+}
diff --git a/app/api/credentials/org/[orgId]/[projectId]/route.ts b/app/api/credentials/org/[orgId]/[projectId]/route.ts
new file mode 100644
index 0000000..d98638b
--- /dev/null
+++ b/app/api/credentials/org/[orgId]/[projectId]/route.ts
@@ -0,0 +1,56 @@
+import { apiClient } from "@/app/lib/apiClient";
+import { NextResponse, NextRequest } from "next/server";
+
+type Params = { params: Promise<{ orgId: string; projectId: string }> };
+
+export async function GET(request: NextRequest, { params }: Params) {
+  const { orgId, projectId } = await params;
+  try {
+    const { status, data } = await apiClient(
+      request,
+      `/api/v1/credentials/${orgId}/${projectId}`,
+    );
+    return NextResponse.json(data, { status });
+  } catch (e: unknown) {
+    return NextResponse.json(
+      { error: e instanceof Error ? e.message : String(e) },
+      { status: 500 },
+    );
+  }
+}
+
+export async function PATCH(request: NextRequest, { params }: Params) {
+  const { orgId, projectId } = await params;
+  try {
+    const body = await request.json();
+    const { status, data } = await apiClient(
+      request,
+      `/api/v1/credentials/${orgId}/${projectId}`,
+      { method: "PATCH", body: JSON.stringify(body) },
+    );
+    return NextResponse.json(data, { status });
+  } catch (e: unknown) {
+    return NextResponse.json(
+      { error: e instanceof Error ? e.message : String(e) },
+      { status: 500 },
+    );
+  }
+}
+
+export async function DELETE(request: NextRequest, { params }: Params) {
+  const { orgId, projectId } = await params;
+  try {
+    const { status, data } = await apiClient(
+      request,
+      `/api/v1/credentials/${orgId}/${projectId}`,
+      { method: "DELETE" },
+    );
+    if (status === 204) return new NextResponse(null, { status: 204 });
+    return NextResponse.json(data, { status });
+  } catch (e: unknown) {
+    return NextResponse.json(
+      { error: e instanceof Error ? e.message : String(e) },
+      { status: 500 },
+    );
+  }
+}
diff --git a/app/api/users/me/route.ts b/app/api/users/me/route.ts
index f910e1c..6b9fe0f 100644
--- a/app/api/users/me/route.ts
+++ b/app/api/users/me/route.ts
@@ -1,10 +1,17 @@
 import { NextRequest, NextResponse } from "next/server";
 import { apiClient } from "@/app/lib/apiClient";
+import { setRoleCookieFromBody } from "@/app/lib/authCookie";
 
 export async function GET(request: NextRequest) {
   try {
     const { status, data } = await apiClient(request, "/api/v1/users/me");
-    return NextResponse.json(data, { status });
+    const res = NextResponse.json(data, { status });
+
+    if (status >= 200 && status < 300) {
+      setRoleCookieFromBody(res, data);
+    }
+
+    return res;
   } catch {
     return NextResponse.json(
       { error: "Failed to connect to backend" },
diff --git a/app/components/Field.tsx b/app/components/Field.tsx
index f6a3a99..7d90b0b 100644
--- a/app/components/Field.tsx
+++ b/app/components/Field.tsx
@@ -48,7 +48,7 @@ export default function Field({
           <button
             type="button"
             onClick={() => setShowPassword((prev) => !prev)}
-            className="absolute right-3 top-1/2 -translate-y-1/2 text-text-secondary hover:text-text-primary transition-colors"
+            className="absolute right-3 top-1/2 -translate-y-1/2 text-text-secondary hover:text-text-primary transition-colors cursor-pointer"
             tabIndex={-1}
           >
             {showPassword ? <EyeOffIcon /> : <EyeIcon />}
diff --git a/app/components/PageHeader.tsx b/app/components/PageHeader.tsx
index 1b56118..2d13227 100644
--- a/app/components/PageHeader.tsx
+++ b/app/components/PageHeader.tsx
@@ -1,7 +1,6 @@
 "use client";
 
 import { ReactNode, useState } from "react";
-import { colors } from "@/app/lib/colors";
 import { useApp } from "@/app/lib/context/AppContext";
 import { useAuth } from "@/app/lib/context/AuthContext";
 import { MenuIcon } from "@/app/components/icons";
@@ -31,18 +30,11 @@ export default function PageHeader({
 
   return (
     <>
-      <div
-        className="border-b px-4 py-3 flex items-center justify-between shrink-0"
-        style={{
-          backgroundColor: colors.bg.primary,
-          borderColor: colors.border,
-        }}
-      >
+      <div className="border-b px-4 py-3 flex items-center justify-between shrink-0 bg-bg-primary border-border">
         <div className="flex items-center gap-3">
           <button
             onClick={() => setSidebarCollapsed(!sidebarCollapsed)}
-            className="p-1.5 rounded-md"
-            style={{ color: colors.text.secondary }}
+            className="p-1.5 rounded-md text-text-secondary"
             aria-label="Toggle sidebar"
           >
             <MenuIcon className="w-5 h-5" />
@@ -50,20 +42,12 @@ export default function PageHeader({
           {children ?? (
             <div>
               {title && (
-                <h1
-                  className="text-base font-semibold"
-                  style={{
-                    color: colors.text.primary,
-                    letterSpacing: "-0.01em",
-                  }}
-                >
+                <h1 className="text-base font-semibold text-text-primary tracking-[-0.01em]">
                   {title}
                 </h1>
               )}
               {subtitle && (
-                <p className="text-xs" style={{ color: colors.text.secondary }}>
-                  {subtitle}
-                </p>
+                <p className="text-xs text-text-secondary">{subtitle}</p>
               )}
             </div>
           )}
diff --git a/app/components/Toast.tsx b/app/components/Toast.tsx
index 5912187..2951ae8 100644
--- a/app/components/Toast.tsx
+++ b/app/components/Toast.tsx
@@ -1,27 +1,27 @@
 "use client";
 
-import React, { createContext, useContext, useState, useCallback } from "react";
-
-export type ToastType = "success" | "error" | "info" | "warning";
-
-export interface Toast {
-  id: string;
-  message: string;
-  type: ToastType;
-  duration?: number;
-}
-
-interface ToastContextType {
-  toasts: Toast[];
-  addToast: (message: string, type?: ToastType, duration?: number) => void;
-  removeToast: (id: string) => void;
-  success: (message: string, duration?: number) => void;
-  error: (message: string, duration?: number) => void;
-  info: (message: string, duration?: number) => void;
-  warning: (message: string, duration?: number) => void;
-}
-
-const ToastContext = createContext<ToastContextType | undefined>(undefined);
+import React, {
+  createContext,
+  useContext,
+  useState,
+  useCallback,
+  useEffect,
+} from "react";
+import {
+  CheckCircleIcon,
+  ErrorCircleIcon,
+  WarningTriangleIcon,
+  InfoIcon,
+  CloseIcon,
+} from "@/app/components/icons";
+import type { Toast, ToastType, ToastContextType } from "@/app/lib/types/toast";
+import { TOAST_CONFIG } from "@/app/lib/constants";
+
+export type { ToastType, Toast, ToastContextType };
+
+export const ToastContext = createContext<ToastContextType | undefined>(
+  undefined,
+);
 
 export function ToastProvider({ children }: { children: React.ReactNode }) {
   const [toasts, setToasts] = useState<Toast[]>([]);
@@ -34,43 +34,31 @@ export function ToastProvider({ children }: { children: React.ReactNode }) {
     (message: string, type: ToastType = "info", duration: number = 5000) => {
       const id = `toast-${Date.now()}-${Math.random()}`;
       const toast: Toast = { id, message, type, duration };
-
       setToasts((prev) => [...prev, toast]);
-
-      if (duration > 0) {
-        setTimeout(() => {
-          removeToast(id);
-        }, duration);
-      }
     },
-    [removeToast],
+    [],
   );
 
   const success = useCallback(
-    (message: string, duration?: number) => {
-      addToast(message, "success", duration);
-    },
+    (message: string, duration?: number) =>
+      addToast(message, "success", duration),
     [addToast],
   );
 
   const error = useCallback(
-    (message: string, duration?: number) => {
-      addToast(message, "error", duration);
-    },
+    (message: string, duration?: number) =>
+      addToast(message, "error", duration),
     [addToast],
   );
 
   const info = useCallback(
-    (message: string, duration?: number) => {
-      addToast(message, "info", duration);
-    },
+    (message: string, duration?: number) => addToast(message, "info", duration),
     [addToast],
   );
 
   const warning = useCallback(
-    (message: string, duration?: number) => {
-      addToast(message, "warning", duration);
-    },
+    (message: string, duration?: number) =>
+      addToast(message, "warning", duration),
     [addToast],
   );
 
@@ -92,7 +80,6 @@ export function useToast() {
   return context;
 }
 
-// Toast Container Component
 function ToastContainer({
   toasts,
   removeToast,
@@ -101,7 +88,7 @@ function ToastContainer({
   removeToast: (id: string) => void;
 }) {
   return (
-    <div className="fixed top-4 right-4 z-[9999] flex flex-col gap-2 pointer-events-none max-w-[420px]">
+    <div className="fixed top-4 right-4 z-[9999] flex flex-col gap-3 pointer-events-none">
       {toasts.map((toast) => (
         <ToastItem
           key={toast.id}
@@ -113,152 +100,91 @@ function ToastContainer({
   );
 }
 
-// Individual Toast Item
+function ToastIcon({ type }: { type: ToastType }) {
+  const config = TOAST_CONFIG[type];
+  const style = { color: config.icon };
+
+  switch (type) {
+    case "success":
+      return <CheckCircleIcon className="w-5 h-5" style={style} />;
+    case "error":
+      return <ErrorCircleIcon className="w-5 h-5" style={style} />;
+    case "warning":
+      return <WarningTriangleIcon className="w-5 h-5" style={style} />;
+    case "info":
+      return <InfoIcon className="w-5 h-5" style={style} />;
+  }
+}
+
 function ToastItem({ toast, onClose }: { toast: Toast; onClose: () => void }) {
-  const styles = getToastStyles(toast.type);
+  const [exiting, setExiting] = useState(false);
+  const [paused, setPaused] = useState(false);
+  const [remaining, setRemaining] = useState(toast.duration ?? 5000);
+  const config = TOAST_CONFIG[toast.type];
+
+  useEffect(() => {
+    if (paused || remaining <= 0) return;
+
+    const start = Date.now();
+    const timer = setTimeout(() => {
+      setExiting(true);
+    }, remaining);
+
+    return () => {
+      clearTimeout(timer);
+      setRemaining((prev) => prev - (Date.now() - start));
+    };
+  }, [paused, remaining]);
+
+  useEffect(() => {
+    if (!exiting) return;
+    const timer = setTimeout(onClose, 300);
+    return () => clearTimeout(timer);
+  }, [exiting, onClose]);
+
+  const duration = toast.duration ?? 5000;
 
   return (
     <div
-      className="pointer-events-auto animate-slideIn"
-      style={{
-        animation: "slideIn 0.2s ease-out",
-      }}
+      className={`pointer-events-auto ${exiting ? "animate-slideOut" : "animate-slideIn"}`}
+      onMouseEnter={() => setPaused(true)}
+      onMouseLeave={() => setPaused(false)}
     >
       <div
-        className="rounded-lg border p-4 shadow-lg flex items-start gap-3 min-w-[300px] max-w-[420px]"
-        style={{
-          backgroundColor: styles.bg,
-          borderColor: styles.border,
-        }}
+        className="relative overflow-hidden rounded-md shadow-[0_1px_10px_0_rgba(0,0,0,0.1),0_2px_15px_0_rgba(0,0,0,0.05)] min-w-[320px] max-w-[420px] flex items-center"
+        style={{ backgroundColor: config.bg }}
       >
-        {/* Icon */}
-        <div className="flex-shrink-0 mt-0.5">
-          {toast.type === "success" && (
-            <svg
-              className="w-5 h-5"
-              fill="none"
-              viewBox="0 0 24 24"
-              stroke="currentColor"
-              style={{ color: styles.icon }}
-            >
-              <path
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                strokeWidth={2}
-                d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"
-              />
-            </svg>
-          )}
-          {toast.type === "error" && (
-            <svg
-              className="w-5 h-5"
-              fill="none"
-              viewBox="0 0 24 24"
-              stroke="currentColor"
-              style={{ color: styles.icon }}
-            >
-              <path
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                strokeWidth={2}
-                d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
-              />
-            </svg>
-          )}
-          {toast.type === "warning" && (
-            <svg
-              className="w-5 h-5"
-              fill="none"
-              viewBox="0 0 24 24"
-              stroke="currentColor"
-              style={{ color: styles.icon }}
-            >
-              <path
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                strokeWidth={2}
-                d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"
-              />
-            </svg>
-          )}
-          {toast.type === "info" && (
-            <svg
-              className="w-5 h-5"
-              fill="none"
-              viewBox="0 0 24 24"
-              stroke="currentColor"
-              style={{ color: styles.icon }}
-            >
-              <path
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                strokeWidth={2}
-                d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z"
-              />
-            </svg>
-          )}
-        </div>
+        <div
+          className="absolute left-0 top-0 bottom-0 w-[5px]"
+          style={{ backgroundColor: config.accent }}
+        />
 
-        {/* Message */}
-        <div className="flex-1 text-sm" style={{ color: styles.text }}>
-          {toast.message}
+        <div className="flex items-center gap-3 px-4 py-3 pl-5 flex-1 min-w-0">
+          <div className="shrink-0">
+            <ToastIcon type={toast.type} />
+          </div>
+          <p className="text-sm text-[#757575] flex-1 min-w-0 wrap-break-word leading-snug">
+            {toast.message}
+          </p>
         </div>
 
-        {/* Close Button */}
         <button
-          onClick={onClose}
-          className="flex-shrink-0 rounded-md p-1 hover:bg-black/5 transition-colors"
-          style={{ color: styles.text }}
+          onClick={() => setExiting(true)}
+          className="shrink-0 self-start p-2 opacity-50 hover:opacity-100 transition-opacity"
         >
-          <svg
-            className="w-4 h-4"
-            fill="none"
-            viewBox="0 0 24 24"
-            stroke="currentColor"
-          >
-            <path
-              strokeLinecap="round"
-              strokeLinejoin="round"
-              strokeWidth={2}
-              d="M6 18L18 6M6 6l12 12"
-            />
-          </svg>
+          <CloseIcon className="w-3.5 h-3.5 text-[#757575]" />
         </button>
+
+        <div className="absolute bottom-0 left-0 right-0 h-1 bg-transparent">
+          <div
+            className={`h-full opacity-70 animate-[toastProgress_linear_forwards] ${paused ? "[animation-play-state:paused]" : "[animation-play-state:running]"}`}
+            style={{
+              backgroundColor: config.progressBg,
+              animationDuration: `${duration}ms`,
+            }}
+          />
+        </div>
       </div>
     </div>
   );
 }
-
-function getToastStyles(type: ToastType) {
-  switch (type) {
-    case "success":
-      return {
-        bg: "#f0fdf4",
-        border: "#86efac",
-        text: "#15803d",
-        icon: "#16a34a",
-      };
-    case "error":
-      return {
-        bg: "#fef2f2",
-        border: "#fca5a5",
-        text: "#b91c1c",
-        icon: "#dc2626",
-      };
-    case "warning":
-      return {
-        bg: "#fffbeb",
-        border: "#fcd34d",
-        text: "#b45309",
-        icon: "#f59e0b",
-      };
-    case "info":
-    default:
-      return {
-        bg: "#eff6ff",
-        border: "#93c5fd",
-        text: "#1e40af",
-        icon: "#3b82f6",
-      };
-  }
-}
diff --git a/app/components/icons/common/ErrorCircleIcon.tsx b/app/components/icons/common/ErrorCircleIcon.tsx
new file mode 100644
index 0000000..a0f604e
--- /dev/null
+++ b/app/components/icons/common/ErrorCircleIcon.tsx
@@ -0,0 +1,23 @@
+interface IconProps {
+  className?: string;
+  style?: React.CSSProperties;
+}
+
+export default function ErrorCircleIcon({ className, style }: IconProps) {
+  return (
+    <svg
+      className={`w-5 h-5 ${className ?? ""}`}
+      fill="none"
+      viewBox="0 0 24 24"
+      stroke="currentColor"
+      strokeWidth={2}
+      style={style}
+    >
+      <path
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
+      />
+    </svg>
+  );
+}
diff --git a/app/components/icons/document/CloseIcon.tsx b/app/components/icons/document/CloseIcon.tsx
index af939c2..59b151c 100644
--- a/app/components/icons/document/CloseIcon.tsx
+++ b/app/components/icons/document/CloseIcon.tsx
@@ -1,8 +1,9 @@
 interface IconProps {
   className?: string;
+  style?: React.CSSProperties;
 }
 
-export default function CloseIcon({ className }: IconProps) {
+export default function CloseIcon({ className, style }: IconProps) {
   return (
     <svg
       className={`w-6 h-6 ${className ?? ""}`}
@@ -10,6 +11,7 @@ export default function CloseIcon({ className }: IconProps) {
       viewBox="0 0 24 24"
       stroke="currentColor"
       strokeWidth={2}
+      style={style}
     >
       <path
         strokeLinecap="round"
diff --git a/app/components/icons/index.tsx b/app/components/icons/index.tsx
index ce9e2f5..fe08959 100644
--- a/app/components/icons/index.tsx
+++ b/app/components/icons/index.tsx
@@ -11,6 +11,7 @@ export { default as PlusIcon } from "./common/PlusIcon";
 export { default as SearchIcon } from "./common/SearchIcon";
 export { default as SidebarToggleIcon } from "./common/SidebarToggleIcon";
 export { default as MailIcon } from "./common/MailIcon";
+export { default as ErrorCircleIcon } from "./common/ErrorCircleIcon";
 
 // Evaluations Icons
 export { default as ChevronUpIcon } from "./evaluations/ChevronUpIcon";
diff --git a/app/components/icons/prompt-editor/CheckCircleIcon.tsx b/app/components/icons/prompt-editor/CheckCircleIcon.tsx
index fd61436..1818087 100644
--- a/app/components/icons/prompt-editor/CheckCircleIcon.tsx
+++ b/app/components/icons/prompt-editor/CheckCircleIcon.tsx
@@ -1,8 +1,9 @@
 interface IconProps {
   className?: string;
+  style?: React.CSSProperties;
 }
 
-export default function CheckCircleIcon({ className }: IconProps) {
+export default function CheckCircleIcon({ className, style }: IconProps) {
   return (
     <svg
       className={`w-3 h-3 ${className ?? ""}`}
@@ -10,6 +11,7 @@ export default function CheckCircleIcon({ className }: IconProps) {
       viewBox="0 0 24 24"
       stroke="currentColor"
       strokeWidth={2}
+      style={style}
     >
       <path
         strokeLinecap="round"
diff --git a/app/components/prompt-editor/Header.tsx b/app/components/prompt-editor/Header.tsx
index efe0675..a8dc29e 100644
--- a/app/components/prompt-editor/Header.tsx
+++ b/app/components/prompt-editor/Header.tsx
@@ -1,11 +1,6 @@
 import { useRouter } from "next/navigation";
 import PageHeader from "@/app/components/PageHeader";
-import {
-  ChevronRightIcon,
-  ArrowBackCircleIcon,
-  PlayCircleIcon,
-  CheckCircleIcon,
-} from "@/app/components/icons";
+import { ChevronRightIcon, CheckCircleIcon } from "@/app/components/icons";
 
 interface HeaderProps {
   currentConfigId?: string;
@@ -18,52 +13,16 @@ interface HeaderProps {
 }
 
 export default function Header({
-  currentConfigId,
   currentConfigVersion,
   currentConfigName,
   hasUnsavedChanges = false,
   datasetId,
-  experimentName,
   fromEvaluations = false,
 }: HeaderProps) {
   const router = useRouter();
 
-  const handleUseInEvaluation = () => {
-    const params = new URLSearchParams();
-    if (currentConfigId && currentConfigVersion) {
-      params.set("config", currentConfigId);
-      params.set("version", currentConfigVersion.toString());
-    }
-    if (datasetId) params.set("dataset", datasetId);
-    if (experimentName) params.set("experiment", experimentName);
-
-    router.push(`/evaluations?${params.toString()}`);
-  };
-
   return (
-    <PageHeader
-      actions={
-        <button
-          onClick={handleUseInEvaluation}
-          disabled={hasUnsavedChanges}
-          className={`px-4 py-2 rounded-md text-sm font-medium flex items-center gap-2 transition-colors ${
-            hasUnsavedChanges
-              ? "bg-bg-secondary text-text-secondary border border-border cursor-not-allowed"
-              : "bg-accent-primary text-white cursor-pointer hover:bg-accent-hover"
-          }`}
-          title={
-            hasUnsavedChanges
-              ? "Save your changes first"
-              : fromEvaluations
-                ? "Return to evaluation with this config"
-                : "Use this config in an evaluation"
-          }
-        >
-          {fromEvaluations ? <ArrowBackCircleIcon /> : <PlayCircleIcon />}
-          {fromEvaluations ? "Back to Evaluation" : "Run Evaluation"}
-        </button>
-      }
-    >
+    <PageHeader>
       <nav className="flex items-center gap-2 text-sm">
         <button
           onClick={() => router.push("/configurations")}
diff --git a/app/components/settings/ProviderSidebar.tsx b/app/components/settings/ProviderSidebar.tsx
new file mode 100644
index 0000000..5dcbae1
--- /dev/null
+++ b/app/components/settings/ProviderSidebar.tsx
@@ -0,0 +1,52 @@
+"use client";
+
+import { Credential, ProviderDef } from "@/app/lib/types/credentials";
+import { getExistingForProvider } from "@/app/lib/utils";
+
+interface ProviderSidebarProps {
+  providers: ProviderDef[];
+  selectedProvider: ProviderDef;
+  credentials: Credential[];
+  onSelect: (provider: ProviderDef) => void;
+  className?: string;
+}
+
+export default function ProviderSidebar({
+  providers,
+  selectedProvider,
+  credentials,
+  onSelect,
+  className = "",
+}: ProviderSidebarProps) {
+  return (
+    <div className={`shrink-0 ${className}`}>
+      <div className="p-3">
+        <nav className="space-y-0.5">
+          {providers.map((provider) => {
+            const hasExisting = !!getExistingForProvider(provider, credentials);
+            const isSelected = selectedProvider.id === provider.id;
+            return (
+              <button
+                key={provider.id}
+                onClick={() => onSelect(provider)}
+                className={`w-full text-left px-3 py-2 rounded-md text-sm flex items-center justify-between gap-2 transition-all duration-150 border cursor-pointer ${
+                  isSelected
+                    ? "bg-bg-primary text-text-primary font-semibold border-border"
+                    : "bg-transparent text-text-secondary font-normal border-transparent hover:bg-bg-primary hover:text-text-primary"
+                }`}
+              >
+                <span>{provider.name}</span>
+                {hasExisting && (
+                  <span
+                    className="w-2 h-2 rounded-full shrink-0 bg-status-success"
+                    title="Configured"
+                  />
+                )}
+              </button>
+            );
+          })}
+        </nav>
+      </div>
+    </div>
+  );
+}
diff --git a/app/components/settings/SettingsSidebar.tsx b/app/components/settings/SettingsSidebar.tsx
index e2cc889..e0598e5 100644
--- a/app/components/settings/SettingsSidebar.tsx
+++ b/app/components/settings/SettingsSidebar.tsx
@@ -6,6 +6,7 @@ import Image from "next/image";
 import { ArrowLeftIcon, KeyIcon, SlidersIcon } from "@/app/components/icons";
 import { SETTINGS_NAV } from "@/app/lib/navConfig";
 import { useAuth } from "@/app/lib/context/AuthContext";
+import { useApp } from "@/app/lib/context/AppContext";
 import { Branding, UserMenuPopover } from "@/app/components/user-menu";
 
 const iconMap: Record<string, React.ReactNode> = {
@@ -17,6 +18,7 @@ export default function SettingsSidebar() {
   const router = useRouter();
   const pathname = usePathname();
   const { currentUser, googleProfile, isAuthenticated, logout } = useAuth();
+  const { sidebarCollapsed } = useApp();
   const [showUserMenu, setShowUserMenu] = useState(false);
   const userMenuRef = useRef<HTMLDivElement>(null);
 
@@ -41,7 +43,9 @@ export default function SettingsSidebar() {
     .toUpperCase();
 
   return (
-    <aside className="w-60 h-full border-r border-border bg-bg-secondary flex flex-col shrink-0">
+    <aside
+      className={`h-full border-r border-border bg-bg-secondary flex flex-col shrink-0 transition-all duration-300 ease-in-out ${sidebarCollapsed ? "w-0 overflow-hidden" : "w-60"}`}
+    >
       <Branding />
 
       <div className="px-3 pt-3 pb-1">
diff --git a/app/components/settings/credentials/CredentialForm.tsx b/app/components/settings/credentials/CredentialForm.tsx
index 39a5d74..f2e843b 100644
--- a/app/components/settings/credentials/CredentialForm.tsx
+++ b/app/components/settings/credentials/CredentialForm.tsx
@@ -1,7 +1,8 @@
 "use client";
 
-import { colors } from "@/app/lib/colors";
 import Loader from "@/app/components/Loader";
+import Field from "@/app/components/Field";
+import Button from "@/app/components/Button";
 import { Credential, ProviderDef } from "@/app/lib/types/credentials";
 import { timeAgo } from "@/app/lib/utils";
 
@@ -13,10 +14,8 @@ interface Props {
   isLoading: boolean;
   isSaving: boolean;
   isDeleting?: boolean;
-  visibleFields: Set<string>;
   onChange: (key: string, value: string) => void;
   onActiveChange: (active: boolean) => void;
-  onToggleVisibility: (key: string) => void;
   onSave: () => void;
   onCancel: () => void;
   onDelete?: () => void;
@@ -30,156 +29,46 @@ export default function CredentialForm({
   isLoading,
   isSaving,
   isDeleting,
-  visibleFields,
   onChange,
   onActiveChange,
-  onToggleVisibility,
   onSave,
   onCancel,
   onDelete,
 }: Props) {
   return (
     <div className="max-w-lg">
-      <h2
-        className="text-xl font-semibold mb-1"
-        style={{ color: colors.text.primary }}
-      >
+      <h2 className="text-xl font-semibold mb-1 text-text-primary">
         {provider.name}
       </h2>
-      <p className="text-sm mb-6" style={{ color: colors.text.secondary }}>
-        {provider.description}
-      </p>
+      <p className="text-sm mb-6 text-text-secondary">{provider.description}</p>
 
       {isLoading ? (
         <Loader size="sm" message="Loading credentials…" />
       ) : (
         <div className="space-y-5">
-          {/* Active toggle */}
           <label className="flex items-center gap-2.5 cursor-pointer select-none w-fit">
             <input
               type="checkbox"
               checked={isActive}
               onChange={(e) => onActiveChange(e.target.checked)}
-              className="w-4 h-4 rounded"
-              style={{ accentColor: colors.status.success }}
+              className="w-4 h-4 rounded accent-status-success"
             />
-            <span className="text-sm" style={{ color: colors.text.primary }}>
-              Active?
-            </span>
+            <span className="text-sm text-text-primary">Active?</span>
           </label>
 
-          {/* Fields */}
-          {provider.fields.map((field) => {
-            const isPassword = field.type === "password";
-            const visible = visibleFields.has(field.key);
-            const hasValue = !!formValues[field.key];
-            return (
-              <div key={field.key}>
-                <label
-                  className="block text-sm font-medium mb-1.5"
-                  style={{ color: colors.text.primary }}
-                >
-                  {field.label}
-                </label>
-                <div className="relative">
-                  <input
-                    type={isPassword && !visible ? "password" : "text"}
-                    value={formValues[field.key] || ""}
-                    onChange={(e) => onChange(field.key, e.target.value)}
-                    placeholder={field.placeholder}
-                    className="w-full px-4 py-2.5 rounded-lg border text-sm outline-none transition-colors"
-                    style={{
-                      borderColor: colors.border,
-                      backgroundColor: colors.bg.primary,
-                      color: colors.text.primary,
-                      paddingRight: isPassword || hasValue ? "5rem" : undefined,
-                    }}
-                    onFocus={(e) => {
-                      e.target.style.borderColor = colors.accent.primary;
-                    }}
-                    onBlur={(e) => {
-                      e.target.style.borderColor = colors.border;
-                    }}
-                  />
-                  <div className="absolute right-3 top-1/2 -translate-y-1/2 flex items-center gap-1.5">
-                    {hasValue && (
-                      <button
-                        type="button"
-                        onClick={() => onChange(field.key, "")}
-                        className="flex items-center justify-center w-4 h-4 rounded-full"
-                        style={{ color: colors.text.secondary }}
-                        title="Clear field"
-                        tabIndex={-1}
-                      >
-                        <svg
-                          className="w-3.5 h-3.5"
-                          fill="none"
-                          viewBox="0 0 24 24"
-                          stroke="currentColor"
-                        >
-                          <path
-                            strokeLinecap="round"
-                            strokeLinejoin="round"
-                            strokeWidth={2}
-                            d="M6 18L18 6M6 6l12 12"
-                          />
-                        </svg>
-                      </button>
-                    )}
-                    {isPassword && (
-                      <button
-                        type="button"
-                        onClick={() => onToggleVisibility(field.key)}
-                        className="flex items-center justify-center"
-                        style={{ color: colors.text.secondary }}
-                        tabIndex={-1}
-                      >
-                        {visible ? (
-                          <svg
-                            className="w-4 h-4"
-                            fill="none"
-                            viewBox="0 0 24 24"
-                            stroke="currentColor"
-                          >
-                            <path
-                              strokeLinecap="round"
-                              strokeLinejoin="round"
-                              strokeWidth={2}
-                              d="M13.875 18.825A10.05 10.05 0 0112 19c-4.478 0-8.268-2.943-9.543-7a9.97 9.97 0 011.563-3.029m5.858.908a3 3 0 114.243 4.243M9.878 9.878l4.242 4.242M9.88 9.88l-3.29-3.29m7.532 7.532l3.29 3.29M3 3l3.59 3.59m0 0A9.953 9.953 0 0112 5c4.478 0 8.268 2.943 9.543 7a10.025 10.025 0 01-4.132 5.411m0 0L21 21"
-                            />
-                          </svg>
-                        ) : (
-                          <svg
-                            className="w-4 h-4"
-                            fill="none"
-                            viewBox="0 0 24 24"
-                            stroke="currentColor"
-                          >
-                            <path
-                              strokeLinecap="round"
-                              strokeLinejoin="round"
-                              strokeWidth={2}
-                              d="M15 12a3 3 0 11-6 0 3 3 0 016 0z"
-                            />
-                            <path
-                              strokeLinecap="round"
-                              strokeLinejoin="round"
-                              strokeWidth={2}
-                              d="M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z"
-                            />
-                          </svg>
-                        )}
-                      </button>
-                    )}
-                  </div>
-                </div>
-              </div>
-            );
-          })}
+          {provider.fields.map((field) => (
+            <Field
+              key={field.key}
+              label={field.label}
+              value={formValues[field.key] || ""}
+              onChange={(val) => onChange(field.key, val)}
+              placeholder={field.placeholder}
+              type={field.type || "text"}
+            />
+          ))}
 
-          {/* Last updated */}
           {existingCredential && (
-            <p className="text-xs" style={{ color: colors.text.secondary }}>
+            <p className="text-xs text-text-secondary">
               Last updated:{" "}
               {existingCredential.updated_at
                 ? timeAgo(existingCredential.updated_at)
@@ -187,50 +76,26 @@ export default function CredentialForm({
             </p>
           )}
 
-          {/* Actions */}
           <div className="flex items-center gap-3 pt-1">
-            <button
-              onClick={onSave}
-              disabled={isSaving || isDeleting}
-              className="px-5 py-2 rounded-full text-sm font-medium transition-colors"
-              style={{
-                backgroundColor: isSaving
-                  ? colors.accent.hover
-                  : colors.accent.primary,
-                color: colors.bg.primary,
-                opacity: isSaving || isDeleting ? 0.7 : 1,
-              }}
-            >
+            <Button onClick={onSave} disabled={isSaving || isDeleting}>
               {isSaving ? "Saving…" : existingCredential ? "Update" : "Save"}
-            </button>
-            <button
+            </Button>
+            <Button
+              variant="outline"
               onClick={onCancel}
               disabled={isSaving || isDeleting}
-              className="px-5 py-2 rounded-full text-sm font-medium border transition-colors"
-              style={{
-                borderColor: colors.border,
-                color: colors.text.secondary,
-                backgroundColor: colors.bg.primary,
-              }}
-              onMouseEnter={(e) => {
-                e.currentTarget.style.borderColor = colors.accent.primary;
-                e.currentTarget.style.color = colors.text.primary;
-              }}
-              onMouseLeave={(e) => {
-                e.currentTarget.style.borderColor = colors.border;
-                e.currentTarget.style.color = colors.text.secondary;
-              }}
             >
               Cancel
-            </button>
+            </Button>
             {existingCredential && onDelete && (
-              <button
+              <Button
+                variant="danger"
                 onClick={onDelete}
                 disabled={isSaving || isDeleting}
-                className={`ml-auto px-4 py-2 rounded-full text-sm font-medium border transition-colors bg-transparent border-[#ef444440] text-[#ef4444] hover:bg-[#ef444415] hover:border-[#ef4444] disabled:cursor-not-allowed ${isDeleting ? "opacity-70" : ""}`}
+                className="ml-auto"
               >
                 {isDeleting ? "Removing…" : "Remove"}
-              </button>
+              </Button>
             )}
           </div>
         </div>
diff --git a/app/components/settings/credentials/CredentialFormPanel.tsx b/app/components/settings/credentials/CredentialFormPanel.tsx
new file mode 100644
index 0000000..738da63
--- /dev/null
+++ b/app/components/settings/credentials/CredentialFormPanel.tsx
@@ -0,0 +1,116 @@
+"use client";
+
+import { Credential, ProviderDef } from "@/app/lib/types/credentials";
+import { timeAgo } from "@/app/lib/utils";
+import { Button, Field } from "@/app/components";
+
+interface CredentialFormPanelProps {
+  provider: ProviderDef;
+  existingCredential: Credential | null;
+  formValues: Record<string, string>;
+  isActive: boolean;
+  hasChanges: boolean;
+  isLoading: boolean;
+  isSaving: boolean;
+  isDeleting: boolean;
+  onChange: (key: string, value: string) => void;
+  onActiveChange: (active: boolean) => void;
+  onSave: () => void;
+  onCancel: () => void;
+  onDelete: () => void;
+}
+
+export default function CredentialFormPanel({
+  provider,
+  existingCredential,
+  formValues,
+  isActive,
+  hasChanges,
+  isLoading,
+  isSaving,
+  isDeleting,
+  onChange,
+  onActiveChange,
+  onSave,
+  onCancel,
+  onDelete,
+}: CredentialFormPanelProps) {
+  if (isLoading) {
+    return (
+      <div className="flex-1 flex items-center justify-center py-8">
+        <div className="text-center">
+          <div className="w-6 h-6 border-2 border-border border-t-transparent rounded-full animate-spin mx-auto mb-2" />
+          <p className="text-sm text-text-secondary">Loading credentials...</p>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex-1">
+      <div className="max-w-md">
+        <h3 className="text-base font-semibold mb-0.5 text-text-primary">
+          {provider.name}
+        </h3>
+        <p className="text-sm mb-5 text-text-secondary">
+          {provider.description}
+        </p>
+
+        <div className="space-y-4">
+          <label className="flex items-center gap-2.5 cursor-pointer select-none w-fit">
+            <input
+              type="checkbox"
+              checked={isActive}
+              onChange={(e) => onActiveChange(e.target.checked)}
+              className="w-4 h-4 rounded accent-status-success"
+            />
+            <span className="text-sm text-text-primary">Active</span>
+          </label>
+
+          {provider.fields.map((field) => (
+            <Field
+              key={field.key}
+              label={field.label}
+              value={formValues[field.key] || ""}
+              onChange={(val) => onChange(field.key, val)}
+              placeholder={field.placeholder}
+              type={field.type || "text"}
+            />
+          ))}
+
+          {existingCredential?.updated_at && (
+            <p className="text-xs text-text-secondary">
+              Last updated: {timeAgo(existingCredential.updated_at)}
+            </p>
+          )}
+
+          <div className="flex items-center gap-2.5 pt-1">
+            <Button
+              onClick={onSave}
+              disabled={isSaving || isDeleting || !hasChanges}
+            >
+              {isSaving ? "Saving..." : existingCredential ? "Update" : "Save"}
+            </Button>
+            <Button
+              variant="outline"
+              onClick={onCancel}
+              disabled={isSaving || isDeleting}
+            >
+              Cancel
+            </Button>
+            {existingCredential && (
+              <Button
+                variant="danger"
+                onClick={onDelete}
+                disabled={isSaving || isDeleting}
+                className="ml-auto"
+              >
+                {isDeleting ? "Removing..." : "Remove"}
+              </Button>
+            )}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/app/components/settings/credentials/ProviderList.tsx b/app/components/settings/credentials/ProviderList.tsx
deleted file mode 100644
index 0d3804c..0000000
--- a/app/components/settings/credentials/ProviderList.tsx
+++ /dev/null
@@ -1,79 +0,0 @@
-"use client";
-
-import { colors } from "@/app/lib/colors";
-import { Credential, ProviderDef } from "@/app/lib/types/credentials";
-import { getExistingForProvider } from "@/app/lib/utils";
-
-interface Props {
-  providers: ProviderDef[];
-  selectedProvider: ProviderDef;
-  credentials: Credential[];
-  onSelect: (provider: ProviderDef) => void;
-}
-
-export default function ProviderList({
-  providers,
-  selectedProvider,
-  credentials,
-  onSelect,
-}: Props) {
-  return (
-    <div
-      className="w-56 shrink-0 border-r overflow-y-auto"
-      style={{
-        backgroundColor: colors.bg.secondary,
-        borderColor: colors.border,
-      }}
-    >
-      <div className="p-3">
-        <nav className="space-y-0.5">
-          {providers.map((provider) => {
-            const hasExisting = !!getExistingForProvider(provider, credentials);
-            const isSelected = selectedProvider.id === provider.id;
-            return (
-              <button
-                key={provider.id}
-                onClick={() => onSelect(provider)}
-                className="w-full text-left px-3 py-2 rounded-md text-sm flex items-center justify-between gap-2"
-                style={{
-                  backgroundColor: isSelected
-                    ? colors.bg.primary
-                    : "transparent",
-                  color: isSelected
-                    ? colors.text.primary
-                    : colors.text.secondary,
-                  fontWeight: isSelected ? 600 : 400,
-                  border: isSelected
-                    ? `1px solid ${colors.border}`
-                    : "1px solid transparent",
-                  transition: "all 0.15s ease",
-                }}
-                onMouseEnter={(e) => {
-                  if (!isSelected) {
-                    e.currentTarget.style.backgroundColor = colors.bg.primary;
-                    e.currentTarget.style.color = colors.text.primary;
-                  }
-                }}
-                onMouseLeave={(e) => {
-                  if (!isSelected) {
-                    e.currentTarget.style.backgroundColor = "transparent";
-                    e.currentTarget.style.color = colors.text.secondary;
-                  }
-                }}
-              >
-                <span>{provider.name}</span>
-                {hasExisting && (
-                  <span
-                    className="w-1.5 h-1.5 rounded-full shrink-0"
-                    style={{ backgroundColor: colors.status.success }}
-                    title="Configured"
-                  />
-                )}
-              </button>
-            );
-          })}
-        </nav>
-      </div>
-    </div>
-  );
-}
diff --git a/app/components/settings/credentials/index.ts b/app/components/settings/credentials/index.ts
new file mode 100644
index 0000000..23d592b
--- /dev/null
+++ b/app/components/settings/credentials/index.ts
@@ -0,0 +1,2 @@
+export { default as CredentialForm } from "./CredentialForm";
+export { default as CredentialFormPanel } from "./CredentialFormPanel";
diff --git a/app/components/settings/onboarding/OnboardingCredentials.tsx b/app/components/settings/onboarding/OnboardingCredentials.tsx
new file mode 100644
index 0000000..237dcbd
--- /dev/null
+++ b/app/components/settings/onboarding/OnboardingCredentials.tsx
@@ -0,0 +1,204 @@
+"use client";
+
+import { useState, useEffect, useCallback } from "react";
+import { useAuth } from "@/app/lib/context/AuthContext";
+import { useToast } from "@/app/components/Toast";
+import { apiFetch } from "@/app/lib/apiClient";
+import {
+  PROVIDERS,
+  Credential,
+  ProviderDef,
+} from "@/app/lib/types/credentials";
+import { getExistingForProvider } from "@/app/lib/utils";
+import ProviderSidebar from "@/app/components/settings/ProviderSidebar";
+import { CredentialFormPanel } from "@/app/components/settings/credentials";
+
+interface OnboardingCredentialsProps {
+  organizationId: number;
+  projectId: number;
+}
+
+export default function OnboardingCredentials({
+  organizationId,
+  projectId,
+}: OnboardingCredentialsProps) {
+  const toast = useToast();
+  const { activeKey } = useAuth();
+  const apiKey = activeKey?.key ?? "";
+
+  const [selectedProvider, setSelectedProvider] = useState<ProviderDef>(
+    PROVIDERS[0],
+  );
+  const [credentials, setCredentials] = useState<Credential[]>([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const [isSaving, setIsSaving] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+  const [formValues, setFormValues] = useState<Record<string, string>>({});
+  const [isActive, setIsActive] = useState(true);
+  const [existingCredential, setExistingCredential] =
+    useState<Credential | null>(null);
+
+  const credentialsUrl = `/api/credentials/org/${organizationId}/${projectId}`;
+
+  const loadCredentials = useCallback(async () => {
+    setIsLoading(true);
+    try {
+      const data = await apiFetch<{ data?: Credential[] } | Credential[]>(
+        `/api/credentials/org/${organizationId}/${projectId}`,
+        apiKey,
+      );
+      setCredentials(Array.isArray(data) ? data : data.data || []);
+    } catch (err) {
+      console.error("Failed to load credentials:", err);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [apiKey, organizationId, projectId]);
+
+  useEffect(() => {
+    loadCredentials();
+  }, [loadCredentials]);
+
+  // Re-populate form when provider or credentials change
+  useEffect(() => {
+    const existing = getExistingForProvider(selectedProvider, credentials);
+    if (existing) {
+      setExistingCredential(existing);
+      setIsActive(existing.is_active);
+      const populated: Record<string, string> = {};
+      selectedProvider.fields.forEach((f) => {
+        populated[f.key] = existing.credential[f.key] || "";
+      });
+      setFormValues(populated);
+    } else {
+      setExistingCredential(null);
+      setIsActive(true);
+      const blank: Record<string, string> = {};
+      selectedProvider.fields.forEach((f) => {
+        blank[f.key] = "";
+      });
+      setFormValues(blank);
+    }
+  }, [selectedProvider, credentials]);
+
+  const handleSave = async () => {
+    const missing = selectedProvider.fields.filter(
+      (f) => !formValues[f.key]?.trim(),
+    );
+    if (missing.length > 0) {
+      toast.error(`Please fill in: ${missing.map((f) => f.label).join(", ")}`);
+      return;
+    }
+
+    setIsSaving(true);
+    try {
+      const innerPayload: Record<string, string> = {};
+      selectedProvider.fields.forEach((f) => {
+        innerPayload[f.key] = formValues[f.key].trim();
+      });
+
+      await apiFetch(credentialsUrl, apiKey, {
+        method: "PATCH",
+        body: JSON.stringify({
+          provider: selectedProvider.credentialKey,
+          is_active: isActive,
+          credential: {
+            [selectedProvider.credentialKey]: innerPayload,
+          },
+        }),
+      });
+      toast.success(
+        `${selectedProvider.name} credentials ${existingCredential ? "updated" : "saved"}`,
+      );
+      await loadCredentials();
+    } catch (err: unknown) {
+      toast.error(
+        err instanceof Error ? err.message : "Failed to save credentials",
+      );
+    } finally {
+      setIsSaving(false);
+    }
+  };
+
+  const handleCancel = () => {
+    const existing = getExistingForProvider(selectedProvider, credentials);
+    if (existing) {
+      setIsActive(existing.is_active);
+      const populated: Record<string, string> = {};
+      selectedProvider.fields.forEach((f) => {
+        populated[f.key] = existing.credential[f.key] || "";
+      });
+      setFormValues(populated);
+    } else {
+      const blank: Record<string, string> = {};
+      selectedProvider.fields.forEach((f) => {
+        blank[f.key] = "";
+      });
+      setFormValues(blank);
+      setIsActive(true);
+    }
+  };
+
+  const handleDelete = async () => {
+    if (!existingCredential) return;
+    setIsDeleting(true);
+    try {
+      await apiFetch(
+        `${credentialsUrl}/provider/${selectedProvider.credentialKey}`,
+        apiKey,
+        { method: "DELETE" },
+      );
+      toast.success(`${selectedProvider.name} credentials removed`);
+      await loadCredentials();
+    } catch (err: unknown) {
+      toast.error(
+        err instanceof Error ? err.message : "Failed to remove credentials",
+      );
+    } finally {
+      setIsDeleting(false);
+    }
+  };
+
+  const handleFieldChange = (key: string, value: string) => {
+    setFormValues((prev) => ({ ...prev, [key]: value }));
+  };
+
+  return (
+    <div>
+      <div className="flex gap-8 mt-4">
+        <ProviderSidebar
+          providers={PROVIDERS}
+          selectedProvider={selectedProvider}
+          credentials={credentials}
+          onSelect={setSelectedProvider}
+          className="w-44"
+        />
+
+        <CredentialFormPanel
+          provider={selectedProvider}
+          existingCredential={existingCredential}
+          formValues={formValues}
+          isActive={isActive}
+          hasChanges={
+            existingCredential
+              ? isActive !== existingCredential.is_active ||
+                selectedProvider.fields.some(
+                  (f) =>
+                    (formValues[f.key] || "") !==
+                    (existingCredential.credential[f.key] || ""),
+                )
+              : selectedProvider.fields.some((f) => !!formValues[f.key]?.trim())
+          }
+          isLoading={isLoading}
+          isSaving={isSaving}
+          isDeleting={isDeleting}
+          onChange={handleFieldChange}
+          onActiveChange={setIsActive}
+          onSave={handleSave}
+          onCancel={handleCancel}
+          onDelete={handleDelete}
+        />
+      </div>
+    </div>
+  );
+}
diff --git a/app/components/settings/onboarding/UserList.tsx b/app/components/settings/onboarding/UserList.tsx
index 3bffccc..459879f 100644
--- a/app/components/settings/onboarding/UserList.tsx
+++ b/app/components/settings/onboarding/UserList.tsx
@@ -42,6 +42,7 @@ export default function UserList({
   organization,
   project,
   onBack,
+  hideHeader,
 }: UserListProps) {
   const toast = useToast();
   const { activeKey, currentUser } = useAuth();
@@ -91,31 +92,50 @@ export default function UserList({
 
   return (
     <div>
-      <button
-        onClick={onBack}
-        className="text-sm text-text-secondary hover:text-text-primary mb-4 flex items-center gap-1 transition-colors cursor-pointer"
-      >
-        <ArrowLeftIcon className="w-3.5 h-3.5" /> Back to projects
-      </button>
+      {!hideHeader && (
+        <>
+          <button
+            onClick={onBack}
+            className="text-sm text-text-secondary hover:text-text-primary mb-4 flex items-center gap-1 transition-colors cursor-pointer"
+          >
+            <ArrowLeftIcon className="w-3.5 h-3.5" /> Back to projects
+          </button>
 
-      <div className="flex items-center justify-between mb-4">
-        <div>
-          <h2 className="text-lg font-semibold text-text-primary">
-            {project.name}
-          </h2>
-          <p className="text-xs text-text-secondary mt-0.5">
-            {organization.name} &middot;{" "}
+          <div className="flex items-center justify-between mb-4">
+            <div>
+              <h2 className="text-lg font-semibold text-text-primary">
+                {project.name}
+              </h2>
+              <p className="text-xs text-text-secondary mt-0.5">
+                {organization.name} &middot;{" "}
+                {isLoading
+                  ? "Loading users..."
+                  : `${users.length} user${users.length !== 1 ? "s" : ""}`}
+              </p>
+            </div>
+            {currentUser?.is_superuser && (
+              <Button size="sm" onClick={() => setShowAddModal(true)}>
+                + Add User
+              </Button>
+            )}
+          </div>
+        </>
+      )}
+
+      {hideHeader && (
+        <div className="flex items-center justify-between my-4">
+          <p className="text-xs text-text-secondary">
             {isLoading
               ? "Loading users..."
               : `${users.length} user${users.length !== 1 ? "s" : ""}`}
           </p>
+          {currentUser?.is_superuser && (
+            <Button size="sm" onClick={() => setShowAddModal(true)}>
+              + Add User
+            </Button>
+          )}
         </div>
-        {currentUser?.is_superuser && (
-          <Button size="sm" onClick={() => setShowAddModal(true)}>
-            + Add User
-          </Button>
-        )}
-      </div>
+      )}
 
       {isLoading ? (
         <UserListSkeleton />
diff --git a/app/components/settings/onboarding/index.ts b/app/components/settings/onboarding/index.ts
index b9f06c5..27ebaa4 100644
--- a/app/components/settings/onboarding/index.ts
+++ b/app/components/settings/onboarding/index.ts
@@ -4,6 +4,7 @@ export { default as OrganizationList } from "./OrganizationList";
 export { default as ProjectList } from "./ProjectList";
 export { default as StepIndicator } from "./StepIndicator";
 export { default as UserList } from "./UserList";
+export { default as OnboardingCredentials } from "./OnboardingCredentials";
 export { default as AddUserModal } from "./AddUserModal";
 export { default as AddProjectModal } from "./AddProjectModal";
 export { default as EditProjectModal } from "./EditProjectModal";
diff --git a/app/globals.css b/app/globals.css
index b691cc4..1d67ebc 100644
--- a/app/globals.css
+++ b/app/globals.css
@@ -154,7 +154,31 @@ a {
 }
 
 .animate-slideIn {
-  animation: slideIn 0.2s ease-out;
+  animation: slideIn 0.3s ease-out;
+}
+
+@keyframes slideOut {
+  from {
+    opacity: 1;
+    transform: translateX(0);
+  }
+  to {
+    opacity: 0;
+    transform: translateX(100%);
+  }
+}
+
+.animate-slideOut {
+  animation: slideOut 0.3s ease-in forwards;
+}
+
+@keyframes toastProgress {
+  from {
+    width: 100%;
+  }
+  to {
+    width: 0%;
+  }
 }
 
 .loader-spinner {
diff --git a/app/hooks/useToast.ts b/app/hooks/useToast.ts
new file mode 100644
index 0000000..28eac13
--- /dev/null
+++ b/app/hooks/useToast.ts
@@ -0,0 +1 @@
+export { useToast } from "@/app/components/Toast";
diff --git a/app/lib/authCookie.ts b/app/lib/authCookie.ts
new file mode 100644
index 0000000..99ac769
--- /dev/null
+++ b/app/lib/authCookie.ts
@@ -0,0 +1,60 @@
+import { NextResponse } from "next/server";
+
+/**
+ * Shared name for the non-httpOnly role cookie that middleware uses
+ * to gate routes. Values: "superuser" | "user". Absence = unauthenticated.
+ */
+export const ROLE_COOKIE = "kaapi_role";
+
+interface UserLike {
+  is_superuser?: boolean;
+}
+
+/**
+ * Parse the backend response body and set the role cookie if a user is present.
+ * Accepts both `{ data: { user } }` and `{ user }` shapes used across the auth
+ */
+export function setRoleCookieFromBody(
+  response: NextResponse,
+  body: unknown,
+): void {
+  if (!body || typeof body !== "object") return;
+
+  const user = extractUser(body);
+  if (!user) return;
+
+  response.cookies.set(ROLE_COOKIE, user.is_superuser ? "superuser" : "user", {
+    httpOnly: false,
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 7, // 7 days
+  });
+}
+
+export function clearRoleCookie(response: NextResponse): void {
+  response.cookies.set(ROLE_COOKIE, "", {
+    httpOnly: false,
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    path: "/",
+    maxAge: 0,
+  });
+}
+
+function extractUser(body: unknown): UserLike | null {
+  if (!body || typeof body !== "object") return null;
+  const outer = body as Record<string, unknown>;
+
+  if (outer.data && typeof outer.data === "object") {
+    const data = outer.data as Record<string, unknown>;
+    if (data.user && typeof data.user === "object") {
+      return data.user as UserLike;
+    }
+    if ("is_superuser" in data) return data as UserLike;
+  }
+
+  if ("is_superuser" in outer) return outer as UserLike;
+
+  return null;
+}
diff --git a/app/lib/constants.ts b/app/lib/constants.ts
index 5fdbd86..fde30b1 100644
--- a/app/lib/constants.ts
+++ b/app/lib/constants.ts
@@ -3,6 +3,7 @@
  */
 
 import { ConfigBlob } from "@/app/lib/types/promptEditor";
+import { ToastType } from "@/app/components/Toast";
 
 export const APP_NAME = "Kaapi Konsole";
 
@@ -56,17 +57,6 @@ export const MODEL_OPTIONS = {
     { value: "gpt-4", label: "GPT-4" },
     { value: "gpt-3.5-turbo", label: "GPT-3.5 Turbo" },
   ],
-  // anthropic: [
-  //   { value: 'claude-3-5-sonnet-20241022', label: 'Claude 3.5 Sonnet' },
-  //   { value: 'claude-3-opus-20240229', label: 'Claude 3 Opus' },
-  //   { value: 'claude-3-sonnet-20240229', label: 'Claude 3 Sonnet' },
-  //   { value: 'claude-3-haiku-20240307', label: 'Claude 3 Haiku' },
-  // ],
-  // google: [
-  //   { value: 'gemini-1.5-pro', label: 'Gemini 1.5 Pro' },
-  //   { value: 'gemini-1.5-flash', label: 'Gemini 1.5 Flash' },
-  //   { value: 'gemini-pro', label: 'Gemini Pro' },
-  // ],
 };
 
 export const DEFAULT_CONFIG: ConfigBlob = {
@@ -81,3 +71,38 @@ export const DEFAULT_CONFIG: ConfigBlob = {
     },
   },
 };
+
+export const TOAST_CONFIG: Record<
+  ToastType,
+  {
+    accent: string;
+    bg: string;
+    icon: string;
+    progressBg: string;
+  }
+> = {
+  success: {
+    accent: "#07bc0c",
+    bg: "#ffffff",
+    icon: "#07bc0c",
+    progressBg: "#07bc0c",
+  },
+  error: {
+    accent: "#e74c3c",
+    bg: "#ffffff",
+    icon: "#e74c3c",
+    progressBg: "#e74c3c",
+  },
+  warning: {
+    accent: "#f1c40f",
+    bg: "#ffffff",
+    icon: "#f1c40f",
+    progressBg: "#f1c40f",
+  },
+  info: {
+    accent: "#3498db",
+    bg: "#ffffff",
+    icon: "#3498db",
+    progressBg: "#3498db",
+  },
+};
diff --git a/app/lib/navConfig.ts b/app/lib/navConfig.ts
index 57e999a..f5d3a6a 100644
--- a/app/lib/navConfig.ts
+++ b/app/lib/navConfig.ts
@@ -5,7 +5,7 @@ export const SETTINGS_NAV: SettingsNavSection[] = [
     label: "Settings",
     items: [
       { name: "Credentials", route: "/settings/credentials", icon: "key" },
-      { name: "Onboarding", route: "/settings/onboarding", icon: "sliders" },
+      { name: "Organizations", route: "/settings/onboarding", icon: "sliders" },
     ],
   },
 ];
diff --git a/app/lib/types/onboarding.ts b/app/lib/types/onboarding.ts
index ee22401..1c9a338 100644
--- a/app/lib/types/onboarding.ts
+++ b/app/lib/types/onboarding.ts
@@ -94,6 +94,7 @@ export interface UserListProps {
   organization: Organization;
   project: Project;
   onBack: () => void;
+  hideHeader?: boolean;
 }
 
 export interface AddProjectModalProps {
diff --git a/app/lib/types/toast.ts b/app/lib/types/toast.ts
new file mode 100644
index 0000000..74f4841
--- /dev/null
+++ b/app/lib/types/toast.ts
@@ -0,0 +1,18 @@
+export type ToastType = "success" | "error" | "info" | "warning";
+
+export interface Toast {
+  id: string;
+  message: string;
+  type: ToastType;
+  duration?: number;
+}
+
+export interface ToastContextType {
+  toasts: Toast[];
+  addToast: (message: string, type?: ToastType, duration?: number) => void;
+  removeToast: (id: string) => void;
+  success: (message: string, duration?: number) => void;
+  error: (message: string, duration?: number) => void;
+  info: (message: string, duration?: number) => void;
+  warning: (message: string, duration?: number) => void;
+}
diff --git a/middleware.ts b/middleware.ts
new file mode 100644
index 0000000..068da38
--- /dev/null
+++ b/middleware.ts
@@ -0,0 +1,68 @@
+import { NextResponse, type NextRequest } from "next/server";
+
+/** Route protection via `kaapi_role` cookie. Settings requires superuser. */
+
+const PUBLIC_ROUTES = new Set<string>([
+  "/evaluations",
+  "/invite",
+  "/verify",
+  "/coming-soon/guardrails",
+  "/coming-soon/model-testing",
+  "/coming-soon/redteaming",
+  "/coming-soon/text-to-speech",
+]);
+
+const GUEST_ONLY_ROUTES = new Set<string>(["/keystore"]);
+
+const HOME_ROUTE = "/evaluations";
+const PATHNAME_STARTS_WITH = ["/settings"];
+
+export function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+  const role = request.cookies.get("kaapi_role")?.value;
+  const isAuthenticated = role === "superuser" || role === "user";
+  const isSuperuser = role === "superuser";
+
+  // Guest-only routes: allowed when unauthenticated, blocked otherwise
+  if (GUEST_ONLY_ROUTES.has(pathname)) {
+    if (isAuthenticated) {
+      return NextResponse.redirect(new URL(HOME_ROUTE, request.url));
+    }
+    return NextResponse.next();
+  }
+
+  // Allow public routes for everyone
+  if (PUBLIC_ROUTES.has(pathname)) {
+    return NextResponse.next();
+  }
+
+  // /settings/* requires superuser
+  if (PATHNAME_STARTS_WITH.some((prefix) => pathname.startsWith(prefix))) {
+    if (!isAuthenticated) {
+      return NextResponse.redirect(new URL(HOME_ROUTE, request.url));
+    }
+    if (!isSuperuser) {
+      return NextResponse.redirect(new URL(HOME_ROUTE, request.url));
+    }
+    return NextResponse.next();
+  }
+
+  // Any other app route requires authentication
+  if (!isAuthenticated) {
+    return NextResponse.redirect(new URL(HOME_ROUTE, request.url));
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except:
+     * - api routes (/api/*)
+     * - _next internals
+     * - static files (images, fonts, favicon, etc.)
+     */
+    "/((?!api|_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)",
+  ],
+};