feat: enhance BearerKeyDaoImpl to handle migration and caching behavior for bearer keys (#507 )

Add HTTP/HTTPS proxy configuration and environment variable support (#506 )
feat: add bearer authentication key management with migration support (#503 )
2025-12-24 02:39:19 -05:00 · 2025-12-14 20:40:57 +08:00 · 2025-12-14 15:44:44 +08:00 · 2025-12-13 16:46:58 +08:00 · 2025-12-12 14:50:18 +08:00 · 2025-12-11 17:42:50 +08:00
44 changed files with 3627 additions and 421 deletions
--- a/frontend/src/components/GroupImportForm.tsx
+++ b/frontend/src/components/GroupImportForm.tsx
@@ -0,0 +1,284 @@
+import React, { useState } from 'react';
+import { useTranslation } from 'react-i18next';
+import { apiPost } from '@/utils/fetchInterceptor';
+
+interface GroupImportFormProps {
+  onSuccess: () => void;
+  onCancel: () => void;
+}
+
+interface ImportGroupConfig {
+  name: string;
+  description?: string;
+  servers?: string[] | Array<{ name: string; tools?: string[] | 'all' }>;
+}
+
+interface ImportJsonFormat {
+  groups: ImportGroupConfig[];
+}
+
+const GroupImportForm: React.FC<GroupImportFormProps> = ({ onSuccess, onCancel }) => {
+  const { t } = useTranslation();
+  const [jsonInput, setJsonInput] = useState('');
+  const [error, setError] = useState<string | null>(null);
+  const [isImporting, setIsImporting] = useState(false);
+  const [previewGroups, setPreviewGroups] = useState<ImportGroupConfig[] | null>(null);
+
+  const examplePlaceholder = `{
+  "groups": [
+    {
+      "name": "AI Assistants",
+      "servers": ["openai-server", "anthropic-server"]
+    },
+    {
+      "name": "Development Tools",
+      "servers": [
+        {
+          "name": "github-server",
+          "tools": ["create_issue", "list_repos"]
+        },
+        {
+          "name": "gitlab-server",
+          "tools": "all"
+        }
+      ]
+    }
+  ]
+}
+
+Supports:
+- Simple server list: ["server1", "server2"]
+- Advanced server config: [{"name": "server1", "tools": ["tool1", "tool2"]}]
+- All groups will be imported in a single efficient batch operation.`;
+
+  const parseAndValidateJson = (input: string): ImportJsonFormat | null => {
+    try {
+      const parsed = JSON.parse(input.trim());
+
+      // Validate structure
+      if (!parsed.groups || !Array.isArray(parsed.groups)) {
+        setError(t('groupImport.invalidFormat'));
+        return null;
+      }
+
+      // Validate each group
+      for (const group of parsed.groups) {
+        if (!group.name || typeof group.name !== 'string') {
+          setError(t('groupImport.missingName'));
+          return null;
+        }
+      }
+
+      return parsed as ImportJsonFormat;
+    } catch (e) {
+      setError(t('groupImport.parseError'));
+      return null;
+    }
+  };
+
+  const handlePreview = () => {
+    setError(null);
+    const parsed = parseAndValidateJson(jsonInput);
+    if (!parsed) return;
+
+    setPreviewGroups(parsed.groups);
+  };
+
+  const handleImport = async () => {
+    if (!previewGroups) return;
+
+    setIsImporting(true);
+    setError(null);
+
+    try {
+      // Use batch import API for better performance
+      const result = await apiPost('/groups/batch', {
+        groups: previewGroups,
+      });
+
+      if (result.success) {
+        const { successCount, failureCount, results } = result;
+
+        if (failureCount > 0) {
+          const errors = results
+            .filter((r: any) => !r.success)
+            .map((r: any) => `${r.name}: ${r.message || t('groupImport.addFailed')}`);
+
+          setError(
+            t('groupImport.partialSuccess', { count: successCount, total: previewGroups.length }) +
+              '\n' +
+              errors.join('\n'),
+          );
+        }
+
+        if (successCount > 0) {
+          onSuccess();
+        }
+      } else {
+        setError(result.message || t('groupImport.importFailed'));
+      }
+    } catch (err) {
+      console.error('Import error:', err);
+      setError(t('groupImport.importFailed'));
+    } finally {
+      setIsImporting(false);
+    }
+  };
+
+  const renderServerList = (
+    servers?: string[] | Array<{ name: string; tools?: string[] | 'all' }>,
+  ) => {
+    if (!servers || servers.length === 0) {
+      return <span className="text-gray-500">{t('groups.noServers')}</span>;
+    }
+
+    return (
+      <div className="space-y-1">
+        {servers.map((server, idx) => {
+          if (typeof server === 'string') {
+            return (
+              <div key={idx} className="text-sm">
+                • {server}
+              </div>
+            );
+          } else {
+            return (
+              <div key={idx} className="text-sm">
+                • {server.name}
+                {server.tools && server.tools !== 'all' && (
+                  <span className="text-gray-500 ml-2">
+                    ({Array.isArray(server.tools) ? server.tools.join(', ') : server.tools})
+                  </span>
+                )}
+                {server.tools === 'all' && <span className="text-gray-500 ml-2">(all tools)</span>}
+              </div>
+            );
+          }
+        })}
+      </div>
+    );
+  };
+
+  return (
+    <div className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
+      <div className="bg-white shadow rounded-lg p-6 w-full max-w-4xl max-h-[90vh] overflow-y-auto">
+        <div className="flex justify-between items-center mb-6">
+          <h2 className="text-xl font-semibold text-gray-900">{t('groupImport.title')}</h2>
+          <button onClick={onCancel} className="text-gray-500 hover:text-gray-700">
+            ✕
+          </button>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border-l-4 border-red-500 p-4 rounded">
+            <p className="text-red-700 whitespace-pre-wrap">{error}</p>
+          </div>
+        )}
+
+        {!previewGroups ? (
+          <div>
+            <div className="mb-4">
+              <label className="block text-sm font-medium text-gray-700 mb-2">
+                {t('groupImport.inputLabel')}
+              </label>
+              <textarea
+                value={jsonInput}
+                onChange={(e) => setJsonInput(e.target.value)}
+                className="w-full h-96 px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500 font-mono text-sm"
+                placeholder={examplePlaceholder}
+              />
+              <p className="text-xs text-gray-500 mt-2">{t('groupImport.inputHelp')}</p>
+            </div>
+
+            <div className="flex justify-end space-x-4">
+              <button
+                onClick={onCancel}
+                className="px-4 py-2 text-gray-700 bg-gray-200 rounded hover:bg-gray-300 btn-secondary"
+              >
+                {t('common.cancel')}
+              </button>
+              <button
+                onClick={handlePreview}
+                disabled={!jsonInput.trim()}
+                className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 disabled:opacity-50 btn-primary"
+              >
+                {t('groupImport.preview')}
+              </button>
+            </div>
+          </div>
+        ) : (
+          <div>
+            <div className="mb-4">
+              <h3 className="text-lg font-medium text-gray-900 mb-3">
+                {t('groupImport.previewTitle')}
+              </h3>
+              <div className="space-y-3">
+                {previewGroups.map((group, index) => (
+                  <div key={index} className="bg-gray-50 p-4 rounded-lg border border-gray-200">
+                    <div className="flex items-start justify-between">
+                      <div className="flex-1">
+                        <h4 className="font-medium text-gray-900">{group.name}</h4>
+                        {group.description && (
+                          <p className="text-sm text-gray-600 mt-1">{group.description}</p>
+                        )}
+                        <div className="mt-2 text-sm text-gray-600">
+                          <strong>{t('groups.servers')}:</strong>
+                          <div className="mt-1">{renderServerList(group.servers)}</div>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+
+            <div className="flex justify-end space-x-4">
+              <button
+                onClick={() => setPreviewGroups(null)}
+                disabled={isImporting}
+                className="px-4 py-2 text-gray-700 bg-gray-200 rounded hover:bg-gray-300 disabled:opacity-50 btn-secondary"
+              >
+                {t('common.back')}
+              </button>
+              <button
+                onClick={handleImport}
+                disabled={isImporting}
+                className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 disabled:opacity-50 flex items-center btn-primary"
+              >
+                {isImporting ? (
+                  <>
+                    <svg
+                      className="animate-spin h-4 w-4 mr-2"
+                      xmlns="http://www.w3.org/2000/svg"
+                      fill="none"
+                      viewBox="0 0 24 24"
+                    >
+                      <circle
+                        className="opacity-25"
+                        cx="12"
+                        cy="12"
+                        r="10"
+                        stroke="currentColor"
+                        strokeWidth="4"
+                      ></circle>
+                      <path
+                        className="opacity-75"
+                        fill="currentColor"
+                        d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
+                      ></path>
+                    </svg>
+                    {t('groupImport.importing')}
+                  </>
+                ) : (
+                  t('groupImport.import')
+                )}
+              </button>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+};
+
+export default GroupImportForm;
--- a/frontend/src/components/JSONImportForm.tsx
+++ b/frontend/src/components/JSONImportForm.tsx
@@ -14,6 +14,10 @@ interface McpServerConfig {
  type?: string;
  url?: string;
  headers?: Record<string, string>;
+  openapi?: {
+    version: string;
+    url: string;
+  };
 }

 interface ImportJsonFormat {
@@ -29,29 +33,16 @@ const JSONImportForm: React.FC<JSONImportFormProps> = ({ onSuccess, onCancel })
    null,
  );

-  const examplePlaceholder = `STDIO example:
-{
+  const examplePlaceholder = `{
  "mcpServers": {
    "stdio-server-example": {
      "command": "npx",
      "args": ["-y", "mcp-server-example"]
-    }
-  }
-}
-
-SSE example:
-{
-  "mcpServers": {
+    },
    "sse-server-example": {
      "type": "sse",
      "url": "http://localhost:3000"
-    }
-  }
-}
-
-HTTP example:
-{
-  "mcpServers": {
+    },
    "http-server-example": {
      "type": "streamable-http",
      "url": "http://localhost:3001",
@@ -59,9 +50,18 @@ HTTP example:
        "Content-Type": "application/json",
        "Authorization": "Bearer your-token"
      }
+    },
+    "openapi-server-example": {
+      "type": "openapi",
+      "openapi": {
+        "url": "https://petstore.swagger.io/v2/swagger.json"
+      }
    }
  }
-}`;
+}
+
+Supports: STDIO, SSE, HTTP (streamable-http), OpenAPI
+All servers will be imported in a single efficient batch operation.`;

  const parseAndValidateJson = (input: string): ImportJsonFormat | null => {
    try {
@@ -95,6 +95,9 @@ HTTP example:
        if (config.headers) {
          normalizedConfig.headers = config.headers;
        }
+      } else if (config.type === 'openapi') {
+        normalizedConfig.type = 'openapi';
+        normalizedConfig.openapi = config.openapi;
      } else {
        // Default to stdio
        normalizedConfig.type = 'stdio';
@@ -118,38 +121,31 @@ HTTP example:
    setError(null);

    try {
-      let successCount = 0;
-      const errors: string[] = [];
+      // Use batch import API for better performance
+      const result = await apiPost('/servers/batch', {
+        servers: previewServers,
+      });

-      for (const server of previewServers) {
-        try {
-          const result = await apiPost('/servers', {
-            name: server.name,
-            config: server.config,
-          });
+      if (result.success && result.data) {
+        const { successCount, failureCount, results } = result.data;

-          if (result.success) {
-            successCount++;
-          } else {
-            errors.push(`${server.name}: ${result.message || t('jsonImport.addFailed')}`);
-          }
-        } catch (err) {
-          errors.push(
-            `${server.name}: ${err instanceof Error ? err.message : t('jsonImport.addFailed')}`,
+        if (failureCount > 0) {
+          const errors = results
+            .filter((r: any) => !r.success)
+            .map((r: any) => `${r.name}: ${r.message || t('jsonImport.addFailed')}`);
+
+          setError(
+            t('jsonImport.partialSuccess', { count: successCount, total: previewServers.length }) +
+              '\n' +
+              errors.join('\n'),
          );
        }
-      }

-      if (errors.length > 0) {
-        setError(
-          t('jsonImport.partialSuccess', { count: successCount, total: previewServers.length }) +
-            '\n' +
-            errors.join('\n'),
-        );
-      }
-
-      if (successCount > 0) {
-        onSuccess();
+        if (successCount > 0) {
+          onSuccess();
+        }
+      } else {
+        setError(result.message || t('jsonImport.importFailed'));
      }
    } catch (err) {
      console.error('Import error:', err);
--- a/frontend/src/components/ServerForm.tsx
+++ b/frontend/src/components/ServerForm.tsx
@@ -375,6 +375,7 @@ const ServerForm = ({
              ? {
                  url: formData.url,
                  ...(Object.keys(headers).length > 0 ? { headers } : {}),
+                  ...(Object.keys(env).length > 0 ? { env } : {}),
                  ...(oauthConfig ? { oauth: oauthConfig } : {}),
                }
              : {
@@ -978,6 +979,49 @@ const ServerForm = ({
              ))}
            </div>

+            <div className="mb-4">
+              <div className="flex justify-between items-center mb-2">
+                <label className="block text-gray-700 text-sm font-bold">
+                  {t('server.envVars')}
+                </label>
+                <button
+                  type="button"
+                  onClick={addEnvVar}
+                  className="bg-gray-200 hover:bg-gray-300 text-gray-700 font-medium py-1 px-2 rounded text-sm flex items-center justify-center min-w-[30px] min-h-[30px] btn-primary"
+                >
+                  +
+                </button>
+              </div>
+              {envVars.map((envVar, index) => (
+                <div key={index} className="flex items-center mb-2">
+                  <div className="flex items-center space-x-2 flex-grow">
+                    <input
+                      type="text"
+                      value={envVar.key}
+                      onChange={(e) => handleEnvVarChange(index, 'key', e.target.value)}
+                      className="shadow appearance-none border rounded py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline w-1/2 form-input"
+                      placeholder={t('server.key')}
+                    />
+                    <span className="flex items-center">:</span>
+                    <input
+                      type="text"
+                      value={envVar.value}
+                      onChange={(e) => handleEnvVarChange(index, 'value', e.target.value)}
+                      className="shadow appearance-none border rounded py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline w-1/2 form-input"
+                      placeholder={t('server.value')}
+                    />
+                  </div>
+                  <button
+                    type="button"
+                    onClick={() => removeEnvVar(index)}
+                    className="bg-gray-200 hover:bg-gray-300 text-gray-700 font-medium py-1 px-2 rounded text-sm flex items-center justify-center min-w-[30px] min-h-[30px] ml-2 btn-danger"
+                  >
+                    -
+                  </button>
+                </div>
+              ))}
+            </div>
+
            <div className="mb-4">
              <div
                className="flex items-center justify-between cursor-pointer bg-gray-50 hover:bg-gray-100 p-3 rounded border border-gray-200"
--- a/frontend/src/components/ui/DynamicForm.tsx
+++ b/frontend/src/components/ui/DynamicForm.tsx
@@ -21,7 +21,14 @@ interface DynamicFormProps {
  title?: string; // Optional title to display instead of default parameters title
 }

-const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, loading = false, storageKey, title }) => {
+const DynamicForm: React.FC<DynamicFormProps> = ({
+  schema,
+  onSubmit,
+  onCancel,
+  loading = false,
+  storageKey,
+  title,
+}) => {
  const { t } = useTranslation();
  const [formValues, setFormValues] = useState<Record<string, any>>({});
  const [errors, setErrors] = useState<Record<string, string>>({});
@@ -40,9 +47,14 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
            description: obj.description,
            enum: obj.enum,
            default: obj.default,
-            properties: obj.properties ? Object.fromEntries(
-              Object.entries(obj.properties).map(([key, value]) => [key, convertProperty(value)])
-            ) : undefined,
+            properties: obj.properties
+              ? Object.fromEntries(
+                  Object.entries(obj.properties).map(([key, value]) => [
+                    key,
+                    convertProperty(value),
+                  ]),
+                )
+              : undefined,
            required: obj.required,
            items: obj.items ? convertProperty(obj.items) : undefined,
          };
@@ -52,9 +64,14 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l

      return {
        type: schema.type,
-        properties: schema.properties ? Object.fromEntries(
-          Object.entries(schema.properties).map(([key, value]) => [key, convertProperty(value)])
-        ) : undefined,
+        properties: schema.properties
+          ? Object.fromEntries(
+              Object.entries(schema.properties).map(([key, value]) => [
+                key,
+                convertProperty(value),
+              ]),
+            )
+          : undefined,
        required: schema.required,
      };
    };
@@ -167,7 +184,7 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
  };

  const handleInputChange = (path: string, value: any) => {
-    setFormValues(prev => {
+    setFormValues((prev) => {
      const newValues = { ...prev };
      const keys = path.split('.');
      let current = newValues;
@@ -195,7 +212,7 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l

    // Clear error for this field
    if (errors[path]) {
-      setErrors(prev => {
+      setErrors((prev) => {
        const newErrors = { ...prev };
        delete newErrors[path];
        return newErrors;
@@ -209,10 +226,16 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
      if (schema.type === 'object' && schema.properties) {
        Object.entries(schema.properties).forEach(([key, propSchema]) => {
          const fullPath = path ? `${path}.${key}` : key;
-          const value = getNestedValue(values, fullPath);
+          const value = values?.[key];

          // Check required fields
-          if (schema.required?.includes(key) && (value === undefined || value === null || value === '')) {
+          if (
+            schema.required?.includes(key) &&
+            (value === undefined ||
+              value === null ||
+              value === '' ||
+              (Array.isArray(value) && value.length === 0))
+          ) {
            newErrors[fullPath] = `${key} is required`;
            return;
          }
@@ -223,7 +246,10 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
              newErrors[fullPath] = `${key} must be a string`;
            } else if (propSchema.type === 'number' && typeof value !== 'number') {
              newErrors[fullPath] = `${key} must be a number`;
-            } else if (propSchema.type === 'integer' && (!Number.isInteger(value) || typeof value !== 'number')) {
+            } else if (
+              propSchema.type === 'integer' &&
+              (!Number.isInteger(value) || typeof value !== 'number')
+            ) {
              newErrors[fullPath] = `${key} must be an integer`;
            } else if (propSchema.type === 'boolean' && typeof value !== 'boolean') {
              newErrors[fullPath] = `${key} must be a boolean`;
@@ -260,7 +286,12 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
    return path.split('.').reduce((current, key) => current?.[key], obj);
  };

-  const renderObjectField = (key: string, schema: JsonSchema, currentValue: any, onChange: (value: any) => void): React.ReactNode => {
+  const renderObjectField = (
+    key: string,
+    schema: JsonSchema,
+    currentValue: any,
+    onChange: (value: any) => void,
+  ): React.ReactNode => {
    const value = currentValue?.[key];

    if (schema.type === 'string') {
@@ -299,7 +330,12 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          step={schema.type === 'integer' ? '1' : 'any'}
          value={value ?? ''}
          onChange={(e) => {
-            const val = e.target.value === '' ? '' : schema.type === 'integer' ? parseInt(e.target.value) : parseFloat(e.target.value);
+            const val =
+              e.target.value === ''
+                ? ''
+                : schema.type === 'integer'
+                  ? parseInt(e.target.value)
+                  : parseFloat(e.target.value);
            onChange(val);
          }}
          className="w-full border rounded-md px-2 py-1 text-sm border-gray-300 focus:outline-none focus:ring-1 focus:ring-blue-500 form-input"
@@ -333,7 +369,7 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
  const renderField = (key: string, propSchema: JsonSchema, path: string = ''): React.ReactNode => {
    const fullPath = path ? `${path}.${key}` : key;
    const value = getNestedValue(formValues, fullPath);
-    const error = errors[fullPath];    // Handle array type
+    const error = errors[fullPath]; // Handle array type
    if (propSchema.type === 'array') {
      const arrayValue = getNestedValue(formValues, fullPath) || [];

@@ -341,7 +377,11 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
        <div key={fullPath} className="mb-6">
          <label className="block text-sm font-medium text-gray-700 mb-1">
            {key}
-            {(path ? getNestedValue(jsonSchema, path)?.required?.includes(key) : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+            {(path
+              ? getNestedValue(jsonSchema, path)?.required?.includes(key)
+              : jsonSchema.required?.includes(key)) && (
+              <span className="text-status-red ml-1">*</span>
+            )}
          </label>
          {propSchema.description && (
            <p className="text-xs text-gray-500 mb-2">{propSchema.description}</p>
@@ -349,9 +389,11 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l

          <div className="border border-gray-200 rounded-md p-3 bg-gray-50">
            {arrayValue.map((item: any, index: number) => (
-              <div key={index} className="mb-3 p-3 bg-white border rounded-md">
+              <div key={index} className="mb-3 p-3 bg-white border border-gray-200 rounded-md">
                <div className="flex justify-between items-center mb-2">
-                  <span className="text-sm font-medium text-gray-600">{t('tool.item', { index: index + 1 })}</span>
+                  <span className="text-sm font-medium text-gray-600">
+                    {t('tool.item', { index: index + 1 })}
+                  </span>
                  <button
                    type="button"
                    onClick={() => {
@@ -388,7 +430,9 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
                      <div key={objKey}>
                        <label className="block text-xs font-medium text-gray-600 mb-1">
                          {objKey}
-                          {propSchema.items?.required?.includes(objKey) && <span className="text-status-red ml-1">*</span>}
+                          {propSchema.items?.required?.includes(objKey) && (
+                            <span className="text-status-red ml-1">*</span>
+                          )}
                        </label>
                        {renderObjectField(objKey, objSchema as JsonSchema, item, (newValue) => {
                          const newArray = [...arrayValue];
@@ -429,7 +473,7 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          {error && <p className="text-status-red text-xs mt-1">{error}</p>}
        </div>
      );
-    }    // Handle object type
+    } // Handle object type
    if (propSchema.type === 'object') {
      if (propSchema.properties) {
        // Object with defined properties - render as nested form
@@ -437,16 +481,20 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          <div key={fullPath} className="mb-6">
            <label className="block text-sm font-medium text-gray-700 mb-1">
              {key}
-              {(path ? getNestedValue(jsonSchema, path)?.required?.includes(key) : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+              {(path
+                ? getNestedValue(jsonSchema, path)?.required?.includes(key)
+                : jsonSchema.required?.includes(key)) && (
+                <span className="text-status-red ml-1">*</span>
+              )}
            </label>
            {propSchema.description && (
              <p className="text-xs text-gray-500 mb-2">{propSchema.description}</p>
            )}

            <div className="border border-gray-200 rounded-md p-4 bg-gray-50">
-              {Object.entries(propSchema.properties).map(([objKey, objSchema]) => (
-                renderField(objKey, objSchema as JsonSchema, fullPath)
-              ))}
+              {Object.entries(propSchema.properties).map(([objKey, objSchema]) =>
+                renderField(objKey, objSchema as JsonSchema, fullPath),
+              )}
            </div>

            {error && <p className="text-status-red text-xs mt-1">{error}</p>}
@@ -458,7 +506,11 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          <div key={fullPath} className="mb-4">
            <label className="block text-sm font-medium text-gray-700 mb-1">
              {key}
-              {(path ? getNestedValue(jsonSchema, path)?.required?.includes(key) : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+              {(path
+                ? getNestedValue(jsonSchema, path)?.required?.includes(key)
+                : jsonSchema.required?.includes(key)) && (
+                <span className="text-status-red ml-1">*</span>
+              )}
              <span className="text-xs text-gray-500 ml-1">(JSON object)</span>
            </label>
            {propSchema.description && (
@@ -483,13 +535,16 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          </div>
        );
      }
-    } if (propSchema.type === 'string') {
+    }
+    if (propSchema.type === 'string') {
      if (propSchema.enum) {
        return (
          <div key={fullPath} className="mb-4">
            <label className="block text-sm font-medium text-gray-700 mb-1">
              {key}
-              {(path ? false : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+              {(path ? false : jsonSchema.required?.includes(key)) && (
+                <span className="text-status-red ml-1">*</span>
+              )}
            </label>
            {propSchema.description && (
              <p className="text-xs text-gray-500 mb-2">{propSchema.description}</p>
@@ -514,7 +569,9 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          <div key={fullPath} className="mb-4">
            <label className="block text-sm font-medium text-gray-700 mb-1">
              {key}
-              {(path ? false : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+              {(path ? false : jsonSchema.required?.includes(key)) && (
+                <span className="text-status-red ml-1">*</span>
+              )}
            </label>
            {propSchema.description && (
              <p className="text-xs text-gray-500 mb-2">{propSchema.description}</p>
@@ -529,12 +586,15 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          </div>
        );
      }
-    } if (propSchema.type === 'number' || propSchema.type === 'integer') {
+    }
+    if (propSchema.type === 'number' || propSchema.type === 'integer') {
      return (
        <div key={fullPath} className="mb-4">
          <label className="block text-sm font-medium text-gray-700 mb-1">
            {key}
-            {(path ? false : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+            {(path ? false : jsonSchema.required?.includes(key)) && (
+              <span className="text-status-red ml-1">*</span>
+            )}
          </label>
          {propSchema.description && (
            <p className="text-xs text-gray-500 mb-2">{propSchema.description}</p>
@@ -544,7 +604,12 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
            step={propSchema.type === 'integer' ? '1' : 'any'}
            value={value !== undefined && value !== null ? value : ''}
            onChange={(e) => {
-              const val = e.target.value === '' ? '' : propSchema.type === 'integer' ? parseInt(e.target.value) : parseFloat(e.target.value);
+              const val =
+                e.target.value === ''
+                  ? ''
+                  : propSchema.type === 'integer'
+                    ? parseInt(e.target.value)
+                    : parseFloat(e.target.value);
              handleInputChange(fullPath, val);
            }}
            className={`w-full border rounded-md px-3 py-2 form-input ${error ? 'border-red-500' : 'border-gray-300'} focus:outline-none focus:ring-2 focus:ring-blue-500`}
@@ -566,7 +631,9 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
            />
            <label className="ml-2 block text-sm text-gray-700">
              {key}
-              {(path ? false : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+              {(path ? false : jsonSchema.required?.includes(key)) && (
+                <span className="text-status-red ml-1">*</span>
+              )}
            </label>
          </div>
          {propSchema.description && (
@@ -575,12 +642,14 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          {error && <p className="text-status-red text-xs mt-1">{error}</p>}
        </div>
      );
-    }    // For other types, show as text input with description
+    } // For other types, show as text input with description
    return (
      <div key={fullPath} className="mb-4">
        <label className="block text-sm font-medium text-gray-700 mb-1">
          {key}
-          {(path ? false : jsonSchema.required?.includes(key)) && <span className="text-status-red ml-1">*</span>}
+          {(path ? false : jsonSchema.required?.includes(key)) && (
+            <span className="text-status-red ml-1">*</span>
+          )}
          <span className="text-xs text-gray-500 ml-1">({propSchema.type})</span>
        </label>
        {propSchema.description && (
@@ -631,20 +700,22 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
          <button
            type="button"
            onClick={switchToFormMode}
-            className={`px-3 py-1 text-sm rounded-md transition-colors ${!isJsonMode
-              ? 'bg-blue-100 text-blue-800 rounded hover:bg-blue-200 text-sm btn-primary'
-              : 'text-sm text-gray-600 bg-gray-200 rounded hover:bg-gray-300 btn-secondary'
-              }`}
+            className={`px-3 py-1 text-sm rounded-md transition-colors ${
+              !isJsonMode
+                ? 'bg-blue-100 text-blue-800 rounded hover:bg-blue-200 text-sm btn-primary'
+                : 'text-sm text-gray-600 bg-gray-200 rounded hover:bg-gray-300 btn-secondary'
+            }`}
          >
            {t('tool.formMode')}
          </button>
          <button
            type="button"
            onClick={switchToJsonMode}
-            className={`px-3 py-1 text-sm rounded-md transition-colors ${isJsonMode
-              ? 'px-4 py-1 bg-blue-100 text-blue-800 rounded hover:bg-blue-200 text-sm btn-primary'
-              : 'text-sm text-gray-600 bg-gray-200 rounded hover:bg-gray-300 btn-secondary'
-              }`}
+            className={`px-3 py-1 text-sm rounded-md transition-colors ${
+              isJsonMode
+                ? 'px-4 py-1 bg-blue-100 text-blue-800 rounded hover:bg-blue-200 text-sm btn-primary'
+                : 'text-sm text-gray-600 bg-gray-200 rounded hover:bg-gray-300 btn-secondary'
+            }`}
          >
            {t('tool.jsonMode')}
          </button>
@@ -662,8 +733,9 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
              value={jsonText}
              onChange={(e) => handleJsonTextChange(e.target.value)}
              placeholder={`{\n  "key": "value"\n}`}
-              className={`w-full h-64 border rounded-md px-3 py-2 font-mono text-sm resize-y form-input ${jsonError ? 'border-red-500' : 'border-gray-300'
-                } focus:outline-none focus:ring-2 focus:ring-blue-500`}
+              className={`w-full h-64 border rounded-md px-3 py-2 font-mono text-sm resize-y form-input ${
+                jsonError ? 'border-red-500' : 'border-gray-300'
+              } focus:outline-none focus:ring-2 focus:ring-blue-500`}
            />
            {jsonError && <p className="text-status-red text-xs mt-1">{jsonError}</p>}
          </div>
@@ -696,7 +768,7 @@ const DynamicForm: React.FC<DynamicFormProps> = ({ schema, onSubmit, onCancel, l
        /* Form Mode */
        <form onSubmit={handleSubmit} className="space-y-4">
          {Object.entries(jsonSchema.properties || {}).map(([key, propSchema]) =>
-            renderField(key, propSchema)
+            renderField(key, propSchema),
          )}

          <div className="flex justify-end space-x-2 pt-4">
--- a/frontend/src/components/ui/MultiSelect.tsx
+++ b/frontend/src/components/ui/MultiSelect.tsx
@@ -0,0 +1,161 @@
+import React, { useState, useRef, useEffect } from 'react';
+import { Check, ChevronDown, X } from 'lucide-react';
+
+interface MultiSelectProps {
+  options: { value: string; label: string }[];
+  selected: string[];
+  onChange: (selected: string[]) => void;
+  placeholder?: string;
+  disabled?: boolean;
+  className?: string;
+}
+
+export const MultiSelect: React.FC<MultiSelectProps> = ({
+  options,
+  selected,
+  onChange,
+  placeholder = 'Select items...',
+  disabled = false,
+  className = '',
+}) => {
+  const [isOpen, setIsOpen] = useState(false);
+  const [searchTerm, setSearchTerm] = useState('');
+  const dropdownRef = useRef<HTMLDivElement>(null);
+  const inputRef = useRef<HTMLInputElement>(null);
+
+  // Close dropdown when clicking outside
+  useEffect(() => {
+    const handleClickOutside = (event: MouseEvent) => {
+      if (dropdownRef.current && !dropdownRef.current.contains(event.target as Node)) {
+        setIsOpen(false);
+        setSearchTerm('');
+      }
+    };
+
+    document.addEventListener('mousedown', handleClickOutside);
+    return () => document.removeEventListener('mousedown', handleClickOutside);
+  }, []);
+
+  const filteredOptions = options.filter((option) =>
+    option.label.toLowerCase().includes(searchTerm.toLowerCase()),
+  );
+
+  const handleToggleOption = (value: string) => {
+    if (disabled) return;
+
+    const newSelected = selected.includes(value)
+      ? selected.filter((item) => item !== value)
+      : [...selected, value];
+
+    onChange(newSelected);
+  };
+
+  const handleRemoveItem = (value: string, e: React.MouseEvent) => {
+    e.stopPropagation();
+    if (disabled) return;
+    onChange(selected.filter((item) => item !== value));
+  };
+
+  const handleToggleDropdown = () => {
+    if (disabled) return;
+    setIsOpen(!isOpen);
+    if (!isOpen) {
+      setTimeout(() => inputRef.current?.focus(), 0);
+    }
+  };
+
+  const getSelectedLabels = () => {
+    return selected
+      .map((value) => options.find((opt) => opt.value === value)?.label || value)
+      .filter(Boolean);
+  };
+
+  return (
+    <div ref={dropdownRef} className={`relative ${className}`}>
+      {/* Selected items display */}
+      <div
+        onClick={handleToggleDropdown}
+        className={`
+          min-h-[38px] w-full px-3 py-1.5 border rounded-md shadow-sm
+          flex flex-wrap items-center gap-1.5 cursor-pointer
+          transition-all duration-200
+          ${disabled ? 'bg-gray-100 cursor-not-allowed' : 'bg-white hover:border-blue-400'}
+          ${isOpen ? 'border-blue-500 ring-1 ring-blue-500' : 'border-gray-300'}
+        `}
+      >
+        {selected.length > 0 ? (
+          <>
+            {getSelectedLabels().map((label, index) => (
+              <span
+                key={selected[index]}
+                className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 text-blue-800"
+              >
+                {label}
+                {!disabled && (
+                  <button
+                    type="button"
+                    onClick={(e) => handleRemoveItem(selected[index], e)}
+                    className="ml-1 hover:bg-blue-200 rounded-full p-0.5 transition-colors"
+                  >
+                    <X className="h-3 w-3" />
+                  </button>
+                )}
+              </span>
+            ))}
+          </>
+        ) : (
+          <span className="text-gray-400 text-sm">{placeholder}</span>
+        )}
+        <div className="flex-1"></div>
+        <ChevronDown
+          className={`h-4 w-4 text-gray-400 transition-transform duration-200 ${isOpen ? 'transform rotate-180' : ''}`}
+        />
+      </div>
+
+      {/* Dropdown menu */}
+      {isOpen && !disabled && (
+        <div className="absolute z-50 w-full mt-1 bg-white border border-gray-300 rounded-md shadow-lg max-h-60 overflow-hidden">
+          {/* Search input */}
+          <div className="p-2 border-b border-gray-200">
+            <input
+              ref={inputRef}
+              type="text"
+              value={searchTerm}
+              onChange={(e) => setSearchTerm(e.target.value)}
+              placeholder="Search..."
+              className="w-full px-3 py-1.5 text-sm border border-gray-300 rounded focus:outline-none focus:ring-1 focus:ring-blue-500 focus:border-blue-500"
+              onClick={(e) => e.stopPropagation()}
+            />
+          </div>
+
+          {/* Options list */}
+          <div className="max-h-48 overflow-y-auto">
+            {filteredOptions.length > 0 ? (
+              filteredOptions.map((option) => {
+                const isSelected = selected.includes(option.value);
+                return (
+                  <div
+                    key={option.value}
+                    onClick={() => handleToggleOption(option.value)}
+                    className={`
+                      px-3 py-2 cursor-pointer flex items-center justify-between
+                      transition-colors duration-150
+                      ${isSelected ? 'bg-blue-50 text-blue-700' : 'hover:bg-gray-100'}
+                    `}
+                  >
+                    <span className="text-sm">{option.label}</span>
+                    {isSelected && <Check className="h-4 w-4 text-blue-600" />}
+                  </div>
+                );
+              })
+            ) : (
+              <div className="px-3 py-2 text-sm text-gray-500 text-center">
+                {searchTerm ? 'No results found' : 'No options available'}
+              </div>
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+};
--- a/frontend/src/contexts/SettingsContext.tsx
+++ b/frontend/src/contexts/SettingsContext.tsx
@@ -7,9 +7,9 @@ import React, {
  ReactNode,
 } from 'react';
 import { useTranslation } from 'react-i18next';
-import { ApiResponse } from '@/types';
+import { ApiResponse, BearerKey } from '@/types';
 import { useToast } from '@/contexts/ToastContext';
-import { apiGet, apiPut } from '@/utils/fetchInterceptor';
+import { apiGet, apiPut, apiPost, apiDelete } from '@/utils/fetchInterceptor';

 // Define types for the settings data
 interface RoutingConfig {
@@ -66,6 +66,7 @@ interface SystemSettings {
    oauthServer?: OAuthServerConfig;
    enableSessionRebuild?: boolean;
  };
+  bearerKeys?: BearerKey[];
 }

 interface TempRoutingConfig {
@@ -82,6 +83,7 @@ interface SettingsContextValue {
  oauthServerConfig: OAuthServerConfig;
  nameSeparator: string;
  enableSessionRebuild: boolean;
+  bearerKeys: BearerKey[];
  loading: boolean;
  error: string | null;
  setError: React.Dispatch<React.SetStateAction<string | null>>;
@@ -109,6 +111,14 @@ interface SettingsContextValue {
  updateNameSeparator: (value: string) => Promise<boolean | undefined>;
  updateSessionRebuild: (value: boolean) => Promise<boolean | undefined>;
  exportMCPSettings: (serverName?: string) => Promise<any>;
+  // Bearer key management
+  refreshBearerKeys: () => Promise<void>;
+  createBearerKey: (payload: Omit<BearerKey, 'id'>) => Promise<BearerKey | null>;
+  updateBearerKey: (
+    id: string,
+    updates: Partial<Omit<BearerKey, 'id'>>,
+  ) => Promise<BearerKey | null>;
+  deleteBearerKey: (id: string) => Promise<boolean>;
 }

 const getDefaultOAuthServerConfig = (): OAuthServerConfig => ({
@@ -183,6 +193,7 @@ export const SettingsProvider: React.FC<SettingsProviderProps> = ({ children })

  const [nameSeparator, setNameSeparator] = useState<string>('-');
  const [enableSessionRebuild, setEnableSessionRebuild] = useState<boolean>(false);
+  const [bearerKeys, setBearerKeys] = useState<BearerKey[]>([]);

  const [loading, setLoading] = useState(false);
  const [error, setError] = useState<string | null>(null);
@@ -279,6 +290,10 @@ export const SettingsProvider: React.FC<SettingsProviderProps> = ({ children })
      if (data.success && data.data?.systemConfig?.enableSessionRebuild !== undefined) {
        setEnableSessionRebuild(data.data.systemConfig.enableSessionRebuild);
      }
+
+      if (data.success && Array.isArray(data.data?.bearerKeys)) {
+        setBearerKeys(data.data.bearerKeys);
+      }
    } catch (error) {
      console.error('Failed to fetch settings:', error);
      setError(error instanceof Error ? error.message : 'Failed to fetch settings');
@@ -659,6 +674,73 @@ export const SettingsProvider: React.FC<SettingsProviderProps> = ({ children })
    }
  };

+  // Bearer key management helpers
+  const refreshBearerKeys = async () => {
+    try {
+      const data: ApiResponse<BearerKey[]> = await apiGet('/auth/keys');
+      if (data.success && Array.isArray(data.data)) {
+        setBearerKeys(data.data);
+      }
+    } catch (error) {
+      console.error('Failed to refresh bearer keys:', error);
+      showToast(t('errors.failedToFetchSettings'));
+    }
+  };
+
+  const createBearerKey = async (payload: Omit<BearerKey, 'id'>): Promise<BearerKey | null> => {
+    try {
+      const data: ApiResponse<BearerKey> = await apiPost('/auth/keys', payload as any);
+      if (data.success && data.data) {
+        await refreshBearerKeys();
+        showToast(t('settings.systemConfigUpdated'));
+        return data.data;
+      }
+      showToast(data.message || t('errors.failedToUpdateRoutingConfig'));
+      return null;
+    } catch (error) {
+      console.error('Failed to create bearer key:', error);
+      showToast(t('errors.failedToUpdateRoutingConfig'));
+      return null;
+    }
+  };
+
+  const updateBearerKey = async (
+    id: string,
+    updates: Partial<Omit<BearerKey, 'id'>>,
+  ): Promise<BearerKey | null> => {
+    try {
+      const data: ApiResponse<BearerKey> = await apiPut(`/auth/keys/${id}`, updates as any);
+      if (data.success && data.data) {
+        await refreshBearerKeys();
+        showToast(t('settings.systemConfigUpdated'));
+        return data.data;
+      }
+      showToast(data.message || t('errors.failedToUpdateRoutingConfig'));
+      return null;
+    } catch (error) {
+      console.error('Failed to update bearer key:', error);
+      showToast(t('errors.failedToUpdateRoutingConfig'));
+      return null;
+    }
+  };
+
+  const deleteBearerKey = async (id: string): Promise<boolean> => {
+    try {
+      const data: ApiResponse = await apiDelete(`/auth/keys/${id}`);
+      if (data.success) {
+        await refreshBearerKeys();
+        showToast(t('settings.systemConfigUpdated'));
+        return true;
+      }
+      showToast(data.message || t('errors.failedToUpdateRoutingConfig'));
+      return false;
+    } catch (error) {
+      console.error('Failed to delete bearer key:', error);
+      showToast(t('errors.failedToUpdateRoutingConfig'));
+      return false;
+    }
+  };
+
  // Fetch settings when the component mounts or refreshKey changes
  useEffect(() => {
    fetchSettings();
@@ -682,6 +764,7 @@ export const SettingsProvider: React.FC<SettingsProviderProps> = ({ children })
    oauthServerConfig,
    nameSeparator,
    enableSessionRebuild,
+    bearerKeys,
    loading,
    error,
    setError,
@@ -699,6 +782,10 @@ export const SettingsProvider: React.FC<SettingsProviderProps> = ({ children })
    updateNameSeparator,
    updateSessionRebuild,
    exportMCPSettings,
+    refreshBearerKeys,
+    createBearerKey,
+    updateBearerKey,
+    deleteBearerKey,
  };

  return <SettingsContext.Provider value={value}>{children}</SettingsContext.Provider>;
--- a/frontend/src/pages/GroupsPage.tsx
+++ b/frontend/src/pages/GroupsPage.tsx
@@ -6,6 +6,7 @@ import { useServerData } from '@/hooks/useServerData';
 import AddGroupForm from '@/components/AddGroupForm';
 import EditGroupForm from '@/components/EditGroupForm';
 import GroupCard from '@/components/GroupCard';
+import GroupImportForm from '@/components/GroupImportForm';

 const GroupsPage: React.FC = () => {
  const { t } = useTranslation();
@@ -15,12 +16,13 @@ const GroupsPage: React.FC = () => {
    error: groupError,
    setError: setGroupError,
    deleteGroup,
-    triggerRefresh
+    triggerRefresh,
  } = useGroupData();
  const { servers } = useServerData({ refreshOnMount: true });

  const [editingGroup, setEditingGroup] = useState<Group | null>(null);
  const [showAddForm, setShowAddForm] = useState(false);
+  const [showImportForm, setShowImportForm] = useState(false);

  const handleEditClick = (group: Group) => {
    setEditingGroup(group);
@@ -47,6 +49,11 @@ const GroupsPage: React.FC = () => {
    triggerRefresh(); // Refresh the groups list after adding
  };

+  const handleImportSuccess = () => {
+    setShowImportForm(false);
+    triggerRefresh(); // Refresh the groups list after import
+  };
+
  return (
    <div>
      <div className="flex justify-between items-center mb-8">
@@ -56,11 +63,38 @@ const GroupsPage: React.FC = () => {
            onClick={handleAddGroup}
            className="px-4 py-2 bg-blue-100 text-blue-800 rounded hover:bg-blue-200 flex items-center btn-primary transition-all duration-200"
          >
-            <svg xmlns="http://www.w3.org/2000/svg" className="h-4 w-4 mr-2" viewBox="0 0 20 20" fill="currentColor">
-              <path fillRule="evenodd" d="M10 3a1 1 0 00-1 1v5H4a1 1 0 100 2h5v5a1 1 0 102 0v-5h5a1 1 0 100-2h-5V4a1 1 0 00-1-1z" clipRule="evenodd" />
+            <svg
+              xmlns="http://www.w3.org/2000/svg"
+              className="h-4 w-4 mr-2"
+              viewBox="0 0 20 20"
+              fill="currentColor"
+            >
+              <path
+                fillRule="evenodd"
+                d="M10 3a1 1 0 00-1 1v5H4a1 1 0 100 2h5v5a1 1 0 102 0v-5h5a1 1 0 100-2h-5V4a1 1 0 00-1-1z"
+                clipRule="evenodd"
+              />
            </svg>
            {t('groups.add')}
          </button>
+          <button
+            onClick={() => setShowImportForm(true)}
+            className="px-4 py-2 bg-blue-100 text-blue-800 rounded hover:bg-blue-200 flex items-center btn-primary transition-all duration-200"
+          >
+            <svg
+              xmlns="http://www.w3.org/2000/svg"
+              className="h-4 w-4 mr-2"
+              viewBox="0 0 20 20"
+              fill="currentColor"
+            >
+              <path
+                fillRule="evenodd"
+                d="M3 17a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1zm3.293-7.707a1 1 0 011.414 0L9 10.586V3a1 1 0 112 0v7.586l1.293-1.293a1 1 0 111.414 1.414l-3 3a1 1 0 01-1.414 0l-3-3a1 1 0 010-1.414z"
+                clipRule="evenodd"
+              />
+            </svg>
+            {t('groupImport.button')}
+          </button>
        </div>
      </div>

@@ -73,9 +107,25 @@ const GroupsPage: React.FC = () => {
      {groupsLoading ? (
        <div className="bg-white shadow rounded-lg p-6 loading-container">
          <div className="flex flex-col items-center justify-center">
-            <svg className="animate-spin h-10 w-10 text-blue-500 mb-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-              <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
-              <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+            <svg
+              className="animate-spin h-10 w-10 text-blue-500 mb-4"
+              xmlns="http://www.w3.org/2000/svg"
+              fill="none"
+              viewBox="0 0 24 24"
+            >
+              <circle
+                className="opacity-25"
+                cx="12"
+                cy="12"
+                r="10"
+                stroke="currentColor"
+                strokeWidth="4"
+              ></circle>
+              <path
+                className="opacity-75"
+                fill="currentColor"
+                d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
+              ></path>
            </svg>
            <p className="text-gray-600">{t('app.loading')}</p>
          </div>
@@ -98,8 +148,13 @@ const GroupsPage: React.FC = () => {
        </div>
      )}

-      {showAddForm && (
-        <AddGroupForm onAdd={handleAddComplete} onCancel={handleAddComplete} />
+      {showAddForm && <AddGroupForm onAdd={handleAddComplete} onCancel={handleAddComplete} />}
+
+      {showImportForm && (
+        <GroupImportForm
+          onSuccess={handleImportSuccess}
+          onCancel={() => setShowImportForm(false)}
+        />
      )}

      {editingGroup && (
@@ -113,4 +168,4 @@ const GroupsPage: React.FC = () => {
  );
 };

-export default GroupsPage;
+export default GroupsPage;
--- a/frontend/src/pages/SettingsPage.tsx
+++ b/frontend/src/pages/SettingsPage.tsx
@@ -3,17 +3,317 @@ import { useTranslation } from 'react-i18next';
 import { useNavigate } from 'react-router-dom';
 import ChangePasswordForm from '@/components/ChangePasswordForm';
 import { Switch } from '@/components/ui/ToggleGroup';
+import { MultiSelect } from '@/components/ui/MultiSelect';
 import { useSettingsData } from '@/hooks/useSettingsData';
 import { useToast } from '@/contexts/ToastContext';
 import { generateRandomKey } from '@/utils/key';
 import { PermissionChecker } from '@/components/PermissionChecker';
 import { PERMISSIONS } from '@/constants/permissions';
-import { Copy, Check, Download } from 'lucide-react';
+import { Copy, Check, Download, Edit, Trash2 } from 'lucide-react';
+import type { BearerKey } from '@/types';
+import { useServerContext } from '@/contexts/ServerContext';
+import { useGroupData } from '@/hooks/useGroupData';
+
+interface BearerKeyRowProps {
+  keyData: BearerKey;
+  loading: boolean;
+  availableServers: { value: string; label: string }[];
+  availableGroups: { value: string; label: string }[];
+  onSave: (
+    id: string,
+    payload: {
+      name: string;
+      token: string;
+      enabled: boolean;
+      accessType: 'all' | 'groups' | 'servers';
+      allowedGroups: string;
+      allowedServers: string;
+    },
+  ) => Promise<void>;
+  onDelete: (id: string) => Promise<void>;
+}
+
+const BearerKeyRow: React.FC<BearerKeyRowProps> = ({
+  keyData,
+  loading,
+  availableServers,
+  availableGroups,
+  onSave,
+  onDelete,
+}) => {
+  const { t } = useTranslation();
+  const { showToast } = useToast();
+  const [isEditing, setIsEditing] = useState(false);
+  const [name, setName] = useState(keyData.name);
+  const [token, setToken] = useState(keyData.token);
+  const [enabled, setEnabled] = useState<boolean>(keyData.enabled);
+  const [accessType, setAccessType] = useState<'all' | 'groups' | 'servers'>(
+    keyData.accessType || 'all',
+  );
+  const [selectedGroups, setSelectedGroups] = useState<string[]>(keyData.allowedGroups || []);
+  const [selectedServers, setSelectedServers] = useState<string[]>(keyData.allowedServers || []);
+  const [saving, setSaving] = useState(false);
+  const [deleting, setDeleting] = useState(false);
+
+  useEffect(() => {
+    if (!isEditing) {
+      setName(keyData.name);
+      setToken(keyData.token);
+      setEnabled(keyData.enabled);
+      setAccessType(keyData.accessType || 'all');
+      setSelectedGroups(keyData.allowedGroups || []);
+      setSelectedServers(keyData.allowedServers || []);
+    }
+  }, [keyData, isEditing]);
+
+  const handleCopyToken = async () => {
+    try {
+      if (navigator.clipboard && window.isSecureContext) {
+        await navigator.clipboard.writeText(keyData.token);
+        showToast(t('common.copySuccess') || 'Copied to clipboard', 'success');
+      } else {
+        const textArea = document.createElement('textarea');
+        textArea.value = keyData.token;
+        textArea.style.position = 'fixed';
+        textArea.style.left = '-9999px';
+        document.body.appendChild(textArea);
+        textArea.focus();
+        textArea.select();
+        try {
+          document.execCommand('copy');
+          showToast(t('common.copySuccess') || 'Copied to clipboard', 'success');
+        } catch (err) {
+          showToast(t('common.copyFailed') || 'Copy failed', 'error');
+        }
+        document.body.removeChild(textArea);
+      }
+    } catch (error) {
+      console.error('Failed to copy', error);
+      showToast(t('common.copyFailed') || 'Copy failed', 'error');
+    }
+  };
+
+  const handleSave = async () => {
+    if (accessType === 'groups' && selectedGroups.length === 0) {
+      showToast(t('settings.selectAtLeastOneGroup') || 'Please select at least one group', 'error');
+      return;
+    }
+    if (accessType === 'servers' && selectedServers.length === 0) {
+      showToast(
+        t('settings.selectAtLeastOneServer') || 'Please select at least one server',
+        'error',
+      );
+      return;
+    }
+
+    setSaving(true);
+    try {
+      await onSave(keyData.id, {
+        name,
+        token,
+        enabled,
+        accessType,
+        allowedGroups: selectedGroups.join(', '),
+        allowedServers: selectedServers.join(', '),
+      });
+      setIsEditing(false);
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  const handleDelete = async () => {
+    if (!window.confirm(t('settings.deleteBearerKeyConfirm') || 'Delete this key?')) {
+      return;
+    }
+    setDeleting(true);
+    try {
+      await onDelete(keyData.id);
+    } finally {
+      setDeleting(false);
+    }
+  };
+
+  const isGroupsMode = accessType === 'groups';
+
+  if (isEditing) {
+    return (
+      <tr>
+        <td colSpan={5} className="p-0 border-b border-gray-200">
+          <div className="bg-gray-50 p-5">
+            <div className="grid grid-cols-1 md:grid-cols-12 gap-4 mb-4">
+              <div className="md:col-span-3">
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  {t('settings.bearerKeyName') || 'Name'}
+                </label>
+                <input
+                  type="text"
+                  className="block w-full py-2 px-3 border border-gray-300 rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-input transition-shadow duration-200"
+                  value={name}
+                  onChange={(e) => setName(e.target.value)}
+                  disabled={loading}
+                />
+              </div>
+              <div className="md:col-span-9">
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  {t('settings.bearerKeyToken') || 'Token'}
+                </label>
+                <input
+                  type="text"
+                  className="block w-full py-2 px-3 border border-gray-300 rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-input transition-shadow duration-200"
+                  value={token}
+                  onChange={(e) => setToken(e.target.value)}
+                  disabled={loading}
+                />
+              </div>
+            </div>
+
+            <div className="flex flex-wrap items-end gap-4">
+              <div className="w-40">
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  {t('settings.bearerKeyEnabled') || 'Status'}
+                </label>
+                <div className="flex items-center h-[38px] px-3 bg-white border border-gray-300 rounded-md">
+                  <span
+                    className={`text-sm mr-3 ${enabled ? 'text-green-600 font-medium' : 'text-gray-500'}`}
+                  >
+                    {enabled ? 'Active' : 'Inactive'}
+                  </span>
+                  <Switch
+                    disabled={loading}
+                    checked={enabled}
+                    onCheckedChange={(checked) => setEnabled(checked)}
+                  />
+                </div>
+              </div>
+
+              <div className="w-48">
+                <label className="block text-sm font-medium text-gray-700 mb-1">
+                  {t('settings.bearerKeyAccessType') || 'Access scope'}
+                </label>
+                <select
+                  className="block w-full py-2 px-3 border border-gray-300 bg-white rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-select transition-shadow duration-200"
+                  value={accessType}
+                  onChange={(e) => setAccessType(e.target.value as 'all' | 'groups' | 'servers')}
+                  disabled={loading}
+                >
+                  <option value="all">{t('settings.bearerKeyAccessAll') || 'All Resources'}</option>
+                  <option value="groups">
+                    {t('settings.bearerKeyAccessGroups') || 'Specific Groups'}
+                  </option>
+                  <option value="servers">
+                    {t('settings.bearerKeyAccessServers') || 'Specific Servers'}
+                  </option>
+                </select>
+              </div>
+
+              <div className="flex-1 min-w-[200px]">
+                <label
+                  className={`block text-sm font-medium mb-1 ${accessType === 'all' ? 'text-gray-400' : 'text-gray-700'}`}
+                >
+                  {isGroupsMode
+                    ? t('settings.bearerKeyAllowedGroups') || 'Allowed groups'
+                    : t('settings.bearerKeyAllowedServers') || 'Allowed servers'}
+                </label>
+                <MultiSelect
+                  options={isGroupsMode ? availableGroups : availableServers}
+                  selected={isGroupsMode ? selectedGroups : selectedServers}
+                  onChange={isGroupsMode ? setSelectedGroups : setSelectedServers}
+                  placeholder={
+                    isGroupsMode
+                      ? t('settings.selectGroups') || 'Select groups...'
+                      : t('settings.selectServers') || 'Select servers...'
+                  }
+                  disabled={loading || accessType === 'all'}
+                />
+              </div>
+
+              <div className="flex justify-end gap-2">
+                <button
+                  type="button"
+                  onClick={() => setIsEditing(false)}
+                  className="px-4 py-2 bg-white border border-gray-300 text-gray-700 rounded-md text-sm font-medium hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 h-[38px]"
+                >
+                  {t('common.cancel') || 'Cancel'}
+                </button>
+                <button
+                  type="button"
+                  onClick={handleSave}
+                  disabled={loading || saving}
+                  className="px-4 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-md text-sm font-medium disabled:opacity-50 btn-primary h-[38px]"
+                >
+                  {saving ? t('common.saving') || 'Saving...' : t('common.save') || 'Save'}
+                </button>
+              </div>
+            </div>
+          </div>
+        </td>
+      </tr>
+    );
+  }
+
+  return (
+    <tr className="hover:bg-gray-50">
+      <td className="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">
+        {keyData.name}
+      </td>
+      <td className="px-6 py-4 whitespace-nowrap text-sm text-gray-500 font-mono">
+        <div className="flex items-center gap-2">
+          <span>
+            {keyData.token.length > 12
+              ? `${keyData.token.substring(0, 8)}...${keyData.token.substring(keyData.token.length - 4)}`
+              : keyData.token}
+          </span>
+          <button
+            onClick={handleCopyToken}
+            className="text-gray-400 hover:text-gray-600 transition-colors"
+            title={t('common.copy') || 'Copy'}
+          >
+            <Copy className="h-3.5 w-3.5" />
+          </button>
+        </div>
+      </td>
+      <td className="px-6 py-4 whitespace-nowrap text-sm text-gray-500">
+        <span
+          className={`px-2 inline-flex text-xs leading-5 font-semibold rounded-full ${keyData.enabled ? 'bg-green-100 text-green-800' : 'bg-gray-100 text-gray-800'}`}
+        >
+          {keyData.enabled ? t('common.active') || 'Active' : t('common.inactive') || 'Inactive'}
+        </span>
+      </td>
+      <td className="px-6 py-4 whitespace-nowrap text-sm text-gray-500">
+        {keyData.accessType === 'all'
+          ? t('settings.bearerKeyAccessAll') || 'All Resources'
+          : keyData.accessType === 'groups'
+            ? `${t('settings.bearerKeyAccessGroups') || 'Groups'}: ${keyData.allowedGroups}`
+            : `${t('settings.bearerKeyAccessServers') || 'Servers'}: ${keyData.allowedServers}`}
+      </td>
+      <td className="px-6 py-4 whitespace-nowrap text-right text-sm font-medium">
+        <button
+          onClick={() => setIsEditing(true)}
+          className="text-blue-600 hover:text-blue-900 mr-4 inline-flex items-center"
+          title={t('common.edit') || 'Edit'}
+        >
+          <Edit className="h-4 w-4" />
+        </button>
+        <button
+          onClick={handleDelete}
+          disabled={deleting}
+          className="text-red-600 hover:text-red-900 inline-flex items-center"
+          title={t('common.delete') || 'Delete'}
+        >
+          <Trash2 className="h-4 w-4" />
+        </button>
+      </td>
+    </tr>
+  );
+};

 const SettingsPage: React.FC = () => {
  const { t } = useTranslation();
  const navigate = useNavigate();
  const { showToast } = useToast();
+  const { servers } = useServerContext();
+  const { groups } = useGroupData();

  const [installConfig, setInstallConfig] = useState<{
    pythonIndexUrl: string;
@@ -64,6 +364,7 @@ const SettingsPage: React.FC = () => {
  });

  const [tempNameSeparator, setTempNameSeparator] = useState<string>('-');
+  const [showAddBearerKeyForm, setShowAddBearerKeyForm] = useState(false);

  const {
    routingConfig,
@@ -76,6 +377,7 @@ const SettingsPage: React.FC = () => {
    nameSeparator,
    enableSessionRebuild,
    loading,
+    bearerKeys,
    updateRoutingConfig,
    updateRoutingConfigBatch,
    updateInstallConfig,
@@ -86,6 +388,10 @@ const SettingsPage: React.FC = () => {
    updateNameSeparator,
    updateSessionRebuild,
    exportMCPSettings,
+    createBearerKey,
+    updateBearerKey,
+    deleteBearerKey,
+    refreshBearerKeys,
  } = useSettingsData();

  // Update local installConfig when savedInstallConfig changes
@@ -151,6 +457,11 @@ const SettingsPage: React.FC = () => {
    setTempNameSeparator(nameSeparator);
  }, [nameSeparator]);

+  // Refresh bearer keys when component mounts
+  useEffect(() => {
+    refreshBearerKeys();
+  }, []);
+
  const [sectionsVisible, setSectionsVisible] = useState({
    routingConfig: false,
    installConfig: false,
@@ -160,6 +471,7 @@ const SettingsPage: React.FC = () => {
    nameSeparator: false,
    password: false,
    exportConfig: false,
+    bearerKeys: false,
  });

  const toggleSection = (
@@ -171,7 +483,8 @@ const SettingsPage: React.FC = () => {
      | 'mcpRouterConfig'
      | 'nameSeparator'
      | 'password'
-      | 'exportConfig',
+      | 'exportConfig'
+      | 'bearerKeys',
  ) => {
    setSectionsVisible((prev) => ({
      ...prev,
@@ -221,10 +534,6 @@ const SettingsPage: React.FC = () => {
    }));
  };

-  const saveBearerAuthKey = async () => {
-    await updateRoutingConfig('bearerAuthKey', tempRoutingConfig.bearerAuthKey);
-  };
-
  const handleInstallConfigChange = (
    key: 'pythonIndexUrl' | 'npmRegistry' | 'baseUrl',
    value: string,
@@ -405,6 +714,46 @@ const SettingsPage: React.FC = () => {
  const [copiedConfig, setCopiedConfig] = useState(false);
  const [mcpSettingsJson, setMcpSettingsJson] = useState<string>('');

+  const [newBearerKey, setNewBearerKey] = useState<{
+    name: string;
+    token: string;
+    enabled: boolean;
+    accessType: 'all' | 'groups' | 'servers';
+    allowedGroups: string;
+    allowedServers: string;
+  }>({
+    name: '',
+    token: '',
+    enabled: true,
+    accessType: 'all',
+    allowedGroups: '',
+    allowedServers: '',
+  });
+
+  const [newSelectedGroups, setNewSelectedGroups] = useState<string[]>([]);
+  const [newSelectedServers, setNewSelectedServers] = useState<string[]>([]);
+
+  // Prepare options for MultiSelect
+  const availableServers = servers.map((server) => ({
+    value: server.name,
+    label: server.name,
+  }));
+
+  const availableGroups = groups.map((group) => ({
+    value: group.name,
+    label: group.name,
+  }));
+
+  // Reset selected arrays when accessType changes
+  useEffect(() => {
+    if (newBearerKey.accessType !== 'groups') {
+      setNewSelectedGroups([]);
+    }
+    if (newBearerKey.accessType !== 'servers') {
+      setNewSelectedServers([]);
+    }
+  }, [newBearerKey.accessType]);
+
  const fetchMcpSettings = async () => {
    try {
      const result = await exportMCPSettings();
@@ -473,15 +822,374 @@ const SettingsPage: React.FC = () => {
    showToast(t('settings.exportSuccess') || 'Settings exported successfully', 'success');
  };

+  const parseCommaSeparated = (value: string): string[] | undefined => {
+    const parts = value
+      .split(',')
+      .map((item) => item.trim())
+      .filter((item) => item.length > 0);
+    return parts.length > 0 ? parts : undefined;
+  };
+
+  const handleCreateBearerKey = async () => {
+    if (!newBearerKey.name || !newBearerKey.token) {
+      showToast(t('settings.bearerKeyRequired') || 'Name and token are required', 'error');
+      return;
+    }
+
+    if (newBearerKey.accessType === 'groups' && newSelectedGroups.length === 0) {
+      showToast(t('settings.selectAtLeastOneGroup') || 'Please select at least one group', 'error');
+      return;
+    }
+    if (newBearerKey.accessType === 'servers' && newSelectedServers.length === 0) {
+      showToast(
+        t('settings.selectAtLeastOneServer') || 'Please select at least one server',
+        'error',
+      );
+      return;
+    }
+
+    await createBearerKey({
+      name: newBearerKey.name,
+      token: newBearerKey.token,
+      enabled: newBearerKey.enabled,
+      accessType: newBearerKey.accessType,
+      allowedGroups:
+        newBearerKey.accessType === 'groups' && newSelectedGroups.length > 0
+          ? newSelectedGroups
+          : undefined,
+      allowedServers:
+        newBearerKey.accessType === 'servers' && newSelectedServers.length > 0
+          ? newSelectedServers
+          : undefined,
+    } as any);
+
+    setNewBearerKey({
+      name: '',
+      token: '',
+      enabled: true,
+      accessType: 'all',
+      allowedGroups: '',
+      allowedServers: '',
+    });
+    setNewSelectedGroups([]);
+    setNewSelectedServers([]);
+    await refreshBearerKeys();
+  };
+
+  const handleSaveExistingBearerKey = async (
+    id: string,
+    payload: {
+      name: string;
+      token: string;
+      enabled: boolean;
+      accessType: 'all' | 'groups' | 'servers';
+      allowedGroups: string;
+      allowedServers: string;
+    },
+  ) => {
+    await updateBearerKey(id, {
+      name: payload.name,
+      token: payload.token,
+      enabled: payload.enabled,
+      accessType: payload.accessType,
+      allowedGroups: parseCommaSeparated(payload.allowedGroups),
+      allowedServers: parseCommaSeparated(payload.allowedServers),
+    } as any);
+    await refreshBearerKeys();
+  };
+
+  const handleDeleteExistingBearerKey = async (id: string) => {
+    await deleteBearerKey(id);
+    await refreshBearerKeys();
+  };
+
  return (
    <div className="container mx-auto">
      <h1 className="text-2xl font-bold text-gray-900 mb-8">{t('pages.settings.title')}</h1>

+      {/* Bearer Keys Settings */}
+      <PermissionChecker permissions={PERMISSIONS.SETTINGS_ROUTE_CONFIG}>
+        <div className="bg-white shadow rounded-lg mb-6 page-card dashboard-card">
+          <div
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
+            onClick={() => toggleSection('bearerKeys')}
+          >
+            <h2 className="font-semibold text-gray-800">
+              {t('settings.bearerKeysSectionTitle') || 'Bearer authentication keys'}
+            </h2>
+            <span className="text-gray-500 transition-transform duration-200">
+              {sectionsVisible.bearerKeys ? '▼' : '►'}
+            </span>
+          </div>
+
+          {sectionsVisible.bearerKeys && (
+            <div className="space-y-4 pb-4 px-6">
+              <div className="flex justify-between items-center">
+                <p className="text-sm text-gray-600">
+                  {t('settings.bearerKeysSectionDescription') ||
+                    'Manage multiple bearer authentication keys with different access scopes.'}
+                </p>
+                {!showAddBearerKeyForm && (
+                  <button
+                    type="button"
+                    onClick={() => setShowAddBearerKeyForm(true)}
+                    className="flex items-center text-blue-600 hover:text-blue-800 font-medium transition-colors duration-200"
+                  >
+                    <svg
+                      xmlns="http://www.w3.org/2000/svg"
+                      className="h-5 w-5 mr-1"
+                      viewBox="0 0 20 20"
+                      fill="currentColor"
+                    >
+                      <path
+                        fillRule="evenodd"
+                        d="M10 3a1 1 0 011 1v5h5a1 1 0 110 2h-5v5a1 1 0 11-2 0v-5H4a1 1 0 110-2h5V4a1 1 0 011-1z"
+                        clipRule="evenodd"
+                      />
+                    </svg>
+                    {t('settings.addBearerKey') || 'Add bearer key'}
+                  </button>
+                )}
+              </div>
+
+              {/* Existing keys */}
+              {bearerKeys.length === 0 ? (
+                <p className="text-sm text-gray-500">
+                  {t('settings.noBearerKeys') || 'No bearer keys configured yet.'}
+                </p>
+              ) : (
+                <div className="mt-2 overflow-x-auto">
+                  <table className="min-w-full divide-y divide-gray-200 border border-gray-200 rounded-lg">
+                    <thead className="bg-gray-50">
+                      <tr>
+                        <th
+                          scope="col"
+                          className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider"
+                        >
+                          {t('settings.bearerKeyName') || 'Name'}
+                        </th>
+                        <th
+                          scope="col"
+                          className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider"
+                        >
+                          {t('settings.bearerKeyToken') || 'Token'}
+                        </th>
+                        <th
+                          scope="col"
+                          className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider"
+                        >
+                          {t('settings.bearerKeyEnabled') || 'Status'}
+                        </th>
+                        <th
+                          scope="col"
+                          className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider"
+                        >
+                          {t('settings.bearerKeyAccessType') || 'Access Scope'}
+                        </th>
+                        <th
+                          scope="col"
+                          className="px-6 py-3 text-right text-xs font-medium text-gray-500 uppercase tracking-wider"
+                        >
+                          {t('common.actions') || 'Actions'}
+                        </th>
+                      </tr>
+                    </thead>
+                    <tbody className="bg-white divide-y divide-gray-200">
+                      {bearerKeys.map((key) => (
+                        <BearerKeyRow
+                          key={key.id}
+                          keyData={key}
+                          loading={loading}
+                          availableServers={availableServers}
+                          availableGroups={availableGroups}
+                          onSave={handleSaveExistingBearerKey}
+                          onDelete={handleDeleteExistingBearerKey}
+                        />
+                      ))}
+                    </tbody>
+                  </table>
+                </div>
+              )}
+
+              {/* New key form */}
+              {showAddBearerKeyForm && (
+                <div className="mt-6 border-t border-gray-200 pt-6">
+                  <div className="bg-gray-50 rounded-lg p-5 border border-gray-200">
+                    <h3 className="font-medium text-gray-900 mb-4 flex items-center gap-2">
+                      <span className="bg-blue-100 text-blue-600 p-1 rounded">
+                        <svg
+                          xmlns="http://www.w3.org/2000/svg"
+                          className="h-4 w-4"
+                          viewBox="0 0 20 20"
+                          fill="currentColor"
+                        >
+                          <path
+                            fillRule="evenodd"
+                            d="M10 3a1 1 0 011 1v5h5a1 1 0 110 2h-5v5a1 1 0 11-2 0v-5H4a1 1 0 110-2h5V4a1 1 0 011-1z"
+                            clipRule="evenodd"
+                          />
+                        </svg>
+                      </span>
+                      {t('settings.addBearerKey') || 'Add bearer key'}
+                    </h3>
+
+                    <div className="grid grid-cols-1 md:grid-cols-12 gap-4 mb-4">
+                      <div className="md:col-span-3">
+                        <label className="block text-sm font-medium text-gray-700 mb-1">
+                          {t('settings.bearerKeyName') || 'Name'}
+                        </label>
+                        <input
+                          type="text"
+                          className="block w-full py-2 px-3 border border-gray-300 rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-input transition-shadow duration-200"
+                          placeholder="e.g. My API Key"
+                          value={newBearerKey.name}
+                          onChange={(e) =>
+                            setNewBearerKey((prev) => ({ ...prev, name: e.target.value }))
+                          }
+                          disabled={loading}
+                        />
+                      </div>
+                      <div className="md:col-span-9">
+                        <label className="block text-sm font-medium text-gray-700 mb-1">
+                          {t('settings.bearerKeyToken') || 'Token'}
+                        </label>
+                        <div className="flex rounded-md shadow-sm">
+                          <input
+                            type="text"
+                            className="flex-1 block w-full py-2 px-3 border border-gray-300 rounded-l-md rounded-r-none border-r-0 focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-input transition-shadow duration-200"
+                            placeholder="sk-..."
+                            value={newBearerKey.token}
+                            onChange={(e) =>
+                              setNewBearerKey((prev) => ({ ...prev, token: e.target.value }))
+                            }
+                            disabled={loading}
+                          />
+                          <button
+                            type="button"
+                            onClick={() =>
+                              setNewBearerKey((prev) => ({ ...prev, token: generateRandomKey() }))
+                            }
+                            disabled={loading}
+                            className="relative -ml-[5px] inline-flex items-center px-4 py-2 border border-gray-300 bg-gray-100 text-gray-700 text-sm font-medium rounded-r-md rounded-l-none hover:bg-gray-200 focus:outline-none focus:ring-1 focus:ring-blue-500 focus:border-blue-500 transition-colors duration-200 z-10"
+                          >
+                            {t('settings.generate') || 'Generate'}
+                          </button>
+                        </div>
+                      </div>
+                    </div>
+
+                    <div className="flex flex-wrap items-end gap-4 mb-2">
+                      <div className="w-40">
+                        <label className="block text-sm font-medium text-gray-700 mb-1">
+                          {t('settings.bearerKeyEnabled') || 'Status'}
+                        </label>
+                        <div className="flex items-center h-[38px] px-3 bg-white border border-gray-300 rounded-md">
+                          <span
+                            className={`text-sm mr-3 ${newBearerKey.enabled ? 'text-green-600 font-medium' : 'text-gray-500'}`}
+                          >
+                            {newBearerKey.enabled ? 'Active' : 'Inactive'}
+                          </span>
+                          <Switch
+                            disabled={loading}
+                            checked={newBearerKey.enabled}
+                            onCheckedChange={(checked) =>
+                              setNewBearerKey((prev) => ({ ...prev, enabled: checked }))
+                            }
+                          />
+                        </div>
+                      </div>
+
+                      <div className="w-48">
+                        <label className="block text-sm font-medium text-gray-700 mb-1">
+                          {t('settings.bearerKeyAccessType') || 'Access scope'}
+                        </label>
+                        <select
+                          className="block w-full py-2 px-3 border border-gray-300 bg-white rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-select transition-shadow duration-200"
+                          value={newBearerKey.accessType}
+                          onChange={(e) =>
+                            setNewBearerKey((prev) => ({
+                              ...prev,
+                              accessType: e.target.value as 'all' | 'groups' | 'servers',
+                            }))
+                          }
+                          disabled={loading}
+                        >
+                          <option value="all">
+                            {t('settings.bearerKeyAccessAll') || 'All Resources'}
+                          </option>
+                          <option value="groups">
+                            {t('settings.bearerKeyAccessGroups') || 'Specific Groups'}
+                          </option>
+                          <option value="servers">
+                            {t('settings.bearerKeyAccessServers') || 'Specific Servers'}
+                          </option>
+                        </select>
+                      </div>
+
+                      <div className="flex-1 min-w-[200px]">
+                        <label
+                          className={`block text-sm font-medium mb-1 ${newBearerKey.accessType === 'all' ? 'text-gray-400' : 'text-gray-700'}`}
+                        >
+                          {newBearerKey.accessType === 'groups'
+                            ? t('settings.bearerKeyAllowedGroups') || 'Allowed groups'
+                            : t('settings.bearerKeyAllowedServers') || 'Allowed servers'}
+                        </label>
+                        <MultiSelect
+                          options={
+                            newBearerKey.accessType === 'groups'
+                              ? availableGroups
+                              : availableServers
+                          }
+                          selected={
+                            newBearerKey.accessType === 'groups'
+                              ? newSelectedGroups
+                              : newSelectedServers
+                          }
+                          onChange={
+                            newBearerKey.accessType === 'groups'
+                              ? setNewSelectedGroups
+                              : setNewSelectedServers
+                          }
+                          placeholder={
+                            newBearerKey.accessType === 'groups'
+                              ? t('settings.selectGroups') || 'Select groups...'
+                              : t('settings.selectServers') || 'Select servers...'
+                          }
+                          disabled={loading || newBearerKey.accessType === 'all'}
+                        />
+                      </div>
+
+                      <div className="flex justify-end gap-2">
+                        <button
+                          type="button"
+                          onClick={() => setShowAddBearerKeyForm(false)}
+                          className="px-4 py-2 bg-white border border-gray-300 text-gray-700 rounded-md text-sm font-medium hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 h-[38px]"
+                        >
+                          {t('common.cancel') || 'Cancel'}
+                        </button>
+                        <button
+                          type="button"
+                          onClick={handleCreateBearerKey}
+                          disabled={loading}
+                          className="px-4 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-md text-sm font-medium disabled:opacity-50 btn-primary h-[38px]"
+                        >
+                          {t('settings.addBearerKeyButton') || 'Create Key'}
+                        </button>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+              )}
+            </div>
+          )}
+        </div>
+      </PermissionChecker>
+
      {/* Smart Routing Configuration Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_SMART_ROUTING}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 page-card dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 page-card dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('smartRoutingConfig')}
          >
            <h2 className="font-semibold text-gray-800">{t('pages.settings.smartRouting')}</h2>
@@ -491,7 +1199,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.smartRoutingConfig && (
-            <div className="space-y-4 mt-4">
+            <div className="space-y-4 pb-4 px-6">
              <div className="flex items-center justify-between p-3 bg-gray-50 rounded-md">
                <div>
                  <h3 className="font-medium text-gray-700">{t('settings.enableSmartRouting')}</h3>
@@ -616,9 +1324,9 @@ const SettingsPage: React.FC = () => {

      {/* OAuth Server Configuration Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_OAUTH_SERVER}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('oauthServerConfig')}
          >
            <h2 className="font-semibold text-gray-800">{t('pages.settings.oauthServer')}</h2>
@@ -626,7 +1334,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.oauthServerConfig && (
-            <div className="space-y-4 mt-4">
+            <div className="space-y-4 pb-4 px-6">
              <div className="flex items-center justify-between p-3 bg-gray-50 rounded-md">
                <div>
                  <h3 className="font-medium text-gray-700">{t('settings.enableOauthServer')}</h3>
@@ -870,9 +1578,9 @@ const SettingsPage: React.FC = () => {

      {/* MCPRouter Configuration Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_INSTALL_CONFIG}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 page-card dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 page-card dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('mcpRouterConfig')}
          >
            <h2 className="font-semibold text-gray-800">{t('settings.mcpRouterConfig')}</h2>
@@ -882,7 +1590,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.mcpRouterConfig && (
-            <div className="space-y-4 mt-4">
+            <div className="space-y-4 pb-4 px-6">
              <div className="p-3 bg-gray-50 rounded-md">
                <div className="mb-2">
                  <h3 className="font-medium text-gray-700">{t('settings.mcpRouterApiKey')}</h3>
@@ -941,9 +1649,9 @@ const SettingsPage: React.FC = () => {

      {/* System Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_SYSTEM_CONFIG}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('nameSeparator')}
          >
            <h2 className="font-semibold text-gray-800">{t('settings.systemSettings')}</h2>
@@ -951,7 +1659,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.nameSeparator && (
-            <div className="space-y-4 mt-4">
+            <div className="space-y-4 pb-4 px-6">
              <div className="p-3 bg-gray-50 rounded-md">
                <div className="mb-2">
                  <h3 className="font-medium text-gray-700">{t('settings.nameSeparatorLabel')}</h3>
@@ -999,9 +1707,9 @@ const SettingsPage: React.FC = () => {

      {/* Route Configuration Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_ROUTE_CONFIG}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('routingConfig')}
          >
            <h2 className="font-semibold text-gray-800">{t('pages.settings.routeConfig')}</h2>
@@ -1009,51 +1717,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.routingConfig && (
-            <div className="space-y-4 mt-4">
-              <div className="flex items-center justify-between p-3 bg-gray-50 rounded-md">
-                <div>
-                  <h3 className="font-medium text-gray-700">{t('settings.enableBearerAuth')}</h3>
-                  <p className="text-sm text-gray-500">
-                    {t('settings.enableBearerAuthDescription')}
-                  </p>
-                </div>
-                <Switch
-                  disabled={loading}
-                  checked={routingConfig.enableBearerAuth}
-                  onCheckedChange={(checked) =>
-                    handleRoutingConfigChange('enableBearerAuth', checked)
-                  }
-                />
-              </div>
-
-              {routingConfig.enableBearerAuth && (
-                <div className="p-3 bg-gray-50 rounded-md">
-                  <div className="mb-2">
-                    <h3 className="font-medium text-gray-700">{t('settings.bearerAuthKey')}</h3>
-                    <p className="text-sm text-gray-500">
-                      {t('settings.bearerAuthKeyDescription')}
-                    </p>
-                  </div>
-                  <div className="flex items-center gap-3">
-                    <input
-                      type="text"
-                      value={tempRoutingConfig.bearerAuthKey}
-                      onChange={(e) => handleBearerAuthKeyChange(e.target.value)}
-                      placeholder={t('settings.bearerAuthKeyPlaceholder')}
-                      className="flex-1 mt-1 block w-full py-2 px-3 border border-gray-300 rounded-md shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm form-input"
-                      disabled={loading || !routingConfig.enableBearerAuth}
-                    />
-                    <button
-                      onClick={saveBearerAuthKey}
-                      disabled={loading || !routingConfig.enableBearerAuth}
-                      className="mt-1 px-4 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-md text-sm font-medium disabled:opacity-50 btn-primary"
-                    >
-                      {t('common.save')}
-                    </button>
-                  </div>
-                </div>
-              )}
-
+            <div className="space-y-4 pb-4 px-6">
              <div className="flex items-center justify-between p-3 bg-gray-50 rounded-md">
                <div>
                  <h3 className="font-medium text-gray-700">{t('settings.enableGlobalRoute')}</h3>
@@ -1106,9 +1770,9 @@ const SettingsPage: React.FC = () => {

      {/* Installation Configuration Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_INSTALL_CONFIG}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('installConfig')}
          >
            <h2 className="font-semibold text-gray-800">{t('settings.installConfig')}</h2>
@@ -1116,7 +1780,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.installConfig && (
-            <div className="space-y-4 mt-4">
+            <div className="space-y-4 pb-4 px-6">
              <div className="p-3 bg-gray-50 rounded-md">
                <div className="mb-2">
                  <h3 className="font-medium text-gray-700">{t('settings.baseUrl')}</h3>
@@ -1194,12 +1858,9 @@ const SettingsPage: React.FC = () => {
      </PermissionChecker>

      {/* Change Password */}
-      <div
-        className="bg-white shadow rounded-lg py-4 px-6 mb-6 dashboard-card"
-        data-section="password"
-      >
+      <div className="bg-white shadow rounded-lg mb-6 dashboard-card" data-section="password">
        <div
-          className="flex justify-between items-center cursor-pointer"
+          className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
          onClick={() => toggleSection('password')}
          role="button"
        >
@@ -1208,7 +1869,7 @@ const SettingsPage: React.FC = () => {
        </div>

        {sectionsVisible.password && (
-          <div className="max-w-lg mt-4">
+          <div className="max-w-lg pb-4 px-6">
            <ChangePasswordForm onSuccess={handlePasswordChangeSuccess} />
          </div>
        )}
@@ -1216,9 +1877,9 @@ const SettingsPage: React.FC = () => {

      {/* Export MCP Settings */}
      <PermissionChecker permissions={PERMISSIONS.SETTINGS_EXPORT_CONFIG}>
-        <div className="bg-white shadow rounded-lg py-4 px-6 mb-6 dashboard-card">
+        <div className="bg-white shadow rounded-lg mb-6 dashboard-card">
          <div
-            className="flex justify-between items-center cursor-pointer"
+            className="flex justify-between items-center cursor-pointer transition-colors duration-200 hover:text-blue-600 py-4 px-6"
            onClick={() => toggleSection('exportConfig')}
          >
            <h2 className="font-semibold text-gray-800">{t('settings.exportMcpSettings')}</h2>
@@ -1226,7 +1887,7 @@ const SettingsPage: React.FC = () => {
          </div>

          {sectionsVisible.exportConfig && (
-            <div className="space-y-4 mt-4">
+            <div className="space-y-4 pb-4 px-6">
              <div className="p-3 bg-gray-50 rounded-md">
                <div className="mb-4">
                  <h3 className="font-medium text-gray-700">{t('settings.mcpSettingsJson')}</h3>
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -309,6 +309,19 @@ export interface ApiResponse<T = any> {
  data?: T;
 }

+// Bearer authentication key configuration (frontend view model)
+export type BearerKeyAccessType = 'all' | 'groups' | 'servers';
+
+export interface BearerKey {
+  id: string;
+  name: string;
+  token: string;
+  enabled: boolean;
+  accessType: BearerKeyAccessType;
+  allowedGroups?: string[];
+  allowedServers?: string[];
+}
+
 // Auth types
 export interface IUser {
  username: string;
--- a/locales/en.json
+++ b/locales/en.json
@@ -253,7 +253,11 @@
    "type": "Type",
    "repeated": "Repeated",
    "valueHint": "Value Hint",
-    "choices": "Choices"
+    "choices": "Choices",
+    "actions": "Actions",
+    "saving": "Saving...",
+    "active": "Active",
+    "inactive": "Inactive"
  },
  "nav": {
    "dashboard": "Dashboard",
@@ -276,7 +280,7 @@
      "recentServers": "Recent Servers"
    },
    "servers": {
-      "title": "Servers Management"
+      "title": "Server Management"
    },
    "groups": {
      "title": "Group Management"
@@ -553,6 +557,27 @@
    "bearerAuthKey": "Bearer Authentication Key",
    "bearerAuthKeyDescription": "The authentication key that will be required in the Bearer token",
    "bearerAuthKeyPlaceholder": "Enter bearer authentication key",
+    "bearerKeysSectionTitle": "Keys",
+    "bearerKeysSectionDescription": "Manage multiple keys with different access scopes.",
+    "noBearerKeys": "No keys configured yet.",
+    "bearerKeyName": "Name",
+    "bearerKeyToken": "Token",
+    "bearerKeyEnabled": "Enabled",
+    "bearerKeyAccessType": "Access scope",
+    "bearerKeyAccessAll": "All",
+    "bearerKeyAccessGroups": "Groups",
+    "bearerKeyAccessServers": "Servers",
+    "bearerKeyAllowedGroups": "Allowed groups",
+    "bearerKeyAllowedServers": "Allowed servers",
+    "addBearerKey": "Add key",
+    "addBearerKeyButton": "Create",
+    "bearerKeyRequired": "Name and token are required",
+    "deleteBearerKeyConfirm": "Are you sure you want to delete this key?",
+    "generate": "Generate",
+    "selectGroups": "Select Groups",
+    "selectServers": "Select Servers",
+    "selectAtLeastOneGroup": "Please select at least one group",
+    "selectAtLeastOneServer": "Please select at least one server",
    "skipAuth": "Skip Authentication",
    "skipAuthDescription": "Bypass login requirement for frontend and API access (DEFAULT OFF for security)",
    "pythonIndexUrl": "Python Package Repository URL",
@@ -672,6 +697,22 @@
    "importFailed": "Failed to import servers",
    "partialSuccess": "Imported {{count}} of {{total}} servers successfully. Some servers failed:"
  },
+  "groupImport": {
+    "button": "Import",
+    "title": "Import Groups from JSON",
+    "inputLabel": "Group Configuration JSON",
+    "inputHelp": "Paste your group configuration JSON. Each group can contain a list of servers.",
+    "preview": "Preview",
+    "previewTitle": "Preview Groups to Import",
+    "import": "Import",
+    "importing": "Importing...",
+    "invalidFormat": "Invalid JSON format. The JSON must contain a 'groups' array.",
+    "missingName": "Each group must have a 'name' field.",
+    "parseError": "Failed to parse JSON. Please check the format and try again.",
+    "addFailed": "Failed to add group",
+    "importFailed": "Failed to import groups",
+    "partialSuccess": "Imported {{count}} of {{total}} groups successfully. Some groups failed:"
+  },
  "users": {
    "add": "Add User",
    "addNew": "Add New User",
--- a/locales/fr.json
+++ b/locales/fr.json
@@ -254,7 +254,11 @@
    "type": "Type",
    "repeated": "Répété",
    "valueHint": "Indice de valeur",
-    "choices": "Choix"
+    "choices": "Choix",
+    "actions": "Actions",
+    "saving": "Enregistrement...",
+    "active": "Actif",
+    "inactive": "Inactif"
  },
  "nav": {
    "dashboard": "Tableau de bord",
@@ -554,6 +558,27 @@
    "bearerAuthKey": "Clé d'authentification Bearer",
    "bearerAuthKeyDescription": "La clé d'authentification qui sera requise dans le jeton Bearer",
    "bearerAuthKeyPlaceholder": "Entrez la clé d'authentification Bearer",
+    "bearerKeysSectionTitle": "Clés",
+    "bearerKeysSectionDescription": "Gérez plusieurs clés avec différentes portées d’accès.",
+    "noBearerKeys": "Aucune clé configurée pour le moment.",
+    "bearerKeyName": "Nom",
+    "bearerKeyToken": "Jeton",
+    "bearerKeyEnabled": "Activée",
+    "bearerKeyAccessType": "Portée d’accès",
+    "bearerKeyAccessAll": "Toutes",
+    "bearerKeyAccessGroups": "Groupes",
+    "bearerKeyAccessServers": "Serveurs",
+    "bearerKeyAllowedGroups": "Groupes autorisés",
+    "bearerKeyAllowedServers": "Serveurs autorisés",
+    "addBearerKey": "Ajouter une clé",
+    "addBearerKeyButton": "Créer",
+    "bearerKeyRequired": "Le nom et le jeton sont obligatoires",
+    "deleteBearerKeyConfirm": "Voulez-vous vraiment supprimer cette clé ?",
+    "generate": "Générer",
+    "selectGroups": "Sélectionner des groupes",
+    "selectServers": "Sélectionner des serveurs",
+    "selectAtLeastOneGroup": "Veuillez sélectionner au moins un groupe",
+    "selectAtLeastOneServer": "Veuillez sélectionner au moins un serveur",
    "skipAuth": "Ignorer l'authentification",
    "skipAuthDescription": "Contourner l'exigence de connexion pour l'accès au frontend et à l'API (DÉSACTIVÉ PAR DÉFAUT pour des raisons de sécurité)",
    "pythonIndexUrl": "URL du dépôt de paquets Python",
@@ -673,6 +698,22 @@
    "importFailed": "Échec de l'importation des serveurs",
    "partialSuccess": "{{count}} serveur(s) sur {{total}} importé(s) avec succès. Certains serveurs ont échoué :"
  },
+  "groupImport": {
+    "button": "Importer",
+    "title": "Importer des groupes depuis JSON",
+    "inputLabel": "Configuration JSON des groupes",
+    "inputHelp": "Collez votre configuration JSON de groupes. Chaque groupe peut contenir une liste de serveurs.",
+    "preview": "Aperçu",
+    "previewTitle": "Aperçu des groupes à importer",
+    "import": "Importer",
+    "importing": "Importation en cours...",
+    "invalidFormat": "Format JSON invalide. Le JSON doit contenir un tableau 'groups'.",
+    "missingName": "Chaque groupe doit avoir un champ 'name'.",
+    "parseError": "Échec de l'analyse du JSON. Veuillez vérifier le format et réessayer.",
+    "addFailed": "Échec de l'ajout du groupe",
+    "importFailed": "Échec de l'importation des groupes",
+    "partialSuccess": "{{count}} groupe(s) sur {{total}} importé(s) avec succès. Certains groupes ont échoué :"
+  },
  "users": {
    "add": "Ajouter un utilisateur",
    "addNew": "Ajouter un nouvel utilisateur",
--- a/locales/tr.json
+++ b/locales/tr.json
@@ -254,7 +254,11 @@
    "type": "Tür",
    "repeated": "Tekrarlanan",
    "valueHint": "Değer İpucu",
-    "choices": "Seçenekler"
+    "choices": "Seçenekler",
+    "actions": "Eylemler",
+    "saving": "Kaydediliyor...",
+    "active": "Aktif",
+    "inactive": "Pasif"
  },
  "nav": {
    "dashboard": "Kontrol Paneli",
@@ -554,6 +558,27 @@
    "bearerAuthKey": "Bearer Kimlik Doğrulama Anahtarı",
    "bearerAuthKeyDescription": "Bearer token'da gerekli olacak kimlik doğrulama anahtarı",
    "bearerAuthKeyPlaceholder": "Bearer kimlik doğrulama anahtarını girin",
+    "bearerKeysSectionTitle": "Anahtarlar",
+    "bearerKeysSectionDescription": "Farklı erişim kapsamlarına sahip birden fazla anahtarı yönetin.",
+    "noBearerKeys": "Henüz yapılandırılmış herhangi bir anahtar yok.",
+    "bearerKeyName": "Ad",
+    "bearerKeyToken": "Token",
+    "bearerKeyEnabled": "Etkin",
+    "bearerKeyAccessType": "Erişim kapsamı",
+    "bearerKeyAccessAll": "Tümü",
+    "bearerKeyAccessGroups": "Gruplar",
+    "bearerKeyAccessServers": "Sunucular",
+    "bearerKeyAllowedGroups": "İzin verilen gruplar",
+    "bearerKeyAllowedServers": "İzin verilen sunucular",
+    "addBearerKey": "Anahtar ekle",
+    "addBearerKeyButton": "Oluştur",
+    "bearerKeyRequired": "Ad ve token zorunludur",
+    "deleteBearerKeyConfirm": "Bu anahtarı silmek istediğinizden emin misiniz?",
+    "generate": "Oluştur",
+    "selectGroups": "Grupları Seç",
+    "selectServers": "Sunucuları Seç",
+    "selectAtLeastOneGroup": "Lütfen en az bir grup seçin",
+    "selectAtLeastOneServer": "Lütfen en az bir sunucu seçin",
    "skipAuth": "Kimlik Doğrulamayı Atla",
    "skipAuthDescription": "Arayüz ve API erişimi için giriş gereksinimini atla (Güvenlik için VARSAYILAN KAPALI)",
    "pythonIndexUrl": "Python Paket Deposu URL'si",
@@ -673,6 +698,22 @@
    "importFailed": "Sunucular içe aktarılamadı",
    "partialSuccess": "{{total}} sunucudan {{count}} tanesi başarıyla içe aktarıldı. Bazı sunucular başarısız oldu:"
  },
+  "groupImport": {
+    "button": "İçe Aktar",
+    "title": "JSON'dan Grupları İçe Aktar",
+    "inputLabel": "Grup Yapılandırma JSON",
+    "inputHelp": "Grup yapılandırma JSON'unuzu yapıştırın. Her grup bir sunucu listesi içerebilir.",
+    "preview": "Önizle",
+    "previewTitle": "İçe Aktarılacak Grupları Önizle",
+    "import": "İçe Aktar",
+    "importing": "İçe aktarılıyor...",
+    "invalidFormat": "Geçersiz JSON formatı. JSON bir 'groups' dizisi içermelidir.",
+    "missingName": "Her grubun bir 'name' alanı olmalıdır.",
+    "parseError": "JSON ayrıştırılamadı. Lütfen formatı kontrol edip tekrar deneyin.",
+    "addFailed": "Grup eklenemedi",
+    "importFailed": "Gruplar içe aktarılamadı",
+    "partialSuccess": "{{total}} gruptan {{count}} tanesi başarıyla içe aktarıldı. Bazı gruplar başarısız oldu:"
+  },
  "users": {
    "add": "Kullanıcı Ekle",
    "addNew": "Yeni Kullanıcı Ekle",
--- a/locales/zh.json
+++ b/locales/zh.json
@@ -255,7 +255,11 @@
    "type": "类型",
    "repeated": "可重复",
    "valueHint": "值提示",
-    "choices": "可选值"
+    "choices": "可选值",
+    "actions": "操作",
+    "saving": "保存中...",
+    "active": "已激活",
+    "inactive": "未激活"
  },
  "nav": {
    "dashboard": "仪表盘",
@@ -289,7 +293,7 @@
      "routeConfig": "安全配置",
      "installConfig": "安装",
      "smartRouting": "智能路由",
-      "oauthServer": "OAuth 服务器"
+      "oauthServer": "OAuth"
    },
    "groups": {
      "title": "分组管理"
@@ -555,6 +559,27 @@
    "bearerAuthKey": "Bearer 认证密钥",
    "bearerAuthKeyDescription": "Bearer 令牌中需要携带的认证密钥",
    "bearerAuthKeyPlaceholder": "请输入 Bearer 认证密钥",
+    "bearerKeysSectionTitle": "密钥",
+    "bearerKeysSectionDescription": "管理多条密钥，并为不同密钥配置不同的访问范围。",
+    "noBearerKeys": "当前还没有配置任何密钥。",
+    "bearerKeyName": "名称",
+    "bearerKeyToken": "密钥值",
+    "bearerKeyEnabled": "启用",
+    "bearerKeyAccessType": "访问范围",
+    "bearerKeyAccessAll": "全部",
+    "bearerKeyAccessGroups": "指定分组",
+    "bearerKeyAccessServers": "指定服务器",
+    "bearerKeyAllowedGroups": "允许访问的分组",
+    "bearerKeyAllowedServers": "允许访问的服务器",
+    "addBearerKey": "新增密钥",
+    "addBearerKeyButton": "创建",
+    "bearerKeyRequired": "名称和密钥值为必填项",
+    "deleteBearerKeyConfirm": "确定要删除这条密钥吗？",
+    "generate": "生成",
+    "selectGroups": "选择分组",
+    "selectServers": "选择服务器",
+    "selectAtLeastOneGroup": "请至少选择一个分组",
+    "selectAtLeastOneServer": "请至少选择一个服务",
    "skipAuth": "免登录开关",
    "skipAuthDescription": "跳过前端和 API 访问的登录要求（默认关闭确保安全性）",
    "pythonIndexUrl": "Python 包仓库地址",
@@ -675,6 +700,22 @@
    "importFailed": "导入服务器失败",
    "partialSuccess": "成功导入 {{count}} / {{total}} 个服务器。部分服务器失败："
  },
+  "groupImport": {
+    "button": "导入",
+    "title": "从 JSON 导入分组",
+    "inputLabel": "分组配置 JSON",
+    "inputHelp": "粘贴您的分组配置 JSON。每个分组可以包含一个服务器列表。",
+    "preview": "预览",
+    "previewTitle": "预览要导入的分组",
+    "import": "导入",
+    "importing": "导入中...",
+    "invalidFormat": "无效的 JSON 格式。JSON 必须包含 'groups' 数组。",
+    "missingName": "每个分组必须有 'name' 字段。",
+    "parseError": "解析 JSON 失败。请检查格式后重试。",
+    "addFailed": "添加分组失败",
+    "importFailed": "导入分组失败",
+    "partialSuccess": "成功导入 {{count}} / {{total}} 个分组。部分分组失败："
+  },
  "users": {
    "add": "添加",
    "addNew": "添加新用户",
--- a/package.json
+++ b/package.json
@@ -73,6 +73,7 @@
    "postgres": "^3.4.7",
    "reflect-metadata": "^0.2.2",
    "typeorm": "^0.3.26",
+    "undici": "^7.16.0",
    "uuid": "^11.1.0"
  },
  "devDependencies": {
@@ -110,8 +111,8 @@
    "next": "^15.5.0",
    "postcss": "^8.5.6",
    "prettier": "^3.6.2",
-    "react": "19.2.0",
-    "react-dom": "19.2.0",
+    "react": "19.2.1",
+    "react-dom": "19.2.1",
    "react-i18next": "^15.7.2",
    "react-router-dom": "^7.8.2",
    "supertest": "^7.1.4",
@@ -133,6 +134,8 @@
    "overrides": {
      "brace-expansion@1.1.11": "1.1.12",
      "brace-expansion@2.0.1": "2.0.2",
+      "glob@10.4.5": "10.5.0",
+      "js-yaml": "4.1.1",
      "jws@3.2.2": "4.0.1"
    }
  }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -7,6 +7,8 @@ settings:
 overrides:
  brace-expansion@1.1.11: 1.1.12
  brace-expansion@2.0.1: 2.0.2
+  glob@10.4.5: 10.5.0
+  js-yaml: 4.1.1
  jws@3.2.2: 4.0.1

 importers:
@@ -97,16 +99,19 @@ importers:
      typeorm:
        specifier: ^0.3.26
        version: 0.3.27(pg@8.16.3)(reflect-metadata@0.2.2)(ts-node@10.9.2(@swc/core@1.15.3)(@types/node@24.6.2)(typescript@5.9.2))
+      undici:
+        specifier: ^7.16.0
+        version: 7.16.0
      uuid:
        specifier: ^11.1.0
        version: 11.1.0
    devDependencies:
      '@radix-ui/react-accordion':
        specifier: ^1.2.12
-        version: 1.2.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+        version: 1.2.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
      '@radix-ui/react-slot':
        specifier: ^1.2.3
-        version: 1.2.3(@types/react@19.2.7)(react@19.2.0)
+        version: 1.2.3(@types/react@19.2.7)(react@19.2.1)
      '@shadcn/ui':
        specifier: ^0.0.4
        version: 0.0.4
@@ -193,10 +198,10 @@ importers:
        version: 4.0.0(@jest/globals@30.2.0)(jest@30.2.0(@types/node@24.6.2)(ts-node@10.9.2(@swc/core@1.15.3)(@types/node@24.6.2)(typescript@5.9.2)))(typescript@5.9.2)
      lucide-react:
        specifier: ^0.552.0
-        version: 0.552.0(react@19.2.0)
+        version: 0.552.0(react@19.2.1)
      next:
        specifier: ^15.5.0
-        version: 15.5.7(@babel/core@7.28.4)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+        version: 15.5.9(@babel/core@7.28.4)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
      postcss:
        specifier: ^8.5.6
        version: 8.5.6
@@ -204,17 +209,17 @@ importers:
        specifier: ^3.6.2
        version: 3.6.2
      react:
-        specifier: 19.2.0
-        version: 19.2.0
+        specifier: 19.2.1
+        version: 19.2.1
      react-dom:
-        specifier: 19.2.0
-        version: 19.2.0(react@19.2.0)
+        specifier: 19.2.1
+        version: 19.2.1(react@19.2.1)
      react-i18next:
        specifier: ^15.7.2
-        version: 15.7.2(i18next@25.6.0(typescript@5.9.2))(react-dom@19.2.0(react@19.2.0))(react@19.2.0)(typescript@5.9.2)
+        version: 15.7.2(i18next@25.6.0(typescript@5.9.2))(react-dom@19.2.1(react@19.2.1))(react@19.2.1)(typescript@5.9.2)
      react-router-dom:
        specifier: ^7.8.2
-        version: 7.8.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+        version: 7.8.2(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
      supertest:
        specifier: ^7.1.4
        version: 7.1.4
@@ -1120,8 +1125,8 @@ packages:
  '@napi-rs/wasm-runtime@0.2.12':
    resolution: {integrity: sha512-ZVWUcfwY4E/yPitQJl481FjFo3K22D6qF0DuFH6Y/nbnE11GY5uguDxZMGXPQ8WQ0128MXQD7TnfHyK4oWoIJQ==}

-  '@next/env@15.5.7':
-    resolution: {integrity: sha512-4h6Y2NyEkIEN7Z8YxkA27pq6zTkS09bUSYC0xjd0NpwFxjnIKeZEeH591o5WECSmjpUhLn3H2QLJcDye3Uzcvg==}
+  '@next/env@15.5.9':
+    resolution: {integrity: sha512-4GlTZ+EJM7WaW2HEZcyU317tIQDjkQIyENDLxYJfSWlfqguN+dHkZgyQTV/7ykvobU7yEH5gKvreNrH4B6QgIg==}

  '@next/swc-darwin-arm64@15.5.7':
    resolution: {integrity: sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw==}
@@ -2077,9 +2082,6 @@ packages:
  arg@4.1.3:
    resolution: {integrity: sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==}

-  argparse@1.0.10:
-    resolution: {integrity: sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==}
-
  argparse@2.0.1:
    resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}

@@ -2237,8 +2239,8 @@ packages:
  caniuse-lite@1.0.30001737:
    resolution: {integrity: sha512-BiloLiXtQNrY5UyF0+1nSJLXUENuhka2pzy2Fx5pGxqavdrxSCW4U6Pn/PoG3Efspi2frRbHpBV2XsrPE6EDlw==}

-  caniuse-lite@1.0.30001759:
-    resolution: {integrity: sha512-Pzfx9fOKoKvevQf8oCXoyNRQ5QyxJj+3O0Rqx2V5oxT61KGx8+n6hV/IUyJeifUci2clnmmKVpvtiqRzgiWjSw==}
+  caniuse-lite@1.0.30001760:
+    resolution: {integrity: sha512-7AAMPcueWELt1p3mi13HR/LHH0TJLT11cnwDJEs3xA4+CK/PLKeO9Kl1oru24htkyUKtkGCvAx4ohB0Ttry8Dw==}

  chalk@4.1.2:
    resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
@@ -2574,11 +2576,6 @@ packages:
    resolution: {integrity: sha512-oruZaFkjorTpF32kDSI5/75ViwGeZginGGy2NoOSg3Q9bnwlnmDm4HLnkl0RE3n+njDXR037aY1+x58Z/zFdwQ==}
    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}

-  esprima@4.0.1:
-    resolution: {integrity: sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==}
-    engines: {node: '>=4'}
-    hasBin: true
-
  esquery@1.6.0:
    resolution: {integrity: sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==}
    engines: {node: '>=0.10'}
@@ -2804,8 +2801,8 @@ packages:
    resolution: {integrity: sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==}
    engines: {node: '>=10.13.0'}

-  glob@10.4.5:
-    resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
+  glob@10.5.0:
+    resolution: {integrity: sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==}
    hasBin: true

  glob@7.2.3:
@@ -3188,12 +3185,8 @@ packages:
  js-tokens@4.0.0:
    resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}

-  js-yaml@3.14.1:
-    resolution: {integrity: sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==}
-    hasBin: true
-
-  js-yaml@4.1.0:
-    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
+  js-yaml@4.1.1:
+    resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
    hasBin: true

  jsesc@3.1.0:
@@ -3524,8 +3517,8 @@ packages:
  neo-async@2.6.2:
    resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}

-  next@15.5.7:
-    resolution: {integrity: sha512-+t2/0jIJ48kUpGKkdlhgkv+zPTEOoXyr60qXe68eB/pl3CMJaLeIGjzp5D6Oqt25hCBiBTt8wEeeAzfJvUKnPQ==}
+  next@15.5.9:
+    resolution: {integrity: sha512-agNLK89seZEtC5zUHwtut0+tNrc0Xw4FT/Dg+B/VLEo9pAcS9rtTKpek3V6kVcVwsB2YlqMaHdfZL4eLEVYuCg==}
    engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}
    hasBin: true
    peerDependencies:
@@ -3854,10 +3847,10 @@ packages:
    resolution: {integrity: sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==}
    engines: {node: '>= 0.10'}

-  react-dom@19.2.0:
-    resolution: {integrity: sha512-UlbRu4cAiGaIewkPyiRGJk0imDN2T3JjieT6spoL2UeSf5od4n5LB/mQ4ejmxhCFT1tYe8IvaFulzynWovsEFQ==}
+  react-dom@19.2.1:
+    resolution: {integrity: sha512-ibrK8llX2a4eOskq1mXKu/TGZj9qzomO+sNfO98M6d9zIPOEhlBkMkBUBLd1vgS0gQsLDBzA+8jJBVXDnfHmJg==}
    peerDependencies:
-      react: ^19.2.0
+      react: ^19.2.1

  react-i18next@15.7.2:
    resolution: {integrity: sha512-xJxq7ibnhUlMvd82lNC4te1GxGUMoM1A05KKyqoqsBXVZtEvZg/fz/fnVzdlY/hhQ3SpP/79qCocZOtICGhd3g==}
@@ -3899,8 +3892,8 @@ packages:
      react-dom:
        optional: true

-  react@19.2.0:
-    resolution: {integrity: sha512-tmbWg6W31tQLeB5cdIBOicJDJRR2KzXsV7uSK9iNfLWQ5bIZfxuPEHp7M8wiHyHnn0DD1i7w3Zmin0FtkrwoCQ==}
+  react@19.2.1:
+    resolution: {integrity: sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==}
    engines: {node: '>=0.10.0'}

  readable-stream@3.6.2:
@@ -4100,9 +4093,6 @@ packages:
    resolution: {integrity: sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==}
    engines: {node: '>= 10.x'}

-  sprintf-js@1.0.3:
-    resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
-
  sql-highlight@6.1.0:
    resolution: {integrity: sha512-ed7OK4e9ywpE7pgRMkMQmZDPKSVdm0oX5IEtZiKnFucSF0zu6c80GZBe38UqHuVhTWJ9xsKgSMjCG2bml86KvA==}
    engines: {node: '>=14'}
@@ -4444,6 +4434,10 @@ packages:
  undici-types@7.13.0:
    resolution: {integrity: sha512-Ov2Rr9Sx+fRgagJ5AX0qvItZG/JKKoBRAVITs1zk7IqZGTJUwgUr7qoYBpWwakpWilTZFM98rG/AFRocu10iIQ==}

+  undici@7.16.0:
+    resolution: {integrity: sha512-QEg3HPMll0o3t2ourKwOeUAZ159Kn9mx5pnzHRQO8+Wixmh88YdZRiIwat0iNzNNXn0yoEtXJqFpyW7eM8BV7g==}
+    engines: {node: '>=20.18.1'}
+
  universalify@2.0.1:
    resolution: {integrity: sha512-gptHNQghINnc/vTGIk0SOFGFNXw7JVrlRUtConJRlvaw6DuX0wO5Jeko9sWrMBhh+PsYAZ7oXAiOnf/UKogyiw==}
    engines: {node: '>= 10.0.0'}
@@ -4622,7 +4616,7 @@ snapshots:
  '@apidevtools/json-schema-ref-parser@14.0.1':
    dependencies:
      '@types/json-schema': 7.0.15
-      js-yaml: 4.1.0
+      js-yaml: 4.1.1

  '@apidevtools/openapi-schemas@2.1.0': {}

@@ -5087,7 +5081,7 @@ snapshots:
      globals: 13.24.0
      ignore: 5.3.2
      import-fresh: 3.3.1
-      js-yaml: 4.1.0
+      js-yaml: 4.1.1
      minimatch: 3.1.2
      strip-json-comments: 3.1.1
    transitivePeerDependencies:
@@ -5218,7 +5212,7 @@ snapshots:
      camelcase: 5.3.1
      find-up: 4.1.0
      get-package-type: 0.1.0
-      js-yaml: 3.14.1
+      js-yaml: 4.1.1
      resolve-from: 5.0.0

  '@istanbuljs/schema@0.1.3': {}
@@ -5347,7 +5341,7 @@ snapshots:
      chalk: 4.1.2
      collect-v8-coverage: 1.0.2
      exit-x: 0.2.2
-      glob: 10.4.5
+      glob: 10.5.0
      graceful-fs: 4.2.11
      istanbul-lib-coverage: 3.2.2
      istanbul-lib-instrument: 6.0.3
@@ -5489,7 +5483,7 @@ snapshots:
      '@tybys/wasm-util': 0.10.1
    optional: true

-  '@next/env@15.5.7': {}
+  '@next/env@15.5.9': {}

  '@next/swc-darwin-arm64@15.5.7':
    optional: true
@@ -5548,120 +5542,120 @@ snapshots:

  '@radix-ui/primitive@1.1.3': {}

-  '@radix-ui/react-accordion@1.2.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+  '@radix-ui/react-accordion@1.2.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)':
    dependencies:
      '@radix-ui/primitive': 1.1.3
-      '@radix-ui/react-collapsible': 1.1.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
-      '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-direction': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-id': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
-      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
+      '@radix-ui/react-collapsible': 1.1.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
+      '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-direction': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-id': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
+      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
    optionalDependencies:
      '@types/react': 19.2.7
      '@types/react-dom': 19.1.7(@types/react@19.2.7)

-  '@radix-ui/react-collapsible@1.1.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+  '@radix-ui/react-collapsible@1.1.12(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)':
    dependencies:
      '@radix-ui/primitive': 1.1.3
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-id': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
-      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-id': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
+      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
    optionalDependencies:
      '@types/react': 19.2.7
      '@types/react-dom': 19.1.7(@types/react@19.2.7)

-  '@radix-ui/react-collection@1.1.7(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+  '@radix-ui/react-collection@1.1.7(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
-      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)
+      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
    optionalDependencies:
      '@types/react': 19.2.7
      '@types/react-dom': 19.1.7(@types/react@19.2.7)

-  '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      react: 19.2.0
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-context@1.1.2(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-context@1.1.2(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      react: 19.2.0
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-direction@1.1.1(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-direction@1.1.1(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      react: 19.2.0
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-id@1.1.1(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-id@1.1.1(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-presence@1.1.5(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+  '@radix-ui/react-presence@1.1.5(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
    optionalDependencies:
      '@types/react': 19.2.7
      '@types/react-dom': 19.1.7(@types/react@19.2.7)

-  '@radix-ui/react-primitive@2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+  '@radix-ui/react-primitive@2.1.3(@types/react-dom@19.1.7(@types/react@19.2.7))(@types/react@19.2.7)(react-dom@19.2.1(react@19.2.1))(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
+      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
    optionalDependencies:
      '@types/react': 19.2.7
      '@types/react-dom': 19.1.7(@types/react@19.2.7)

-  '@radix-ui/react-slot@1.2.3(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-slot@1.2.3(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-use-controllable-state@1.2.2(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-use-controllable-state@1.2.2(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.7)(react@19.2.0)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
+      '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.7)(react@19.2.1)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-use-effect-event@0.0.2(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-use-effect-event@0.0.2(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.0)
-      react: 19.2.0
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.7)(react@19.2.1)
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

-  '@radix-ui/react-use-layout-effect@1.1.1(@types/react@19.2.7)(react@19.2.0)':
+  '@radix-ui/react-use-layout-effect@1.1.1(@types/react@19.2.7)(react@19.2.1)':
    dependencies:
-      react: 19.2.0
+      react: 19.2.1
    optionalDependencies:
      '@types/react': 19.2.7

@@ -6332,10 +6326,6 @@ snapshots:

  arg@4.1.3: {}

-  argparse@1.0.10:
-    dependencies:
-      sprintf-js: 1.0.3
-
  argparse@2.0.1: {}

  array-flatten@1.1.1: {}
@@ -6544,7 +6534,7 @@ snapshots:

  caniuse-lite@1.0.30001737: {}

-  caniuse-lite@1.0.30001759: {}
+  caniuse-lite@1.0.30001760: {}

  chalk@4.1.2:
    dependencies:
@@ -6886,7 +6876,7 @@ snapshots:
      imurmurhash: 0.1.4
      is-glob: 4.0.3
      is-path-inside: 3.0.3
-      js-yaml: 4.1.0
+      js-yaml: 4.1.1
      json-stable-stringify-without-jsonify: 1.0.1
      levn: 0.4.1
      lodash.merge: 4.6.2
@@ -6904,8 +6894,6 @@ snapshots:
      acorn-jsx: 5.3.2(acorn@8.15.0)
      eslint-visitor-keys: 3.4.3

-  esprima@4.0.1: {}
-
  esquery@1.6.0:
    dependencies:
      estraverse: 5.3.0
@@ -7211,7 +7199,7 @@ snapshots:
    dependencies:
      is-glob: 4.0.3

-  glob@10.4.5:
+  glob@10.5.0:
    dependencies:
      foreground-child: 3.3.1
      jackspeak: 3.4.3
@@ -7487,7 +7475,7 @@ snapshots:
      chalk: 4.1.2
      ci-info: 4.3.0
      deepmerge: 4.3.1
-      glob: 10.4.5
+      glob: 10.5.0
      graceful-fs: 4.2.11
      jest-circus: 30.2.0
      jest-docblock: 30.2.0
@@ -7682,7 +7670,7 @@ snapshots:
      chalk: 4.1.2
      cjs-module-lexer: 2.1.0
      collect-v8-coverage: 1.0.2
-      glob: 10.4.5
+      glob: 10.5.0
      graceful-fs: 4.2.11
      jest-haste-map: 30.2.0
      jest-message-util: 30.2.0
@@ -7798,12 +7786,7 @@ snapshots:

  js-tokens@4.0.0: {}

-  js-yaml@3.14.1:
-    dependencies:
-      argparse: 1.0.10
-      esprima: 4.0.1
-
-  js-yaml@4.1.0:
+  js-yaml@4.1.1:
    dependencies:
      argparse: 2.0.1

@@ -7956,9 +7939,9 @@ snapshots:
    dependencies:
      yallist: 3.1.1

-  lucide-react@0.552.0(react@19.2.0):
+  lucide-react@0.552.0(react@19.2.1):
    dependencies:
-      react: 19.2.0
+      react: 19.2.1

  magic-string@0.30.21:
    dependencies:
@@ -8067,15 +8050,15 @@ snapshots:

  neo-async@2.6.2: {}

-  next@15.5.7(@babel/core@7.28.4)(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+  next@15.5.9(@babel/core@7.28.4)(react-dom@19.2.1(react@19.2.1))(react@19.2.1):
    dependencies:
-      '@next/env': 15.5.7
+      '@next/env': 15.5.9
      '@swc/helpers': 0.5.15
-      caniuse-lite: 1.0.30001759
+      caniuse-lite: 1.0.30001760
      postcss: 8.4.31
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
-      styled-jsx: 5.1.6(@babel/core@7.28.4)(react@19.2.0)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
+      styled-jsx: 5.1.6(@babel/core@7.28.4)(react@19.2.1)
    optionalDependencies:
      '@next/swc-darwin-arm64': 15.5.7
      '@next/swc-darwin-x64': 15.5.7
@@ -8359,40 +8342,40 @@ snapshots:
      iconv-lite: 0.7.0
      unpipe: 1.0.0

-  react-dom@19.2.0(react@19.2.0):
+  react-dom@19.2.1(react@19.2.1):
    dependencies:
-      react: 19.2.0
+      react: 19.2.1
      scheduler: 0.27.0

-  react-i18next@15.7.2(i18next@25.6.0(typescript@5.9.2))(react-dom@19.2.0(react@19.2.0))(react@19.2.0)(typescript@5.9.2):
+  react-i18next@15.7.2(i18next@25.6.0(typescript@5.9.2))(react-dom@19.2.1(react@19.2.1))(react@19.2.1)(typescript@5.9.2):
    dependencies:
      '@babel/runtime': 7.28.3
      html-parse-stringify: 3.0.1
      i18next: 25.6.0(typescript@5.9.2)
-      react: 19.2.0
+      react: 19.2.1
    optionalDependencies:
-      react-dom: 19.2.0(react@19.2.0)
+      react-dom: 19.2.1(react@19.2.1)
      typescript: 5.9.2

  react-is@18.3.1: {}

  react-refresh@0.17.0: {}

-  react-router-dom@7.8.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+  react-router-dom@7.8.2(react-dom@19.2.1(react@19.2.1))(react@19.2.1):
    dependencies:
-      react: 19.2.0
-      react-dom: 19.2.0(react@19.2.0)
-      react-router: 7.8.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+      react: 19.2.1
+      react-dom: 19.2.1(react@19.2.1)
+      react-router: 7.8.2(react-dom@19.2.1(react@19.2.1))(react@19.2.1)

-  react-router@7.8.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+  react-router@7.8.2(react-dom@19.2.1(react@19.2.1))(react@19.2.1):
    dependencies:
      cookie: 1.1.1
-      react: 19.2.0
+      react: 19.2.1
      set-cookie-parser: 2.7.1
    optionalDependencies:
-      react-dom: 19.2.0(react@19.2.0)
+      react-dom: 19.2.1(react@19.2.1)

-  react@19.2.0: {}
+  react@19.2.1: {}

  readable-stream@3.6.2:
    dependencies:
@@ -8682,8 +8665,6 @@ snapshots:

  split2@4.2.0: {}

-  sprintf-js@1.0.3: {}
-
  sql-highlight@6.1.0: {}

  stack-utils@2.0.6:
@@ -8745,10 +8726,10 @@ snapshots:

  strip-json-comments@3.1.1: {}

-  styled-jsx@5.1.6(@babel/core@7.28.4)(react@19.2.0):
+  styled-jsx@5.1.6(@babel/core@7.28.4)(react@19.2.1):
    dependencies:
      client-only: 0.0.1
-      react: 19.2.0
+      react: 19.2.1
    optionalDependencies:
      '@babel/core': 7.28.4

@@ -8951,7 +8932,7 @@ snapshots:
      debug: 4.4.3
      dedent: 1.7.0
      dotenv: 16.6.1
-      glob: 10.4.5
+      glob: 10.5.0
      reflect-metadata: 0.2.2
      sha.js: 2.4.12
      sql-highlight: 6.1.0
@@ -8972,6 +8953,8 @@ snapshots:

  undici-types@7.13.0: {}

+  undici@7.16.0: {}
+
  universalify@2.0.1: {}

  unpipe@1.0.0: {}
--- a/src/controllers/bearerKeyController.ts
+++ b/src/controllers/bearerKeyController.ts
@@ -0,0 +1,169 @@
+import { Request, Response } from 'express';
+import { ApiResponse, BearerKey } from '../types/index.js';
+import { getBearerKeyDao, getSystemConfigDao } from '../dao/index.js';
+
+const requireAdmin = async (req: Request, res: Response): Promise<boolean> => {
+  const systemConfigDao = getSystemConfigDao();
+  const systemConfig = await systemConfigDao.get();
+  if (systemConfig?.routing?.skipAuth) {
+    return true;
+  }
+
+  const user = (req as any).user;
+  if (!user || !user.isAdmin) {
+    res.status(403).json({
+      success: false,
+      message: 'Admin privileges required',
+    });
+    return false;
+  }
+  return true;
+};
+
+export const getBearerKeys = async (req: Request, res: Response): Promise<void> => {
+  if (!(await requireAdmin(req, res))) return;
+
+  try {
+    const dao = getBearerKeyDao();
+    const keys = await dao.findAll();
+    const response: ApiResponse = {
+      success: true,
+      data: keys,
+    };
+    res.json(response);
+  } catch (error) {
+    console.error('Failed to get bearer keys:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to get bearer keys',
+    });
+  }
+};
+
+export const createBearerKey = async (req: Request, res: Response): Promise<void> => {
+  if (!(await requireAdmin(req, res))) return;
+
+  try {
+    const { name, token, enabled, accessType, allowedGroups, allowedServers } =
+      req.body as Partial<BearerKey>;
+
+    if (!name || typeof name !== 'string') {
+      res.status(400).json({ success: false, message: 'Key name is required' });
+      return;
+    }
+
+    if (!token || typeof token !== 'string') {
+      res.status(400).json({ success: false, message: 'Token value is required' });
+      return;
+    }
+
+    if (!accessType || !['all', 'groups', 'servers'].includes(accessType)) {
+      res.status(400).json({ success: false, message: 'Invalid accessType' });
+      return;
+    }
+
+    const dao = getBearerKeyDao();
+    const key = await dao.create({
+      name,
+      token,
+      enabled: enabled ?? true,
+      accessType,
+      allowedGroups: Array.isArray(allowedGroups) ? allowedGroups : [],
+      allowedServers: Array.isArray(allowedServers) ? allowedServers : [],
+    });
+
+    const response: ApiResponse = {
+      success: true,
+      data: key,
+    };
+    res.status(201).json(response);
+  } catch (error) {
+    console.error('Failed to create bearer key:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to create bearer key',
+    });
+  }
+};
+
+export const updateBearerKey = async (req: Request, res: Response): Promise<void> => {
+  if (!(await requireAdmin(req, res))) return;
+
+  try {
+    const { id } = req.params;
+    if (!id) {
+      res.status(400).json({ success: false, message: 'Key id is required' });
+      return;
+    }
+
+    const { name, token, enabled, accessType, allowedGroups, allowedServers } =
+      req.body as Partial<BearerKey>;
+
+    const updates: Partial<BearerKey> = {};
+    if (name !== undefined) updates.name = name;
+    if (token !== undefined) updates.token = token;
+    if (enabled !== undefined) updates.enabled = enabled;
+    if (accessType !== undefined) {
+      if (!['all', 'groups', 'servers'].includes(accessType)) {
+        res.status(400).json({ success: false, message: 'Invalid accessType' });
+        return;
+      }
+      updates.accessType = accessType as BearerKey['accessType'];
+    }
+    if (allowedGroups !== undefined) {
+      updates.allowedGroups = Array.isArray(allowedGroups) ? allowedGroups : [];
+    }
+    if (allowedServers !== undefined) {
+      updates.allowedServers = Array.isArray(allowedServers) ? allowedServers : [];
+    }
+
+    const dao = getBearerKeyDao();
+    const updated = await dao.update(id, updates);
+    if (!updated) {
+      res.status(404).json({ success: false, message: 'Bearer key not found' });
+      return;
+    }
+
+    const response: ApiResponse = {
+      success: true,
+      data: updated,
+    };
+    res.json(response);
+  } catch (error) {
+    console.error('Failed to update bearer key:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to update bearer key',
+    });
+  }
+};
+
+export const deleteBearerKey = async (req: Request, res: Response): Promise<void> => {
+  if (!(await requireAdmin(req, res))) return;
+
+  try {
+    const { id } = req.params;
+    if (!id) {
+      res.status(400).json({ success: false, message: 'Key id is required' });
+      return;
+    }
+
+    const dao = getBearerKeyDao();
+    const deleted = await dao.delete(id);
+    if (!deleted) {
+      res.status(404).json({ success: false, message: 'Bearer key not found' });
+      return;
+    }
+
+    const response: ApiResponse = {
+      success: true,
+    };
+    res.json(response);
+  } catch (error) {
+    console.error('Failed to delete bearer key:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to delete bearer key',
+    });
+  }
+};
--- a/src/controllers/configController.ts
+++ b/src/controllers/configController.ts
@@ -1,10 +1,19 @@
 import { Request, Response } from 'express';
 import config from '../config/index.js';
-import { loadSettings, loadOriginalSettings } from '../config/index.js';
+import { loadSettings } from '../config/index.js';
 import { getDataService } from '../services/services.js';
 import { DataService } from '../services/dataService.js';
 import { IUser } from '../types/index.js';
-import { getServerDao } from '../dao/DaoFactory.js';
+import {
+  getGroupDao,
+  getOAuthClientDao,
+  getOAuthTokenDao,
+  getServerDao,
+  getSystemConfigDao,
+  getUserConfigDao,
+  getUserDao,
+  getBearerKeyDao,
+} from '../dao/DaoFactory.js';

 const dataService: DataService = getDataService();

@@ -128,8 +137,43 @@ export const getMcpSettingsJson = async (req: Request, res: Response): Promise<v
        },
      });
    } else {
-      // Return full settings
-      const settings = loadOriginalSettings();
+      // Return full settings via DAO layer (supports both file and database modes)
+      const [
+        servers,
+        users,
+        groups,
+        systemConfig,
+        userConfigs,
+        oauthClients,
+        oauthTokens,
+        bearerKeys,
+      ] = await Promise.all([
+        getServerDao().findAll(),
+        getUserDao().findAll(),
+        getGroupDao().findAll(),
+        getSystemConfigDao().get(),
+        getUserConfigDao().getAll(),
+        getOAuthClientDao().findAll(),
+        getOAuthTokenDao().findAll(),
+        getBearerKeyDao().findAll(),
+      ]);
+
+      const mcpServers: Record<string, any> = {};
+      for (const { name: serverConfigName, ...config } of servers) {
+        mcpServers[serverConfigName] = removeNullValues(config);
+      }
+
+      const settings = {
+        mcpServers,
+        users,
+        groups,
+        systemConfig,
+        userConfigs,
+        oauthClients,
+        oauthTokens,
+        bearerKeys,
+      };
+
      res.json({
        success: true,
        data: settings,
--- a/src/controllers/groupController.ts
+++ b/src/controllers/groupController.ts
@@ -1,5 +1,11 @@
 import { Request, Response } from 'express';
-import { ApiResponse } from '../types/index.js';
+import {
+  ApiResponse,
+  AddGroupRequest,
+  BatchCreateGroupsRequest,
+  BatchCreateGroupsResponse,
+  BatchGroupResult,
+} from '../types/index.js';
 import {
  getAllGroups,
  getGroupByIdOrName,
@@ -106,6 +112,143 @@ export const createNewGroup = async (req: Request, res: Response): Promise<void>
  }
 };

+// Batch create groups - validates and creates multiple groups in one request
+export const batchCreateGroups = async (req: Request, res: Response): Promise<void> => {
+  try {
+    const { groups } = req.body as BatchCreateGroupsRequest;
+
+    // Validate request body
+    if (!groups || !Array.isArray(groups)) {
+      res.status(400).json({
+        success: false,
+        message: 'Request body must contain a "groups" array',
+      });
+      return;
+    }
+
+    if (groups.length === 0) {
+      res.status(400).json({
+        success: false,
+        message: 'Groups array cannot be empty',
+      });
+      return;
+    }
+
+    // Helper function to validate a single group configuration
+    const validateGroupConfig = (group: AddGroupRequest): { valid: boolean; message?: string } => {
+      if (!group.name || typeof group.name !== 'string') {
+        return { valid: false, message: 'Group name is required and must be a string' };
+      }
+
+      if (group.description !== undefined && typeof group.description !== 'string') {
+        return { valid: false, message: 'Group description must be a string' };
+      }
+
+      if (group.servers !== undefined && !Array.isArray(group.servers)) {
+        return { valid: false, message: 'Group servers must be an array' };
+      }
+
+      // Validate server configurations if provided in new format
+      if (group.servers) {
+        for (const server of group.servers) {
+          if (typeof server === 'object' && server !== null) {
+            if (!server.name || typeof server.name !== 'string') {
+              return {
+                valid: false,
+                message: 'Server configuration must have a name property',
+              };
+            }
+
+            if (
+              server.tools !== undefined &&
+              server.tools !== 'all' &&
+              !Array.isArray(server.tools)
+            ) {
+              return {
+                valid: false,
+                message: 'Server tools must be "all" or an array of tool names',
+              };
+            }
+          }
+        }
+      }
+
+      return { valid: true };
+    };
+
+    // Process each group
+    const results: BatchGroupResult[] = [];
+    let successCount = 0;
+    let failureCount = 0;
+
+    // Get current user for owner field
+    const currentUser = (req as any).user;
+    const defaultOwner = currentUser?.username || 'admin';
+
+    for (const groupData of groups) {
+      const { name, description, servers } = groupData;
+
+      // Validate group configuration
+      const validation = validateGroupConfig(groupData);
+      if (!validation.valid) {
+        results.push({
+          name: name || 'unknown',
+          success: false,
+          message: validation.message,
+        });
+        failureCount++;
+        continue;
+      }
+
+      try {
+        const serverList = Array.isArray(servers) ? servers : [];
+        const newGroup = await createGroup(name, description, serverList, defaultOwner);
+
+        if (newGroup) {
+          results.push({
+            name,
+            success: true,
+            message: 'Group created successfully',
+          });
+          successCount++;
+        } else {
+          results.push({
+            name,
+            success: false,
+            message: 'Failed to create group or group name already exists',
+          });
+          failureCount++;
+        }
+      } catch (error) {
+        results.push({
+          name,
+          success: false,
+          message: error instanceof Error ? error.message : 'Failed to create group',
+        });
+        failureCount++;
+      }
+    }
+
+    // Return response
+    const response: BatchCreateGroupsResponse = {
+      success: successCount > 0,
+      successCount,
+      failureCount,
+      results,
+    };
+
+    // Use 207 Multi-Status if there were partial failures, 200 if all succeeded
+    const statusCode = failureCount > 0 && successCount > 0 ? 207 : successCount > 0 ? 200 : 400;
+    res.status(statusCode).json(response);
+  } catch (error) {
+    console.error('Batch create groups error:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Internal server error',
+    });
+  }
+};
+
 // Update an existing group
 export const updateExistingGroup = async (req: Request, res: Response): Promise<void> => {
  try {
--- a/src/controllers/serverController.ts
+++ b/src/controllers/serverController.ts
@@ -1,5 +1,13 @@
 import { Request, Response } from 'express';
-import { ApiResponse, AddServerRequest, McpSettings } from '../types/index.js';
+import {
+  ApiResponse,
+  AddServerRequest,
+  McpSettings,
+  BatchCreateServersRequest,
+  BatchCreateServersResponse,
+  BatchServerResult,
+  ServerConfig,
+} from '../types/index.js';
 import {
  getServersInfo,
  addServer,
@@ -15,6 +23,7 @@ import { syncAllServerToolsEmbeddings } from '../services/vectorSearchService.js
 import { createSafeJSON } from '../utils/serialization.js';
 import { cloneDefaultOAuthServerConfig } from '../constants/oauthServerDefaults.js';
 import { getServerDao, getGroupDao, getSystemConfigDao } from '../dao/DaoFactory.js';
+import { getBearerKeyDao } from '../dao/DaoFactory.js';

 export const getAllServers = async (_: Request, res: Response): Promise<void> => {
  try {
@@ -57,12 +66,17 @@ export const getAllSettings = async (_: Request, res: Response): Promise<void> =
    const systemConfigDao = getSystemConfigDao();
    const systemConfig = await systemConfigDao.get();

+    // Get bearer auth keys from DAO
+    const bearerKeyDao = getBearerKeyDao();
+    const bearerKeys = await bearerKeyDao.findAll();
+
    // Merge all data into settings object
    const settings: McpSettings = {
      ...fileSettings,
      mcpServers,
      groups,
      systemConfig,
+      bearerKeys,
    };

    const response: ApiResponse = {
@@ -189,6 +203,177 @@ export const createServer = async (req: Request, res: Response): Promise<void> =
  }
 };

+// Batch create servers - validates and creates multiple servers in one request
+export const batchCreateServers = async (req: Request, res: Response): Promise<void> => {
+  try {
+    const { servers } = req.body as BatchCreateServersRequest;
+
+    // Validate request body
+    if (!servers || !Array.isArray(servers)) {
+      res.status(400).json({
+        success: false,
+        message: 'Request body must contain a "servers" array',
+      });
+      return;
+    }
+
+    if (servers.length === 0) {
+      res.status(400).json({
+        success: false,
+        message: 'Servers array cannot be empty',
+      });
+      return;
+    }
+
+    // Helper function to validate a single server configuration
+    const validateServerConfig = (
+      name: string,
+      config: ServerConfig,
+    ): { valid: boolean; message?: string } => {
+      if (!name || typeof name !== 'string') {
+        return { valid: false, message: 'Server name is required and must be a string' };
+      }
+
+      if (!config || typeof config !== 'object') {
+        return { valid: false, message: 'Server configuration is required and must be an object' };
+      }
+
+      if (
+        !config.url &&
+        !config.openapi?.url &&
+        !config.openapi?.schema &&
+        (!config.command || !config.args)
+      ) {
+        return {
+          valid: false,
+          message:
+            'Server configuration must include either a URL, OpenAPI specification URL or schema, or command with arguments',
+        };
+      }
+
+      // Validate server type if specified
+      if (config.type && !['stdio', 'sse', 'streamable-http', 'openapi'].includes(config.type)) {
+        return {
+          valid: false,
+          message: 'Server type must be one of: stdio, sse, streamable-http, openapi',
+        };
+      }
+
+      // Validate URL is provided for sse and streamable-http types
+      if ((config.type === 'sse' || config.type === 'streamable-http') && !config.url) {
+        return { valid: false, message: `URL is required for ${config.type} server type` };
+      }
+
+      // Validate OpenAPI specification URL or schema is provided for openapi type
+      if (config.type === 'openapi' && !config.openapi?.url && !config.openapi?.schema) {
+        return {
+          valid: false,
+          message: 'OpenAPI specification URL or schema is required for openapi server type',
+        };
+      }
+
+      // Validate headers if provided
+      if (config.headers && typeof config.headers !== 'object') {
+        return { valid: false, message: 'Headers must be an object' };
+      }
+
+      // Validate that headers are only used with sse, streamable-http, and openapi types
+      if (config.headers && config.type === 'stdio') {
+        return { valid: false, message: 'Headers are not supported for stdio server type' };
+      }
+
+      return { valid: true };
+    };
+
+    // Process each server
+    const results: BatchServerResult[] = [];
+    let successCount = 0;
+    let failureCount = 0;
+
+    // Get current user for owner field
+    const currentUser = (req as any).user;
+    const defaultOwner = currentUser?.username || 'admin';
+
+    for (const server of servers) {
+      const { name, config } = server;
+
+      // Validate server configuration
+      const validation = validateServerConfig(name, config);
+      if (!validation.valid) {
+        results.push({
+          name: name || 'unknown',
+          success: false,
+          message: validation.message,
+        });
+        failureCount++;
+        continue;
+      }
+
+      try {
+        // Set default keep-alive interval for SSE servers if not specified
+        if ((config.type === 'sse' || (!config.type && config.url)) && !config.keepAliveInterval) {
+          config.keepAliveInterval = 60000; // Default 60 seconds for SSE servers
+        }
+
+        // Set owner property if not provided
+        if (!config.owner) {
+          config.owner = defaultOwner;
+        }
+
+        // Attempt to add server
+        const result = await addServer(name, config);
+        if (result.success) {
+          results.push({
+            name,
+            success: true,
+          });
+          successCount++;
+        } else {
+          results.push({
+            name,
+            success: false,
+            message: result.message || 'Failed to add server',
+          });
+          failureCount++;
+        }
+      } catch (error) {
+        results.push({
+          name,
+          success: false,
+          message: error instanceof Error ? error.message : 'Internal server error',
+        });
+        failureCount++;
+      }
+    }
+
+    // Notify tool changes if any server was added successfully
+    if (successCount > 0) {
+      notifyToolChanged();
+    }
+
+    // Prepare response
+    const response: ApiResponse<BatchCreateServersResponse> = {
+      success: successCount > 0, // Success if at least one server was created
+      data: {
+        success: successCount > 0,
+        successCount,
+        failureCount,
+        results,
+      },
+    };
+
+    // Return 207 Multi-Status if there were partial failures, 200 if all succeeded, 400 if all failed
+    const statusCode = failureCount === 0 ? 200 : successCount === 0 ? 400 : 207;
+    res.status(statusCode).json(response);
+  } catch (error) {
+    console.error('Batch create servers error:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Internal server error',
+    });
+  }
+};
+
 export const deleteServer = async (req: Request, res: Response): Promise<void> => {
  try {
    const { name } = req.params;
--- a/src/dao/BearerKeyDao.ts
+++ b/src/dao/BearerKeyDao.ts
@@ -0,0 +1,125 @@
+import { randomUUID } from 'node:crypto';
+import { BearerKey } from '../types/index.js';
+import { JsonFileBaseDao } from './base/JsonFileBaseDao.js';
+
+/**
+ * DAO interface for bearer authentication keys
+ */
+export interface BearerKeyDao {
+  findAll(): Promise<BearerKey[]>;
+  findEnabled(): Promise<BearerKey[]>;
+  findById(id: string): Promise<BearerKey | undefined>;
+  findByToken(token: string): Promise<BearerKey | undefined>;
+  create(data: Omit<BearerKey, 'id'>): Promise<BearerKey>;
+  update(id: string, data: Partial<Omit<BearerKey, 'id'>>): Promise<BearerKey | null>;
+  delete(id: string): Promise<boolean>;
+}
+
+/**
+ * JSON file-based BearerKey DAO implementation
+ * Stores keys under the top-level `bearerKeys` field in mcp_settings.json
+ * and performs one-time migration from legacy routing.enableBearerAuth/bearerAuthKey.
+ */
+export class BearerKeyDaoImpl extends JsonFileBaseDao implements BearerKeyDao {
+  private async loadKeysWithMigration(): Promise<BearerKey[]> {
+    const settings = await this.loadSettings();
+
+    // Treat an existing array (including an empty array) as already migrated.
+    // Otherwise, when there are no configured keys, we'd rewrite mcp_settings.json
+    // on every request, which also clears the global settings cache.
+    if (Array.isArray(settings.bearerKeys)) {
+      return settings.bearerKeys;
+    }
+
+    // Perform one-time migration from legacy routing config if present
+    const routing = settings.systemConfig?.routing || {};
+    const enableBearerAuth: boolean = !!routing.enableBearerAuth;
+    const rawKey: string = (routing.bearerAuthKey || '').trim();
+
+    let migrated: BearerKey[] = [];
+
+    if (rawKey) {
+      // Cases 2 and 3 in migration rules
+      migrated = [
+        {
+          id: randomUUID(),
+          name: 'default',
+          token: rawKey,
+          enabled: enableBearerAuth,
+          accessType: 'all',
+          allowedGroups: [],
+          allowedServers: [],
+        },
+      ];
+    }
+
+    // Cases 1 and 4 both result in empty keys list
+    settings.bearerKeys = migrated;
+    await this.saveSettings(settings);
+
+    return migrated;
+  }
+
+  private async saveKeys(keys: BearerKey[]): Promise<void> {
+    const settings = await this.loadSettings();
+    settings.bearerKeys = keys;
+    await this.saveSettings(settings);
+  }
+
+  async findAll(): Promise<BearerKey[]> {
+    return await this.loadKeysWithMigration();
+  }
+
+  async findEnabled(): Promise<BearerKey[]> {
+    const keys = await this.loadKeysWithMigration();
+    return keys.filter((key) => key.enabled);
+  }
+
+  async findById(id: string): Promise<BearerKey | undefined> {
+    const keys = await this.loadKeysWithMigration();
+    return keys.find((key) => key.id === id);
+  }
+
+  async findByToken(token: string): Promise<BearerKey | undefined> {
+    const keys = await this.loadKeysWithMigration();
+    return keys.find((key) => key.token === token);
+  }
+
+  async create(data: Omit<BearerKey, 'id'>): Promise<BearerKey> {
+    const keys = await this.loadKeysWithMigration();
+    const newKey: BearerKey = {
+      id: randomUUID(),
+      ...data,
+    };
+    keys.push(newKey);
+    await this.saveKeys(keys);
+    return newKey;
+  }
+
+  async update(id: string, data: Partial<Omit<BearerKey, 'id'>>): Promise<BearerKey | null> {
+    const keys = await this.loadKeysWithMigration();
+    const index = keys.findIndex((key) => key.id === id);
+    if (index === -1) {
+      return null;
+    }
+
+    const updated: BearerKey = {
+      ...keys[index],
+      ...data,
+      id: keys[index].id,
+    };
+    keys[index] = updated;
+    await this.saveKeys(keys);
+    return updated;
+  }
+
+  async delete(id: string): Promise<boolean> {
+    const keys = await this.loadKeysWithMigration();
+    const next = keys.filter((key) => key.id !== id);
+    if (next.length === keys.length) {
+      return false;
+    }
+    await this.saveKeys(next);
+    return true;
+  }
+}
--- a/src/dao/BearerKeyDaoDbImpl.ts
+++ b/src/dao/BearerKeyDaoDbImpl.ts
@@ -0,0 +1,77 @@
+import { BearerKeyDao } from './BearerKeyDao.js';
+import { BearerKey as BearerKeyModel } from '../types/index.js';
+import { BearerKeyRepository } from '../db/repositories/BearerKeyRepository.js';
+
+/**
+ * Database-backed implementation of BearerKeyDao
+ */
+export class BearerKeyDaoDbImpl implements BearerKeyDao {
+  private repository: BearerKeyRepository;
+
+  constructor() {
+    this.repository = new BearerKeyRepository();
+  }
+
+  private toModel(entity: import('../db/entities/BearerKey.js').BearerKey): BearerKeyModel {
+    return {
+      id: entity.id,
+      name: entity.name,
+      token: entity.token,
+      enabled: entity.enabled,
+      accessType: entity.accessType,
+      allowedGroups: entity.allowedGroups ?? [],
+      allowedServers: entity.allowedServers ?? [],
+    };
+  }
+
+  async findAll(): Promise<BearerKeyModel[]> {
+    const entities = await this.repository.findAll();
+    return entities.map((e) => this.toModel(e));
+  }
+
+  async findEnabled(): Promise<BearerKeyModel[]> {
+    const entities = await this.repository.findAll();
+    return entities.filter((e) => e.enabled).map((e) => this.toModel(e));
+  }
+
+  async findById(id: string): Promise<BearerKeyModel | undefined> {
+    const entity = await this.repository.findById(id);
+    return entity ? this.toModel(entity) : undefined;
+  }
+
+  async findByToken(token: string): Promise<BearerKeyModel | undefined> {
+    const entity = await this.repository.findByToken(token);
+    return entity ? this.toModel(entity) : undefined;
+  }
+
+  async create(data: Omit<BearerKeyModel, 'id'>): Promise<BearerKeyModel> {
+    const entity = await this.repository.create({
+      name: data.name,
+      token: data.token,
+      enabled: data.enabled,
+      accessType: data.accessType,
+      allowedGroups: data.allowedGroups ?? [],
+      allowedServers: data.allowedServers ?? [],
+    } as any);
+    return this.toModel(entity as any);
+  }
+
+  async update(
+    id: string,
+    data: Partial<Omit<BearerKeyModel, 'id'>>,
+  ): Promise<BearerKeyModel | null> {
+    const entity = await this.repository.update(id, {
+      name: data.name,
+      token: data.token,
+      enabled: data.enabled,
+      accessType: data.accessType,
+      allowedGroups: data.allowedGroups,
+      allowedServers: data.allowedServers,
+    } as any);
+    return entity ? this.toModel(entity as any) : null;
+  }
+
+  async delete(id: string): Promise<boolean> {
+    return await this.repository.delete(id);
+  }
+}
--- a/src/dao/DaoFactory.ts
+++ b/src/dao/DaoFactory.ts
@@ -5,6 +5,7 @@ import { SystemConfigDao, SystemConfigDaoImpl } from './SystemConfigDao.js';
 import { UserConfigDao, UserConfigDaoImpl } from './UserConfigDao.js';
 import { OAuthClientDao, OAuthClientDaoImpl } from './OAuthClientDao.js';
 import { OAuthTokenDao, OAuthTokenDaoImpl } from './OAuthTokenDao.js';
+import { BearerKeyDao, BearerKeyDaoImpl } from './BearerKeyDao.js';

 /**
 * DAO Factory interface for creating DAO instances
@@ -17,6 +18,7 @@ export interface DaoFactory {
  getUserConfigDao(): UserConfigDao;
  getOAuthClientDao(): OAuthClientDao;
  getOAuthTokenDao(): OAuthTokenDao;
+  getBearerKeyDao(): BearerKeyDao;
 }

 /**
@@ -32,6 +34,7 @@ export class JsonFileDaoFactory implements DaoFactory {
  private userConfigDao: UserConfigDao | null = null;
  private oauthClientDao: OAuthClientDao | null = null;
  private oauthTokenDao: OAuthTokenDao | null = null;
+  private bearerKeyDao: BearerKeyDao | null = null;

  /**
   * Get singleton instance
@@ -96,6 +99,13 @@ export class JsonFileDaoFactory implements DaoFactory {
    return this.oauthTokenDao;
  }

+  getBearerKeyDao(): BearerKeyDao {
+    if (!this.bearerKeyDao) {
+      this.bearerKeyDao = new BearerKeyDaoImpl();
+    }
+    return this.bearerKeyDao;
+  }
+
  /**
   * Reset all cached DAO instances (useful for testing)
   */
@@ -107,6 +117,7 @@ export class JsonFileDaoFactory implements DaoFactory {
    this.userConfigDao = null;
    this.oauthClientDao = null;
    this.oauthTokenDao = null;
+    this.bearerKeyDao = null;
  }
 }

@@ -179,3 +190,7 @@ export function getOAuthClientDao(): OAuthClientDao {
 export function getOAuthTokenDao(): OAuthTokenDao {
  return getDaoFactory().getOAuthTokenDao();
 }
+
+export function getBearerKeyDao(): BearerKeyDao {
+  return getDaoFactory().getBearerKeyDao();
+}
--- a/src/dao/DatabaseDaoFactory.ts
+++ b/src/dao/DatabaseDaoFactory.ts
@@ -7,6 +7,7 @@ import {
  UserConfigDao,
  OAuthClientDao,
  OAuthTokenDao,
+  BearerKeyDao,
 } from './index.js';
 import { UserDaoDbImpl } from './UserDaoDbImpl.js';
 import { ServerDaoDbImpl } from './ServerDaoDbImpl.js';
@@ -15,6 +16,7 @@ import { SystemConfigDaoDbImpl } from './SystemConfigDaoDbImpl.js';
 import { UserConfigDaoDbImpl } from './UserConfigDaoDbImpl.js';
 import { OAuthClientDaoDbImpl } from './OAuthClientDaoDbImpl.js';
 import { OAuthTokenDaoDbImpl } from './OAuthTokenDaoDbImpl.js';
+import { BearerKeyDaoDbImpl } from './BearerKeyDaoDbImpl.js';

 /**
 * Database-backed DAO factory implementation
@@ -29,6 +31,7 @@ export class DatabaseDaoFactory implements DaoFactory {
  private userConfigDao: UserConfigDao | null = null;
  private oauthClientDao: OAuthClientDao | null = null;
  private oauthTokenDao: OAuthTokenDao | null = null;
+  private bearerKeyDao: BearerKeyDao | null = null;

  /**
   * Get singleton instance
@@ -93,6 +96,13 @@ export class DatabaseDaoFactory implements DaoFactory {
    return this.oauthTokenDao!;
  }

+  getBearerKeyDao(): BearerKeyDao {
+    if (!this.bearerKeyDao) {
+      this.bearerKeyDao = new BearerKeyDaoDbImpl();
+    }
+    return this.bearerKeyDao!;
+  }
+
  /**
   * Reset all cached DAO instances (useful for testing)
   */
@@ -104,5 +114,6 @@ export class DatabaseDaoFactory implements DaoFactory {
    this.userConfigDao = null;
    this.oauthClientDao = null;
    this.oauthTokenDao = null;
+    this.bearerKeyDao = null;
  }
 }
--- a/src/dao/ServerDaoDbImpl.ts
+++ b/src/dao/ServerDaoDbImpl.ts
@@ -38,6 +38,7 @@ export class ServerDaoDbImpl implements ServerDao {
      prompts: entity.prompts,
      options: entity.options,
      oauth: entity.oauth,
+      openapi: entity.openapi,
    });
    return this.mapToServerConfig(server);
  }
@@ -61,6 +62,7 @@ export class ServerDaoDbImpl implements ServerDao {
      prompts: entity.prompts,
      options: entity.options,
      oauth: entity.oauth,
+      openapi: entity.openapi,
    });
    return server ? this.mapToServerConfig(server) : null;
  }
@@ -129,6 +131,7 @@ export class ServerDaoDbImpl implements ServerDao {
    prompts?: Record<string, { enabled: boolean; description?: string }>;
    options?: Record<string, any>;
    oauth?: Record<string, any>;
+    openapi?: Record<string, any>;
  }): ServerConfigWithName {
    return {
      name: server.name,
@@ -146,6 +149,7 @@ export class ServerDaoDbImpl implements ServerDao {
      prompts: server.prompts,
      options: server.options,
      oauth: server.oauth,
+      openapi: server.openapi,
    };
  }
 }
--- a/src/dao/index.ts
+++ b/src/dao/index.ts
@@ -8,6 +8,7 @@ export * from './SystemConfigDao.js';
 export * from './UserConfigDao.js';
 export * from './OAuthClientDao.js';
 export * from './OAuthTokenDao.js';
+export * from './BearerKeyDao.js';

 // Export database implementations
 export * from './UserDaoDbImpl.js';
@@ -17,6 +18,7 @@ export * from './SystemConfigDaoDbImpl.js';
 export * from './UserConfigDaoDbImpl.js';
 export * from './OAuthClientDaoDbImpl.js';
 export * from './OAuthTokenDaoDbImpl.js';
+export * from './BearerKeyDaoDbImpl.js';

 // Export the DAO factory and convenience functions
 export * from './DaoFactory.js';
--- a/src/db/entities/BearerKey.ts
+++ b/src/db/entities/BearerKey.ts
@@ -0,0 +1,43 @@
+import {
+  Entity,
+  Column,
+  PrimaryGeneratedColumn,
+  CreateDateColumn,
+  UpdateDateColumn,
+} from 'typeorm';
+
+/**
+ * Bearer authentication key entity
+ * Stores multiple bearer keys with per-key enable/disable and scoped access control
+ */
+@Entity({ name: 'bearer_keys' })
+export class BearerKey {
+  @PrimaryGeneratedColumn('uuid')
+  id: string;
+
+  @Column({ type: 'varchar', length: 100 })
+  name: string;
+
+  @Column({ type: 'varchar', length: 512 })
+  token: string;
+
+  @Column({ type: 'boolean', default: true })
+  enabled: boolean;
+
+  @Column({ type: 'varchar', length: 20, default: 'all' })
+  accessType: 'all' | 'groups' | 'servers';
+
+  @Column({ type: 'simple-json', nullable: true })
+  allowedGroups?: string[];
+
+  @Column({ type: 'simple-json', nullable: true })
+  allowedServers?: string[];
+
+  @CreateDateColumn({ name: 'created_at', type: 'timestamp' })
+  createdAt: Date;
+
+  @UpdateDateColumn({ name: 'updated_at', type: 'timestamp' })
+  updatedAt: Date;
+}
+
+export default BearerKey;
--- a/src/db/entities/Server.ts
+++ b/src/db/entities/Server.ts
@@ -59,6 +59,9 @@ export class Server {
  @Column({ type: 'simple-json', nullable: true })
  oauth?: Record<string, any>;

+  @Column({ type: 'simple-json', nullable: true })
+  openapi?: Record<string, any>;
+
  @CreateDateColumn({ name: 'created_at', type: 'timestamp' })
  createdAt: Date;

--- a/src/db/entities/index.ts
+++ b/src/db/entities/index.ts
@@ -6,6 +6,7 @@ import SystemConfig from './SystemConfig.js';
 import UserConfig from './UserConfig.js';
 import OAuthClient from './OAuthClient.js';
 import OAuthToken from './OAuthToken.js';
+import BearerKey from './BearerKey.js';

 // Export all entities
 export default [
@@ -17,7 +18,18 @@ export default [
  UserConfig,
  OAuthClient,
  OAuthToken,
+  BearerKey,
 ];

 // Export individual entities for direct use
-export { VectorEmbedding, User, Server, Group, SystemConfig, UserConfig, OAuthClient, OAuthToken };
+export {
+  VectorEmbedding,
+  User,
+  Server,
+  Group,
+  SystemConfig,
+  UserConfig,
+  OAuthClient,
+  OAuthToken,
+  BearerKey,
+};
--- a/src/db/repositories/BearerKeyRepository.ts
+++ b/src/db/repositories/BearerKeyRepository.ts
@@ -0,0 +1,75 @@
+import { Repository } from 'typeorm';
+import { BearerKey } from '../entities/BearerKey.js';
+import { getAppDataSource } from '../connection.js';
+
+/**
+ * Repository for BearerKey entity
+ */
+export class BearerKeyRepository {
+  private repository: Repository<BearerKey>;
+
+  constructor() {
+    this.repository = getAppDataSource().getRepository(BearerKey);
+  }
+
+  /**
+   * Find all bearer keys
+   */
+  async findAll(): Promise<BearerKey[]> {
+    return await this.repository.find({ order: { createdAt: 'ASC' } });
+  }
+
+  /**
+   * Count bearer keys
+   */
+  async count(): Promise<number> {
+    return await this.repository.count();
+  }
+
+  /**
+   * Find bearer key by id
+   */
+  async findById(id: string): Promise<BearerKey | null> {
+    return await this.repository.findOne({ where: { id } });
+  }
+
+  /**
+   * Find bearer key by token value
+   */
+  async findByToken(token: string): Promise<BearerKey | null> {
+    return await this.repository.findOne({ where: { token } });
+  }
+
+  /**
+   * Create a new bearer key
+   */
+  async create(data: Omit<BearerKey, 'id' | 'createdAt' | 'updatedAt'>): Promise<BearerKey> {
+    const entity = this.repository.create(data);
+    return await this.repository.save(entity);
+  }
+
+  /**
+   * Update an existing bearer key
+   */
+  async update(
+    id: string,
+    updates: Partial<Omit<BearerKey, 'id' | 'createdAt' | 'updatedAt'>>,
+  ): Promise<BearerKey | null> {
+    const existing = await this.findById(id);
+    if (!existing) {
+      return null;
+    }
+    const merged = this.repository.merge(existing, updates);
+    return await this.repository.save(merged);
+  }
+
+  /**
+   * Delete a bearer key
+   */
+  async delete(id: string): Promise<boolean> {
+    const result = await this.repository.delete({ id });
+    return (result.affected ?? 0) > 0;
+  }
+}
+
+export default BearerKeyRepository;
--- a/src/db/repositories/index.ts
+++ b/src/db/repositories/index.ts
@@ -6,6 +6,7 @@ import { SystemConfigRepository } from './SystemConfigRepository.js';
 import { UserConfigRepository } from './UserConfigRepository.js';
 import { OAuthClientRepository } from './OAuthClientRepository.js';
 import { OAuthTokenRepository } from './OAuthTokenRepository.js';
+import { BearerKeyRepository } from './BearerKeyRepository.js';

 // Export all repositories
 export {
@@ -17,4 +18,5 @@ export {
  UserConfigRepository,
  OAuthClientRepository,
  OAuthTokenRepository,
+  BearerKeyRepository,
 };
--- a/src/middlewares/auth.ts
+++ b/src/middlewares/auth.ts
@@ -5,9 +5,15 @@ import defaultConfig from '../config/index.js';
 import { JWT_SECRET } from '../config/jwt.js';
 import { getToken } from '../models/OAuth.js';
 import { isOAuthServerEnabled } from '../services/oauthServerService.js';
+import { getBearerKeyDao } from '../dao/index.js';
+import { BearerKey } from '../types/index.js';

-const validateBearerAuth = (req: Request, routingConfig: any): boolean => {
-  if (!routingConfig.enableBearerAuth) {
+const validateBearerAuth = async (req: Request): Promise<boolean> => {
+  const bearerKeyDao = getBearerKeyDao();
+  const enabledKeys = await bearerKeyDao.findEnabled();
+
+  // If there are no enabled keys, bearer auth via static keys is disabled
+  if (enabledKeys.length === 0) {
    return false;
  }

@@ -16,7 +22,21 @@ const validateBearerAuth = (req: Request, routingConfig: any): boolean => {
    return false;
  }

-  return authHeader.substring(7) === routingConfig.bearerAuthKey;
+  const token = authHeader.substring(7).trim();
+  if (!token) {
+    return false;
+  }
+
+  const matchingKey: BearerKey | undefined = enabledKeys.find((key) => key.token === token);
+  if (!matchingKey) {
+    console.warn('Bearer auth failed: token did not match any configured bearer key');
+    return false;
+  }
+
+  console.log(
+    `Bearer auth succeeded with key id=${matchingKey.id}, name=${matchingKey.name}, accessType=${matchingKey.accessType}`,
+  );
+  return true;
 };

 const readonlyAllowPaths = ['/tools/call/'];
@@ -47,8 +67,6 @@ export const auth = async (req: Request, res: Response, next: NextFunction): Pro
  const routingConfig = loadSettings().systemConfig?.routing || {
    enableGlobalRoute: true,
    enableGroupNameRoute: true,
-    enableBearerAuth: false,
-    bearerAuthKey: '',
    skipAuth: false,
  };

@@ -57,8 +75,8 @@ export const auth = async (req: Request, res: Response, next: NextFunction): Pro
    return;
  }

-  // Check if bearer auth is enabled and validate it
-  if (validateBearerAuth(req, routingConfig)) {
+  // Check if bearer auth via configured keys can validate this request
+  if (await validateBearerAuth(req)) {
    next();
    return;
  }
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@@ -6,6 +6,7 @@ import {
  getAllSettings,
  getServerConfig,
  createServer,
+  batchCreateServers,
  updateServer,
  deleteServer,
  toggleServer,
@@ -20,6 +21,7 @@ import {
  getGroups,
  getGroup,
  createNewGroup,
+  batchCreateGroups,
  updateExistingGroup,
  deleteExistingGroup,
  addServerToExistingGroup,
@@ -104,6 +106,12 @@ import {
  updateClientConfiguration,
  deleteClientRegistration,
 } from '../controllers/oauthDynamicRegistrationController.js';
+import {
+  getBearerKeys,
+  createBearerKey,
+  updateBearerKey,
+  deleteBearerKey,
+} from '../controllers/bearerKeyController.js';
 import { auth } from '../middlewares/auth.js';

 const router = express.Router();
@@ -134,6 +142,7 @@ export const initRoutes = (app: express.Application): void => {
  router.get('/servers/:name', getServerConfig);
  router.get('/settings', getAllSettings);
  router.post('/servers', createServer);
+  router.post('/servers/batch', batchCreateServers);
  router.put('/servers/:name', updateServer);
  router.delete('/servers/:name', deleteServer);
  router.post('/servers/:name/toggle', toggleServer);
@@ -148,6 +157,7 @@ export const initRoutes = (app: express.Application): void => {
  router.get('/groups', getGroups);
  router.get('/groups/:id', getGroup);
  router.post('/groups', createNewGroup);
+  router.post('/groups/batch', batchCreateGroups);
  router.put('/groups/:id', updateExistingGroup);
  router.delete('/groups/:id', deleteExistingGroup);
  router.post('/groups/:id/servers', addServerToExistingGroup);
@@ -183,6 +193,12 @@ export const initRoutes = (app: express.Application): void => {
  router.delete('/oauth/clients/:clientId', deleteClient);
  router.post('/oauth/clients/:clientId/regenerate-secret', regenerateSecret);

+  // Bearer authentication key management (admin only)
+  router.get('/auth/keys', getBearerKeys);
+  router.post('/auth/keys', createBearerKey);
+  router.put('/auth/keys/:id', updateBearerKey);
+  router.delete('/auth/keys/:id', deleteBearerKey);
+
  // Tool management routes
  router.post('/tools/call/:server', callTool);

--- a/src/services/groupService.ts
+++ b/src/services/groupService.ts
@@ -29,9 +29,9 @@ export const getGroupByIdOrName = async (key: string): Promise<IGroup | undefine
  const systemConfigDao = getSystemConfigDao();

  const systemConfig = await systemConfigDao.get();
-  const routingConfig = systemConfig?.routing || {
-    enableGlobalRoute: true,
-    enableGroupNameRoute: true,
+  const routingConfig = {
+    enableGlobalRoute: systemConfig?.routing?.enableGlobalRoute ?? true,
+    enableGroupNameRoute: systemConfig?.routing?.enableGroupNameRoute ?? true,
  };

  const groups = await getAllGroups();
--- a/src/services/mcpService.ts
+++ b/src/services/mcpService.ts
@@ -14,6 +14,7 @@ import {
  StreamableHTTPClientTransport,
  StreamableHTTPClientTransportOptions,
 } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { createFetchWithProxy, getProxyConfigFromEnv } from './proxy.js';
 import { ServerInfo, ServerConfig, Tool } from '../types/index.js';
 import { expandEnvVars, replaceEnvVars, getNameSeparator } from '../config/index.js';
 import config from '../config/index.js';
@@ -134,6 +135,10 @@ export const cleanupAllServers = (): void => {
 // Helper function to create transport based on server configuration
 export const createTransportFromConfig = async (name: string, conf: ServerConfig): Promise<any> => {
  let transport;
+  const env: Record<string, string> = {
+    ...(process.env as Record<string, string>),
+    ...replaceEnvVars(conf.env || {}),
+  };

  if (conf.type === 'streamable-http') {
    const options: StreamableHTTPClientTransportOptions = {};
@@ -152,6 +157,8 @@ export const createTransportFromConfig = async (name: string, conf: ServerConfig
      console.log(`OAuth provider configured for server: ${name}`);
    }

+    options.fetch = createFetchWithProxy(getProxyConfigFromEnv(env));
+
    transport = new StreamableHTTPClientTransport(new URL(conf.url || ''), options);
  } else if (conf.url) {
    // SSE transport
@@ -174,13 +181,11 @@ export const createTransportFromConfig = async (name: string, conf: ServerConfig
      console.log(`OAuth provider configured for server: ${name}`);
    }

+    options.fetch = createFetchWithProxy(getProxyConfigFromEnv(env));
+
    transport = new SSEClientTransport(new URL(conf.url), options);
  } else if (conf.command && conf.args) {
    // Stdio transport
-    const env: Record<string, string> = {
-      ...(process.env as Record<string, string>),
-      ...replaceEnvVars(conf.env || {}),
-    };
    env['PATH'] = expandEnvVars(process.env.PATH as string) || '';

    const systemConfigDao = getSystemConfigDao();
@@ -614,9 +619,37 @@ export const registerAllTools = async (isInit: boolean, serverName?: string): Pr
 export const getServersInfo = async (): Promise<Omit<ServerInfo, 'client' | 'transport'>[]> => {
  const allServers: ServerConfigWithName[] = await getServerDao().findAll();
  const dataService = getDataService();
+
+  // Ensure that servers recently added via DAO but not yet initialized in serverInfos
+  // are still visible in the servers list. This avoids a race condition where
+  // a POST /api/servers immediately followed by GET /api/servers would not
+  // return the newly created server until background initialization completes.
+  const combinedServerInfos: ServerInfo[] = [...serverInfos];
+  const existingNames = new Set(combinedServerInfos.map((s) => s.name));
+
+  for (const server of allServers) {
+    if (!existingNames.has(server.name)) {
+      const isEnabled = server.enabled === undefined ? true : server.enabled;
+      combinedServerInfos.push({
+        name: server.name,
+        owner: server.owner,
+        // Newly created servers that are enabled should appear as "connecting"
+        // until the MCP client initialization completes. Disabled servers remain
+        // in the "disconnected" state.
+        status: isEnabled ? 'connecting' : 'disconnected',
+        error: null,
+        tools: [],
+        prompts: [],
+        createTime: Date.now(),
+        enabled: isEnabled,
+      });
+    }
+  }
+
  const filterServerInfos: ServerInfo[] = dataService.filterData
-    ? dataService.filterData(serverInfos)
-    : serverInfos;
+    ? dataService.filterData(combinedServerInfos)
+    : combinedServerInfos;
+
  const infos = filterServerInfos.map(
    ({ name, status, tools, prompts, createTime, error, oauth }) => {
      const serverConfig = allServers.find((server) => server.name === name);
--- a/src/services/openApiGeneratorService.ts
+++ b/src/services/openApiGeneratorService.ts
@@ -42,7 +42,7 @@ function convertToolSchemaToOpenAPI(tool: Tool): {
      (prop: any) =>
        prop.type === 'object' ||
        prop.type === 'array' ||
-        (prop.type === 'string' && prop.enum && prop.enum.length > 10),
+        prop.type === 'string',
    );

    if (!hasComplexTypes && Object.keys(properties).length <= 10) {
@@ -93,7 +93,7 @@ function generateOperationFromTool(tool: Tool, serverName: string): OpenAPIV3.Op
  const operation: OpenAPIV3.OperationObject = {
    summary: tool.description || `Execute ${tool.name} tool`,
    description: tool.description || `Execute the ${tool.name} tool from ${serverName} server`,
-    operationId: `${serverName}_${tool.name}`,
+    operationId: `${tool.name}`,
    tags: [serverName],
    ...(parameters && parameters.length > 0 && { parameters }),
    ...(requestBody && { requestBody }),
--- a/src/services/proxy.ts
+++ b/src/services/proxy.ts
@@ -0,0 +1,167 @@
+/**
+ * HTTP/HTTPS proxy configuration utilities for MCP client transports.
+ *
+ * This module provides utilities to configure HTTP and HTTPS proxies when
+ * connecting to MCP servers. Proxies are configured by providing a custom
+ * fetch implementation that uses Node.js http/https agents with proxy support.
+ *
+ */
+
+import { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
+
+/**
+ * Configuration options for HTTP/HTTPS proxy settings.
+ */
+export interface ProxyConfig {
+  /**
+   * HTTP proxy URL (e.g., 'http://proxy.example.com:8080')
+   * Can include authentication: 'http://user:pass@proxy.example.com:8080'
+   */
+  httpProxy?: string;
+
+  /**
+   * HTTPS proxy URL (e.g., 'https://proxy.example.com:8443')
+   * Can include authentication: 'https://user:pass@proxy.example.com:8443'
+   */
+  httpsProxy?: string;
+
+  /**
+   * Comma-separated list of hosts that should bypass the proxy
+   * (e.g., 'localhost,127.0.0.1,.example.com')
+   */
+  noProxy?: string;
+}
+
+/**
+ * Creates a fetch function that uses the specified proxy configuration.
+ *
+ * This function returns a fetch implementation that routes requests through
+ * the configured HTTP/HTTPS proxies using undici's ProxyAgent.
+ *
+ * Note: This function requires the 'undici' package to be installed.
+ * Install it with: npm install undici
+ *
+ * @param config - Proxy configuration options
+ * @returns A fetch-compatible function configured to use the specified proxies
+ *
+ */
+export function createFetchWithProxy(config: ProxyConfig): FetchLike {
+  // If no proxy is configured, return the default fetch
+  if (!config.httpProxy && !config.httpsProxy) {
+    return fetch;
+  }
+
+  // Parse no_proxy list
+  const noProxyList = parseNoProxy(config.noProxy);
+
+  return async (url: string | URL, init?: RequestInit): Promise<Response> => {
+    const targetUrl = typeof url === 'string' ? new URL(url) : url;
+
+    // Check if host should bypass proxy
+    if (shouldBypassProxy(targetUrl.hostname, noProxyList)) {
+      return fetch(url, init);
+    }
+
+    // Determine which proxy to use based on protocol
+    const proxyUrl = targetUrl.protocol === 'https:' ? config.httpsProxy : config.httpProxy;
+
+    if (!proxyUrl) {
+      // No proxy configured for this protocol
+      return fetch(url, init);
+    }
+
+    // Use undici for proxy support if available
+    try {
+      // Dynamic import - undici is an optional peer dependency
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const undici = await import('undici' as any);
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const ProxyAgent = (undici as any).ProxyAgent;
+      const dispatcher = new ProxyAgent(proxyUrl);
+
+      return fetch(url, {
+        ...init,
+        // @ts-expect-error - dispatcher is undici-specific
+        dispatcher,
+      });
+    } catch (error) {
+      // undici not available - throw error requiring installation
+      throw new Error(
+        'Proxy support requires the "undici" package. ' +
+          'Install it with: npm install undici\n' +
+          `Original error: ${error instanceof Error ? error.message : String(error)}`,
+      );
+    }
+  };
+}
+
+/**
+ * Parses a NO_PROXY environment variable value into a list of patterns.
+ */
+function parseNoProxy(noProxy?: string): string[] {
+  if (!noProxy) {
+    return [];
+  }
+
+  return noProxy
+    .split(',')
+    .map((item) => item.trim())
+    .filter((item) => item.length > 0);
+}
+
+/**
+ * Checks if a hostname should bypass the proxy based on NO_PROXY patterns.
+ */
+function shouldBypassProxy(hostname: string, noProxyList: string[]): boolean {
+  if (noProxyList.length === 0) {
+    return false;
+  }
+
+  const hostnameLower = hostname.toLowerCase();
+
+  for (const pattern of noProxyList) {
+    const patternLower = pattern.toLowerCase();
+
+    // Exact match
+    if (hostnameLower === patternLower) {
+      return true;
+    }
+
+    // Domain suffix match (e.g., .example.com matches sub.example.com)
+    if (patternLower.startsWith('.') && hostnameLower.endsWith(patternLower)) {
+      return true;
+    }
+
+    // Domain suffix match without leading dot
+    if (!patternLower.startsWith('.') && hostnameLower.endsWith('.' + patternLower)) {
+      return true;
+    }
+
+    // Special case: "*" matches everything
+    if (patternLower === '*') {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Creates a ProxyConfig from environment variables.
+ *
+ * This function reads standard proxy environment variables:
+ * - HTTP_PROXY, http_proxy
+ * - HTTPS_PROXY, https_proxy
+ * - NO_PROXY, no_proxy
+ *
+ * Lowercase versions take precedence over uppercase versions.
+ *
+ * @returns A ProxyConfig object populated from environment variables
+ */
+export function getProxyConfigFromEnv(env: Record<string, string>): ProxyConfig {
+  return {
+    httpProxy: env.http_proxy || env.HTTP_PROXY,
+    httpsProxy: env.https_proxy || env.HTTPS_PROXY,
+    noProxy: env.no_proxy || env.NO_PROXY,
+  };
+}
--- a/src/services/sseService.test.ts
+++ b/src/services/sseService.test.ts
@@ -47,6 +47,30 @@ jest.mock('../dao/index.js', () => ({
  getSystemConfigDao: jest.fn(() => ({
    get: jest.fn().mockImplementation(() => Promise.resolve(currentSystemConfig)),
  })),
+  getBearerKeyDao: jest.fn(() => ({
+    // Keep these unit tests aligned with legacy routing semantics:
+    // enableBearerAuth + bearerAuthKey -> one enabled key (token=bearerAuthKey)
+    // otherwise -> no enabled keys (bearer auth effectively disabled)
+    findEnabled: jest.fn().mockImplementation(async () => {
+      const routing = (currentSystemConfig as any)?.routing || {};
+      const enabled = !!routing.enableBearerAuth;
+      const token = String(routing.bearerAuthKey || '').trim();
+      if (!enabled || !token) {
+        return [];
+      }
+      return [
+        {
+          id: 'test-key-id',
+          name: 'default',
+          token,
+          enabled: true,
+          accessType: 'all',
+          allowedGroups: [],
+          allowedServers: [],
+        },
+      ];
+    }),
+  })),
 }));

 // Mock oauthBearer
--- a/src/services/sseService.ts
+++ b/src/services/sseService.ts
@@ -6,10 +6,10 @@ import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/
 import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { deleteMcpServer, getMcpServer } from './mcpService.js';
 import config from '../config/index.js';
-import { getSystemConfigDao } from '../dao/index.js';
+import { getBearerKeyDao, getGroupDao, getServerDao, getSystemConfigDao } from '../dao/index.js';
 import { UserContextService } from './userContextService.js';
 import { RequestContextService } from './requestContextService.js';
-import { IUser } from '../types/index.js';
+import { IUser, BearerKey } from '../types/index.js';
 import { resolveOAuthUserFromToken } from '../utils/oauthBearer.js';

 export const transports: {
@@ -30,40 +30,164 @@ type BearerAuthResult =
      reason: 'missing' | 'invalid';
    };

+/**
+ * Check if a string is a valid UUID v4 format
+ */
+const isValidUUID = (str: string): boolean => {
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+  return uuidRegex.test(str);
+};
+
+const isBearerKeyAllowedForRequest = async (req: Request, key: BearerKey): Promise<boolean> => {
+  const paramValue = (req.params as any)?.group as string | undefined;
+
+  // accessType 'all' allows all requests
+  if (key.accessType === 'all') {
+    return true;
+  }
+
+  // No parameter value means global route
+  if (!paramValue) {
+    // Only accessType 'all' allows global routes
+    return false;
+  }
+
+  try {
+    const groupDao = getGroupDao();
+    const serverDao = getServerDao();
+
+    // Step 1: Try to match as a group (by name or id), since group has higher priority
+    let matchedGroup = await groupDao.findByName(paramValue);
+    if (!matchedGroup && isValidUUID(paramValue)) {
+      // Only try findById if the parameter is a valid UUID
+      matchedGroup = await groupDao.findById(paramValue);
+    }
+
+    if (matchedGroup) {
+      // Matched as a group
+      if (key.accessType === 'groups') {
+        // For group-scoped keys, check if the matched group is in allowedGroups
+        const allowedGroups = key.allowedGroups || [];
+        return allowedGroups.includes(matchedGroup.name) || allowedGroups.includes(matchedGroup.id);
+      }
+
+      if (key.accessType === 'servers') {
+        // For server-scoped keys, check if any server in the group is allowed
+        const allowedServers = key.allowedServers || [];
+        if (allowedServers.length === 0) {
+          return false;
+        }
+
+        if (!Array.isArray(matchedGroup.servers)) {
+          return false;
+        }
+
+        const groupServerNames = matchedGroup.servers.map((server) =>
+          typeof server === 'string' ? server : server.name,
+        );
+        return groupServerNames.some((name) => allowedServers.includes(name));
+      }
+
+      // Unknown accessType with matched group
+      return false;
+    }
+
+    // Step 2: Not a group, try to match as a server name
+    const matchedServer = await serverDao.findById(paramValue);
+
+    if (matchedServer) {
+      // Matched as a server
+      if (key.accessType === 'groups') {
+        // For group-scoped keys, server access is not allowed
+        return false;
+      }
+
+      if (key.accessType === 'servers') {
+        // For server-scoped keys, check if the server is in allowedServers
+        const allowedServers = key.allowedServers || [];
+        return allowedServers.includes(matchedServer.name);
+      }
+
+      // Unknown accessType with matched server
+      return false;
+    }
+
+    // Step 3: Not a valid group or server, deny access
+    console.warn(
+      `Bearer key access denied: parameter '${paramValue}' does not match any group or server`,
+    );
+    return false;
+  } catch (error) {
+    console.error('Error checking bearer key request access:', error);
+    return false;
+  }
+};
+
 const validateBearerAuth = async (req: Request): Promise<BearerAuthResult> => {
-  const systemConfigDao = getSystemConfigDao();
-  const systemConfig = await systemConfigDao.get();
-  const routingConfig = systemConfig?.routing || {
-    enableGlobalRoute: true,
-    enableGroupNameRoute: true,
-    enableBearerAuth: false,
-    bearerAuthKey: '',
-  };
+  const bearerKeyDao = getBearerKeyDao();
+  const enabledKeys = await bearerKeyDao.findEnabled();

-  if (routingConfig.enableBearerAuth) {
-    const authHeader = req.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      return { valid: false, reason: 'missing' };
+  const authHeader = req.headers.authorization;
+  const hasBearerHeader = !!authHeader && authHeader.startsWith('Bearer ');
+
+  // If no enabled keys are configured, bearer auth is effectively disabled.
+  // We still allow OAuth bearer tokens to attach user context in this case.
+  if (enabledKeys.length === 0) {
+    if (!hasBearerHeader) {
+      return { valid: true };
    }

-    const token = authHeader.substring(7); // Remove "Bearer " prefix
-    if (token.trim().length === 0) {
-      return { valid: false, reason: 'missing' };
-    }
-
-    if (token === routingConfig.bearerAuthKey) {
+    const token = authHeader!.substring(7).trim();
+    if (!token) {
      return { valid: true };
    }

    const oauthUser = await resolveOAuthUserFromToken(token);
    if (oauthUser) {
+      console.log('Authenticated request using OAuth bearer token without configured keys');
      return { valid: true, user: oauthUser };
    }

-    return { valid: false, reason: 'invalid' };
+    // When there are no keys, a non-OAuth bearer token should not block access
+    return { valid: true };
  }

-  return { valid: true };
+  // When keys exist, bearer header is required
+  if (!hasBearerHeader) {
+    return { valid: false, reason: 'missing' };
+  }
+
+  const token = authHeader!.substring(7).trim();
+  if (!token) {
+    return { valid: false, reason: 'missing' };
+  }
+
+  // First, try to match a configured bearer key
+  const matchingKey = enabledKeys.find((key) => key.token === token);
+  if (matchingKey) {
+    const allowed = await isBearerKeyAllowedForRequest(req, matchingKey);
+    if (!allowed) {
+      console.warn(
+        `Bearer key rejected due to scope restrictions: id=${matchingKey.id}, name=${matchingKey.name}, accessType=${matchingKey.accessType}`,
+      );
+      return { valid: false, reason: 'invalid' };
+    }
+
+    console.log(
+      `Bearer key authenticated: id=${matchingKey.id}, name=${matchingKey.name}, accessType=${matchingKey.accessType}`,
+    );
+    return { valid: true };
+  }
+
+  // Fallback: treat token as potential OAuth access token
+  const oauthUser = await resolveOAuthUserFromToken(token);
+  if (oauthUser) {
+    console.log('Authenticated request using OAuth bearer token (no matching static key)');
+    return { valid: true, user: oauthUser };
+  }
+
+  console.warn('Bearer authentication failed: token did not match any key or OAuth user');
+  return { valid: false, reason: 'invalid' };
 };

 const attachUserContextFromBearer = (result: BearerAuthResult, res: Response): void => {
@@ -398,9 +522,9 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
  // Get filtered settings based on user context (after setting user context)
  const systemConfigDao = getSystemConfigDao();
  const systemConfig = await systemConfigDao.get();
-  const routingConfig = systemConfig?.routing || {
-    enableGlobalRoute: true,
-    enableGroupNameRoute: true,
+  const routingConfig = {
+    enableGlobalRoute: systemConfig?.routing?.enableGlobalRoute ?? true,
+    enableGroupNameRoute: systemConfig?.routing?.enableGroupNameRoute ?? true,
  };
  if (!group && !routingConfig.enableGlobalRoute) {
    res.status(403).send('Global routes are disabled. Please specify a group ID.');
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -243,6 +243,19 @@ export interface OAuthServerConfig {
  };
 }

+// Bearer authentication key configuration
+export type BearerKeyAccessType = 'all' | 'groups' | 'servers';
+
+export interface BearerKey {
+  id: string; // Unique identifier for the key
+  name: string; // Human readable key name
+  token: string; // Bearer token value
+  enabled: boolean; // Whether this key is enabled
+  accessType: BearerKeyAccessType; // Access scope type
+  allowedGroups?: string[]; // Allowed group names when accessType === 'groups'
+  allowedServers?: string[]; // Allowed server names when accessType === 'servers'
+}
+
 // Represents the settings for MCP servers
 export interface McpSettings {
  users?: IUser[]; // Array of user credentials and permissions
@@ -254,6 +267,7 @@ export interface McpSettings {
  userConfigs?: Record<string, UserConfig>; // User-specific configurations
  oauthClients?: IOAuthClient[]; // OAuth clients for MCPHub's authorization server
  oauthTokens?: IOAuthToken[]; // Persisted OAuth tokens (access + refresh) for authorization server
+  bearerKeys?: BearerKey[]; // Bearer authentication keys (multi-key configuration)
 }

 // Configuration details for an individual server
@@ -420,3 +434,50 @@ export interface AddServerRequest {
  name: string; // Name of the server to add
  config: ServerConfig; // Configuration details for the server
 }
+
+// Request payload for batch creating servers
+export interface BatchCreateServersRequest {
+  servers: AddServerRequest[]; // Array of servers to create
+}
+
+// Result for a single server in batch operation
+export interface BatchServerResult {
+  name: string; // Server name
+  success: boolean; // Whether the operation succeeded
+  message?: string; // Error message if failed
+}
+
+// Response for batch create servers operation
+export interface BatchCreateServersResponse {
+  success: boolean; // Overall operation success (true if at least one server succeeded)
+  successCount: number; // Number of servers successfully created
+  failureCount: number; // Number of servers that failed
+  results: BatchServerResult[]; // Detailed results for each server
+}
+
+// Request payload for adding a new group
+export interface AddGroupRequest {
+  name: string; // Name of the group to add
+  description?: string; // Optional description of the group
+  servers?: string[] | IGroupServerConfig[]; // Array of server names or server configurations
+}
+
+// Request payload for batch creating groups
+export interface BatchCreateGroupsRequest {
+  groups: AddGroupRequest[]; // Array of groups to create
+}
+
+// Result for a single group in batch operation
+export interface BatchGroupResult {
+  name: string; // Group name
+  success: boolean; // Whether the operation succeeded
+  message?: string; // Error message if failed
+}
+
+// Response for batch create groups operation
+export interface BatchCreateGroupsResponse {
+  success: boolean; // Overall operation success (true if at least one group succeeded)
+  successCount: number; // Number of groups successfully created
+  failureCount: number; // Number of groups that failed
+  results: BatchGroupResult[]; // Detailed results for each group
+}
--- a/src/utils/migration.test.ts
+++ b/src/utils/migration.test.ts
@@ -0,0 +1,122 @@
+import { jest } from '@jest/globals';
+
+// Mocks must be defined before importing the module under test.
+
+const initializeDatabaseMock = jest.fn(async () => undefined);
+jest.mock('../db/connection.js', () => ({
+  initializeDatabase: initializeDatabaseMock,
+}));
+
+const setDaoFactoryMock = jest.fn();
+jest.mock('../dao/DaoFactory.js', () => ({
+  setDaoFactory: setDaoFactoryMock,
+}));
+
+jest.mock('../dao/DatabaseDaoFactory.js', () => ({
+  DatabaseDaoFactory: {
+    getInstance: jest.fn(() => ({
+      /* noop */
+    })),
+  },
+}));
+
+const loadOriginalSettingsMock = jest.fn(() => ({ users: [] }));
+jest.mock('../config/index.js', () => ({
+  loadOriginalSettings: loadOriginalSettingsMock,
+}));
+
+const userRepoCountMock = jest.fn<() => Promise<number>>();
+jest.mock('../db/repositories/UserRepository.js', () => ({
+  UserRepository: jest.fn().mockImplementation(() => ({
+    count: userRepoCountMock,
+  })),
+}));
+
+const bearerKeyCountMock = jest.fn<() => Promise<number>>();
+const bearerKeyCreateMock =
+  jest.fn<
+    (data: {
+      name: string;
+      token: string;
+      enabled: boolean;
+      accessType: string;
+      allowedGroups: string[];
+      allowedServers: string[];
+    }) => Promise<unknown>
+  >();
+jest.mock('../db/repositories/BearerKeyRepository.js', () => ({
+  BearerKeyRepository: jest.fn().mockImplementation(() => ({
+    count: bearerKeyCountMock,
+    create: bearerKeyCreateMock,
+  })),
+}));
+
+const systemConfigGetMock = jest.fn<() => Promise<any>>();
+jest.mock('../db/repositories/SystemConfigRepository.js', () => ({
+  SystemConfigRepository: jest.fn().mockImplementation(() => ({
+    get: systemConfigGetMock,
+  })),
+}));
+
+describe('initializeDatabaseMode legacy bearer auth migration', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('skips legacy migration when bearerKeys table already has data', async () => {
+    userRepoCountMock.mockResolvedValue(1);
+    bearerKeyCountMock.mockResolvedValue(2);
+    systemConfigGetMock.mockResolvedValue({
+      routing: { enableBearerAuth: true, bearerAuthKey: 'db-key' },
+    });
+
+    const { initializeDatabaseMode } = await import('./migration.js');
+    const ok = await initializeDatabaseMode();
+
+    expect(ok).toBe(true);
+    expect(initializeDatabaseMock).toHaveBeenCalled();
+    expect(loadOriginalSettingsMock).not.toHaveBeenCalled();
+    expect(systemConfigGetMock).not.toHaveBeenCalled();
+    expect(bearerKeyCreateMock).not.toHaveBeenCalled();
+  });
+
+  it('migrates legacy routing bearerAuthKey into bearerKeys when users exist and keys table is empty', async () => {
+    userRepoCountMock.mockResolvedValue(3);
+    bearerKeyCountMock.mockResolvedValue(0);
+    systemConfigGetMock.mockResolvedValue({
+      routing: { enableBearerAuth: true, bearerAuthKey: 'db-key' },
+    });
+
+    const { initializeDatabaseMode } = await import('./migration.js');
+    const ok = await initializeDatabaseMode();
+
+    expect(ok).toBe(true);
+    expect(loadOriginalSettingsMock).not.toHaveBeenCalled();
+    expect(systemConfigGetMock).toHaveBeenCalledTimes(1);
+    expect(bearerKeyCreateMock).toHaveBeenCalledTimes(1);
+    expect(bearerKeyCreateMock).toHaveBeenCalledWith({
+      name: 'default',
+      token: 'db-key',
+      enabled: true,
+      accessType: 'all',
+      allowedGroups: [],
+      allowedServers: [],
+    });
+  });
+
+  it('does not migrate when routing has no bearerAuthKey', async () => {
+    userRepoCountMock.mockResolvedValue(1);
+    bearerKeyCountMock.mockResolvedValue(0);
+    systemConfigGetMock.mockResolvedValue({
+      routing: { enableBearerAuth: true, bearerAuthKey: '   ' },
+    });
+
+    const { initializeDatabaseMode } = await import('./migration.js');
+    const ok = await initializeDatabaseMode();
+
+    expect(ok).toBe(true);
+    expect(loadOriginalSettingsMock).not.toHaveBeenCalled();
+    expect(systemConfigGetMock).toHaveBeenCalledTimes(1);
+    expect(bearerKeyCreateMock).not.toHaveBeenCalled();
+  });
+});
--- a/src/utils/migration.ts
+++ b/src/utils/migration.ts
@@ -9,6 +9,7 @@ import { SystemConfigRepository } from '../db/repositories/SystemConfigRepositor
 import { UserConfigRepository } from '../db/repositories/UserConfigRepository.js';
 import { OAuthClientRepository } from '../db/repositories/OAuthClientRepository.js';
 import { OAuthTokenRepository } from '../db/repositories/OAuthTokenRepository.js';
+import { BearerKeyRepository } from '../db/repositories/BearerKeyRepository.js';

 /**
 * Migrate from file-based configuration to database
@@ -33,6 +34,7 @@ export async function migrateToDatabase(): Promise<boolean> {
    const userConfigRepo = new UserConfigRepository();
    const oauthClientRepo = new OAuthClientRepository();
    const oauthTokenRepo = new OAuthTokenRepository();
+    const bearerKeyRepo = new BearerKeyRepository();

    // Migrate users
    if (settings.users && settings.users.length > 0) {
@@ -75,6 +77,7 @@ export async function migrateToDatabase(): Promise<boolean> {
            prompts: config.prompts,
            options: config.options,
            oauth: config.oauth,
+            openapi: config.openapi,
          });
          console.log(`  - Created server: ${name}`);
        } else {
@@ -119,6 +122,52 @@ export async function migrateToDatabase(): Promise<boolean> {
      console.log('  - System configuration updated');
    }

+    // Migrate bearer auth keys
+    console.log('Migrating bearer authentication keys...');
+
+    // Prefer explicit bearerKeys if present in settings
+    if (Array.isArray(settings.bearerKeys) && settings.bearerKeys.length > 0) {
+      for (const key of settings.bearerKeys) {
+        await bearerKeyRepo.create({
+          name: key.name,
+          token: key.token,
+          enabled: key.enabled,
+          accessType: key.accessType,
+          allowedGroups: key.allowedGroups ?? [],
+          allowedServers: key.allowedServers ?? [],
+        } as any);
+        console.log(`  - Migrated bearer key: ${key.name} (${key.id ?? 'no-id'})`);
+      }
+    } else if (settings.systemConfig?.routing) {
+      // Fallback to legacy routing.enableBearerAuth / bearerAuthKey
+      const routing = settings.systemConfig.routing as any;
+      const enableBearerAuth: boolean = !!routing.enableBearerAuth;
+      const rawKey: string = (routing.bearerAuthKey || '').trim();
+
+      // Migration rules:
+      // 1) enable=false, key empty   -> no keys
+      // 2) enable=false, key present -> one disabled key (name=default)
+      // 3) enable=true, key present  -> one enabled key (name=default)
+      // 4) enable=true, key empty    -> no keys
+      if (rawKey) {
+        await bearerKeyRepo.create({
+          name: 'default',
+          token: rawKey,
+          enabled: enableBearerAuth,
+          accessType: 'all',
+          allowedGroups: [],
+          allowedServers: [],
+        } as any);
+        console.log(
+          `  - Migrated legacy bearer auth config to key: default (enabled=${enableBearerAuth})`,
+        );
+      } else {
+        console.log('  - No legacy bearer auth key found, skipping bearer key migration');
+      }
+    } else {
+      console.log('  - No bearer auth configuration found, skipping bearer key migration');
+    }
+
    // Migrate user configs
    if (settings.userConfigs) {
      const usernames = Object.keys(settings.userConfigs);
@@ -206,6 +255,9 @@ export async function initializeDatabaseMode(): Promise<boolean> {

    // Check if migration is needed
    const userRepo = new UserRepository();
+    const bearerKeyRepo = new BearerKeyRepository();
+    const systemConfigRepo = new SystemConfigRepository();
+
    const userCount = await userRepo.count();

    if (userCount === 0) {
@@ -216,6 +268,36 @@ export async function initializeDatabaseMode(): Promise<boolean> {
      }
    } else {
      console.log(`Database already contains ${userCount} users, skipping migration`);
+
+      // One-time migration for legacy bearer auth config stored inside DB routing settings.
+      // If bearerKeys table already has data, do nothing.
+      const bearerKeyCount = await bearerKeyRepo.count();
+      if (bearerKeyCount > 0) {
+        console.log(
+          `Bearer keys table already contains ${bearerKeyCount} keys, skipping legacy bearer auth migration`,
+        );
+      } else {
+        const systemConfig = await systemConfigRepo.get();
+        const routing = (systemConfig as any)?.routing || {};
+        const enableBearerAuth: boolean = !!routing.enableBearerAuth;
+        const rawKey: string = (routing.bearerAuthKey || '').trim();
+
+        if (rawKey) {
+          await bearerKeyRepo.create({
+            name: 'default',
+            token: rawKey,
+            enabled: enableBearerAuth,
+            accessType: 'all',
+            allowedGroups: [],
+            allowedServers: [],
+          } as any);
+          console.log(
+            `  - Migrated legacy DB routing bearer auth config to key: default (enabled=${enableBearerAuth})`,
+          );
+        } else {
+          console.log('No legacy DB routing bearer auth key found, skipping bearer key migration');
+        }
+      }
    }

    console.log('✅ Database mode initialized successfully');
--- a/tests/controllers/configController.test.ts
+++ b/tests/controllers/configController.test.ts
@@ -1,11 +1,7 @@
 import { getMcpSettingsJson } from '../../src/controllers/configController.js';
-import * as config from '../../src/config/index.js';
 import * as DaoFactory from '../../src/dao/DaoFactory.js';
 import { Request, Response } from 'express';

-// Mock the config module
-jest.mock('../../src/config/index.js');
-// Mock the DaoFactory module
 jest.mock('../../src/dao/DaoFactory.js');

 describe('ConfigController - getMcpSettingsJson', () => {
@@ -13,9 +9,18 @@ describe('ConfigController - getMcpSettingsJson', () => {
  let mockResponse: Partial<Response>;
  let mockJson: jest.Mock;
  let mockStatus: jest.Mock;
-  let mockServerDao: { findById: jest.Mock };
+  let mockServerDao: { findById: jest.Mock; findAll: jest.Mock };
+  let mockUserDao: { findAll: jest.Mock };
+  let mockGroupDao: { findAll: jest.Mock };
+  let mockSystemConfigDao: { get: jest.Mock };
+  let mockUserConfigDao: { getAll: jest.Mock };
+  let mockOAuthClientDao: { findAll: jest.Mock };
+  let mockOAuthTokenDao: { findAll: jest.Mock };
+  let mockBearerKeyDao: { findAll: jest.Mock };

  beforeEach(() => {
+    jest.clearAllMocks();
+
    mockJson = jest.fn();
    mockStatus = jest.fn().mockReturnThis();
    mockRequest = {
@@ -25,40 +30,28 @@ describe('ConfigController - getMcpSettingsJson', () => {
      json: mockJson,
      status: mockStatus,
    };
+
    mockServerDao = {
      findById: jest.fn(),
+      findAll: jest.fn(),
    };
+    mockUserDao = { findAll: jest.fn() };
+    mockGroupDao = { findAll: jest.fn() };
+    mockSystemConfigDao = { get: jest.fn() };
+    mockUserConfigDao = { getAll: jest.fn() };
+    mockOAuthClientDao = { findAll: jest.fn() };
+    mockOAuthTokenDao = { findAll: jest.fn() };
+    mockBearerKeyDao = { findAll: jest.fn() };

-    // Setup ServerDao mock
-    (DaoFactory.getServerDao as jest.Mock).mockReturnValue(mockServerDao);
-
-    // Reset mocks
-    jest.clearAllMocks();
-  });
-
-  describe('Full Settings Export', () => {
-    it('should handle settings without users array', async () => {
-      const mockSettings = {
-        mcpServers: {
-          'test-server': {
-            command: 'test',
-            args: ['--test'],
-          },
-        },
-      };
-
-      (config.loadOriginalSettings as jest.Mock).mockReturnValue(mockSettings);
-
-      await getMcpSettingsJson(mockRequest as Request, mockResponse as Response);
-
-      expect(mockJson).toHaveBeenCalledWith({
-        success: true,
-        data: {
-          mcpServers: mockSettings.mcpServers,
-          users: undefined,
-        },
-      });
-    });
+    // Wire DaoFactory convenience functions to our mocks
+    (DaoFactory.getServerDao as unknown as jest.Mock).mockReturnValue(mockServerDao);
+    (DaoFactory.getUserDao as unknown as jest.Mock).mockReturnValue(mockUserDao);
+    (DaoFactory.getGroupDao as unknown as jest.Mock).mockReturnValue(mockGroupDao);
+    (DaoFactory.getSystemConfigDao as unknown as jest.Mock).mockReturnValue(mockSystemConfigDao);
+    (DaoFactory.getUserConfigDao as unknown as jest.Mock).mockReturnValue(mockUserConfigDao);
+    (DaoFactory.getOAuthClientDao as unknown as jest.Mock).mockReturnValue(mockOAuthClientDao);
+    (DaoFactory.getOAuthTokenDao as unknown as jest.Mock).mockReturnValue(mockOAuthTokenDao);
+    (DaoFactory.getBearerKeyDao as unknown as jest.Mock).mockReturnValue(mockBearerKeyDao);
  });

  describe('Individual Server Export', () => {
@@ -146,10 +139,14 @@ describe('ConfigController - getMcpSettingsJson', () => {

  describe('Error Handling', () => {
    it('should handle errors gracefully and return 500', async () => {
-      const errorMessage = 'Failed to load settings';
-      (config.loadOriginalSettings as jest.Mock).mockImplementation(() => {
-        throw new Error(errorMessage);
-      });
+      mockServerDao.findAll.mockRejectedValue(new Error('boom'));
+      mockUserDao.findAll.mockResolvedValue([]);
+      mockGroupDao.findAll.mockResolvedValue([]);
+      mockSystemConfigDao.get.mockResolvedValue({});
+      mockUserConfigDao.getAll.mockResolvedValue({});
+      mockOAuthClientDao.findAll.mockResolvedValue([]);
+      mockOAuthTokenDao.findAll.mockResolvedValue([]);
+      mockBearerKeyDao.findAll.mockResolvedValue([]);

      await getMcpSettingsJson(mockRequest as Request, mockResponse as Response);

--- a/tests/dao/bearerKeyDao.test.ts
+++ b/tests/dao/bearerKeyDao.test.ts
@@ -0,0 +1,97 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+
+import { BearerKeyDaoImpl } from '../../src/dao/BearerKeyDao.js';
+
+const writeSettings = (settingsPath: string, settings: unknown): void => {
+  fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf8');
+};
+
+describe('BearerKeyDaoImpl migration + settings caching behavior', () => {
+  let tmpDir: string;
+  let settingsPath: string;
+  let originalSettingsEnv: string | undefined;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'mcphub-bearer-keys-'));
+    settingsPath = path.join(tmpDir, 'mcp_settings.json');
+
+    originalSettingsEnv = process.env.MCPHUB_SETTING_PATH;
+    process.env.MCPHUB_SETTING_PATH = settingsPath;
+  });
+
+  afterEach(() => {
+    if (originalSettingsEnv === undefined) {
+      delete process.env.MCPHUB_SETTING_PATH;
+    } else {
+      process.env.MCPHUB_SETTING_PATH = originalSettingsEnv;
+    }
+
+    try {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    } catch {
+      // ignore cleanup errors
+    }
+  });
+
+  it('does not rewrite settings when bearerKeys exists as an empty array', async () => {
+    writeSettings(settingsPath, {
+      mcpServers: {},
+      users: [],
+      systemConfig: {
+        routing: {
+          enableBearerAuth: false,
+          bearerAuthKey: '',
+        },
+      },
+      bearerKeys: [],
+    });
+
+    const writeSpy = jest.spyOn(fs, 'writeFileSync');
+
+    const dao = new BearerKeyDaoImpl();
+    const enabled1 = await dao.findEnabled();
+    const enabled2 = await dao.findEnabled();
+
+    expect(enabled1).toEqual([]);
+    expect(enabled2).toEqual([]);
+
+    // The DAO should NOT persist anything because bearerKeys already exists.
+    expect(writeSpy).not.toHaveBeenCalled();
+
+    writeSpy.mockRestore();
+  });
+
+  it('migrates legacy bearerAuthKey only once', async () => {
+    writeSettings(settingsPath, {
+      mcpServers: {},
+      users: [],
+      systemConfig: {
+        routing: {
+          enableBearerAuth: true,
+          bearerAuthKey: 'legacy-token',
+        },
+      },
+      // bearerKeys is intentionally missing to trigger migration
+    });
+
+    const writeSpy = jest.spyOn(fs, 'writeFileSync');
+
+    const dao = new BearerKeyDaoImpl();
+
+    const enabled1 = await dao.findEnabled();
+    expect(enabled1).toHaveLength(1);
+    expect(enabled1[0].token).toBe('legacy-token');
+    expect(enabled1[0].enabled).toBe(true);
+
+    const enabled2 = await dao.findEnabled();
+    expect(enabled2).toHaveLength(1);
+    expect(enabled2[0].token).toBe('legacy-token');
+
+    // One write for the migration, no further writes on subsequent reads.
+    expect(writeSpy).toHaveBeenCalledTimes(1);
+
+    writeSpy.mockRestore();
+  });
+});
--- a/tests/services/keepalive.test.ts
+++ b/tests/services/keepalive.test.ts
@@ -31,14 +31,28 @@ jest.mock('../../src/utils/oauthBearer.js', () => ({
  resolveOAuthUserFromToken: jest.fn(),
 }));

+// Mock DAO accessors used by sseService (avoid file-based DAOs and migrations)
+jest.mock('../../src/dao/index.js', () => ({
+  getBearerKeyDao: jest.fn(),
+  getGroupDao: jest.fn(),
+  getSystemConfigDao: jest.fn(),
+}));
+
+// Mock config module default export used by sseService
+jest.mock('../../src/config/index.js', () => ({
+  __esModule: true,
+  default: { basePath: '' },
+  loadSettings: jest.fn(),
+}));
+
 import { Request, Response } from 'express';
 import { handleSseConnection, transports } from '../../src/services/sseService.js';
 import * as mcpService from '../../src/services/mcpService.js';
 import * as configModule from '../../src/config/index.js';
+import * as daoIndex from '../../src/dao/index.js';

 // Mock remaining dependencies
 jest.mock('../../src/services/mcpService.js');
-jest.mock('../../src/config/index.js');

 // Mock UserContextService with getInstance pattern
 const mockUserContextService = {
@@ -141,6 +155,24 @@ describe('Keepalive Functionality', () => {
    };
    (mcpService.getMcpServer as jest.Mock).mockReturnValue(mockMcpServer);

+    // Mock bearer key + system config DAOs used by sseService
+    const mockBearerKeyDao = {
+      findEnabled: jest.fn().mockResolvedValue([]),
+    };
+    (daoIndex.getBearerKeyDao as unknown as jest.Mock).mockReturnValue(mockBearerKeyDao);
+
+    const mockSystemConfigDao = {
+      get: jest.fn().mockResolvedValue({
+        routing: {
+          enableGlobalRoute: true,
+          enableGroupNameRoute: true,
+          enableBearerAuth: false,
+          bearerAuthKey: '',
+        },
+      }),
+    };
+    (daoIndex.getSystemConfigDao as unknown as jest.Mock).mockReturnValue(mockSystemConfigDao);
+
    // Mock loadSettings
    (configModule.loadSettings as jest.Mock).mockReturnValue({
      systemConfig: {
Author	SHA1	Message	Date
samanhappy	1f3a6794ea	feat: enhance BearerKeyDaoImpl to handle migration and caching behavior for bearer keys (#507 )	2025-12-14 20:40:57 +08:00
samanhappy	c673afb97e	Add HTTP/HTTPS proxy configuration and environment variable support (#506 )	2025-12-14 15:44:44 +08:00
samanhappy	01855ca2ca	feat: add bearer authentication key management with migration support (#503 )	2025-12-13 16:46:58 +08:00
dependabot[bot]	88efad9d60	chore(deps-dev): bump next from 15.5.7 to 15.5.9 (#501 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-12 14:50:18 +08:00
samanhappy	2028233b53	Add OpenAPI support and enhance settings aggregation (#500 )	2025-12-11 17:42:50 +08:00
samanhappy	1dfa0a990b	Add batch server and group creation functionality (#499 )	2025-12-11 14:21:58 +08:00
Alptekin Gülcan	ab7c210281	Optimizing API Operations: Simplified operationId Values and Large String Parameter Management (#488 )	2025-12-07 13:11:35 +08:00
Copilot	6bd28ec89b	Upgrade react and react-dom to 19.2.1 (#489 ) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-06 15:58:14 +08:00
Copilot	41a42f82d0	Upgrade js-yaml to 4.1.1 (#486 ) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-05 18:11:26 +08:00
Copilot	7aa3ff3bb1	Upgrade glob to version 10.5.0 (#485 ) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-05 17:52:46 +08:00