diff --git a/Dockerfile b/Dockerfile
index ce760e9..fa0ce6e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM dexidp/dex:v2.33.0
+FROM dexidp/dex:v2.35.3
 LABEL org.opencontainers.image.title="dns3l auth"
 LABEL org.opencontainers.image.description="An OIDC provider for DNS3L"
diff --git a/config.docker.yaml b/config.docker.yaml
index d36aac4..ab562ad 100644
--- a/config.docker.yaml
+++ b/config.docker.yaml
@@ -25,7 +25,7 @@ web:
   https: 0.0.0.0:5554
   tlsCert: {{.Env.DEXPATH}}/tls.crt
   tlsKey: {{.Env.DEXPATH}}/tls.key
-  allowedOrigins: ['*']
+  allowedOrigins: ['*'] # .Env.DNS3L_FQDN
 
 grpc:
   addr: 0.0.0.0:5557
@@ -71,6 +71,15 @@ staticClients:
   # https://tools.ietf.org/html/rfc6749#section-4.3
   secret: {{.Env.DNS3L_API_SECRET}}
   name: 'DNS3L API'
+- id: dns3ld
+  # dns3ld can only validate against a single client ID actually...
+  # https://github.com/dns3l/dns3l-core/issues/59
+  secret: {{.Env.DNS3L_DAEMON_SECRET}}
+  name: 'DNS3L daemon validator'
+  trustedPeers:
+  - dns3l-app # new scope: audience:server:client_id:dns3ld
+  - dns3l-api # new scope: audience:server:client_id:dns3ld
+  - dns3l-cli # new scope: audience:server:client_id:dns3ld
 
 {{if eq .Env.production "false" -}}
 # Note: Prod SHOULD NOT provide mock and local
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index f72f86f..4c4ef86 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -45,12 +45,38 @@ function random_token() {
     tr -cd '[:alnum:]'
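Review bot: The new trailing comment `# .Env.DNS3L_FQDN` on `allowedOrigins: ['*']` leaves the CORS wildcard in place, so every browser origin is still accepted by the dex web endpoints, and a reader cannot tell whether this is a deferred change or a deliberate choice. If the intent is to pin CORS to the deployment's host, the value itself should carry the template, e.g. `allowedOrigins: ['https://{{.Env.DNS3L_FQDN}}']`, assuming DNS3L_FQDN is exported to the template environment the way DEXPATH is on the lines above. If the wildcard is intentional for now, make the comment say so, e.g. `# TODO: restrict to the DNS3L_FQDN origin; '*' kept until then`. The enclosing `web:` block starts above this hunk.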
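Review bot: `secret: {{.Env.DNS3L_DAEMON_SECRET}}` is rendered unquoted, so a secret supplied by the operator rather than generated by the entrypoint's `random_token()` (which appears to keep only `[:alnum:]` characters, per the shell hunk below) can break the YAML or be retyped if it contains `: `, ` #`, or a leading `*`/`&`/`[`, and an unset variable would render as a bare `secret:` (YAML null) unless the entrypoint checks for it. Quoting as `secret: '{{.Env.DNS3L_DAEMON_SECRET}}'` removes the parse hazard (a secret containing `'` would still need escaping), and the existing `DNS3L_API_SECRET` entry just above has the same exposure. The identical `# new scope: audience:server:client_id:dns3ld` comment is repeated on all three trustedPeers; a single comment above `trustedPeers:` explaining the relationship would read better, e.g. `# These clients may request scope audience:server:client_id:dns3ld, i.e. tokens with aud=dns3ld that the daemon validates (dns3l-core#59)`. The `staticClients:` sequence begins above this hunk.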