diff --git a/backend/atlas_portal/rate_limit.py b/backend/atlas_portal/rate_limit.py
index 9cbc98d..841e308 100644
--- a/backend/atlas_portal/rate_limit.py
+++ b/backend/atlas_portal/rate_limit.py
@@ -4,18 +4,18 @@ import time
 
 from . import settings
 
-_ACCESS_REQUEST_RATE: dict[str, list[float]] = {}
+_RATE_BUCKETS: dict[str, dict[str, list[float]]] = {}
 
 
-def rate_limit_allow(ip: str) -> bool:
-    if settings.ACCESS_REQUEST_RATE_LIMIT <= 0:
+def rate_limit_allow(ip: str, *, key: str, limit: int, window_sec: int) -> bool:
+    if limit <= 0:
         return True
     now = time.time()
-    window_start = now - settings.ACCESS_REQUEST_RATE_WINDOW_SEC
-    bucket = _ACCESS_REQUEST_RATE.setdefault(ip, [])
+    window_start = now - window_sec
+    buckets_by_ip = _RATE_BUCKETS.setdefault(key, {})
+    bucket = buckets_by_ip.setdefault(ip, [])
     bucket[:] = [t for t in bucket if t >= window_start]
-    if len(bucket) >= settings.ACCESS_REQUEST_RATE_LIMIT:
+    if len(bucket) >= limit:
         return False
     bucket.append(now)
     return True
-
diff --git a/backend/atlas_portal/routes/access_requests.py b/backend/atlas_portal/routes/access_requests.py
index 76272c7..bd503a9 100644
--- a/backend/atlas_portal/routes/access_requests.py
+++ b/backend/atlas_portal/routes/access_requests.py
@@ -37,7 +37,12 @@ def register(app) -> None:
             return jsonify({"error": "server not configured"}), 503
 
         ip = request.remote_addr or "unknown"
-        if not rate_limit_allow(ip):
+        if not rate_limit_allow(
+            ip,
+            key="access_request_submit",
+            limit=settings.ACCESS_REQUEST_SUBMIT_RATE_LIMIT,
+            window_sec=settings.ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC,
+        ):
             return jsonify({"error": "rate limited"}), 429
 
         username, email, note = _extract_request_payload()
@@ -108,7 +113,12 @@ def register(app) -> None:
             return jsonify({"error": "server not configured"}), 503
 
         ip = request.remote_addr or "unknown"
-        if not rate_limit_allow(ip):
+        if not rate_limit_allow(
+            ip,
+            key="access_request_status",
+            limit=settings.ACCESS_REQUEST_STATUS_RATE_LIMIT,
+            window_sec=settings.ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC,
+        ):
             return jsonify({"error": "rate limited"}), 429
 
         payload = request.get_json(silent=True) or {}
@@ -119,11 +129,19 @@ def register(app) -> None:
         try:
             with connect() as conn:
                 row = conn.execute(
-                    "SELECT status FROM access_requests WHERE request_code = %s",
+                    "SELECT status, username FROM access_requests WHERE request_code = %s",
                     (code,),
                 ).fetchone()
                 if not row:
                     return jsonify({"error": "not found"}), 404
-                return jsonify({"ok": True, "status": row["status"] or "unknown"})
+                status = row["status"] or "unknown"
+                response: dict[str, Any] = {
+                    "ok": True,
+                    "status": status,
+                    "username": row.get("username") or "",
+                }
+                if status == "approved":
+                    response["onboarding_url"] = f"/onboarding?code={code}"
+                return jsonify(response)
         except Exception:
             return jsonify({"error": "failed to load status"}), 502
diff --git a/backend/atlas_portal/routes/account.py b/backend/atlas_portal/routes/account.py
index c26854e..0bb514a 100644
--- a/backend/atlas_portal/routes/account.py
+++ b/backend/atlas_portal/routes/account.py
@@ -19,7 +19,26 @@ def register(app) -> None:
             return resp
 
         username = g.keycloak_username
-        mailu_username = f"{username}@{settings.MAILU_DOMAIN}" if username else ""
+        mailu_username = ""
+        if g.keycloak_email and g.keycloak_email.lower().endswith(f"@{settings.MAILU_DOMAIN.lower()}"):
+            mailu_username = g.keycloak_email
+        elif username:
+            mailu_username = f"{username}@{settings.MAILU_DOMAIN}"
+
+        mailu_app_password = ""
+        if admin_client().ready() and username:
+            try:
+                user = admin_client().find_user(username)
+                user_id = (user or {}).get("id") or ""
+                if user_id:
+                    full = admin_client().get_user(str(user_id))
+                    attrs = full.get("attributes") or {}
+                    if isinstance(attrs, dict):
+                        values = attrs.get("mailu_app_password") or []
+                        if isinstance(values, list) and values:
+                            mailu_app_password = str(values[0])
+            except Exception:
+                mailu_app_password = ""
 
         mailu_status = "ready"
         jellyfin_status = "ready"
@@ -31,7 +50,7 @@ def register(app) -> None:
         return jsonify(
             {
                 "user": {"username": username, "email": g.keycloak_email, "groups": g.keycloak_groups},
-                "mailu": {"status": mailu_status, "username": mailu_username},
+                "mailu": {"status": mailu_status, "username": mailu_username, "app_password": mailu_app_password},
                 "jellyfin": {"status": jellyfin_status, "username": username},
             }
         )
@@ -79,4 +98,3 @@ def register(app) -> None:
 
         best_effort_post(settings.JELLYFIN_SYNC_URL)
         return jsonify({"password": password})
-
diff --git a/backend/atlas_portal/settings.py b/backend/atlas_portal/settings.py
index 7751773..8105bde 100644
--- a/backend/atlas_portal/settings.py
+++ b/backend/atlas_portal/settings.py
@@ -61,6 +61,14 @@ PORTAL_ADMIN_GROUPS = [g.strip() for g in os.getenv("PORTAL_ADMIN_GROUPS", "admi
 ACCESS_REQUEST_ENABLED = _env_bool("ACCESS_REQUEST_ENABLED", "true")
 ACCESS_REQUEST_RATE_LIMIT = int(os.getenv("ACCESS_REQUEST_RATE_LIMIT", "5"))
 ACCESS_REQUEST_RATE_WINDOW_SEC = int(os.getenv("ACCESS_REQUEST_RATE_WINDOW_SEC", str(60 * 60)))
+ACCESS_REQUEST_SUBMIT_RATE_LIMIT = int(
+    os.getenv("ACCESS_REQUEST_SUBMIT_RATE_LIMIT", str(ACCESS_REQUEST_RATE_LIMIT))
+)
+ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC = int(
+    os.getenv("ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC", str(ACCESS_REQUEST_RATE_WINDOW_SEC))
+)
+ACCESS_REQUEST_STATUS_RATE_LIMIT = int(os.getenv("ACCESS_REQUEST_STATUS_RATE_LIMIT", "60"))
+ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC = int(os.getenv("ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC", "60"))
 
 MAILU_DOMAIN = os.getenv("MAILU_DOMAIN", "bstein.dev")
 MAILU_SYNC_URL = os.getenv(
diff --git a/frontend/src/router.js b/frontend/src/router.js
index 039941b..6e0605f 100644
--- a/frontend/src/router.js
+++ b/frontend/src/router.js
@@ -7,6 +7,7 @@ import MoneroView from "./views/MoneroView.vue";
 import AppsView from "./views/AppsView.vue";
 import AccountView from "./views/AccountView.vue";
 import RequestAccessView from "./views/RequestAccessView.vue";
+import OnboardingView from "./views/OnboardingView.vue";
 
 export default createRouter({
   history: createWebHistory(),
@@ -20,5 +21,6 @@ export default createRouter({
     { path: "/apps", name: "apps", component: AppsView },
     { path: "/account", name: "account", component: AccountView },
     { path: "/request-access", name: "request-access", component: RequestAccessView },
+    { path: "/onboarding", name: "onboarding", component: OnboardingView },
   ],
 });
diff --git a/frontend/src/views/AccountView.vue b/frontend/src/views/AccountView.vue
index 0d62ee4..e568a79 100644
--- a/frontend/src/views/AccountView.vue
+++ b/frontend/src/views/AccountView.vue
@@ -46,6 +46,22 @@
           </button>
         </div>
 
+        <div v-if="mailu.currentPassword" class="secret-box">
+          <div class="secret-head">
+            <div class="pill mono">Current password</div>
+            <div class="secret-actions">
+              <button class="copy mono" type="button" @click="copy(mailu.currentPassword)">copy</button>
+              <button class="copy mono" type="button" @click="mailu.revealPassword = !mailu.revealPassword">
+                {{ mailu.revealPassword ? "hide" : "show" }}
+              </button>
+            </div>
+          </div>
+          <div class="mono secret">{{ mailu.revealPassword ? mailu.currentPassword : "••••••••••••••••" }}</div>
+          <div class="hint mono">Use this in your mail client (IMAP/SMTP).</div>
+        </div>
+
+        <div v-else class="hint mono">No app password set yet. Rotate to generate one.</div>
+
         <div v-if="mailu.newPassword" class="secret-box">
           <div class="secret-head">
             <div class="pill mono pill-warn">Show once</div>
@@ -153,6 +169,8 @@ const mailu = reactive({
   imap: "mail.bstein.dev:993 (TLS)",
   smtp: "mail.bstein.dev:587 (STARTTLS)",
   username: "",
+  currentPassword: "",
+  revealPassword: false,
   rotating: false,
   newPassword: "",
   error: "",
@@ -194,6 +212,7 @@ async function refreshOverview() {
     const data = await resp.json();
     mailu.status = data.mailu?.status || "ready";
     mailu.username = data.mailu?.username || auth.username;
+    mailu.currentPassword = data.mailu?.app_password || "";
     jellyfin.status = data.jellyfin?.status || "ready";
     jellyfin.username = data.jellyfin?.username || auth.username;
   } catch (err) {
@@ -236,6 +255,8 @@ async function rotateMailu() {
     const data = await resp.json().catch(() => ({}));
     if (!resp.ok) throw new Error(data.error || `status ${resp.status}`);
     mailu.newPassword = data.password || "";
+    mailu.currentPassword = mailu.newPassword;
+    mailu.revealPassword = true;
     mailu.status = "updated";
   } catch (err) {
     mailu.error = err.message || "Rotation failed";
@@ -428,6 +449,12 @@ button.primary {
   margin-bottom: 8px;
 }
 
+.secret-actions {
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+}
+
 .secret {
   word-break: break-word;
   color: var(--text-strong);
diff --git a/frontend/src/views/HomeView.vue b/frontend/src/views/HomeView.vue
index 39e6fb7..1ed32ca 100644
--- a/frontend/src/views/HomeView.vue
+++ b/frontend/src/views/HomeView.vue
@@ -28,7 +28,7 @@
               <span class="pill mono">k3s cluster</span>
             </div>
             <iframe
-              src="https://metrics.bstein.dev/d-solo/atlas-overview/atlas-overview?from=now-24h&to=now&refresh=1m&orgId=1&theme=dark&panelId=27&__feature.dashboardSceneSolo"
+              src="https://metrics.bstein.dev/d-solo/atlas-overview/atlas-overview?from=now-24h&to=now&refresh=1m&theme=dark&panelId=27&__feature.dashboardSceneSolo"
               width="100%"
               height="180"
               frameborder="0"
diff --git a/frontend/src/views/OnboardingView.vue b/frontend/src/views/OnboardingView.vue
new file mode 100644
index 0000000..4d6dad2
--- /dev/null
+++ b/frontend/src/views/OnboardingView.vue
@@ -0,0 +1,180 @@
+<template>
+  <div class="page">
+    <section class="card hero glass">
+      <div>
+        <p class="eyebrow">Atlas</p>
+        <h1>Onboarding</h1>
+        <p class="lede">Use your request code to view status and next steps.</p>
+      </div>
+    </section>
+
+    <section class="card module">
+      <div class="module-head">
+        <h2>Request Code</h2>
+        <span class="pill mono" :class="status ? 'pill-ok' : 'pill-warn'">
+          {{ status || "unknown" }}
+        </span>
+      </div>
+
+      <div class="status-form">
+        <input v-model="requestCode" class="input mono" type="text" placeholder="username~XXXXXXXXXX" :disabled="loading" />
+        <button class="primary" type="button" @click="check" :disabled="loading || !requestCode.trim()">
+          {{ loading ? "Checking..." : "Check" }}
+        </button>
+      </div>
+
+      <div v-if="status === 'approved'" class="steps">
+        <h3>Next steps</h3>
+        <ol>
+          <li>Log in at <a href="https://cloud.bstein.dev" target="_blank" rel="noreferrer">cloud.bstein.dev</a>.</li>
+          <li>Use your Keycloak username/password to access services.</li>
+          <li>If something doesn't work, contact the Atlas admin.</li>
+        </ol>
+      </div>
+
+      <div v-if="status === 'denied'" class="steps">
+        <h3>Denied</h3>
+        <p class="muted">This request was denied. Contact the Atlas admin if you think this is a mistake.</p>
+      </div>
+
+      <div v-if="error" class="error-box">
+        <div class="mono">{{ error }}</div>
+      </div>
+    </section>
+  </div>
+</template>
+
+<script setup>
+import { onMounted, ref } from "vue";
+import { useRoute } from "vue-router";
+
+const route = useRoute();
+
+const requestCode = ref("");
+const status = ref("");
+const loading = ref(false);
+const error = ref("");
+
+async function check() {
+  if (loading.value) return;
+  error.value = "";
+  loading.value = true;
+  try {
+    const resp = await fetch("/api/access/request/status", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ request_code: requestCode.value.trim() }),
+    });
+    const data = await resp.json().catch(() => ({}));
+    if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
+    status.value = data.status || "unknown";
+  } catch (err) {
+    error.value = err.message || "Failed to check status";
+  } finally {
+    loading.value = false;
+  }
+}
+
+onMounted(async () => {
+  const code = route.query.code || route.query.request_code || "";
+  if (typeof code === "string" && code.trim()) {
+    requestCode.value = code.trim();
+    await check();
+  }
+});
+</script>
+
+<style scoped>
+.page {
+  max-width: 960px;
+  margin: 0 auto;
+  padding: 32px 22px 72px;
+}
+
+.hero {
+  margin-bottom: 12px;
+  padding: 18px;
+}
+
+.eyebrow {
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  color: var(--text-muted);
+  margin: 0 0 6px;
+  font-size: 13px;
+}
+
+h1 {
+  margin: 0 0 6px;
+  font-size: 32px;
+}
+
+.lede {
+  margin: 0;
+  color: var(--text-muted);
+  max-width: 640px;
+}
+
+.module {
+  padding: 18px;
+}
+
+.module-head {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 18px;
+}
+
+.status-form {
+  display: flex;
+  gap: 10px;
+  margin-top: 12px;
+}
+
+.input {
+  flex: 1;
+  padding: 10px 12px;
+  border-radius: 10px;
+  border: 1px solid rgba(255, 255, 255, 0.14);
+  background: rgba(0, 0, 0, 0.25);
+  color: var(--text-primary);
+}
+
+button.primary {
+  background: linear-gradient(90deg, #4f8bff, #7dd0ff);
+  color: #0b1222;
+  padding: 10px 14px;
+  border: none;
+  border-radius: 10px;
+  cursor: pointer;
+  font-weight: 700;
+}
+
+.steps {
+  margin-top: 16px;
+}
+
+.steps h3 {
+  margin: 0 0 8px;
+}
+
+.steps ol {
+  margin: 0;
+  padding-left: 18px;
+  color: var(--text-muted);
+}
+
+.muted {
+  color: var(--text-muted);
+}
+
+.error-box {
+  margin-top: 12px;
+  border-radius: 12px;
+  border: 1px solid rgba(255, 87, 87, 0.5);
+  background: rgba(255, 87, 87, 0.06);
+  padding: 10px 12px;
+}
+</style>
+
diff --git a/frontend/src/views/RequestAccessView.vue b/frontend/src/views/RequestAccessView.vue
index 0d36239..e22513b 100644
--- a/frontend/src/views/RequestAccessView.vue
+++ b/frontend/src/views/RequestAccessView.vue
@@ -105,6 +105,10 @@
             {{ checking ? "Checking..." : "Check" }}
           </button>
         </div>
+
+        <div v-if="status === 'approved' && onboardingUrl" class="actions" style="margin-top: 12px;">
+          <a class="primary" :href="onboardingUrl">Continue onboarding</a>
+        </div>
       </div>
 
       <div v-if="error" class="error-box">
@@ -134,6 +138,7 @@ const statusForm = reactive({
 });
 const checking = ref(false);
 const status = ref("");
+const onboardingUrl = ref("");
 
 async function submit() {
   if (submitting.value) return;
@@ -186,6 +191,7 @@ async function checkStatus() {
     const data = await resp.json().catch(() => ({}));
     if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
     status.value = data.status || "unknown";
+    onboardingUrl.value = data.onboarding_url || "";
   } catch (err) {
     error.value = err.message || "Failed to check status";
   } finally {