diff --git a/README.md b/README.md
index cef05856..46b002c8 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Pocket ID is a simple OIDC provider that allows users to authenticate with their
 
 → Try out the [Demo](https://demo.pocket-id.org)
 
-<img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>
+<img src="https://github.com/user-attachments/assets/1e99ba44-76da-4b47-9b8a-dbe9b7f84512" width="1200"/>
 
 The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
 
diff --git a/backend/internal/bootstrap/app_images_bootstrap.go b/backend/internal/bootstrap/app_images_bootstrap.go
index 6c428468..fb8d6fe5 100644
--- a/backend/internal/bootstrap/app_images_bootstrap.go
+++ b/backend/internal/bootstrap/app_images_bootstrap.go
@@ -24,7 +24,8 @@ func initApplicationImages(ctx context.Context, fileStorage storage.FileStorage)
 	// Previous versions of images
 	// If these are found, they are deleted
 	legacyImageHashes := imageHashMap{
-		"background.jpg": mustDecodeHex("138d510030ed845d1d74de34658acabff562d306476454369a60ab8ade31933f"),
+		"background.jpg":  mustDecodeHex("138d510030ed845d1d74de34658acabff562d306476454369a60ab8ade31933f"),
+		"background.webp": mustDecodeHex("3fc436a66d6b872b01d96a4e75046c46b5c3e2daccd51e98ecdf98fd445599ab"),
 	}
 
 	sourceFiles, err := resources.FS.ReadDir("images")
diff --git a/backend/internal/bootstrap/router_bootstrap.go b/backend/internal/bootstrap/router_bootstrap.go
index 4af260ea..f2229114 100644
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -189,6 +189,7 @@ func initLogger(r *gin.Engine) {
 		"GET /api/application-images/logo",
 		"GET /api/application-images/background",
 		"GET /api/application-images/favicon",
+		"GET /api/application-images/email",
 		"GET /_app",
 		"GET /fonts",
 		"GET /healthz",
diff --git a/backend/internal/common/env_config.go b/backend/internal/common/env_config.go
index e391069d..6f2f828f 100644
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -38,25 +38,26 @@ const (
 )
 
 type EnvConfigSchema struct {
-	AppEnv             AppEnv `env:"APP_ENV" options:"toLower"`
-	LogLevel           string `env:"LOG_LEVEL" options:"toLower"`
-	LogJSON            bool   `env:"LOG_JSON"`
-	AppURL             string `env:"APP_URL" options:"toLower,trimTrailingSlash"`
-	DbProvider         DbProvider
-	DbConnectionString string `env:"DB_CONNECTION_STRING" options:"file"`
-	EncryptionKey      []byte `env:"ENCRYPTION_KEY" options:"file"`
-	Port               string `env:"PORT"`
-	Host               string `env:"HOST" options:"toLower"`
-	UnixSocket         string `env:"UNIX_SOCKET"`
-	UnixSocketMode     string `env:"UNIX_SOCKET_MODE"`
-	LocalIPv6Ranges    string `env:"LOCAL_IPV6_RANGES"`
-	UiConfigDisabled   bool   `env:"UI_CONFIG_DISABLED"`
-	MetricsEnabled     bool   `env:"METRICS_ENABLED"`
-	TracingEnabled     bool   `env:"TRACING_ENABLED"`
-	TrustProxy         bool   `env:"TRUST_PROXY"`
-	AnalyticsDisabled  bool   `env:"ANALYTICS_DISABLED"`
-	AllowDowngrade     bool   `env:"ALLOW_DOWNGRADE"`
-	InternalAppURL     string `env:"INTERNAL_APP_URL"`
+	AppEnv                AppEnv `env:"APP_ENV" options:"toLower"`
+	LogLevel              string `env:"LOG_LEVEL" options:"toLower"`
+	LogJSON               bool   `env:"LOG_JSON"`
+	AuditLogRetentionDays int    `env:"AUDIT_LOG_RETENTION_DAYS"`
+	AppURL                string `env:"APP_URL" options:"toLower,trimTrailingSlash"`
+	DbProvider            DbProvider
+	DbConnectionString    string `env:"DB_CONNECTION_STRING" options:"file"`
+	EncryptionKey         []byte `env:"ENCRYPTION_KEY" options:"file"`
+	Port                  string `env:"PORT"`
+	Host                  string `env:"HOST" options:"toLower"`
+	UnixSocket            string `env:"UNIX_SOCKET"`
+	UnixSocketMode        string `env:"UNIX_SOCKET_MODE"`
+	LocalIPv6Ranges       string `env:"LOCAL_IPV6_RANGES"`
+	UiConfigDisabled      bool   `env:"UI_CONFIG_DISABLED"`
+	MetricsEnabled        bool   `env:"METRICS_ENABLED"`
+	TracingEnabled        bool   `env:"TRACING_ENABLED"`
+	TrustProxy            bool   `env:"TRUST_PROXY"`
+	AnalyticsDisabled     bool   `env:"ANALYTICS_DISABLED"`
+	AllowDowngrade        bool   `env:"ALLOW_DOWNGRADE"`
+	InternalAppURL        string `env:"INTERNAL_APP_URL"`
 
 	MaxMindLicenseKey string `env:"MAXMIND_LICENSE_KEY" options:"file"`
 	GeoLiteDBPath     string `env:"GEOLITE_DB_PATH"`
@@ -86,15 +87,16 @@ func init() {
 
 func defaultConfig() EnvConfigSchema {
 	return EnvConfigSchema{
-		AppEnv:        AppEnvProduction,
-		LogLevel:      "info",
-		DbProvider:    "sqlite",
-		FileBackend:   "filesystem",
-		AppURL:        AppUrl,
-		Port:          "1411",
-		Host:          "0.0.0.0",
-		GeoLiteDBPath: "data/GeoLite2-City.mmdb",
-		GeoLiteDBUrl:  MaxMindGeoLiteCityUrl,
+		AppEnv:                AppEnvProduction,
+		LogLevel:              "info",
+		DbProvider:            "sqlite",
+		FileBackend:           "filesystem",
+		AppURL:                AppUrl,
+		Port:                  "1411",
+		Host:                  "0.0.0.0",
+		GeoLiteDBPath:         "data/GeoLite2-City.mmdb",
+		GeoLiteDBUrl:          MaxMindGeoLiteCityUrl,
+		AuditLogRetentionDays: 90,
 	}
 }
 
@@ -191,6 +193,10 @@ func ValidateEnvConfig(config *EnvConfigSchema) error {
 
 	}
 
+	if config.AuditLogRetentionDays <= 0 {
+		return errors.New("AUDIT_LOG_RETENTION_DAYS must be greater than 0")
+	}
+
 	return nil
 
 }
diff --git a/backend/internal/common/env_config_test.go b/backend/internal/common/env_config_test.go
index 879c0ebc..266e5437 100644
--- a/backend/internal/common/env_config_test.go
+++ b/backend/internal/common/env_config_test.go
@@ -129,6 +129,41 @@ func TestParseEnvConfig(t *testing.T) {
 		assert.False(t, EnvConfig.AnalyticsDisabled)
 	})
 
+	t.Run("should default audit log retention days to 90", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, 90, EnvConfig.AuditLogRetentionDays)
+	})
+
+	t.Run("should parse audit log retention days override", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("AUDIT_LOG_RETENTION_DAYS", "365")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, 365, EnvConfig.AuditLogRetentionDays)
+	})
+
+	t.Run("should fail when AUDIT_LOG_RETENTION_DAYS is non-positive", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("AUDIT_LOG_RETENTION_DAYS", "0")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "AUDIT_LOG_RETENTION_DAYS must be greater than 0")
+	})
+
 	t.Run("should parse string environment variables correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_CONNECTION_STRING", "postgres://test")
diff --git a/backend/internal/controller/app_images_controller.go b/backend/internal/controller/app_images_controller.go
index c4568377..ec3215aa 100644
--- a/backend/internal/controller/app_images_controller.go
+++ b/backend/internal/controller/app_images_controller.go
@@ -23,11 +23,13 @@ func NewAppImagesController(
 	}
 
 	group.GET("/application-images/logo", controller.getLogoHandler)
+	group.GET("/application-images/email", controller.getEmailLogoHandler)
 	group.GET("/application-images/background", controller.getBackgroundImageHandler)
 	group.GET("/application-images/favicon", controller.getFaviconHandler)
 	group.GET("/application-images/default-profile-picture", authMiddleware.Add(), controller.getDefaultProfilePicture)
 
 	group.PUT("/application-images/logo", authMiddleware.Add(), controller.updateLogoHandler)
+	group.PUT("/application-images/email", authMiddleware.Add(), controller.updateEmailLogoHandler)
 	group.PUT("/application-images/background", authMiddleware.Add(), controller.updateBackgroundImageHandler)
 	group.PUT("/application-images/favicon", authMiddleware.Add(), controller.updateFaviconHandler)
 	group.PUT("/application-images/default-profile-picture", authMiddleware.Add(), controller.updateDefaultProfilePicture)
@@ -59,6 +61,18 @@ func (c *AppImagesController) getLogoHandler(ctx *gin.Context) {
 	c.getImage(ctx, imageName)
 }
 
+// getEmailLogoHandler godoc
+// @Summary Get email logo image
+// @Description Get the email logo image for use in emails
+// @Tags Application Images
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Email logo image"
+// @Router /api/application-images/email [get]
+func (c *AppImagesController) getEmailLogoHandler(ctx *gin.Context) {
+	c.getImage(ctx, "logoEmail")
+}
+
 // getBackgroundImageHandler godoc
 // @Summary Get background image
 // @Description Get the background image for the application
@@ -124,6 +138,37 @@ func (c *AppImagesController) updateLogoHandler(ctx *gin.Context) {
 	ctx.Status(http.StatusNoContent)
 }
 
+// updateEmailLogoHandler godoc
+// @Summary Update email logo
+// @Description Update the email logo for use in emails
+// @Tags Application Images
+// @Accept multipart/form-data
+// @Param file formData file true "Email logo image file"
+// @Success 204 "No Content"
+// @Router /api/application-images/email [put]
+func (c *AppImagesController) updateEmailLogoHandler(ctx *gin.Context) {
+	file, err := ctx.FormFile("file")
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	fileType := utils.GetFileExtension(file.Filename)
+	mimeType := utils.GetImageMimeType(fileType)
+
+	if mimeType != "image/png" && mimeType != "image/jpeg" {
+		_ = ctx.Error(&common.WrongFileTypeError{ExpectedFileType: ".png or .jpg/jpeg"})
+		return
+	}
+
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "logoEmail"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
 // updateBackgroundImageHandler godoc
 // @Summary Update background image
 // @Description Update the application background image
diff --git a/backend/internal/controller/user_controller.go b/backend/internal/controller/user_controller.go
index cf87720e..d348e893 100644
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -72,7 +72,7 @@ type UserController struct {
 // @Description Retrieve all groups a specific user belongs to
 // @Tags Users,User Groups
 // @Param id path string true "User ID"
-// @Success 200 {array} dto.UserGroupDtoWithUsers
+// @Success 200 {array} dto.UserGroupDto
 // @Router /api/users/{id}/groups [get]
 func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
 	userID := c.Param("id")
@@ -82,7 +82,7 @@ func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
 		return
 	}
 
-	var groupsDto []dto.UserGroupDtoWithUsers
+	var groupsDto []dto.UserGroupDto
 	if err := dto.MapStructList(groups, &groupsDto); err != nil {
 		_ = c.Error(err)
 		return
@@ -545,7 +545,7 @@ func (uc *UserController) createSignupTokenHandler(c *gin.Context) {
 		ttl = defaultSignupTokenDuration
 	}
 
-	signupToken, err := uc.userService.CreateSignupToken(c.Request.Context(), ttl, input.UsageLimit)
+	signupToken, err := uc.userService.CreateSignupToken(c.Request.Context(), ttl, input.UsageLimit, input.UserGroupIDs)
 	if err != nil {
 		_ = c.Error(err)
 		return
diff --git a/backend/internal/controller/user_group_controller.go b/backend/internal/controller/user_group_controller.go
index ba05b20c..a0567752 100644
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -28,6 +28,7 @@ func NewUserGroupController(group *gin.RouterGroup, authMiddleware *middleware.A
 		userGroupsGroup.PUT("/:id", ugc.update)
 		userGroupsGroup.DELETE("/:id", ugc.delete)
 		userGroupsGroup.PUT("/:id/users", ugc.updateUsers)
+		userGroupsGroup.PUT("/:id/allowed-oidc-clients", ugc.updateAllowedOidcClients)
 	}
 }
 
@@ -44,7 +45,7 @@ type UserGroupController struct {
 // @Param pagination[limit] query int false "Number of items per page" default(20)
 // @Param sort[column] query string false "Column to sort by"
 // @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
-// @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
+// @Success 200 {object} dto.Paginated[dto.UserGroupMinimalDto]
 // @Router /api/user-groups [get]
 func (ugc *UserGroupController) list(c *gin.Context) {
 	searchTerm := c.Query("search")
@@ -57,9 +58,9 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 	}
 
 	// Map the user groups to DTOs
-	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
+	var groupsDto = make([]dto.UserGroupMinimalDto, len(groups))
 	for i, group := range groups {
-		var groupDto dto.UserGroupDtoWithUserCount
+		var groupDto dto.UserGroupMinimalDto
 		if err := dto.MapStruct(group, &groupDto); err != nil {
 			_ = c.Error(err)
 			return
@@ -72,7 +73,7 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 		groupsDto[i] = groupDto
 	}
 
-	c.JSON(http.StatusOK, dto.Paginated[dto.UserGroupDtoWithUserCount]{
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserGroupMinimalDto]{
 		Data:       groupsDto,
 		Pagination: pagination,
 	})
@@ -85,7 +86,7 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 // @Accept json
 // @Produce json
 // @Param id path string true "User Group ID"
-// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Success 200 {object} dto.UserGroupDto
 // @Router /api/user-groups/{id} [get]
 func (ugc *UserGroupController) get(c *gin.Context) {
 	group, err := ugc.UserGroupService.Get(c.Request.Context(), c.Param("id"))
@@ -94,7 +95,7 @@ func (ugc *UserGroupController) get(c *gin.Context) {
 		return
 	}
 
-	var groupDto dto.UserGroupDtoWithUsers
+	var groupDto dto.UserGroupDto
 	if err := dto.MapStruct(group, &groupDto); err != nil {
 		_ = c.Error(err)
 		return
@@ -110,7 +111,7 @@ func (ugc *UserGroupController) get(c *gin.Context) {
 // @Accept json
 // @Produce json
 // @Param userGroup body dto.UserGroupCreateDto true "User group information"
-// @Success 201 {object} dto.UserGroupDtoWithUsers "Created user group"
+// @Success 201 {object} dto.UserGroupDto "Created user group"
 // @Router /api/user-groups [post]
 func (ugc *UserGroupController) create(c *gin.Context) {
 	var input dto.UserGroupCreateDto
@@ -125,7 +126,7 @@ func (ugc *UserGroupController) create(c *gin.Context) {
 		return
 	}
 
-	var groupDto dto.UserGroupDtoWithUsers
+	var groupDto dto.UserGroupDto
 	if err := dto.MapStruct(group, &groupDto); err != nil {
 		_ = c.Error(err)
 		return
@@ -142,7 +143,7 @@ func (ugc *UserGroupController) create(c *gin.Context) {
 // @Produce json
 // @Param id path string true "User Group ID"
 // @Param userGroup body dto.UserGroupCreateDto true "User group information"
-// @Success 200 {object} dto.UserGroupDtoWithUsers "Updated user group"
+// @Success 200 {object} dto.UserGroupDto "Updated user group"
 // @Router /api/user-groups/{id} [put]
 func (ugc *UserGroupController) update(c *gin.Context) {
 	var input dto.UserGroupCreateDto
@@ -157,7 +158,7 @@ func (ugc *UserGroupController) update(c *gin.Context) {
 		return
 	}
 
-	var groupDto dto.UserGroupDtoWithUsers
+	var groupDto dto.UserGroupDto
 	if err := dto.MapStruct(group, &groupDto); err != nil {
 		_ = c.Error(err)
 		return
@@ -192,7 +193,7 @@ func (ugc *UserGroupController) delete(c *gin.Context) {
 // @Produce json
 // @Param id path string true "User Group ID"
 // @Param users body dto.UserGroupUpdateUsersDto true "List of user IDs to assign to this group"
-// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Success 200 {object} dto.UserGroupDto
 // @Router /api/user-groups/{id}/users [put]
 func (ugc *UserGroupController) updateUsers(c *gin.Context) {
 	var input dto.UserGroupUpdateUsersDto
@@ -207,7 +208,7 @@ func (ugc *UserGroupController) updateUsers(c *gin.Context) {
 		return
 	}
 
-	var groupDto dto.UserGroupDtoWithUsers
+	var groupDto dto.UserGroupDto
 	if err := dto.MapStruct(group, &groupDto); err != nil {
 		_ = c.Error(err)
 		return
@@ -215,3 +216,35 @@ func (ugc *UserGroupController) updateUsers(c *gin.Context) {
 
 	c.JSON(http.StatusOK, groupDto)
 }
+
+// updateAllowedOidcClients godoc
+// @Summary Update allowed OIDC clients
+// @Description Update the OIDC clients allowed for a specific user group
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param groups body dto.UserGroupUpdateAllowedOidcClientsDto true "OIDC client IDs to allow"
+// @Success 200 {object} dto.UserGroupDto "Updated user group"
+// @Router /api/user-groups/{id}/allowed-oidc-clients [put]
+func (ugc *UserGroupController) updateAllowedOidcClients(c *gin.Context) {
+	var input dto.UserGroupUpdateAllowedOidcClientsDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userGroup, err := ugc.UserGroupService.UpdateAllowedOidcClient(c.Request.Context(), c.Param("id"), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var userGroupDto dto.UserGroupDto
+	if err := dto.MapStruct(userGroup, &userGroupDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userGroupDto)
+}
diff --git a/backend/internal/dto/oidc_dto.go b/backend/internal/dto/oidc_dto.go
index 9f3239de..da26686a 100644
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -18,11 +18,12 @@ type OidcClientDto struct {
 	IsPublic           bool                     `json:"isPublic"`
 	PkceEnabled        bool                     `json:"pkceEnabled"`
 	Credentials        OidcClientCredentialsDto `json:"credentials"`
+	IsGroupRestricted  bool                     `json:"isGroupRestricted"`
 }
 
 type OidcClientWithAllowedUserGroupsDto struct {
 	OidcClientDto
-	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
+	AllowedUserGroups []UserGroupMinimalDto `json:"allowedUserGroups"`
 }
 
 type OidcClientWithAllowedGroupsCountDto struct {
@@ -43,6 +44,7 @@ type OidcClientUpdateDto struct {
 	HasDarkLogo              bool                     `json:"hasDarkLogo"`
 	LogoURL                  *string                  `json:"logoUrl"`
 	DarkLogoURL              *string                  `json:"darkLogoUrl"`
+	IsGroupRestricted        bool                     `json:"isGroupRestricted"`
 }
 
 type OidcClientCreateDto struct {
diff --git a/backend/internal/dto/signup_token_dto.go b/backend/internal/dto/signup_token_dto.go
index 92bb374a..bffd430e 100644
--- a/backend/internal/dto/signup_token_dto.go
+++ b/backend/internal/dto/signup_token_dto.go
@@ -6,15 +6,17 @@ import (
 )
 
 type SignupTokenCreateDto struct {
-	TTL        utils.JSONDuration `json:"ttl" binding:"required,ttl"`
-	UsageLimit int                `json:"usageLimit" binding:"required,min=1,max=100"`
+	TTL          utils.JSONDuration `json:"ttl" binding:"required,ttl"`
+	UsageLimit   int                `json:"usageLimit" binding:"required,min=1,max=100"`
+	UserGroupIDs []string           `json:"userGroupIds"`
 }
 
 type SignupTokenDto struct {
-	ID         string            `json:"id"`
-	Token      string            `json:"token"`
-	ExpiresAt  datatype.DateTime `json:"expiresAt"`
-	UsageLimit int               `json:"usageLimit"`
-	UsageCount int               `json:"usageCount"`
-	CreatedAt  datatype.DateTime `json:"createdAt"`
+	ID         string                `json:"id"`
+	Token      string                `json:"token"`
+	ExpiresAt  datatype.DateTime     `json:"expiresAt"`
+	UsageLimit int                   `json:"usageLimit"`
+	UsageCount int                   `json:"usageCount"`
+	UserGroups []UserGroupMinimalDto `json:"userGroups"`
+	CreatedAt  datatype.DateTime     `json:"createdAt"`
 }
diff --git a/backend/internal/dto/user_dto.go b/backend/internal/dto/user_dto.go
index 985b12d7..671142f5 100644
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -8,30 +8,31 @@ import (
 )
 
 type UserDto struct {
-	ID           string           `json:"id"`
-	Username     string           `json:"username"`
-	Email        *string          `json:"email" `
-	FirstName    string           `json:"firstName"`
-	LastName     *string          `json:"lastName"`
-	DisplayName  string           `json:"displayName"`
-	IsAdmin      bool             `json:"isAdmin"`
-	Locale       *string          `json:"locale"`
-	CustomClaims []CustomClaimDto `json:"customClaims"`
-	UserGroups   []UserGroupDto   `json:"userGroups"`
-	LdapID       *string          `json:"ldapId"`
-	Disabled     bool             `json:"disabled"`
+	ID           string                `json:"id"`
+	Username     string                `json:"username"`
+	Email        *string               `json:"email" `
+	FirstName    string                `json:"firstName"`
+	LastName     *string               `json:"lastName"`
+	DisplayName  string                `json:"displayName"`
+	IsAdmin      bool                  `json:"isAdmin"`
+	Locale       *string               `json:"locale"`
+	CustomClaims []CustomClaimDto      `json:"customClaims"`
+	UserGroups   []UserGroupMinimalDto `json:"userGroups"`
+	LdapID       *string               `json:"ldapId"`
+	Disabled     bool                  `json:"disabled"`
 }
 
 type UserCreateDto struct {
-	Username    string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
-	Email       *string `json:"email" binding:"omitempty,email" unorm:"nfc"`
-	FirstName   string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
-	LastName    string  `json:"lastName" binding:"max=50" unorm:"nfc"`
-	DisplayName string  `json:"displayName" binding:"required,min=1,max=100" unorm:"nfc"`
-	IsAdmin     bool    `json:"isAdmin"`
-	Locale      *string `json:"locale"`
-	Disabled    bool    `json:"disabled"`
-	LdapID      string  `json:"-"`
+	Username     string   `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
+	Email        *string  `json:"email" binding:"omitempty,email" unorm:"nfc"`
+	FirstName    string   `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
+	LastName     string   `json:"lastName" binding:"max=50" unorm:"nfc"`
+	DisplayName  string   `json:"displayName" binding:"required,min=1,max=100" unorm:"nfc"`
+	IsAdmin      bool     `json:"isAdmin"`
+	Locale       *string  `json:"locale"`
+	Disabled     bool     `json:"disabled"`
+	UserGroupIds []string `json:"userGroupIds"`
+	LdapID       string   `json:"-"`
 }
 
 func (u UserCreateDto) Validate() error {
diff --git a/backend/internal/dto/user_group_dto.go b/backend/internal/dto/user_group_dto.go
index 09b3d1dc..79cd8d48 100644
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -8,25 +8,17 @@ import (
 )
 
 type UserGroupDto struct {
-	ID           string            `json:"id"`
-	FriendlyName string            `json:"friendlyName"`
-	Name         string            `json:"name"`
-	CustomClaims []CustomClaimDto  `json:"customClaims"`
-	LdapID       *string           `json:"ldapId"`
-	CreatedAt    datatype.DateTime `json:"createdAt"`
+	ID                 string                  `json:"id"`
+	FriendlyName       string                  `json:"friendlyName"`
+	Name               string                  `json:"name"`
+	CustomClaims       []CustomClaimDto        `json:"customClaims"`
+	LdapID             *string                 `json:"ldapId"`
+	CreatedAt          datatype.DateTime       `json:"createdAt"`
+	Users              []UserDto               `json:"users"`
+	AllowedOidcClients []OidcClientMetaDataDto `json:"allowedOidcClients"`
 }
 
-type UserGroupDtoWithUsers struct {
-	ID           string            `json:"id"`
-	FriendlyName string            `json:"friendlyName"`
-	Name         string            `json:"name"`
-	CustomClaims []CustomClaimDto  `json:"customClaims"`
-	Users        []UserDto         `json:"users"`
-	LdapID       *string           `json:"ldapId"`
-	CreatedAt    datatype.DateTime `json:"createdAt"`
-}
-
-type UserGroupDtoWithUserCount struct {
+type UserGroupMinimalDto struct {
 	ID           string            `json:"id"`
 	FriendlyName string            `json:"friendlyName"`
 	Name         string            `json:"name"`
@@ -36,6 +28,10 @@ type UserGroupDtoWithUserCount struct {
 	CreatedAt    datatype.DateTime `json:"createdAt"`
 }
 
+type UserGroupUpdateAllowedOidcClientsDto struct {
+	OidcClientIDs []string `json:"oidcClientIds" binding:"required"`
+}
+
 type UserGroupCreateDto struct {
 	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50" unorm:"nfc"`
 	Name         string `json:"name" binding:"required,min=2,max=255" unorm:"nfc"`
diff --git a/backend/internal/job/db_cleanup_job.go b/backend/internal/job/db_cleanup_job.go
index 3e89e886..3566f858 100644
--- a/backend/internal/job/db_cleanup_job.go
+++ b/backend/internal/job/db_cleanup_job.go
@@ -10,6 +10,7 @@ import (
 	"github.com/go-co-op/gocron/v2"
 	"gorm.io/gorm"
 
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
@@ -119,11 +120,13 @@ func (j *DbCleanupJobs) clearReauthenticationTokens(ctx context.Context) error {
 	return nil
 }
 
-// ClearAuditLogs deletes audit logs older than 90 days
+// ClearAuditLogs deletes audit logs older than the configured retention window
 func (j *DbCleanupJobs) clearAuditLogs(ctx context.Context) error {
+	cutoff := time.Now().AddDate(0, 0, -common.EnvConfig.AuditLogRetentionDays)
+
 	st := j.db.
 		WithContext(ctx).
-		Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90)))
+		Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(cutoff))
 	if st.Error != nil {
 		return fmt.Errorf("failed to delete old audit logs: %w", st.Error)
 	}
diff --git a/backend/internal/model/oidc.go b/backend/internal/model/oidc.go
index 1aaebe91..0902d125 100644
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -58,6 +58,7 @@ type OidcClient struct {
 	RequiresReauthentication bool `sortable:"true" filterable:"true"`
 	Credentials              OidcClientCredentials
 	LaunchURL                *string
+	IsGroupRestricted        bool
 
 	AllowedUserGroups         []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
 	CreatedByID               *string
diff --git a/backend/internal/model/signup_token.go b/backend/internal/model/signup_token.go
index af1599aa..6ebbe9c1 100644
--- a/backend/internal/model/signup_token.go
+++ b/backend/internal/model/signup_token.go
@@ -13,6 +13,7 @@ type SignupToken struct {
 	ExpiresAt  datatype.DateTime `json:"expiresAt" sortable:"true"`
 	UsageLimit int               `json:"usageLimit" sortable:"true"`
 	UsageCount int               `json:"usageCount" sortable:"true"`
+	UserGroups []UserGroup       `gorm:"many2many:signup_tokens_user_groups;"`
 }
 
 func (st *SignupToken) IsExpired() bool {
diff --git a/backend/internal/model/user_group.go b/backend/internal/model/user_group.go
index caa670be..99a750da 100644
--- a/backend/internal/model/user_group.go
+++ b/backend/internal/model/user_group.go
@@ -2,9 +2,10 @@ package model
 
 type UserGroup struct {
 	Base
-	FriendlyName string `sortable:"true"`
-	Name         string `sortable:"true"`
-	LdapID       *string
-	Users        []User `gorm:"many2many:user_groups_users;"`
-	CustomClaims []CustomClaim
+	FriendlyName       string `sortable:"true"`
+	Name               string `sortable:"true"`
+	LdapID             *string
+	Users              []User `gorm:"many2many:user_groups_users;"`
+	CustomClaims       []CustomClaim
+	AllowedOidcClients []OidcClient `gorm:"many2many:oidc_clients_allowed_user_groups;"`
 }
diff --git a/backend/internal/service/e2etest_service.go b/backend/internal/service/e2etest_service.go
index c15f4d61..830be42b 100644
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -169,10 +169,11 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Base: model.Base{
 					ID: "606c7782-f2b1-49e5-8ea9-26eb1b06d018",
 				},
-				Name:         "Immich",
-				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
-				CallbackURLs: model.UrlList{"http://immich/auth/callback"},
-				CreatedByID:  utils.Ptr(users[1].ID),
+				Name:              "Immich",
+				Secret:            "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
+				CallbackURLs:      model.UrlList{"http://immich/auth/callback"},
+				CreatedByID:       utils.Ptr(users[1].ID),
+				IsGroupRestricted: true,
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[1],
 				},
@@ -185,6 +186,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Secret:             "$2a$10$xcRReBsvkI1XI6FG8xu/pOgzeF00bH5Wy4d/NThwcdi3ZBpVq/B9a", // n4VfQeXlTzA6yKpWbR9uJcMdSx2qH0Lo
 				CallbackURLs:       model.UrlList{"http://tailscale/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://tailscale/auth/logout/callback"},
+				IsGroupRestricted:  true,
 				CreatedByID:        utils.Ptr(users[0].ID),
 			},
 			{
@@ -349,6 +351,9 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				ExpiresAt:  datatype.DateTime(time.Now().Add(24 * time.Hour)),
 				UsageLimit: 1,
 				UsageCount: 0,
+				UserGroups: []model.UserGroup{
+					userGroups[0],
+				},
 			},
 			{
 				Base: model.Base{
diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 3f0a7e30..05affa5b 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -78,7 +78,7 @@ func SendEmail[V any](ctx context.Context, srv *EmailService, toEmail email.Addr
 
 	data := &email.TemplateData[V]{
 		AppName: dbConfig.AppName.Value,
-		LogoURL: common.EnvConfig.AppURL + "/api/application-images/logo",
+		LogoURL: common.EnvConfig.AppURL + "/api/application-images/email",
 		Data:    tData,
 	}
 
diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go
index 47c624c1..69b4c08b 100644
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -225,7 +225,7 @@ func (s *OidcService) hasAuthorizedClientInternal(ctx context.Context, clientID,
 
 // IsUserGroupAllowedToAuthorize checks if the user group of the user is allowed to authorize the client
 func (s *OidcService) IsUserGroupAllowedToAuthorize(user model.User, client model.OidcClient) bool {
-	if len(client.AllowedUserGroups) == 0 {
+	if !client.IsGroupRestricted {
 		return true
 	}
 
@@ -777,6 +777,14 @@ func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input d
 
 	updateOIDCClientModelFromDto(&client, &input)
 
+	if !input.IsGroupRestricted {
+		// Clear allowed user groups if the restriction is removed
+		err = tx.Model(&client).Association("AllowedUserGroups").Clear()
+		if err != nil {
+			return model.OidcClient{}, err
+		}
+	}
+
 	err = tx.WithContext(ctx).Save(&client).Error
 	if err != nil {
 		return model.OidcClient{}, err
@@ -815,6 +823,7 @@ func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClien
 	client.PkceEnabled = input.IsPublic || input.PkceEnabled
 	client.RequiresReauthentication = input.RequiresReauthentication
 	client.LaunchURL = input.LaunchURL
+	client.IsGroupRestricted = input.IsGroupRestricted
 
 	// Credentials
 	client.Credentials.FederatedIdentities = make([]model.OidcClientFederatedIdentity, len(input.Credentials.FederatedIdentities))
diff --git a/backend/internal/service/user_group_service.go b/backend/internal/service/user_group_service.go
index f18a66c9..c9223ae5 100644
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -53,6 +53,7 @@ func (s *UserGroupService) getInternal(ctx context.Context, id string, tx *gorm.
 		Where("id = ?", id).
 		Preload("CustomClaims").
 		Preload("Users").
+		Preload("AllowedOidcClients").
 		First(&group).
 		Error
 	return group, err
@@ -248,3 +249,54 @@ func (s *UserGroupService) GetUserCountOfGroup(ctx context.Context, id string) (
 		Count()
 	return count, nil
 }
+
+func (s *UserGroupService) UpdateAllowedOidcClient(ctx context.Context, id string, input dto.UserGroupUpdateAllowedOidcClientsDto) (group model.UserGroup, err error) {
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	group, err = s.getInternal(ctx, id, tx)
+	if err != nil {
+		return model.UserGroup{}, err
+	}
+
+	// Fetch the clients based on the client IDs
+	var clients []model.OidcClient
+	if len(input.OidcClientIDs) > 0 {
+		err = tx.
+			WithContext(ctx).
+			Where("id IN (?)", input.OidcClientIDs).
+			Find(&clients).
+			Error
+		if err != nil {
+			return model.UserGroup{}, err
+		}
+	}
+
+	// Replace the current clients with the new set of clients
+	err = tx.
+		WithContext(ctx).
+		Model(&group).
+		Association("AllowedOidcClients").
+		Replace(clients)
+	if err != nil {
+		return model.UserGroup{}, err
+	}
+
+	// Save the updated group
+	err = tx.
+		WithContext(ctx).
+		Save(&group).
+		Error
+	if err != nil {
+		return model.UserGroup{}, err
+	}
+
+	err = tx.Commit().Error
+	if err != nil {
+		return model.UserGroup{}, err
+	}
+
+	return group, nil
+}
diff --git a/backend/internal/service/user_service.go b/backend/internal/service/user_service.go
index 260e9778..315de043 100644
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -253,6 +253,18 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 		return model.User{}, &common.UserEmailNotSetError{}
 	}
 
+	var userGroups []model.UserGroup
+	if len(input.UserGroupIds) > 0 {
+		err := tx.
+			WithContext(ctx).
+			Where("id IN ?", input.UserGroupIds).
+			Find(&userGroups).
+			Error
+		if err != nil {
+			return model.User{}, err
+		}
+	}
+
 	user := model.User{
 		FirstName:   input.FirstName,
 		LastName:    input.LastName,
@@ -262,6 +274,7 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 		IsAdmin:     input.IsAdmin,
 		Locale:      input.Locale,
 		Disabled:    input.Disabled,
+		UserGroups:  userGroups,
 	}
 	if input.LdapID != "" {
 		user.LdapID = &input.LdapID
@@ -285,7 +298,13 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 
 	// Apply default groups and claims for new non-LDAP users
 	if !isLdapSync {
-		if err := s.applySignupDefaults(ctx, &user, tx); err != nil {
+		if len(input.UserGroupIds) == 0 {
+			if err := s.applyDefaultGroups(ctx, &user, tx); err != nil {
+				return model.User{}, err
+			}
+		}
+
+		if err := s.applyDefaultCustomClaims(ctx, &user, tx); err != nil {
 			return model.User{}, err
 		}
 	}
@@ -293,10 +312,9 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 	return user, nil
 }
 
-func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User, tx *gorm.DB) error {
+func (s *UserService) applyDefaultGroups(ctx context.Context, user *model.User, tx *gorm.DB) error {
 	config := s.appConfigService.GetDbConfig()
 
-	// Apply default user groups
 	var groupIDs []string
 	v := config.SignupDefaultUserGroupIDs.Value
 	if v != "" && v != "[]" {
@@ -323,10 +341,14 @@ func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User,
 			}
 		}
 	}
+	return nil
+}
+
+func (s *UserService) applyDefaultCustomClaims(ctx context.Context, user *model.User, tx *gorm.DB) error {
+	config := s.appConfigService.GetDbConfig()
 
-	// Apply default custom claims
 	var claims []dto.CustomClaimCreateDto
-	v = config.SignupDefaultCustomClaims.Value
+	v := config.SignupDefaultCustomClaims.Value
 	if v != "" && v != "[]" {
 		err := json.Unmarshal([]byte(v), &claims)
 		if err != nil {
@@ -727,12 +749,22 @@ func (s *UserService) disableUserInternal(ctx context.Context, tx *gorm.DB, user
 		Error
 }
 
-func (s *UserService) CreateSignupToken(ctx context.Context, ttl time.Duration, usageLimit int) (model.SignupToken, error) {
+func (s *UserService) CreateSignupToken(ctx context.Context, ttl time.Duration, usageLimit int, userGroupIDs []string) (model.SignupToken, error) {
 	signupToken, err := NewSignupToken(ttl, usageLimit)
 	if err != nil {
 		return model.SignupToken{}, err
 	}
 
+	var userGroups []model.UserGroup
+	err = s.db.WithContext(ctx).
+		Where("id IN ?", userGroupIDs).
+		Find(&userGroups).
+		Error
+	if err != nil {
+		return model.SignupToken{}, err
+	}
+	signupToken.UserGroups = userGroups
+
 	err = s.db.WithContext(ctx).Create(signupToken).Error
 	if err != nil {
 		return model.SignupToken{}, err
@@ -755,9 +787,11 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 	}
 
 	var signupToken model.SignupToken
+	var userGroupIDs []string
 	if tokenProvided {
 		err := tx.
 			WithContext(ctx).
+			Preload("UserGroups").
 			Where("token = ?", signupData.Token).
 			Clauses(clause.Locking{Strength: "UPDATE"}).
 			First(&signupToken).
@@ -772,14 +806,19 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 		if !signupToken.IsValid() {
 			return model.User{}, "", &common.TokenInvalidOrExpiredError{}
 		}
+
+		for _, group := range signupToken.UserGroups {
+			userGroupIDs = append(userGroupIDs, group.ID)
+		}
 	}
 
 	userToCreate := dto.UserCreateDto{
-		Username:    signupData.Username,
-		Email:       signupData.Email,
-		FirstName:   signupData.FirstName,
-		LastName:    signupData.LastName,
-		DisplayName: strings.TrimSpace(signupData.FirstName + " " + signupData.LastName),
+		Username:     signupData.Username,
+		Email:        signupData.Email,
+		FirstName:    signupData.FirstName,
+		LastName:     signupData.LastName,
+		DisplayName:  strings.TrimSpace(signupData.FirstName + " " + signupData.LastName),
+		UserGroupIds: userGroupIDs,
 	}
 
 	user, err := s.createUserInternal(ctx, userToCreate, false, tx)
@@ -820,7 +859,7 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 
 func (s *UserService) ListSignupTokens(ctx context.Context, listRequestOptions utils.ListRequestOptions) ([]model.SignupToken, utils.PaginationResponse, error) {
 	var tokens []model.SignupToken
-	query := s.db.WithContext(ctx).Model(&model.SignupToken{})
+	query := s.db.WithContext(ctx).Preload("UserGroups").Model(&model.SignupToken{})
 
 	pagination, err := utils.PaginateFilterAndSort(listRequestOptions, query, &tokens)
 	return tokens, pagination, err
diff --git a/backend/resources/images/background.webp b/backend/resources/images/background.webp
index 7950cac6..6c48fa1f 100644
Binary files a/backend/resources/images/background.webp and b/backend/resources/images/background.webp differ
diff --git a/backend/resources/images/logoEmail.png b/backend/resources/images/logoEmail.png
new file mode 100644
index 00000000..ab7bff23
Binary files /dev/null and b/backend/resources/images/logoEmail.png differ
diff --git a/backend/resources/migrations/postgres/20251217000000_signup_token_groups.down.sql b/backend/resources/migrations/postgres/20251217000000_signup_token_groups.down.sql
new file mode 100644
index 00000000..9db5aae4
--- /dev/null
+++ b/backend/resources/migrations/postgres/20251217000000_signup_token_groups.down.sql
@@ -0,0 +1 @@
+DROP TABLE signup_tokens_user_groups;
\ No newline at end of file
diff --git a/backend/resources/migrations/postgres/20251217000000_signup_token_groups.up.sql b/backend/resources/migrations/postgres/20251217000000_signup_token_groups.up.sql
new file mode 100644
index 00000000..9d7b4175
--- /dev/null
+++ b/backend/resources/migrations/postgres/20251217000000_signup_token_groups.up.sql
@@ -0,0 +1,8 @@
+CREATE TABLE signup_tokens_user_groups
+(
+    signup_token_id UUID NOT NULL,
+    user_group_id   UUID NOT NULL,
+    PRIMARY KEY (signup_token_id, user_group_id),
+    FOREIGN KEY (signup_token_id) REFERENCES signup_tokens (id) ON DELETE CASCADE,
+    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
+);
\ No newline at end of file
diff --git a/backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.down.sql b/backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.down.sql
new file mode 100644
index 00000000..f535c59b
--- /dev/null
+++ b/backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.down.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients DROP COLUMN is_group_restricted;
\ No newline at end of file
diff --git a/backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.up.sql b/backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.up.sql
new file mode 100644
index 00000000..63392cbf
--- /dev/null
+++ b/backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.up.sql
@@ -0,0 +1,10 @@
+ALTER TABLE oidc_clients
+    ADD COLUMN is_group_restricted boolean NOT NULL DEFAULT false;
+
+UPDATE oidc_clients oc
+SET is_group_restricted =
+    EXISTS (
+    SELECT 1
+    FROM oidc_clients_allowed_user_groups a
+    WHERE a.oidc_client_id = oc.id
+    );
\ No newline at end of file
diff --git a/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.down.sql b/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.down.sql
index e8dba6e4..1c556747 100644
--- a/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.down.sql
+++ b/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.down.sql
@@ -1 +1,7 @@
-ALTER TABLE one_time_access_tokens DROP COLUMN device_token;
\ No newline at end of file
+PRAGMA foreign_keys=OFF;
+BEGIN;
+
+ALTER TABLE one_time_access_tokens DROP COLUMN device_token;
+
+COMMIT;
+PRAGMA foreign_keys=ON;
diff --git a/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.up.sql b/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.up.sql
index 1aabc368..f563e91f 100644
--- a/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.up.sql
+++ b/backend/resources/migrations/sqlite/20251210000000_one_time_access_device_token.up.sql
@@ -1 +1,7 @@
-ALTER TABLE one_time_access_tokens ADD COLUMN device_token TEXT;
\ No newline at end of file
+PRAGMA foreign_keys=OFF;
+BEGIN;
+
+ALTER TABLE one_time_access_tokens ADD COLUMN device_token TEXT;
+
+COMMIT;
+PRAGMA foreign_keys=ON;
diff --git a/backend/resources/migrations/sqlite/20251217000000_signup_token_groups.down.sql b/backend/resources/migrations/sqlite/20251217000000_signup_token_groups.down.sql
new file mode 100644
index 00000000..9bf54307
--- /dev/null
+++ b/backend/resources/migrations/sqlite/20251217000000_signup_token_groups.down.sql
@@ -0,0 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+
+DROP TABLE signup_tokens_user_groups;
+
+COMMIT;
+PRAGMA foreign_keys=ON;
\ No newline at end of file
diff --git a/backend/resources/migrations/sqlite/20251217000000_signup_token_groups.up.sql b/backend/resources/migrations/sqlite/20251217000000_signup_token_groups.up.sql
new file mode 100644
index 00000000..b411a4a2
--- /dev/null
+++ b/backend/resources/migrations/sqlite/20251217000000_signup_token_groups.up.sql
@@ -0,0 +1,14 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+
+CREATE TABLE signup_tokens_user_groups
+(
+    signup_token_id TEXT NOT NULL,
+    user_group_id   TEXT NOT NULL,
+    PRIMARY KEY (signup_token_id, user_group_id),
+    FOREIGN KEY (signup_token_id) REFERENCES signup_tokens (id) ON DELETE CASCADE,
+    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
+);
+
+COMMIT;
+PRAGMA foreign_keys=ON;
\ No newline at end of file
diff --git a/backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.down.sql b/backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.down.sql
new file mode 100644
index 00000000..6e198fc7
--- /dev/null
+++ b/backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.down.sql
@@ -0,0 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+
+ALTER TABLE oidc_clients DROP COLUMN is_group_restricted;
+
+COMMIT;
+PRAGMA foreign_keys=ON;
\ No newline at end of file
diff --git a/backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.up.sql b/backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.up.sql
new file mode 100644
index 00000000..21dee24d
--- /dev/null
+++ b/backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.up.sql
@@ -0,0 +1,13 @@
+PRAGMA foreign_keys= OFF;
+BEGIN;
+
+ALTER TABLE oidc_clients
+    ADD COLUMN is_group_restricted BOOLEAN NOT NULL DEFAULT 0;
+
+UPDATE oidc_clients
+SET is_group_restricted = (SELECT CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END
+                           FROM oidc_clients_allowed_user_groups
+                           WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id);
+
+COMMIT;
+PRAGMA foreign_keys= ON;
\ No newline at end of file
diff --git a/frontend/messages/en.json b/frontend/messages/en.json
index fa05691f..50a74506 100644
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -95,7 +95,7 @@
 	"settings": "Settings",
 	"update_pocket_id": "Update Pocket ID",
 	"powered_by": "Powered by",
-	"see_your_account_activities_from_the_last_3_months": "See your account activities from the last 3 months.",
+	"see_your_recent_account_activities": "See your account activities within the configured retention period.",
 	"time": "Time",
 	"event": "Event",
 	"approximate_location": "Approximate Location",
@@ -301,16 +301,21 @@
 	"are_you_sure_you_want_to_create_a_new_client_secret": "Are you sure you want to create a new client secret? The old one will be invalidated.",
 	"generate": "Generate",
 	"new_client_secret_created_successfully": "New client secret created successfully",
-	"allowed_user_groups_updated_successfully": "Allowed user groups updated successfully",
 	"oidc_client_name": "OIDC Client {name}",
 	"client_id": "Client ID",
 	"client_secret": "Client secret",
 	"show_more_details": "Show more details",
 	"allowed_user_groups": "Allowed User Groups",
-	"add_user_groups_to_this_client_to_restrict_access_to_users_in_these_groups": "Add user groups to this client to restrict access to users in these groups. If no user groups are selected, all users will have access to this client.",
+	"allowed_user_groups_description": "Select the user groups whose members are allowed to sign in to this client.",
+	"allowed_user_groups_status_unrestricted_description": "No user group restrictions are applied. Any user can sign in to this client.",
+	"unrestrict": "Unrestrict",
+	"restrict": "Restrict",
+	"user_groups_restriction_updated_successfully": "User groups restriction updated successfully",
+	"allowed_user_groups_updated_successfully": "Allowed user groups updated successfully",
 	"favicon": "Favicon",
 	"light_mode_logo": "Light Mode Logo",
 	"dark_mode_logo": "Dark Mode Logo",
+	"email_logo": "Email Logo",
 	"background_image": "Background Image",
 	"language": "Language",
 	"reset_profile_picture_question": "Reset profile picture?",
@@ -327,7 +332,7 @@
 	"all_clients": "All Clients",
 	"all_locations": "All Locations",
 	"global_audit_log": "Global Audit Log",
-	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
+	"see_all_recent_account_activities": "View the account activities of all users during the set retention period.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
 	"new_client_authorization": "New Client Authorization",
@@ -469,5 +474,11 @@
 	"default_profile_picture": "Default Profile Picture",
 	"light": "Light",
 	"dark": "Dark",
-	"system": "System"
+	"system": "System",
+	"signup_token_user_groups_description": "Automatically assign these groups to users who sign up using this token.",
+	"allowed_oidc_clients": "Allowed OIDC Clients",
+	"allowed_oidc_clients_description": "Select the OIDC clients that members of this user group are allowed to sign in to.",
+	"unrestrict_oidc_client": "Unrestrict {clientName}",
+	"confirm_unrestrict_oidc_client_description": "Are you sure you want to unrestrict the OIDC client <b>{clientName}</b>? This will remove all group assignments for this client and any user will be able to sign in.",
+	"allowed_oidc_clients_updated_successfully": "Allowed OIDC clients updated successfully"
 }
diff --git a/frontend/src/app.css b/frontend/src/app.css
index d120917c..361a0230 100644
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -232,22 +232,19 @@
 	}
 }
 
-@keyframes slide-bg-container {
+@keyframes bg-zoom {
 	0% {
-		left: 0;
+		transform: scale(1.3);
 	}
 	100% {
-		left: 650px;
+		transform: scale(1);
 	}
 }
 
-.animate-slide-bg-container {
-	position: absolute;
-	top: 0;
-	bottom: 0;
-	left: 0;
-	right: 0;
-	animation: slide-bg-container 0.6s cubic-bezier(0.33, 1, 0.68, 1) forwards;
+.animate-bg-zoom {
+	transform-origin: center;
+	will-change: transform;
+	animation: bg-zoom 0.7s cubic-bezier(0.25, 0.1, 0.25, 1) forwards;
 }
 
 @keyframes delayed-fade {
diff --git a/frontend/src/lib/components/collapsible-card.svelte b/frontend/src/lib/components/collapsible-card.svelte
index d8fc045a..94358651 100644
--- a/frontend/src/lib/components/collapsible-card.svelte
+++ b/frontend/src/lib/components/collapsible-card.svelte
@@ -12,6 +12,8 @@
 		title,
 		description,
 		defaultExpanded = false,
+		forcedExpanded,
+		button,
 		icon,
 		children
 	}: {
@@ -19,7 +21,9 @@
 		title: string;
 		description?: string;
 		defaultExpanded?: boolean;
+		forcedExpanded?: boolean;
 		icon?: typeof IconType;
+		button?: Snippet;
 		children: Snippet;
 	} = $props();
 
@@ -47,6 +51,12 @@
 		}
 		loadExpandedState();
 	});
+
+	$effect(() => {
+		if (forcedExpanded !== undefined) {
+			expanded = forcedExpanded;
+		}
+	});
 </script>
 
 <Card.Root>
@@ -63,11 +73,18 @@
 					<Card.Description>{description}</Card.Description>
 				{/if}
 			</div>
-			<Button class="ml-10 h-8 p-3" variant="ghost" aria-label={m.expand_card()}>
-				<LucideChevronDown
-					class={cn('size-5 transition-transform duration-200', expanded && 'rotate-180 transform')}
-				/>
-			</Button>
+			{#if button}
+				{@render button()}
+			{:else}
+				<Button class="ml-10 h-8 p-3" variant="ghost" aria-label={m.expand_card()}>
+					<LucideChevronDown
+						class={cn(
+							'size-5 transition-transform duration-200',
+							expanded && 'rotate-180 transform'
+						)}
+					/>
+				</Button>
+			{/if}
 		</div>
 	</Card.Header>
 	{#if expanded}
diff --git a/frontend/src/lib/components/form/form-input.svelte b/frontend/src/lib/components/form/form-input.svelte
index e7f09e9a..e3dbaae9 100644
--- a/frontend/src/lib/components/form/form-input.svelte
+++ b/frontend/src/lib/components/form/form-input.svelte
@@ -9,6 +9,17 @@
 	import type { HTMLAttributes } from 'svelte/elements';
 	import FormattedMessage from '../formatted-message.svelte';
 
+	type WithoutChildren = {
+		children?: undefined;
+		input?: FormInput<string | boolean | number | Date | undefined>;
+		labelFor?: never;
+	};
+	type WithChildren = {
+		children: Snippet;
+		input?: any;
+		labelFor?: string;
+	};
+
 	let {
 		input = $bindable(),
 		label,
@@ -19,25 +30,25 @@
 		type = 'text',
 		children,
 		onInput,
+		labelFor,
 		...restProps
-	}: HTMLAttributes<HTMLDivElement> & {
-		input?: FormInput<string | boolean | number | Date | undefined>;
-		label?: string;
-		description?: string;
-		docsLink?: string;
-		placeholder?: string;
-		disabled?: boolean;
-		type?: 'text' | 'password' | 'email' | 'number' | 'checkbox' | 'date';
-		onInput?: (e: FormInputEvent) => void;
-		children?: Snippet;
-	} = $props();
+	}: HTMLAttributes<HTMLDivElement> &
+		(WithChildren | WithoutChildren) & {
+			label?: string;
+			description?: string;
+			docsLink?: string;
+			placeholder?: string;
+			disabled?: boolean;
+			type?: 'text' | 'password' | 'email' | 'number' | 'checkbox' | 'date';
+			onInput?: (e: FormInputEvent) => void;
+		} = $props();
 
 	const id = label?.toLowerCase().replace(/ /g, '-');
 </script>
 
 <div {...restProps}>
 	{#if label}
-		<Label required={input?.required} class="mb-0" for={id}>{label}</Label>
+		<Label required={input?.required} class="mb-0" for={labelFor ?? id}>{label}</Label>
 	{/if}
 	{#if description}
 		<p class="text-muted-foreground mt-1 text-xs">
diff --git a/frontend/src/lib/components/form/user-group-input.svelte b/frontend/src/lib/components/form/user-group-input.svelte
new file mode 100644
index 00000000..74e04eda
--- /dev/null
+++ b/frontend/src/lib/components/form/user-group-input.svelte
@@ -0,0 +1,50 @@
+<script lang="ts">
+	import SearchableMultiSelect from '$lib/components/form/searchable-multi-select.svelte';
+	import UserGroupService from '$lib/services/user-group-service';
+	import { debounced } from '$lib/utils/debounce-util';
+	import { onMount } from 'svelte';
+
+	let {
+		selectedGroupIds = $bindable()
+	}: {
+		selectedGroupIds: string[];
+	} = $props();
+
+	const userGroupService = new UserGroupService();
+
+	let userGroups = $state<{ value: string; label: string }[]>([]);
+	let isLoading = $state(false);
+
+	async function loadUserGroups(search?: string) {
+		userGroups = (await userGroupService.list({ search })).data.map((group) => ({
+			value: group.id,
+			label: group.name
+		}));
+
+		// Ensure selected groups are still in the list
+		for (const selectedGroupId of selectedGroupIds) {
+			if (!userGroups.some((g) => g.value === selectedGroupId)) {
+				const group = await userGroupService.get(selectedGroupId);
+				userGroups.push({ value: group.id, label: group.name });
+			}
+		}
+	}
+
+	const onUserGroupSearch = debounced(
+		async (search: string) => await loadUserGroups(search),
+		300,
+		(loading) => (isLoading = loading)
+	);
+
+	onMount(() => loadUserGroups());
+</script>
+
+<SearchableMultiSelect
+	id="default-groups"
+	items={userGroups}
+	oninput={(e) => onUserGroupSearch(e.currentTarget.value)}
+	selectedItems={selectedGroupIds}
+	onSelect={(selected) => (selectedGroupIds = selected)}
+	{isLoading}
+	disableInternalSearch
+/>
diff --git a/frontend/src/lib/components/header/header.svelte b/frontend/src/lib/components/header/header.svelte
index 503e1ca1..82082ccc 100644
--- a/frontend/src/lib/components/header/header.svelte
+++ b/frontend/src/lib/components/header/header.svelte
@@ -19,7 +19,7 @@
 	);
 </script>
 
-<div class=" w-full {isAuthPage ? 'absolute top-0 z-10 mt-4' : 'border-b'}">
+<div class=" w-full {isAuthPage ? 'absolute top-0 z-10 mt-3 lg:mt-8 pr-2 lg:pr-3' : 'border-b'}">
 	<div
 		class="{!isAuthPage
 			? 'max-w-[1640px]'
diff --git a/frontend/src/lib/components/login-wrapper.svelte b/frontend/src/lib/components/login-wrapper.svelte
index 4d5de56b..1216697e 100644
--- a/frontend/src/lib/components/login-wrapper.svelte
+++ b/frontend/src/lib/components/login-wrapper.svelte
@@ -48,20 +48,16 @@
 {#if isDesktop.current}
 	<div class="h-screen items-center overflow-hidden text-center">
 		<div
-			class="relative z-10 flex h-full w-[650px] p-16 {cn(
-				showAlternativeSignInMethodButton && 'pb-0',
-				animate && 'animate-delayed-fade'
+			class="relative z-10 flex h-full w-[650px] 2xl:w-[800px] p-16 {cn(
+				showAlternativeSignInMethodButton && 'pb-0'
 			)}"
 		>
 			<div class="flex h-full w-full flex-col overflow-hidden">
-				<div class="relative flex flex-grow flex-col items-center justify-center overflow-auto">
+				<div class="relative flex grow flex-col items-center justify-center overflow-auto">
 					{@render children()}
 				</div>
 				{#if showAlternativeSignInMethodButton}
-					<div
-						class="mb-4 flex items-center justify-center"
-						style={animate ? 'animation-delay: 500ms;' : ''}
-					>
+					<div class="mb-4 flex items-center justify-center">
 						<a
 							href={alternativeSignInButton.href}
 							class="text-muted-foreground text-xs transition-colors hover:underline"
@@ -73,13 +69,13 @@
 			</div>
 		</div>
 
-		<!-- Background image with slide animation -->
-		<div class="{cn(animate && 'animate-slide-bg-container')} absolute top-0 right-0 bottom-0 z-0">
+		<!-- Background image -->
+		<div class="absolute top-0 right-0 left-500px bottom-0 z-0 overflow-hidden rounded-[40px] m-6">
 			<img
 				src={cachedBackgroundImage.getUrl()}
-				class="h-screen rounded-l-[60px] object-cover {animate
-					? 'w-full'
-					: 'w-[calc(100vw-650px)]'}"
+				class="{cn(
+					animate && 'animate-bg-zoom'
+				)} h-screen object-cover w-[calc(100vw-650px)] 2xl:w-[calc(100vw-800px)]"
 				alt={m.login_background()}
 			/>
 		</div>
@@ -89,7 +85,7 @@
 		class="flex h-screen items-center justify-center bg-cover bg-center text-center"
 		style="background-image: url({cachedBackgroundImage.getUrl()});"
 	>
-		<Card.Root class="mx-3 w-full max-w-md" style={animate ? 'animation-delay: 200ms;' : ''}>
+		<Card.Root class="mx-3 w-full max-w-md">
 			<Card.CardContent
 				class="px-4 py-10 sm:p-10 {showAlternativeSignInMethodButton ? 'pb-3 sm:pb-3' : ''}"
 			>
diff --git a/frontend/src/lib/components/signup/signup-token-list-modal.svelte b/frontend/src/lib/components/signup/signup-token-list-modal.svelte
index c1581694..98ce1caf 100644
--- a/frontend/src/lib/components/signup/signup-token-list-modal.svelte
+++ b/frontend/src/lib/components/signup/signup-token-list-modal.svelte
@@ -11,7 +11,7 @@
 		AdvancedTableColumn,
 		CreateAdvancedTableActions
 	} from '$lib/types/advanced-table.type';
-	import type { SignupTokenDto } from '$lib/types/signup-token.type';
+	import type { SignupToken } from '$lib/types/signup-token.type';
 	import { axiosErrorToast } from '$lib/utils/error-util';
 	import { Copy, Trash2 } from '@lucide/svelte';
 	import { toast } from 'svelte-sonner';
@@ -23,14 +23,14 @@
 	} = $props();
 
 	const userService = new UserService();
-	let tableRef: AdvancedTable<SignupTokenDto>;
+	let tableRef: AdvancedTable<SignupToken>;
 
 	function formatDate(dateStr: string | undefined) {
 		if (!dateStr) return m.never();
 		return new Date(dateStr).toLocaleString();
 	}
 
-	async function deleteToken(token: SignupTokenDto) {
+	async function deleteToken(token: SignupToken) {
 		openConfirmDialog({
 			title: m.delete_signup_token(),
 			message: m.are_you_sure_you_want_to_delete_this_signup_token(),
@@ -58,11 +58,11 @@
 		return new Date(expiresAt) < new Date();
 	}
 
-	function isTokenUsedUp(token: SignupTokenDto) {
+	function isTokenUsedUp(token: SignupToken) {
 		return token.usageCount >= token.usageLimit;
 	}
 
-	function getTokenStatus(token: SignupTokenDto) {
+	function getTokenStatus(token: SignupToken) {
 		if (isTokenExpired(token.expiresAt)) return 'expired';
 		if (isTokenUsedUp(token)) return 'used-up';
 		return 'active';
@@ -79,7 +79,7 @@
 		}
 	}
 
-	function copySignupLink(token: SignupTokenDto) {
+	function copySignupLink(token: SignupToken) {
 		const signupLink = `${page.url.origin}/st/${token.token}`;
 		navigator.clipboard
 			.writeText(signupLink)
@@ -91,7 +91,7 @@
 			});
 	}
 
-	const columns: AdvancedTableColumn<SignupTokenDto>[] = [
+	const columns: AdvancedTableColumn<SignupToken>[] = [
 		{ label: m.token(), column: 'token', cell: TokenCell },
 		{ label: m.status(), key: 'status', cell: StatusCell },
 		{
@@ -106,7 +106,12 @@
 			sortable: true,
 			value: (item) => formatDate(item.expiresAt)
 		},
-		{ label: 'Usage Limit', column: 'usageLimit' },
+		{
+			key: 'userGroups',
+			label: m.user_groups(),
+			value: (item) => item.userGroups.map((g) => g.name).join(', '),
+			hidden: true
+		},
 		{
 			label: m.created(),
 			column: 'createdAt',
@@ -116,7 +121,7 @@
 		}
 	];
 
-	const actions: CreateAdvancedTableActions<SignupTokenDto> = (_) => [
+	const actions: CreateAdvancedTableActions<SignupToken> = (_) => [
 		{
 			label: m.copy(),
 			icon: Copy,
@@ -131,13 +136,13 @@
 	];
 </script>
 
-{#snippet TokenCell({ item }: { item: SignupTokenDto })}
+{#snippet TokenCell({ item }: { item: SignupToken })}
 	<span class="font-mono text-xs">
 		{item.token.substring(0, 3)}...{item.token.substring(Math.max(item.token.length - 4, 0))}
 	</span>
 {/snippet}
 
-{#snippet StatusCell({ item }: { item: SignupTokenDto })}
+{#snippet StatusCell({ item }: { item: SignupToken })}
 	{@const status = getTokenStatus(item)}
 	{@const statusBadge = getStatusBadge(status)}
 	<Badge class="rounded-full" variant={statusBadge.variant}>
@@ -145,7 +150,7 @@
 	</Badge>
 {/snippet}
 
-{#snippet UsageCell({ item }: { item: SignupTokenDto })}
+{#snippet UsageCell({ item }: { item: SignupToken })}
 	<div class="flex items-center gap-1">
 		{item.usageCount}
 		{m.of()}
diff --git a/frontend/src/lib/components/signup/signup-token-modal.svelte b/frontend/src/lib/components/signup/signup-token-modal.svelte
index fc948465..33e88e1d 100644
--- a/frontend/src/lib/components/signup/signup-token-modal.svelte
+++ b/frontend/src/lib/components/signup/signup-token-modal.svelte
@@ -1,16 +1,22 @@
 <script lang="ts">
 	import { page } from '$app/state';
 	import CopyToClipboard from '$lib/components/copy-to-clipboard.svelte';
+	import FormInput from '$lib/components/form/form-input.svelte';
+	import UserGroupInput from '$lib/components/form/user-group-input.svelte';
 	import Qrcode from '$lib/components/qrcode/qrcode.svelte';
 	import { Button } from '$lib/components/ui/button';
 	import * as Dialog from '$lib/components/ui/dialog';
 	import { Input } from '$lib/components/ui/input';
-	import Label from '$lib/components/ui/label/label.svelte';
 	import * as Select from '$lib/components/ui/select/index.js';
 	import { m } from '$lib/paraglide/messages';
+	import AppConfigService from '$lib/services/app-config-service';
 	import UserService from '$lib/services/user-service';
 	import { axiosErrorToast } from '$lib/utils/error-util';
+	import { preventDefault } from '$lib/utils/event-util';
+	import { createForm } from '$lib/utils/form-util';
 	import { mode } from 'mode-watcher';
+	import { onMount } from 'svelte';
+	import { z } from 'zod/v4';
 
 	let {
 		open = $bindable()
@@ -19,29 +25,74 @@
 	} = $props();
 
 	const userService = new UserService();
+	const appConfigService = new AppConfigService();
+
+	const DEFAULT_TTL_SECONDS = 60 * 60 * 24;
+	const availableExpirations = [
+		{ label: m.one_hour(), value: 60 * 60 },
+		{ label: m.twelve_hours(), value: 60 * 60 * 12 },
+		{ label: m.one_day(), value: DEFAULT_TTL_SECONDS },
+		{ label: m.one_week(), value: DEFAULT_TTL_SECONDS * 7 },
+		{ label: m.one_month(), value: DEFAULT_TTL_SECONDS * 30 }
+	] as const;
+
+	const defaultExpiration =
+		availableExpirations.find((exp) => exp.value === DEFAULT_TTL_SECONDS)?.value ??
+		availableExpirations[0].value;
+
+	type SignupTokenForm = {
+		ttl: number;
+		usageLimit: number;
+		userGroupIds: string[];
+	};
+
+	const initialFormValues: SignupTokenForm = {
+		ttl: defaultExpiration,
+		usageLimit: 1,
+		userGroupIds: []
+	};
+
+	const formSchema = z.object({
+		ttl: z.number(),
+		usageLimit: z.number().min(1).max(100),
+		userGroupIds: z.array(z.string()).default([])
+	});
+
+	const { inputs, ...form } = createForm<typeof formSchema>(formSchema, initialFormValues);
 
 	let signupToken: string | null = $state(null);
 	let signupLink: string | null = $state(null);
-	let selectedExpiration: keyof typeof availableExpirations = $state(m.one_day());
-	let usageLimit: number = $state(1);
+	let createdSignupData: SignupTokenForm | null = $state(null);
+	let isLoading = $state(false);
 
-	let availableExpirations = {
-		[m.one_hour()]: 60 * 60,
-		[m.twelve_hours()]: 60 * 60 * 12,
-		[m.one_day()]: 60 * 60 * 24,
-		[m.one_week()]: 60 * 60 * 24 * 7,
-		[m.one_month()]: 60 * 60 * 24 * 30
-	};
+	let defaultUserGroupIds: string[] = [];
+
+	function getExpirationLabel(ttl: number) {
+		return availableExpirations.find((exp) => exp.value === ttl)?.label ?? '';
+	}
+
+	function resetForm() {
+		form.reset();
+		form.setValue('userGroupIds', defaultUserGroupIds);
+	}
 
 	async function createSignupToken() {
+		const data = form.validate();
+		if (!data) return;
+
+		isLoading = true;
 		try {
 			signupToken = await userService.createSignupToken(
-				availableExpirations[selectedExpiration],
-				usageLimit
+				data.ttl,
+				data.usageLimit,
+				data.userGroupIds
 			);
 			signupLink = `${page.url.origin}/st/${signupToken}`;
+			createdSignupData = data;
 		} catch (e) {
 			axiosErrorToast(e);
+		} finally {
+			isLoading = false;
 		}
 	}
 
@@ -50,10 +101,22 @@
 		if (!isOpen) {
 			signupToken = null;
 			signupLink = null;
-			selectedExpiration = m.one_day();
-			usageLimit = 1;
+			createdSignupData = null;
+			resetForm();
 		}
 	}
+
+	onMount(() => {
+		appConfigService
+			.list(true)
+			.then((response) => {
+				const responseGroupIds = response.signupDefaultUserGroupIDs || [];
+				defaultUserGroupIds = responseGroupIds;
+				initialFormValues.userGroupIds = responseGroupIds;
+				form.setValue('userGroupIds', responseGroupIds);
+			})
+			.catch(axiosErrorToast);
+	});
 </script>
 
 <Dialog.Root {open} {onOpenChange}>
@@ -66,49 +129,57 @@
 		</Dialog.Header>
 
 		{#if signupToken === null}
-			<div class="space-y-4">
-				<div>
-					<Label for="expiration">{m.expiration()}</Label>
+			<form class="space-y-4" onsubmit={preventDefault(createSignupToken)}>
+				<FormInput labelFor="expiration" label={m.expiration()} input={$inputs.ttl}>
 					<Select.Root
 						type="single"
-						value={Object.keys(availableExpirations)[0]}
-						onValueChange={(v) => (selectedExpiration = v! as keyof typeof availableExpirations)}
+						value={$inputs.ttl.value.toString()}
+						onValueChange={(v) => v && form.setValue('ttl', Number(v))}
 					>
 						<Select.Trigger id="expiration" class="h-9 w-full">
-							{selectedExpiration}
+							{getExpirationLabel($inputs.ttl.value)}
 						</Select.Trigger>
 						<Select.Content>
-							{#each Object.keys(availableExpirations) as key}
-								<Select.Item value={key}>{key}</Select.Item>
+							{#each availableExpirations as expiration}
+								<Select.Item value={expiration.value.toString()}>
+									{expiration.label}
+								</Select.Item>
 							{/each}
 						</Select.Content>
 					</Select.Root>
-				</div>
-
-				<div>
-					<Label class="mb-0" for="usage-limit">{m.usage_limit()}</Label>
-					<p class="text-muted-foreground mt-1 mb-2 text-xs">
-						{m.number_of_times_token_can_be_used()}
-					</p>
+					{#if $inputs.ttl.error}
+						<p class="text-destructive mt-1 text-xs">{$inputs.ttl.error}</p>
+					{/if}
+				</FormInput>
+				<FormInput
+					labelFor="usage-limit"
+					label={m.usage_limit()}
+					description={m.number_of_times_token_can_be_used()}
+					input={$inputs.usageLimit}
+				>
 					<Input
 						id="usage-limit"
 						type="number"
-						min="1"
-						max="100"
-						bind:value={usageLimit}
+						bind:value={$inputs.usageLimit.value}
+						aria-invalid={$inputs.usageLimit.error ? 'true' : undefined}
 						class="h-9"
 					/>
-				</div>
-			</div>
-
-			<Dialog.Footer class="mt-4">
-				<Button
-					onclick={() => createSignupToken()}
-					disabled={!selectedExpiration || usageLimit < 1}
+				</FormInput>
+				<FormInput
+					labelFor="default-groups"
+					label={m.user_groups()}
+					description={m.signup_token_user_groups_description()}
+					input={$inputs.userGroupIds}
 				>
-					{m.create()}
-				</Button>
-			</Dialog.Footer>
+					<UserGroupInput bind:selectedGroupIds={$inputs.userGroupIds.value} />
+				</FormInput>
+
+				<Dialog.Footer class="mt-4">
+					<Button type="submit" {isLoading}>
+						{m.create()}
+					</Button>
+				</Dialog.Footer>
+			</form>
 		{:else}
 			<div class="flex flex-col items-center gap-2">
 				<Qrcode
@@ -125,8 +196,8 @@
 				</CopyToClipboard>
 
 				<div class="text-muted-foreground mt-2 text-center text-sm">
-					<p>{m.usage_limit()}: {usageLimit}</p>
-					<p>{m.expiration()}: {selectedExpiration}</p>
+					<p>{m.usage_limit()}: {createdSignupData?.usageLimit}</p>
+					<p>{m.expiration()}: {getExpirationLabel(createdSignupData?.ttl ?? 0)}</p>
 				</div>
 			</div>
 		{/if}
diff --git a/frontend/src/lib/components/table/advanced-table.svelte b/frontend/src/lib/components/table/advanced-table.svelte
index f67a4d59..1e2eb1bd 100644
--- a/frontend/src/lib/components/table/advanced-table.svelte
+++ b/frontend/src/lib/components/table/advanced-table.svelte
@@ -25,6 +25,7 @@
 		selectedIds = $bindable(),
 		withoutSearch = false,
 		selectionDisabled = false,
+		rowSelectionDisabled,
 		fetchCallback,
 		defaultSort,
 		columns,
@@ -34,6 +35,7 @@
 		selectedIds?: string[];
 		withoutSearch?: boolean;
 		selectionDisabled?: boolean;
+		rowSelectionDisabled?: (item: T) => boolean;
 		fetchCallback: (requestOptions: ListRequestOptions) => Promise<Paginated<T>>;
 		defaultSort?: SortRequest;
 		columns: AdvancedTableColumn<T>[];
@@ -91,7 +93,9 @@
 	});
 
 	async function onAllCheck(checked: boolean) {
-		const pageIds = items!.data.map((item) => item.id);
+		const pageIds = items!.data
+			.filter((item) => !rowSelectionDisabled?.(item))
+			.map((item) => item.id);
 		const current = selectedIds ?? [];
 
 		if (checked) {
@@ -264,7 +268,7 @@
 							{#if selectedIds}
 								<Table.Cell class="w-12">
 									<Checkbox
-										disabled={selectionDisabled}
+										disabled={selectionDisabled || rowSelectionDisabled?.(item)}
 										checked={selectedIds.includes(item.id)}
 										onCheckedChange={(c: boolean) => onCheck(c, item.id)}
 									/>
diff --git a/frontend/src/lib/components/user-group-selection.svelte b/frontend/src/lib/components/user-group-selection.svelte
index 19eeb0bc..81540d7a 100644
--- a/frontend/src/lib/components/user-group-selection.svelte
+++ b/frontend/src/lib/components/user-group-selection.svelte
@@ -3,7 +3,7 @@
 	import { m } from '$lib/paraglide/messages';
 	import UserGroupService from '$lib/services/user-group-service';
 	import type { AdvancedTableColumn } from '$lib/types/advanced-table.type';
-	import type { UserGroupWithUserCount } from '$lib/types/user-group.type';
+	import type { UserGroupMinimal } from '$lib/types/user-group.type';
 
 	let {
 		selectionDisabled = false,
@@ -15,7 +15,7 @@
 
 	const userGroupService = new UserGroupService();
 
-	const columns: AdvancedTableColumn<UserGroupWithUserCount>[] = [
+	const columns: AdvancedTableColumn<UserGroupMinimal>[] = [
 		{ label: 'ID', column: 'id', hidden: true },
 		{ label: m.friendly_name(), column: 'friendlyName', sortable: true },
 		{ label: m.name(), column: 'name', sortable: true },
diff --git a/frontend/src/lib/services/app-config-service.ts b/frontend/src/lib/services/app-config-service.ts
index 1e8e7f64..88386bf6 100644
--- a/frontend/src/lib/services/app-config-service.ts
+++ b/frontend/src/lib/services/app-config-service.ts
@@ -4,6 +4,7 @@ import {
 	cachedApplicationLogo,
 	cachedBackgroundImage,
 	cachedDefaultProfilePicture,
+	cachedEmailLogo,
 	cachedProfilePicture
 } from '$lib/utils/cached-image-util';
 import { get } from 'svelte/store';
@@ -46,6 +47,14 @@ export default class AppConfigService extends APIService {
 		cachedApplicationLogo.bustCache(light);
 	};
 
+	updateEmailLogo = async (emailLogo: File) => {
+		const formData = new FormData();
+		formData.append('file', emailLogo);
+
+		await this.api.put(`/application-images/email`, formData);
+		cachedEmailLogo.bustCache();
+	};
+
 	updateDefaultProfilePicture = async (defaultProfilePicture: File) => {
 		const formData = new FormData();
 		formData.append('file', defaultProfilePicture);
diff --git a/frontend/src/lib/services/user-group-service.ts b/frontend/src/lib/services/user-group-service.ts
index d10e45c9..b442ba71 100644
--- a/frontend/src/lib/services/user-group-service.ts
+++ b/frontend/src/lib/services/user-group-service.ts
@@ -1,30 +1,26 @@
 import type { ListRequestOptions, Paginated } from '$lib/types/list-request.type';
-import type {
-	UserGroupCreate,
-	UserGroupWithUserCount,
-	UserGroupWithUsers
-} from '$lib/types/user-group.type';
+import type { UserGroup, UserGroupCreate, UserGroupMinimal } from '$lib/types/user-group.type';
 import APIService from './api-service';
 
 export default class UserGroupService extends APIService {
 	list = async (options?: ListRequestOptions) => {
 		const res = await this.api.get('/user-groups', { params: options });
-		return res.data as Paginated<UserGroupWithUserCount>;
+		return res.data as Paginated<UserGroupMinimal>;
 	};
 
 	get = async (id: string) => {
 		const res = await this.api.get(`/user-groups/${id}`);
-		return res.data as UserGroupWithUsers;
+		return res.data as UserGroup;
 	};
 
 	create = async (user: UserGroupCreate) => {
 		const res = await this.api.post('/user-groups', user);
-		return res.data as UserGroupWithUsers;
+		return res.data as UserGroup;
 	};
 
 	update = async (id: string, user: UserGroupCreate) => {
 		const res = await this.api.put(`/user-groups/${id}`, user);
-		return res.data as UserGroupWithUsers;
+		return res.data as UserGroup;
 	};
 
 	remove = async (id: string) => {
@@ -33,6 +29,11 @@ export default class UserGroupService extends APIService {
 
 	updateUsers = async (id: string, userIds: string[]) => {
 		const res = await this.api.put(`/user-groups/${id}/users`, { userIds });
-		return res.data as UserGroupWithUsers;
+		return res.data as UserGroup;
+	};
+
+	updateAllowedOidcClients = async (id: string, oidcClientIds: string[]) => {
+		const res = await this.api.put(`/user-groups/${id}/allowed-oidc-clients`, { oidcClientIds });
+		return res.data as UserGroup;
 	};
 }
diff --git a/frontend/src/lib/services/user-service.ts b/frontend/src/lib/services/user-service.ts
index c53f4c4f..9f3163f0 100644
--- a/frontend/src/lib/services/user-service.ts
+++ b/frontend/src/lib/services/user-service.ts
@@ -1,6 +1,6 @@
 import userStore from '$lib/stores/user-store';
 import type { ListRequestOptions, Paginated } from '$lib/types/list-request.type';
-import type { SignupTokenDto } from '$lib/types/signup-token.type';
+import type { SignupToken } from '$lib/types/signup-token.type';
 import type { UserGroup } from '$lib/types/user-group.type';
 import type { User, UserCreate, UserSignUp } from '$lib/types/user.type';
 import { cachedProfilePicture } from '$lib/utils/cached-image-util';
@@ -76,8 +76,12 @@ export default class UserService extends APIService {
 		return res.data.token;
 	};
 
-	createSignupToken = async (ttl: string | number, usageLimit: number) => {
-		const res = await this.api.post(`/signup-tokens`, { ttl, usageLimit });
+	createSignupToken = async (
+		ttl: string | number,
+		usageLimit: number,
+		userGroupIds: string[] = []
+	) => {
+		const res = await this.api.post(`/signup-tokens`, { ttl, usageLimit, userGroupIds });
 		return res.data.token;
 	};
 
@@ -111,7 +115,7 @@ export default class UserService extends APIService {
 
 	listSignupTokens = async (options?: ListRequestOptions) => {
 		const res = await this.api.get('/signup-tokens', { params: options });
-		return res.data as Paginated<SignupTokenDto>;
+		return res.data as Paginated<SignupToken>;
 	};
 
 	deleteSignupToken = async (tokenId: string) => {
diff --git a/frontend/src/lib/types/oidc.type.ts b/frontend/src/lib/types/oidc.type.ts
index 9c926fbb..b0b37ed8 100644
--- a/frontend/src/lib/types/oidc.type.ts
+++ b/frontend/src/lib/types/oidc.type.ts
@@ -28,6 +28,7 @@ export type OidcClient = OidcClientMetaData & {
 	requiresReauthentication: boolean;
 	credentials?: OidcClientCredentials;
 	launchURL?: string;
+	isGroupRestricted: boolean;
 };
 
 export type OidcClientWithAllowedUserGroups = OidcClient & {
diff --git a/frontend/src/lib/types/signup-token.type.ts b/frontend/src/lib/types/signup-token.type.ts
index 1212f478..2d7206ff 100644
--- a/frontend/src/lib/types/signup-token.type.ts
+++ b/frontend/src/lib/types/signup-token.type.ts
@@ -1,8 +1,11 @@
-export interface SignupTokenDto {
+import type { UserGroup } from './user-group.type';
+
+export interface SignupToken {
 	id: string;
 	token: string;
 	expiresAt: string;
 	usageLimit: number;
 	usageCount: number;
+	userGroups: UserGroup[];
 	createdAt: string;
 }
diff --git a/frontend/src/lib/types/user-group.type.ts b/frontend/src/lib/types/user-group.type.ts
index 83067744..2d977d73 100644
--- a/frontend/src/lib/types/user-group.type.ts
+++ b/frontend/src/lib/types/user-group.type.ts
@@ -1,4 +1,5 @@
 import type { CustomClaim } from './custom-claim.type';
+import type { OidcClientMetaData } from './oidc.type';
 import type { User } from './user.type';
 
 export type UserGroup = {
@@ -8,13 +9,11 @@ export type UserGroup = {
 	createdAt: string;
 	customClaims: CustomClaim[];
 	ldapId?: string;
-};
-
-export type UserGroupWithUsers = UserGroup & {
 	users: User[];
+	allowedOidcClients: OidcClientMetaData[];
 };
 
-export type UserGroupWithUserCount = UserGroup & {
+export type UserGroupMinimal = Omit<UserGroup, 'users' | 'allowedOidcClients'> & {
 	userCount: number;
 };
 
diff --git a/frontend/src/lib/utils/cached-image-util.ts b/frontend/src/lib/utils/cached-image-util.ts
index bb732bd1..4f883867 100644
--- a/frontend/src/lib/utils/cached-image-util.ts
+++ b/frontend/src/lib/utils/cached-image-util.ts
@@ -20,6 +20,11 @@ export const cachedApplicationLogo: CachableImage = {
 	}
 };
 
+export const cachedEmailLogo: CachableImage = {
+	getUrl: () => getCachedImageUrl(new URL('/api/application-images/email', window.location.origin)),
+	bustCache: () => bustImageCache(new URL('/api/application-images/email', window.location.origin))
+};
+
 export const cachedDefaultProfilePicture: CachableImage = {
 	getUrl: () =>
 		getCachedImageUrl(
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index 24baaee3..597cc791 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -9,6 +9,7 @@
 	import { getWebauthnErrorMessage } from '$lib/utils/error-util';
 	import { startAuthentication } from '@simplewebauthn/browser';
 	import { fade } from 'svelte/transition';
+	import { cn } from 'tailwind-variants';
 	import LoginLogoErrorSuccessIndicator from './components/login-logo-error-success-indicator.svelte';
 
 	let { data } = $props();
@@ -55,13 +56,18 @@
 			{m.authenticate_with_passkey_to_access_account()}
 		</p>
 	{/if}
-	<div class="mt-10 flex justify-center gap-3">
+	<div class="mt-10 flex justify-center gap-3 w-full max-w-[450px]">
 		{#if $appConfigStore.allowUserSignups === 'open'}
-			<Button variant="secondary" href="/signup">
+			<Button class="w-[50%]" variant="secondary" href="/signup">
 				{m.signup()}
 			</Button>
 		{/if}
-		<Button {isLoading} onclick={authenticate} autofocus={true}>
+		<Button
+			class={cn($appConfigStore.allowUserSignups === 'open' && 'w-[50%]')}
+			{isLoading}
+			onclick={authenticate}
+			autofocus={true}
+		>
 			{error ? m.try_again() : m.authenticate()}
 		</Button>
 	</div>
diff --git a/frontend/src/routes/settings/admin/application-configuration/+page.svelte b/frontend/src/routes/settings/admin/application-configuration/+page.svelte
index 05566b01..fdecb945 100644
--- a/frontend/src/routes/settings/admin/application-configuration/+page.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/+page.svelte
@@ -42,6 +42,7 @@
 	async function updateImages(
 		logoLight: File | undefined,
 		logoDark: File | undefined,
+		logoEmail: File | undefined,
 		defaultProfilePicture: File | null | undefined,
 		backgroundImage: File | undefined,
 		favicon: File | undefined
@@ -56,6 +57,10 @@
 			? appConfigService.updateLogo(logoDark, false)
 			: Promise.resolve();
 
+		const emailLogoPromise = logoEmail
+			? appConfigService.updateEmailLogo(logoEmail)
+			: Promise.resolve();
+
 		const defaultProfilePicturePromise =
 			defaultProfilePicture === null
 				? appConfigService.deleteDefaultProfilePicture()
@@ -70,6 +75,7 @@
 		await Promise.all([
 			lightLogoPromise,
 			darkLogoPromise,
+			emailLogoPromise,
 			defaultProfilePicturePromise,
 			backgroundImagePromise,
 			faviconPromise
diff --git a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-signup-defaults-form.svelte b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-signup-defaults-form.svelte
index ad4c0bde..33e81896 100644
--- a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-signup-defaults-form.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-signup-defaults-form.svelte
@@ -1,16 +1,13 @@
 <script lang="ts">
 	import CustomClaimsInput from '$lib/components/form/custom-claims-input.svelte';
-	import SearchableMultiSelect from '$lib/components/form/searchable-multi-select.svelte';
+	import UserGroupInput from '$lib/components/form/user-group-input.svelte';
 	import { Button } from '$lib/components/ui/button';
 	import { Label } from '$lib/components/ui/label';
 	import * as Select from '$lib/components/ui/select';
 	import { m } from '$lib/paraglide/messages';
-	import UserGroupService from '$lib/services/user-group-service';
 	import appConfigStore from '$lib/stores/application-configuration-store';
 	import type { AllAppConfig } from '$lib/types/application-configuration';
-	import { debounced } from '$lib/utils/debounce-util';
 	import { preventDefault } from '$lib/utils/event-util';
-	import { onMount } from 'svelte';
 	import { toast } from 'svelte-sonner';
 
 	let {
@@ -21,14 +18,10 @@
 		callback: (updatedConfig: Partial<AllAppConfig>) => Promise<void>;
 	} = $props();
 
-	const userGroupService = new UserGroupService();
-
-	let userGroups = $state<{ value: string; label: string }[]>([]);
-	let selectedGroups = $state<{ value: string; label: string }[]>([]);
+	let selectedGroupIds = $state<string[]>(appConfig.signupDefaultUserGroupIDs || []);
 	let customClaims = $state(appConfig.signupDefaultCustomClaims || []);
 	let allowUserSignups = $state(appConfig.allowUserSignups);
 	let isLoading = $state(false);
-	let isUserSearchLoading = $state(false);
 
 	const signupOptions = {
 		disabled: {
@@ -45,42 +38,11 @@
 		}
 	};
 
-	async function loadUserGroups(search?: string) {
-		userGroups = (await userGroupService.list({ search })).data.map((group) => ({
-			value: group.id,
-			label: group.name
-		}));
-
-		// Ensure selected groups are still in the list
-		for (const selectedGroup of selectedGroups) {
-			if (!userGroups.some((g) => g.value === selectedGroup.value)) {
-				userGroups.push(selectedGroup);
-			}
-		}
-	}
-
-	async function loadSelectedGroups() {
-		selectedGroups = (
-			await Promise.all(
-				appConfig.signupDefaultUserGroupIDs.map((groupId) => userGroupService.get(groupId))
-			)
-		).map((group) => ({
-			value: group.id,
-			label: group.name
-		}));
-	}
-
-	const onUserGroupSearch = debounced(
-		async (search: string) => await loadUserGroups(search),
-		300,
-		(loading) => (isUserSearchLoading = loading)
-	);
-
 	async function onSubmit() {
 		isLoading = true;
 		await callback({
 			allowUserSignups: allowUserSignups,
-			signupDefaultUserGroupIDs: selectedGroups.map((g) => g.value),
+			signupDefaultUserGroupIDs: selectedGroupIds,
 			signupDefaultCustomClaims: customClaims
 		});
 		toast.success(m.user_creation_updated_successfully());
@@ -88,12 +50,9 @@
 	}
 
 	$effect(() => {
-		loadSelectedGroups();
 		customClaims = appConfig.signupDefaultCustomClaims || [];
 		allowUserSignups = appConfig.allowUserSignups;
 	});
-
-	onMount(() => loadUserGroups());
 </script>
 
 <form onsubmit={preventDefault(onSubmit)}>
@@ -152,17 +111,7 @@
 			<p class="text-muted-foreground mt-1 mb-2 text-xs">
 				{m.user_creation_groups_description()}
 			</p>
-			<SearchableMultiSelect
-				id="default-groups"
-				items={userGroups}
-				oninput={(e) => onUserGroupSearch(e.currentTarget.value)}
-				selectedItems={selectedGroups.map((g) => g.value)}
-				onSelect={(selected) => {
-					selectedGroups = userGroups.filter((g) => selected.includes(g.value));
-				}}
-				isLoading={isUserSearchLoading}
-				disableInternalSearch
-			/>
+			<UserGroupInput bind:selectedGroupIds />
 		</div>
 		<div>
 			<Label class="mb-0">{m.custom_claims()}</Label>
diff --git a/frontend/src/routes/settings/admin/application-configuration/update-application-images.svelte b/frontend/src/routes/settings/admin/application-configuration/update-application-images.svelte
index 8fced2f7..e59795ee 100644
--- a/frontend/src/routes/settings/admin/application-configuration/update-application-images.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/update-application-images.svelte
@@ -4,7 +4,8 @@
 	import {
 		cachedApplicationLogo,
 		cachedBackgroundImage,
-		cachedDefaultProfilePicture
+		cachedDefaultProfilePicture,
+		cachedEmailLogo
 	} from '$lib/utils/cached-image-util';
 	import ApplicationImage from './application-image.svelte';
 
@@ -14,6 +15,7 @@
 		callback: (
 			logoLight: File | undefined,
 			logoDark: File | undefined,
+			logoEmail: File | undefined,
 			defaultProfilePicture: File | null | undefined,
 			backgroundImage: File | undefined,
 			favicon: File | undefined
@@ -22,6 +24,7 @@
 
 	let logoLight = $state<File | undefined>();
 	let logoDark = $state<File | undefined>();
+	let logoEmail = $state<File | undefined>();
 	let defaultProfilePicture = $state<File | null | undefined>();
 	let backgroundImage = $state<File | undefined>();
 	let favicon = $state<File | undefined>();
@@ -54,6 +57,15 @@
 		imageURL={cachedApplicationLogo.getUrl(false)}
 		forceColorScheme="dark"
 	/>
+	<ApplicationImage
+		id="logo-email"
+		imageClass="size-24"
+		label={m.email_logo()}
+		bind:image={logoEmail}
+		imageURL={cachedEmailLogo.getUrl()}
+		accept="image/png, image/jpeg"
+		forceColorScheme="light"
+	/>
 	<ApplicationImage
 		id="default-profile-picture"
 		imageClass="size-24"
@@ -75,7 +87,8 @@
 	<Button
 		class="mt-5"
 		usePromiseLoading
-		onclick={() => callback(logoLight, logoDark, defaultProfilePicture, backgroundImage, favicon)}
+		onclick={() =>
+			callback(logoLight, logoDark, logoEmail, defaultProfilePicture, backgroundImage, favicon)}
 		>{m.save()}</Button
 	>
 </div>
diff --git a/frontend/src/routes/settings/admin/oidc-clients/[id]/+page.svelte b/frontend/src/routes/settings/admin/oidc-clients/[id]/+page.svelte
index a90bafab..857bd155 100644
--- a/frontend/src/routes/settings/admin/oidc-clients/[id]/+page.svelte
+++ b/frontend/src/routes/settings/admin/oidc-clients/[id]/+page.svelte
@@ -80,6 +80,44 @@
 		return success;
 	}
 
+	async function enableGroupRestriction() {
+		client.isGroupRestricted = true;
+		await oidcService
+			.updateClient(client.id, {
+				...client,
+				isGroupRestricted: true
+			})
+			.then(() => {
+				toast.success(m.user_groups_restriction_updated_successfully());
+				client.isGroupRestricted = true;
+			})
+			.catch(axiosErrorToast);
+	}
+
+	function disableGroupRestriction() {
+		openConfirmDialog({
+			title: m.unrestrict_oidc_client({ clientName: client.name }),
+			message: m.confirm_unrestrict_oidc_client_description({ clientName: client.name }),
+			confirm: {
+				label: m.unrestrict(),
+				destructive: true,
+				action: async () => {
+					await oidcService
+						.updateClient(client.id, {
+							...client,
+							isGroupRestricted: false
+						})
+						.then(() => {
+							toast.success(m.user_groups_restriction_updated_successfully());
+							client.allowedUserGroupIds = [];
+							client.isGroupRestricted = false;
+						})
+						.catch(axiosErrorToast);
+				}
+			}
+		});
+	}
+
 	async function createClientSecret() {
 		openConfirmDialog({
 			title: m.create_new_client_secret(),
@@ -120,6 +158,13 @@
 	<title>{m.oidc_client_name({ name: client.name })}</title>
 </svelte:head>
 
+{#snippet UnrestrictButton()}
+	<Button
+		onclick={enableGroupRestriction}
+		variant={client.isGroupRestricted ? 'secondary' : 'default'}>{m.restrict()}</Button
+	>
+{/snippet}
+
 <div>
 	<button type="button" class="text-muted-foreground flex text-sm" onclick={backNavigation.go}
 		><LucideChevronLeft class="size-5" /> {m.back()}</button
@@ -193,10 +238,19 @@
 <CollapsibleCard
 	id="allowed-user-groups"
 	title={m.allowed_user_groups()}
-	description={m.add_user_groups_to_this_client_to_restrict_access_to_users_in_these_groups()}
+	button={!client.isGroupRestricted ? UnrestrictButton : undefined}
+	forcedExpanded={client.isGroupRestricted ? undefined : false}
+	description={client.isGroupRestricted
+		? m.allowed_user_groups_description()
+		: m.allowed_user_groups_status_unrestricted_description()}
 >
-	<UserGroupSelection bind:selectedGroupIds={client.allowedUserGroupIds} />
-	<div class="mt-5 flex justify-end">
+	<UserGroupSelection
+		bind:selectedGroupIds={client.allowedUserGroupIds}
+		selectionDisabled={!client.isGroupRestricted}
+	/>
+	<div class="mt-5 flex justify-end gap-3">
+		<Button onclick={disableGroupRestriction} variant="secondary">{m.unrestrict()}</Button>
+
 		<Button onclick={() => updateUserGroupClients(client.allowedUserGroupIds)}>{m.save()}</Button>
 	</div>
 </CollapsibleCard>
diff --git a/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte b/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
index 2689e031..e1e1c504 100644
--- a/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
+++ b/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
@@ -102,7 +102,8 @@
 			logo: $inputs.logoUrl?.value ? undefined : logo,
 			logoUrl: $inputs.logoUrl?.value,
 			darkLogo: $inputs.darkLogoUrl?.value ? undefined : darkLogo,
-			darkLogoUrl: $inputs.darkLogoUrl?.value
+			darkLogoUrl: $inputs.darkLogoUrl?.value,
+			isGroupRestricted: existingClient?.isGroupRestricted ?? true
 		});
 
 		const hasLogo = logo != null || !!$inputs.logoUrl?.value;
diff --git a/frontend/src/routes/settings/admin/user-groups/[id]/+page.svelte b/frontend/src/routes/settings/admin/user-groups/[id]/+page.svelte
index bb44ff1a..768285c5 100644
--- a/frontend/src/routes/settings/admin/user-groups/[id]/+page.svelte
+++ b/frontend/src/routes/settings/admin/user-groups/[id]/+page.svelte
@@ -15,11 +15,13 @@
 	import { backNavigate } from '../../users/navigate-back-util';
 	import UserGroupForm from '../user-group-form.svelte';
 	import UserSelection from '../user-selection.svelte';
+	import OidcClientSelection from './oidc-client-selection.svelte';
 
 	let { data } = $props();
 	let userGroup = $state({
 		...data.userGroup,
-		userIds: data.userGroup.users.map((u) => u.id)
+		userIds: data.userGroup.users.map((u) => u.id),
+		allowedOidcClientIds: data.userGroup.allowedOidcClients.map((c) => c.id)
 	});
 
 	const userGroupService = new UserGroupService();
@@ -56,6 +58,17 @@
 				axiosErrorToast(e);
 			});
 	}
+
+	async function updateAllowedOidcClients(allowedClients: string[]) {
+		await userGroupService
+			.updateAllowedOidcClients(userGroup.id, allowedClients)
+			.then(() => {
+				toast.success(m.allowed_oidc_clients_updated_successfully());
+			})
+			.catch((e) => {
+				axiosErrorToast(e);
+			});
+	}
 </script>
 
 <svelte:head>
@@ -110,3 +123,16 @@
 		<Button onclick={updateCustomClaims} type="submit">{m.save()}</Button>
 	</div>
 </CollapsibleCard>
+
+<CollapsibleCard
+	id="user-group-oidc-clients"
+	title={m.allowed_oidc_clients()}
+	description={m.allowed_oidc_clients_description()}
+>
+	<OidcClientSelection bind:selectedGroupIds={userGroup.allowedOidcClientIds} />
+	<div class="mt-5 flex justify-end gap-3">
+		<Button onclick={() => updateAllowedOidcClients(userGroup.allowedOidcClientIds)}
+			>{m.save()}</Button
+		>
+	</div>
+</CollapsibleCard>
diff --git a/frontend/src/routes/settings/admin/user-groups/[id]/oidc-client-selection.svelte b/frontend/src/routes/settings/admin/user-groups/[id]/oidc-client-selection.svelte
new file mode 100644
index 00000000..552bb713
--- /dev/null
+++ b/frontend/src/routes/settings/admin/user-groups/[id]/oidc-client-selection.svelte
@@ -0,0 +1,69 @@
+<script lang="ts">
+	import ImageBox from '$lib/components/image-box.svelte';
+	import AdvancedTable from '$lib/components/table/advanced-table.svelte';
+	import { m } from '$lib/paraglide/messages';
+	import OidcService from '$lib/services/oidc-service';
+	import type { AdvancedTableColumn } from '$lib/types/advanced-table.type';
+	import type { ListRequestOptions } from '$lib/types/list-request.type';
+	import type { OidcClient } from '$lib/types/oidc.type';
+	import { cachedOidcClientLogo } from '$lib/utils/cached-image-util';
+	import { mode } from 'mode-watcher';
+
+	let {
+		selectedGroupIds = $bindable()
+	}: {
+		selectedGroupIds: string[];
+	} = $props();
+
+	const oidcClientService = new OidcService();
+
+	const isLightMode = $derived(mode.current === 'light');
+
+	const columns: AdvancedTableColumn<OidcClient>[] = [
+		{ label: 'ID', column: 'id', hidden: true },
+		{ label: m.logo(), key: 'logo', cell: LogoCell },
+		{ label: m.name(), column: 'name', sortable: true },
+		{
+			label: m.client_launch_url(),
+			column: 'launchURL',
+			hidden: true
+		},
+		{
+			label: m.public_client(),
+			column: 'isPublic',
+			sortable: true,
+			hidden: true
+		}
+	];
+
+	async function fetchCallback(requestOptions: ListRequestOptions) {
+		const clients = await oidcClientService.listClients(requestOptions);
+		const unrestrictedClientIds = clients.data.filter((c) => !c.isGroupRestricted).map((c) => c.id);
+		selectedGroupIds = [...new Set([...selectedGroupIds, ...unrestrictedClientIds])];
+
+		return clients;
+	}
+</script>
+
+{#snippet LogoCell({ item }: { item: OidcClient })}
+	{#if item.hasLogo}
+		<ImageBox
+			class="size-12 rounded-lg"
+			src={cachedOidcClientLogo.getUrl(item.id, isLightMode)}
+			alt={m.name_logo({ name: item.name })}
+		/>
+	{:else}
+		<div class="bg-muted flex size-12 items-center justify-center rounded-lg text-lg font-bold">
+			{item.name.charAt(0).toUpperCase()}
+		</div>
+	{/if}
+{/snippet}
+
+<AdvancedTable
+	id="oidc-client-selection"
+	{fetchCallback}
+	defaultSort={{ column: 'name', direction: 'asc' }}
+	bind:selectedIds={selectedGroupIds}
+	rowSelectionDisabled={(item) => !item.isGroupRestricted}
+	{columns}
+/>
diff --git a/frontend/src/routes/settings/admin/user-groups/user-group-list.svelte b/frontend/src/routes/settings/admin/user-groups/user-group-list.svelte
index 59f359df..812753df 100644
--- a/frontend/src/routes/settings/admin/user-groups/user-group-list.svelte
+++ b/frontend/src/routes/settings/admin/user-groups/user-group-list.svelte
@@ -10,19 +10,19 @@
 		AdvancedTableColumn,
 		CreateAdvancedTableActions
 	} from '$lib/types/advanced-table.type';
-	import type { UserGroup, UserGroupWithUserCount } from '$lib/types/user-group.type';
+	import type { UserGroupMinimal } from '$lib/types/user-group.type';
 	import { axiosErrorToast } from '$lib/utils/error-util';
 	import { LucidePencil, LucideTrash } from '@lucide/svelte';
 	import { toast } from 'svelte-sonner';
 
 	const userGroupService = new UserGroupService();
-	let tableRef: AdvancedTable<UserGroupWithUserCount>;
+	let tableRef: AdvancedTable<UserGroupMinimal>;
 
 	export function refresh() {
 		return tableRef?.refresh();
 	}
 
-	const columns: AdvancedTableColumn<UserGroupWithUserCount>[] = [
+	const columns: AdvancedTableColumn<UserGroupMinimal>[] = [
 		{ label: 'ID', column: 'id', hidden: true },
 		{ label: m.friendly_name(), column: 'friendlyName', sortable: true },
 		{ label: m.name(), column: 'name', sortable: true },
@@ -38,7 +38,7 @@
 		{ label: m.source(), key: 'source', hidden: !$appConfigStore.ldapEnabled, cell: SourceCell }
 	];
 
-	const actions: CreateAdvancedTableActions<UserGroupWithUserCount> = (group) => [
+	const actions: CreateAdvancedTableActions<UserGroupMinimal> = (group) => [
 		{
 			label: m.edit(),
 			primary: true,
@@ -55,7 +55,7 @@
 		}
 	];
 
-	async function deleteUserGroup(userGroup: UserGroup) {
+	async function deleteUserGroup(userGroup: UserGroupMinimal) {
 		openConfirmDialog({
 			title: m.delete_name({ name: userGroup.name }),
 			message: m.are_you_sure_you_want_to_delete_this_user_group(),
@@ -76,7 +76,7 @@
 	}
 </script>
 
-{#snippet SourceCell({ item }: { item: UserGroupWithUserCount })}
+{#snippet SourceCell({ item }: { item: UserGroupMinimal })}
 	<Badge class="rounded-full" variant={item.ldapId ? 'default' : 'outline'}>
 		{item.ldapId ? m.ldap() : m.local()}
 	</Badge>
diff --git a/frontend/src/routes/settings/admin/users/+page.svelte b/frontend/src/routes/settings/admin/users/+page.svelte
index d9fa9436..2708bbec 100644
--- a/frontend/src/routes/settings/admin/users/+page.svelte
+++ b/frontend/src/routes/settings/admin/users/+page.svelte
@@ -64,8 +64,7 @@
 								<DropdownButton.Main disabled={false} onclick={() => (expandAddUser = true)}>
 									{selectedCreateOptions}
 								</DropdownButton.Main>
-
-								<DropdownButton.DropdownTrigger>
+								<DropdownButton.DropdownTrigger aria-label="Create options">
 									<DropdownButton.Trigger class="border-l" />
 								</DropdownButton.DropdownTrigger>
 							</DropdownButton.Root>
diff --git a/frontend/svelte.config.js b/frontend/svelte.config.js
index 584c6315..1bd67d78 100644
--- a/frontend/svelte.config.js
+++ b/frontend/svelte.config.js
@@ -7,7 +7,13 @@ const config = {
 	// Consult https://kit.svelte.dev/docs/integrations#preprocessors
 	// for more information about preprocessors
 	preprocess: vitePreprocess(),
-
+	compilerOptions: {
+		warningFilter: (warning) => {
+			// Ignore "state_referenced_locally" warnings
+			if (warning.code === 'state_referenced_locally') return false;
+			return true;
+		}
+	},
 	kit: {
 		// adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list.
 		// If your environment is not supported, or you settled on a specific environment, switch out the adapter.
diff --git a/tests/data.ts b/tests/data.ts
index 01b88b6e..236ffe0c 100644
--- a/tests/data.ts
+++ b/tests/data.ts
@@ -66,7 +66,7 @@ export const oidcClients = {
 
 export const userGroups = {
 	developers: {
-		id: '4110f814-56f1-4b28-8998-752b69bc97c0e',
+		id: 'c7ae7c01-28a3-4f3c-9572-1ee734ea8368',
 		friendlyName: 'Developers',
 		name: 'developers'
 	},
diff --git a/tests/resources/images/cloud-logo.png b/tests/resources/images/cloud-logo.png
new file mode 100644
index 00000000..cb1a8e0f
Binary files /dev/null and b/tests/resources/images/cloud-logo.png differ
diff --git a/tests/resources/images/cloud-logo.svg b/tests/resources/images/cloud-logo.svg
new file mode 100644
index 00000000..1b6ea276
--- /dev/null
+++ b/tests/resources/images/cloud-logo.svg
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 1024 1024" class="icon"  version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M993.763 493.538v35c0 13.333-6.04 26.664-18.135 37.139-140.15 121.42-280.35 242.794-420.487 364.219-11.817 10.238-25.814 15.501-42.456 15.501v-35c16.642 0 30.639-5.264 42.456-15.501 140.138-121.425 280.335-242.802 420.487-364.218 12.095-10.476 18.135-23.804 18.135-37.14z" fill="#56C3E9" /><path d="M30.239 528.367v-3.5-1.75-3.5-3.5-1.75-3.5-3.5-1.75-3.5-3.5-1.75-3.5c0 14.707 6.701 29.313 19.037 40.019 138.449 120.064 277.049 239.996 415.562 360.02 13.002 11.26 28.74 16.466 47.852 16.994v35c-19.109-0.528-34.85-5.734-47.852-16.994C326.325 808.382 187.725 688.45 49.276 568.386c-12.337-10.705-19.037-25.312-19.037-40.019z" fill="#56C3E9" /><path d="M510.786 76.601c16.263 0 32.546 5.362 44.946 16.097 139.949 121.188 279.9 242.376 419.819 363.586 24.241 20.995 24.295 53.413 0.078 74.397-140.15 121.418-280.351 242.795-420.488 364.217-11.816 10.239-25.813 15.502-42.454 15.502-19.109-0.528-34.85-5.734-47.853-16.994-138.51-120.024-277.11-239.956-415.559-360.02-19.581-16.988-24.96-43.81-11.895-65.251 3.919-6.438 8.669-11.829 14.465-16.849C189.954 331.734 328.024 212.152 466.107 92.567c12.296-10.64 28.478-15.966 44.679-15.966z" fill="#7DCCDF" /><path d="M644.064 422.878v16.8c0-0.481-0.135-1.069-0.344-1.769-2.813-9.279-6.875-18.104-12.52-26.362-18.91-27.628-47.8-41.491-83.934-44.207a83.77 83.77 0 0 0-6.212-0.231c-4.07 0-8.079 0.294-12.04 0.835v-16.8a88.595 88.595 0 0 1 12.04-0.835c2.056 0 4.125 0.075 6.212 0.232 36.137 2.715 65.023 16.578 83.934 44.207 5.645 8.258 9.71 17.083 12.52 26.362 0.21 0.699 0.344 1.286 0.344 1.768" fill="#040000" /><path d="M529.016 351.144v16.8c-8.348 1.141-16.454 3.383-24.349 6.285v-16.8c7.895-2.903 16.001-5.143 24.349-6.285" fill="#040000" /><path d="M504.668 357.429v16.8a178.404 178.404 0 0 0-10.978 4.477c-5.663 2.523-11.073 5.377-16.16 8.627v-16.8c5.087-3.25 10.498-6.104 16.16-8.627a177.523 177.523 0 0 1 10.978-4.477M477.53 370.532v16.8c-4.122 2.633-8.032 5.525-11.69 8.711-0.475 0.413-0.983 0.79-1.329 1.2v-16.8c0.347-0.409 0.854-0.787 1.329-1.2 3.658-3.186 7.568-6.077 11.69-8.711" fill="#040000" /><path d="M464.511 380.443v16.8c-0.242 0.284-0.406 0.583-0.431 0.923v-16.799c0.024-0.34 0.189-0.639 0.431-0.924M464.08 381.365v16.884-16.8-0.084" fill="#040000" /><path d="M470.29 442.727v16.8c-1.208 0.163-2.39 0.245-3.545 0.245-10.169 0-18.045-6.215-18.657-15.445-0.928-14.055-8.003-25.456-23.13-32.736-6.363-3.064-13.047-4.402-19.563-4.402-2.207 0-4.398 0.153-6.549 0.447v-16.8a48.383 48.383 0 0 1 6.549-0.446c6.515 0 13.2 1.338 19.563 4.4 15.129 7.28 22.205 18.681 23.13 32.736 0.614 9.23 8.489 15.445 18.657 15.445 1.155 0 2.338-0.08 3.545-0.244M398.845 390.836v16.8a50.077 50.077 0 0 0-10.482 2.61v-16.8a50.14 50.14 0 0 1 10.482-2.61M388.362 393.448v16.8a47.943 47.943 0 0 0-9.25 4.566v-16.8a47.686 47.686 0 0 1 9.25-4.566M379.109 398.013v16.8c-3.417 2.186-6.396 4.74-8.769 7.542v-16.8c2.374-2.802 5.353-5.358 8.769-7.542M370.34 405.557v16.8c-1.546 1.827-2.833 3.754-3.821 5.749-3.071 6.199-4.696 12.486-5.083 18.922v-16.8c0.384-6.436 2.013-12.723 5.083-18.922 0.988-1.997 2.276-3.924 3.821-5.749" fill="#040000" /><path d="M470.29 442.727v16.8c-1.208 0.163-2.39 0.245-3.545 0.245-10.169 0-18.045-6.215-18.657-15.445-0.928-14.055-8.003-25.456-23.13-32.736-6.363-3.064-13.047-4.402-19.563-4.402-2.207 0-4.398 0.153-6.549 0.447v-16.8a48.383 48.383 0 0 1 6.549-0.446c6.515 0 13.2 1.338 19.563 4.4 15.129 7.28 22.205 18.681 23.13 32.736 0.614 9.23 8.489 15.445 18.657 15.445 1.155 0 2.338-0.08 3.545-0.244" fill="#040000" /><path d="M644.064 422.878v16.8c0-0.481-0.135-1.069-0.344-1.769-2.813-9.279-6.875-18.104-12.52-26.362-18.91-27.628-47.8-41.491-83.934-44.207a83.77 83.77 0 0 0-6.212-0.231c-4.07 0-8.079 0.294-12.04 0.835v-16.8a88.595 88.595 0 0 1 12.04-0.835c2.056 0 4.125 0.075 6.212 0.232 36.137 2.715 65.023 16.578 83.934 44.207 5.645 8.258 9.71 17.083 12.52 26.362 0.21 0.699 0.344 1.286 0.344 1.768" fill="#040000" /><path d="M644.073 422.921v16.8c0 0.049 0 0.098-0.004 0.146v-16.8c0.004-0.047 0.004-0.095 0.004-0.146" fill="#949394" /><path d="M644.069 423.066v16.8c-0.02 0.328-0.111 0.604-0.297 0.827v-16.8c0.186-0.221 0.278-0.496 0.297-0.827" fill="#989898" /><path d="M643.772 423.894v16.8a1.282 1.282 0 0 1-0.307 0.262v-16.8a1.22 1.22 0 0 0 0.307-0.262" fill="#949394" /><path d="M643.466 424.158v16.8c-0.11 0.075-0.24 0.137-0.39 0.191v-16.8a1.94 1.94 0 0 0 0.39-0.191" fill="#8E8E8E" /><path d="M643.076 424.348v16.8a3.896 3.896 0 0 1-0.797 0.185v-16.8c0.312-0.043 0.575-0.105 0.797-0.185" fill="#8A8A8A" /><path d="M642.279 424.532v16.8a9.381 9.381 0 0 1-1.261 0.073v-16.8a9.381 9.381 0 0 0 1.261-0.073" fill="#858585" /><path d="M483.664 425.657v16.8c0-15.981-5.512-30.333-18.51-42.416-0.778-0.725-1.076-1.299-1.076-1.792v-16.8c0 0.493 0.297 1.067 1.076 1.792 12.998 12.084 18.51 26.435 18.51 42.416" fill="#858585" /><path d="M370.34 405.557v16.8c-1.546 1.827-2.833 3.754-3.821 5.749-3.071 6.199-4.696 12.486-5.083 18.922v-16.8c0.384-6.436 2.013-12.723 5.083-18.922 0.988-1.997 2.276-3.924 3.821-5.749" fill="#040000" /><path d="M361.437 430.228v16.8a51.92 51.92 0 0 0-0.091 3.06v-16.8a48.642 48.642 0 0 1 0.091-3.06" fill="#040000" /><path d="M361.533 438.189v16.8c0-0.272-0.014-0.551-0.031-0.833a53.518 53.518 0 0 1-0.156-4.069v-16.8c0 1.35 0.053 2.704 0.156 4.069 0.02 0.283 0.031 0.561 0.031 0.833" fill="#858585" /><path d="M641.016 424.604v16.8a159.11 159.11 0 0 0-2.985-0.032c-5.223 0-10.447 0.316-15.629 1.023h-0.001v-16.8h0.001c5.182-0.708 10.406-1.022 15.629-1.022 0.886 0 1.777 0.01 2.985 0.031" fill="#858585" /><path d="M622.4 425.597v16.8a12.83 12.83 0 0 0-2.658 0.673v-16.8c0.877-0.32 1.769-0.551 2.658-0.673" fill="#8A8A8A" /><path d="M619.742 426.271v16.8c-1.07 0.392-2.116 0.923-3.108 1.557v-16.8a16.483 16.483 0 0 1 3.108-1.557" fill="#8E8E8E" /><path d="M616.634 427.831v16.8a18.585 18.585 0 0 0-4.126 3.608v-16.8a18.534 18.534 0 0 1 4.126-3.608" fill="#949394" /><path d="M612.508 431.438v16.8c-1.823 2.153-3.031 4.626-3.175 6.951v-16.8c0.144-2.325 1.352-4.798 3.175-6.951" fill="#989898" /><path d="M609.333 438.39v16.8c-0.003 0.03-0.003 0.056-0.009 0.086a50.433 50.433 0 0 0-0.069 2.375v-16.8c0-0.779 0.03-1.574 0.069-2.375 0.006-0.03 0.006-0.059 0.009-0.086" fill="#949394" /><path d="M483.662 425.656v16.8c0 1.393-0.042 2.8-0.124 4.218v0.005-16.8-0.006c0.082-1.417 0.124-2.824 0.124-4.217" fill="#040000" /><path d="M483.538 429.879v16.8c-0.134 2.248-1.489 4.919-3.447 7.226v-16.8c1.957-2.308 3.313-4.977 3.447-7.226M480.091 437.105v16.8c-1.201 1.415-2.625 2.696-4.133 3.661v-16.8c1.508-0.965 2.934-2.245 4.133-3.661M475.958 440.766v16.8a13.14 13.14 0 0 1-2.482 1.257v-16.8a13.08 13.08 0 0 0 2.482-1.257M473.473 442.022v16.8a9.46 9.46 0 0 1-1.375 0.392c-0.607 0.125-1.21 0.227-1.809 0.311v-16.8a29.761 29.761 0 0 0 1.809-0.31 9.02 9.02 0 0 0 1.375-0.393" fill="#040000" /><path d="M470.29 442.727v16.8c-1.208 0.163-2.39 0.245-3.545 0.245-10.169 0-18.045-6.215-18.657-15.445-0.928-14.055-8.003-25.456-23.13-32.736-6.363-3.064-13.047-4.402-19.563-4.402-2.207 0-4.398 0.153-6.549 0.447v-16.8a48.383 48.383 0 0 1 6.549-0.446c6.515 0 13.2 1.338 19.563 4.4 15.129 7.28 22.205 18.681 23.13 32.736 0.614 9.23 8.489 15.445 18.657 15.445 1.155 0 2.338-0.08 3.545-0.244" fill="#040000" /><path d="M715.577 512.719v16.8c0-5.979-1.147-11.892-3.533-17.442-10.727-24.923-34.171-38.619-61.396-40.119a65.195 65.195 0 0 0-3.559-0.094c-3.494 0-6.971 0.246-10.442 0.487-3.439 0.246-6.881 0.484-10.336 0.484-0.382 0-0.766-0.003-1.146-0.008-4.173-0.072-7.146-1.389-10.362-3.634-4.64-3.229-5.542-7.175-5.542-11.535v-16.8c0 4.36 0.902 8.307 5.542 11.535 3.217 2.245 6.189 3.562 10.362 3.634 0.38 0.005 0.764 0.008 1.146 0.008 3.455 0 6.896-0.237 10.336-0.484 3.47-0.24 6.948-0.486 10.442-0.486 1.185 0 2.367 0.03 3.559 0.094 27.227 1.499 50.67 15.195 61.396 40.119 2.386 5.546 3.533 11.46 3.533 17.441" fill="#040000" /><path d="M361.53 438.188v16.8c0 0.206-0.007 0.413-0.018 0.612v-16.8a8.16 8.16 0 0 0 0.018-0.612" fill="#040000" /><path d="M361.514 438.801v16.8c-0.122 2.019-0.845 3.654-1.985 4.994v-16.8c1.138-1.339 1.863-2.974 1.985-4.994M359.528 443.796v16.8c-0.707 0.833-1.575 1.553-2.555 2.179v-16.8c0.981-0.626 1.849-1.347 2.555-2.179M356.973 445.975v16.8c-0.949 0.608-2.004 1.128-3.121 1.575-4.856 1.957-9.319 4.242-13.4 6.853v-16.8c4.081-2.608 8.546-4.895 13.4-6.852 1.117-0.449 2.172-0.969 3.121-1.576M340.451 454.4v16.8c-5.94 3.794-11.07 8.268-15.42 13.393v-16.8c4.35-5.125 9.479-9.599 15.42-13.393M325.03 467.795v16.8a68.825 68.825 0 0 0-8.173 12.031c-4.417 8.217-8.184 16.667-8.724 25.629v-16.8c0.544-8.962 4.308-17.413 8.724-25.629a68.88 68.88 0 0 1 8.173-12.031M308.132 505.455v16.8a36.542 36.542 0 0 0-0.065 2.199v-16.8a35.64 35.64 0 0 1 0.065-2.199" fill="#040000" /><path d="M715.577 512.719v16.8c0-5.979-1.147-11.892-3.533-17.442-10.727-24.923-34.171-38.619-61.396-40.119a65.195 65.195 0 0 0-3.559-0.094c-3.494 0-6.971 0.246-10.442 0.487-3.439 0.246-6.881 0.484-10.336 0.484-0.382 0-0.766-0.003-1.146-0.008-4.173-0.072-7.146-1.389-10.362-3.634-4.64-3.229-5.542-7.175-5.542-11.535v-16.8c0 4.36 0.902 8.307 5.542 11.535 3.217 2.245 6.189 3.562 10.362 3.634 0.38 0.005 0.764 0.008 1.146 0.008 3.455 0 6.896-0.237 10.336-0.484 3.47-0.24 6.948-0.486 10.442-0.486 1.185 0 2.367 0.03 3.559 0.094 27.227 1.499 50.67 15.195 61.396 40.119 2.386 5.546 3.533 11.46 3.533 17.441" fill="#040000" /><path d="M283.528 518.876v16.8c0-0.622-0.05-1.239-0.923-1.594v-16.8c0.873 0.354 0.923 0.972 0.923 1.594z" fill="#58A1D8" /><path d="M283.528 518.876v16.8c0-0.622-0.05-1.239-0.923-1.594v-16.8c0.873 0.354 0.923 0.972 0.923 1.594" fill="#58A1D8" /><path d="M715.577 512.721v16.801c0 0.984-0.031 1.974-0.093 2.965v-16.8c0.062-0.991 0.093-1.98 0.093-2.966" fill="#949394" /><path d="M715.484 515.688v16.801c-0.7 11.153-5.313 22.365-13.234 31.714v-16.8c7.921-9.352 12.534-20.564 13.234-31.715" fill="#989898" /><path d="M702.25 547.402v16.8c-3.892 4.596-8.586 8.743-14.006 12.212v-16.8a62.466 62.466 0 0 0 14.006-12.212" fill="#949394" /><path d="M688.244 559.614v16.8a66.6 66.6 0 0 1-12.898 6.385v-16.8a66.6 66.6 0 0 0 12.898-6.385" fill="#8E8E8E" /><path d="M675.346 565.996v16.8a71.044 71.044 0 0 1-8.743 2.582 108.677 108.677 0 0 1-9.302 1.686v-16.8c3.113-0.427 6.212-0.984 9.302-1.687a70.523 70.523 0 0 0 8.743-2.581" fill="#8A8A8A" /><path d="M657.301 570.264v16.8c-5.26 0.719-10.559 1.06-15.907 1.064-21.129 0.007-42.255 0.01-63.379 0.01s-42.253-0.003-63.38-0.003c-24.059 0-48.12-0.005-72.178-0.005-18.047 0-36.089 0.004-54.134 0.015-15.53 0-30.162-2.731-43.738-9.356-21.611-10.539-32.044-27.403-35.915-47.848a34.872 34.872 0 0 1-0.605-6.486v-16.8c0 2.129 0.191 4.289 0.605 6.486 3.874 20.444 14.305 37.306 35.915 47.847 13.576 6.622 28.208 9.357 43.738 9.357 18.044-0.011 36.087-0.015 54.134-0.015 24.059 0 48.12 0.005 72.178 0.005 21.128 0 42.257 0.003 63.38 0.003s42.25-0.003 63.379-0.01a118.249 118.249 0 0 0 15.907-1.064" fill="#858585" /><path d="M541.056 350.31c2.056 0 4.125 0.074 6.212 0.23 36.138 2.715 65.023 16.578 83.935 44.207 5.644 8.258 9.709 17.083 12.519 26.363 0.726 2.419 0.565 3.495-2.705 3.495a158.188 158.188 0 0 0-2.985-0.031c-5.223 0-10.445 0.316-15.629 1.022-6.373 0.874-12.794 7.314-13.077 12.877-0.268 5.308 0 10.108 5.475 13.913 3.216 2.245 6.188 3.562 10.362 3.631 0.378 0.008 0.764 0.011 1.142 0.011 3.459 0 6.898-0.236 10.34-0.482 3.47-0.242 6.946-0.487 10.441-0.488 1.185 0 2.367 0.029 3.56 0.095 27.223 1.498 50.67 15.196 61.396 40.119 11.933 27.736-7.137 64.606-45.441 73.302-8.306 1.885-16.693 2.741-25.21 2.751-21.128 0.007-42.254 0.009-63.379 0.009l-63.38-0.002c-24.058 0-48.119-0.006-72.178-0.006-18.048 0-36.09 0.004-54.134 0.015-15.53 0-30.162-2.732-43.738-9.356-21.614-10.538-32.044-27.402-35.915-47.848-2.317-12.268 2.369-23.491 8.187-34.318 7.811-14.534 19.997-25.428 36.994-32.272 4.555-1.833 8.054-4.801 7.651-10.196-0.677-8.948 0.826-17.581 5.019-26.048 5.744-11.623 21.717-20.916 38.874-20.916 6.515 0 13.202 1.337 19.563 4.399 15.129 7.282 22.203 18.682 23.13 32.737 0.614 9.229 8.489 15.445 18.658 15.445a26.59 26.59 0 0 0 5.353-0.555c5.363-1.089 11.159-7.768 11.44-12.544 1.028-17.678-4.253-33.495-18.386-46.633-2.157-2.008-0.615-2.863 0.684-3.999 8.177-7.115 17.6-12.771 27.854-17.337 14.964-6.649 30.684-11.59 47.368-11.59z" fill="#F7FBFC" /><path d="M740.618 504.075c0.776 6.739 0.776 12.685 0.776 18.638-2.188 3.692-2.134 7.875-3.324 11.796-9.02 29.504-38.997 52.829-74.049 57.43a132.892 132.892 0 0 1-17.389 1.159c-51.658 0.03-103.33 0.05-154.99 0.05-35.995 0-71.981-0.011-107.977-0.038-34.534-0.029-62.446-11.828-82.928-36.08-9.394-11.129-14.897-23.719-17.176-37.363-0.142-0.829 0.292-1.877-0.957-2.381v-18.629c2.305-5.779 2.851-11.941 5.29-17.72 8.801-20.796 23.204-37.677 45.312-49.217 2.336-1.223 3.053-2.513 3.104-4.865 0.721-33.457 31.243-58.83 68.943-58.83 2.55 0 5.127 0.116 7.735 0.353 7.287 0.664 14.345 2.357 20.906 5.247 0.753 0.332 1.383 0.511 1.957 0.511 0.886 0 1.634-0.424 2.479-1.358 15.049-16.647 34.101-28.737 56.792-36.395 16.368-5.524 32.615-8.327 48.657-8.327 20.657 0 40.978 4.645 60.801 14.098 32.205 15.355 52.98 39.012 63.212 69.583 2.329 6.949 3.639 14.098 4.335 21.312 0.171 1.779 0.896 2.546 2.953 3.16 37.599 11.176 59.371 33.89 65.538 67.866z m-74.016 64.502c38.305-8.695 57.375-45.568 45.442-73.303-10.727-24.922-34.171-38.619-61.396-40.119a65.195 65.195 0 0 0-3.559-0.094c-3.494 0-6.971 0.246-10.442 0.487-3.439 0.246-6.881 0.484-10.336 0.484-0.382 0-0.766-0.003-1.146-0.008-4.173-0.072-7.146-1.389-10.362-3.634-5.47-3.805-5.743-8.605-5.47-13.913 0.278-5.563 6.7-12.002 13.074-12.876 5.183-0.708 10.405-1.022 15.628-1.022 0.888 0 1.777 0.011 2.664 0.03 3.589 0.002 3.748-1.072 3.023-3.493-2.812-9.279-6.874-18.104-12.518-26.362-18.911-27.629-47.801-41.491-83.935-44.206a83.773 83.773 0 0 0-6.212-0.232c-16.686 0-32.404 4.943-47.365 11.597-10.252 4.567-19.677 10.223-27.851 17.338-1.304 1.134-2.844 1.989-0.686 3.999 14.131 13.137 19.414 28.954 18.384 46.633-0.283 4.774-6.077 11.455-11.44 12.542a26.665 26.665 0 0 1-5.354 0.555c-10.169 0-18.045-6.215-18.657-15.445-0.927-14.055-8.003-25.456-23.13-32.736-6.363-3.062-13.047-4.4-19.562-4.4-17.158 0-33.132 9.293-38.875 20.916-4.193 8.467-5.693 17.101-5.02 26.049 0.403 5.395-3.094 8.363-7.649 10.194-16.999 6.847-29.183 17.739-36.994 32.276-5.817 10.823-10.502 22.05-8.187 34.316 3.872 20.444 14.305 37.307 35.915 47.848 13.576 6.623 28.208 9.36 43.664 9.36 18.116-0.016 36.161-0.019 54.208-0.019 24.058 0 48.12 0.006 72.178 0.006 21.128 0 42.253 0.004 63.38 0.004 21.124 0 42.249-0.004 63.377-0.012 8.516-0.019 16.904-0.874 25.209-2.76" fill="#56C3E9" /><path d="M283.528 535.929v-16.8c0 0.188 0.004 0.368 0.033 0.539 2.279 13.643 7.782 26.23 17.176 37.362 20.483 24.251 48.396 36.053 82.928 36.08 35.995 0.028 71.982 0.037 107.976 0.037 51.661 0 103.331-0.022 154.99-0.05 5.819 0 11.604-0.397 17.39-1.157 35.049-4.601 65.026-27.927 74.051-57.431 1.188-3.921 1.138-8.104 3.325-11.796v16.8c-2.189 3.693-2.137 7.875-3.325 11.796-9.022 29.504-38.999 52.83-74.051 57.431-5.785 0.76-11.57 1.158-17.39 1.158-51.657 0.029-103.329 0.049-154.99 0.049-35.995 0-71.981-0.011-107.976-0.037-34.534-0.03-62.445-11.829-82.928-36.08-9.394-11.129-14.897-23.715-17.176-37.362a3.409 3.409 0 0 1-0.033-0.539z" fill="#58A1D8" /><path d="M741.395 522.711v16.8c-2.188 3.693-2.134 7.875-3.324 11.797-2.839 9.29-7.761 17.967-14.262 25.642v-16.801c6.501-7.674 11.42-16.354 14.262-25.642 1.187-3.921 1.136-8.103 3.324-11.796M723.809 560.148v16.801c-5.583 6.592-12.336 12.442-19.94 17.302V577.45c7.604-4.858 14.357-10.709 19.94-17.302M703.868 577.453v16.8a97.065 97.065 0 0 1-18.758 9.29v-16.8a97.094 97.094 0 0 0 18.758-9.29M685.107 586.743v16.8a98.029 98.029 0 0 1-20.576 5.126v-16.8a98.338 98.338 0 0 0 20.576-5.126M664.531 591.869v16.8c-0.169 0.026-0.34 0.047-0.51 0.069-5.784 0.762-11.57 1.16-17.389 1.16-51.658 0.029-103.33 0.049-154.99 0.049-35.995 0-71.981-0.011-107.977-0.037-34.534-0.03-62.446-11.829-82.928-36.08-9.394-11.129-14.897-23.717-17.176-37.362a3.16 3.16 0 0 1-0.033-0.539v-16.8c0 0.187 0.004 0.368 0.033 0.539 2.279 13.643 7.782 26.23 17.176 37.362 20.484 24.251 48.396 36.053 82.928 36.08 35.996 0.028 71.982 0.037 107.977 0.037 51.66 0 103.331-0.022 154.99-0.05 5.818 0 11.604-0.397 17.389-1.157 0.17-0.025 0.341-0.047 0.51-0.071" fill="#58A1D8" /></svg>
\ No newline at end of file
diff --git a/tests/resources/images/nextcloud-logo.png b/tests/resources/images/nextcloud-logo.png
deleted file mode 100644
index 5d4e8e06..00000000
Binary files a/tests/resources/images/nextcloud-logo.png and /dev/null differ
diff --git a/tests/specs/application-configuration.spec.ts b/tests/specs/application-configuration.spec.ts
index 1f7e56f2..a0a82692 100644
--- a/tests/specs/application-configuration.spec.ts
+++ b/tests/specs/application-configuration.spec.ts
@@ -116,30 +116,53 @@ test('Update email configuration', async ({ page }) => {
 	await expect(page.getByLabel('API Key Expiration')).toBeChecked();
 });
 
-test('Update application images', async ({ page }) => {
-	await page.getByRole('button', { name: 'Expand card' }).nth(4).click();
+test.describe('Update application images', () => {
+	test.beforeEach(async ({ page }) => {
+		await page.getByRole('button', { name: 'Expand card' }).nth(4).click();
+	});
 
-	await page.getByLabel('Favicon').setInputFiles('resources/images/w3-schools-favicon.ico');
-	await page.getByLabel('Light Mode Logo').setInputFiles('resources/images/pingvin-share-logo.png');
-	await page.getByLabel('Dark Mode Logo').setInputFiles('resources/images/nextcloud-logo.png');
-		await page.getByLabel('Default Profile Picture').setInputFiles('resources/images/pingvin-share-logo.png');
-    await page.getByLabel('Background Image').setInputFiles('resources/images/clouds.jpg');
-	await page.getByRole('button', { name: 'Save' }).last().click();
+	test('should upload images', async ({ page }) => {
+		await page.getByLabel('Favicon').setInputFiles('resources/images/w3-schools-favicon.ico');
+		await page
+			.getByLabel('Light Mode Logo')
+			.setInputFiles('resources/images/pingvin-share-logo.png');
+		await page.getByLabel('Dark Mode Logo').setInputFiles('resources/images/cloud-logo.png');
+		await page.getByLabel('Email Logo').setInputFiles('assets/pingvin-share-logo.png');
+		await page
+			.getByLabel('Default Profile Picture')
+			.setInputFiles('resources/images/pingvin-share-logo.png');
+		await page.getByLabel('Background Image').setInputFiles('resources/images/clouds.jpg');
+		await page.getByRole('button', { name: 'Save' }).last().click();
 
-	await expect(page.locator('[data-type="success"]')).toHaveText(
-		'Images updated successfully. It may take a few minutes to update.'
-	);
+		await expect(page.locator('[data-type="success"]')).toHaveText(
+			'Images updated successfully. It may take a few minutes to update.'
+		);
 
-	await page.request
-		.get('/api/application-images/favicon')
-		.then((res) => expect.soft(res.status()).toBe(200));
-	await page.request
-		.get('/api/application-images/logo?light=true')
-		.then((res) => expect.soft(res.status()).toBe(200));
-	await page.request
-		.get('/api/application-images/logo?light=false')
-		.then((res) => expect.soft(res.status()).toBe(200));
-	await page.request
-		.get('/api/application-images/background')
-		.then((res) => expect.soft(res.status()).toBe(200));
+		await page.request
+			.get('/api/application-images/favicon')
+			.then((res) => expect.soft(res.status()).toBe(200));
+		await page.request
+			.get('/api/application-images/logo?light=true')
+			.then((res) => expect.soft(res.status()).toBe(200));
+		await page.request
+			.get('/api/application-images/logo?light=false')
+			.then((res) => expect.soft(res.status()).toBe(200));
+		await page.request
+			.get('/api/application-images/email')
+			.then((res) => expect.soft(res.status()).toBe(200));
+		await page.request
+			.get('/api/application-images/background')
+			.then((res) => expect.soft(res.status()).toBe(200));
+	});
+
+	test('should only allow png/jpeg for email logo', async ({ page }) => {
+		const emailLogoInput = page.getByLabel('Email Logo');
+
+		await emailLogoInput.setInputFiles('assets/cloud-logo.svg');
+		await page.getByRole('button', { name: 'Save' }).last().click();
+
+		await expect(page.locator('[data-type="error"]')).toHaveText(
+			'File must be of type .png or .jpg/jpeg'
+		);
+	});
 });
diff --git a/tests/specs/oidc-client-settings.spec.ts b/tests/specs/oidc-client-settings.spec.ts
index c847733b..e4c198d2 100644
--- a/tests/specs/oidc-client-settings.spec.ts
+++ b/tests/specs/oidc-client-settings.spec.ts
@@ -1,5 +1,5 @@
 import test, { expect, Page } from '@playwright/test';
-import { oidcClients } from '../data';
+import { oidcClients, userGroups } from '../data';
 import { cleanupBackend } from '../utils/cleanup.util';
 
 test.beforeEach(async () => await cleanupBackend());
@@ -71,9 +71,9 @@ test('Edit OIDC client', async ({ page }) => {
 	await page.getByLabel('Name').fill('Nextcloud updated');
 	await page.getByTestId('callback-url-1').first().fill('http://nextcloud-updated/auth/callback');
 	await page.locator('[role="tab"][data-value="light-logo"]').first().click();
-	await page.setInputFiles('#oidc-client-logo-light', 'resources/images/nextcloud-logo.png');
+	await page.setInputFiles('#oidc-client-logo-light', 'resources/images/cloud-logo.png');
 	await page.locator('[role="tab"][data-value="dark-logo"]').first().click();
-	await page.setInputFiles('#oidc-client-logo-dark', 'resources/images/nextcloud-logo.png');
+	await page.setInputFiles('#oidc-client-logo-dark', 'resources/images/cloud-logo.png');
 	await page.getByLabel('Client Launch URL').fill(oidcClient.launchURL);
 	await page.getByRole('button', { name: 'Save' }).click();
 
@@ -117,3 +117,25 @@ test('Delete OIDC client', async ({ page }) => {
 	);
 	await expect(page.getByRole('row', { name: oidcClient.name })).not.toBeVisible();
 });
+
+test('Update OIDC client allowed user groups', async ({ page }) => {
+	await page.goto(`/settings/admin/oidc-clients/${oidcClients.nextcloud.id}`);
+
+	await page.getByRole('button', { name: 'Restrict' }).click();
+
+	await page.getByRole('row', { name: userGroups.designers.name }).getByRole('checkbox').click();
+	await page.getByRole('row', { name: userGroups.developers.name }).getByRole('checkbox').click();
+
+	await page.getByRole('button', { name: 'Save' }).nth(1).click();
+
+	await expect(page.getByText('Allowed user groups updated successfully')).toBeVisible();
+
+	await page.reload();
+
+	await expect(
+		page.getByRole('row', { name: userGroups.designers.name }).getByRole('checkbox')
+	).toHaveAttribute('data-state', 'checked');
+	await expect(
+		page.getByRole('row', { name: userGroups.developers.name }).getByRole('checkbox')
+	).toHaveAttribute('data-state', 'checked');
+});
diff --git a/tests/specs/user-group.spec.ts b/tests/specs/user-group.spec.ts
index 7deb39b0..590cce1a 100644
--- a/tests/specs/user-group.spec.ts
+++ b/tests/specs/user-group.spec.ts
@@ -1,5 +1,5 @@
 import test, { expect } from '@playwright/test';
-import { userGroups, users } from '../data';
+import { oidcClients, userGroups, users } from '../data';
 import { cleanupBackend } from '../utils/cleanup.util';
 
 test.beforeEach(async () => await cleanupBackend());
@@ -77,7 +77,7 @@ test('Delete user group', async ({ page }) => {
 test('Update user group custom claims', async ({ page }) => {
 	await page.goto(`/settings/admin/user-groups/${userGroups.designers.id}`);
 
-	await page.getByRole('button', { name: 'Expand card' }).click();
+	await page.getByRole('button', { name: 'Expand card' }).first().click();
 
 	// Add two custom claims
 	await page.getByRole('button', { name: 'Add custom claim' }).click();
@@ -119,3 +119,34 @@ test('Update user group custom claims', async ({ page }) => {
 	await expect(page.getByPlaceholder('Key').first()).toHaveValue('customClaim2');
 	await expect(page.getByPlaceholder('Value').first()).toHaveValue('customClaim2_value');
 });
+
+test('Update user group allowed user groups', async ({ page }) => {
+	await page.goto(`/settings/admin/user-groups/${userGroups.designers.id}`);
+
+	await page.getByRole('button', { name: 'Expand card' }).nth(1).click();
+
+	// Unrestricted OIDC clients should be checked and disabled
+	const nextcloudRow = page
+		.getByRole('row', { name: oidcClients.nextcloud.name })
+		.getByRole('checkbox');
+	await expect(nextcloudRow).toHaveAttribute('data-state', 'checked');
+	await expect(nextcloudRow).toBeDisabled();
+
+	await page.getByRole('row', { name: oidcClients.tailscale.name }).getByRole('checkbox').click();
+	await page.getByRole('row', { name: oidcClients.immich.name }).getByRole('checkbox').click();
+
+	await page.getByRole('button', { name: 'Save' }).nth(2).click();
+
+	await expect(page.locator('[data-type="success"]')).toHaveText(
+		'Allowed OIDC clients updated successfully'
+	);
+
+	await page.reload();
+
+	await expect(
+		page.getByRole('row', { name: oidcClients.tailscale.name }).getByRole('checkbox')
+	).toHaveAttribute('data-state', 'checked');
+	await expect(
+		page.getByRole('row', { name: oidcClients.immich.name }).getByRole('checkbox')
+	).toHaveAttribute('data-state', 'unchecked');
+});
diff --git a/tests/specs/user-signup.spec.ts b/tests/specs/user-signup.spec.ts
index 4644f980..8cb48b30 100644
--- a/tests/specs/user-signup.spec.ts
+++ b/tests/specs/user-signup.spec.ts
@@ -1,9 +1,13 @@
 import test, { expect, type Page } from '@playwright/test';
-import { signupTokens, users } from '../data';
+import { signupTokens, userGroups, users } from '../data';
 import { cleanupBackend } from '../utils/cleanup.util';
 import passkeyUtil from '../utils/passkey.util';
 
-async function setSignupMode(page: Page, mode: 'Disabled' | 'Signup with token' | 'Open Signup') {
+async function setSignupMode(
+	page: Page,
+	mode: 'Disabled' | 'Signup with token' | 'Open Signup',
+	signout = true
+) {
 	await page.goto('/settings/admin/application-configuration');
 
 	await page.getByRole('button', { name: 'Expand card' }).nth(1).click();
@@ -15,10 +19,51 @@ async function setSignupMode(page: Page, mode: 'Disabled' | 'Signup with token'
 		'User creation settings updated successfully.'
 	);
 
-	await page.context().clearCookies();
-	await page.goto('/login');
+	if (signout) {
+		await page.context().clearCookies();
+		await page.goto('/login');
+	}
 }
 
+test.describe('Signup Token Creation', () => {
+	test.beforeEach(async ({ page }) => {
+		await cleanupBackend();
+		await setSignupMode(page, 'Signup with token', false);
+	});
+
+	test('Create signup token', async ({ page }) => {
+		await page.goto('/settings/admin/users');
+
+		await page.getByLabel('Create options').getByRole('button').click();
+		await page.getByRole('menuitem', { name: 'Create Signup Token' }).click();
+		await page.getByLabel('Expiration').click();
+		await page.getByRole('option', { name: 'week' }).click();
+
+		await page.getByLabel('Usage Limit').fill('8');
+
+		await page.getByLabel('User Groups').click();
+		await page.getByRole('option', { name: userGroups.developers.name }).click();
+		await page.getByRole('option', { name: userGroups.designers.name }).click();
+		await page.getByLabel('User Groups').click();
+
+		await page.getByRole('button', { name: 'Create', exact: true }).click();
+		await page.getByRole('button', { name: 'Close' }).click();
+
+		await page.getByLabel('Create options').getByRole('button').click();
+		await page.getByRole('menuitem', { name: 'View Active Signup Tokens' }).click();
+		await page.getByLabel('Manage Signup Tokens').getByRole('button', { name: 'View' }).click();
+
+		await page.getByRole('menuitemcheckbox', { name: 'User Groups' }).click();
+
+		const row = page.getByRole('row').last();
+		await expect(row.getByRole('cell', { name: '0 of 8' })).toBeVisible();
+		const dateInAWeek = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toLocaleDateString('en-US');
+		await expect(row.getByRole('cell', { name: dateInAWeek })).toBeVisible();
+		await expect(row.getByRole('cell', { name: userGroups.developers.name })).toBeVisible();
+		await expect(row.getByRole('cell', { name: userGroups.designers.name })).toBeVisible();
+	});
+});
+
 test.describe('Initial User Signup', () => {
 	test.beforeEach(async ({ page }) => {
 		await page.context().clearCookies();
@@ -74,6 +119,9 @@ test.describe('User Signup', () => {
 
 			await page.waitForURL('/signup/add-passkey');
 			await expect(page.getByText('Set up your passkey')).toBeVisible();
+
+			const response = await page.request.get('/api/users/me').then((res) => res.json());
+			expect(response.userGroups.map((g) => g.id)).toContain(userGroups.developers.id);
 		});
 
 		test('Signup with token - invalid token shows error', async ({ page }) => {