diff --git a/.gitignore b/.gitignore
index cb7a921..4532edb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,6 @@ vendor/
 vendor/
 go.work
 /cmd/sandworm/sandworm
+/sandworm.db
+/sandworm.db-shm
+/sandworm.db-wal
diff --git a/README.md b/README.md
index e395606..6c3b44b 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,49 @@ Allow mode (default) — only the listed domains/CIDRs are reachable:
 sandworm --port 2137 --domains "github.com,golang.org" --cidrs "10.0.0.0/8"
 ```
 
+## Simple Token Translation Workflow
+
+Start `sandworm` with SQLite-backed token translation enabled:
+
+```bash
+sandworm \
+  --port 2137 \
+  --domains "api.openai.com,api.github.com,github.com" \
+  --translate-tokens
+```
+
+Add bearer-token mappings for APIs that should receive translated secrets:
+
+```bash
+sandworm token add bearer --host api.openai.com \
+  --path /v1/ \
+  --secret "$OPENAI_API_KEY" \
+  --placeholder OPENAI_PLACEHOLDER
+
+sandworm token add bearer --host api.github.com \
+  --secret "$GITHUB_TOKEN" \
+  --placeholder GITHUB_PLACEHOLDER
+```
+
+Generate a sourceable shell config with proxy env vars and the local CA:
+
+```bash
+sandworm token config --host 127.0.0.1 --port 2137 > sandworm-env.sh
+source ./sandworm-env.sh
+```
+
+Clients can then use placeholders instead of real tokens:
+
+```bash
+curl https://api.openai.com/v1/models \
+  -H 'Authorization: Bearer OPENAI_PLACEHOLDER'
+
+curl https://api.github.com/user \
+  -H 'Authorization: Bearer GITHUB_PLACEHOLDER'
+```
+
+`sandworm` rewrites the outbound requests using the real values stored in SQLite.
+
 Block mode — everything is reachable except the listed domains/CIDRs:
 ```bash
 sandworm --port 2137 --mode block --blocked-domains "facebook.com,*.ads.example.com"
@@ -75,6 +118,7 @@ Note: block mode cannot be used together with `--ip-proxy-range`.
 - `--ip-proxy-range`: CIDR range for IP mode domain mapping
 - `--ip-ports`: Comma-separated list of ports for IP mode
 - `--dns-port`: DNS server port (requires IP mode)
+- `--translate-tokens`: Enable SQLite-backed token translation using `./sandworm.db`
 
 ## Building
 
diff --git a/cmd/sandworm/ipmode_cli.go b/cmd/sandworm/ipmode_cli.go
index 1735c94..a6e14aa 100644
--- a/cmd/sandworm/ipmode_cli.go
+++ b/cmd/sandworm/ipmode_cli.go
@@ -69,17 +69,15 @@ func runEtcHosts(args proxyArgs) error {
 		}
 	}
 
-	proxyServer := proxy.NewProxy(
-		0,       /* port */
-		"",      /* adminBind */
-		"allow", /* mode */
-		allowedDomains,
-		nil, /* allowedCIDRs */
-		nil, /* blockedDomains */
-		nil, /* blockedCIDRs */
-		args.IPProxyRange,
-		ipPorts,
-		0 /* dnsPort */)
+	proxyServer, err := proxy.NewProxy(proxy.Options{
+		Mode:           "allow",
+		AllowedDomains: allowedDomains,
+		IPProxyRange:   args.IPProxyRange,
+		IPPorts:        ipPorts,
+	})
+	if err != nil {
+		return err
+	}
 
 	mappings := proxyServer.GetIPMappings()
 	if len(mappings) == 0 {
diff --git a/cmd/sandworm/main.go b/cmd/sandworm/main.go
index e732ada..a688681 100644
--- a/cmd/sandworm/main.go
+++ b/cmd/sandworm/main.go
@@ -30,6 +30,7 @@ to containers on an internal network, with configurable domain and CIDR filterin
 	}
 
 	addSharedFlags(rootCmd, &args)
+	rootCmd.AddCommand(tokenCommand())
 	addIPModeCommands(rootCmd)
 
 	if err := rootCmd.Execute(); err != nil {
@@ -38,18 +39,19 @@ to containers on an internal network, with configurable domain and CIDR filterin
 }
 
 type proxyArgs struct {
-	Port           int
-	AdminEnabled   bool
-	AdminBind      string
-	Mode           string
-	Domains        string
-	CIDRs          string
-	BlockedDomains string
-	BlockedCIDRs   string
-	LogLevel       string
-	IPProxyRange   string
-	IPPorts        string
-	DNSPort        int
+	Port            int
+	AdminEnabled    bool
+	AdminBind       string
+	Mode            string
+	Domains         string
+	CIDRs           string
+	BlockedDomains  string
+	BlockedCIDRs    string
+	LogLevel        string
+	IPProxyRange    string
+	IPPorts         string
+	DNSPort         int
+	TranslateTokens bool
 }
 
 func addSharedFlags(cmd *cobra.Command, args *proxyArgs) {
@@ -63,7 +65,9 @@ func addSharedFlags(cmd *cobra.Command, args *proxyArgs) {
 	cmd.Flags().StringVar(&args.BlockedDomains, "blocked-domains", "", "Comma-separated list of blocked domains (block mode)")
 	cmd.Flags().StringVar(&args.BlockedCIDRs, "blocked-cidrs", "", "Comma-separated list of blocked CIDRs (block mode)")
 	cmd.Flags().StringVarP(&args.LogLevel, "log-level", "l", "info", "Log level (debug, info, warn, error)")
+	cmd.Flags().BoolVar(&args.TranslateTokens, "translate-tokens", false, "Enable SQLite-backed token translation using the default sandworm DB")
 	addIPModeFlags(cmd, args)
+
 }
 
 func validateArgs(args proxyArgs) error {
@@ -121,6 +125,9 @@ func runProxy(ctx context.Context, args proxyArgs) error {
 		slog.Warn("Deprecated flag --admin used; set --admin-bind explicitly (empty disables)",
 			"admin_bind", args.AdminBind)
 	}
+	if args.TranslateTokens && args.AdminBind == "" {
+		args.AdminBind = "127.0.0.1"
+	}
 
 	if err := validateArgs(args); err != nil {
 		return err
@@ -170,7 +177,27 @@ func runProxy(ctx context.Context, args proxyArgs) error {
 		}
 	}
 
-	proxyServer := proxy.NewProxy(args.Port, args.AdminBind, args.Mode, allowedDomains, allowedCIDRs, blockedDomains, blockedCIDRs, args.IPProxyRange, ipPorts, args.DNSPort)
+	tokenDBPath := ""
+	if args.TranslateTokens {
+		tokenDBPath = proxy.DefaultTokenDBPath
+	}
+
+	proxyServer, err := proxy.NewProxy(proxy.Options{
+		Port:           args.Port,
+		AdminBind:      args.AdminBind,
+		Mode:           args.Mode,
+		AllowedDomains: allowedDomains,
+		AllowedCIDRs:   allowedCIDRs,
+		BlockedDomains: blockedDomains,
+		BlockedCIDRs:   blockedCIDRs,
+		IPProxyRange:   args.IPProxyRange,
+		IPPorts:        ipPorts,
+		DNSPort:        args.DNSPort,
+		TokenDB:        tokenDBPath,
+	})
+	if err != nil {
+		return err
+	}
 
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
@@ -187,7 +214,9 @@ func runProxy(ctx context.Context, args proxyArgs) error {
 		"domains", allowedDomains,
 		"cidrs", allowedCIDRs,
 		"blocked_domains", blockedDomains,
-		"blocked_cidrs", blockedCIDRs)
+		"blocked_cidrs", blockedCIDRs,
+		"translate_tokens", args.TranslateTokens,
+		"translate_tokens_db", tokenDBPath)
 
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
diff --git a/cmd/sandworm/token_commands.go b/cmd/sandworm/token_commands.go
new file mode 100644
index 0000000..1501dff
--- /dev/null
+++ b/cmd/sandworm/token_commands.go
@@ -0,0 +1,276 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/poolsideai/sandworm/pkg/proxy"
+)
+
+type tokenArgs struct {
+	DB          string
+	Token       string
+	Name        string
+	Host        string
+	Path        string
+	Secret      string
+	Placeholder string
+	Header      string
+	BindHost    string
+	Port        int
+	CAPath      string
+}
+
+func tokenCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "token",
+		Short: "Manage translated secrets in SQLite",
+	}
+
+	cmd.AddCommand(tokenAddCommand())
+	cmd.AddCommand(tokenListCommand())
+	cmd.AddCommand(tokenRevokeCommand())
+	cmd.AddCommand(tokenConfigCommand())
+	return cmd
+}
+
+func tokenAddCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "add",
+		Short: "Add a translated secret mapping",
+	}
+	cmd.AddCommand(tokenAddBearerCommand())
+	cmd.AddCommand(tokenAddHeaderCommand())
+	return cmd
+}
+
+func tokenAddBearerCommand() *cobra.Command {
+	args := tokenArgs{}
+	cmd := &cobra.Command{
+		Use:   "bearer",
+		Short: "Add a bearer-token mapping",
+		RunE: func(cmd *cobra.Command, cmdArgs []string) error {
+			store, err := proxy.OpenTranslationStore(args.DB)
+			if err != nil {
+				return err
+			}
+			defer store.Close()
+
+			rule, token, err := proxy.AddBearerMapping(store, args.Token, args.Name, args.Host, args.Path, args.Secret, args.Placeholder)
+			if err != nil {
+				return err
+			}
+			fmt.Fprintf(os.Stdout, "created bearer mapping %q for %s %s using proxy token %q\n", rule.Name, rule.HostPattern, rule.PathPattern, token.Name)
+			return nil
+		},
+	}
+	addTokenStoreFlags(cmd, &args)
+	cmd.Flags().StringVar(&args.Host, "host", "", "Target host to rewrite (required)")
+	cmd.Flags().StringVar(&args.Path, "path", "", "Optional path prefix or exact path")
+	cmd.Flags().StringVar(&args.Secret, "secret", "", "Real bearer token to store (required)")
+	cmd.Flags().StringVar(&args.Placeholder, "placeholder", "", "Optional inbound placeholder token to match")
+	_ = cmd.MarkFlagRequired("host")
+	_ = cmd.MarkFlagRequired("secret")
+	return cmd
+}
+
+func tokenAddHeaderCommand() *cobra.Command {
+	args := tokenArgs{}
+	cmd := &cobra.Command{
+		Use:   "header",
+		Short: "Add a raw header-value mapping",
+		RunE: func(cmd *cobra.Command, cmdArgs []string) error {
+			store, err := proxy.OpenTranslationStore(args.DB)
+			if err != nil {
+				return err
+			}
+			defer store.Close()
+
+			rule, token, err := proxy.AddHeaderMapping(store, args.Token, args.Name, args.Host, args.Path, args.Secret, args.Header, args.Placeholder)
+			if err != nil {
+				return err
+			}
+			fmt.Fprintf(os.Stdout, "created header mapping %q for %s %s using proxy token %q\n", rule.Name, rule.HostPattern, rule.PathPattern, token.Name)
+			return nil
+		},
+	}
+	addTokenStoreFlags(cmd, &args)
+	cmd.Flags().StringVar(&args.Host, "host", "", "Target host to rewrite (required)")
+	cmd.Flags().StringVar(&args.Path, "path", "", "Optional path prefix or exact path")
+	cmd.Flags().StringVar(&args.Secret, "secret", "", "Real header value to store (required)")
+	cmd.Flags().StringVar(&args.Header, "header", "", "Header name to inject (required)")
+	cmd.Flags().StringVar(&args.Placeholder, "placeholder", "", "Optional inbound placeholder value to match")
+	_ = cmd.MarkFlagRequired("host")
+	_ = cmd.MarkFlagRequired("secret")
+	_ = cmd.MarkFlagRequired("header")
+	return cmd
+}
+
+func tokenConfigCommand() *cobra.Command {
+	args := tokenArgs{
+		BindHost: "127.0.0.1",
+		Port:     2137,
+		CAPath:   proxy.DefaultCACertOutPath,
+	}
+	cmd := &cobra.Command{
+		Use:   "config",
+		Short: "Print a sourceable shell config for the proxy token",
+		RunE: func(cmd *cobra.Command, cmdArgs []string) error {
+			store, err := proxy.OpenTranslationStore(args.DB)
+			if err != nil {
+				return err
+			}
+			defer store.Close()
+
+			token, err := store.EnsureToken(args.Token)
+			if err != nil {
+				return err
+			}
+			ca, err := proxy.EnsureTranslationCA(store)
+			if err != nil {
+				return err
+			}
+
+			return writeTokenConfig(os.Stdout, token, ca.CACertPEM(), args)
+		},
+	}
+	addTokenStoreFlags(cmd, &args)
+	cmd.Flags().StringVar(&args.BindHost, "host", args.BindHost, "Proxy host to embed in the generated env")
+	cmd.Flags().IntVar(&args.Port, "port", args.Port, "Proxy port to embed in the generated env")
+	cmd.Flags().StringVar(&args.CAPath, "ca-path", args.CAPath, "CA certificate path to embed in the generated env")
+	return cmd
+}
+
+func tokenListCommand() *cobra.Command {
+	args := tokenArgs{}
+	cmd := &cobra.Command{
+		Use:   "list",
+		Short: "List proxy tokens",
+		RunE: func(cmd *cobra.Command, cmdArgs []string) error {
+			store, err := proxy.OpenTranslationStore(args.DB)
+			if err != nil {
+				return err
+			}
+			defer store.Close()
+
+			tokens := store.ListTokens()
+			if len(tokens) == 0 {
+				fmt.Fprintln(os.Stderr, "no proxy tokens")
+				return nil
+			}
+
+			rules := store.ListRules()
+			for _, token := range tokens {
+				fmt.Println(token.Name)
+				count := 0
+				for _, rule := range rules {
+					if rule.TokenID != nil && *rule.TokenID == token.ID {
+						fmt.Fprintf(os.Stdout, "  - %s\n", mappingSummary(rule))
+						count++
+					}
+				}
+				if count == 0 {
+					fmt.Fprintln(os.Stdout, "  - no mappings")
+				}
+			}
+
+			sharedCount := 0
+			for _, rule := range rules {
+				if rule.TokenID == nil {
+					if sharedCount == 0 {
+						fmt.Fprintln(os.Stdout, "shared")
+					}
+					fmt.Fprintf(os.Stdout, "  - %s\n", mappingSummary(rule))
+					sharedCount++
+				}
+			}
+			return nil
+		},
+	}
+	addTokenStoreFlags(cmd, &args)
+	return cmd
+}
+
+func tokenRevokeCommand() *cobra.Command {
+	args := tokenArgs{}
+	cmd := &cobra.Command{
+		Use:   "revoke",
+		Short: "Revoke a proxy token by name",
+		RunE: func(cmd *cobra.Command, cmdArgs []string) error {
+			store, err := proxy.OpenTranslationStore(args.DB)
+			if err != nil {
+				return err
+			}
+			defer store.Close()
+
+			if err := store.RevokeTokenByName(args.Token); err != nil {
+				return err
+			}
+			fmt.Fprintf(os.Stdout, "revoked proxy token %q\n", args.Token)
+			return nil
+		},
+	}
+	addTokenStoreFlags(cmd, &args)
+	return cmd
+}
+
+func addTokenStoreFlags(cmd *cobra.Command, args *tokenArgs) {
+	cmd.Flags().StringVar(&args.DB, "db", proxy.DefaultTokenDBPath, "SQLite database path")
+	cmd.Flags().StringVar(&args.Token, "token", proxy.DefaultProxyToken, "Proxy token name to scope this mapping or config")
+	cmd.Flags().StringVar(&args.Name, "name", "", "Optional display name for the mapping")
+}
+
+func writeTokenConfig(w io.Writer, token *proxy.TranslationToken, caPEM string, args tokenArgs) error {
+	proxyURL := fmt.Sprintf("http://x:%s@%s:%d", token.Token, args.BindHost, args.Port)
+	fmt.Fprintln(w, "# sandworm token config")
+	fmt.Fprintln(w, "#")
+	fmt.Fprintln(w, "# The proxy URL below uses HTTP Basic auth for the proxy itself.")
+	fmt.Fprintln(w, "# Username 'x' is ignored; the password field carries the sandworm proxy token.")
+	fmt.Fprintln(w, "# sandworm reads that proxy token from Proxy-Authorization and uses it to select translated secrets.")
+	fmt.Fprintln(w, "#")
+	fmt.Fprintln(w, "# The CA file below is required for HTTPS translation.")
+	fmt.Fprintln(w, "# sandworm terminates TLS locally so it can rewrite outbound headers, then reconnects upstream.")
+	fmt.Fprintln(w, "# Clients must trust this CA or HTTPS requests through the proxy will fail certificate validation.")
+	fmt.Fprintf(w, "export SANDWORM_PROXY_URL=%q\n", proxyURL)
+	fmt.Fprintf(w, "export SANDWORM_CA_PATH=%q\n", args.CAPath)
+	fmt.Fprintf(w, "cat >\"$SANDWORM_CA_PATH\" <<'__SANDWORM_CA__'\n%s__SANDWORM_CA__\n", caPEM)
+	fmt.Fprintf(w, "export HTTP_PROXY=%q\n", proxyURL)
+	fmt.Fprintf(w, "export HTTPS_PROXY=%q\n", proxyURL)
+	fmt.Fprintf(w, "export http_proxy=%q\n", proxyURL)
+	fmt.Fprintf(w, "export https_proxy=%q\n", proxyURL)
+	fmt.Fprintf(w, "export SSL_CERT_FILE=%q\n", args.CAPath)
+	fmt.Fprintf(w, "export NODE_EXTRA_CA_CERTS=%q\n", args.CAPath)
+	return nil
+}
+
+func mappingSummary(rule proxy.TranslationRule) string {
+	mode := "header"
+	switch {
+	case strings.EqualFold(rule.InjectHeaderName, "Authorization") && rule.InjectHeaderValueFormat == "Bearer {value}":
+		mode = "bearer"
+	case rule.InjectHeaderValueFormat == "{value}":
+		mode = fmt.Sprintf("header %s", rule.InjectHeaderName)
+	default:
+		mode = fmt.Sprintf("header %s", rule.InjectHeaderName)
+	}
+
+	path := rule.PathPattern
+	if path == "" {
+		path = "*"
+	}
+
+	var extras []string
+	if rule.MatchHeaderName != "" {
+		extras = append(extras, fmt.Sprintf("placeholder via %s", rule.MatchHeaderName))
+	}
+
+	summary := fmt.Sprintf("%s %s %s", mode, rule.HostPattern, path)
+	if len(extras) > 0 {
+		summary += " (" + strings.Join(extras, ", ") + ")"
+	}
+	return summary
+}
diff --git a/cmd/sandworm/token_commands_test.go b/cmd/sandworm/token_commands_test.go
new file mode 100644
index 0000000..f723304
--- /dev/null
+++ b/cmd/sandworm/token_commands_test.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/poolsideai/sandworm/pkg/proxy"
+	"github.com/stretchr/testify/require"
+)
+
+func TestWriteTokenConfig(t *testing.T) {
+	token := &proxy.TranslationToken{
+		Name:  "default",
+		Token: "sand_test",
+	}
+	args := tokenArgs{
+		BindHost: "127.0.0.1",
+		Port:     2137,
+		CAPath:   "/tmp/sandworm-ca.pem",
+	}
+
+	var out bytes.Buffer
+	require.NoError(t, writeTokenConfig(&out, token, "TEST CA\n", args))
+
+	got := out.String()
+	for _, want := range []string{
+		`export SANDWORM_PROXY_URL="http://x:sand_test@127.0.0.1:2137"`,
+		`export SANDWORM_CA_PATH="/tmp/sandworm-ca.pem"`,
+		`export NODE_EXTRA_CA_CERTS="/tmp/sandworm-ca.pem"`,
+		"TEST CA",
+	} {
+		require.Truef(t, strings.Contains(got, want), "generated config missing %q:\n%s", want, got)
+	}
+}
diff --git a/go.mod b/go.mod
index 98427ae..de8d96f 100644
--- a/go.mod
+++ b/go.mod
@@ -7,14 +7,28 @@ toolchain go1.24.11
 require github.com/spf13/cobra v1.8.1
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.69 // indirect
+	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
+	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
 	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	modernc.org/libc v1.66.10 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.39.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 8e6f70b..4a3ebc1 100644
--- a/go.sum
+++ b/go.sum
@@ -1,17 +1,35 @@
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
 github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
+github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
+golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
@@ -19,10 +37,20 @@ golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
 golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
 golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
+modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/sqlite v1.39.1 h1:H+/wGFzuSCIEVCvXYVHX5RQglwhMOvtHSv+VtidL2r4=
+modernc.org/sqlite v1.39.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
diff --git a/integration_test.go b/integration_test.go
index b7ff2bd..a9115fd 100644
--- a/integration_test.go
+++ b/integration_test.go
@@ -12,6 +12,7 @@ import (
 	"testing"
 
 	"github.com/poolsideai/sandworm/pkg/proxy"
+	"github.com/stretchr/testify/require"
 )
 
 const (
@@ -173,7 +174,7 @@ func runTestSuite(t *testing.T, suite testSuite) {
 
 func startSandworm(t *testing.T, allowedDomains, allowedCIDRs string) (context.Context, context.CancelFunc, int) {
 	port := findAvailablePort(t)
-	
+
 	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
 		Level: slog.LevelWarn,
 	}))
@@ -196,13 +197,17 @@ func startSandworm(t *testing.T, allowedDomains, allowedCIDRs string) (context.C
 		}
 	}
 
-	proxyServer := proxy.NewProxy(port, "", "allow", allowedDomainsList, allowedCIDRsList, nil, nil, "", nil, 0)
+	proxyServer, err := proxy.NewProxy(proxy.Options{
+		Port:           port,
+		Mode:           "allow",
+		AllowedDomains: allowedDomainsList,
+		AllowedCIDRs:   allowedCIDRsList,
+	})
+	require.NoError(t, err, "failed to create proxy")
 
 	ctx, cancel := context.WithCancel(context.Background())
 
-	if err := proxyServer.Start(ctx); err != nil {
-		t.Fatalf("Failed to start proxy: %v", err)
-	}
+	require.NoError(t, proxyServer.Start(ctx), "failed to start proxy")
 
 	return ctx, cancel, port
 }
@@ -232,13 +237,17 @@ func startSandwormBlockMode(t *testing.T, blockedDomains, blockedCIDRs string) (
 		}
 	}
 
-	proxyServer := proxy.NewProxy(port, "", "block", nil, nil, blockedDomainsList, blockedCIDRsList, "", nil, 0)
+	proxyServer, err := proxy.NewProxy(proxy.Options{
+		Port:           port,
+		Mode:           "block",
+		BlockedDomains: blockedDomainsList,
+		BlockedCIDRs:   blockedCIDRsList,
+	})
+	require.NoError(t, err, "failed to create proxy")
 
 	ctx, cancel := context.WithCancel(context.Background())
 
-	if err := proxyServer.Start(ctx); err != nil {
-		t.Fatalf("Failed to start proxy: %v", err)
-	}
+	require.NoError(t, proxyServer.Start(ctx), "failed to start proxy")
 
 	return ctx, cancel, port
 }
@@ -251,15 +260,14 @@ func findAvailablePort(t *testing.T) int {
 			return port
 		}
 	}
-	t.Fatal("No available ports found")
+	require.FailNow(t, "No available ports found")
 	return 0
 }
 
-
 func createProxyClient(port int) *http.Client {
 	proxyURL := fmt.Sprintf("http://localhost:%d", port)
 	proxyURLParsed, _ := url.Parse(proxyURL)
-	
+
 	return &http.Client{
 		Transport: &http.Transport{
 			Proxy: http.ProxyURL(proxyURLParsed),
@@ -277,6 +285,6 @@ func testProxy(client *http.Client, targetURL string) string {
 	if resp.StatusCode >= 200 && resp.StatusCode < 400 {
 		return "ALLOWED"
 	}
-	
+
 	return "BLOCKED"
 }
diff --git a/pkg/proxy/admin_panel.html b/pkg/proxy/admin_panel.html
index 2f5cf41..6cf00b1 100644
--- a/pkg/proxy/admin_panel.html
+++ b/pkg/proxy/admin_panel.html
@@ -142,6 +142,12 @@
             margin: 0;
             width: auto;
         }
+        pre {
+            background: var(--logs-bg);
+            padding: 12px;
+            border-radius: 5px;
+            overflow-x: auto;
+        }
     </style>
     <script>
         function refreshData() {
@@ -208,10 +214,109 @@
             })
             .catch(console.error);
         }
+
+        function refreshTranslationData() {
+            fetch('/admin/api/token-translation/status')
+                .then(response => response.json())
+                .then(status => {
+                    const section = document.getElementById('token-translation-section');
+                    if (!status.enabled) {
+                        section.style.display = 'none';
+                        return null;
+                    }
+                    section.style.display = 'block';
+                    return Promise.all([
+                        fetch('/admin/api/token-translation/tokens').then(r => r.json()),
+                        fetch('/admin/api/token-translation/rules').then(r => r.json())
+                    ]);
+                })
+                .then(data => {
+                    if (!data) return;
+                    renderTranslationTokens(data[0]);
+                    renderTranslationRules(data[0], data[1]);
+                })
+                .catch(console.error);
+        }
+
+        function renderTranslationTokens(tokens) {
+            document.getElementById('translation-tokens').innerHTML = tokens.map(token =>
+                '<tr><td>' + token.name + '</td><td><code>' + token.token + '</code></td><td><button onclick="deleteTranslationToken(' + token.id + ')">delete</button> <button onclick="loadTranslationConfig(' + token.id + ')">config</button></td></tr>'
+            ).join('');
+            document.getElementById('rule-token-id').innerHTML = '<option value="">all proxy tokens</option>' + tokens.map(token =>
+                '<option value="' + token.id + '">' + token.name + '</option>'
+            ).join('');
+        }
+
+        function renderTranslationRules(tokens, rules) {
+            const tokenNames = {};
+            tokens.forEach(token => { tokenNames[token.id] = token.name; });
+            document.getElementById('translation-rules').innerHTML = rules.map(rule =>
+                '<tr><td>' + rule.name + '</td><td><code>' + rule.hostPattern + '</code><br><code>' + (rule.pathPattern || '*') + '</code></td><td>' + (rule.tokenId ? tokenNames[rule.tokenId] : 'all') + '</td><td><code>' + rule.injectHeaderName + '</code></td><td><button onclick="deleteTranslationRule(' + rule.id + ')">delete</button></td></tr>'
+            ).join('');
+        }
+
+        function createTranslationToken() {
+            fetch('/admin/api/token-translation/tokens', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ name: document.getElementById('token-name').value })
+            }).then(() => {
+                document.getElementById('token-name').value = '';
+                refreshTranslationData();
+            }).catch(console.error);
+        }
+
+        function deleteTranslationToken(id) {
+            fetch('/admin/api/token-translation/tokens/' + id, { method: 'DELETE' })
+                .then(() => refreshTranslationData())
+                .catch(console.error);
+        }
+
+        function createTranslationRule() {
+            const tokenId = document.getElementById('rule-token-id').value;
+            fetch('/admin/api/token-translation/rules', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    name: document.getElementById('rule-name').value,
+                    tokenId: tokenId ? parseInt(tokenId, 10) : null,
+                    hostPattern: document.getElementById('rule-host').value,
+                    pathPattern: document.getElementById('rule-path').value || '*',
+                    matchHeaderName: document.getElementById('rule-match-header').value,
+                    matchHeaderValue: document.getElementById('rule-match-value').value,
+                    injectHeaderName: document.getElementById('rule-inject-header').value,
+                    injectHeaderValueFormat: document.getElementById('rule-format').value || '{value}',
+                    removeHeaderName: document.getElementById('rule-remove-header').value,
+                    secretValue: document.getElementById('rule-secret').value,
+                    enabled: true
+                })
+            }).then(() => {
+                ['rule-name', 'rule-host', 'rule-path', 'rule-match-header', 'rule-match-value', 'rule-inject-header', 'rule-format', 'rule-remove-header', 'rule-secret'].forEach(id => {
+                    document.getElementById(id).value = '';
+                });
+                refreshTranslationData();
+            }).catch(console.error);
+        }
+
+        function deleteTranslationRule(id) {
+            fetch('/admin/api/token-translation/rules/' + id, { method: 'DELETE' })
+                .then(() => refreshTranslationData())
+                .catch(console.error);
+        }
+
+        function loadTranslationConfig(id) {
+            fetch('/admin/api/token-translation/config?token_id=' + id)
+                .then(response => response.json())
+                .then(config => {
+                    document.getElementById('translation-config').textContent = JSON.stringify(config, null, 2);
+                })
+                .catch(console.error);
+        }
         
         setInterval(refreshData, 2000);
         window.onload = function() {
             refreshData();
+            refreshTranslationData();
             // Add event listeners for filter checkboxes
             document.getElementById('show-allowed').addEventListener('change', filterAndDisplayLogs);
             document.getElementById('show-blocked').addEventListener('change', filterAndDisplayLogs);
@@ -238,6 +343,50 @@ <h1>sandworm network proxy</h1>
                 </div>
             </div>
         </div>
+
+        <div class="section" id="token-translation-section" style="display: none;">
+            <h2>token translation</h2>
+            <p>Host/path based header translation with optional per-proxy-token scoping. HTTPS translation works through the generated local CA.</p>
+            <div class="two-column">
+                <div class="column">
+                    <div class="section">
+                        <h3>proxy tokens</h3>
+                        <div class="rules-form">
+                            <input id="token-name" placeholder="token name">
+                            <button onclick="createTranslationToken()">create token</button>
+                        </div>
+                        <table>
+                            <thead><tr><th>name</th><th>token</th><th>actions</th></tr></thead>
+                            <tbody id="translation-tokens"></tbody>
+                        </table>
+                    </div>
+                </div>
+                <div class="column">
+                    <div class="section">
+                        <h3>new rule</h3>
+                        <div class="rules-form">
+                            <input id="rule-name" placeholder="rule name">
+                            <select id="rule-token-id"><option value="">all proxy tokens</option></select>
+                            <input id="rule-host" placeholder="host pattern (e.g. api.openai.com)">
+                            <input id="rule-path" placeholder="path pattern (e.g. /v1/*)">
+                            <input id="rule-match-header" placeholder="match header name (optional)">
+                            <input id="rule-match-value" placeholder="match header value (optional fake token)">
+                            <input id="rule-inject-header" placeholder="inject header name">
+                            <input id="rule-format" placeholder="inject value format (default {value})">
+                            <input id="rule-remove-header" placeholder="remove header name (optional)">
+                            <input id="rule-secret" placeholder="real secret value">
+                            <button onclick="createTranslationRule()">create rule</button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+            <table>
+                <thead><tr><th>name</th><th>match</th><th>scope</th><th>inject</th><th>actions</th></tr></thead>
+                <tbody id="translation-rules"></tbody>
+            </table>
+            <h3>token config</h3>
+            <pre id="translation-config">Select a token to render proxy env vars and the generated CA certificate.</pre>
+        </div>
         
         <div style="display: flex; gap: 20px; flex-wrap: wrap; align-items: stretch;">
             <div style="flex: 1; min-width: 300px; display: flex;">
diff --git a/pkg/proxy/http_admin.go b/pkg/proxy/http_admin.go
index 7360eda..179da0d 100644
--- a/pkg/proxy/http_admin.go
+++ b/pkg/proxy/http_admin.go
@@ -3,6 +3,7 @@ package proxy
 import (
 	_ "embed"
 	"encoding/json"
+	"fmt"
 	"html/template"
 	"log/slog"
 	"net"
@@ -41,12 +42,23 @@ type AdminStatsResponse struct {
 	RecentRequests  []RequestLog  `json:"recentRequests"`
 }
 
+type TokenTranslationStatus struct {
+	Enabled bool `json:"enabled"`
+}
+
 func (p *Proxy) setupAdminHandlers() *http.ServeMux {
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/", p.handleAdminPanel)
 	mux.HandleFunc("/admin/api/stats", p.handleAdminStats)
 	mux.HandleFunc("/admin/api/rules", p.handleAdminRules)
+	mux.HandleFunc("/admin/api/token-translation/status", p.handleTranslationStatus)
+	mux.HandleFunc("/admin/api/token-translation/tokens", p.handleTranslationTokens)
+	mux.HandleFunc("/admin/api/token-translation/tokens/", p.handleTranslationTokenByID)
+	mux.HandleFunc("/admin/api/token-translation/rules", p.handleTranslationRules)
+	mux.HandleFunc("/admin/api/token-translation/rules/", p.handleTranslationRuleByID)
+	mux.HandleFunc("/admin/api/token-translation/config", p.handleTranslationConfig)
+	mux.HandleFunc("/admin/api/token-translation/ca", p.handleTranslationCA)
 
 	return mux
 }
@@ -267,3 +279,188 @@ func (p *Proxy) handleAdminRules(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(map[string]interface{}{"success": true})
 }
+
+func (p *Proxy) handleTranslationStatus(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(TokenTranslationStatus{Enabled: p.translationStore != nil})
+}
+
+func (p *Proxy) handleTranslationTokens(w http.ResponseWriter, r *http.Request) {
+	if p.translationStore == nil {
+		http.Error(w, "token translation disabled", http.StatusNotFound)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+
+	switch r.Method {
+	case http.MethodGet:
+		_ = json.NewEncoder(w).Encode(p.translationStore.ListTokens())
+	case http.MethodPost:
+		var request struct {
+			Name string `json:"name"`
+		}
+		if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
+			http.Error(w, "invalid json", http.StatusBadRequest)
+			return
+		}
+		token, err := p.translationStore.CreateToken(request.Name)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.WriteHeader(http.StatusCreated)
+		_ = json.NewEncoder(w).Encode(token)
+	default:
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+func (p *Proxy) handleTranslationTokenByID(w http.ResponseWriter, r *http.Request) {
+	if p.translationStore == nil {
+		http.Error(w, "token translation disabled", http.StatusNotFound)
+		return
+	}
+	if r.Method != http.MethodDelete {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	id, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/admin/api/token-translation/tokens/"), 10, 64)
+	if err != nil {
+		http.Error(w, "invalid token id", http.StatusBadRequest)
+		return
+	}
+	if err := p.translationStore.DeleteToken(id); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	_ = json.NewEncoder(w).Encode(map[string]bool{"success": true})
+}
+
+func (p *Proxy) handleTranslationRules(w http.ResponseWriter, r *http.Request) {
+	if p.translationStore == nil {
+		http.Error(w, "token translation disabled", http.StatusNotFound)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	switch r.Method {
+	case http.MethodGet:
+		rules := p.translationStore.ListRules()
+		for i := range rules {
+			rules[i].SecretValue = ""
+		}
+		_ = json.NewEncoder(w).Encode(rules)
+	case http.MethodPost:
+		var request TranslationRule
+		if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
+			http.Error(w, "invalid json", http.StatusBadRequest)
+			return
+		}
+		rule, err := p.translationStore.CreateRule(request)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		rule.SecretValue = ""
+		w.WriteHeader(http.StatusCreated)
+		_ = json.NewEncoder(w).Encode(rule)
+	default:
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+func (p *Proxy) handleTranslationRuleByID(w http.ResponseWriter, r *http.Request) {
+	if p.translationStore == nil {
+		http.Error(w, "token translation disabled", http.StatusNotFound)
+		return
+	}
+	if r.Method != http.MethodDelete {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	id, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/admin/api/token-translation/rules/"), 10, 64)
+	if err != nil {
+		http.Error(w, "invalid rule id", http.StatusBadRequest)
+		return
+	}
+	if err := p.translationStore.DeleteRule(id); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	_ = json.NewEncoder(w).Encode(map[string]bool{"success": true})
+}
+
+func (p *Proxy) handleTranslationConfig(w http.ResponseWriter, r *http.Request) {
+	if p.translationStore == nil || p.translationCA == nil {
+		http.Error(w, "token translation disabled", http.StatusNotFound)
+		return
+	}
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	tokens := p.translationStore.ListTokens()
+	if len(tokens) == 0 {
+		http.Error(w, "no translation tokens available", http.StatusConflict)
+		return
+	}
+
+	selected := tokens[0]
+	if rawID := r.URL.Query().Get("token_id"); rawID != "" {
+		id, err := strconv.ParseInt(rawID, 10, 64)
+		if err != nil {
+			http.Error(w, "invalid token id", http.StatusBadRequest)
+			return
+		}
+		found := false
+		for _, token := range tokens {
+			if token.ID == id {
+				selected = token
+				found = true
+				break
+			}
+		}
+		if !found {
+			http.Error(w, "token not found", http.StatusNotFound)
+			return
+		}
+	}
+
+	host := r.Host
+	if parsedHost, _, err := net.SplitHostPort(r.Host); err == nil {
+		host = parsedHost
+	}
+	proxyURL := buildProxyURL(host, p.port, selected.Token)
+	response := TranslationConfigResponse{
+		ProxyURL: proxyURL,
+		Env: map[string]string{
+			"HTTP_PROXY":          proxyURL,
+			"HTTPS_PROXY":         proxyURL,
+			"http_proxy":          proxyURL,
+			"https_proxy":         proxyURL,
+			"SSL_CERT_FILE":       "/tmp/sandworm-ca.pem",
+			"NODE_EXTRA_CA_CERTS": "/tmp/sandworm-ca.pem",
+		},
+		CACertificatePEM:       p.translationCA.CACertPEM(),
+		CACertificatePath:      "/tmp/sandworm-ca.pem",
+		TokenTranslationDBPath: p.translationStore.DBPath(),
+	}
+	_ = json.NewEncoder(w).Encode(response)
+}
+
+func (p *Proxy) handleTranslationCA(w http.ResponseWriter, r *http.Request) {
+	if p.translationCA == nil {
+		http.Error(w, "token translation disabled", http.StatusNotFound)
+		return
+	}
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	w.Header().Set("Content-Type", "application/x-pem-file")
+	w.Header().Set("Content-Disposition", `inline; filename="sandworm-ca.pem"`)
+	_, _ = fmt.Fprint(w, p.translationCA.CACertPEM())
+}
diff --git a/pkg/proxy/mitm.go b/pkg/proxy/mitm.go
new file mode 100644
index 0000000..1a8eb03
--- /dev/null
+++ b/pkg/proxy/mitm.go
@@ -0,0 +1,284 @@
+package proxy
+
+import (
+	"bufio"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"log/slog"
+	"math/big"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	metaCACertPEM = "ca_cert_pem"
+	metaCAKeyPEM  = "ca_key_pem"
+)
+
+type certificateAuthority struct {
+	store *TranslationStore
+
+	mu        sync.Mutex
+	caCert    *x509.Certificate
+	caKey     *rsa.PrivateKey
+	caPEM     string
+	certCache map[string]*tls.Certificate
+}
+
+func newCertificateAuthority(store *TranslationStore) (*certificateAuthority, error) {
+	ca := &certificateAuthority{
+		store:     store,
+		certCache: make(map[string]*tls.Certificate),
+	}
+	if err := ca.loadOrCreate(); err != nil {
+		return nil, err
+	}
+	return ca, nil
+}
+
+func (c *certificateAuthority) CACertPEM() string {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.caPEM
+}
+
+func (c *certificateAuthority) loadOrCreate() error {
+	certPEM, err := c.store.Meta(metaCACertPEM)
+	if err != nil {
+		return err
+	}
+	keyPEM, err := c.store.Meta(metaCAKeyPEM)
+	if err != nil {
+		return err
+	}
+	if certPEM == "" || keyPEM == "" {
+		return c.createAndPersist()
+	}
+	return c.loadFromPEM(certPEM, keyPEM)
+}
+
+func (c *certificateAuthority) loadFromPEM(certPEM, keyPEM string) error {
+	certBlock, _ := pem.Decode([]byte(certPEM))
+	keyBlock, _ := pem.Decode([]byte(keyPEM))
+	if certBlock == nil || keyBlock == nil {
+		return fmt.Errorf("invalid persisted CA material")
+	}
+	cert, err := x509.ParseCertificate(certBlock.Bytes)
+	if err != nil {
+		return err
+	}
+	key, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	if err != nil {
+		return err
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.caCert = cert
+	c.caKey = key
+	c.caPEM = certPEM
+	return nil
+}
+
+func (c *certificateAuthority) createAndPersist() error {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return err
+	}
+	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+	if err != nil {
+		return err
+	}
+	template := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName:   "sandworm token translation CA",
+			Organization: []string{"sandworm"},
+		},
+		NotBefore:             time.Now().Add(-time.Hour),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+		MaxPathLen:            1,
+	}
+	der, err := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		return err
+	}
+	certPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
+	keyPEM := string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}))
+	if err := c.store.UpsertMeta(metaCACertPEM, certPEM); err != nil {
+		return err
+	}
+	if err := c.store.UpsertMeta(metaCAKeyPEM, keyPEM); err != nil {
+		return err
+	}
+	return c.loadFromPEM(certPEM, keyPEM)
+}
+
+func (c *certificateAuthority) certificateForHost(host string) (*tls.Certificate, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if cert, ok := c.certCache[host]; ok {
+		return cert, nil
+	}
+	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+	if err != nil {
+		return nil, err
+	}
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	template := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName: host,
+		},
+		NotBefore:   time.Now().Add(-time.Hour),
+		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
+		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		DNSNames:    []string{host},
+	}
+	der, err := x509.CreateCertificate(rand.Reader, template, c.caCert, &privateKey.PublicKey, c.caKey)
+	if err != nil {
+		return nil, err
+	}
+	cert := &tls.Certificate{
+		Certificate: [][]byte{der, c.caCert.Raw},
+		PrivateKey:  privateKey,
+		Leaf:        template,
+	}
+	c.certCache[host] = cert
+	return cert, nil
+}
+
+func (p *Proxy) handleConnectMITM(w http.ResponseWriter, r *http.Request, host, port, proxyToken string) {
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+		return
+	}
+	clientConn, buf, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, "Failed to hijack connection", http.StatusInternalServerError)
+		return
+	}
+	defer clientConn.Close()
+
+	if _, err := io.WriteString(clientConn, "HTTP/1.1 200 Connection Established\r\n\r\n"); err != nil {
+		return
+	}
+	if buf.Reader.Buffered() > 0 {
+		_, _ = buf.Reader.Discard(buf.Reader.Buffered())
+	}
+
+	cert, err := p.translationCA.certificateForHost(host)
+	if err != nil {
+		slog.Error("Failed to create MITM certificate", "host", host, "error", err)
+		return
+	}
+	tlsConn := tls.Server(clientConn, &tls.Config{
+		Certificates: []tls.Certificate{*cert},
+	})
+	if err := tlsConn.Handshake(); err != nil {
+		slog.Debug("MITM TLS handshake failed", "host", host, "error", err)
+		return
+	}
+	defer tlsConn.Close()
+
+	reader := bufio.NewReader(tlsConn)
+	writer := bufio.NewWriter(tlsConn)
+	req, err := http.ReadRequest(reader)
+	if err != nil {
+		if !errorsIsEOF(err) {
+			slog.Debug("MITM request read failed", "host", host, "error", err)
+		}
+		return
+	}
+	req.URL.Scheme = "https"
+	req.URL.Host = net.JoinHostPort(host, port)
+	req.Host = net.JoinHostPort(host, port)
+
+	resp, err := p.forwardTranslatedRequest(req, host, req.URL.Path, proxyToken, true)
+	if err != nil {
+		_, _ = writer.WriteString("HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\nContent-Length: 11\r\n\r\nBad Gateway")
+		_ = writer.Flush()
+		_ = req.Body.Close()
+		return
+	}
+	if err := writeMITMResponse(writer, resp); err != nil {
+		_ = resp.Body.Close()
+		_ = req.Body.Close()
+		return
+	}
+	_ = writer.Flush()
+	_ = resp.Body.Close()
+	_ = req.Body.Close()
+}
+
+func errorsIsEOF(err error) bool {
+	return err == io.EOF || strings.Contains(err.Error(), "closed network connection")
+}
+
+func writeMITMResponse(writer *bufio.Writer, resp *http.Response) error {
+	removeHopByHopHeaders(resp.Header)
+	resp.Header.Set("Connection", "close")
+
+	if _, err := fmt.Fprintf(writer, "HTTP/1.1 %s\r\n", resp.Status); err != nil {
+		return err
+	}
+	if _, err := fmt.Fprintf(writer, "Connection: close\r\n"); err != nil {
+		return err
+	}
+	if err := resp.Header.WriteSubset(writer, map[string]bool{"Connection": true}); err != nil {
+		return err
+	}
+	if _, err := writer.WriteString("\r\n"); err != nil {
+		return err
+	}
+	_, err := io.Copy(writer, resp.Body)
+	return err
+}
+
+func (p *Proxy) forwardTranslatedRequest(in *http.Request, host, path, proxyToken string, secure bool) (*http.Response, error) {
+	targetURL := &url.URL{
+		Scheme: "http",
+		Host:   in.Host,
+		Path:   in.URL.Path,
+	}
+	if secure {
+		targetURL.Scheme = "https"
+		targetURL.Host = in.Host
+	}
+	if in.URL.RawQuery != "" {
+		targetURL.RawQuery = in.URL.RawQuery
+	}
+
+	req, err := http.NewRequestWithContext(in.Context(), in.Method, targetURL.String(), in.Body)
+	if err != nil {
+		return nil, err
+	}
+	removeHopByHopHeaders(in.Header)
+	for name, values := range in.Header {
+		for _, value := range values {
+			req.Header.Add(name, value)
+		}
+	}
+	req.Host = targetURL.Host
+	if p.translationStore != nil {
+		applyTranslationRules(req.Header, host, path, proxyToken, p.translationStore.ListRules())
+	}
+	return p.httpClient.Do(req)
+}
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index bec64c8..34f845c 100644
--- a/pkg/proxy/proxy.go
+++ b/pkg/proxy/proxy.go
@@ -63,74 +63,114 @@ type Proxy struct {
 
 	dnsPort   int
 	dnsServer *DNSServer
+
+	translationStore *TranslationStore
+	translationCA    *certificateAuthority
+	httpClient       *http.Client
+}
+
+type Options struct {
+	Port           int
+	AdminBind      string
+	Mode           string
+	AllowedDomains []string
+	AllowedCIDRs   []string
+	BlockedDomains []string
+	BlockedCIDRs   []string
+	IPProxyRange   string
+	IPPorts        []int
+	DNSPort        int
+	TokenDB        string
 }
 
-func NewProxy(port int, adminBind string, mode string, allowedDomains []string, allowedCIDRs []string, blockedDomains []string, blockedCIDRs []string, ipProxyRange string, ipPorts []int, dnsPort int) *Proxy {
-	if mode != "block" {
-		mode = "allow"
+func NewProxy(opts Options) (*Proxy, error) {
+	if opts.Mode != "block" {
+		opts.Mode = "allow"
 	}
 
 	var domains []string
-	for _, domain := range allowedDomains {
+	for _, domain := range opts.AllowedDomains {
 		if domain != "" {
 			domains = append(domains, domain)
 		}
 	}
 
 	cidrMap := make(map[string]bool)
-	for _, cidr := range allowedCIDRs {
+	for _, cidr := range opts.AllowedCIDRs {
 		if cidr != "" {
 			cidrMap[cidr] = true
 		}
 	}
 
 	var blocked []string
-	for _, domain := range blockedDomains {
+	for _, domain := range opts.BlockedDomains {
 		if domain != "" {
 			blocked = append(blocked, domain)
 		}
 	}
 
 	blockedCIDRMap := make(map[string]bool)
-	for _, cidr := range blockedCIDRs {
+	for _, cidr := range opts.BlockedCIDRs {
 		if cidr != "" {
 			blockedCIDRMap[cidr] = true
 		}
 	}
 
-	if ipProxyRange == "" && len(ipPorts) > 0 {
+	if opts.IPProxyRange == "" && len(opts.IPPorts) > 0 {
 		slog.Error("IP ports specified without IP proxy range; ignoring IP ports")
-		ipPorts = nil
+		opts.IPPorts = nil
 	}
 
 	proxy := &Proxy{
-		mode:           mode,
+		mode:           opts.Mode,
 		allowedDomains: domains,
 		allowedCIDRs:   cidrMap,
 		blockedDomains: blocked,
 		blockedCIDRs:   blockedCIDRMap,
-		port:           port,
-		adminBind:      adminBind,
+		port:           opts.Port,
+		adminBind:      opts.AdminBind,
 		requestStats:   make(map[string]*RequestStats),
 		recentRequests: make([]RequestLog, 0),
 		maxRecentReqs:  100,
-		ipProxyRange:   ipProxyRange,
-		ipPorts:        ipPorts,
+		ipProxyRange:   opts.IPProxyRange,
+		ipPorts:        opts.IPPorts,
 		domainIPMap:    make(map[string]net.IP),
 		ipDomainMap:    make(map[string]string),
 		ipHopStats:     make(map[string]int),
-		dnsPort:        dnsPort,
+		dnsPort:        opts.DNSPort,
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+			Transport: &http.Transport{
+				Proxy:                 nil,
+				TLSHandshakeTimeout:   10 * time.Second,
+				ResponseHeaderTimeout: 30 * time.Second,
+				ExpectContinueTimeout: time.Second,
+			},
+		},
+	}
+
+	if opts.TokenDB != "" {
+		store, err := NewTranslationStore(opts.TokenDB)
+		if err != nil {
+			return nil, err
+		}
+		ca, err := newCertificateAuthority(store)
+		if err != nil {
+			return nil, err
+		}
+		proxy.translationStore = store
+		proxy.translationCA = ca
 	}
 
-	if ipProxyRange != "" {
+	if opts.IPProxyRange != "" {
 		proxy.setupIPMapping()
 	}
 
-	if dnsPort > 0 && ipProxyRange != "" {
-		proxy.dnsServer = NewDNSServer(dnsPort, proxy)
+	if opts.DNSPort > 0 && opts.IPProxyRange != "" {
+		proxy.dnsServer = NewDNSServer(opts.DNSPort, proxy)
 	}
 
-	return proxy
+	return proxy, nil
 }
 
 func matchesDomain(host string, domains []string) (bool, string) {
@@ -262,6 +302,12 @@ func (p *Proxy) handleConnect(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	proxyToken := extractProxyToken(r.Header)
+	if p.translationStore != nil && p.translationCA != nil && len(p.translationStore.RulesForHost(proxyToken, host)) > 0 {
+		p.handleConnectMITM(w, r, host, port, proxyToken)
+		return
+	}
+
 	slog.Debug("CONNECT tunnel establishing", "host", host, "port", port)
 	destConn, err := net.Dial("tcp", net.JoinHostPort(host, port))
 	if err != nil {
@@ -362,10 +408,6 @@ func (p *Proxy) handleHTTP(w http.ResponseWriter, r *http.Request) {
 		targetURL.Host = host
 	}
 
-	client := &http.Client{
-		Timeout: 30 * time.Second,
-	}
-
 	req, err := http.NewRequest(r.Method, targetURL.String(), r.Body)
 	if err != nil {
 		slog.Error("Failed to create HTTP request", "error", err)
@@ -373,14 +415,18 @@ func (p *Proxy) handleHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	proxyToken := extractProxyToken(r.Header)
 	removeHopByHopHeaders(r.Header)
 	for name, values := range r.Header {
 		for _, value := range values {
 			req.Header.Add(name, value)
 		}
 	}
+	if p.translationStore != nil {
+		applyTranslationRules(req.Header, hostOnly, targetURL.Path, proxyToken, p.translationStore.ListRules())
+	}
 
-	resp, err := client.Do(req)
+	resp, err := p.httpClient.Do(req)
 	if err != nil {
 		slog.Error("Failed to forward HTTP request", "host", hostOnly, "error", err)
 		http.Error(w, "Bad Gateway", http.StatusBadGateway)
@@ -629,6 +675,11 @@ func (p *Proxy) Stop(ctx context.Context) error {
 			errs = append(errs, fmt.Errorf("DNS server shutdown: %w", err))
 		}
 	}
+	if p.translationStore != nil {
+		if err := p.translationStore.Close(); err != nil {
+			errs = append(errs, fmt.Errorf("translation store shutdown: %w", err))
+		}
+	}
 	return errors.Join(errs...)
 }
 
diff --git a/pkg/proxy/token_store.go b/pkg/proxy/token_store.go
new file mode 100644
index 0000000..0668bdd
--- /dev/null
+++ b/pkg/proxy/token_store.go
@@ -0,0 +1,398 @@
+package proxy
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+
+	_ "modernc.org/sqlite"
+)
+
+type TranslationStore struct {
+	db     *sql.DB
+	dbPath string
+
+	mu     sync.RWMutex
+	tokens []TranslationToken
+	rules  []TranslationRule
+}
+
+func NewTranslationStore(dbPath string) (*TranslationStore, error) {
+	db, err := sql.Open("sqlite", dbPath)
+	if err != nil {
+		return nil, fmt.Errorf("open sqlite db: %w", err)
+	}
+	db.SetMaxOpenConns(1)
+
+	store := &TranslationStore{
+		db:     db,
+		dbPath: dbPath,
+	}
+	if err := store.init(); err != nil {
+		_ = db.Close()
+		return nil, err
+	}
+	return store, nil
+}
+
+func (s *TranslationStore) init() error {
+	stmts := []string{
+		`PRAGMA foreign_keys=ON;`,
+		`PRAGMA journal_mode=WAL;`,
+		`CREATE TABLE IF NOT EXISTS translation_tokens (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			name TEXT NOT NULL,
+			token TEXT NOT NULL UNIQUE,
+			created_at TEXT NOT NULL,
+			updated_at TEXT NOT NULL
+		);`,
+		`CREATE TABLE IF NOT EXISTS translation_rules (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			name TEXT NOT NULL,
+			token_id INTEGER NULL REFERENCES translation_tokens(id) ON DELETE SET NULL,
+			host_pattern TEXT NOT NULL,
+			path_pattern TEXT NOT NULL DEFAULT '*',
+			match_header_name TEXT NOT NULL DEFAULT '',
+			match_header_value TEXT NOT NULL DEFAULT '',
+			inject_header_name TEXT NOT NULL,
+			inject_header_value_format TEXT NOT NULL DEFAULT '{value}',
+			remove_header_name TEXT NOT NULL DEFAULT '',
+			secret_value TEXT NOT NULL,
+			enabled INTEGER NOT NULL DEFAULT 1,
+			created_at TEXT NOT NULL,
+			updated_at TEXT NOT NULL
+		);`,
+		`CREATE TABLE IF NOT EXISTS translation_meta (
+			key TEXT PRIMARY KEY,
+			value TEXT NOT NULL
+		);`,
+	}
+	for _, stmt := range stmts {
+		if _, err := s.db.Exec(stmt); err != nil {
+			return fmt.Errorf("init sqlite schema: %w", err)
+		}
+	}
+	if err := s.reload(); err != nil {
+		return err
+	}
+	if len(s.tokens) == 0 {
+		if _, err := s.CreateToken("default"); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *TranslationStore) Close() error {
+	return s.db.Close()
+}
+
+func (s *TranslationStore) DBPath() string {
+	return s.dbPath
+}
+
+func (s *TranslationStore) reload() error {
+	tokens, err := s.loadTokens()
+	if err != nil {
+		return err
+	}
+	rules, err := s.loadRules()
+	if err != nil {
+		return err
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.tokens = tokens
+	s.rules = rules
+	return nil
+}
+
+func (s *TranslationStore) loadTokens() ([]TranslationToken, error) {
+	rows, err := s.db.Query(`SELECT id, name, token, created_at, updated_at FROM translation_tokens ORDER BY id`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var tokens []TranslationToken
+	for rows.Next() {
+		var token TranslationToken
+		if err := rows.Scan(&token.ID, &token.Name, &token.Token, &token.CreatedAt, &token.UpdatedAt); err != nil {
+			return nil, err
+		}
+		tokens = append(tokens, token)
+	}
+	return tokens, rows.Err()
+}
+
+func (s *TranslationStore) loadRules() ([]TranslationRule, error) {
+	rows, err := s.db.Query(`
+		SELECT
+			r.id,
+			r.name,
+			r.token_id,
+			COALESCE(t.name, ''),
+			COALESCE(t.token, ''),
+			r.host_pattern,
+			r.path_pattern,
+			r.match_header_name,
+			r.match_header_value,
+			r.inject_header_name,
+			r.inject_header_value_format,
+			r.remove_header_name,
+			r.secret_value,
+			r.enabled
+		FROM translation_rules r
+		LEFT JOIN translation_tokens t ON t.id = r.token_id
+		ORDER BY r.id
+	`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var rules []TranslationRule
+	for rows.Next() {
+		var rule TranslationRule
+		var tokenID sql.NullInt64
+		if err := rows.Scan(
+			&rule.ID,
+			&rule.Name,
+			&tokenID,
+			&rule.TokenName,
+			&rule.ScopedToken,
+			&rule.HostPattern,
+			&rule.PathPattern,
+			&rule.MatchHeaderName,
+			&rule.MatchHeaderValue,
+			&rule.InjectHeaderName,
+			&rule.InjectHeaderValueFormat,
+			&rule.RemoveHeaderName,
+			&rule.SecretValue,
+			&rule.Enabled,
+		); err != nil {
+			return nil, err
+		}
+		if tokenID.Valid {
+			rule.TokenID = &tokenID.Int64
+		}
+		rules = append(rules, rule)
+	}
+	return rules, rows.Err()
+}
+
+func (s *TranslationStore) ListTokens() []TranslationToken {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	out := make([]TranslationToken, len(s.tokens))
+	copy(out, s.tokens)
+	return out
+}
+
+func (s *TranslationStore) ListRules() []TranslationRule {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	out := make([]TranslationRule, len(s.rules))
+	copy(out, s.rules)
+	return out
+}
+
+func (s *TranslationStore) CreateToken(name string) (*TranslationToken, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		name = "token"
+	}
+	tokenValue, err := generateTranslationToken()
+	if err != nil {
+		return nil, err
+	}
+	now := time.Now().UTC().Format(time.RFC3339)
+
+	existing, err := s.FindTokenByName(name)
+	if err == nil {
+		if _, err := s.db.Exec(`UPDATE translation_tokens SET token = ?, updated_at = ? WHERE id = ?`, tokenValue, now, existing.ID); err != nil {
+			return nil, err
+		}
+		if err := s.reload(); err != nil {
+			return nil, err
+		}
+		existing.Token = tokenValue
+		existing.UpdatedAt = now
+		return existing, nil
+	}
+	if !strings.Contains(err.Error(), "not found") {
+		return nil, err
+	}
+
+	res, err := s.db.Exec(`INSERT INTO translation_tokens(name, token, created_at, updated_at) VALUES (?, ?, ?, ?)`, name, tokenValue, now, now)
+	if err != nil {
+		return nil, err
+	}
+	id, err := res.LastInsertId()
+	if err != nil {
+		return nil, err
+	}
+	if err := s.reload(); err != nil {
+		return nil, err
+	}
+	return &TranslationToken{ID: id, Name: name, Token: tokenValue, CreatedAt: now, UpdatedAt: now}, nil
+}
+
+func (s *TranslationStore) DeleteToken(id int64) error {
+	tx, err := s.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+
+	if _, err := tx.Exec(`DELETE FROM translation_rules WHERE token_id = ?`, id); err != nil {
+		return err
+	}
+	if _, err := tx.Exec(`DELETE FROM translation_tokens WHERE id = ?`, id); err != nil {
+		return err
+	}
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+	return s.reload()
+}
+
+func (s *TranslationStore) CreateRule(rule TranslationRule) (*TranslationRule, error) {
+	rule.Name = strings.TrimSpace(rule.Name)
+	rule.HostPattern = strings.TrimSpace(rule.HostPattern)
+	rule.PathPattern = strings.TrimSpace(rule.PathPattern)
+	rule.MatchHeaderName = strings.TrimSpace(rule.MatchHeaderName)
+	rule.MatchHeaderValue = strings.TrimSpace(rule.MatchHeaderValue)
+	rule.InjectHeaderName = strings.TrimSpace(rule.InjectHeaderName)
+	rule.InjectHeaderValueFormat = strings.TrimSpace(rule.InjectHeaderValueFormat)
+	rule.RemoveHeaderName = strings.TrimSpace(rule.RemoveHeaderName)
+	if rule.Name == "" || rule.HostPattern == "" || rule.InjectHeaderName == "" || rule.SecretValue == "" {
+		return nil, errors.New("name, hostPattern, injectHeaderName, and secretValue are required")
+	}
+	if rule.PathPattern == "" {
+		rule.PathPattern = "*"
+	}
+	if rule.InjectHeaderValueFormat == "" {
+		rule.InjectHeaderValueFormat = "{value}"
+	}
+	now := time.Now().UTC().Format(time.RFC3339)
+
+	if existing := s.findRuleByIdentity(rule); existing != nil {
+		if _, err := s.db.Exec(`
+			UPDATE translation_rules
+			SET name = ?, secret_value = ?, enabled = ?, updated_at = ?
+			WHERE id = ?`,
+			rule.Name, rule.SecretValue, rule.Enabled, now, existing.ID,
+		); err != nil {
+			return nil, err
+		}
+		if err := s.reload(); err != nil {
+			return nil, err
+		}
+		for _, loaded := range s.ListRules() {
+			if loaded.ID == existing.ID {
+				return &loaded, nil
+			}
+		}
+		return nil, errors.New("updated rule was not reloaded")
+	}
+
+	var tokenID any
+	if rule.TokenID != nil {
+		tokenID = *rule.TokenID
+	}
+	res, err := s.db.Exec(`
+		INSERT INTO translation_rules(
+			name, token_id, host_pattern, path_pattern, match_header_name, match_header_value,
+			inject_header_name, inject_header_value_format, remove_header_name, secret_value, enabled, created_at, updated_at
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		rule.Name, tokenID, rule.HostPattern, rule.PathPattern, rule.MatchHeaderName, rule.MatchHeaderValue,
+		rule.InjectHeaderName, rule.InjectHeaderValueFormat, rule.RemoveHeaderName, rule.SecretValue, rule.Enabled, now, now,
+	)
+	if err != nil {
+		return nil, err
+	}
+	id, err := res.LastInsertId()
+	if err != nil {
+		return nil, err
+	}
+	if err := s.reload(); err != nil {
+		return nil, err
+	}
+	for _, loaded := range s.ListRules() {
+		if loaded.ID == id {
+			return &loaded, nil
+		}
+	}
+	return nil, errors.New("created rule was not reloaded")
+}
+
+func (s *TranslationStore) findRuleByIdentity(rule TranslationRule) *TranslationRule {
+	for _, existing := range s.ListRules() {
+		if sameOptionalInt64(existing.TokenID, rule.TokenID) &&
+			existing.HostPattern == rule.HostPattern &&
+			existing.PathPattern == rule.PathPattern &&
+			existing.MatchHeaderName == rule.MatchHeaderName &&
+			existing.MatchHeaderValue == rule.MatchHeaderValue &&
+			existing.InjectHeaderName == rule.InjectHeaderName &&
+			existing.InjectHeaderValueFormat == rule.InjectHeaderValueFormat &&
+			existing.RemoveHeaderName == rule.RemoveHeaderName {
+			ruleCopy := existing
+			return &ruleCopy
+		}
+	}
+	return nil
+}
+
+func sameOptionalInt64(a, b *int64) bool {
+	switch {
+	case a == nil && b == nil:
+		return true
+	case a != nil && b != nil:
+		return *a == *b
+	default:
+		return false
+	}
+}
+
+func (s *TranslationStore) DeleteRule(id int64) error {
+	if _, err := s.db.Exec(`DELETE FROM translation_rules WHERE id = ?`, id); err != nil {
+		return err
+	}
+	return s.reload()
+}
+
+func (s *TranslationStore) RulesForHost(token, host string) []TranslationRule {
+	var matched []TranslationRule
+	for _, rule := range s.ListRules() {
+		if !rule.Enabled || !hostPatternMatches(host, rule.HostPattern) {
+			continue
+		}
+		if rule.TokenID != nil && rule.ScopedToken == "" {
+			continue
+		}
+		if rule.ScopedToken != "" && rule.ScopedToken != token {
+			continue
+		}
+		matched = append(matched, rule)
+	}
+	return matched
+}
+
+func (s *TranslationStore) UpsertMeta(key, value string) error {
+	_, err := s.db.Exec(`INSERT INTO translation_meta(key, value) VALUES(?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value`, key, value)
+	return err
+}
+
+func (s *TranslationStore) Meta(key string) (string, error) {
+	var value string
+	err := s.db.QueryRow(`SELECT value FROM translation_meta WHERE key = ?`, key).Scan(&value)
+	if errors.Is(err, sql.ErrNoRows) {
+		return "", nil
+	}
+	return value, err
+}
diff --git a/pkg/proxy/token_translation.go b/pkg/proxy/token_translation.go
new file mode 100644
index 0000000..bc45c3a
--- /dev/null
+++ b/pkg/proxy/token_translation.go
@@ -0,0 +1,146 @@
+package proxy
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+type TranslationToken struct {
+	ID        int64  `json:"id"`
+	Name      string `json:"name"`
+	Token     string `json:"token"`
+	CreatedAt string `json:"createdAt"`
+	UpdatedAt string `json:"updatedAt"`
+}
+
+type TranslationRule struct {
+	ID                      int64  `json:"id"`
+	Name                    string `json:"name"`
+	TokenID                 *int64 `json:"tokenId,omitempty"`
+	TokenName               string `json:"tokenName,omitempty"`
+	HostPattern             string `json:"hostPattern"`
+	PathPattern             string `json:"pathPattern"`
+	MatchHeaderName         string `json:"matchHeaderName,omitempty"`
+	MatchHeaderValue        string `json:"matchHeaderValue,omitempty"`
+	InjectHeaderName        string `json:"injectHeaderName"`
+	InjectHeaderValueFormat string `json:"injectHeaderValueFormat"`
+	RemoveHeaderName        string `json:"removeHeaderName,omitempty"`
+	SecretValue             string `json:"secretValue,omitempty"`
+	Enabled                 bool   `json:"enabled"`
+	ScopedToken             string `json:"-"`
+}
+
+type TranslationConfigResponse struct {
+	ProxyURL               string            `json:"proxyURL"`
+	Env                    map[string]string `json:"env"`
+	CACertificatePEM       string            `json:"caCertificatePEM"`
+	CACertificatePath      string            `json:"caCertificatePath"`
+	TokenTranslationDBPath string            `json:"tokenTranslationDbPath"`
+}
+
+func generateTranslationToken() (string, error) {
+	buf := make([]byte, 24)
+	if _, err := rand.Read(buf); err != nil {
+		return "", err
+	}
+	return "sand_" + base64.RawURLEncoding.EncodeToString(buf), nil
+}
+
+func extractProxyToken(header http.Header) string {
+	value := header.Get("Proxy-Authorization")
+	if value == "" {
+		return ""
+	}
+	encoded := strings.TrimSpace(strings.TrimPrefix(value, "Basic "))
+	if encoded == value {
+		return ""
+	}
+	decoded, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return ""
+	}
+	decodedStr := string(decoded)
+	parts := strings.SplitN(decodedStr, ":", 2)
+	switch {
+	case len(parts) == 2 && parts[1] != "":
+		return parts[1]
+	case len(parts) > 0:
+		return parts[0]
+	default:
+		return ""
+	}
+}
+
+func hostPatternMatches(host, pattern string) bool {
+	host = strings.ToLower(strings.TrimSpace(host))
+	pattern = strings.ToLower(strings.TrimSpace(pattern))
+	if pattern == "" || host == "" {
+		return false
+	}
+	if host == pattern {
+		return true
+	}
+	if strings.HasPrefix(pattern, "*.") {
+		suffix := pattern[2:]
+		return host == suffix || strings.HasSuffix(host, "."+suffix)
+	}
+	return false
+}
+
+func pathPatternMatches(path, pattern string) bool {
+	if pattern == "" || pattern == "*" {
+		return true
+	}
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+	if !strings.HasPrefix(pattern, "/") {
+		pattern = "/" + pattern
+	}
+	if prefix := strings.TrimSuffix(pattern, "/*"); prefix != pattern {
+		return path == prefix || strings.HasPrefix(path, prefix+"/")
+	}
+	return path == pattern
+}
+
+func applyTranslationRules(headers http.Header, host, path, proxyToken string, rules []TranslationRule) int {
+	applied := 0
+	for _, rule := range rules {
+		if !rule.Enabled || !hostPatternMatches(host, rule.HostPattern) || !pathPatternMatches(path, rule.PathPattern) {
+			continue
+		}
+		if rule.ScopedToken != "" && rule.ScopedToken != proxyToken {
+			continue
+		}
+
+		var matchedValue string
+		if rule.MatchHeaderName != "" {
+			matchedValue = headers.Get(rule.MatchHeaderName)
+			if matchedValue == "" {
+				continue
+			}
+			if rule.MatchHeaderValue != "" && matchedValue != rule.MatchHeaderValue {
+				continue
+			}
+		}
+
+		if rule.RemoveHeaderName != "" {
+			headers.Del(rule.RemoveHeaderName)
+		}
+
+		value := strings.ReplaceAll(rule.InjectHeaderValueFormat, "{value}", rule.SecretValue)
+		if strings.Contains(value, "{matched}") {
+			value = strings.ReplaceAll(value, "{matched}", matchedValue)
+		}
+		headers.Set(rule.InjectHeaderName, value)
+		applied++
+	}
+	return applied
+}
+
+func buildProxyURL(host string, port int, token string) string {
+	return fmt.Sprintf("http://x:%s@%s:%d", token, host, port)
+}
diff --git a/pkg/proxy/token_translation_test.go b/pkg/proxy/token_translation_test.go
new file mode 100644
index 0000000..4110850
--- /dev/null
+++ b/pkg/proxy/token_translation_test.go
@@ -0,0 +1,218 @@
+package proxy
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestApplyTranslationRules(t *testing.T) {
+	headers := http.Header{}
+	headers.Set("Authorization", "Bearer FAKE")
+
+	rules := []TranslationRule{{
+		Name:                    "replace auth",
+		HostPattern:             "api.example.com",
+		PathPattern:             "/v1/*",
+		MatchHeaderName:         "Authorization",
+		MatchHeaderValue:        "Bearer FAKE",
+		InjectHeaderName:        "Authorization",
+		InjectHeaderValueFormat: "Bearer {value}",
+		SecretValue:             "REAL",
+		Enabled:                 true,
+	}}
+
+	applied := applyTranslationRules(headers, "api.example.com", "/v1/chat/completions", "", rules)
+	require.Equal(t, 1, applied, "expected one applied rule")
+	require.Equal(t, "Bearer REAL", headers.Get("Authorization"), "expected translated header")
+}
+
+func TestTranslationStoreAndHTTPProxyFlow(t *testing.T) {
+	tmpDir := t.TempDir()
+	dbPath := filepath.Join(tmpDir, "translations.sqlite")
+
+	var seenAuthorization string
+	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		seenAuthorization = r.Header.Get("Authorization")
+		_, _ = w.Write([]byte("ok"))
+	}))
+	defer upstream.Close()
+
+	upstreamURL, err := url.Parse(upstream.URL)
+	require.NoError(t, err)
+	host, _, err := net.SplitHostPort(upstreamURL.Host)
+	require.NoError(t, err, "split upstream host")
+
+	port := pickFreePort(t)
+	proxyServer, err := NewProxy(Options{
+		Port:           port,
+		AdminBind:      "127.0.0.1",
+		Mode:           "allow",
+		AllowedDomains: []string{host},
+		TokenDB:        dbPath,
+	})
+	require.NoError(t, err, "create proxy")
+
+	tokens := proxyServer.translationStore.ListTokens()
+	require.NotEmpty(t, tokens, "expected default proxy token")
+
+	_, err = proxyServer.translationStore.CreateRule(TranslationRule{
+		Name:                    "translate auth",
+		TokenID:                 &tokens[0].ID,
+		HostPattern:             host,
+		PathPattern:             "*",
+		MatchHeaderName:         "Authorization",
+		MatchHeaderValue:        "Bearer FAKE",
+		InjectHeaderName:        "Authorization",
+		InjectHeaderValueFormat: "Bearer {value}",
+		SecretValue:             "REAL_SECRET",
+		Enabled:                 true,
+	})
+	require.NoError(t, err, "create rule")
+
+	require.NoError(t, proxyServer.Start(t.Context()), "start proxy")
+	defer func() {
+		_ = proxyServer.Stop(context.Background())
+	}()
+
+	proxyURL, err := url.Parse(fmt.Sprintf("http://localhost:%d", port))
+	require.NoError(t, err, "parse proxy url")
+	proxyURL.User = url.UserPassword("x", tokens[0].Token)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			Proxy: http.ProxyURL(proxyURL),
+		},
+	}
+
+	req, err := http.NewRequest(http.MethodGet, upstream.URL, nil)
+	require.NoError(t, err, "create request")
+	req.Header.Set("Authorization", "Bearer FAKE")
+
+	resp, err := client.Do(req)
+	require.NoError(t, err, "proxy request failed")
+	_ = resp.Body.Close()
+
+	require.Equal(t, "Bearer REAL_SECRET", seenAuthorization, "expected translated auth header")
+
+	configResp, err := http.Get(fmt.Sprintf("http://127.0.0.1:%d/admin/api/token-translation/config?token_id=%d", port+1, tokens[0].ID))
+	require.NoError(t, err, "get config")
+	defer configResp.Body.Close()
+
+	var config TranslationConfigResponse
+	require.NoError(t, json.NewDecoder(configResp.Body).Decode(&config), "decode config")
+	require.NotEmpty(t, config.ProxyURL, "expected proxy url in config response")
+	require.NotEmpty(t, config.CACertificatePEM, "expected ca certificate in config response")
+
+	_, err = os.Stat(dbPath)
+	require.NoError(t, err, "expected sqlite db to exist")
+}
+
+func TestExtractProxyToken(t *testing.T) {
+	headers := http.Header{}
+	headers.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("x:sand_token")))
+	require.Equal(t, "sand_token", extractProxyToken(headers))
+}
+
+func TestNormalizePathPattern(t *testing.T) {
+	cases := map[string]string{
+		"":       "*",
+		"*":      "*",
+		"/v1/":   "/v1/*",
+		"/v1/*":  "/v1/*",
+		"/exact": "/exact",
+	}
+	for input, want := range cases {
+		if got := NormalizePathPattern(input); got != want {
+			t.Errorf("NormalizePathPattern(%q) = %q, want %q", input, got, want)
+		}
+	}
+}
+
+func TestAddBearerMappingCreatesDefaultToken(t *testing.T) {
+	store, err := OpenTranslationStore(filepath.Join(t.TempDir(), "easy.sqlite"))
+	require.NoError(t, err, "open store")
+	defer store.Close()
+
+	rule, token, err := AddBearerMapping(store, "", "", "api.example.com", "/v1/", "REAL", "PLACEHOLDER")
+	require.NoError(t, err, "add bearer mapping")
+	require.Equal(t, DefaultProxyToken, token.Name, "expected default token name")
+	require.Equal(t, "/v1/*", rule.PathPattern, "expected normalized path pattern")
+	require.Equal(t, "Bearer PLACEHOLDER", rule.MatchHeaderValue, "expected placeholder match")
+}
+
+func TestRevokeTokenByName(t *testing.T) {
+	store, err := OpenTranslationStore(filepath.Join(t.TempDir(), "tokens.sqlite"))
+	require.NoError(t, err, "open store")
+	defer store.Close()
+
+	_, err = store.EnsureToken("secondary")
+	require.NoError(t, err, "ensure token")
+	token, err := store.FindTokenByName("secondary")
+	require.NoError(t, err, "find token")
+	_, _, err = AddBearerMapping(store, "secondary", "", "api.github.com", "", "REAL", "")
+	require.NoError(t, err, "add scoped mapping")
+	require.NoError(t, store.RevokeTokenByName("secondary"), "revoke token")
+	_, err = store.FindTokenByName("secondary")
+	require.Error(t, err, "expected revoked token lookup to fail")
+	for _, rule := range store.ListRules() {
+		if rule.TokenID != nil && *rule.TokenID == token.ID {
+			require.FailNow(t, "expected revoke to delete token-scoped mappings")
+		}
+	}
+}
+
+func TestCreateTokenRotatesSameNameInPlace(t *testing.T) {
+	store, err := OpenTranslationStore(filepath.Join(t.TempDir(), "rotate.sqlite"))
+	require.NoError(t, err, "open store")
+	defer store.Close()
+
+	first, err := store.CreateToken("agent")
+	require.NoError(t, err, "create first token")
+	second, err := store.CreateToken("agent")
+	require.NoError(t, err, "create second token")
+
+	require.Equal(t, first.ID, second.ID, "expected token rotation in place")
+	require.NotEqual(t, first.Token, second.Token, "expected rotated token value to change")
+}
+
+func TestAddBearerMappingIsIdempotentPerIdentity(t *testing.T) {
+	store, err := OpenTranslationStore(filepath.Join(t.TempDir(), "dedupe.sqlite"))
+	require.NoError(t, err, "open store")
+	defer store.Close()
+
+	first, token, err := AddBearerMapping(store, "", "", "api.github.com", "", "ONE", "")
+	require.NoError(t, err, "add first mapping")
+	second, _, err := AddBearerMapping(store, "", "", "api.github.com", "", "TWO", "")
+	require.NoError(t, err, "add second mapping")
+
+	require.Equal(t, first.ID, second.ID, "expected duplicate add to update existing mapping")
+
+	rules := store.ListRules()
+	count := 0
+	for _, rule := range rules {
+		if rule.TokenID != nil && *rule.TokenID == token.ID && rule.HostPattern == "api.github.com" {
+			count++
+			require.Equal(t, "TWO", rule.SecretValue, "expected latest secret value to win")
+		}
+	}
+	require.Equal(t, 1, count, "expected exactly one github mapping for token")
+}
+
+func pickFreePort(t *testing.T) int {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err, "pick free port")
+	defer l.Close()
+	return l.Addr().(*net.TCPAddr).Port
+}
diff --git a/pkg/proxy/token_workflow.go b/pkg/proxy/token_workflow.go
new file mode 100644
index 0000000..c136f44
--- /dev/null
+++ b/pkg/proxy/token_workflow.go
@@ -0,0 +1,137 @@
+package proxy
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	DefaultTokenDBPath   = "./sandworm.db"
+	DefaultProxyToken    = "default"
+	DefaultCACertOutPath = "/tmp/sandworm-ca.pem"
+)
+
+func OpenTranslationStore(dbPath string) (*TranslationStore, error) {
+	if strings.TrimSpace(dbPath) == "" {
+		dbPath = DefaultTokenDBPath
+	}
+	return NewTranslationStore(dbPath)
+}
+
+func (s *TranslationStore) EnsureToken(name string) (*TranslationToken, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		name = DefaultProxyToken
+	}
+	for _, token := range s.ListTokens() {
+		if token.Name == name {
+			tokenCopy := token
+			return &tokenCopy, nil
+		}
+	}
+	return s.CreateToken(name)
+}
+
+func NormalizePathPattern(path string) string {
+	path = strings.TrimSpace(path)
+	switch {
+	case path == "":
+		return "*"
+	case path == "*":
+		return "*"
+	case strings.HasSuffix(path, "/*"):
+		return path
+	case strings.HasSuffix(path, "/"):
+		return strings.TrimSuffix(path, "/") + "/*"
+	default:
+		return path
+	}
+}
+
+func AddBearerMapping(store *TranslationStore, tokenName, name, host, path, secret, placeholder string) (*TranslationRule, *TranslationToken, error) {
+	token, err := store.EnsureToken(tokenName)
+	if err != nil {
+		return nil, nil, err
+	}
+	ruleName := strings.TrimSpace(name)
+	if ruleName == "" {
+		ruleName = host
+	}
+	rule := TranslationRule{
+		Name:                    ruleName,
+		TokenID:                 &token.ID,
+		HostPattern:             strings.TrimSpace(host),
+		PathPattern:             NormalizePathPattern(path),
+		InjectHeaderName:        "Authorization",
+		InjectHeaderValueFormat: "Bearer {value}",
+		SecretValue:             strings.TrimSpace(secret),
+		Enabled:                 true,
+	}
+	placeholder = strings.TrimSpace(placeholder)
+	if placeholder != "" {
+		rule.MatchHeaderName = "Authorization"
+		rule.MatchHeaderValue = "Bearer " + placeholder
+	}
+	created, err := store.CreateRule(rule)
+	if err != nil {
+		return nil, nil, err
+	}
+	return created, token, nil
+}
+
+func AddHeaderMapping(store *TranslationStore, tokenName, name, host, path, secret, headerName, placeholder string) (*TranslationRule, *TranslationToken, error) {
+	token, err := store.EnsureToken(tokenName)
+	if err != nil {
+		return nil, nil, err
+	}
+	ruleName := strings.TrimSpace(name)
+	if ruleName == "" {
+		ruleName = fmt.Sprintf("%s:%s", host, headerName)
+	}
+	rule := TranslationRule{
+		Name:                    ruleName,
+		TokenID:                 &token.ID,
+		HostPattern:             strings.TrimSpace(host),
+		PathPattern:             NormalizePathPattern(path),
+		InjectHeaderName:        strings.TrimSpace(headerName),
+		InjectHeaderValueFormat: "{value}",
+		SecretValue:             strings.TrimSpace(secret),
+		Enabled:                 true,
+	}
+	placeholder = strings.TrimSpace(placeholder)
+	if placeholder != "" {
+		rule.MatchHeaderName = rule.InjectHeaderName
+		rule.MatchHeaderValue = placeholder
+	}
+	created, err := store.CreateRule(rule)
+	if err != nil {
+		return nil, nil, err
+	}
+	return created, token, nil
+}
+
+func EnsureTranslationCA(store *TranslationStore) (*certificateAuthority, error) {
+	return newCertificateAuthority(store)
+}
+
+func (s *TranslationStore) FindTokenByName(name string) (*TranslationToken, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return nil, fmt.Errorf("token name is required")
+	}
+	for _, token := range s.ListTokens() {
+		if token.Name == name {
+			tokenCopy := token
+			return &tokenCopy, nil
+		}
+	}
+	return nil, fmt.Errorf("token %q not found", name)
+}
+
+func (s *TranslationStore) RevokeTokenByName(name string) error {
+	token, err := s.FindTokenByName(name)
+	if err != nil {
+		return err
+	}
+	return s.DeleteToken(token.ID)
+}