diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index f5bc3c5af3e..575946624d8 100644
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@@ -438,3 +438,61 @@ jobs:
         gpg --armor --detach-sign cedarling_wasm_"${TAG}"_pkg.tar.gz || echo "Failed to sign"
         echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
         gh release upload "${VERSION}" *.tar.gz *.sha256sum *.asc
+  build_cedarling_krakend:
+    if: github.repository == 'JanssenProject/jans'
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        krakend-builder-image: [ 'builder:2.9.0', 'builder:2.9.0-linux-generic' ]
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      with:
+        egress-policy: audit
+
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Import GPG key
+      id: import_gpg
+      continue-on-error: true
+      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+      with:
+        gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
+        git_user_signingkey: true
+        git_commit_gpgsign: true
+    - name: Set environment variables
+      run: |
+        TAG=$(echo ${{ github.event.ref }} | cut -d '/' -f 3 | sed 's/^v//')
+        VERSION="$(echo ${{ github.event.ref }} | cut -d '/' -f 3)"
+        if [ "${TAG}" == "nightly" ]; then
+          VERSION=nightly
+          TAG="0.0.0"
+        fi
+        echo TAG=${TAG} >> $GITHUB_ENV
+        echo VERSION=${VERSION} >> $GITHUB_ENV
+        KRAKEND_BUILDER_IMAGE=${{ matrix.krakend-builder-image }}
+        KRAKEND_BUILDER_IMAGE=${KRAKEND_BUILDER_IMAGE/:/-}
+        echo KRAKEND_BUILDER_IMAGE=${KRAKEND_BUILDER_IMAGE} >> $GITHUB_ENV
+        echo CC="aarch64-linux-musl-gcc" >> $GITHUB_ENV
+        if [ "${{ matrix.krakend-builder-image }}" == "builder:2.9.0-linux-generic" ]; then
+          echo CC="aarch64-linux-gnu-gcc" >> $GITHUB_ENV
+        fi
+    - name: Build plugin for AMD64 
+      working-directory: ${{ github.workspace }}/jans-cedarling/cedarling-krakend
+      run: |
+        docker run -i -v "$PWD:/app" -w /app krakend/"${{ matrix.krakend-builder-image }}" go build -buildmode=plugin -o cedarling-krakend-amd64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so .
+    - name: Build plugin for ARM64
+      working-directory: ${{ github.workspace }}/jans-cedarling/cedarling-krakend
+      run: |
+
+        docker run -i -v "$PWD:/app" -w /app -e "CGO_ENABLED=1" -e "CC=${{ env.CC }}" -e "GOARCH=arm64" -e "GOHOSTARCH=amd64" krakend/"${{ matrix.krakend-builder-image }}" go build -ldflags='-extldflags=-fuse-ld=bfd -extld=${{ env.CC }}' -buildmode=plugin -o  cedarling-krakend-arm64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so .
+    - name: Generate sha256sum and sign
+      working-directory: ${{ github.workspace }}/jans-cedarling/cedarling-krakend
+      run: |
+        sha256sum cedarling-krakend-amd64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so >> cedarling-krakend-amd64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so.sha256sum
+        sha256sum cedarling-krakend-arm64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so >> cedarling-krakend-arm64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so.sha256sum
+        gpg --armor --detach-sign cedarling-krakend-amd64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so || echo "Failed to sign"
+        gpg --armor --detach-sign cedarling-krakend-arm64-"${{ env.KRAKEND_BUILDER_IMAGE }}"-"${{ env.TAG }}".so || echo "Failed to sign"
+        echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
+        gh release upload "${{ env.VERSION }}" *.so *.sha256sum *.asc
diff --git a/agama/misc/finished.ftlh b/agama/misc/finished.ftlh
index 4781071b084..9c593ab16a5 100644
--- a/agama/misc/finished.ftlh
+++ b/agama/misc/finished.ftlh
@@ -7,13 +7,13 @@
         
         <p class="my-4">Redirecting you...
         
-        <form action="${webCtx.contextPath}/postlogin.htm" method="post">
+        <form action="${webCtx.contextPath}/${data.post_finish_url}" method="post">
             <noscript>
                 <p>Your browser does not seem to support Javascript. Click on the button below to be redirected
                 <p><input type="submit" class="btn btn-success px-4" value="Continue">
             </noscript>
         </form>
-        
+
         <script>
             function submit() {
                 document.forms[0].submit()
diff --git a/agama/misc/json_finished.ftlh b/agama/misc/json_finished.ftlh
index ec8f44a8bbc..5d90514aa49 100644
--- a/agama/misc/json_finished.ftlh
+++ b/agama/misc/json_finished.ftlh
@@ -3,7 +3,7 @@
 {
 "success": ${success?c},
 <#if success>
-    "finish_post_url": "${webCtx.contextPath}/postlogin.htm"
+    "post_finish_url": "${webCtx.contextPath}/${data.post_finish_url}"
 <#else>
     "error": "${jt.escStr(error!"")}"
 </#if>
diff --git a/demos/jans-tarp/src/options/helpDrawer.tsx b/demos/jans-tarp/src/options/helpDrawer.tsx
index b1d34822515..a3195d9198d 100644
--- a/demos/jans-tarp/src/options/helpDrawer.tsx
+++ b/demos/jans-tarp/src/options/helpDrawer.tsx
@@ -1,14 +1,11 @@
 import * as React from 'react';
 import Box from '@mui/material/Box';
 import Drawer from '@mui/material/Drawer';
-import Card from '@mui/material/Card';
-import CardContent from '@mui/material/CardContent';
-import CardMedia from '@mui/material/CardMedia';
 import Typography from '@mui/material/Typography';
 
 export default function HelpDrawer({ isOpen, handleDrawer }) {
   const [open, setOpen] = React.useState(isOpen);
-
+  const [width, setWidth] = React.useState((window.innerWidth * 2)/3 )
   React.useEffect(() => {
     handleDrawer(isOpen)
     setOpen(isOpen);
@@ -20,88 +17,81 @@ export default function HelpDrawer({ isOpen, handleDrawer }) {
   };
 
   const DrawerList = (
-    <>
-      <Box sx={{ width: 1184 }} role="presentation">
-        <Card sx={{ maxWidth: 1184 }}>
-          <CardContent>
-            <Typography gutterBottom variant="h5" component="div">
-              Step 1
-            </Typography>
-            <Typography variant="body2" color="text.secondary">
-              Click on 'Add Client' button for Dynamic Client Registration on authentication server.
-            </Typography>
-          </CardContent>
-          <CardMedia
-            sx={{ height: 266 }}
-            image={'tarpDocs1.png'}
-          />
-        </Card>
-      </Box>
-      <Box sx={{ width: 586 }} role="presentation">
-        <Card sx={{ maxWidth: 586 }}>
-          <CardContent>
-            <Typography gutterBottom variant="h5" component="div">
-              Step 2
-            </Typography>
-            <Typography variant="body2" color="text.secondary">
-              On registration form enter details and register.
-            </Typography>
-          </CardContent>
-          <CardMedia
-            sx={{ height: 445 }}
-            image={'tarpDocs2.png'}
-          />
-        </Card>
-      </Box>
-      <Box sx={{ width: 1184 }} role="presentation">
-        <Card sx={{ maxWidth: 1184 }}>
-          <CardContent>
-            <Typography gutterBottom variant="h5" component="div">
-              Step 3
-            </Typography>
-            <Typography variant="body2" color="text.secondary">
-              Trigger authentication flow.
-            </Typography>
-          </CardContent>
-          <CardMedia
-            sx={{ height: 266 }}
-            image={'tarpDocs3.png'}
-          />
-        </Card>
-      </Box>
-      <Box sx={{ width: 575 }} role="presentation">
-        <Card sx={{ maxWidth: 575 }}>
-          <CardContent>
-            <Typography gutterBottom variant="h5" component="div">
-              Step 4
-            </Typography>
-            <Typography variant="body2" color="text.secondary">
-              The Registered client can be used to trigger authentication flow until it is expired.
-            </Typography>
-          </CardContent>
-          <CardMedia
-            sx={{ height: 459 }}
-            image={'tarpDocs4.png'}
-          />
-        </Card>
-      </Box>
-      <Box sx={{ width: 575 }} role="presentation">
-        <Card sx={{ maxWidth: 575 }}>
-          <CardContent>
-            <Typography gutterBottom variant="h5" component="div">
-              Optional
-            </Typography>
-            <Typography variant="body2" color="text.secondary">
-              For <b>'Acr Values'</b> input, you can also add a new ACR option.
-            </Typography>
-          </CardContent>
-          <CardMedia
-            sx={{ height: 459 }}
-            image={'tarpDocs5.png'}
-          />
-        </Card>
-      </Box>
-    </>
+
+    <Box sx={{ width: width }} role="presentation">
+      <div style={{ padding: "20px" }}>
+        <Typography gutterBottom variant="h5" component="div">
+          Step 1
+        </Typography>
+        <Typography variant="body2" color="text.secondary">
+          Click on 'Add Client' button for Dynamic Client Registration on authentication server.
+        </Typography>
+      </div>
+      <div className="image-container">
+        <img id="dynamic-image" src={'tarpDocs1.png'} />
+      </div>
+
+      <div style={{ padding: "20px" }}>
+        <Typography gutterBottom variant="h5" component="div">
+          Step 2
+        </Typography>
+        <Typography variant="body2" color="text.secondary">
+          On registration form enter details and register.
+        </Typography>
+      </div>
+      <div className="image-container">
+        <img id="dynamic-image" src={'tarpDocs2.png'} />
+      </div>
+
+      <div style={{ padding: "20px" }}>
+        <Typography gutterBottom variant="h5" component="div">
+          Step 3 (Optional: For Cedarlig authorization testing)
+        </Typography>
+        <Typography variant="body2" color="text.secondary">
+          Add Cedarling bootstrap configuration on <b>Cedarling</b> tab.
+        </Typography>
+      </div>
+      <div className="image-container">
+        <img id="dynamic-image" src={'tarpDocs3.png'} />
+      </div>
+
+      <div style={{ padding: "20px" }}>
+        <Typography gutterBottom variant="h5" component="div">
+          Step 4
+        </Typography>
+        <Typography variant="body2" color="text.secondary">
+          Start Authentication code flow.
+        </Typography>
+      </div>
+      <div className="image-container">
+        <img id="dynamic-image" src={'tarpDocs4.png'} />
+      </div>
+
+      <div style={{ padding: "20px" }}>
+        <Typography gutterBottom variant="h5" component="div">
+          Step 5
+        </Typography>
+        <Typography variant="body2" color="text.secondary">
+          Enter required details before starting Authentication Code flow.
+        </Typography>
+      </div>
+      <div className="image-container">
+        <img id="dynamic-image" src={'tarpDocs5.png'} />
+      </div>
+
+      <div style={{ padding: "20px" }}>
+        <Typography gutterBottom variant="h5" component="div">
+          Step 6 (Optional: For Cedarlig authorization testing)
+        </Typography>
+        <Typography variant="body2" color="text.secondary">
+          After authentication, test Cedarling Authorization decision using following request form.
+        </Typography>
+      </div>
+      <div className="image-container">
+        <img id="dynamic-image" src={'tarpDocs6.png'} />
+      </div>
+    </Box>
+
   );
 
   return (
diff --git a/demos/jans-tarp/src/options/options.css b/demos/jans-tarp/src/options/options.css
index 21d2ec6237f..57caa2ccfe8 100644
--- a/demos/jans-tarp/src/options/options.css
+++ b/demos/jans-tarp/src/options/options.css
@@ -195,6 +195,17 @@ label.light {
   z-index: 1; /* Ensure loader stays above the form */
 }
 
+.image-container {
+  display: flex;
+  flex-direction: column; /* Stack content vertically */
+  align-items: center; /* Optional: Center align other content */
+}
+
+.image-container img {
+  max-width: 100%; /* Ensure responsiveness */
+  height: auto;
+}
+
 @media screen and (min-width: 480px) {
 
   form {
diff --git a/demos/jans-tarp/src/static/tarpDocs1.png b/demos/jans-tarp/src/static/tarpDocs1.png
index a8d718216b1..ae7b703becc 100644
Binary files a/demos/jans-tarp/src/static/tarpDocs1.png and b/demos/jans-tarp/src/static/tarpDocs1.png differ
diff --git a/demos/jans-tarp/src/static/tarpDocs2.png b/demos/jans-tarp/src/static/tarpDocs2.png
index c35b6dffe25..47cfa5a43d8 100644
Binary files a/demos/jans-tarp/src/static/tarpDocs2.png and b/demos/jans-tarp/src/static/tarpDocs2.png differ
diff --git a/demos/jans-tarp/src/static/tarpDocs3.png b/demos/jans-tarp/src/static/tarpDocs3.png
index 07446ea80a1..65023899965 100644
Binary files a/demos/jans-tarp/src/static/tarpDocs3.png and b/demos/jans-tarp/src/static/tarpDocs3.png differ
diff --git a/demos/jans-tarp/src/static/tarpDocs4.png b/demos/jans-tarp/src/static/tarpDocs4.png
index cc234ec611c..f4d9f176764 100644
Binary files a/demos/jans-tarp/src/static/tarpDocs4.png and b/demos/jans-tarp/src/static/tarpDocs4.png differ
diff --git a/demos/jans-tarp/src/static/tarpDocs5.png b/demos/jans-tarp/src/static/tarpDocs5.png
index 25db047631a..102b551febc 100644
Binary files a/demos/jans-tarp/src/static/tarpDocs5.png and b/demos/jans-tarp/src/static/tarpDocs5.png differ
diff --git a/demos/jans-tarp/src/static/tarpDocs6.png b/demos/jans-tarp/src/static/tarpDocs6.png
new file mode 100644
index 00000000000..c9088019988
Binary files /dev/null and b/demos/jans-tarp/src/static/tarpDocs6.png differ
diff --git a/demos/jans-tarp/webpack.common.js b/demos/jans-tarp/webpack.common.js
index 9fa464d5a45..4beb0cd5da2 100644
--- a/demos/jans-tarp/webpack.common.js
+++ b/demos/jans-tarp/webpack.common.js
@@ -71,6 +71,9 @@ const assetArr = [{
 },
 {
     from: path.resolve('src/static/tarpDocs5.png')
+},
+{
+    from: path.resolve('src/static/tarpDocs6.png')
 }];
 
 const chromeConfig = merge(commonConfig, {
diff --git a/docs/cedarling/cedarling-krakend.md b/docs/cedarling/cedarling-krakend.md
new file mode 100644
index 00000000000..570759a7104
--- /dev/null
+++ b/docs/cedarling/cedarling-krakend.md
@@ -0,0 +1,137 @@
+# Cedarling KrakenD Plugin
+
+This is a [KrakenD HTTP server plugin](https://www.krakend.io/docs/extending/http-server-plugins/) that intercepts a call to a selected endpoint, calls the [sidecar](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/flask-sidecar/README.md) and allows access only if the sidecar responds with `true`.
+
+## Functionality
+
+When an end user calls the KrakenD endpoint protected by the plugin, the following steps happen:
+
+1. The plugin intercepts the call, and creates an [AuthZen](https://openid.github.io/authzen/) access evaluation request.
+2. The plugin sends the request to the sidecar, which is running on the same host as KrakenD
+3. The sidecar calls cedarling's `authz()` interface to check if this call is allowed or not according to the policy store loaded
+4. The sidecar responds back to the plugin. If the decision was `true`, the plugin allows the request to pass through to the KrakenD backend. Otherwise, it responds with 403 Forbidden.
+
+[Sequence Diagram](https://sequencediagram.org/index.html#initialData=C4S2BsFMAIGFICYEMBO4QDsDm0DSKkBrSDAEWgAdwBXLTAKACMB7YYZgWwtVAGMRuGYAGdo9etxR8BSIXHQlgEniH6DgeAsTLKpqmXIDKIBJF6pd09XESp02cbAVCAtAD58REqQBc0AOIAogAq0AD0FCisZsCIADoY0C4AEtAARACC1MAAFswoIABeSKDMGH4AQpCokCjQADwAUgDqwW5p9J7apO7GpuYofgDeacLUjABWMWk+I8AAnhSQM2ktwWkANAlpJiu8tmiYWJvbkcxLepDCMyNIvPvCwgD67NorTa3tAL5fWxhpKCuzGoKH2NzSCyWK0asmEPh8yWCwQACk8AEqQACO1CuwBO-12PlGnEgT12GzSZwuoCu4Jy1VMKBuv22IPAdOYwjxRIAjAAmADsADoAAyioU8zaUko5FYRKKxXixBD4ykK5i8Zjsok5NgUNI-Fn-O6lf6zNIYJAcZZEmEYOE+DJKkBleFxNJBYLug1feh9MyodzwZCHbB+JDZHKFAAUdwez1eJAAvB82n9AcJgaDIEmhXm-iaXRhc3mAJT0JDgDTAFA4+jBuxHXomAODaA1uv+gbuLreYZpfogYRFmbt2uQX29shB5zAftnRXKskYABmzFHO1X699kHAwhgK8r+-rB3sWGb-VQfkPe8gfpb3Y8Wj70BGg+HZVHN-3k+f07cTggIofgACwigAzNAABi+SMCYpgYPQJAIEAA)
+
+## Downloading
+
+The cedarling-krakend plugin builds are available via [Janssen](https://github.com/JanssenProject/jans/releases) releases. Please note that builds are architecture, platform, and KrakenD version specific. This means that builds compiled against KrakenD version `2.9.0` will not work on other versions. The build tags are formatted as follows:
+
+```
+cedarling-krakend-<architecture>-<krakend version and platform>-<Janssen version>.so 
+```
+
+Use the following table to find which build you need:
+
+|   | amd64 | arm64 |
+| - | ----- | ----- |
+| Docker | `amd64-builder-2.9.0-0.0.0.so` | `arm64-builder-2.9.0-0.0.0.so` |
+| On-premise | `amd64-builder-2.9.0-linux-generic-0.0.0.so` | `arm64-builder-2.9.0-linux-generic-0.0.0.so` |
+
+If you are running a different version of KrakenD, you can use the following steps to build the plugin yourself.
+
+## Building
+
+Krakend recommends building via their builder docker image, to produce builds that match the target architecture and Go version. To build:
+
+- Clone the Janssen repository
+    ```
+    git clone --filter blob:none --no-checkout https://github.com/JanssenProject/jans
+    cd jans
+    git sparse-checkout init --cone
+    git checkout main
+    git sparse-checkout set jans-cedarling 
+    cd cedarling-krakend
+    ```
+- Build the plugin, replacing `<x.y.z>` with the KrakenD version you want to build against: 
+    
+    - For Docker targets:
+
+    ```
+    docker run -it -v "$PWD:/app" -w /app krakend/builder:<x.y.z> go build -buildmode=plugin -o cedarling-krakend.so .
+    ```
+
+    - For on-premise installations:
+
+    ```
+    docker run -it -v "$PWD:/app" -w /app krakend/builder:<x.y.z>-linux-generic go build -buildmode=plugin -o yourplugin.so .
+    ```
+
+    - For ARM64 Docker targets:
+
+    ```bash
+    docker run -it -v "$PWD:/app" -w /app \
+        -e "CGO_ENABLED=1" \
+        -e "CC=aarch64-linux-musl-gcc" \
+        -e "GOARCH=arm64" \
+        -e "GOHOSTARCH=amd64" \
+        krakend/builder:<x.y.z> \
+        go build -ldflags='-extldflags=-fuse-ld=bfd -extld=aarch64-linux-musl-gcc' \
+        -buildmode=plugin -o yourplugin.so .
+    ```
+
+    - For ARM64 on-premise installs:
+
+    ```bash
+    docker run -it -v "$PWD:/app" -w /app \
+        -e "CGO_ENABLED=1" \
+        -e "CC=aarch64-linux-gnu-gcc" \
+        -e "GOARCH=arm64" \
+        -e "GOHOSTARCH=amd64" \
+        krakend/builder:<x.y.z>-linux-generic \
+        go build -ldflags='-extldflags=-fuse-ld=bfd -extld=aarch64-linux-gnu-gcc' \
+        -buildmode=plugin -o yourplugin.so .
+    ```
+
+Check [KrakenD documentation](https://www.krakend.io/docs/extending/injecting-plugins/) on how to load plugins.
+
+## Prerequisites for testing
+
+To test the plugin, you will need:
+
+- A cedarling policy store with a policy for our gateway. To create this, please follow [these](https://github.com/JanssenProject/jans/wiki/Cedarling-Hello-World-%5BWIP%5D#setup-policy-store) steps.
+- An instance of the cedarling sidecar, using the policy store mentioned above. Please follow [these](https://github.com/JanssenProject/jans/wiki/Cedarling-Hello-World-%5BWIP%5D#setup-sidecar) steps. 
+- For our demo, we will use this sample policy as outlined in the instructions:
+    ```
+    @id("allow_one")
+    permit(
+        principal is gatewayDemo::Workload,
+        action == gatewayDemo::Action::"GET",
+        resource is gatewayDemo::HTTP_Request
+    )
+    when {
+        (principal["client_id"]) == "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
+    };
+    ```
+- A [KrakenD server installation](https://www.krakend.io/docs/overview/installing/). For development purposes, the binary install is recommended. For production setups, the Docker method is recommended.
+- The plugin `.so` file for your architecture. For Mac OS hosts, ARM64 is required.
+- A configuration file. Sample configuration is provided in [krakend.json](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/cedarling-krakend/krakend.json).
+
+## Configuration
+
+See [krakend.json](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/cedarling-krakend/krakend.json) to see an example KrakenD configuration which loads the plugin. The following table describes the plugin-specific configuration keys. These keys are mandatory and must be provided. Additional configuration is described in [KrakenD documentation](https://www.krakend.io/docs/configuration/structure/).
+
+The `namespace` field in the configuration needs to be the cedar namespace you used when creating the policy store. By default, Agama Lab sets the namespace to the name of the policy store. If you are following the demo, this value is `gatewayDemo`.
+
+| Field | Type | Example | Description |
+|-------|------|---------|-------------|
+| path   | String  | /protected | KrakenD endpoint to protect |
+| sidecar_endpoint | String | http://127.0.0.1:5000/cedarling/evaluation | Sidecar evaluation URL |
+| namespace | String | gatewayDemo | Cedar namespace being used by the sidecar |
+
+## Running
+
+1. Start the cedarling sidecar. The sample config expects the sidecar to be running on port 5000
+2. Place `krakend.json` and the plugin `.so` file in your current working directory
+2. Run the KrakenD server: `krakend run -c krakend.json`
+3. KrakenD is running on `http://127.0.0.1:8080`
+4. Test with no authentication: `curl http://127.0.0.1:8080/protected`. You should get a 403 Forbidden
+5. Test with authentication:
+
+```bash
+ACCESS_TOKEN=eyJraWQiOiJjb25uZWN0X2Y5YTAwN2EyLTZkMGItNDkyYS05MGNkLWYwYzliMWMyYjVkYl9zaWdfcnMyNTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJxenhuMVNjcmI5bFd0R3hWZWRNQ2t5LVFsX0lMc3BaYVFBNmZ5dVlrdHcwIiwiY29kZSI6IjNlMmEyMDEyLTA5OWMtNDY0Zi04OTBiLTQ0ODE2MGMyYWIyNSIsImlzcyI6Imh0dHBzOi8vYWNjb3VudC5nbHV1Lm9yZyIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJjbGllbnRfaWQiOiJkN2Y3MWJlYS1jMzhkLTRjYWYtYTFiYS1lNDNjNzRhMTFhNjIiLCJhdWQiOiJkN2Y3MWJlYS1jMzhkLTRjYWYtYTFiYS1lNDNjNzRhMTFhNjIiLCJhY3IiOiJzaW1wbGVfcGFzc3dvcmRfYXV0aCIsIng1dCNTMjU2IjoiIiwibmJmIjoxNzMxOTUzMDMwLCJzY29wZSI6WyJyb2xlIiwib3BlbmlkIiwicHJvZmlsZSIsImVtYWlsIl0sImF1dGhfdGltZSI6MTczMTk1MzAyNywiZXhwIjoxNzMyMTIxNDYwLCJpYXQiOjE3MzE5NTMwMzAsImp0aSI6InVaVWgxaERVUW82UEZrQlBud3BHemciLCJ1c2VybmFtZSI6IkRlZmF1bHQgQWRtaW4gVXNlciIsInN0YXR1cyI6eyJzdGF0dXNfbGlzdCI6eyJpZHgiOjMwNiwidXJpIjoiaHR0cHM6Ly9qYW5zLnRlc3QvamFucy1hdXRoL3Jlc3R2MS9zdGF0dXNfbGlzdCJ9fX0.Pt-Y7F-hfde_WP7ZYwyvvSS11rKYQWGZXTzjH_aJKC5VPxzOjAXqI3Igr6gJLsP1aOd9WJvOPchflZYArctopXMWClbX_TxpmADqyCMsz78r4P450TaMKj-WKEa9cL5KtgnFa0fmhZ1ZWolkDTQ_M00Xr4EIvv4zf-92Wu5fOrdjmsIGFot0jt-12WxQlJFfs5qVZ9P-cDjxvQSrO1wbyKfHQ_txkl1GDATXsw5SIpC5wct92vjAVm5CJNuv_PE8dHAY-KfPTxOuDYBuWI5uA2Yjd1WUFyicbJgcmYzUSVt03xZ0kQX9dxKExwU2YnpDorfwebaAPO7G114Bkw208g
+
+curl http://127.0.0.1:8080/protected -H "Authorization: Bearer $ACCESS_TOKEN"
+```
+
+KrakenD is configured to respond with the health check response if authentication succeeds. 
diff --git a/docs/janssen-server/developer/agama/engine-bridge-config.md b/docs/janssen-server/developer/agama/engine-bridge-config.md
index 8715554dba6..c582e25aa13 100644
--- a/docs/janssen-server/developer/agama/engine-bridge-config.md
+++ b/docs/janssen-server/developer/agama/engine-bridge-config.md
@@ -40,8 +40,6 @@ The properties of Agama engine configuration are described in the following:
 
 - `finishedFlowPage`:  A path relative to `/opt/jans/jetty/jans-auth/agama` containing the location of the page shown when a flow has finished (whether successfully or not) in the phase handled exclusively by the engine. This page features an auto-submitting form that users won't notice in practice. This page will rarely need modifications. Default value is `finished.ftlh`
 
-- `bridgeScriptPage`: This is a facelets (JSF) page the bridge needs for proper operation. This page resides in the authentication server WAR file and will rarely need modifications. Default value is `agama.xhtml`
-
 - `serializeRules`: A JSON object specifying the serialization rules, see below. It is not recommended to remove items from the out-of-the-box rules. Adding items is fine
 
 ### Serialization rules
diff --git a/docs/script-catalog/authorization_challenge/AgamaChallenge.java b/docs/script-catalog/authorization_challenge/AgamaChallenge.java
index 6c272dff776..fce798a574f 100644
--- a/docs/script-catalog/authorization_challenge/AgamaChallenge.java
+++ b/docs/script-catalog/authorization_challenge/AgamaChallenge.java
@@ -97,7 +97,7 @@ private Pair<String, String> prepareFlow(String sessionId, String flowName) {
             
             if (qn != null) {
                 NativeJansFlowBridge bridge = CdiUtil.bean(NativeJansFlowBridge.class);            
-                Boolean running = bridge.prepareFlow(sessionId, qn, inputs, true);           
+                Boolean running = bridge.prepareFlow(sessionId, qn, inputs, true, null);
     
                 if (running == null) {
                     msg = "Flow " + qn + " does not exist or cannot be launched from an application";
diff --git a/docs/script-catalog/consent_gathering/AgamaConsentGathering.py b/docs/script-catalog/consent_gathering/AgamaConsentGathering.py
new file mode 100644
index 00000000000..7709dbc06c8
--- /dev/null
+++ b/docs/script-catalog/consent_gathering/AgamaConsentGathering.py
@@ -0,0 +1,145 @@
+from io.jans.agama import NativeJansFlowBridge
+from io.jans.agama.engine.misc import FlowUtils
+from io.jans.as.model.util import Base64Util
+from io.jans.as.server.authorize.ws.rs import ConsentGatheringSessionService
+from io.jans.jsf2.service import FacesService
+from io.jans.model.custom.script.type.authz import ConsentGatheringType
+from io.jans.service.cdi.util import CdiUtil
+
+import java
+import sys
+
+class ConsentGathering(ConsentGatheringType):
+
+    def __init__(self, currentTimeMillis):
+        self.currentTimeMillis = currentTimeMillis
+
+    def init(self, customScript, configurationAttributes):
+        print "Agama-Consent. Initializing ..."
+        print "Agama-Consent. Initialized successfully"
+        self.enterUrl = "agama/consent.xhtml"
+
+        return True
+
+    def destroy(self, configurationAttributes):
+        print "Agama-Consent. Destroying ..."
+        print "Agama-Consent. Destroyed successfully"
+
+        return True
+
+    def getApiVersion(self):
+        return 11
+
+    def authorize(self, step, context):
+        print "Agama-Consent. Authorizing..."
+        
+        if step == 1:
+            print "Agama-Consent. Authorize for step 1"
+            
+            try:
+                bridge = CdiUtil.bean(NativeJansFlowBridge)
+                result = bridge.close()
+
+                if result == None or not result.isSuccess():
+                    print "Agama-Consent. Flow DID NOT finished successfully"
+                    return False
+            except:
+                print "Agama-Consent. Exception: ", sys.exc_info()[1]
+                return False
+
+            return True
+
+
+    def getNextStep(self, step, context):
+        return -1
+
+    def prepareForStep(self, step, context):
+
+        if not context.isAuthenticated():
+            print "Agama-Consent. User is not authenticated"
+            return False
+
+        if not CdiUtil.bean(FlowUtils).serviceEnabled():
+            print "Agama-Consent. Please ENABLE Agama engine in auth-server configuration"
+            return False
+
+        if step == 1:
+            print "Agama-Consent. Prepare for Step 1"
+
+            cgss = CdiUtil.bean(ConsentGatheringSessionService)
+            #userDn = context.getUserDn()
+            #session = cgss.getConsentSession(context.getHttpRequest(), context.getHttpResponse(), userDn, False)
+            session = cgss.getConnectSession(context.getHttpRequest())
+            
+            if session == None:
+                print "Agama-Consent. Failed to retrieve session_id"
+                return False
+                
+            cesar = session.getSessionAttributes()
+            param = cesar.get("agama_flow")
+
+            if not param:
+                param = self.extractAgamaFlow(cesar.get("acr_values"))
+
+                if not param:
+                    print "Agama-Consent. Unable to determine the Agama flow to launch. Check the docs"
+                    return False
+            
+            (qn, ins) = self.extractParams(param)
+            if qn == None:
+                print "Agama-Consent. Unable to determine the Agama flow to launch. Check the docs"
+                return False
+                
+            try:
+                sessionId = session.getId()
+                # print "==================================== %s" % sessionId
+
+                bridge = CdiUtil.bean(NativeJansFlowBridge)
+                running = bridge.prepareFlow(sessionId, qn, ins, False, self.enterUrl)
+                
+                if running == None:
+                    print "Agama-Consent. Flow '%s' does not exist or cannot be launched from a browser!" % qn
+                    return False
+                elif running:
+                    print "Agama-Consent. A flow is already in course"
+                    
+                print "Agama-Consent. Redirecting to start/resume agama flow '%s'..." % qn
+                
+                CdiUtil.bean(FacesService).redirectToExternalURL(bridge.getTriggerUrl())
+            except:
+                print "Agama-Consent. An error occurred when launching flow '%s'. Check jans-auth logs" % qn
+                print "Agama-Consent. Exception: ", sys.exc_info()[1]
+                return False
+
+        return True
+
+    def getStepsCount(self, context):
+        return 1
+
+    def getPageForStep(self, step, context):
+        return "/" + self.enterUrl
+
+# Misc routines
+        
+    def extractAgamaFlow(self, acr):
+        prefix = "agama_"
+        if acr and acr.startswith(prefix):
+            return acr[len(prefix):]
+        return None        
+        
+    def extractParams(self, param):
+
+        # param must be of the form QN-INPUT where QN is the qualified name of the flow to launch
+        # INPUT is a base64URL-encoded JSON object that contains the arguments to use for the flow call.
+        # The keys of this object should match the already defined flow inputs. Ideally, and   
+        # depending on the actual flow implementation, some keys may not even be required 
+        # QN and INPUTS are separated by a hyphen
+        # INPUT must be properly URL-encoded when HTTP GET is used
+        
+        i = param.find("-")
+        if i == 0:
+            return (None, None)
+        elif i == -1:
+            return (param, None)
+        else:
+            return (param[:i], Base64Util.base64urldecodeToString(param[i+1:]))
\ No newline at end of file
diff --git a/docs/script-catalog/consent_gathering/consent-gathering.md b/docs/script-catalog/consent_gathering/consent-gathering.md
index 9df1b9f0fce..83423289cff 100644
--- a/docs/script-catalog/consent_gathering/consent-gathering.md
+++ b/docs/script-catalog/consent_gathering/consent-gathering.md
@@ -212,9 +212,9 @@ public class ConsentGathering implements ConsentGatheringType {
         if(step == 1) {
             return "/authz/authorize.xhtml";
         } else if (step == 2) {
-            return "return \"/authz/transaction.xhtml\"";
+            return "/authz/transaction.xhtml";
         }
         return "";
     }
 }
-```
\ No newline at end of file
+```
diff --git a/docs/script-catalog/person_authentication/agama-bridge/AgamaBridge.py b/docs/script-catalog/person_authentication/agama-bridge/AgamaBridge.py
index ebbfaa433c5..e1107602ade 100644
--- a/docs/script-catalog/person_authentication/agama-bridge/AgamaBridge.py
+++ b/docs/script-catalog/person_authentication/agama-bridge/AgamaBridge.py
@@ -37,6 +37,7 @@ def init(self, customScript, configurationAttributes):
             print "Agama. Property '%s' is missing value" % prop
             return False
 
+        self.startUrl = "agama/agama.xhtml"
         print "Agama. DB attribute '%s' will be used to map the identity of userId passed in Finish directives (if any)" % self.finish_userid_db_attr
         print "Agama. Initialized successfully"
 
@@ -144,7 +145,7 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
                 
             try:
                 bridge = CdiUtil.bean(NativeJansFlowBridge)
-                running = bridge.prepareFlow(session.getId(), qn, ins, False)
+                running = bridge.prepareFlow(session.getId(), qn, ins, False, self.startUrl)
                 
                 if running == None:
                     print "Agama. Flow '%s' does not exist or cannot be launched from a browser!" % qn
@@ -161,7 +162,7 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
                 return False
             #except java.lang.Throwable, ex:
             #    ex.printStackTrace() 
-            #    return False                
+            #    return False
             return True
         
     def getExtraParametersForStep(self, configurationAttributes, step):
@@ -171,8 +172,7 @@ def getCountAuthenticationSteps(self, configurationAttributes):
         return 1
 
     def getPageForStep(self, configurationAttributes, step):
-        # page referenced here is only used when a flow is restarted
-        return "/" + CdiUtil.bean(NativeJansFlowBridge).scriptPageUrl()
+        return "/" + self.startUrl
 
     def getNextStep(self, configurationAttributes, requestParameters, step):
         return -1
diff --git a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/NativeJansFlowBridge.java b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/NativeJansFlowBridge.java
index 439c8987227..80e5253417d 100644
--- a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/NativeJansFlowBridge.java
+++ b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/NativeJansFlowBridge.java
@@ -7,7 +7,6 @@
 import io.jans.agama.engine.service.WebContext;
 import io.jans.agama.engine.servlet.ExecutionServlet;
 import io.jans.agama.engine.script.LogUtils;
-import io.jans.agama.model.EngineConfig;
 
 import jakarta.inject.Inject;
 import jakarta.enterprise.context.RequestScoped;
@@ -27,32 +26,26 @@ public class NativeJansFlowBridge {
     @Inject
     private FlowService fs;
     
-    @Inject
-    private EngineConfig conf;
-    
     @Inject
     private WebContext webContext;
-    
-    public String scriptPageUrl() {
-        return conf.getBridgeScriptPage();
-    }
 
     public String getTriggerUrl() {
         return webContext.getContextPath() + ExecutionServlet.URL_PREFIX + 
                 "agama" + ExecutionServlet.URL_SUFFIX;       
     }
     
-    public Boolean prepareFlow(String sessionId, String qname, String jsonInput, boolean nativeClient) throws Exception {
+    public Boolean prepareFlow(String sessionId, String qname, String jsonInput, boolean nativeClient,
+                String startUrl) throws Exception {
         
         logger.info("Preparing flow '{}'", qname);
         Boolean alreadyRunning = null;
         if (aps.flowEnabled(qname)) {
-            
+
             FlowStatus st = aps.getFlowStatus(sessionId);
             alreadyRunning = st != null;
             
-            if (alreadyRunning && !st.getQname().equals(qname)) {
-                logger.warn("Flow {} is already running. Will be terminated", st.getQname());
+            if (alreadyRunning && !qname.equals(st.getQname())) {
+                logger.warn("Flow {} seems to be already running. Will be terminated", st.getQname());
                 fs.terminateFlow();
                 st = null;
             }
@@ -69,6 +62,8 @@ public Boolean prepareFlow(String sessionId, String qname, String jsonInput, boo
                 st.setJsonInput(jsonInput);
                 st.setFinishBefore(expireAt);
                 st.setNativeClient(nativeClient);
+                st.setStartUrl(startUrl);
+
                 aps.createFlowRun(sessionId, st, expireAt);
                 LogUtils.log("@w Effective timeout for this flow will be % seconds", timeout);
             }
diff --git a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/model/FlowStatus.java b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/model/FlowStatus.java
index 6592cf5037a..2dc0d30d027 100644
--- a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/model/FlowStatus.java
+++ b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/model/FlowStatus.java
@@ -25,6 +25,7 @@ public class FlowStatus {
     private String externalRedirectUrl;
     private boolean allowCallbackResume;
     private String jsonInput;
+    private String startUrl;
     
     private FlowResult result;
 
@@ -116,4 +117,12 @@ public void setJsonInput(String jsonInput) {
         this.jsonInput = jsonInput;
     }
 
+    public String getStartUrl() {
+        return startUrl;
+    }
+
+    public void setStartUrl(String startUrl) {
+        this.startUrl = startUrl;
+    }
+
 }
diff --git a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/service/AgamaPersistenceService.java b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/service/AgamaPersistenceService.java
index 659a6de7da5..66e328c911a 100644
--- a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/service/AgamaPersistenceService.java
+++ b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/service/AgamaPersistenceService.java
@@ -218,6 +218,7 @@ public void finishFlow(String sessionId, FlowResult result) throws IOException {
             status.setTemplatePath(null);
             status.setTemplateDataModel(null);
             status.setExternalRedirectUrl(null);
+            status.setStartUrl(null);
 
             run.setEncodedContinuation(null);
             run.setHash(null);
diff --git a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/ExecutionServlet.java b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/ExecutionServlet.java
index f6a91b240df..80ab3019889 100644
--- a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/ExecutionServlet.java
+++ b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/ExecutionServlet.java
@@ -8,6 +8,7 @@
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.HttpMethod;
 import java.io.IOException;
+import java.util.*;
 import java.util.stream.Collectors;
 
 import io.jans.agama.engine.exception.FlowCrashException;
@@ -26,6 +27,8 @@ public class ExecutionServlet extends BaseServlet {
     public static final String URL_PREFIX = "/fl/";
     public static final String CALLBACK_PATH = URL_PREFIX + "callback";
     public static final String ABORT_PARAM = "_abort";
+    
+    private static final String POST_FINISH_URL_KEY = "post_finish_url";
 
     private static final String NO_ACTIVE_FLOW = "This flow may have already finished/timed out. " +
             "Login again to the website you were trying to access originally.";
@@ -55,7 +58,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
                 if (result == null) {
                     sendRedirect(response, request.getContextPath(), fstatus, true);
                 } else {
-                    sendFinishPage(response, result);
+                    sendFinishPage(response, result, fstatus.isNativeClient() ? null : fstatus.getStartUrl());
                 }
             } catch (FlowCrashException e) {
                 logger.error(e.getMessage(), e);
@@ -156,7 +159,7 @@ private void continueFlow(HttpServletResponse response, FlowStatus fstatus, bool
                 sendRedirect(response, request.getContextPath(), fstatus,
                         request.getMethod().equals(HttpMethod.GET));
             } else {                    
-                sendFinishPage(response, result);
+                sendFinishPage(response, result, fstatus.isNativeClient() ? null : fstatus.getStartUrl());
             }
             
         } catch (FlowTimeoutException te) {
@@ -204,13 +207,26 @@ private void sendRedirect(HttpServletResponse response, String contextPath, Flow
             response.setHeader(HttpHeaders.LOCATION, newLocation);
             response.setStatus(HttpServletResponse.SC_SEE_OTHER);
         }
-        
+
     }
 
-    private void sendFinishPage(HttpServletResponse response, FlowResult result) throws IOException {
+    private void sendFinishPage(HttpServletResponse response, FlowResult result,
+                String startUrl) throws IOException {
 
         String fpage = isJsonRequest() ? engineConf.getJsonFinishedFlowPage() : 
                 engineConf.getFinishedFlowPage();
+
+        if (startUrl != null) {            
+            Map<String, Object> map = Collections.singletonMap(POST_FINISH_URL_KEY,
+                    engineConf.getStartEndUrlMapping().get(startUrl));
+
+            if (result.getData() == null) {
+                result.setData(map);
+            } else {
+                result.getData().putAll(map);
+            }
+        }
+
         page.setTemplatePath(fpage);
         page.setDataModel(result);
         sendPageContents(response);
diff --git a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/RestartServlet.java b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/RestartServlet.java
index 0313778ea58..964528d82e9 100644
--- a/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/RestartServlet.java
+++ b/jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/servlet/RestartServlet.java
@@ -37,27 +37,31 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         try {
             FlowStatus st = flowService.getRunningFlowStatus();
 
-            if (st == null || st.getStartedAt() == FlowStatus.FINISHED) {
-                //If flow exists, ensure it is not about to be collected by cleaner job
+            if (st == null || st.getStartedAt() == FlowStatus.FINISHED)
                 throw new IOException("No flow to restart");
-            } else {
-                
-                try {
-                    flowService.ensureTimeNotExceeded(st);
-                    flowService.terminateFlow();
 
-                    logger.debug("Sending user's browser for a flow start");
-                    //This redirection relies on the (unauthenticated) session id being still alive 
-                    //(so the flow name and its inputs can be remembered in the bridge script)
-                    //see AgamaBridge.py#prepareForStep
-                    String url = bridge.scriptPageUrl().replaceFirst("\\.xhtml", ".htm");
-                    response.sendRedirect(request.getContextPath() + "/" + url);
+            try {
+                //If flow exists, ensure it is not about to be collected by cleaner job
+                flowService.ensureTimeNotExceeded(st);
+                flowService.terminateFlow();
+                logger.debug("Sending user's browser for a flow start");
 
-                } catch (FlowTimeoutException e) {
-                    sendFlowTimeout(response, e.getMessage());
+                //This redirection relies on the (unauthenticated) sessionId being still alive 
+                //(so the flow name and its inputs can be remembered in the script). See
+                //for instance AgamaBridge.py#prepareForStep or AgamaConsent.py#prepareForStep
+                String url = st.getStartUrl();
+                if (url == null) {
+                    logger.warn("Check the Engine's config startEndUrlMapping");
+                    throw new IOException("Unknown end url for " + url);
                 }
-                
+
+                url = url.replaceFirst("\\.xhtml", ".htm");
+                response.sendRedirect(request.getContextPath() + "/" + url);
+
+            } catch (FlowTimeoutException e) {
+                sendFlowTimeout(response, e.getMessage());
             }
+             
         } catch (IOException e) {
             sendFlowCrashed(response, e.getMessage());
         }
diff --git a/jans-auth-server/agama/model/src/main/java/io/jans/agama/model/EngineConfig.java b/jans-auth-server/agama/model/src/main/java/io/jans/agama/model/EngineConfig.java
index f66f8ece215..f8b7dc7ab0f 100644
--- a/jans-auth-server/agama/model/src/main/java/io/jans/agama/model/EngineConfig.java
+++ b/jans-auth-server/agama/model/src/main/java/io/jans/agama/model/EngineConfig.java
@@ -24,14 +24,12 @@ public class EngineConfig {
     //transpiled code hash verification. Boolean preferred over boolean because it helps to keep the property "hidden"
     private Boolean disableTCHV;
 
-    private String pageMismatchErrorPage = "mismatch.ftl";
-    private String interruptionErrorPage = "timeout.ftl";
-    private String crashErrorPage = "crash.ftl";
-    private String finishedFlowPage = "finished.ftl";
-    
-    //relative to https://.../jans-auth
-    private String bridgeScriptPage = "agama.xhtml";
+    private String pageMismatchErrorPage;
+    private String interruptionErrorPage;
+    private String crashErrorPage;
+    private String finishedFlowPage;
     
+    private Map<String, String> startEndUrlMapping;
     private Map<String, List<String>> serializeRules;
 
     private Map<String, String> defaultResponseHeaders = Map.of(
@@ -126,14 +124,6 @@ public void setFinishedFlowPage(String finishedFlowPage) {
         this.finishedFlowPage = finishedFlowPage;
     }
 
-    public String getBridgeScriptPage() {
-        return bridgeScriptPage;
-    }
-
-    public void setBridgeScriptPage(String bridgeScriptPage) {
-        this.bridgeScriptPage = bridgeScriptPage;
-    }
-
     public Map<String, String> getDefaultResponseHeaders() {
         return defaultResponseHeaders;
     }
@@ -141,7 +131,15 @@ public Map<String, String> getDefaultResponseHeaders() {
     public void setDefaultResponseHeaders(Map<String, String> defaultResponseHeaders) {
         this.defaultResponseHeaders = defaultResponseHeaders;
     }
+    
+    public Map<String, String> getStartEndUrlMapping() {
+        return startEndUrlMapping;
+    }
 
+    public void setStartEndUrlMapping(Map<String, String> startEndUrlMapping) {
+        this.startEndUrlMapping = startEndUrlMapping;
+    }
+   
     public Map<String, List<String>> getSerializeRules() {
         return serializeRules;
     }
diff --git a/jans-auth-server/server/conf/jans-config.json b/jans-auth-server/server/conf/jans-config.json
index 1c50a375ba0..2489526fac9 100644
--- a/jans-auth-server/server/conf/jans-config.json
+++ b/jans-auth-server/server/conf/jans-config.json
@@ -519,7 +519,7 @@
         "interruptionErrorPage": "timeout.ftlh",
         "crashErrorPage": "crash.ftlh",
         "finishedFlowPage": "finished.ftlh",
-        "bridgeScriptPage": "agama.xhtml",
+        "startEndUrlMapping": { "agama/agama.xhtml": "postlogin.htm", "agama/consent.xhtml": "agama/consent_authorize.htm" },
         "defaultResponseHeaders": {
             "Cache-Control": "max-age=0, no-store"
         },
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/util/AgamaConsentUtil.java b/jans-auth-server/server/src/main/java/io/jans/as/server/util/AgamaConsentUtil.java
new file mode 100644
index 00000000000..0203be33645
--- /dev/null
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/util/AgamaConsentUtil.java
@@ -0,0 +1,56 @@
+package io.jans.as.server.util;
+
+import io.jans.as.common.model.common.User;
+import io.jans.as.common.model.registration.Client;
+import io.jans.as.persistence.model.Scope;
+import io.jans.as.server.authorize.ws.rs.ConsentGatheringSessionService;
+import io.jans.as.server.service.*;
+import io.jans.as.common.model.session.SessionId;
+import io.jans.service.cdi.util.CdiUtil;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.servlet.http.HttpServletRequest;
+import java.util.*;
+
+/**
+ * An utilitarian class for developers writing Agama Consent flows
+ */
+@ApplicationScoped
+public class AgamaConsentUtil {
+    
+    @Inject
+    private ConsentGatheringSessionService cgss;
+    
+    @Inject
+    private AuthorizeService as;
+    
+    @Inject
+    private SessionIdService sis;
+
+    public Map<String, String> getSessionAttributes() {
+        return getSessionId().getSessionAttributes();
+    }
+    
+    public Client getClient() {
+         return cgss.getClient(getSessionId());
+    }
+    
+    public List<Scope> getScopes() {
+        String scope = getSessionAttributes().get("scope");
+        return Optional.ofNullable(scope).map(as::getScopes).orElse(Collections.emptyList()); 
+    }
+    
+    public User getUser() {
+        return sis.getUser(getSessionId());
+    }
+    
+    private SessionId getSessionId() {
+        return sis.getSessionId(getServletRequest());
+    }
+    
+    private HttpServletRequest getServletRequest() {
+        return CdiUtil.bean(HttpServletRequest.class);
+    }
+    
+}
diff --git a/jans-auth-server/server/src/main/webapp/agama.xhtml b/jans-auth-server/server/src/main/webapp/agama/agama.xhtml
similarity index 100%
rename from jans-auth-server/server/src/main/webapp/agama.xhtml
rename to jans-auth-server/server/src/main/webapp/agama/agama.xhtml
diff --git a/jans-auth-server/server/src/main/webapp/agama/consent.xhtml b/jans-auth-server/server/src/main/webapp/agama/consent.xhtml
new file mode 100644
index 00000000000..c87e0bce8d8
--- /dev/null
+++ b/jans-auth-server/server/src/main/webapp/agama/consent.xhtml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<f:view transient="true" xmlns:f="http://xmlns.jcp.org/jsf/core">
+	<f:metadata>
+		<f:viewAction action="#{consentGatherer.prepareForStep}" />
+	</f:metadata>
+</f:view>
diff --git a/jans-auth-server/server/src/main/webapp/agama/consent_authorize.xhtml b/jans-auth-server/server/src/main/webapp/agama/consent_authorize.xhtml
new file mode 100644
index 00000000000..daba0935069
--- /dev/null
+++ b/jans-auth-server/server/src/main/webapp/agama/consent_authorize.xhtml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<f:view transient="true" xmlns:f="http://xmlns.jcp.org/jsf/core">
+	<f:metadata>
+		<f:viewAction action="#{consentGatherer.authorize}" />
+	</f:metadata>
+</f:view>
diff --git a/jans-cedarling/cedarling-krakend/README.md b/jans-cedarling/cedarling-krakend/README.md
new file mode 100644
index 00000000000..570759a7104
--- /dev/null
+++ b/jans-cedarling/cedarling-krakend/README.md
@@ -0,0 +1,137 @@
+# Cedarling KrakenD Plugin
+
+This is a [KrakenD HTTP server plugin](https://www.krakend.io/docs/extending/http-server-plugins/) that intercepts a call to a selected endpoint, calls the [sidecar](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/flask-sidecar/README.md) and allows access only if the sidecar responds with `true`.
+
+## Functionality
+
+When an end user calls the KrakenD endpoint protected by the plugin, the following steps happen:
+
+1. The plugin intercepts the call, and creates an [AuthZen](https://openid.github.io/authzen/) access evaluation request.
+2. The plugin sends the request to the sidecar, which is running on the same host as KrakenD
+3. The sidecar calls cedarling's `authz()` interface to check if this call is allowed or not according to the policy store loaded
+4. The sidecar responds back to the plugin. If the decision was `true`, the plugin allows the request to pass through to the KrakenD backend. Otherwise, it responds with 403 Forbidden.
+
+[Sequence Diagram](https://sequencediagram.org/index.html#initialData=C4S2BsFMAIGFICYEMBO4QDsDm0DSKkBrSDAEWgAdwBXLTAKACMB7YYZgWwtVAGMRuGYAGdo9etxR8BSIXHQlgEniH6DgeAsTLKpqmXIDKIBJF6pd09XESp02cbAVCAtAD58REqQBc0AOIAogAq0AD0FCisZsCIADoY0C4AEtAARACC1MAAFswoIABeSKDMGH4AQpCokCjQADwAUgDqwW5p9J7apO7GpuYofgDeacLUjABWMWk+I8AAnhSQM2ktwWkANAlpJiu8tmiYWJvbkcxLepDCMyNIvPvCwgD67NorTa3tAL5fWxhpKCuzGoKH2NzSCyWK0asmEPh8yWCwQACk8AEqQACO1CuwBO-12PlGnEgT12GzSZwuoCu4Jy1VMKBuv22IPAdOYwjxRIAjAAmADsADoAAyioU8zaUko5FYRKKxXixBD4ykK5i8Zjsok5NgUNI-Fn-O6lf6zNIYJAcZZEmEYOE+DJKkBleFxNJBYLug1feh9MyodzwZCHbB+JDZHKFAAUdwez1eJAAvB82n9AcJgaDIEmhXm-iaXRhc3mAJT0JDgDTAFA4+jBuxHXomAODaA1uv+gbuLreYZpfogYRFmbt2uQX29shB5zAftnRXKskYABmzFHO1X699kHAwhgK8r+-rB3sWGb-VQfkPe8gfpb3Y8Wj70BGg+HZVHN-3k+f07cTggIofgACwigAzNAABi+SMCYpgYPQJAIEAA)
+
+## Downloading
+
+The cedarling-krakend plugin builds are available via [Janssen](https://github.com/JanssenProject/jans/releases) releases. Please note that builds are architecture, platform, and KrakenD version specific. This means that builds compiled against KrakenD version `2.9.0` will not work on other versions. The build tags are formatted as follows:
+
+```
+cedarling-krakend-<architecture>-<krakend version and platform>-<Janssen version>.so 
+```
+
+Use the following table to find which build you need:
+
+|   | amd64 | arm64 |
+| - | ----- | ----- |
+| Docker | `amd64-builder-2.9.0-0.0.0.so` | `arm64-builder-2.9.0-0.0.0.so` |
+| On-premise | `amd64-builder-2.9.0-linux-generic-0.0.0.so` | `arm64-builder-2.9.0-linux-generic-0.0.0.so` |
+
+If you are running a different version of KrakenD, you can use the following steps to build the plugin yourself.
+
+## Building
+
+Krakend recommends building via their builder docker image, to produce builds that match the target architecture and Go version. To build:
+
+- Clone the Janssen repository
+    ```
+    git clone --filter blob:none --no-checkout https://github.com/JanssenProject/jans
+    cd jans
+    git sparse-checkout init --cone
+    git checkout main
+    git sparse-checkout set jans-cedarling 
+    cd cedarling-krakend
+    ```
+- Build the plugin, replacing `<x.y.z>` with the KrakenD version you want to build against: 
+    
+    - For Docker targets:
+
+    ```
+    docker run -it -v "$PWD:/app" -w /app krakend/builder:<x.y.z> go build -buildmode=plugin -o cedarling-krakend.so .
+    ```
+
+    - For on-premise installations:
+
+    ```
+    docker run -it -v "$PWD:/app" -w /app krakend/builder:<x.y.z>-linux-generic go build -buildmode=plugin -o yourplugin.so .
+    ```
+
+    - For ARM64 Docker targets:
+
+    ```bash
+    docker run -it -v "$PWD:/app" -w /app \
+        -e "CGO_ENABLED=1" \
+        -e "CC=aarch64-linux-musl-gcc" \
+        -e "GOARCH=arm64" \
+        -e "GOHOSTARCH=amd64" \
+        krakend/builder:<x.y.z> \
+        go build -ldflags='-extldflags=-fuse-ld=bfd -extld=aarch64-linux-musl-gcc' \
+        -buildmode=plugin -o yourplugin.so .
+    ```
+
+    - For ARM64 on-premise installs:
+
+    ```bash
+    docker run -it -v "$PWD:/app" -w /app \
+        -e "CGO_ENABLED=1" \
+        -e "CC=aarch64-linux-gnu-gcc" \
+        -e "GOARCH=arm64" \
+        -e "GOHOSTARCH=amd64" \
+        krakend/builder:<x.y.z>-linux-generic \
+        go build -ldflags='-extldflags=-fuse-ld=bfd -extld=aarch64-linux-gnu-gcc' \
+        -buildmode=plugin -o yourplugin.so .
+    ```
+
+Check [KrakenD documentation](https://www.krakend.io/docs/extending/injecting-plugins/) on how to load plugins.
+
+## Prerequisites for testing
+
+To test the plugin, you will need:
+
+- A cedarling policy store with a policy for our gateway. To create this, please follow [these](https://github.com/JanssenProject/jans/wiki/Cedarling-Hello-World-%5BWIP%5D#setup-policy-store) steps.
+- An instance of the cedarling sidecar, using the policy store mentioned above. Please follow [these](https://github.com/JanssenProject/jans/wiki/Cedarling-Hello-World-%5BWIP%5D#setup-sidecar) steps. 
+- For our demo, we will use this sample policy as outlined in the instructions:
+    ```
+    @id("allow_one")
+    permit(
+        principal is gatewayDemo::Workload,
+        action == gatewayDemo::Action::"GET",
+        resource is gatewayDemo::HTTP_Request
+    )
+    when {
+        (principal["client_id"]) == "d7f71bea-c38d-4caf-a1ba-e43c74a11a62"
+    };
+    ```
+- A [KrakenD server installation](https://www.krakend.io/docs/overview/installing/). For development purposes, the binary install is recommended. For production setups, the Docker method is recommended.
+- The plugin `.so` file for your architecture. For Mac OS hosts, ARM64 is required.
+- A configuration file. Sample configuration is provided in [krakend.json](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/cedarling-krakend/krakend.json).
+
+## Configuration
+
+See [krakend.json](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/cedarling-krakend/krakend.json) to see an example KrakenD configuration which loads the plugin. The following table describes the plugin-specific configuration keys. These keys are mandatory and must be provided. Additional configuration is described in [KrakenD documentation](https://www.krakend.io/docs/configuration/structure/).
+
+The `namespace` field in the configuration needs to be the cedar namespace you used when creating the policy store. By default, Agama Lab sets the namespace to the name of the policy store. If you are following the demo, this value is `gatewayDemo`.
+
+| Field | Type | Example | Description |
+|-------|------|---------|-------------|
+| path   | String  | /protected | KrakenD endpoint to protect |
+| sidecar_endpoint | String | http://127.0.0.1:5000/cedarling/evaluation | Sidecar evaluation URL |
+| namespace | String | gatewayDemo | Cedar namespace being used by the sidecar |
+
+## Running
+
+1. Start the cedarling sidecar. The sample config expects the sidecar to be running on port 5000
+2. Place `krakend.json` and the plugin `.so` file in your current working directory
+2. Run the KrakenD server: `krakend run -c krakend.json`
+3. KrakenD is running on `http://127.0.0.1:8080`
+4. Test with no authentication: `curl http://127.0.0.1:8080/protected`. You should get a 403 Forbidden
+5. Test with authentication:
+
+```bash
+ACCESS_TOKEN=eyJraWQiOiJjb25uZWN0X2Y5YTAwN2EyLTZkMGItNDkyYS05MGNkLWYwYzliMWMyYjVkYl9zaWdfcnMyNTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJxenhuMVNjcmI5bFd0R3hWZWRNQ2t5LVFsX0lMc3BaYVFBNmZ5dVlrdHcwIiwiY29kZSI6IjNlMmEyMDEyLTA5OWMtNDY0Zi04OTBiLTQ0ODE2MGMyYWIyNSIsImlzcyI6Imh0dHBzOi8vYWNjb3VudC5nbHV1Lm9yZyIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJjbGllbnRfaWQiOiJkN2Y3MWJlYS1jMzhkLTRjYWYtYTFiYS1lNDNjNzRhMTFhNjIiLCJhdWQiOiJkN2Y3MWJlYS1jMzhkLTRjYWYtYTFiYS1lNDNjNzRhMTFhNjIiLCJhY3IiOiJzaW1wbGVfcGFzc3dvcmRfYXV0aCIsIng1dCNTMjU2IjoiIiwibmJmIjoxNzMxOTUzMDMwLCJzY29wZSI6WyJyb2xlIiwib3BlbmlkIiwicHJvZmlsZSIsImVtYWlsIl0sImF1dGhfdGltZSI6MTczMTk1MzAyNywiZXhwIjoxNzMyMTIxNDYwLCJpYXQiOjE3MzE5NTMwMzAsImp0aSI6InVaVWgxaERVUW82UEZrQlBud3BHemciLCJ1c2VybmFtZSI6IkRlZmF1bHQgQWRtaW4gVXNlciIsInN0YXR1cyI6eyJzdGF0dXNfbGlzdCI6eyJpZHgiOjMwNiwidXJpIjoiaHR0cHM6Ly9qYW5zLnRlc3QvamFucy1hdXRoL3Jlc3R2MS9zdGF0dXNfbGlzdCJ9fX0.Pt-Y7F-hfde_WP7ZYwyvvSS11rKYQWGZXTzjH_aJKC5VPxzOjAXqI3Igr6gJLsP1aOd9WJvOPchflZYArctopXMWClbX_TxpmADqyCMsz78r4P450TaMKj-WKEa9cL5KtgnFa0fmhZ1ZWolkDTQ_M00Xr4EIvv4zf-92Wu5fOrdjmsIGFot0jt-12WxQlJFfs5qVZ9P-cDjxvQSrO1wbyKfHQ_txkl1GDATXsw5SIpC5wct92vjAVm5CJNuv_PE8dHAY-KfPTxOuDYBuWI5uA2Yjd1WUFyicbJgcmYzUSVt03xZ0kQX9dxKExwU2YnpDorfwebaAPO7G114Bkw208g
+
+curl http://127.0.0.1:8080/protected -H "Authorization: Bearer $ACCESS_TOKEN"
+```
+
+KrakenD is configured to respond with the health check response if authentication succeeds. 
diff --git a/jans-cedarling/cedarling-krakend/go.mod b/jans-cedarling/cedarling-krakend/go.mod
new file mode 100644
index 00000000000..68799e0302a
--- /dev/null
+++ b/jans-cedarling/cedarling-krakend/go.mod
@@ -0,0 +1,3 @@
+module cedarling-krakend
+
+go 1.22.9
diff --git a/jans-cedarling/cedarling-krakend/krakend.json b/jans-cedarling/cedarling-krakend/krakend.json
new file mode 100644
index 00000000000..421eb86ff93
--- /dev/null
+++ b/jans-cedarling/cedarling-krakend/krakend.json
@@ -0,0 +1,43 @@
+{
+    "version": 3,
+    "plugin": {
+        "pattern": ".so",
+        "folder": "./"
+    },
+    "endpoints": [
+        {
+            "endpoint": "/test/{id}",
+            "backend": [
+                {
+                    "host": [
+                        "http://localhost:8080"
+                    ],
+                    "url_pattern": "/__health"
+                }
+            ]
+        },
+        {
+            "endpoint": "/protected",
+            "backend": [
+                {
+                    "host": [
+                        "http://localhost:8080"
+                    ],
+                    "url_pattern": "/__health"
+                }
+            ]
+        }
+    ],
+    "extra_config": {
+        "plugin/http-server": {
+            "name": [
+                "cedarling-krakend"
+            ],
+            "cedarling-krakend": {
+                "path": "/protected",
+                "sidecar_endpoint": "http://127.0.0.1:5000/cedarling/evaluation",
+                "namespace": "gatewayDemo"
+            }
+        }
+    }
+}
diff --git a/jans-cedarling/cedarling-krakend/main.go b/jans-cedarling/cedarling-krakend/main.go
new file mode 100644
index 00000000000..a1f0b54261a
--- /dev/null
+++ b/jans-cedarling/cedarling-krakend/main.go
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"html"
+	"io"
+	"net/http"
+	"strings"
+)
+
+// pluginName is the plugin name
+var pluginName = "cedarling-krakend"
+
+// HandlerRegisterer is the symbol the plugin loader will try to load. It must implement the Registerer interface
+var HandlerRegisterer = registerer(pluginName)
+
+func (r registerer) RegisterHandlers(f func(name string, handler func(context.Context, map[string]interface{}, http.Handler) (http.Handler, error))) {
+	f(string(r), r.registerHandlers)
+}
+
+func createPayload(req *http.Request, namespace string) AuthZenPayload {
+	bearer := req.Header.Get("Authorization")
+	split_bearer := strings.Split(bearer, " ")
+	token := split_bearer[1]
+	var subject_properties = map[string]string{}
+	subject_properties["access_token"] = token
+	resource_properties := map[string]map[string]string{}
+	resource_properties["header"] = map[string]string{}
+	resource_properties["url"] = map[string]string{}
+	resource_properties["url"]["host"] = req.Host
+	resource_properties["url"]["path"] = req.URL.Path
+	resource_properties["url"]["protocol"] = "http"
+	payload := AuthZenPayload{
+		Subject: Subject{
+			Type:       "JWT",
+			Id:         "cedarling",
+			Properties: subject_properties,
+		},
+		Resource: Resource{
+			Type:       fmt.Sprintf("%s::HTTP_Request", namespace),
+			Id:         "some_id",
+			Properties: resource_properties,
+		},
+		Action: Action{
+			Name: fmt.Sprintf("%s::Action::\"%s\"", namespace, req.Method),
+		},
+	}
+	return payload
+}
+
+func (r registerer) registerHandlers(_ context.Context, extra map[string]interface{}, h http.Handler) (http.Handler, error) {
+	// If the plugin requires some configuration, it should be under the name of the plugin. E.g.:
+	/*
+	   "extra_config":{
+	       "plugin/http-server":{
+	           "name":["krakend-server-example"],
+	           "krakend-server-example":{
+	               "path": "/some-path"
+	           }
+	       }
+	   }
+	*/
+	// The config variable contains all the keys you have defined in the configuration
+	// if the key doesn't exists or is not a map the plugin returns an error and the default handler
+	config, ok := extra[pluginName].(map[string]interface{})
+	if !ok {
+		return h, errors.New("configuration not found")
+	}
+
+	// The plugin will look for this path:
+	path, ok := config["path"].(string)
+	if !ok {
+		return h, errors.New("No path provided")
+	}
+	sidecar_endpoint, ok := config["sidecar_endpoint"].(string)
+	if !ok {
+		return h, errors.New("No sidecar endpoint provided")
+	}
+	namespace, ok := config["namespace"].(string)
+	if !ok {
+		return h, errors.New("No cedar namespace provided")
+	}
+	logger.Debug(fmt.Sprintf("The plugin is now protecting %s\n", path))
+
+	customHandler := func(w http.ResponseWriter, req *http.Request) {
+
+		// If the requested path is not what we defined, continue.
+		if req.URL.Path != path {
+			h.ServeHTTP(w, req)
+		}
+
+		// The path has to be hijacked:
+		if req.Header.Get("Authorization") == "" {
+			http.Error(w, "Authorization not found", http.StatusForbidden)
+		} else {
+			payload := createPayload(req, namespace)
+			body_bytes, _ := json.Marshal(payload)
+			response, err := http.Post(sidecar_endpoint, "application/json", bytes.NewReader(body_bytes))
+			if err != nil {
+				logger.Warning(err)
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
+			defer response.Body.Close()
+			response_bytes, err := io.ReadAll(response.Body)
+			if err != nil {
+				logger.Warning(err)
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
+			var response_json AuthzenResponse
+			json.Unmarshal(response_bytes, &response_json)
+			if response_json.Decision == true {
+				h.ServeHTTP(w, req)
+			} else {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+			}
+		}
+		logger.Debug("request:", html.EscapeString(req.URL.Path))
+	}
+	return http.HandlerFunc(customHandler), nil
+}
+
+func main() {}
+
+// This logger is replaced by the RegisterLogger method to load the one from KrakenD
+var logger Logger = noopLogger{}
+
+func (registerer) RegisterLogger(v interface{}) {
+	l, ok := v.(Logger)
+	if !ok {
+		return
+	}
+	logger = l
+	logger.Debug(fmt.Sprintf("[PLUGIN: %s] Logger loaded", HandlerRegisterer))
+}
+
+type Logger interface {
+	Debug(v ...interface{})
+	Info(v ...interface{})
+	Warning(v ...interface{})
+	Error(v ...interface{})
+	Critical(v ...interface{})
+	Fatal(v ...interface{})
+}
+
+// Empty logger implementation
+type noopLogger struct{}
+
+func (n noopLogger) Debug(_ ...interface{})    {}
+func (n noopLogger) Info(_ ...interface{})     {}
+func (n noopLogger) Warning(_ ...interface{})  {}
+func (n noopLogger) Error(_ ...interface{})    {}
+func (n noopLogger) Critical(_ ...interface{}) {}
+func (n noopLogger) Fatal(_ ...interface{})    {}
diff --git a/jans-cedarling/cedarling-krakend/types.go b/jans-cedarling/cedarling-krakend/types.go
new file mode 100644
index 00000000000..d7953889241
--- /dev/null
+++ b/jans-cedarling/cedarling-krakend/types.go
@@ -0,0 +1,30 @@
+package main
+
+type registerer string
+
+type Subject struct {
+	Type       string            `json:"type"`
+	Id         string            `json:"id"`
+	Properties map[string]string `json:"properties,omitempty"`
+}
+type Resource struct {
+	Type       string                       `json:"type"`
+	Id         string                       `json:"id"`
+	Properties map[string]map[string]string `json:"properties,omitempty"`
+}
+
+type Action struct {
+	Name       string            `json:"name"`
+	Properties map[string]string `json:"properties,omitempty"`
+}
+
+type AuthZenPayload struct {
+	Subject  Subject           `json:"subject"`
+	Resource Resource          `json:"resource"`
+	Action   Action            `json:"action"`
+	Context  map[string]string `json:"context,omitempty"`
+}
+
+type AuthzenResponse struct {
+	Decision bool `json:"decision"`
+}
diff --git a/jans-cli-tui/cli_tui/plugins/140_config_api/main.py b/jans-cli-tui/cli_tui/plugins/140_config_api/main.py
index a066e2b1a80..b80b7f3b9d9 100755
--- a/jans-cli-tui/cli_tui/plugins/140_config_api/main.py
+++ b/jans-cli-tui/cli_tui/plugins/140_config_api/main.py
@@ -5,6 +5,7 @@
 from functools import partial
 
 import prompt_toolkit
+from prompt_toolkit.layout import ScrollablePane
 from prompt_toolkit.layout.containers import HSplit, DynamicContainer, VSplit, Window, HorizontalAlign
 from prompt_toolkit.formatted_text import HTML
 from prompt_toolkit.layout.dimension import D
@@ -99,7 +100,7 @@ def do_add_acr(dialog):
                         add_handler=add_acr_validation
                         )
 
-        self.tabs['main_'] = HSplit([
+        self.tabs['main_'] = ScrollablePane(content=HSplit([
 
                         self.app.getTitledText(
                             _("Maximum Number of Result Per Page"),
@@ -204,6 +205,7 @@ def do_add_acr(dialog):
                     ],
                     width=D(),
                     )
+                , height=D(), display_arrows=False, show_scrollbar=True)
 
         self.agama_configuration_mandatory_attributes_widget = JansLabelWidget(
                         title = _("Mandatory Attributes"),
@@ -657,9 +659,8 @@ def get_cur_data_patch_path(items):
                 cur_data = cur_data[pprop]
             return cur_data, '/'.join(items_)
 
-
         changes = []
-        new_data = self.make_data_from_dialog(tabs={'main_': self.tabs['main_']})
+        new_data = self.make_data_from_dialog(tabs={'main_': self.tabs['main_'].content})
 
         replace = 'replace'
         add = 'add'
diff --git a/jans-linux-setup/jans_setup/templates/jans-auth/jans-auth-config.json b/jans-linux-setup/jans_setup/templates/jans-auth/jans-auth-config.json
index 8ad8b20d5d5..2c948e64074 100644
--- a/jans-linux-setup/jans_setup/templates/jans-auth/jans-auth-config.json
+++ b/jans-linux-setup/jans_setup/templates/jans-auth/jans-auth-config.json
@@ -570,7 +570,7 @@
         "interruptionErrorPage": "timeout.ftlh",
         "crashErrorPage": "crash.ftlh",
         "finishedFlowPage": "finished.ftlh",
-        "bridgeScriptPage": "agama.xhtml",
+        "startEndUrlMapping": { "agama/agama.xhtml": "postlogin.htm", "agama/consent.xhtml": "agama/consent_authorize.htm" },
         "defaultResponseHeaders": {
             "Cache-Control": "max-age=0, no-store"
         },
diff --git a/jans-linux-setup/jans_setup/templates/scripts.ldif b/jans-linux-setup/jans_setup/templates/scripts.ldif
index a3c926ae360..df45a35ce66 100644
--- a/jans-linux-setup/jans_setup/templates/scripts.ldif
+++ b/jans-linux-setup/jans_setup/templates/scripts.ldif
@@ -437,6 +437,20 @@ objectClass: jansCustomScr
 jansEnabled: false
 jansProgLng: python
 
+dn: inum=BADA-DAD1,ou=scripts,o=jans
+description: Agama Consent Gathering script
+displayName: agama_consent
+inum: BADA-DAD1
+jansLevel: 10
+jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
+jansRevision: 1
+jansScr::%(consent_gathering_agamaconsentgathering)s
+jansScrTyp: consent_gathering
+objectClass: top
+objectClass: jansCustomScr
+jansEnabled: false
+jansProgLng: python
+
 dn: inum=8AF7.D82A,ou=scripts,o=jans
 displayName: persistence_extension
 inum: 8AF7.D82A
diff --git a/mkdocs.yml b/mkdocs.yml
index 1f91f74db38..d42a5345311 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -412,7 +412,9 @@ nav:
   - JWT: 'cedarling/cedarling-jwt.md'
   - Logs: 'cedarling/cedarling-logs.md'
   - Properties: 'cedarling/cedarling-properties.md'
-  - Sidecar: 'cedarling/cedarling-sidecar.md'
+  - Sidecar: 
+      - cedarling/cedarling-sidecar.md
+      - KrakenD Plugin: cedarling/cedarling-krakend.md
   - Python:
       - cedarling/python/README.md
       - How to use: cedarling/python/usage.md