diff --git a/config.demo/src/.env b/config.demo/src/.env
index 70630d2c..11181e48 100644
--- a/config.demo/src/.env
+++ b/config.demo/src/.env
@@ -1,200 +1,196 @@
 APP_NAME=Kolab
 APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
 APP_URL=https://{{ host }}
 APP_PASSPHRASE=simple123
 APP_PUBLIC_URL=https://{{ host }}
 APP_DOMAIN={{ host }}
 APP_WEBSITE_DOMAIN={{ host }}
 APP_THEME=default
 APP_TENANT_ID=5
 APP_LOCALE=en
 APP_LOCALES=
 
 APP_WITH_ADMIN=1
 APP_WITH_RESELLER=1
 APP_WITH_SERVICES=1
 APP_WITH_FILES=1
 
 APP_LDAP=1
 APP_IMAP=0
 
 APP_HEADER_CSP="connect-src 'self'; child-src 'self'; font-src 'self'; form-action 'self' data:; frame-ancestors 'self'; img-src blob: data: 'self' *; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; default-src 'self';"
 APP_HEADER_XFO=sameorigin
 
 SIGNUP_LIMIT_EMAIL=0
 SIGNUP_LIMIT_IP=0
 
 ASSET_URL=https://{{ host }}
 
 WEBMAIL_URL=/roundcubemail/
 SUPPORT_URL=/support
 SUPPORT_EMAIL=
 
 LOG_CHANNEL=stdout
 LOG_SLOW_REQUESTS=5
 LOG_DEPRECATIONS_CHANNEL=null
 LOG_LEVEL=debug
 
 DB_CONNECTION=mysql
 DB_DATABASE=kolabdev
 DB_HOST=mariadb
 DB_PASSWORD=kolab
 DB_ROOT_PASSWORD=Welcome2KolabSystems
 DB_PORT=3306
 DB_USERNAME=kolabdev
 
 BROADCAST_DRIVER=redis
 CACHE_DRIVER=redis
 
 QUEUE_CONNECTION=redis
 
 SESSION_DRIVER=file
 SESSION_LIFETIME=120
 
 OPENEXCHANGERATES_API_KEY="from openexchangerates.org"
 
 MFA_DSN=mysql://roundcube:kolab@mariadb/roundcube
 MFA_TOTP_DIGITS=6
 MFA_TOTP_INTERVAL=30
 MFA_TOTP_DIGEST=sha1
 
 IMAP_URI=ssl://kolab:11993
 IMAP_HOST=172.18.0.5
 IMAP_ADMIN_LOGIN=cyrus-admin
 IMAP_ADMIN_PASSWORD=Welcome2KolabSystems
 IMAP_VERIFY_HOST=false
 IMAP_VERIFY_PEER=false
 
 LDAP_BASE_DN="dc=mgmt,dc=com"
 LDAP_DOMAIN_BASE_DN="ou=Domains,dc=mgmt,dc=com"
 LDAP_HOSTS=kolab
 LDAP_PORT=389
 LDAP_SERVICE_BIND_DN="uid=kolab-service,ou=Special Users,dc=mgmt,dc=com"
 LDAP_SERVICE_BIND_PW="Welcome2KolabSystems"
 LDAP_USE_SSL=false
 LDAP_USE_TLS=false
 
 # Administrative
 LDAP_ADMIN_BIND_DN="cn=Directory Manager"
 LDAP_ADMIN_BIND_PW="Welcome2KolabSystems"
 LDAP_ADMIN_ROOT_DN="dc=mgmt,dc=com"
 
 # Hosted (public registration)
 LDAP_HOSTED_BIND_DN="uid=hosted-kolab-service,ou=Special Users,dc=mgmt,dc=com"
 LDAP_HOSTED_BIND_PW="Welcome2KolabSystems"
 LDAP_HOSTED_ROOT_DN="dc=hosted,dc=com"
 
 COTURN_PUBLIC_IP='{{ public_ip }}'
 COTURN_STATIC_SECRET="Welcome2KolabSystems"
 
 MEET_WEBHOOK_TOKEN=Welcome2KolabSystems
 MEET_SERVER_TOKEN=Welcome2KolabSystems
 MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/
 MEET_SERVER_VERIFY_TLS=false
 
 MEET_WEBRTC_LISTEN_IP='172.18.0.1'
 MEET_PUBLIC_DOMAIN={{ host }}
 MEET_TURN_SERVER='turn:172.18.0.1:3478'
 MEET_LISTENING_HOST=172.18.0.1
 
 
 PGP_ENABLE=true
 PGP_BINARY=/usr/bin/gpg
 PGP_AGENT=/usr/bin/gpg-agent
 PGP_GPGCONF=/usr/bin/gpgconf
 PGP_LENGTH=
 
 # Set these to IP addresses you serve WOAT with.
 # Have the domain owner point _woat.<hosted-domain> NS RRs refer to ns0{1,2}.<provider-domain>
 WOAT_NS1=ns01.domain.tld
 WOAT_NS2=ns02.domain.tld
 
 REDIS_HOST=redis
 REDIS_PASSWORD=null
 REDIS_PORT=6379
 
 OCTANE_HTTP_HOST=0.0.0.0
 SWOOLE_PACKAGE_MAX_LENGTH=10485760
 
 PAYMENT_PROVIDER=
 MOLLIE_KEY=
 STRIPE_KEY=
 STRIPE_PUBLIC_KEY=
 STRIPE_WEBHOOK_SECRET=
 
 MAIL_DRIVER=log
 MAIL_MAILER=smtp
 MAIL_HOST=smtp.mailtrap.io
 MAIL_PORT=2525
 MAIL_USERNAME=null
 MAIL_PASSWORD=null
 MAIL_ENCRYPTION=null
 MAIL_FROM_ADDRESS="noreply@example.com"
 MAIL_FROM_NAME="Example.com"
 MAIL_REPLYTO_ADDRESS="replyto@example.com"
 MAIL_REPLYTO_NAME=null
 
 DNS_TTL=3600
 DNS_SPF="v=spf1 mx -all"
 DNS_STATIC="%s.    MX  10 ext-mx01.mykolab.com."
 DNS_COPY_FROM=null
 
 AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 AWS_DEFAULT_REGION=us-east-1
 AWS_BUCKET=
 AWS_USE_PATH_STYLE_ENDPOINT=false
 
 PUSHER_APP_ID=
 PUSHER_APP_KEY=
 PUSHER_APP_SECRET=
 PUSHER_APP_CLUSTER=mt1
 
 MIX_ASSET_PATH='/'
 MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
 MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
 
 PASSWORD_POLICY=
 
 COMPANY_NAME=
 COMPANY_ADDRESS=
 COMPANY_DETAILS=
 COMPANY_EMAIL=
 COMPANY_LOGO=
 COMPANY_FOOTER=
 
 VAT_COUNTRIES=CH,LI
 VAT_RATE=7.7
 
 KB_ACCOUNT_DELETE=
 KB_ACCOUNT_SUSPENDED=
 KB_PAYMENT_SYSTEM=
 
 KOLAB_SSL_CERTIFICATE=/etc/pki/tls/certs/kolab.hosted.com.cert
 KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem
 KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key
 
 PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert
 PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key
 
 APP_KEY=base64:FG6ECzyAMSmyX+eYwO/FW3bwnarbKkBhqtO65vlMb1E=
 COTURN_STATIC_SECRET=uzYguvIl9tpZFMuQOE78DpOi6Jc7VFSD0UAnvgMsg5n4e74MgIf6vQvbc6LWzZjz
 
 MOLLIE_KEY="from mollie"
 STRIPE_KEY="from stripe"
 STRIPE_PUBLIC_KEY="from stripe"
 STRIPE_WEBHOOK_SECRET="from stripe"
 
 OX_API_KEY="from openexchange"
 FIREBASE_API_KEY="from firebase"
 
 #Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
 PASSPORT_PROXY_OAUTH_CLIENT_ID=942edef5-3dbd-4a14-8e3e-d5d59b727bee
 PASSPORT_PROXY_OAUTH_CLIENT_SECRET=L6L0n56ecvjjK0cJMjeeV1pPAeffUBO0YSSH63wf
 
-#Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
-PASSPORT_COMPANIONAPP_OAUTH_CLIENT_ID=9566e018-f05d-425c-9915-420cdb9258bb
-PASSPORT_COMPANIONAPP_OAUTH_CLIENT_SECRET=XjgV6SU9shO0QFKaU6pQPRC5rJpyRezDJTSoGLgz
-
diff --git a/src/config/auth.php b/src/config/auth.php
index e515469b..6dcaae0f 100644
--- a/src/config/auth.php
+++ b/src/config/auth.php
@@ -1,128 +1,123 @@
 <?php
 
 return [
 
     /*
     |--------------------------------------------------------------------------
     | Authentication Defaults
     |--------------------------------------------------------------------------
     |
     | This option controls the default authentication "guard" and password
     | reset options for your application. You may change these defaults
     | as required, but they're a perfect start for most applications.
     |
     */
 
     'defaults' => [
         'guard' => 'api',
         'passwords' => 'users',
     ],
 
     /*
     |--------------------------------------------------------------------------
     | Authentication Guards
     |--------------------------------------------------------------------------
     |
     | Next, you may define every authentication guard for your application.
     | Of course, a great default configuration has been defined for you
     | here which uses session storage and the Eloquent user provider.
     |
     | All authentication drivers have a user provider. This defines how the
     | users are actually retrieved out of your database or other storage
     | mechanisms used by this application to persist your user's data.
     |
     | Supported: "session", "token"
     |
     */
 
     'guards' => [
         'web' => [
             'driver' => 'session',
             'provider' => 'users',
         ],
 
         'api' => [
             'driver' => 'passport',
             'provider' => 'users',
         ],
     ],
 
     /*
     |--------------------------------------------------------------------------
     | User Providers
     |--------------------------------------------------------------------------
     |
     | All authentication drivers have a user provider. This defines how the
     | users are actually retrieved out of your database or other storage
     | mechanisms used by this application to persist your user's data.
     |
     | If you have multiple user tables or models you may configure multiple
     | sources which represent each model / table. These sources may then
     | be assigned to any extra authentication guards you have defined.
     |
     | Supported: "database", "eloquent"
     |
     */
 
     'providers' => [
         'users' => [
             'driver' => 'eloquent',
             'model' => App\User::class,
         ],
 
         // 'users' => [
         //     'driver' => 'database',
         //     'table' => 'users',
         // ],
     ],
 
     /*
     |--------------------------------------------------------------------------
     | Resetting Passwords
     |--------------------------------------------------------------------------
     |
     | You may specify multiple password reset configurations if you have more
     | than one user table or model in the application and you want to have
     | separate password reset settings based on the specific user types.
     |
     | The expire time is the number of minutes that the reset token should be
     | considered valid. This security feature keeps tokens short-lived so
     | they have less time to be guessed. You may change this as needed.
     |
     */
 
     'passwords' => [
         'users' => [
             'provider' => 'users',
             'table' => 'password_resets',
             'expire' => 60,
         ],
     ],
 
 
     /*
     |--------------------------------------------------------------------------
     | OAuth Proxy Authentication
     |--------------------------------------------------------------------------
     |
     | If you are planning to use your application to self-authenticate as a
     | proxy, you can define the client and grant type to use here. This is
     | sometimes the case when a trusted Single Page Application doesn't
     | use a backend to send the authentication request, but instead
     | relies on the API to handle proxying the request to itself.
     |
      */
 
     'proxy' => [
         'client_id' => env('PASSPORT_PROXY_OAUTH_CLIENT_ID'),
         'client_secret' => env('PASSPORT_PROXY_OAUTH_CLIENT_SECRET'),
     ],
 
-    'companion_app' => [
-        'client_id' => env('PASSPORT_COMPANIONAPP_OAUTH_CLIENT_ID'),
-        'client_secret' => env('PASSPORT_COMPANIONAPP_OAUTH_CLIENT_SECRET'),
-    ],
-
     'token_expiry_minutes' => env('OAUTH_TOKEN_EXPIRY', 60),
     'refresh_token_expiry_minutes' => env('OAUTH_REFRESH_TOKEN_EXPIRY', 30 * 24 * 60),
 ];