diff --git a/README.md b/README.md
index 41d852b..7c31a0b 100755
--- a/README.md
+++ b/README.md
@@ -872,12 +872,33 @@ token survives restarts. In dev, `docker-compose.override.yml` bind-mounts `./.m
 
 #### Headless / one-time bootstrap
 
-The OAuth redirect targets `localhost:3334`. Either authorize via the wizard link with port
-`3334` mapped (the default), **or** run the flow once on the host to pre-populate the cache,
-then start the proxy with the same dir mounted:
+The OAuth redirect targets `localhost:3334`, so that port must be reachable from the
+machine running your browser (the default `docker-compose.yml` maps it). The **first**
+grant always needs a human in a browser once — there's no static key — but mcpproxy
+automates everything around it so you rarely touch a host shell:
+
+**1. Automatic refresh on restart.** On startup the proxy *warms* every `mcp-remote`
+bridge it finds in your configs: with a valid cache the token refreshes silently before
+the first tool call; if re-authorization is needed, the authorization URL is logged and
+surfaced as a banner in the UI. Disable with `MCPPROXY_WARM_REMOTE=0`.
+
+**2. Bootstrap from the browser (no host shell / `docker exec`).** The UI has a built-in
+terminal. In **+ New Provider → Remote MCP Server**, click **🖥 Bootstrap / Authorize in
+terminal** to run `npx -y mcp-remote <url>` live, watch its output, click the auth link,
+and complete the flow — the token cache is written under `MCP_REMOTE_CONFIG_DIR`. An
+existing provider whose refresh token has lapsed shows a **🔐 Re-authorize** button in its
+editor that does the same. The terminal is gated by `MCPPROXY_WEB_TERMINAL` (default on);
+set it to `0` to disable. *(It's a real shell in the container — keep the UI on a trusted
+network, as you already must for the secrets editor and command introspection.)*
+
+**3. Pre-populate on the host.** If you'd rather warm the cache before the container ever
+starts, run the flow once on the host (deriving URLs from your configs) and start the proxy
+with the same dir mounted:
 
 ```bash
-MCP_REMOTE_CONFIG_DIR=./.mcp-auth npx -y mcp-remote https://mcp.asana.com/v2/mcp
+./run_local.sh --bootstrap-auth                       # every configured mcp-remote provider
+./run_local.sh --bootstrap-auth https://mcp.asana.com/v2/mcp   # or an explicit URL
+# equivalently: MCP_REMOTE_CONFIG_DIR=./.mcp-auth python3 bootstrap_auth.py
 # authorize in the browser, then `docker compose up` — tools work with no further prompts
 ```
 
diff --git a/bootstrap_auth.py b/bootstrap_auth.py
new file mode 100644
index 0000000..959e6f6
--- /dev/null
+++ b/bootstrap_auth.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+"""
+bootstrap_auth.py — Pre-populate the mcp-remote OAuth token cache on the host.
+
+Remote, OAuth-protected MCP servers are bridged with ``npx -y mcp-remote <url>``
+and cache their tokens under ``MCP_REMOTE_CONFIG_DIR``.  The very first OAuth
+grant needs a human in a browser once; afterwards mcp-remote refreshes silently.
+
+This script reads the configured providers, finds every ``package.command`` that
+runs ``mcp-remote``, and runs each one with stdin/stdout attached so you can
+complete the browser flow.  The resulting token cache is written to
+``MCP_REMOTE_CONFIG_DIR`` (default ``./.mcp-auth``, matching the dev
+docker-compose bind mount) so a subsequent ``docker compose up`` starts with the
+cache already warm — no interactive prompts in the container.
+
+Usage:
+    python3 bootstrap_auth.py                 # bootstrap every remote provider
+    python3 bootstrap_auth.py <url> [<url>…]  # bootstrap explicit URL(s)
+
+Environment:
+    MCP_TOOL_CONFIG_DIR   where provider YAMLs live (default ./tools, then /app/tools)
+    MCP_REMOTE_CONFIG_DIR where mcp-remote caches tokens (default ./.mcp-auth)
+"""
+
+import os
+import shlex
+import subprocess
+import sys
+from pathlib import Path
+
+import yaml
+
+
+def _config_dir() -> Path:
+    env = os.environ.get("MCP_TOOL_CONFIG_DIR")
+    if env:
+        return Path(env)
+    if Path("tools").is_dir():
+        return Path("tools")
+    return Path("/app/tools")
+
+
+def extract_remote_commands(specs: list[dict]) -> list[str]:
+    """Return every package command that bridges a remote server via mcp-remote."""
+    commands: list[str] = []
+    for spec in specs:
+        pkg = spec.get("package") or {}
+        command = (pkg.get("command") or "").strip()
+        if command and "mcp-remote" in command and command not in commands:
+            commands.append(command)
+    return commands
+
+
+def command_url(command: str) -> str | None:
+    """Best-effort: pull the first http(s) URL out of an mcp-remote command."""
+    for token in shlex.split(command):
+        if token.startswith("http://") or token.startswith("https://"):
+            return token
+    return None
+
+
+def load_specs(config_dir: Path) -> list[dict]:
+    specs: list[dict] = []
+    for path in sorted(config_dir.glob("*.yaml")):
+        try:
+            specs.append(yaml.safe_load(path.read_text(encoding="utf-8")) or {})
+        except Exception as exc:  # noqa: BLE001
+            print(f"  ! skipping {path.name}: {exc}")
+    return specs
+
+
+def run_bootstrap(commands: list[str], cache_dir: Path) -> None:
+    cache_dir.mkdir(parents=True, exist_ok=True)
+    env = os.environ.copy()
+    env["MCP_REMOTE_CONFIG_DIR"] = str(cache_dir)
+    print(f"→ token cache: {cache_dir}\n")
+    for command in commands:
+        url = command_url(command) or command
+        print(f"=== Authorizing {url} ===")
+        print(f"    running: {command}")
+        print("    Complete the browser flow, then press Ctrl-C to continue.\n")
+        try:
+            subprocess.run(shlex.split(command), env=env, check=False)
+        except KeyboardInterrupt:
+            print("\n    (moving on)\n")
+    print("✓ Done. Start the proxy with the same MCP_REMOTE_CONFIG_DIR mounted.")
+
+
+def main(argv: list[str]) -> int:
+    if argv:
+        commands = [f"npx -y mcp-remote {url}" for url in argv]
+    else:
+        config_dir = _config_dir()
+        if not config_dir.is_dir():
+            print(f"✗ config dir not found: {config_dir} (set MCP_TOOL_CONFIG_DIR)")
+            return 1
+        commands = extract_remote_commands(load_specs(config_dir))
+        if not commands:
+            print(f"No mcp-remote providers found in {config_dir}. "
+                  "Pass server URL(s) explicitly to bootstrap them anyway.")
+            return 0
+
+    cache_dir = Path(os.environ.get("MCP_REMOTE_CONFIG_DIR", "./.mcp-auth"))
+    run_bootstrap(commands, cache_dir)
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main(sys.argv[1:]))
diff --git a/frontend/app.py b/frontend/app.py
index ede1226..3ce3e8f 100644
--- a/frontend/app.py
+++ b/frontend/app.py
@@ -15,17 +15,24 @@
 GET  /api/env                   — list .env vars (values masked)
 POST /api/env                   — upsert vars into .env  {vars: {KEY: VALUE}}
 POST /api/restart               — send SIGTERM to restart server
+GET  /api/config                — UI feature flags (e.g. web_terminal)
+WS   /ws/terminal               — interactive PTY terminal (optional ?cmd=…)
 """
 
 import ast
 import asyncio
+import fcntl
 import json
 import os
+import pty
 import re
 import shlex
+import shutil
 import signal
+import struct
 import subprocess
 import sys
+import termios
 import textwrap
 import threading
 import traceback
@@ -33,12 +40,29 @@
 from typing import Any
 
 import yaml
-from fastapi import FastAPI, HTTPException, Request
+from fastapi import FastAPI, HTTPException, Request, WebSocket, WebSocketDisconnect
 from fastapi.responses import HTMLResponse, JSONResponse, StreamingResponse
 
 from config import CONFIG_DIR, ENV_FILE, REPOS_DIR
 
 
+# ---------------------------------------------------------------------------
+# Web terminal feature gate
+# ---------------------------------------------------------------------------
+#
+# The /ws/terminal endpoint streams a real PTY to the browser so the mcp-remote
+# OAuth bootstrap (and any other command) can be driven from the UI without a
+# host shell or `docker exec`.  This is arbitrary command execution over HTTP —
+# consistent with what the proxy already does (introspect spawns arbitrary
+# commands; code providers exec() Python) and intended for a trusted,
+# single-user/local admin UI.  It can be switched off with MCPPROXY_WEB_TERMINAL=0.
+
+def _web_terminal_enabled() -> bool:
+    return os.environ.get("MCPPROXY_WEB_TERMINAL", "1").strip().lower() not in (
+        "0", "false", "no", "off", ""
+    )
+
+
 # ---------------------------------------------------------------------------
 # .env helpers
 # ---------------------------------------------------------------------------
@@ -831,6 +855,108 @@ def _send():
         threading.Thread(target=_send, daemon=True).start()
         return {"ok": True}
 
+    # ── Client config (feature flags) ──────────────────────────────────────────
+
+    @app.get("/api/config")
+    async def client_config() -> dict:
+        """Expose UI feature flags so the front end can hide disabled features."""
+        return {"ok": True, "web_terminal": _web_terminal_enabled()}
+
+    # ── Interactive web terminal (PTY over WebSocket) ──────────────────────────
+
+    @app.websocket("/ws/terminal")
+    async def terminal_ws(ws: WebSocket) -> None:
+        """Bridge a browser xterm.js session to a PTY-backed subprocess.
+
+        With an optional ``?cmd=`` query the given command is run (used by the
+        wizard / Re-authorize buttons to launch ``npx -y mcp-remote <url>`` so
+        the OAuth bootstrap can be completed entirely from the browser); with no
+        ``cmd`` an interactive login shell is started.  The subprocess inherits
+        the proxy's environment, so MCP_REMOTE_CONFIG_DIR (set by compose) points
+        the token cache at the persisted volume automatically.
+        """
+        await ws.accept()
+        if not _web_terminal_enabled():
+            await ws.send_text("\r\n[web terminal disabled — set MCPPROXY_WEB_TERMINAL=1 to enable]\r\n")
+            await ws.close(code=1008)
+            return
+
+        cmd = (ws.query_params.get("cmd") or "").strip()
+        shell = shutil.which("bash") or shutil.which("sh") or "/bin/sh"
+        argv = [shell, "-lc", cmd] if cmd else [shell, "-il"]
+
+        pid, master_fd = pty.fork()
+        if pid == 0:
+            # Child: exec the shell/command with the PTY as its controlling tty.
+            try:
+                os.execvpe(argv[0], argv, os.environ.copy())
+            except Exception:
+                os._exit(127)
+
+        loop = asyncio.get_running_loop()
+
+        def _set_winsize(rows: int, cols: int) -> None:
+            try:
+                fcntl.ioctl(master_fd, termios.TIOCSWINSZ,
+                            struct.pack("HHHH", max(rows, 1), max(cols, 1), 0, 0))
+            except OSError:
+                pass
+
+        async def pty_to_ws() -> None:
+            while True:
+                try:
+                    data = await loop.run_in_executor(None, os.read, master_fd, 65536)
+                except OSError:
+                    data = b""  # PTY closed (child exited) → EIO on Linux
+                if not data:
+                    break
+                await ws.send_bytes(data)
+
+        async def ws_to_pty() -> None:
+            while True:
+                msg = await ws.receive()
+                if msg.get("type") == "websocket.disconnect":
+                    break
+                text = msg.get("text")
+                if text is not None:
+                    try:
+                        ctrl = json.loads(text)
+                    except (ValueError, TypeError):
+                        ctrl = None
+                    if isinstance(ctrl, dict) and "resize" in ctrl:
+                        cols, rows = ctrl["resize"]
+                        _set_winsize(int(rows), int(cols))
+                        continue
+                    if isinstance(ctrl, dict) and "input" in ctrl:
+                        os.write(master_fd, str(ctrl["input"]).encode())
+                        continue
+                    os.write(master_fd, text.encode())
+                elif msg.get("bytes") is not None:
+                    os.write(master_fd, msg["bytes"])
+
+        reader = asyncio.ensure_future(pty_to_ws())
+        writer = asyncio.ensure_future(ws_to_pty())
+        try:
+            await asyncio.wait({reader, writer}, return_when=asyncio.FIRST_COMPLETED)
+        except WebSocketDisconnect:
+            pass
+        finally:
+            for task in (reader, writer):
+                task.cancel()
+            try:
+                os.kill(pid, signal.SIGKILL)
+                os.waitpid(pid, 0)
+            except OSError:
+                pass
+            try:
+                os.close(master_fd)
+            except OSError:
+                pass
+            try:
+                await ws.close()
+            except RuntimeError:
+                pass
+
     # ── HTML UI ───────────────────────────────────────────────────────────────
 
     @app.get("/", response_class=HTMLResponse)
@@ -853,6 +979,7 @@ async def index():
 <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
 <link href="https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.16/codemirror.min.css" rel="stylesheet">
 <link href="https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.16/theme/dracula.min.css" rel="stylesheet">
+<link href="https://cdn.jsdelivr.net/npm/xterm@5.3.0/css/xterm.min.css" rel="stylesheet">
 <style>
 :root{--bg:#1e1e2e;--surface:#181825;--border:#313244;--muted:#a6adc8;--accent:#89b4fa;--green:#a6e3a1;--red:#f38ba8;--yellow:#f9e2af;--teal:#94e2d5}
 *{box-sizing:border-box}
@@ -937,10 +1064,18 @@ async def index():
   <span class="navbar-brand">⚡ mcpproxy</span>
   <div class="d-flex gap-2 ms-3">
     <button class="btn btn-sm btn-success" onclick="openWizard()">+ New Provider</button>
+    <button class="btn btn-sm btn-outline-light" id="terminal-btn" style="display:none"
+      onclick="openTerminal()" title="Open an interactive shell in the server container">🖥 Terminal</button>
   </div>
   <span class="ms-auto text-muted" style="font-size:.75em">MCP :8888 &nbsp;|&nbsp; UI :8889</span>
 </nav>
 
+<!-- Pending OAuth authorization banner (surfaced by the startup warm-up) -->
+<div id="auth-banner" class="restart-bar" style="display:none;background:#2a2518;border-color:#f9e2af60;border-radius:0;margin:0">
+  <span style="color:var(--yellow)">🔐</span>
+  <span id="auth-banner-msg" style="color:#cdd6f4;font-size:.875em"></span>
+</div>
+
 <!-- Toast -->
 <div class="toast-container position-fixed top-0 end-0 p-3" style="z-index:9999">
   <div id="toast" class="toast text-white border-0" role="alert">
@@ -1011,7 +1146,12 @@ async def index():
 
         <!-- Package command box -->
         <div class="section-box" id="package-box" style="display:none">
-          <div class="section-title">📦 Package Command</div>
+          <div class="section-title">
+            📦 Package Command
+            <button class="btn btn-sm btn-outline-warning py-0" id="reauth-btn" style="display:none"
+              onclick="reauthorizeProvider()"
+              title="Re-run the mcp-remote OAuth flow in a terminal to refresh a lapsed token">🔐 Re-authorize</button>
+          </div>
           <input id="f-command" class="form-control font-monospace"
             placeholder="npx @playwright/mcp@latest --isolated  ·  uvx mcp-server-fetch  ·  python -m mcp_server_github  ·  mcp-server-github"
             style="font-size:.875em"
@@ -1194,6 +1334,11 @@ async def index():
             <div class="text-muted mt-1" style="font-size:.8em">The remote MCP server endpoint. mcpproxy bridges it with <code>npx -y mcp-remote &lt;url&gt;</code> — transport is auto-detected.</div>
           </div>
           <div class="text-muted" style="font-size:.8em">When you click <b>Next</b> the server is introspected automatically; its tools become the dropdown options in the editor. If the server is OAuth-protected, a clickable <b>🔐 Authorize</b> link appears — complete the browser flow and introspection continues. The token is cached and refreshed automatically afterwards.</div>
+          <div class="mt-2" id="wz-remote-bootstrap-wrap" style="display:none">
+            <button class="btn btn-sm btn-outline-warning py-0" onclick="wzBootstrapRemote()"
+              title="Run npx -y mcp-remote <url> in a terminal and complete the OAuth flow before introspecting">🖥 Bootstrap / Authorize in terminal</button>
+            <span class="text-muted ms-2" style="font-size:.8em">Headless option: watch the live <code>mcp-remote</code> output, click the auth link, and pre-populate the token cache.</span>
+          </div>
           <div id="wz-remote-result" class="mt-2"></div>
         </div>
 
@@ -1304,9 +1449,32 @@ async def index():
   </div>
 </div>
 
+<!-- Terminal modal -->
+<div class="modal fade" id="terminal-modal" tabindex="-1">
+  <div class="modal-dialog modal-xl modal-dialog-scrollable">
+    <div class="modal-content">
+      <div class="modal-header">
+        <h5 class="modal-title">🖥 <span id="terminal-title">Terminal</span></h5>
+        <button type="button" class="btn-close btn-close-white" data-bs-dismiss="modal"></button>
+      </div>
+      <div class="modal-body">
+        <div id="terminal-host" style="height:60vh;background:#000;border:1px solid var(--border);border-radius:6px;padding:6px"></div>
+        <div class="text-muted mt-2" style="font-size:.8em">
+          A live shell inside the server container. For an OAuth bootstrap, watch for the
+          <code>authorization required … visit:</code> line, open it, and complete the browser
+          flow — the token cache is written under <code>MCP_REMOTE_CONFIG_DIR</code>. Press
+          <code>Ctrl-C</code> to stop a running command.
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+
 <script src="https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.16/codemirror.min.js"></script>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.16/mode/python/python.min.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/xterm@5.3.0/lib/xterm.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/xterm-addon-fit@0.8.0/lib/xterm-addon-fit.min.js"></script>
 <script>
 // ─────────────────────────────────────────────────────────────────────────────
 // State
@@ -1314,7 +1482,9 @@ async def index():
 let currentName = null;
 let currentProvider = null;   // the structured JSON object being edited
 let codeEditor = null;        // CodeMirror instance for the code block
-let secretsModal = null, wizModal = null;
+let secretsModal = null, wizModal = null, termModal = null;
+let webTerminalEnabled = false;
+let term = null, termFit = null, termSock = null;  // xterm.js terminal state
 let wzType = null;            // 'code' | 'package' | 'repository' | 'remote'
 let wzStep = 'type';
 let wzIntrospectedTools = []; // tools returned by introspect
@@ -1346,14 +1516,47 @@ async def index():
   });
   secretsModal = new bootstrap.Modal('#secrets-modal');
   wizModal     = new bootstrap.Modal('#wizard-modal');
+  termModal    = new bootstrap.Modal('#terminal-modal');
+  document.getElementById('terminal-modal').addEventListener('hidden.bs.modal', closeTerminal);
   // Wizard: live function detection as the user types into the code textarea
   document.getElementById('wz-code-input').addEventListener('input', () => {
     clearTimeout(_wzAnalyzeDebounce);
     _wzAnalyzeDebounce = setTimeout(() => wzAnalyze().catch(() => {}), 300);
   });
+  loadConfig();
+  pollPendingAuth();
+  setInterval(pollPendingAuth, 5000);
   loadList();
 });
 
+// ─────────────────────────────────────────────────────────────────────────────
+// Client config + pending-auth banner
+// ─────────────────────────────────────────────────────────────────────────────
+async function loadConfig() {
+  try {
+    const c = await api('GET', '/api/config');
+    webTerminalEnabled = !!c.web_terminal;
+  } catch { webTerminalEnabled = false; }
+  document.getElementById('terminal-btn').style.display = webTerminalEnabled ? '' : 'none';
+}
+
+async function pollPendingAuth() {
+  let pending = {};
+  try {
+    const r = await api('GET', '/api/pending-auth');
+    pending = (r && r.pending) || {};
+  } catch { return; }
+  const cmds = Object.keys(pending);
+  const banner = document.getElementById('auth-banner');
+  if (!cmds.length) { banner.style.display = 'none'; return; }
+  const links = cmds.map(cmd =>
+    `<a href="${esc(pending[cmd])}" target="_blank" rel="noopener">authorize ${esc(cmd.replace(/^.*mcp-remote\s+/, '') || cmd)}</a>`
+  ).join(' · ');
+  document.getElementById('auth-banner-msg').innerHTML =
+    `Authorization required for ${cmds.length} remote provider(s): ${links} — complete the browser flow; the token refreshes automatically afterwards.`;
+  banner.style.display = '';
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // API
 // ─────────────────────────────────────────────────────────────────────────────
@@ -1572,6 +1775,9 @@ async def index():
 
   if (isPkg) {
     document.getElementById('f-command').value = p.command || '';
+    const isRemote = /\bmcp-remote\b/.test(p.command || '');
+    document.getElementById('reauth-btn').style.display =
+      (isRemote && webTerminalEnabled) ? '' : 'none';
   }
   if (isRepo) {
     document.getElementById('f-repo-url').value = p.repo_url || '';
@@ -2047,6 +2253,75 @@ async def index():
   catch(e) { toast('Signal sent', true); }
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// Interactive web terminal (xterm.js ↔ /ws/terminal PTY bridge)
+// ─────────────────────────────────────────────────────────────────────────────
+function openTerminal(cmd, title) {
+  if (!webTerminalEnabled) { toast('Web terminal is disabled (MCPPROXY_WEB_TERMINAL=0)', false); return; }
+  document.getElementById('terminal-title').textContent = title || 'Terminal';
+  termModal.show();
+  // Defer until the modal is laid out so fit() measures real dimensions.
+  setTimeout(() => startTerminal(cmd), 250);
+}
+
+function startTerminal(cmd) {
+  closeTerminal();
+  const host = document.getElementById('terminal-host');
+  host.innerHTML = '';
+  term = new Terminal({fontSize: 13, fontFamily: "'JetBrains Mono',Consolas,monospace",
+    theme: {background: '#000000'}, cursorBlink: true, convertEol: true});
+  termFit = new FitAddon.FitAddon();
+  term.loadAddon(termFit);
+  term.open(host);
+  try { termFit.fit(); } catch {}
+
+  const proto = location.protocol === 'https:' ? 'wss' : 'ws';
+  let url = `${proto}://${location.host}/ws/terminal`;
+  if (cmd) url += '?cmd=' + encodeURIComponent(cmd);
+  termSock = new WebSocket(url);
+  termSock.binaryType = 'arraybuffer';
+  const dec = new TextDecoder();
+  termSock.onopen = () => sendResize();
+  termSock.onmessage = ev => {
+    term.write(typeof ev.data === 'string' ? ev.data : dec.decode(new Uint8Array(ev.data)));
+  };
+  termSock.onclose = () => { if (term) term.write('\r\n\x1b[33m[session ended]\x1b[0m\r\n'); };
+  term.onData(d => { if (termSock && termSock.readyState === 1) termSock.send(JSON.stringify({input: d})); });
+  term.onResize(() => sendResize());
+  window.addEventListener('resize', _termResize);
+}
+
+function sendResize() {
+  if (!term || !termSock || termSock.readyState !== 1) return;
+  try { termFit.fit(); } catch {}
+  termSock.send(JSON.stringify({resize: [term.cols, term.rows]}));
+}
+function _termResize() { try { termFit && termFit.fit(); sendResize(); } catch {} }
+
+function closeTerminal() {
+  window.removeEventListener('resize', _termResize);
+  if (termSock) { try { termSock.close(); } catch {} termSock = null; }
+  if (term) { try { term.dispose(); } catch {} term = null; }
+  termFit = null;
+  pollPendingAuth();  // the bootstrap may have just cleared a pending auth
+}
+
+// Re-run the mcp-remote OAuth flow for the currently-open provider.
+function reauthorizeProvider() {
+  const cmd = (document.getElementById('f-command').value || '').trim();
+  if (!cmd) { toast('No command to re-authorize', false); return; }
+  openTerminal(cmd, `Re-authorize ${currentName || ''}`);
+}
+
+// Wizard: bootstrap the remote provider's token cache from a terminal.
+function wzBootstrapRemote() {
+  const url = (document.getElementById('wz-remote-url').value || '').trim();
+  if (!/^https?:\/\//i.test(url)) {
+    document.getElementById('wz-error').textContent = 'Enter a server URL first.'; return;
+  }
+  openTerminal('npx -y mcp-remote ' + url, 'Bootstrap ' + url);
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Secrets modal
 // ─────────────────────────────────────────────────────────────────────────────
@@ -2112,6 +2387,10 @@ async def index():
   document.getElementById('wz-back-btn').style.display = step === 'type' ? 'none' : '';
   document.getElementById('wz-next-btn').textContent = step === 'secrets' ? 'Finish' : 'Next →';
   document.getElementById('wz-error').textContent = '';
+  // The terminal-bootstrap shortcut only makes sense on the remote step when
+  // the web terminal feature is enabled.
+  const bootstrapWrap = document.getElementById('wz-remote-bootstrap-wrap');
+  if (bootstrapWrap) bootstrapWrap.style.display = (step === 'remote' && webTerminalEnabled) ? '' : 'none';
 }
 
 function openWizard() {
diff --git a/run_local.sh b/run_local.sh
index 2295cc7..707409e 100755
--- a/run_local.sh
+++ b/run_local.sh
@@ -31,6 +31,19 @@ ok()   { printf '✓  %s\n' "$*"; }
 
 python3 --version >/dev/null 2>&1 || die "python3 is required but was not found in PATH."
 
+# ─────────────────────────────────────────────────────────────────────────────
+# Optional: --bootstrap-auth — pre-populate the mcp-remote OAuth token cache on
+# the host, then exit.  Run this once before `docker compose up` so OAuth-bridge
+# providers (e.g. Asana) start with a warm cache and need no interactive prompts.
+# ─────────────────────────────────────────────────────────────────────────────
+if [[ "${1:-}" == "--bootstrap-auth" ]]; then
+  shift
+  export MCP_TOOL_CONFIG_DIR="${MCP_TOOL_CONFIG_DIR:-$TOOLS_CONFIG_DIR}"
+  export MCP_REMOTE_CONFIG_DIR="${MCP_REMOTE_CONFIG_DIR:-$ROOT_DIR/.mcp-auth}"
+  info "Bootstrapping mcp-remote OAuth token cache → $MCP_REMOTE_CONFIG_DIR"
+  exec python3 "$ROOT_DIR/bootstrap_auth.py" "$@"
+fi
+
 # ─────────────────────────────────────────────────────────────────────────────
 # Step 1 — Generate .env.example if it doesn't exist
 # ─────────────────────────────────────────────────────────────────────────────
diff --git a/server.py b/server.py
index 9919ea4..bcee447 100755
--- a/server.py
+++ b/server.py
@@ -640,6 +640,65 @@ def register_builtin_tools() -> None:
         traceback.print_exc()
 
 
+# ---------------------------------------------------------------------------
+# Remote OAuth-bridge warm-up
+# ---------------------------------------------------------------------------
+
+def _remote_bridge_commands() -> list[str]:
+    """Return every package command that bridges a remote server via mcp-remote.
+
+    These are the providers whose OAuth token cache benefits from being warmed
+    on startup so the access token refreshes silently (and any needed
+    re-authorization is surfaced) before the first tool call.
+    """
+    commands: list[str] = []
+    for spec in load_provider_specs(CONFIG_DIR):
+        command = _get_package_command(spec)
+        if command and "mcp-remote" in command:
+            commands.append(command)
+    return commands
+
+
+def _warm_remote_providers() -> None:
+    """Introspect each mcp-remote bridge once at startup.
+
+    A throwaway introspect spawns the bridge, which — with a valid cache —
+    refreshes the on-disk OAuth token silently (the real, lazily-created session
+    then picks it up on first call).  When re-authorization is required the
+    bridge prints an authorization URL that ``process_runner`` scrapes into
+    ``pending_auth_urls`` and logs, so the UI banner can surface it instead of
+    the user discovering it only on the first failed tool call.  Disable with
+    MCPPROXY_WARM_REMOTE=0.
+    """
+    commands = _remote_bridge_commands()
+    if not commands:
+        return
+    import asyncio
+
+    from process_runner import introspect
+
+    async def _warm_all() -> None:
+        for command in commands:
+            print(f"[mcpproxy] warming mcp-remote bridge: {command}")
+            try:
+                await introspect(command)
+                print(f"[mcpproxy] token cache ready for: {command}")
+            except Exception as exc:  # noqa: BLE001 — best-effort warm-up
+                print(f"[mcpproxy] warm-up for '{command}' did not complete: {exc}")
+
+    try:
+        asyncio.run(_warm_all())
+    except Exception as exc:  # noqa: BLE001
+        print(f"_warm_remote_providers error: {exc}")
+        traceback.print_exc()
+
+
+def _warm_remote_enabled() -> bool:
+    return os.environ.get("MCPPROXY_WARM_REMOTE", "1").strip().lower() not in (
+        "0", "false", "no", "off", ""
+    )
+
+
 # ---------------------------------------------------------------------------
 # Entry point
 # ---------------------------------------------------------------------------
@@ -659,6 +718,11 @@ def _run_ui() -> None:
         ui_thread = threading.Thread(target=_run_ui, daemon=True, name="ui-server")
         ui_thread.start()
         print(f"UI server starting on http://{UI_HOST}:{UI_PORT}")
+        if _warm_remote_enabled():
+            warm_thread = threading.Thread(
+                target=_warm_remote_providers, daemon=True, name="remote-warmup"
+            )
+            warm_thread.start()
         mcp.run(transport="streamable-http", host=MCP_HOST, port=MCP_PORT)
     except Exception as exc:
         print(f"main error: {exc}")
diff --git a/tests/test_bootstrap_auth.py b/tests/test_bootstrap_auth.py
new file mode 100644
index 0000000..101762a
--- /dev/null
+++ b/tests/test_bootstrap_auth.py
@@ -0,0 +1,69 @@
+"""Tests for the mcp-remote token-cache bootstrap automation.
+
+Covers the pure command-extraction helpers used by both the host bootstrap
+script (bootstrap_auth.py) and the server startup warm-up (server.py).
+"""
+import yaml
+
+import bootstrap_auth
+import server
+
+
+# ---------------------------------------------------------------------------
+# bootstrap_auth.extract_remote_commands / command_url
+# ---------------------------------------------------------------------------
+
+class TestExtractRemoteCommands:
+    def test_finds_mcp_remote_commands(self):
+        specs = [
+            {"package": {"command": "npx -y mcp-remote https://mcp.asana.com/v2/mcp"}},
+            {"package": {"command": "uvx mcp-server-fetch"}},   # not a bridge
+            {"code": "async def f(): ..."},                       # code provider
+        ]
+        assert bootstrap_auth.extract_remote_commands(specs) == [
+            "npx -y mcp-remote https://mcp.asana.com/v2/mcp"
+        ]
+
+    def test_deduplicates(self):
+        cmd = "npx -y mcp-remote https://x/mcp"
+        specs = [{"package": {"command": cmd}}, {"package": {"command": cmd}}]
+        assert bootstrap_auth.extract_remote_commands(specs) == [cmd]
+
+    def test_empty_when_no_packages(self):
+        assert bootstrap_auth.extract_remote_commands([{}, {"code": "x"}]) == []
+
+    def test_command_url_extracts_first_http_token(self):
+        assert (bootstrap_auth.command_url("npx -y mcp-remote https://mcp.asana.com/v2/mcp")
+                == "https://mcp.asana.com/v2/mcp")
+
+    def test_command_url_none_when_absent(self):
+        assert bootstrap_auth.command_url("npx -y mcp-remote") is None
+
+
+# ---------------------------------------------------------------------------
+# server warm-up helpers
+# ---------------------------------------------------------------------------
+
+class TestServerWarmup:
+    def test_remote_bridge_commands_reads_config_dir(self, tmp_path, monkeypatch):
+        (tmp_path / "asana.yaml").write_text(
+            yaml.safe_dump({"package": {"command": "npx -y mcp-remote https://mcp.asana.com/v2/mcp"}}),
+            encoding="utf-8",
+        )
+        (tmp_path / "fetch.yaml").write_text(
+            yaml.safe_dump({"package": {"command": "uvx mcp-server-fetch"}}),
+            encoding="utf-8",
+        )
+        monkeypatch.setattr(server, "CONFIG_DIR", tmp_path)
+        assert server._remote_bridge_commands() == [
+            "npx -y mcp-remote https://mcp.asana.com/v2/mcp"
+        ]
+
+    def test_warm_enabled_default(self, monkeypatch):
+        monkeypatch.delenv("MCPPROXY_WARM_REMOTE", raising=False)
+        assert server._warm_remote_enabled() is True
+
+    def test_warm_disabled(self, monkeypatch):
+        for val in ("0", "false", "no", "off", ""):
+            monkeypatch.setenv("MCPPROXY_WARM_REMOTE", val)
+            assert server._warm_remote_enabled() is False
diff --git a/tests/test_frontend.py b/tests/test_frontend.py
index d69fe04..24adf79 100644
--- a/tests/test_frontend.py
+++ b/tests/test_frontend.py
@@ -1109,3 +1109,34 @@ def test_returns_keys_for_existing_workdir(self, client, tmp_path):
     def test_missing_workdir_400(self, client):
         r = client.post("/api/scan-env-example", json={})
         assert r.status_code == 400
+
+
+class TestClientConfig:
+    def test_web_terminal_enabled_by_default(self, client, monkeypatch):
+        monkeypatch.delenv("MCPPROXY_WEB_TERMINAL", raising=False)
+        body = client.get("/api/config").json()
+        assert body["ok"] is True
+        assert body["web_terminal"] is True
+
+    def test_web_terminal_disabled(self, client, monkeypatch):
+        monkeypatch.setenv("MCPPROXY_WEB_TERMINAL", "0")
+        assert client.get("/api/config").json()["web_terminal"] is False
+
+
+class TestWebTerminal:
+    def test_runs_command_and_streams_output(self, client, monkeypatch):
+        monkeypatch.setenv("MCPPROXY_WEB_TERMINAL", "1")
+        chunks: list[bytes] = []
+        with client.websocket_connect("/ws/terminal?cmd=echo+marker_7788") as ws:
+            try:
+                for _ in range(50):
+                    chunks.append(ws.receive_bytes())
+            except Exception:
+                pass  # disconnect once the command exits and the PTY closes
+        assert b"marker_7788" in b"".join(chunks)
+
+    def test_disabled_gate_closes_with_message(self, client, monkeypatch):
+        monkeypatch.setenv("MCPPROXY_WEB_TERMINAL", "0")
+        with client.websocket_connect("/ws/terminal") as ws:
+            msg = ws.receive_text()
+        assert "disabled" in msg.lower()