diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index fd291c512..1df6871a3 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -160,7 +160,13 @@ export const resources = pgTable("resources", {
     postAuthPath: text("postAuthPath"),
     health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
     wildcard: boolean("wildcard").notNull().default(false),
-    browserAccessType: text("browserAccessType").default("http") // rdp, ssh, http, vnc
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site")
 });
 
 export const labels = pgTable("labels", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 113f4c443..04eba1c21 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -181,7 +181,13 @@ export const resources = sqliteTable("resources", {
     postAuthPath: text("postAuthPath"),
     health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
     wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
-    browserAccessType: text("browserAccessType").default("http") // rdp, ssh, http, vnc
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site")
 });
 
 export const labels = sqliteTable("labels", {
diff --git a/server/routers/resource/getBrowserTarget.ts b/server/routers/resource/getBrowserTarget.ts
index 3ea1c4aa2..f18419a95 100644
--- a/server/routers/resource/getBrowserTarget.ts
+++ b/server/routers/resource/getBrowserTarget.ts
@@ -21,6 +21,11 @@ export type GetBrowserTargetResponse = {
     ip: string;
     port: number;
     authToken: string;
+    orgId: string;
+    resourceId: number;
+    niceId: string;
+    pamMode: "passthrough" | "push" | null;
+    authDaemonMode: "site" | "remote" | "native" | null;
 };
 
 export async function getBrowserTarget(
@@ -47,7 +52,12 @@ export async function getBrowserTarget(
             .select({
                 destination: browserGatewayTarget.destination,
                 destinationPort: browserGatewayTarget.destinationPort,
-                authToken: browserGatewayTarget.authToken
+                authToken: browserGatewayTarget.authToken,
+                resourceId: resources.resourceId,
+                niceId: resources.niceId,
+                orgId: resources.orgId,
+                pamMode: resources.pamMode,
+                authDaemonMode: resources.authDaemonMode
             })
             .from(browserGatewayTarget)
             .innerJoin(
@@ -57,7 +67,7 @@ export async function getBrowserTarget(
             .where(eq(resources.fullDomain, fullDomain))
             .limit(1);
 
-        const decryptAuthToken = decrypt(
+        const decryptedAuthToken = decrypt(
             browserTarget.authToken,
             config.getRawConfig().server.secret!
         );
@@ -75,7 +85,12 @@ export async function getBrowserTarget(
             data: {
                 ip: browserTarget.destination,
                 port: browserTarget.destinationPort,
-                authToken: decryptAuthToken
+                authToken: decryptedAuthToken,
+                pamMode: browserTarget.pamMode,
+                authDaemonMode: browserTarget.authDaemonMode,
+                orgId: browserTarget.orgId,
+                resourceId: browserTarget.resourceId,
+                niceId: browserTarget.niceId
             },
             success: true,
             error: false,
diff --git a/src/app/ssh/SshClient.tsx b/src/app/ssh/SshClient.tsx
index d8a07770f..9472e9bee 100644
--- a/src/app/ssh/SshClient.tsx
+++ b/src/app/ssh/SshClient.tsx
@@ -6,12 +6,8 @@ import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Textarea } from "@/components/ui/textarea";
-
-type Target = {
-    ip: string;
-    port: number;
-    authToken: string;
-};
+import type { SignSshKeyResponse } from "@server/private/routers/ssh";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
 
 type FormState = {
     username: string;
@@ -19,12 +15,23 @@ type FormState = {
     privateKey: string;
 };
 
+type ConnectCredentials = {
+    username: string;
+    password?: string;
+    privateKey?: string;
+    certificate?: string;
+};
+
 export default function SshClient({
     target,
-    error
+    error,
+    signedKeyData,
+    privateKey: signedPrivateKey
 }: {
-    target: Target | null;
+    target: GetBrowserTargetResponse | null;
     error: string | null;
+    signedKeyData?: SignSshKeyResponse | null;
+    privateKey?: string | null;
 }) {
     const STORAGE_KEY = "pangolin_ssh_credentials";
 
@@ -148,7 +155,19 @@ export default function SshClient({
         };
     }, []);
 
-    function connect() {
+    // Auto-connect when signed key data is provided (push PAM mode).
+    useEffect(() => {
+        if (signedKeyData && signedPrivateKey && target) {
+            connect({
+                username: signedKeyData.sshUsername,
+                privateKey: signedPrivateKey,
+                certificate: signedKeyData.certificate
+            });
+        }
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, []);
+
+    function connect(override?: ConnectCredentials) {
         setConnectError(null);
         setConnecting(true);
 
@@ -158,11 +177,16 @@ export default function SshClient({
             return;
         }
 
+        const username = override?.username ?? form.username;
+        const password = override?.password ?? form.password;
+        const privateKey = override?.privateKey ?? form.privateKey;
+        const certificate = override?.certificate;
+
         const proxyAddress = `${window.location.protocol === "https:" ? "wss" : "ws"}://${window.location.host}/gateway/ssh`;
         const url = new URL(proxyAddress);
         url.searchParams.set("host", target.ip ?? "");
         url.searchParams.set("port", String(target.port ?? 22));
-        url.searchParams.set("username", form.username);
+        url.searchParams.set("username", username);
         url.searchParams.set("authToken", target.authToken ?? "");
 
         const ws = new WebSocket(url.toString(), ["ssh"]);
@@ -174,14 +198,17 @@ export default function SshClient({
             ws.send(
                 JSON.stringify({
                     type: "auth",
-                    password: form.password,
-                    privateKey: form.privateKey
+                    password,
+                    privateKey,
+                    certificate
                 })
             );
-            try {
-                localStorage.setItem(STORAGE_KEY, JSON.stringify(form));
-            } catch {
-                // ignore
+            if (!override) {
+                try {
+                    localStorage.setItem(STORAGE_KEY, JSON.stringify(form));
+                } catch {
+                    // ignore
+                }
             }
             setConnecting(false);
             setConnected(true);
@@ -240,6 +267,43 @@ export default function SshClient({
         );
     }
 
+    // In push mode, show a connecting/connected state without the login form.
+    if (signedKeyData && signedPrivateKey) {
+        return (
+            <div className="min-h-screen bg-background">
+                {!connected && (
+                    <div className="flex min-h-screen items-center justify-center">
+                        <p className="text-muted-foreground">
+                            {connectError
+                                ? connectError
+                                : connecting
+                                  ? "Connecting…"
+                                  : "Initializing…"}
+                        </p>
+                    </div>
+                )}
+                {connected && (
+                    <div className="flex h-screen flex-col bg-neutral-900">
+                        <div className="flex flex-wrap items-center gap-2 bg-black p-2 text-white">
+                            <Button
+                                size="sm"
+                                variant="destructive"
+                                onClick={disconnect}
+                            >
+                                Terminate
+                            </Button>
+                        </div>
+                        <div
+                            ref={terminalRef}
+                            className="flex-1 overflow-hidden"
+                            style={{ minHeight: 0 }}
+                        />
+                    </div>
+                )}
+            </div>
+        );
+    }
+
     return (
         <div className="min-h-screen bg-background">
             {!connected && (
@@ -335,7 +399,7 @@ export default function SshClient({
                         )}
 
                         <Button
-                            onClick={connect}
+                            onClick={() => connect()}
                             loading={connecting}
                             disabled={
                                 !form.username ||
diff --git a/src/app/ssh/page.tsx b/src/app/ssh/page.tsx
index f54f121c6..efe98b794 100644
--- a/src/app/ssh/page.tsx
+++ b/src/app/ssh/page.tsx
@@ -3,6 +3,42 @@ import { priv } from "@app/lib/api";
 import { AxiosResponse } from "axios";
 import { GetBrowserTargetResponse } from "@server/routers/resource";
 import SshClient from "./SshClient";
+import { SignSshKeyResponse } from "@server/private/routers/ssh";
+import crypto from "crypto";
+
+function generateEphemeralKeyPair(): {
+    privateKeyPem: string;
+    publicKeyOpenSSH: string;
+} {
+    const { publicKey: pubKeyObj, privateKey: privKeyObj } =
+        crypto.generateKeyPairSync("ed25519");
+
+    const privateKeyPem = privKeyObj.export({
+        type: "pkcs8",
+        format: "pem"
+    }) as string;
+
+    // Build OpenSSH wire format: uint32-length-prefixed strings
+    const pubKeyDer = pubKeyObj.export({
+        type: "spki",
+        format: "der"
+    }) as Buffer;
+    const rawPubKey = pubKeyDer.subarray(pubKeyDer.length - 32); // last 32 bytes are the Ed25519 key
+
+    function encodeField(b: Buffer): Buffer {
+        const len = Buffer.allocUnsafe(4);
+        len.writeUInt32BE(b.length, 0);
+        return Buffer.concat([len, b]);
+    }
+
+    const keyBlob = Buffer.concat([
+        encodeField(Buffer.from("ssh-ed25519")),
+        encodeField(rawPubKey)
+    ]);
+    const publicKeyOpenSSH = `ssh-ed25519 ${keyBlob.toString("base64")}`;
+
+    return { privateKeyPem, publicKeyOpenSSH };
+}
 
 export const dynamic = "force-dynamic";
 
@@ -15,7 +51,9 @@ export default async function SshPage() {
     const host = headersList.get("host") || "";
     const hostname = host.split(":")[0];
 
-    let target: { ip: string; port: number; authToken: string } | null = null;
+    let target: GetBrowserTargetResponse | null = null;
+    let signedKeyData: SignSshKeyResponse | null = null;
+    let privateKey: string | null = null;
     let error: string | null = null;
 
     try {
@@ -23,10 +61,32 @@ export default async function SshPage() {
             `/resource/browser-target?fullDomain=${encodeURIComponent(hostname)}`
         );
         target = res.data.data;
+
+        if (target.pamMode === "push") {
+            const { privateKeyPem, publicKeyOpenSSH } =
+                generateEphemeralKeyPair();
+            privateKey = privateKeyPem;
+            const res = await priv.post<AxiosResponse<SignSshKeyResponse>>(
+                `/org/${target.orgId}/ssh/sign-key`,
+                {
+                    publicKey: publicKeyOpenSSH,
+                    resource: target.niceId
+                }
+            );
+            signedKeyData = res.data.data;
+            console.log("Received signed SSH key:", signedKeyData);
+        }
     } catch (error) {
         console.error("Error fetching browser target:", error);
         error = "No resource found for this domain";
     }
 
-    return <SshClient target={target} error={error} />;
+    return (
+        <SshClient
+            target={target}
+            error={error}
+            signedKeyData={signedKeyData}
+            privateKey={privateKey}
+        />
+    );
 }