diff --git a/README.md b/README.md
index 2664dba9..c7ccdc5b 100644
--- a/README.md
+++ b/README.md
@@ -22,8 +22,8 @@ that make up the Bento platform.
 
 
 ## Requirements
-- Docker >= 24.0.4
-- Docker Compose >= 2.20.0 (plugin form: you should have the `docker compose` command available, without a dash)
+- Docker >= 25.0
+- Docker Compose >= 2.25.0 (plugin form: you should have the `docker compose` command available, without a dash)
 - Python >= 3.9 (for `bentoctl`); the services require Python 3.10 but this is included in their Docker images. 
 
 
@@ -36,14 +36,18 @@ that make up the Bento platform.
 * [Development](./docs/development.md)
 * [Troubleshooting guide](./docs/troubleshooting.md)
 * [Deployment](./docs/deployment.md)
+* [Monitoring](./docs/monitoring.md)
+* [Public discovery configuration](./docs/public_discovery.md)
 
 ### Data ingestion and usage
 
 * [Guide to genomic reference material in Bento](./docs/reference_material.md)
-* [Converting Phenopackets from V1 to V2 using `bentoctl`](./docs/phenopackets_v1_to_v2.md) 
+* [Converting Phenopackets from V1 to V2 using `bentoctl`](./docs/phenopackets_v1_to_v2.md)
+* [JSON Schemas for data types and discovery configuration](./docs/json-schemas.md)
 
 ### Migration documents
 
+* [v16 to v17](./docs/migrating_to_17.md)
 * [v15.2 to v16](./docs/migrating_to_16.md)
 * [v15.1 to v15.2](./docs/migrating_to_15_2.md)
 * [v15 to v15.1](./docs/migrating_to_15_1.md)
diff --git a/docker-compose.dev.yaml b/docker-compose.dev.yaml
index 96dddf5f..243e6bb1 100644
--- a/docker-compose.dev.yaml
+++ b/docker-compose.dev.yaml
@@ -65,6 +65,11 @@ services:
           - ${BENTOV2_DOMAIN}
           - ${BENTOV2_PORTAL_DOMAIN}
           - ${BENTOV2_AUTH_DOMAIN}
+      monitoring-net:
+          aliases:
+          - ${BENTOV2_DOMAIN}
+          - ${BENTOV2_PORTAL_DOMAIN}
+          - ${BENTOV2_AUTH_DOMAIN}
       public-net:
         aliases:
           - ${BENTOV2_DOMAIN}
@@ -172,7 +177,6 @@ services:
       - FLASK_DEBUG=True
       - BENTO_DEBUG=True
       - CHORD_DEBUG=True
-      - BENTO_BEACON_DEBUG=true
     ports:
       - "${BENTO_BEACON_EXTERNAL_PORT}:${BENTO_BEACON_INTERNAL_PORT}"
       - "${BENTO_BEACON_DEBUGGER_EXTERNAL_PORT}:${BENTO_BEACON_DEBUGGER_INTERNAL_PORT}"
@@ -232,3 +236,14 @@ services:
   cbioportal:
     ports:
       - "${BENTO_CBIOPORTAL_EXTERNAL_PORT}:${BENTO_CBIOPORTAL_INTERNAL_PORT}"
+
+  grafana:
+    ports:
+      - "3000:3000"
+    environment:
+    # Workaround for self signed certificates in dev
+      - GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=true
+  
+  loki:
+    ports:
+      - "3100:3100"
diff --git a/docker-compose.local.yaml b/docker-compose.local.yaml
index 4962a249..5dbd201f 100644
--- a/docker-compose.local.yaml
+++ b/docker-compose.local.yaml
@@ -59,11 +59,6 @@ services:
       - BENTO_GIT_EMAIL
       - BENTO_GIT_REPOSITORY_DIR=/app
 
-  adminer:
-    # No Docker networks required, bound to host
-    ports:
-      - 8080:8080
-
   aggregation:
     image: ${BENTOV2_AGGREGATION_IMAGE}:${BENTOV2_AGGREGATION_VERSION_DEV}
     environment:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 05c9e908..f91aaa52 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -13,6 +13,7 @@ include:
       - lib/event-relay/docker-compose.event-relay.yaml
       - lib/gohan/docker-compose.gohan.yaml  # Optional feature; controlled by a compose profile
       - lib/katsu/docker-compose.katsu.yaml
+      - lib/logs/docker-compose.logs.yaml
       - lib/notification/docker-compose.notification.yaml
       - lib/public/docker-compose.public.yaml  # Optional feature; controlled by a compose profile
       - lib/redis/docker-compose.redis.yaml
diff --git a/docs/deployment.md b/docs/deployment.md
index 1f3e2d6a..53f682f9 100644
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -99,3 +99,11 @@ ls certs/gateway/letsencrypt/live/
 ```
 
 If all went well, the `old-bento.example.com` domain should be redirected to `bento.example.com` in a browser.
+
+## Discovery configuration
+
+Bento can serve censored data publicly if configured to do so. This allows anonymous users to take a glimpse into the
+data hosted by a Bento node.
+
+When deploying a Bento instance, make sure that the discovery settings are configured properly at the necessary levels.
+Consult the [public discovery](./public_discovery.md) documentation for more details.
diff --git a/docs/img/discovery_proj_creation.png b/docs/img/discovery_proj_creation.png
new file mode 100644
index 00000000..f2508f9f
Binary files /dev/null and b/docs/img/discovery_proj_creation.png differ
diff --git a/docs/img/discovery_proj_edit.png b/docs/img/discovery_proj_edit.png
new file mode 100644
index 00000000..bebc9be5
Binary files /dev/null and b/docs/img/discovery_proj_edit.png differ
diff --git a/docs/img/grafana_explore.png b/docs/img/grafana_explore.png
new file mode 100644
index 00000000..bf0fd336
Binary files /dev/null and b/docs/img/grafana_explore.png differ
diff --git a/docs/img/kc_grafana_join_group.png b/docs/img/kc_grafana_join_group.png
new file mode 100644
index 00000000..133de0aa
Binary files /dev/null and b/docs/img/kc_grafana_join_group.png differ
diff --git a/docs/installation.md b/docs/installation.md
index d70f84ce..6f9bc9e4 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -13,7 +13,7 @@ virtual environment.
 ### Instance-specific environment variable file: `local.env`
 
 Depending on your use, development or deployment, you will need to copy the right template file
-to `local.env` in the root of the `bentoV2` folder:
+to `local.env` in the root of the `bento` folder, i.e., the repository folder:
 
 ```bash
 # Dev
@@ -28,87 +28,16 @@ Then, modify the values as needed; depending on if you're using the instance for
 
 #### Development example
 
-The below is an example of a completed development configuration:
-
-```bash
-# in local.env:
-
-MODE=dev
-
-# Gateway/domains -----------------------------------------------------
-BENTOV2_DOMAIN=bentov2.local
-BENTOV2_PORTAL_DOMAIN=portal.${BENTOV2_DOMAIN}
-BENTOV2_AUTH_DOMAIN=bentov2auth.local
-# Unused if cBioPortal is disabled:
-BENTOV2_CBIOPORTAL_DOMAIN=cbioportal.${BENTOV2_DOMAIN}
-# ---------------------------------------------------------------------
-
-# Feature switches ----------------------------------------------------
-
-BENTOV2_USE_EXTERNAL_IDP=0
-BENTOV2_USE_BENTO_PUBLIC=1
-
-#  - Switch to enable TLS - defaults to true (i.e., use TLS):
-BENTO_GATEWAY_USE_TLS='true'
-
-BENTO_BEACON_ENABLED='true'
-BENTO_BEACON_UI_ENABLED='true'
-BENTO_CBIOPORTAL_ENABLED='false'
-BENTO_GOHAN_ENABLED='true'
-
-#  - Switch to enable French translation in Bento Public
-BENTO_PUBLIC_TRANSLATED='true'
-
-# ---------------------------------------------------------------------
-
-# Set this to a data storage location, optionally within the repo itself, like: /path-to-my-bentov2-repo/data
-# Data directories are split to better use SSD and HDD resources in prod.
-# In dev/local it is more convenient to use a single directory
-BENTO_FAST_DATA_DIR=./data 
-BENTO_SLOW_DATA_DIR=./data
-
-# Auth ----------------------------------------------------------------
-#  - Session secret should be set to a unique secure value.
-#    this adds security and allows sessions to exist across gateway restarts.
-#     - Empty by default, to be filled by local.env
-#  - IMPORTANT: set before starting gateway
-BENTOV2_SESSION_SECRET=my-very-secret-session-secret  # !!! ADD SOMETHING MORE SECURE !!!
-
-#  - Set auth DB password if using a local IDP
-BENTO_AUTH_DB_PASSWORD=some-secure-password
-#  - Always set authz DB password
-BENTO_AUTHZ_DB_PASSWORD=some-other-secure-password
-
-BENTOV2_AUTH_ADMIN_USER=admin
-BENTOV2_AUTH_ADMIN_PASSWORD=admin  # !!! obviously for dev only !!!
-
-BENTOV2_AUTH_TEST_USER=user
-BENTOV2_AUTH_TEST_PASSWORD=user  # !!! obviously for dev only !!!
-
-#  - WES Client ID/secret; client within BENTOV2_AUTH_REALM
-BENTO_WES_CLIENT_ID=wes
-BENTO_WES_CLIENT_SECRET=
-# --------------------------------------------------------------------
-
-# Gohan
-BENTOV2_GOHAN_ES_PASSWORD=devpassword567
-
-# Katsu
-BENTOV2_KATSU_DB_PASSWORD=devpassword123
-BENTOV2_KATSU_APP_SECRET=some-random-phrase-here   # !!! ADD SOMETHING MORE SECURE !!!
-
-# Development settings ------------------------------------------------
-
-# - Git configuration
-BENTO_GIT_NAME=David  # Change this to your name
-BENTO_GIT_EMAIL=do-not-reply@example.org  # Change this to your GitHub account email
-```
+For an example of a semi-completed development configuration, see [etc/bento_dev.env](../etc/bento_dev.env).
+In the step above, this file was copied to `local.env`, and **you must now edit `local.env` to specify secrets and other 
+deployment-specific values.**
 
 You should at least fill to the following settings in dev mode (it may differ for a production setup), which are not set 
 in the example file:
 * `BENTOV2_SESSION_SECRET`
 * `BENTO_AUTH_DB_PASSWORD`
 * `BENTO_AUTHZ_DB_PASSWORD`
+* `BENTO_AGGREGATION_CLIENT_SECRET`
 * `BENTO_WES_CLIENT_SECRET`
 
 If the internal OIDC identity provider (IdP) is being used (by default, Keycloak), variables specifying default 
@@ -158,6 +87,14 @@ If using Beacon, first copy the configuration file:
 Then update any config values as needed at `lib/beacon/config/beacon_config.json` 
 and `lib/beacon/config/beacon_cohort.json`.
 
+If using the Beacon network, copy the configuration file:
+
+```bash
+./bentoctl.bash init-config beacon-network
+```
+
+and update values at `lib/beacon/config/beacon_network_config.json`.
+
 
 ### Gohan configuration
 
@@ -276,8 +213,10 @@ specified in the step above.
 ./bentoctl.bash init-auth
 ```
 
-**If using an external identity provider**, only start the cluster's gateway
-after setting `CLIENT_SECRET` in your local environment file:
+After running `init-auth`, be sure to put all client secrets into your `local.env` file!
+
+**If using an external identity provider**, only start the cluster's gateway after setting various `*_CLIENT_SECRET` 
+variables in your local environment file:
 
 ```bash
 ./bentoctl.bash run gateway
@@ -297,7 +236,7 @@ utilize new variables generated during the OIDC configuration.
 
 ## 6. Configure permissions
 
-### a. Create superuser permissions in the new Bento authorization service
+### a. Create superuser permissions in the Bento authorization service
 
 First, run the authorization service and then open a shell into the container:
 
@@ -317,24 +256,54 @@ which in Keycloak should be a UUID.
 
 ### b. Create grants for the Workflow Execution Service (WES) OAuth2 client
 
-Run the following commands to set up authorization for the WES client. Don't forget to replace `ISSUER_HERE` by the 
-issuer URL!
+Run the following commands to set up authorization for the WES client. 
+**Don't forget to replace `<ISSUER_HERE>` with the issuer URL!**
 
 ```bash
 # This grant is a temporary hack to get permissions working for v12/v13. In the future, it should be removed.
 bento_authz create grant \
-  '{"iss": "ISSUER_HERE", "client": "wes"}' \
+  '{"iss": "<ISSUER_HERE>", "client": "wes"}' \
   '{"everything": true}' \
   'view:private_portal'
 
 # This grant gives permission to access and ingest data into all projects and the reference genome service
 bento_authz create grant \
-  '{"iss": "ISSUER_HERE", "client": "wes"}' \
+  '{"iss": "<ISSUER_HERE>", "client": "wes"}' \
   '{"everything": true}' \
   'query:data' 'ingest:data' 'ingest:reference_material' 'delete:reference_material'
 ```
 
-### c. *Optional step:* Assign portal access to all users in the instance realm
+### c. Create a grant for the aggregation and Beacon services
+
+Run the following commands to set up authorization for the aggregation/Beacon client. 
+**Don't forget to replace `<ISSUER_HERE>` with the issuer URL!**
+
+```bash
+# In the future, view:private_portal will need to be removed from this grant.
+bento_authz create grant \
+  '{"iss": "<ISSUER_HERE>", "client": "aggregation"}' \
+  '{"everything": true}' \
+  'query:data' 'view:private_portal'
+```
+
+
+### d. Configure public data access for all users, including anonymous visitors (if desired):
+
+To configure public data access, run the following command in the authorization service container. Note that with the
+`full` value, **THIS GIVES FULL DATA ACCESS TO EVERYONE WHO VISITS YOUR INSTANCE!**
+
+```bash
+# Configure public data access
+# ----------------------------
+# The level below ("counts") preserves previous functionality. Other possible options are:
+#  - none - will do nothing.
+#  - bool - for censored true/false discovery, but in effect right now forbids access.
+#  - counts - for censored count discovery.
+#  - full - allows full data access (record-level, including sensitive data such as IDs), uncensored counts, etc.
+bento_authz public-data-access counts
+```
+
+### e. Assign portal access to all users in the instance realm
 
 We added a special permission, `view:private_portal`, to Bento v12/v13 in order to carry forward the current
 'legacy' authorization behaviour for one more major version. This permission currently behaves as a super-permission,
diff --git a/docs/json-schemas.md b/docs/json-schemas.md
new file mode 100644
index 00000000..9e2c2a0f
--- /dev/null
+++ b/docs/json-schemas.md
@@ -0,0 +1,15 @@
+# JSON Schemas for data types and discovery configuration
+
+Bento's services perform some of the data validation using [JSON Schemas](https://json-schema.org/specification).
+
+For a given version, Bento's services expect data to respect the schemas in use for:
+- Phenopackets
+- Experiments
+- Discovery configuration
+
+Starting with Bento v17 ([Katsu v9.0.0](https://github.com/bento-platform/katsu/releases/tag/v9.0.0)), 
+the compiled JSON Schemas are published as Katsu release artifacts.
+
+| Bento Release                                                   | JSON Schemas Download                                                                                              |
+| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| [v17](https://github.com/bento-platform/bento/releases/tag/v17) | [Katsu v9.0.0 json-schemas.zip](https://github.com/bento-platform/katsu/releases/download/v9.0.0/json-schemas.zip) |
diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md
new file mode 100644
index 00000000..817b3c44
--- /dev/null
+++ b/docs/migrating_to_17.md
@@ -0,0 +1,122 @@
+# Migrating to Bento v17
+
+Key points:
+
+* Bento now has observability tools to help monitor the services (Grafana). Some setup is required for this feature to 
+  work.
+* Katsu discovery endpoints now have an authorization layer. 
+  * Data that used to be completely public by default (i.e., 
+    censored counts) now requires a permission (`query:project_level_counts` and/or `query:dataset_level_counts`), and 
+    thus a grant in the authorization service. 
+  * Beacon now requires a client ID/secret and an authorization service grant to access uncensored data.
+* Katsu discovery is now more granular, and can be configured to the project or dataset level, in addition to the 
+  instance level. See the [Public data discovery configuration](./public_discovery.md) document for more information.
+* ...
+
+
+## 1. Stop Bento
+
+```bash
+./bentoctl.bash stop
+```
+
+
+## 2. Checkout to v17 and pull new Docker images
+
+```bash
+# Checkout on the v17 tag
+git checkout v17
+# Pull new Docker images
+./bentoctl.bash pull
+```
+
+
+## 3. Set up credentials for aggregation/Beacon and, optionally, set up Grafana
+
+If you wish to enable Grafana, you first must enable the monitoring feature in your `local.env` file:
+
+```bash
+BENTO_MONITORING_ENABLED='true'
+```
+
+After enabling the Grafana feature flag for the first time, 
+you must initialize the Docker networks and mounted directories.
+```bash
+# Init new Docker networks and directories if using Grafana
+./bentoctl.bash init-docker
+./bentoctl.bash init-dirs
+```
+
+To create the client secrets for aggregation/Beacon and Grafana (if the latter is enabled), run the following commands:
+
+```bash
+./bentoctl.bash run auth && ./bentoctl.bash run gateway
+./bentoctl.bash init-auth
+```
+
+**Reminder:** Make sure to put the client secret(s) generated by `init-auth` into your `local.env` file!
+
+Aggregation/Beacon data access authorization will not work until an authorization service grant is configured; 
+see step 4 below.
+
+Grafana will not be accessible to users until they are given a valid role; 
+see the [monitoring user management](./monitoring.md#user-management) section for details.
+
+## 4. Set up aggregation/Beacon permissions and public data access grants
+
+Now that Beacon uses a client ID/secret to get authorized, uncensored data access for discovery, a grant must be 
+configured to give the aggregation/Beacon client data access.
+
+Another change to permissions: starting from Bento v17, anonymous visitors do not have access to see censored counts 
+data by default, even if a discovery configuration has been set up. For anonymous visitors to access data, a level 
+(`bool`, `counts`, `full`) must be chosen and passed to the `bento_authz` CLI command below.
+
+```bash
+./bentoctl.bash run authz
+./bentoctl.bash shell authz
+
+# Configure aggregation/Beacon permissions
+# ----------------------------------------
+# This assumes the aggregation/Beacon client ID is "aggregation". 
+# <ISSUER_HERE> MUST be replaced with your actual issuer value.
+#  - The query:data permission gives access to Katsu endpoints which are properly authz-enabled.
+#  - The view:private_portal permission gives access to Katsu and Gohan endpoints where the proxy still manages access.
+#    This permission will be removed in an uncoming version.
+bento_authz create grant \
+  '{"iss": "<ISSUER_HERE>", "client": "aggregation"}' \
+  '{"everything": true}' \
+  'query:data' 'view:private_portal'
+
+# Configure public data access
+# ----------------------------
+# The level below ("counts") preserves previous functionality. Other possible options are:
+#  - none - will do nothing.
+#  - bool - for censored true/false discovery, but in effect right now forbids access.
+#  - counts - for censored count discovery.
+#  - full - allows full data access (record-level, including sensitive data such as IDs), uncensored counts, etc.
+bento_authz public-data-access counts
+```
+
+
+## 5. Optionally, add Beacon network
+
+To host a network of beacons, with a corresponding UI in Bento Public, first copy the config file: 
+
+```bash
+./bentoctl.bash init-config beacon-network
+```
+
+
+
+then update values at `lib/beacon/config/beacon_network_config.json`. Activate the network by adding (or modifying) this value in local.env:
+
+
+```bash
+BENTO_BEACON_NETWORK_ENABLED='true'
+```
+
+## 6. Start Bento
+
+```bash
+./bentoctl.bash start
+```
diff --git a/docs/monitoring.md b/docs/monitoring.md
new file mode 100644
index 00000000..627983a4
--- /dev/null
+++ b/docs/monitoring.md
@@ -0,0 +1,93 @@
+# Bento Monitoring
+
+Previously, the only way to get the logs of a given service was to connect to the the server hosting Bento
+and getting the logs directly from Docker.
+Since v17, Bento includes tools that allow authenticated and authorized users to explore the services' logs
+in a convenient web application.
+
+The stack enabling this is composed by three open-source services:
+- Promtail: forwards the logs from Bento's services to the log database
+- Loki: stores the logs from Promtail and serves them to Grafana
+- Grafana: auth protected web application to query and analyse collected logs
+
+## Configuration
+
+Enable monitoring by setting the feature flag
+
+```bash
+BENTO_MONITORING_ENABLED='true'
+```
+
+Pull the images and prepare the network/directories for monitoring containers:
+
+```bash
+./bentoctl.bash pull
+./bentoctl.bash init-docker
+./bentoctl.bash init-dirs
+```
+
+Grafana is configured to only let in authenticated users from Bento's Keycloak realm, 
+if they have the required client permissions for Grafana.
+
+Create the Grafana OIDC client, its permissions and group mappings with the following:
+
+```bash
+./bentoctl.bash init-auth
+```
+
+Set the outputted value for `BENTO_GRAFANA_CLIENT_SECRET` in the `local.env` file and restart Grafana.
+
+```bash
+./bentoctl.bash restart grafana
+```
+
+## User management
+
+In order for a user to access Grafana, they must belong to a Grafana sub-group in Bento's Keycloak.
+
+Group role-mappings in Keycloak:
+- Grafana (parent group, no permission)
+    - Admin
+        - Editor permissions
+        - Administration of Grafana
+    - Editor
+        - Viewer permissions
+        - Can explore logs
+        - Can create dashboards for viewers
+    - Viewer
+        - Can view created dashboards
+
+The `admin`, `editor` and `viewer` roles are Grafana concepts. During authentication, Grafana will synchronize the 
+user's roles from Keycloak, and only let the user in if a valid role can be retrieved from the ID token.
+
+The `init-auth` step in the [configuration](#configuration) creates everything needed for this in Keycloak. 
+
+The only remaining step is to add users to Grafana groups:
+- In a browser, navigate to the Keycloak admin portal (your `BENTOV2_AUTH_DOMAIN`)
+- Authenticate using the admin credentials
+- By default the realm will be `Keycloak`, change it to Bento's realm (value of `BENTOV2_AUTH_REALM`)
+- Navigate to the `Users` tab
+- Select a user
+- Select the user's `Groups` tab
+- Click on the `Join Group` button
+- Select a Grafana sub-group and click on `Join`
+
+![Grafana sub-group attribution](./img/kc_grafana_join_group.png)
+
+## Using Grafana
+
+The user can now connect to `bento_web` and access Grafana from the header tabs!
+
+At the moment, no default dashboards are provided, so only users with `admin` or `editor` roles will have 
+access to data.
+
+To look at the raw logs for a service:
+- Select the `Explore` tab in Grafana
+- Select the `service_name` label filter
+- Select a service from the value drop down
+- In the top-right, click on `run query`, `live`, or `Last <time frame>` to fetch the logs
+
+The logs will appear at the bottom. The log query can be further modified with operations, allowing you to fine comb
+your logs effectively.
+
+![Grafana service logs querying](./img/grafana_explore.png)
diff --git a/docs/public_discovery.md b/docs/public_discovery.md
new file mode 100644
index 00000000..562261e1
--- /dev/null
+++ b/docs/public_discovery.md
@@ -0,0 +1,80 @@
+# Public data discovery configuration
+
+New in Bento v17.
+
+Previously, the public data configuration given to Katsu (`lib/katsu/config.json`) was applied on all the metadata 
+contained in the service. This configuration declares which fields can be queried publicly for discovery purposes, 
+which charts to display and which censorship rules to apply on the results.
+
+Katsu can hold multiple projects/datasets that may use different fields, require specific charts or custom
+`extra_properties` schemas at the project level.
+Therefore, there is a need to tailor the discovery configuration at different levels to properly represent the 
+particularities in the information of a project or dataset.
+
+Bento v17 gives the ability to specify a scoped Discovery configuration at the following levels:
+-   Dataset
+    -   Optional at dataset creation
+    -   For scoped queries on public endpoints targeting a project and dataset:
+        -   Katsu will use the dataset's discovery configuration, if one exists.
+        -   If no configuration is found, falls back to the parent project's discovery.
+-   Project
+    -   Optional at project creation
+    -   For scoped queries on public endpoints targeting a project only:
+        -   Katsu will use the project's discovery configuration, if one exists.
+        -   If no configuration is found, falls back to the node's config.
+-   Node
+    -   Optional during Katsu deployment
+    -   Uses the legacy `lib/katsu/config.json` file mount
+    -   For non-scoped queries on public endpoints:
+        -   Katsu will use the node's discovery, if one exists.
+        -   If no node configuration is found, Katsu will respond with a 404 status.
+    -   For scoped queries on public endpoints:
+        -   Katsu will fallback on the node's discovery if the project and/or dataset in the scope don't have one
+        -   If no node configuration is found, Katsu will respond with a 404 status.
+
+
+## Creating a discovery configuration file.
+
+Follow these steps in order to add public discovery for a given scope.
+
+1. Decide at which level the discovery configuration will be applied.
+2. Create a copy of `etc/katsu.config.example.json`, use it as a base template
+3. Modify the `fields` section so that it includes the fields of interest.
+4. Modify the `search` section, include the fields from the previous section to make them searchable
+5. Modify the `overview` section in order to specify which fields should be rendered as charts and how.
+6. Set the desired censorship rules in the `rules` section.
+
+The resulting JSON file needs to respect the JSON-schema defined in Katsu [here](https://github.com/bento-platform/katsu/blob/develop/chord_metadata_service/discovery/schemas.py).
+
+## Using a discovery configuration file.
+
+With the valid discovery configuration file in hand, you can now add it to Katsu.
+
+### Apply the discovery configuration at the node level:
+
+This operation must be done by a Bento node administrator.
+```bash
+# Move the file to Katsu's config volume
+cp <discovery config JSON file> ./lib/katsu/config.json
+
+# restart Katsu to load the config.
+./bentoctl.bash restart katsu
+```
+
+### Apply the discovery configuration at the project or dataset level
+
+These operations must be performed in `bento_web` by an authenticated user 
+with the `edit:dataset`, `create:dataset`, `edit:project`, `create:project` permissions.
+
+Before creating/editing a project/dataset to specify a discovery configuration, 
+make sure that the JSON file is in Bento's dropbox.
+
+At project/dataset creation, leaving the discovery field empty is permitted.
+Specify a discovery config by selecting the desired file from the drop-down options.
+
+![Specifying a discovery at project creation.](./img/discovery_proj_creation.png)
+
+During project/dataset editing, three radio buttons are shown, allowing the user to pick the existing value,
+a new value from file, or none. The 'none' option is equivalent to leaving the field empty at creation.
+
+![Modifying the discovery when editing a project](./img/discovery_proj_edit.png)
diff --git a/etc/bento.env b/etc/bento.env
index 7ec69b2f..f19bfb37 100644
--- a/etc/bento.env
+++ b/etc/bento.env
@@ -17,8 +17,11 @@ BENTO_AUTHZ_SERVICE_URL=${BENTOV2_PUBLIC_URL}/api/authorization/
 
 BENTO_CORS_ORIGINS="${BENTOV2_PUBLIC_URL};${BENTOV2_PORTAL_PUBLIC_URL}"
 
-BENTOV2_HEALTHCHECK_TIMEOUT=5s
-BENTOV2_HEALTHCHECK_INTERVAL=5m
+BENTO_HEALTHCHECK_TIMEOUT=5s
+BENTO_HEALTHCHECK_INTERVAL=5m
+# Faster interval for services while they're starting:
+BENTO_HEALTHCHECK_START_PERIOD=75s
+BENTO_HEALTHCHECK_START_INTERVAL=5s
 
 BENTO_STD_SERVICE_INTERNAL_PORT=5000
 
@@ -31,7 +34,7 @@ BENTOV2_GATEWAY_INTERNAL_CERTS_DIR=/usr/local/openresty/nginx/certs
 
 # Gateway
 BENTOV2_GATEWAY_IMAGE=ghcr.io/bento-platform/bento_gateway
-BENTOV2_GATEWAY_VERSION=0.12.0
+BENTOV2_GATEWAY_VERSION=0.13.0
 BENTOV2_GATEWAY_VERSION_DEV=${BENTOV2_GATEWAY_VERSION}-dev
 BENTOV2_GATEWAY_CONTAINER_NAME=${BENTOV2_PREFIX}-gateway
 
@@ -44,7 +47,7 @@ BENTOV2_GATEWAY_CPUS=2
 
 # - Keycloak IdP - 'auth'
 BENTOV2_AUTH_IMAGE=ghcr.io/bento-platform/bento_keycloak_dist
-BENTOV2_AUTH_VERSION=2024.06.03
+BENTOV2_AUTH_VERSION=2024.09.26
 BENTOV2_AUTH_CONTAINER_NAME=${BENTOV2_PREFIX}-auth
 BENTO_AUTH_NETWORK=${BENTOV2_PREFIX}-auth-net
 BENTOV2_AUTH_SERVICE_HOST=0.0.0.0
@@ -77,7 +80,7 @@ BENTO_AUTH_DB_NETWORK="${BENTOV2_PREFIX}-auth-db-net"
 
 # - Authz service
 BENTO_AUTHZ_IMAGE=ghcr.io/bento-platform/bento_authorization_service
-BENTO_AUTHZ_VERSION=0.9.2
+BENTO_AUTHZ_VERSION=0.10.1
 BENTO_AUTHZ_VERSION_DEV=${BENTO_AUTHZ_VERSION}-dev
 BENTO_AUTHZ_CONTAINER_NAME=${BENTOV2_PREFIX}-authz
 BENTO_AUTHZ_NETWORK=${BENTOV2_PREFIX}-authz-net
@@ -97,7 +100,7 @@ BENTO_AUTHZ_DB_MEM_LIM=1G
 # Web
 BENTO_WEB_CUSTOM_HEADER=
 BENTOV2_WEB_IMAGE=ghcr.io/bento-platform/bento_web
-BENTOV2_WEB_VERSION=5.0.1
+BENTOV2_WEB_VERSION=6.0.0
 BENTOV2_WEB_VERSION_DEV=${BENTOV2_WEB_VERSION}-dev
 BENTOV2_WEB_CONTAINER_NAME=${BENTOV2_PREFIX}-web
 BENTO_WEB_NETWORK=${BENTOV2_PREFIX}-web-net
@@ -109,7 +112,7 @@ BENTOV2_WEB_CPUS=2
 
 # Drop-Box
 BENTOV2_DROP_BOX_IMAGE=ghcr.io/bento-platform/bento_drop_box_service
-BENTOV2_DROP_BOX_VERSION=1.1.8
+BENTOV2_DROP_BOX_VERSION=1.1.10
 BENTOV2_DROP_BOX_VERSION_DEV=${BENTOV2_DROP_BOX_VERSION}-dev
 BENTOV2_DROP_BOX_CONTAINER_NAME=${BENTOV2_PREFIX}-drop-box
 BENTO_DROP_BOX_NETWORK=${BENTOV2_PREFIX}-drop-box-net
@@ -123,7 +126,7 @@ BENTOV2_DROP_BOX_CPUS=3
 
 # Service Registry
 BENTOV2_SERVICE_REGISTRY_IMAGE=ghcr.io/bento-platform/bento_service_registry
-BENTOV2_SERVICE_REGISTRY_VERSION=1.4.1
+BENTOV2_SERVICE_REGISTRY_VERSION=1.4.2
 BENTOV2_SERVICE_REGISTRY_VERSION_DEV=${BENTOV2_SERVICE_REGISTRY_VERSION}-dev
 BENTOV2_SERVICE_REGISTRY_CONTAINER_NAME=${BENTOV2_PREFIX}-service-registry
 BENTO_SERVICE_REGISTRY_NETWORK=${BENTOV2_PREFIX}-service-registry-net
@@ -133,9 +136,11 @@ BENTOV2_SERVICE_REGISTRY_EXTERNAL_PORT=5010
 BENTOV2_SERVICE_REGISTRY_MEM_LIM=1G
 BENTOV2_SERVICE_REGISTRY_CPUS=1
 
+BENTO_SERVICE_REGISTRY_URL=${BENTOV2_PUBLIC_URL}/api/service-registry
+
 # Notification
 BENTOV2_NOTIFICATION_IMAGE=ghcr.io/bento-platform/bento_notification_service
-BENTOV2_NOTIFICATION_VERSION=3.1.4
+BENTOV2_NOTIFICATION_VERSION=3.1.6
 BENTOV2_NOTIFICATION_VERSION_DEV=${BENTOV2_NOTIFICATION_VERSION}-dev
 BENTOV2_NOTIFICATION_CONTAINER_NAME=${BENTOV2_PREFIX}-notification
 BENTO_NOTIFICATION_NETWORK=${BENTOV2_PREFIX}-notification-net
@@ -150,7 +155,7 @@ BENTOV2_NOTIFICATION_CPUS=2
 
 # Aggregation
 BENTOV2_AGGREGATION_IMAGE=ghcr.io/bento-platform/bento_aggregation_service
-BENTOV2_AGGREGATION_VERSION=0.19.5
+BENTOV2_AGGREGATION_VERSION=0.19.8
 BENTOV2_AGGREGATION_VERSION_DEV=${BENTOV2_AGGREGATION_VERSION}-dev
 BENTOV2_AGGREGATION_CONTAINER_NAME=${BENTOV2_PREFIX}-aggregation
 BENTO_AGGREGATION_NETWORK=${BENTOV2_PREFIX}-aggregation-net
@@ -165,7 +170,7 @@ BENTOV2_AGGREGATION_CPUS=2
 
 # Event-Relay
 BENTOV2_EVENT_RELAY_IMAGE=ghcr.io/bento-platform/bento_event_relay
-BENTOV2_EVENT_RELAY_VERSION=3.1.3
+BENTOV2_EVENT_RELAY_VERSION=3.1.5
 BENTOV2_EVENT_RELAY_VERSION_DEV=${BENTOV2_EVENT_RELAY_VERSION}-dev
 BENTOV2_EVENT_RELAY_CONTAINER_NAME=${BENTOV2_PREFIX}-event-relay
 BENTO_EVENT_RELAY_NETWORK=${BENTOV2_PREFIX}-event-relay-net
@@ -179,7 +184,7 @@ BENTOV2_EVENT_RELAY_CPUS=1
 # Reference
 #  - Service
 BENTO_REFERENCE_IMAGE=ghcr.io/bento-platform/bento_reference_service
-BENTO_REFERENCE_VERSION=0.2.2
+BENTO_REFERENCE_VERSION=0.3.0
 BENTO_REFERENCE_VERSION_DEV=${BENTO_REFERENCE_VERSION}-dev
 BENTO_REFERENCE_CONTAINER_NAME=${BENTOV2_PREFIX}-reference
 BENTO_REFERENCE_NETWORK=${BENTOV2_PREFIX}-reference-net
@@ -201,7 +206,7 @@ BENTO_REFERENCE_DB_USER="reference_user"
 
 # WES
 BENTOV2_WES_IMAGE=ghcr.io/bento-platform/bento_wes
-BENTOV2_WES_VERSION=0.14.2
+BENTOV2_WES_VERSION=0.14.5
 BENTOV2_WES_VERSION_DEV=${BENTOV2_WES_VERSION}-dev
 BENTOV2_WES_CONTAINER_NAME=${BENTOV2_PREFIX}-wes
 BENTO_WES_NETWORK=${BENTOV2_PREFIX}-wes-net
@@ -228,7 +233,7 @@ BENTOV2_WES_WORKFLOW_TIMEOUT=172800
 
 # DRS
 BENTOV2_DRS_IMAGE=ghcr.io/bento-platform/bento_drs
-BENTOV2_DRS_VERSION=0.17.1
+BENTOV2_DRS_VERSION=0.18.0
 BENTOV2_DRS_VERSION_DEV=${BENTOV2_DRS_VERSION}-dev
 BENTOV2_DRS_CONTAINER_NAME=${BENTOV2_PREFIX}-drs
 BENTO_DRS_NETWORK=${BENTOV2_PREFIX}-drs-net
@@ -249,6 +254,10 @@ BENTOV2_DRS_DEBUGGER_EXTERNAL_PORT=5682
 BENTOV2_DRS_MEM_LIM=2G
 BENTOV2_DRS_CPUS=2
 
+# Canonical/world-resolvable URL for DRS
+#  TODO: services should use the service registry instead
+BENTO_DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs
+
 # Katsu-DB
 BENTOV2_KATSU_DB_IMAGE=postgres
 BENTOV2_KATSU_DB_VERSION=13
@@ -269,7 +278,7 @@ BENTOV2_KATSU_DB_CPUS=4
 
 # Katsu
 BENTOV2_KATSU_IMAGE=ghcr.io/bento-platform/katsu
-BENTOV2_KATSU_VERSION=8.0.1
+BENTOV2_KATSU_VERSION=9.0.0
 BENTOV2_KATSU_VERSION_DEV=${BENTOV2_KATSU_VERSION}-dev
 BENTOV2_KATSU_CONTAINER_NAME=${BENTOV2_PREFIX}-katsu
 BENTO_KATSU_NETWORK=${BENTOV2_PREFIX}-katsu-net
@@ -290,6 +299,10 @@ BENTOV2_KATSU_CPUS=4
 # urls in templates.
 CHORD_METADATA_SUB_PATH=/api/metadata
 
+# Canonical/world-resolvable URL for Katsu
+#  TODO: services should use the service registry instead
+BENTO_KATSU_URL=${BENTOV2_PORTAL_PUBLIC_URL}${CHORD_METADATA_SUB_PATH}
+
 # Redis
 BENTOV2_REDIS_BASE_IMAGE=redis
 BENTOV2_REDIS_BASE_IMAGE_VERSION=7.0.15-alpine
@@ -312,7 +325,7 @@ BENTOV2_GOHAN_DATA_ROOT=${BENTO_FAST_DATA_DIR}/gohan
 
 # -- API
 BENTOV2_GOHAN_API_IMAGE=ghcr.io/bento-platform/gohan-api
-BENTOV2_GOHAN_API_VERSION=5.0.1
+BENTOV2_GOHAN_API_VERSION=5.0.2
 BENTOV2_GOHAN_API_VERSION_DEV=${BENTOV2_GOHAN_API_VERSION}-dev
 
 BENTOV2_GOHAN_API_CONTAINER_NAME=${BENTOV2_PREFIX}-gohan-api
@@ -336,12 +349,16 @@ BENTOV2_GOHAN_API_AUTHZ_ENABLED=false
 #BENTOV2_GOHAN_API_AUTHZ_AGREED_DISABLED_RISK=false
 BENTOV2_GOHAN_API_AUTHZ_REQHEADS=X-CUSTOM-1,X-CUSTOM-2
 
+# Canonical/world-resolvable URL for Gohan
+#  - TODO: services should use the service registry instead
+BENTO_GOHAN_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/gohan
+
 # -- Elasticsearch
 BENTOV2_GOHAN_ES_USERNAME=elastic
 # BENTOV2_GOHAN_ES_PASSWORD comes from default_config
 
 BENTOV2_GOHAN_ES_IMAGE=ghcr.io/bento-platform/gohan-elasticsearch
-BENTOV2_GOHAN_ES_VERSION=5.0.1
+BENTOV2_GOHAN_ES_VERSION=5.0.2
 
 BENTOV2_GOHAN_ES_CONTAINER_NAME=${BENTOV2_PREFIX}-gohan-elasticsearch
 BENTO_GOHAN_ES_NETWORK=${BENTOV2_PREFIX}-gohan-elasticsearch-net
@@ -371,7 +388,7 @@ BENTOV2_GOHAN_PRIVATE_AUTHZ_URL=http://${BENTOV2_GOHAN_AUTHZ_OPA_CONTAINER_NAME}
 # Bento-Public
 
 BENTO_PUBLIC_IMAGE=ghcr.io/bento-platform/bento_public
-BENTO_PUBLIC_VERSION=0.19.1
+BENTO_PUBLIC_VERSION=0.20.0
 BENTO_PUBLIC_VERSION_DEV=${BENTO_PUBLIC_VERSION}-dev
 BENTO_PUBLIC_CONTAINER_NAME=${BENTOV2_PREFIX}-public
 BENTO_PUBLIC_NETWORK=${BENTOV2_PREFIX}-public-net
@@ -382,7 +399,6 @@ BENTO_PUBLIC_EXTERNAL_PORT=8090
 BENTO_PUBLIC_DEBUG=false
 BENTO_PUBLIC_SERVICE_ID=${BENTOV2_PREFIX}-public
 BENTO_PUBLIC_CLIENT_NAME=BentoPublicDev
-BENTO_PUBLIC_KATSU_URL=http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}
 BENTO_PUBLIC_WES_URL=http://${BENTOV2_WES_CONTAINER_NAME}:${BENTOV2_WES_INTERNAL_PORT}
 BENTO_PUBLIC_GOHAN_URL=http://${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT}
 BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL}
@@ -392,7 +408,7 @@ BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL}
 BENTO_BEACON_CONTAINER_NAME=${BENTOV2_PREFIX}-beacon
 BENTO_BEACON_NETWORK=${BENTOV2_PREFIX}-beacon-net
 BENTO_BEACON_IMAGE=ghcr.io/bento-platform/bento_beacon
-BENTO_BEACON_VERSION=0.15.2
+BENTO_BEACON_VERSION=0.16.0
 BENTO_BEACON_VERSION_DEV=${BENTO_BEACON_VERSION}-dev
 BENTO_BEACON_INTERNAL_PORT=${BENTO_STD_SERVICE_INTERNAL_PORT}
 BENTO_BEACON_EXTERNAL_PORT=5000
@@ -402,10 +418,8 @@ BENTO_BEACON_MEM_LIM=2G
 BENTO_BEACON_CPUS=2
 BENTO_BEACON_CONFIG_DIR=${PWD}/lib/beacon/config
 
-BENTO_BEACON_GOHAN_BASE_URL=http://${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT}
 BENTO_BEACON_KATSU_TIMEOUT=60
 BENTO_BEACON_GOHAN_TIMEOUT=60
-BENTO_BEACON_OIDC_ISSUER=${BENTOV2_AUTH_PUBLIC_URL}/auth/realms/${BENTOV2_AUTH_REALM}
 
 # cBioPortal
 
@@ -440,3 +454,22 @@ BENTO_CBIOPORTAL_SESSION_DATABASE_IMAGE_VERSION=6.0.15
 BENTO_CBIOPORTAL_SESSION_DATABASE_CONTAINER_NAME=${BENTOV2_PREFIX}-cbioportal-session-db
 BENTO_CBIOPORTAL_SESSION_DATABASE_DATA_DIR=${BENTO_FAST_DATA_DIR}/cbioportal/session_db
 # Uses BENTO_CBIOPORTAL_SESSION_NETWORK as the network
+
+# Monitoring
+BENTO_MONITORING_NETWORK=${BENTOV2_PREFIX}-monitoring-net
+BENTO_PRIVATE_GRAFANA_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/grafana
+BENTO_PUBLIC_GRAFANA_URL=${BENTOV2_PORTAL_PUBLIC_URL}/grafana
+BENTO_LOKI_IMAGE=grafana/loki
+BENTO_LOKI_IMAGE_VERSION=3.1.1
+BENTO_LOKI_CONTAINER_NAME=${BENTOV2_PREFIX}-loki
+BENTO_LOKI_TEMP_DIR=${BENTO_SLOW_DATA_DIR}/loki/tmp
+BENTO_GRAFANA_IMAGE=grafana/grafana
+BENTO_GRAFANA_IMAGE_VERSION=11.1.5
+BENTO_GRAFANA_CONTAINER_NAME=${BENTOV2_PREFIX}-grafana
+BENTO_GRAFANA_LIB_DIR=${BENTO_SLOW_DATA_DIR}/grafana/lib
+# JMESPath to recover the user's role from the ID token
+BENTO_GRAFANA_ROLE_ATTRIBUTE_PATH="contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer' || 'None'"
+BENTO_GRAFANA_SIGNOUT_REDIRECT_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F${BENTOV2_PORTAL_DOMAIN}%2Fapi%2Fgrafana%2Flogin
+BENTO_PROMTAIL_IMAGE=grafana/promtail
+BENTO_PROMTAIL_IMAGE_VERSION=2.9.10
+BENTO_PROMTAIL_CONTAINER_NAME=${BENTOV2_PREFIX}-promtail
diff --git a/etc/bento_deploy.env b/etc/bento_deploy.env
index 86a5c98a..24f63cc1 100644
--- a/etc/bento_deploy.env
+++ b/etc/bento_deploy.env
@@ -10,8 +10,10 @@ BENTO_GATEWAY_USE_TLS='true'
 
 BENTO_BEACON_ENABLED='false'  # Set to true if using Beacon!
 BENTO_BEACON_UI_ENABLED='false'
+BENTO_BEACON_NETWORK_ENABLED='false'
 BENTO_CBIOPORTAL_ENABLED='false'
 BENTO_GOHAN_ENABLED='true'
+BENTO_MONITORING_ENABLED='false'
 
 #  - Switch to enable French translation in Bento Public
 BENTO_PUBLIC_TRANSLATED='true'
@@ -50,9 +52,17 @@ BENTOV2_AUTH_TEST_PASSWORD=
 BENTO_AUTH_DB_PASSWORD=  # TODO: SET ME WHEN DEPLOYING!
 BENTO_AUTHZ_DB_PASSWORD=  # TODO: SET ME WHEN DEPLOYING!
 
+#  - Aggregation/Beacon client ID/secret; client within BENTOV2_AUTH_REALM
+BENTO_AGGREGATION_CLIENT_ID=aggregation
+BENTO_AGGREGATION_CLIENT_SECRET=  # TODO: SET ME WHEN DEPLOYING!
+
 #  - WES Client ID/secret; client within BENTOV2_AUTH_REALM
 BENTO_WES_CLIENT_ID=wes
 BENTO_WES_CLIENT_SECRET=  # TODO: SET ME WHEN DEPLOYING!
+
+#  - Grafana Client ID/secret; client within BENTOV2_AUTH_REALM
+BENTO_GRAFANA_CLIENT_ID=grafana
+BENTO_GRAFANA_CLIENT_SECRET=  # TODO: SET ME WHEN DEPLOYING IF GRAFANA IS ENABLED!
 # ---------------------------------------------------------------------
 
 BENTO_WEB_CUSTOM_HEADER=
diff --git a/etc/bento_dev.env b/etc/bento_dev.env
index 884d1d65..00ec3541 100644
--- a/etc/bento_dev.env
+++ b/etc/bento_dev.env
@@ -10,8 +10,10 @@ BENTO_GATEWAY_USE_TLS='true'
 
 BENTO_BEACON_ENABLED='true'
 BENTO_BEACON_UI_ENABLED='true'
+BENTO_BEACON_NETWORK_ENABLED='false'
 BENTO_CBIOPORTAL_ENABLED='false'
 BENTO_GOHAN_ENABLED='true'
+BENTO_MONITORING_ENABLED='false'
 
 #  - Switch to enable French translation in Bento Public
 BENTO_PUBLIC_TRANSLATED='true'
@@ -37,22 +39,30 @@ BENTOV2_CBIOPORTAL_DOMAIN=cbioportal.${BENTOV2_DOMAIN}
 #    this adds security and allows sessions to exist across gateway restarts.
 #     - Empty by default, to be filled by local.env
 #  - IMPORTANT: set before starting gateway
-BENTOV2_SESSION_SECRET=
+BENTOV2_SESSION_SECRET=my-very-secret-session-secret  # !!! ADD SOMETHING MORE SECURE !!!
 
 #  - Set auth DB password if using a local IDP
-BENTO_AUTH_DB_PASSWORD=
+BENTO_AUTH_DB_PASSWORD=some-secure-password  # !!! obviously for dev only !!!
 #  - Always set authz DB password
-BENTO_AUTHZ_DB_PASSWORD=
+BENTO_AUTHZ_DB_PASSWORD=some-other-secure-password  # !!! obviously for dev only !!!
 
-BENTOV2_AUTH_ADMIN_USER=
-BENTOV2_AUTH_ADMIN_PASSWORD=
+BENTOV2_AUTH_ADMIN_USER=admin
+BENTOV2_AUTH_ADMIN_PASSWORD=admin  # !!! obviously for dev only !!!
 
-BENTOV2_AUTH_TEST_USER=
-BENTOV2_AUTH_TEST_PASSWORD=
+BENTOV2_AUTH_TEST_USER=user
+BENTOV2_AUTH_TEST_PASSWORD=user  # !!! obviously for dev only !!!
+
+#  - Aggregation/Beacon client ID/secret; client within BENTOV2_AUTH_REALM
+BENTO_AGGREGATION_CLIENT_ID=aggregation
+BENTO_AGGREGATION_CLIENT_SECRET=
 
 #  - WES Client ID/secret; client within BENTOV2_AUTH_REALM
 BENTO_WES_CLIENT_ID=wes
 BENTO_WES_CLIENT_SECRET=
+
+#  - Grafana Client ID/secret; client within BENTOV2_AUTH_REALM
+BENTO_GRAFANA_CLIENT_ID=grafana
+BENTO_GRAFANA_CLIENT_SECRET=
 # --------------------------------------------------------------------
 
 # Gohan
@@ -60,7 +70,7 @@ BENTOV2_GOHAN_ES_PASSWORD=devpassword567
 
 # Katsu
 BENTOV2_KATSU_DB_PASSWORD=devpassword123
-BENTOV2_KATSU_APP_SECRET=some-random-phrase-here
+BENTOV2_KATSU_APP_SECRET=some-random-phrase-here  # !!! obviously for dev only !!!
 
 # Reference
 BENTO_REFERENCE_DB_PASSWORD=devpassword456
diff --git a/etc/default_config.env b/etc/default_config.env
index 949f7309..d150afdc 100644
--- a/etc/default_config.env
+++ b/etc/default_config.env
@@ -15,8 +15,10 @@ BENTO_GATEWAY_USE_TLS='true'
 
 BENTO_BEACON_ENABLED='true'
 BENTO_BEACON_UI_ENABLED='true'
+BENTO_BEACON_NETWORK_ENABLED='false'
 BENTO_CBIOPORTAL_ENABLED='false'
 BENTO_GOHAN_ENABLED='true'
+BENTO_MONITORING_ENABLED='false'
 
 #  - Switch to enable French translation in Bento Public
 BENTO_PUBLIC_TRANSLATED='true'
@@ -78,9 +80,15 @@ BENTOV2_AUTH_TEST_PASSWORD=
 #  - Auth (Keycloak) DB credentials
 BENTO_AUTH_DB_PASSWORD=
 BENTO_AUTHZ_DB_PASSWORD=
+#  - Aggregation/Beacon client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM
+BENTO_AGGREGATION_CLIENT_ID=aggregation
+BENTO_AGGREGATION_CLIENT_SECRET=
 #  - cBioPortal Client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM
 BENTO_CBIOPORTAL_CLIENT_ID=cbioportal
 BENTO_CBIOPORTAL_CLIENT_SECRET=
+#  - Grafana Client ID/secret; secret to be filled by local.env client within BENTOV2_AUTH_REALM
+BENTO_GRAFANA_CLIENT_ID=grafana
+BENTO_GRAFANA_CLIENT_SECRET=
 #  - WES Client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM
 BENTO_WES_CLIENT_ID=wes
 BENTO_WES_CLIENT_SECRET=
diff --git a/etc/templates/beacon/beacon_network_config.example.json b/etc/templates/beacon/beacon_network_config.example.json
new file mode 100644
index 00000000..4637be11
--- /dev/null
+++ b/etc/templates/beacon/beacon_network_config.example.json
@@ -0,0 +1,10 @@
+{
+    "beacons": [
+        "https://bqc19.bento.sd4h.ca/api/beacon",
+        "https://staging.bento.sd4h.ca/api/beacon",
+        "https://qa.bento.sd4h.ca/api/beacon",
+        "https://bentov2.local/api/beacon"
+    ],
+    "network_default_timeout_seconds": 30,
+    "network_variants_query_timeout_seconds": 120
+}
diff --git a/etc/templates/translations/en.example.json b/etc/templates/translations/en.example.json
index e272b39d..d7462bf4 100644
--- a/etc/templates/translations/en.example.json
+++ b/etc/templates/translations/en.example.json
@@ -1,13 +1,116 @@
 {
+  "years": "years",
+  "MALE": "MALE",
+  "FEMALE": "FEMALE",
   "Age": "Age",
+  "Age at arrival": "Age at arrival",
   "Sex": "Sex",
+  "Sex at birth": "Sex at birth",
   "Verbal consent date": "Verbal Consent Date",
   "Functional status": "Functional Status",
   "Lab Test Result": "Lab Test Results",
   "Experiment Types": "Experiment Types",
+  "Types of experiments performed on a sample": "Types of experiments performed on a sample",
   "Demographics": "Demographics",
-  "MALE": "MALE",
-  "FEMALE": "FEMALE",
   "I have no problems in walking about": "I have no problems in walking about",
-  "Results": "Results"
-}
\ No newline at end of file
+  "Results": "Results",
+  "General": "General",
+  "Measurements": "Measurements",
+  "Medical Actions": "Medical Actions",
+  "Interpretations": "Interpretations",
+  "Experiments": "Experiments",
+  "Date of initial verbal consent (participant, legal representative or tutor), yyyy-mm-dd": "Date of initial verbal consent (participant, legal representative or tutor), yyyy-mm-dd",
+  "Covid severity": "Covid severity",
+  "Dead": "Dead",
+  "Moderate": "Moderate",
+  "Uninfected": "Uninfected",
+  "Severe": "Severe",
+  "Mild": "Mild",
+  "Mobility": "Mobility",
+  "I have slight problems in walking about": "I have slight problems in walking about",
+  "I have moderate problems in walking about": "I have moderate problems in walking about",
+  "I have severe problems in walking about": "I have severe problems in walking about",
+  "I am unable to walk about": "I am unable to walk about",
+  "Smoking Status": "Smoking Status",
+  "Non-smoker": "Non-smoker",
+  "Smoker": "Smoker",
+  "Former smoker": "Former smoker",
+  "Passive smoker": "Passive smoker",
+  "Not specified": "Not specified",
+  "Phenotypic Features": "Phenotypic Features",
+  "Individual phenotypic features, observed as either present or absent": "Individual phenotypic features, observed as either present or absent",
+  "Abdominal pain": "Abdominal pain",
+  "Asthma": "Asthma",
+  "Cardiac arrest": "Cardiac arrest",
+  "Chest pain": "Chest pain",
+  "Cough": "Cough",
+  "Dementia": "Dementia",
+  "Fever": "Fever",
+  "Headache": "Headache",
+  "HIV Infection": "HIV Infection",
+  "Hyperglycemia": "Hyperglycemia",
+  "Hypertension": "Hypertension",
+  "Loss of appetite": "Loss of appetite",
+  "Loss of sense of smell": "Loss of sense of smell",
+  "Nausea": "Nausea",
+  "Patient immunosuppressed": "Patient immunosuppressed",
+  "Pneumothorax": "Pneumothorax",
+  "Pulmonary hypertension": "Pulmonary hypertension",
+  "Viral pneumonia/pneumonitis": "Viral pneumonia/pneumonitis",
+  "blood": "blood",
+  "Plasma": "Plasma",
+  "Serum": "Serum",
+  "autoimmune disorder of cardiovascular system": "autoimmune disorder of cardiovascular system",
+  "coronary artery disease, autosomal dominant, 1": "coronary artery disease, autosomal dominant, 1",
+  "COVID-19": "COVID-19",
+  "Cystic fibrosis": "Cystic fibrosis",
+  "diabetes mellitus": "diabetes mellitus",
+  "Glioblastoma": "Glioblastoma",
+  "Hashimoto Thyroiditis": "Hashimoto Thyroiditis",
+  "Marfan syndrome": "Marfan syndrome",
+  "Miller syndrome": "Miller syndrome",
+  "Non-Hodgkin Lymphoma": "Non-Hodgkin Lymphoma",
+  "Polycythemia vera": "Polycythemia vera",
+  "Rheumatologic disease": "Rheumatologic disease",
+  "Takotsubo cardiomyopathy": "Takotsubo cardiomyopathy",
+  "viral pneumonia": "viral pneumonia",
+  "Sampled Tissues": "Sampled Tissues",
+  "Tissue from which the biosample was extracted": "Tissue from which the biosample was extracted",
+  "Diseases": "Diseases",
+  "Diseases observed as either present or absent": "Diseases observed as either present or absent",
+  "Numeric measures from a laboratory test": "Numeric measures from a laboratory test",
+  "BMI": "BMI",
+  "Body Mass Index": "Body Mass Index",
+  "Medical Procedures": "Medical Procedures",
+  "A clinical procedure performed on a subject": "A clinical procedure performed on a subject",
+  "Liver Biopsy": "Liver Biopsy",
+  "Magnetic Resonance Imaging": "Magnetic Resonance Imaging",
+  "Positron Emission Tomography": "Positron Emission Tomography",
+  "Punch Biopsy": "Punch Biopsy",
+  "X-Ray Imaging": "X-Ray Imaging",
+  "Medical Treatments": "Medical Treatments",
+  "Treatment with an agent such as a drug": "Treatment with an agent such as a drug",
+  "Ibuprofen": "Ibuprofen",
+  "Acetaminophen": "Acetaminophen",
+  "Genomic Interpretations": "Genomic Interpretations",
+  "Interpretation for an individual variant or gene (CANDIDATE, CONTRIBUTORY, etc)": "Interpretation for an individual variant or gene (CANDIDATE, CONTRIBUTORY, etc)",
+  "CONTRIBUTORY": "CONTRIBUTORY",
+  "Variant Pathogenicity": "Variant Pathogenicity",
+  "ACMG Pathogenicity category for a particular variant (BENIGN, PATHOGENIC, etc)": "ACMG Pathogenicity category for a particular variant (BENIGN, PATHOGENIC, etc)",
+  "PATHOGENIC": "PATHOGENIC",
+  "Metabolite profiling": "Metabolite profiling",
+  "Neutralizing antibody titers": "Neutralizing antibody titers",
+  "Other": "Other",
+  "Proteomic profiling": "Proteomic profiling",
+  "RNA-Seq": "RNA-Seq",
+  "WGS": "WGS",
+  "Study Types": "Study Types",
+  "Study type of the experiment (e.g. Genomics, Transcriptomics, etc.)": "Study type of the experiment (e.g. Genomics, Transcriptomics, etc.)",
+  "Genomics": "Genomics",
+  "Metabolomics": "Metabolomics",
+  "Proteomics": "Proteomics",
+  "Serology": "Serology",
+  "Transcriptomics": "Transcriptomics",
+  "Results File Types": "Results File Types",
+  "File type of experiment results files": "File type of experiment results files"
+}
diff --git a/etc/templates/translations/fr.example.json b/etc/templates/translations/fr.example.json
index 97d12d8f..5ffbe0bd 100644
--- a/etc/templates/translations/fr.example.json
+++ b/etc/templates/translations/fr.example.json
@@ -1,13 +1,116 @@
 {
+  "years": "années",
   "MALE": "HOMME",
   "FEMALE": "FEMME",
   "Age": "Âge",
+  "Age at arrival": "Âge à l'arrivée",
   "Sex": "Sexe",
+  "Sex at birth": "Sexe à la naissance",
   "Demographics": "Démographie",
-  "Verbal consent date": "Date de consentement verbal",
+  "Verbal consent date": "Date du consentement verbal",
   "Functional status": "Statut fonctionnel",
   "Lab Test Result": "Résultats des tests de laboratoire",
   "Experiment Types": "Types d'expériences",
-  "I have no problems in walking about": "Je n’ai aucun problème à marcher",
-  "Results": "Résultats"
-}
\ No newline at end of file
+  "Types of experiments performed on a sample": "Types d'expériences réalisées sur un échantillon",
+  "I have no problems in walking about": "Je n'ai aucun problème à marcher",
+  "Results": "Résultats",
+  "General": "Général",
+  "Measurements": "Mesures",
+  "Medical Actions": "Actions médicales",
+  "Interpretations": "Interprétations",
+  "Experiments": "Expériences",
+  "Date of initial verbal consent (participant, legal representative or tutor), yyyy-mm-dd": "Date du consentement verbal initial (participant, représentant légal ou tuteur), aaaa-mm-jj",
+  "Covid severity": "Gravité de la Covid",
+  "Dead": "Décédé",
+  "Moderate": "Modéré",
+  "Uninfected": "Non infecté",
+  "Severe": "Sévère",
+  "Mild": "Léger",
+  "Mobility": "Mobilité",
+  "I have slight problems in walking about": "J'ai de légers problèmes à marcher",
+  "I have moderate problems in walking about": "J'ai des problèmes modérés à marcher",
+  "I have severe problems in walking about": "J'ai de graves problèmes à marcher",
+  "I am unable to walk about": "Je ne peux pas marcher",
+  "Smoking Status": "Statut tabagique",
+  "Non-smoker": "Non-fumeur",
+  "Smoker": "Fumeur",
+  "Former smoker": "Ex-fumeur",
+  "Passive smoker": "Tabagisme passif",
+  "Not specified": "Non spécifié",
+  "Phenotypic Features": "Caractéristiques phénotypiques",
+  "Individual phenotypic features, observed as either present or absent": "Caractéristiques phénotypiques individuelles, observées comme présentes ou absentes",
+  "Abdominal pain": "Douleur abdominale",
+  "Asthma": "Asthme",
+  "Cardiac arrest": "Arrêt cardiaque",
+  "Chest pain": "Douleur thoracique",
+  "Cough": "Toux",
+  "Dementia": "Démence",
+  "Fever": "Fièvre",
+  "Headache": "Mal de tête",
+  "HIV Infection": "Infection VIH",
+  "Hyperglycemia": "Hyperglycémie",
+  "Hypertension": "Hypertension",
+  "Loss of appetite": "Perte d'appétit",
+  "Loss of sense of smell": "Perte de l'odorat",
+  "Nausea": "Nausée",
+  "Patient immunosuppressed": "Patient immunodéprimé",
+  "Pneumothorax": "Pneumothorax",
+  "Pulmonary hypertension": "Hypertension pulmonaire",
+  "Viral pneumonia/pneumonitis": "Pneumonie/pneumonite virale",
+  "blood": "sang",
+  "Plasma": "Plasma",
+  "Serum": "Sérum",
+  "autoimmune disorder of cardiovascular system": "trouble auto-immun du système cardiovasculaire",
+  "coronary artery disease, autosomal dominant, 1": "maladie coronarienne, autosomique dominante, 1",
+  "COVID-19": "COVID-19",
+  "Cystic fibrosis": "Fibrose kystique",
+  "diabetes mellitus": "diabète sucré",
+  "Glioblastoma": "Glioblastome",
+  "Hashimoto Thyroiditis": "Thyroïdite de Hashimoto",
+  "Marfan syndrome": "Syndrome de Marfan",
+  "Miller syndrome": "Syndrome de Miller",
+  "Non-Hodgkin Lymphoma": "Lymphome non hodgkinien",
+  "Polycythemia vera": "Polycythémie vraie",
+  "Rheumatologic disease": "Problèmes rhumatologiques",
+  "Takotsubo cardiomyopathy": "Cardiomyopathie de Takotsubo",
+  "viral pneumonia": "pneumonie virale",
+  "Sampled Tissues": "Tissus échantillonnés",
+  "Tissue from which the biosample was extracted": "Tissu à partir duquel le biosample a été extrait",
+  "Diseases": "Maladies",
+  "Diseases observed as either present or absent": "Maladies observées comme présentes ou absentes",
+  "Numeric measures from a laboratory test": "Mesures numériques d'un test de laboratoire",
+  "BMI": "BMI",
+  "Body Mass Index": "Indice de masse corporelle",
+  "Medical Procedures": "Procédures médicales",
+  "A clinical procedure performed on a subject": "Une procédure clinique réalisée sur un sujet",
+  "Liver Biopsy": "Biopsie du foie",
+  "Magnetic Resonance Imaging": "Imagerie par résonance magnétique",
+  "Positron Emission Tomography": "Tomographie par émission de positrons",
+  "Punch Biopsy": "Biopsie au punch",
+  "X-Ray Imaging": "Imagerie par rayons X",
+  "Medical Treatments": "Traitements médicaux",
+  "Treatment with an agent such as a drug": "Traitement avec un agent tel qu'un médicament",
+  "Ibuprofen": "Ibuprofène",
+  "Acetaminophen": "Acétaminophène",
+  "Genomic Interpretations": "Interprétations génomiques",
+  "Interpretation for an individual variant or gene (CANDIDATE, CONTRIBUTORY, etc)": "Interprétation pour un variant individuel ou un gène (CANDIDAT, CONTRIBUTEUR, etc)",
+  "CONTRIBUTORY": "CONTRIBUTEUR",
+  "Variant Pathogenicity": "Pathogénicité du variant",
+  "ACMG Pathogenicity category for a particular variant (BENIGN, PATHOGENIC, etc)": "Catégorie de pathogénicité ACMG pour un variant particulier (BÉNIN, PATHOGÈNE, etc)",
+  "PATHOGENIC": "PATHOGÈNE",
+  "Metabolite profiling": "Profilage des métabolites",
+  "Neutralizing antibody titers": "Titres des anticorps neutralisants",
+  "Other": "Autre",
+  "Proteomic profiling": "Profilage protéomique",
+  "RNA-Seq": "Séquençage ARN",
+  "WGS": "Séquençage génomique complet",
+  "Study Types": "Types d'étude",
+  "Study type of the experiment (e.g. Genomics, Transcriptomics, etc.)": "Type d'étude de l'expérience (par exemple, Génomique, Transcriptomique, etc.)",
+  "Genomics": "Génomique",
+  "Metabolomics": "Métabolomique",
+  "Proteomics": "Protéomique",
+  "Serology": "Sérologie",
+  "Transcriptomics": "Transcriptomique",
+  "Results File Types": "Types de fichiers de résultats",
+  "File type of experiment results files": "Type de fichier des résultats d'expériences"
+}
diff --git a/lib/aggregation/docker-compose.aggregation.yaml b/lib/aggregation/docker-compose.aggregation.yaml
index 3b673e88..b7db9c37 100644
--- a/lib/aggregation/docker-compose.aggregation.yaml
+++ b/lib/aggregation/docker-compose.aggregation.yaml
@@ -8,8 +8,8 @@ services:
       - BENTO_DEBUG=False
       - USE_GOHAN=true
       - CORS_ORIGINS=${BENTO_CORS_ORIGINS}
-      - KATSU_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/metadata/
-      - SERVICE_REGISTRY_URL=${BENTOV2_PUBLIC_URL}/api/service-registry/
+      - KATSU_URL=${BENTO_KATSU_URL}/
+      - SERVICE_REGISTRY_URL=${BENTO_SERVICE_REGISTRY_URL}/
       - BENTO_AUTHZ_SERVICE_URL
     networks: 
       - aggregation-net
@@ -20,8 +20,10 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_AGGREGATION_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   aggregation-net:
diff --git a/lib/auth/docker-compose.auth.yaml b/lib/auth/docker-compose.auth.yaml
index 53f70822..766d6ab9 100644
--- a/lib/auth/docker-compose.auth.yaml
+++ b/lib/auth/docker-compose.auth.yaml
@@ -35,8 +35,12 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "curl", "https://localhost:8443", "-k" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      # interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      # For Docker <25 and Compose <2.24.x, start_interval doesn't work - use a shorter interval for now
+      interval: 45s
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     profiles:
       - auth
 
@@ -53,8 +57,12 @@ services:
       - ${BENTOV2_AUTH_VOL_DIR}:/var/lib/postgresql/data
     healthcheck:
       test: [ "CMD", "pg_isready", "-q", "-d", "${BENTO_AUTH_DB}", "-U", "${BENTO_AUTH_DB_USER}" ]
-      timeout: 5s
-      interval: 15s  # Faster interval for auth-db, which auth requires to be healthy
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      # interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      # For Docker <25 and Compose <2.24.x, start_interval doesn't work - use a shorter interval for now
+      interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     profiles:
       - auth
 
diff --git a/lib/authz/docker-compose.authz.yaml b/lib/authz/docker-compose.authz.yaml
index 8f4df22d..9196bdbb 100644
--- a/lib/authz/docker-compose.authz.yaml
+++ b/lib/authz/docker-compose.authz.yaml
@@ -19,6 +19,12 @@ services:
     networks:
       - authz-net
       - authz-db-net
+    healthcheck:
+      test: [ "CMD", "curl", "http://localhost:${BENTO_AUTHZ_INTERNAL_PORT}/service-info" ]
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
   authz-db:
     image: postgres:${BENTO_AUTHZ_DB_VERSION}
@@ -34,8 +40,12 @@ services:
       - ${BENTO_AUTHZ_DB_VOL_DIR}:/var/lib/postgresql/data
     healthcheck:
       test: [ "CMD", "pg_isready", "-q", "-d", "${BENTO_AUTHZ_DB}", "-U", "${BENTO_AUTHZ_DB_USER}" ]
-      timeout: 5s
-      interval: 15s  # Faster interval for authz-db, which authz requires to be healthy
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      # interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      # For Docker <25 and Compose <2.24.x, start_interval doesn't work - use a shorter interval for now
+      interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   authz-net:
diff --git a/lib/beacon/docker-compose.beacon.yaml b/lib/beacon/docker-compose.beacon.yaml
index 3a512284..9890d291 100644
--- a/lib/beacon/docker-compose.beacon.yaml
+++ b/lib/beacon/docker-compose.beacon.yaml
@@ -5,9 +5,9 @@ services:
     container_name: ${BENTO_BEACON_CONTAINER_NAME}
     environment:
       - BENTO_UID
-      - GOHAN_BASE_URL=${BENTO_BEACON_GOHAN_BASE_URL}
+      - GOHAN_BASE_URL=${BENTO_GOHAN_URL}
       - KATSU_TIMEOUT=${BENTO_BEACON_KATSU_TIMEOUT}
-      - KATSU_BASE_URL=http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}
+      - KATSU_BASE_URL=${BENTO_KATSU_URL}
       - GOHAN_TIMEOUT=${BENTO_BEACON_GOHAN_TIMEOUT}
       - BENTO_BEACON_INTERNAL_PORT
       - INTERNAL_PORT=${BENTO_BEACON_INTERNAL_PORT}
@@ -15,22 +15,28 @@ services:
       - BENTO_BEACON_DEBUGGER_INTERNAL_PORT
       - BENTO_BEACON_DEBUGGER_EXTERNAL_PORT
       - CONFIG_ABSOLUTE_PATH=/config/
-      - OIDC_ISSUER=${BENTO_BEACON_OIDC_ISSUER}
-      - CLIENT_ID=${BENTOV2_AUTH_CLIENT_ID}
       - BEACON_BASE_URL=${BENTOV2_PUBLIC_URL}/api/beacon
       - BENTO_BEACON_VERSION=${BENTO_BEACON_VERSION}
       - BENTO_PUBLIC_CLIENT_NAME
       - BENTOV2_DOMAIN
       - BENTOV2_PUBLIC_URL
       - BENTO_BEACON_UI_ENABLED
+      - BENTO_BEACON_NETWORK_ENABLED
+      - DRS_URL=${BENTO_DRS_URL}
+      # Authorization
       - BENTO_AUTHZ_SERVICE_URL
-      - DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs
+      - BENTO_OPENID_CONFIG_URL
+      - BEACON_CLIENT_ID=${BENTO_AGGREGATION_CLIENT_ID}
+      - BEACON_CLIENT_SECRET=${BENTO_AGGREGATION_CLIENT_SECRET}
     volumes:
       - ${BENTO_BEACON_CONFIG_DIR}:/config:ro
     networks: 
       - beacon-net
       - gohan-api-net
       - katsu-net
+    depends_on:
+      auth:
+        condition: service_healthy
     expose:
       - ${BENTO_BEACON_INTERNAL_PORT}
     mem_limit: ${BENTO_BEACON_MEM_LIM} # for mem_limit to work, make sure docker-compose is v2.4
@@ -38,8 +44,10 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTO_BEACON_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     profiles:
       - beacon
 
diff --git a/lib/drop-box/docker-compose.drop-box.yaml b/lib/drop-box/docker-compose.drop-box.yaml
index cd475c82..af1abaa7 100644
--- a/lib/drop-box/docker-compose.drop-box.yaml
+++ b/lib/drop-box/docker-compose.drop-box.yaml
@@ -21,8 +21,10 @@ services:
     cpu_shares: 1024
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_DROP_BOX_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   drop-box-net:
diff --git a/lib/drs/docker-compose.drs.yaml b/lib/drs/docker-compose.drs.yaml
index 09c56b9d..85725da3 100644
--- a/lib/drs/docker-compose.drs.yaml
+++ b/lib/drs/docker-compose.drs.yaml
@@ -8,7 +8,7 @@ services:
       - BENTO_DRS_CONTAINER_DATA_VOLUME_DIR  # Special container-only variable to specify where the volume is mounted
       - DATABASE=${BENTO_DRS_CONTAINER_DATA_VOLUME_DIR}/db/  # slightly confused naming, folder for database to go in
       - DATA=${BENTO_DRS_CONTAINER_DATA_VOLUME_DIR}/obj/  # DRS file objects, vs. the database
-      - SERVICE_BASE_URL=${BENTOV2_PUBLIC_URL}/api/drs
+      - SERVICE_BASE_URL=${BENTO_DRS_URL}
       - INTERNAL_PORT=${BENTOV2_DRS_INTERNAL_PORT}
       - DRS_INGEST_TMP_DIR=${BENTO_DRS_CONTAINER_TMP_VOLUME_DIR}  # Volume for writing possibly large temporary files to
       - CORS_ORIGINS=${BENTO_CORS_ORIGINS}
@@ -27,8 +27,10 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_DRS_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   drs-net:
diff --git a/lib/event-relay/docker-compose.event-relay.yaml b/lib/event-relay/docker-compose.event-relay.yaml
index f78f59c9..3319d530 100644
--- a/lib/event-relay/docker-compose.event-relay.yaml
+++ b/lib/event-relay/docker-compose.event-relay.yaml
@@ -54,8 +54,10 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_EVENT_RELAY_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   event-relay-net:
diff --git a/lib/gateway/docker-compose.gateway.yaml b/lib/gateway/docker-compose.gateway.yaml
index 83b9385e..c0a9ef65 100644
--- a/lib/gateway/docker-compose.gateway.yaml
+++ b/lib/gateway/docker-compose.gateway.yaml
@@ -22,6 +22,7 @@ services:
       - BENTO_BEACON_ENABLED
       - BENTO_CBIOPORTAL_ENABLED
       - BENTO_GOHAN_ENABLED
+      - BENTO_MONITORING_ENABLED
 
       - BENTOV2_GATEWAY_CONTAINER_NAME
 
@@ -76,6 +77,7 @@ services:
       - BENTO_BEACON_INTERNAL_PORT
       - BENTO_CBIOPORTAL_CONTAINER_NAME
       - BENTO_CBIOPORTAL_INTERNAL_PORT
+      - BENTO_GRAFANA_CONTAINER_NAME
     networks:
       - aggregation-net
       - auth-net
@@ -87,6 +89,7 @@ services:
       - event-relay-net
       - gohan-api-net
       - katsu-net
+      - monitoring-net
       - notification-net
       - public-net
       - reference-net
@@ -114,8 +117,10 @@ services:
         "--resolve", "${BENTOV2_PORTAL_DOMAIN}:443:127.0.0.1",
         "https://${BENTOV2_PORTAL_DOMAIN}"
       ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 
 # Lots of networks! Here, we have more or less one network per service, plus a few ones for databases
@@ -166,6 +171,9 @@ networks:
   katsu-net:
     external: true
     name: ${BENTO_KATSU_NETWORK}
+  monitoring-net:
+    external: true
+    name: ${BENTO_MONITORING_NETWORK}
   notification-net:
     external: true
     name: ${BENTO_NOTIFICATION_NETWORK}
diff --git a/lib/gateway/services/grafana.conf.tpl b/lib/gateway/services/grafana.conf.tpl
new file mode 100644
index 00000000..214968a3
--- /dev/null
+++ b/lib/gateway/services/grafana.conf.tpl
@@ -0,0 +1,13 @@
+# env: BENTO_MONITORING_ENABLED
+location /api/grafana { return 302 https://${BENTOV2_PORTAL_DOMAIN}/api/grafana/; }
+location /api/grafana/ {
+    # Reverse proxy settings
+    include /gateway/conf/proxy.conf;
+    include /gateway/conf/proxy_extra.conf;
+    
+    # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal)
+    set $upstream_grafana http://${BENTO_GRAFANA_CONTAINER_NAME}:3000;
+    
+    proxy_pass $upstream_grafana;
+    error_log /var/log/bentov2_grafana_errors.log;
+}
diff --git a/lib/gateway/services/katsu.conf.tpl b/lib/gateway/services/katsu.conf.tpl
index 81e47553..6e265483 100644
--- a/lib/gateway/services/katsu.conf.tpl
+++ b/lib/gateway/services/katsu.conf.tpl
@@ -11,9 +11,6 @@ location /api/metadata/ {
     return 400;
     proxy_pass http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}$uri;
 
-    # CORS
-    include /usr/local/openresty/nginx/conf/cors.conf;
-
     # Errors
     error_log /var/log/bentov2_metadata_errors.log;
 }
diff --git a/lib/gohan/docker-compose.gohan.yaml b/lib/gohan/docker-compose.gohan.yaml
index 4dd36062..06a0827c 100644
--- a/lib/gohan/docker-compose.gohan.yaml
+++ b/lib/gohan/docker-compose.gohan.yaml
@@ -46,8 +46,10 @@ services:
       - ${BENTOV2_GOHAN_API_INTERNAL_PORT}
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_GOHAN_API_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     depends_on:
       - gohan-elasticsearch
     profiles:
@@ -73,8 +75,10 @@ services:
       - ${BENTO_GOHAN_ES_JVM_OPTIONS_DIR}:/usr/share/elasticsearch/config/jvm.options.d
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_GOHAN_ES_INTERNAL_PORT_1}" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     profiles:
       - gohan
 
diff --git a/lib/katsu/docker-compose.katsu.yaml b/lib/katsu/docker-compose.katsu.yaml
index e8da7e3f..f2c0b176 100644
--- a/lib/katsu/docker-compose.katsu.yaml
+++ b/lib/katsu/docker-compose.katsu.yaml
@@ -25,10 +25,15 @@ services:
       - DRS_URL=http://${BENTOV2_DRS_CONTAINER_NAME}:${BENTOV2_DRS_INTERNAL_PORT}
       - SERVICE_TEMP=/app/tmp
       - SERVICE_SECRET_KEY=${BENTOV2_KATSU_APP_SECRET}
+      - SERVICE_URL_BASE_PATH=${BENTOV2_PUBLIC_URL}/api/metadata
       - DJANGO_SETTINGS_MODULE=chord_metadata_service.metadata.settings
       - BENTOV2_PORTAL_DOMAIN
-        # Allow access by container name or localhost for healthchecks:
-      - KATSU_ALLOWED_HOSTS=${BENTOV2_KATSU_CONTAINER_NAME},localhost
+        # Allow access by public, container name, or localhost for healthchecks:
+      - KATSU_ALLOWED_HOSTS=${BENTOV2_DOMAIN},${BENTOV2_KATSU_CONTAINER_NAME},localhost
+        # Authz
+      - BENTO_AUTHZ_ENABLED=True
+      - BENTO_AUTHZ_SERVICE_URL
+      - CORS_ORIGINS=${BENTO_CORS_ORIGINS}
     # configs:
     #   - source: chord-metadata-settings
     #     target: /katsu/metadata/settings.py
@@ -50,8 +55,10 @@ services:
     cpu_shares: 1024
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_KATSU_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 
   katsu-db:
@@ -77,8 +84,12 @@ services:
     cpu_shares: 1024
     healthcheck:
       test: [ "CMD", "pg_isready", "-q", "-d", "${BENTOV2_KATSU_DB}", "-U", "${BENTOV2_KATSU_DB_USER}" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: 15s  # Faster interval for services which others may require to be healthy
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      # interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      # For Docker <25 and Compose <2.24.x, start_interval doesn't work - use a shorter interval for now
+      interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   drs-net:
diff --git a/lib/logs/docker-compose.logs.yaml b/lib/logs/docker-compose.logs.yaml
new file mode 100644
index 00000000..8ea24e3b
--- /dev/null
+++ b/lib/logs/docker-compose.logs.yaml
@@ -0,0 +1,102 @@
+services: 
+  grafana:
+    image: ${BENTO_GRAFANA_IMAGE}:${BENTO_GRAFANA_IMAGE_VERSION}
+    container_name: ${BENTO_GRAFANA_CONTAINER_NAME}
+    environment:
+      - GF_PATHS_PROVISIONING=/etc/grafana/provisioning
+      - GF_SERVER_ROOT_URL=${BENTO_PRIVATE_GRAFANA_URL}
+      - GF_SERVER_SERVE_FROM_SUB_PATH=true
+      - GF_SECURITY_COOKIE_SAMESITE=none
+      - GF_SECURITY_COOKIE_SECURE=true
+      - GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION=true
+      # --- Only allow logins through OAUTH
+      - GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=true
+      - GF_AUTH_GENERIC_OAUTH_ENABLED=true
+      - GF_AUTH_DISABLE_LOGIN=true
+      # ---
+      - GF_AUTH_GENERIC_OAUTH_NAME=Keycloak-OAuth
+      - GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${BENTO_GRAFANA_CLIENT_ID}
+      - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${BENTO_GRAFANA_CLIENT_SECRET}
+      - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile offline_access roles
+      - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
+      - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=preferred_username
+      - GF_AUTH_GENERIC_OAUTH_USE_PKCE=true
+      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/auth
+      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/token
+      - GF_AUTH_GENERIC_OAUTH_API_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/userinfo
+      # Role mapping based on Grafana client role membership
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=${BENTO_GRAFANA_ROLE_ATTRIBUTE_PATH}
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT=true
+      # Allows authentication for users that don't have an email
+      - GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email || preferred_username || sub
+      - GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL=${BENTO_GRAFANA_SIGNOUT_REDIRECT_URL}
+      - GF_AUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true
+      - GF_LOG_LEVEL=info
+    entrypoint:
+      - sh
+      - -euc
+      - |
+        mkdir -p /etc/grafana/provisioning/datasources
+        cat <<EOF > /etc/grafana/provisioning/datasources/ds.yaml
+        apiVersion: 1
+        datasources:
+        - name: Loki
+          type: loki
+          access: proxy
+          orgId: 1
+          url: http://loki:3100
+          basicAuth: false
+          isDefault: true
+          version: 1
+          editable: true
+        EOF
+        /run.sh
+    user:
+      ${BENTO_UID}
+    volumes:
+      - ${BENTO_GRAFANA_LIB_DIR}:/var/lib/grafana
+    expose:
+      - 3000
+    healthcheck:
+      test: [ "CMD", "curl", "http://localhost:3000"]
+      timeout: 5s
+      interval: 15s
+    profiles:
+      - monitoring
+    networks:
+      - monitoring-net
+
+  loki:
+    container_name: ${BENTO_LOKI_CONTAINER_NAME}
+    image: ${BENTO_LOKI_IMAGE}:${BENTO_LOKI_IMAGE_VERSION}
+    volumes:
+      - ${BENTO_LOKI_TEMP_DIR}:/tmp/loki
+      - ${PWD}/lib/logs/loki-config.yaml:/etc/loki/loki-config.yaml
+    expose:
+      - 3100
+    command: -config.file=/etc/loki/loki-config.yaml
+    user:
+      ${BENTO_UID}
+    networks:
+      - monitoring-net
+    profiles:
+      - monitoring
+
+  promtail:
+    container_name: ${BENTO_PROMTAIL_CONTAINER_NAME}
+    image: ${BENTO_PROMTAIL_IMAGE}:${BENTO_PROMTAIL_IMAGE_VERSION}
+    volumes:
+      - "/var/lib/docker/containers:/var/lib/docker/containers"
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "${PWD}/lib/logs/promtail-config.yaml:/etc/promtail/config.yaml"
+    command: "-config.file=/etc/promtail/config.yaml"  
+    networks:
+      - monitoring-net
+    profiles:
+      - monitoring
+
+networks:
+   monitoring-net:
+    external: true
+    name: ${BENTO_MONITORING_NETWORK}
diff --git a/lib/logs/loki-config.yaml b/lib/logs/loki-config.yaml
new file mode 100644
index 00000000..8e47a677
--- /dev/null
+++ b/lib/logs/loki-config.yaml
@@ -0,0 +1,33 @@
+
+# This is a complete configuration to deploy Loki backed by the filesystem.
+# The index will be shipped to the storage via tsdb-shipper.
+
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+
+common:
+  ring:
+    instance_addr: 127.0.0.1
+    kvstore:
+      store: inmemory
+  replication_factor: 1
+  path_prefix: /tmp/loki
+
+schema_config:
+  configs:
+  - from: 2020-05-15
+    store: tsdb
+    object_store: filesystem
+    schema: v13
+    index:
+      prefix: index_
+      period: 24h
+
+storage_config:
+  filesystem:
+    directory: /tmp/loki/chunks
+
+limits_config:
+  reject_old_samples: false
diff --git a/lib/logs/promtail-config.yaml b/lib/logs/promtail-config.yaml
new file mode 100644
index 00000000..fe6d644c
--- /dev/null
+++ b/lib/logs/promtail-config.yaml
@@ -0,0 +1,24 @@
+server:
+    http_listen_port: 9080
+    grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+  - job_name: docker
+    pipeline_stages:
+      - static_labels:
+          job: docker
+          host: docker
+          agent: promtail
+    docker_sd_configs:
+      - host: unix:///var/run/docker.sock
+        refresh_interval: 5s
+    relabel_configs:
+      - source_labels: ['__meta_docker_container_name']
+        regex: '/(.*)'
+        target_label: 'container'
diff --git a/lib/notification/docker-compose.notification.yaml b/lib/notification/docker-compose.notification.yaml
index 9198f7a5..d6b343b8 100644
--- a/lib/notification/docker-compose.notification.yaml
+++ b/lib/notification/docker-compose.notification.yaml
@@ -24,8 +24,10 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_NOTIFICATION_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   notification-net:
diff --git a/lib/public/docker-compose.public.yaml b/lib/public/docker-compose.public.yaml
index 25ec8f7a..489b86d5 100644
--- a/lib/public/docker-compose.public.yaml
+++ b/lib/public/docker-compose.public.yaml
@@ -11,31 +11,31 @@ services:
       - BENTO_UID
       - BENTO_PUBLIC_SERVICE_ID
       - BENTO_PUBLIC_CLIENT_NAME
-      - BENTO_PUBLIC_KATSU_URL
-      - BENTO_PUBLIC_WES_URL
-      - BENTO_PUBLIC_GOHAN_URL
       - BENTO_PUBLIC_PORTAL_URL
       - BENTO_PUBLIC_TRANSLATED
       - BENTO_BEACON_UI_ENABLED
+      - BENTO_BEACON_NETWORK_ENABLED
       - BEACON_URL=${BENTOV2_PUBLIC_URL}/api/beacon
-      - INTERNAL_PORT=${BENTO_PUBLIC_INTERNAL_PORT}
       - BENTO_PUBLIC_URL=${BENTOV2_PUBLIC_URL}
+      - BENTO_PUBLIC_PORT=${BENTO_PUBLIC_INTERNAL_PORT}
       - OPENID_CONFIG_URL=${BENTOV2_AUTH_PUBLIC_URL}${BENTOV2_AUTH_WELLKNOWN_PATH}
       - CLIENT_ID=${BENTOV2_AUTH_CLIENT_ID}
     expose:
       - "${BENTO_PUBLIC_INTERNAL_PORT}"
     volumes:
-      - ${PWD}/lib/public/translations/en.json:/bento-public/www/public/locales/en/translation_en.json:ro
-      - ${PWD}/lib/public/translations/fr.json:/bento-public/www/public/locales/fr/translation_fr.json:ro
+      - ${PWD}/lib/public/translations/en.json:/bento-public/dist/public/locales/en/translation_en.json:ro
+      - ${PWD}/lib/public/translations/fr.json:/bento-public/dist/public/locales/fr/translation_fr.json:ro
 
-      - ${PWD}/lib/public/en_about.html:/bento-public/www/public/en_about.html:ro
-      - ${PWD}/lib/public/fr_about.html:/bento-public/www/public/fr_about.html:ro
+      - ${PWD}/lib/public/en_about.html:/bento-public/dist/public/en_about.html:ro
+      - ${PWD}/lib/public/fr_about.html:/bento-public/dist/public/fr_about.html:ro
 
-      - ${PWD}/lib/public/branding.png:/bento-public/www/public/assets/branding.png:ro
+      - ${PWD}/lib/public/branding.png:/bento-public/dist/public/assets/branding.png:ro
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTO_PUBLIC_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     profiles:
       - public
 
diff --git a/lib/redis/docker-compose.redis.yaml b/lib/redis/docker-compose.redis.yaml
index de903b92..a3fade15 100644
--- a/lib/redis/docker-compose.redis.yaml
+++ b/lib/redis/docker-compose.redis.yaml
@@ -13,8 +13,10 @@ services:
     cpu_shares: 512
     healthcheck:
       test: [ "CMD", "redis-cli", "ping" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: 15s  # Faster interval for services which others may require to be healthy
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   redis-net:
diff --git a/lib/reference/docker-compose.reference.yaml b/lib/reference/docker-compose.reference.yaml
index 3242d78f..163af4e6 100644
--- a/lib/reference/docker-compose.reference.yaml
+++ b/lib/reference/docker-compose.reference.yaml
@@ -7,6 +7,9 @@ services:
       - reference-db-net
     expose:
       - ${BENTO_REFERENCE_INTERNAL_PORT}
+    depends_on:
+      reference-db:
+        condition: service_healthy
     environment:
       - BENTO_UID
       - BENTO_DEBUG=False
@@ -19,9 +22,11 @@ services:
     volumes:
       - ${BENTO_REFERENCE_TMP_VOL_DIR}:/reference/tmp
     healthcheck:
-      test: [ "CMD", "wget", "-q0-", "http://localhost:${BENTO_REFERENCE_INTERNAL_PORT}/service-info", "&&", "echo" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      test: [ "CMD", "curl", "http://localhost:${BENTO_REFERENCE_INTERNAL_PORT}/service-info" ]
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
   reference-db:
     image: ${BENTO_REFERENCE_DB_IMAGE}:${BENTO_REFERENCE_DB_VERSION}
@@ -40,6 +45,14 @@ services:
       - POSTGRES_DB=${BENTO_REFERENCE_DB_NAME}
     volumes:
       - ${BENTO_REFERENCE_DB_VOL_DIR}:/var/lib/postgresql/data
+    healthcheck:
+      test: [ "CMD", "pg_isready", "-q", "-d", "${BENTO_REFERENCE_DB_NAME}", "-U", "${BENTO_REFERENCE_DB_USER}" ]
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      # interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      # For Docker <25 and Compose <2.24.x, start_interval doesn't work - use a shorter interval for now
+      interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   reference-net:
diff --git a/lib/service-registry/docker-compose.service-registry.yaml b/lib/service-registry/docker-compose.service-registry.yaml
index dd6812e9..284a3326 100644
--- a/lib/service-registry/docker-compose.service-registry.yaml
+++ b/lib/service-registry/docker-compose.service-registry.yaml
@@ -41,8 +41,10 @@ services:
     cpu_shares: 256
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_SERVICE_REGISTRY_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   service-registry-net:
diff --git a/lib/web/docker-compose.web.yaml b/lib/web/docker-compose.web.yaml
index 1de72f2f..e595fdf1 100644
--- a/lib/web/docker-compose.web.yaml
+++ b/lib/web/docker-compose.web.yaml
@@ -9,6 +9,7 @@ services:
     environment:
       - BENTO_UID
       - BENTO_CBIOPORTAL_ENABLED
+      - BENTO_MONITORING_ENABLED
       - BENTO_CBIOPORTAL_PUBLIC_URL
       - BENTO_DROP_BOX_FS_BASE_PATH
       - BENTO_URL=${BENTOV2_PORTAL_PUBLIC_URL}
@@ -20,9 +21,11 @@ services:
     cpus: ${BENTOV2_WEB_CPUS}
     cpu_shares: 512
     healthcheck:
-      test: [ "CMD", "wget", "-q0-", "http://localhost:${BENTOV2_WEB_INTERNAL_PORT}/service-info", "&&", "echo" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      test: [ "CMD", "curl", "http://localhost:${BENTOV2_WEB_INTERNAL_PORT}/service-info" ]
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
 
 networks:
   web-net:
diff --git a/lib/wes/docker-compose.wes.yaml b/lib/wes/docker-compose.wes.yaml
index 8699ec57..dbcd9585 100644
--- a/lib/wes/docker-compose.wes.yaml
+++ b/lib/wes/docker-compose.wes.yaml
@@ -24,11 +24,11 @@ services:
       - WORKFLOW_HOST_ALLOW_LIST=${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT},${BENTOV2_DOMAIN},${BENTOV2_PORTAL_DOMAIN},${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}
 
       # Service URLS
-      - DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs
-      - GOHAN_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/gohan
-      - KATSU_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/metadata
+      - DRS_URL=${BENTO_DRS_URL}
+      - GOHAN_URL=${BENTO_GOHAN_URL}
+      - KATSU_URL=${BENTO_KATSU_URL}
       - BENTO_AUTHZ_SERVICE_URL
-      - SERVICE_REGISTRY_URL=${BENTOV2_PUBLIC_URL}/api/service-registry
+      - SERVICE_REGISTRY_URL=${BENTO_SERVICE_REGISTRY_URL}
 
       - INTERNAL_PORT=${BENTOV2_WES_INTERNAL_PORT}
       - WORKFLOW_TIMEOUT=${BENTOV2_WES_WORKFLOW_TIMEOUT}
@@ -49,8 +49,10 @@ services:
     cpu_shares: 1024
     healthcheck:
       test: [ "CMD", "curl", "http://localhost:${BENTOV2_WES_INTERNAL_PORT}/service-info" ]
-      timeout: ${BENTOV2_HEALTHCHECK_TIMEOUT}
-      interval: ${BENTOV2_HEALTHCHECK_INTERVAL}
+      timeout: ${BENTO_HEALTHCHECK_TIMEOUT}
+      interval: ${BENTO_HEALTHCHECK_INTERVAL}
+      start_period: ${BENTO_HEALTHCHECK_START_PERIOD}
+      start_interval: ${BENTO_HEALTHCHECK_START_INTERVAL}
     volumes:
       - ${BENTOV2_WES_VOL_DIR}:/wes/data
       - ${BENTOV2_WES_VOL_TMP_DIR}:/wes/tmp
diff --git a/py_bentoctl/auth_helper.py b/py_bentoctl/auth_helper.py
index 9d9b2437..b8667e7f 100644
--- a/py_bentoctl/auth_helper.py
+++ b/py_bentoctl/auth_helper.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 
 import docker
+import json
 import os
 import requests
 import subprocess
@@ -36,12 +37,21 @@
 AUTH_TEST_PASSWORD = os.getenv("BENTOV2_AUTH_TEST_PASSWORD")
 AUTH_CONTAINER_NAME = os.getenv("BENTOV2_AUTH_CONTAINER_NAME")
 
+AGGREGATION_CLIENT_ID = os.getenv("BENTO_AGGREGATION_CLIENT_ID")
+
 CBIOPORTAL_CLIENT_ID = os.getenv("BENTO_CBIOPORTAL_CLIENT_ID")
 
 WES_CLIENT_ID = os.getenv("BENTO_WES_CLIENT_ID")
 WES_WORKFLOW_TIMEOUT = int(os.getenv("BENTOV2_WES_WORKFLOW_TIMEOUT"))
 
-KC_CLIENTS_ENDPOINT = f"admin/realms/{AUTH_REALM}/clients"
+GRAFANA_CLIENT_ID = os.getenv("BENTO_GRAFANA_CLIENT_ID")
+GRAFANA_PRIVATE_URL = os.getenv("BENTO_PRIVATE_GRAFANA_URL")
+GRAFANA_ROLES = ("admin", "editor", "viewer")
+
+KC_ADMIN_API_ENDPOINT = f"admin/realms/{AUTH_REALM}"
+KC_ADMIN_API_GROUP_ENDPOINT = f"{KC_ADMIN_API_ENDPOINT}/groups"
+KC_ADMIN_API_CLIENTS_ENDPOINT = f"{KC_ADMIN_API_ENDPOINT}/clients"
+KC_ADMIN_API_CLIENT_SCOPES = f"{KC_ADMIN_API_ENDPOINT}/client-scopes"
 
 
 def check_auth_admin_user():
@@ -79,12 +89,18 @@ def keycloak_req(
             **(dict(data=data) if data else {}),
             **(dict(json=json) if json else {}),
             **kwargs)
+    if method == "put":
+        return requests.put(
+            make_keycloak_url(path),
+            **(dict(data=data) if data else {}),
+            **(dict(json=json) if json else {}),
+            **kwargs)
 
     raise NotImplementedError
 
 
-def fetch_existing_client_id(token: str, client_id: str) -> Optional[str]:
-    existing_clients_res = keycloak_req(KC_CLIENTS_ENDPOINT, bearer_token=token)
+def fetch_existing_client_id(token: str, client_id: str, verbose: bool = True) -> Optional[str]:
+    existing_clients_res = keycloak_req(KC_ADMIN_API_CLIENTS_ENDPOINT, bearer_token=token)
     existing_clients = existing_clients_res.json()
 
     if not existing_clients_res.ok:
@@ -93,12 +109,118 @@ def fetch_existing_client_id(token: str, client_id: str) -> Optional[str]:
 
     for client in existing_clients:
         if client["clientId"] == client_id:
-            warn(f"    Found existing client: {client_id}; using that.")
+            if verbose:
+                warn(f"    Found existing client: {client_id}; using that.")
             return client["id"]
 
     return None
 
 
+def fetch_existing_client_role(token: str, client_id: str, role_name: str, verbose: bool = True) -> Optional[dict]:
+    client_roles_endpoint = f"{KC_ADMIN_API_CLIENTS_ENDPOINT}/{client_id}/roles"
+
+    existing_role_res = keycloak_req(f"{client_roles_endpoint}/{role_name}", bearer_token=token)
+    if not existing_role_res.ok:
+        return
+
+    if verbose:
+        warn(f"    Found existing role: {role_name}; using that.")
+    return existing_role_res.json()
+
+
+def fetch_existing_group_rep_or_exit(
+        token: str,
+        group_name: str,
+        parent_rep: dict | None = None,
+        verbose: bool = True) -> Optional[dict]:
+    endpoint = KC_ADMIN_API_GROUP_ENDPOINT
+    if parent_rep:
+        endpoint = f"{KC_ADMIN_API_GROUP_ENDPOINT}/{parent_rep['id']}/children"
+    existing_groups_res = keycloak_req(endpoint, bearer_token=token)
+
+    if not existing_groups_res.ok:
+        err(f"    Failed to fetch group id associated with name: {group_name}")
+        exit(1)
+
+    existing_groups = existing_groups_res.json()
+    for group in existing_groups:
+        if group["name"] == group_name:
+            if verbose:
+                warn(f"    Found existing group: {group['path']} ; using that.")
+            return group
+
+    return None
+
+
+def create_client_role_or_exit(token: str, client_id: str, role_name: str) -> Optional[dict]:
+    # Check if client role alread exists
+    if existing_role := fetch_existing_client_role(token, client_id, role_name):
+        return existing_role
+
+    # Create client role if needed
+    client_roles_endpoint = f"{KC_ADMIN_API_CLIENTS_ENDPOINT}/{client_id}/roles"
+    res = keycloak_req(client_roles_endpoint, bearer_token=token, method="post", json={
+        "clientRole": True,
+        "name": role_name,
+    })
+
+    if not res.ok:
+        err(f"    Failed to create {client_id} client role : {role_name}; {res.status_code}")
+        exit(1)
+
+    # role creation response returns no data, fetch the created RoleRepresentation for later use
+    created_role_rep = fetch_existing_client_role(token, client_id, role_name, verbose=False)
+    cprint(f"    Created client role: {role_name}.", "green")
+    return created_role_rep
+
+
+def create_group_or_exit(token: str, group_rep: dict, parent_group_rep: dict = None) -> Optional[dict]:
+    # try to get existing group first
+    if existing_group := fetch_existing_group_rep_or_exit(token, group_rep["name"], parent_group_rep):
+        return existing_group
+
+    # group creation endpoint
+    group_endpoint = KC_ADMIN_API_GROUP_ENDPOINT
+    if parent_group_rep:
+        # use sub-group creation endpoint if a parent group is passed
+        group_endpoint = f"{group_endpoint}/{parent_group_rep['id']}/children"
+
+    res = keycloak_req(f"{group_endpoint}", bearer_token=token, method="post", json=group_rep)
+    if not res.ok:
+        err(f"    Failed to create group: {group_rep}; {res.status_code}")
+        exit(1)
+
+    # group creation response returns no data, fetch the created GroupRepresentation for later use
+    created_group = fetch_existing_group_rep_or_exit(token, group_rep["name"], parent_group_rep, verbose=False)
+
+    cprint(f"    Created group: {created_group['path']}", "green")
+    return created_group
+
+
+def add_client_role_mapping_to_group_or_exit(token: str, group_rep: dict, client_id: str, role_rep: dict) -> None:
+    role_mappings_endpoint = f"{KC_ADMIN_API_GROUP_ENDPOINT}/{group_rep['id']}/role-mappings/clients/{client_id}"
+    existing_mappings_res = keycloak_req(role_mappings_endpoint, bearer_token=token)
+    if existing_mappings_res.ok:
+        target_role_name = role_rep["name"]
+        for role_map in existing_mappings_res.json():
+            if target_role_name == role_map["name"]:
+                warn(f"    Found existing client-level group role: {group_rep['path']}; using that.")
+                return
+
+    # create client role-mapping for given group
+    client_res = keycloak_req(
+        role_mappings_endpoint,
+        method="post",
+        bearer_token=token,
+        data=json.dumps([role_rep])   # RoleRepresentation needs to be in an array and sent as data
+    )
+    if not client_res.ok:
+        err(f"    Failed to add client-level role {role_rep['name']} to group {group_rep['path']}")
+        exit(1)
+
+    cprint(f"    Created client-level role mapping for group: {group_rep['path']}", "green")
+
+
 def create_keycloak_client_or_exit(
     token: str,
     client_id: str,
@@ -110,7 +232,7 @@ def create_keycloak_client_or_exit(
     access_token_lifespan: int,
     use_refresh_tokens: bool,
 ) -> None:
-    res = keycloak_req(KC_CLIENTS_ENDPOINT, bearer_token=token, method="post", json={
+    res = keycloak_req(KC_ADMIN_API_CLIENTS_ENDPOINT, bearer_token=token, method="post", json={
         "clientId": client_id,
         "enabled": True,
         "protocol": "openid-connect",
@@ -154,7 +276,52 @@ def create_keycloak_client_or_exit(
 
 
 def get_keycloak_client_secret(client_id: str, token: str):
-    return keycloak_req(f"{KC_CLIENTS_ENDPOINT}/{client_id}/client-secret", bearer_token=token)
+    return keycloak_req(f"{KC_ADMIN_API_CLIENTS_ENDPOINT}/{client_id}/client-secret", bearer_token=token)
+
+
+def create_client_and_secret_for_service(
+    client_id: str,
+    env_var_to_set: str,
+    private_url: str | None,
+    token: str,
+    is_service_account: bool = False,
+    to_restart: str = "the gateway",
+    token_lifespan: int = 900,    # default access token lifespan: 15 minutes
+    use_refresh_tokens: bool = False,  # by default, don't use refresh tokens! (they're less secure)
+):
+    client_kc_id: Optional[str] = fetch_existing_client_id(token, client_id)
+
+    if client_kc_id is None:
+        create_keycloak_client_or_exit(
+            token,
+            client_id,
+            standard_flow_enabled=not is_service_account,
+            service_accounts_enabled=is_service_account,
+            public_client=False,
+            redirect_uris=[
+                f"{private_url}/*"
+            ] if not is_service_account else [],  # Not used for client credentials access
+            web_origins=[private_url] if not is_service_account else [],  # "
+            access_token_lifespan=token_lifespan,
+            use_refresh_tokens=use_refresh_tokens,
+        )
+        client_kc_id = fetch_existing_client_id(token, client_id, verbose=False)
+
+    # Fetch and print secret
+
+    client_secret_res = get_keycloak_client_secret(client_kc_id, token)
+
+    client_secret_data = client_secret_res.json()
+    if not client_secret_res.ok:
+        err(f"    Failed to get client secret for {client_id}; {client_secret_res.status_code} "
+            f"{client_secret_data}")
+        exit(1)
+
+    client_secret = client_secret_data["value"]
+    cprint(
+        f"    Please set {env_var_to_set} to {client_secret} in local.env and restart {to_restart}",
+        attrs=["bold"],
+    )
 
 
 def init_auth(docker_client: docker.DockerClient):
@@ -226,74 +393,99 @@ def create_web_client_if_needed(token: str) -> None:
             use_refresh_tokens=True,
         )
 
-    # noinspection PyUnusedLocal
-    def create_cbioportal_client_if_needed(token: str) -> None:
-        cbio_client_kc_id: Optional[str] = fetch_existing_client_id(token, CBIOPORTAL_CLIENT_ID)
-
-        if cbio_client_kc_id is None:
-            # Create the cBioportal client
-            create_keycloak_client_or_exit(
-                token,
-                CBIOPORTAL_CLIENT_ID,
-                standard_flow_enabled=True,
-                service_accounts_enabled=False,
-                public_client=False,
-                redirect_uris=[f"{CBIOPORTAL_URL}{AUTH_LOGIN_REDIRECT_PATH}"],
-                web_origins=[CBIOPORTAL_URL],
-                access_token_lifespan=900,  # 15 minutes
-                use_refresh_tokens=True,
-            )
-            cbio_client_kc_id = fetch_existing_client_id(token, CBIOPORTAL_CLIENT_ID)
-
-        # Fetch and print secret
-
-        client_secret_res = get_keycloak_client_secret(cbio_client_kc_id, token)
-
-        client_secret_data = client_secret_res.json()
-        if not client_secret_res.ok:
-            err(f"    Failed to get client secret for {CBIOPORTAL_CLIENT_ID}; {client_secret_res.status_code} "
-                f"{client_secret_data}")
+    def create_grafana_client_if_needed(token: str) -> None:
+        create_client_and_secret_for_service(
+            GRAFANA_CLIENT_ID, "BENTO_GRAFANA_CLIENT_SECRET", GRAFANA_PRIVATE_URL, token, to_restart="Grafana"
+        )
+
+    def create_grafana_client_roles_if_needed(token: str, client_id: str) -> Optional[dict]:
+        role_representations = {}
+        for role_name in GRAFANA_ROLES:
+            client_role = create_client_role_or_exit(token, client_id, role_name)
+            role_representations[role_name] = client_role
+        return role_representations
+
+    def create_grafana_client_groups_if_needed(token: str, role_mappings: dict, client_id: str) -> None:
+        # create parent grafana group (no role mapping)
+        parent_group = {"name": "grafana"}
+        parent_group = create_group_or_exit(token, parent_group)
+
+        # create subgroups with client-role mappings
+        sub_groups = [{"name": g} for g in GRAFANA_ROLES]
+        for subgroup in sub_groups:
+            group_rep = create_group_or_exit(token, subgroup, parent_group_rep=parent_group)
+            role_rep = role_mappings[subgroup["name"]]
+            add_client_role_mapping_to_group_or_exit(token, group_rep, client_id, role_rep)
+
+    # Modifies the "roles" client scope mapper, so that client-level roles are included in the ID token
+    def set_include_client_roles_in_id_tokens(token: str):
+        # Retrieve the 'roles' client-scope
+        client_scopes_res = keycloak_req(KC_ADMIN_API_CLIENT_SCOPES, bearer_token=token)
+        if not client_scopes_res.ok:
+            err(f"    Failed to retrieve client scopes: {client_scopes_res.status_code}")
             exit(1)
+        client_scopes = client_scopes_res.json()
 
-        client_secret = client_secret_data["value"]
-        cprint(
-            f"    Please set BENTO_CBIOPORTAL_CLIENT_SECRET to {client_secret} in local.env and restart the "
-            f"gateway",
-            attrs=["bold"],
-        )
+        roles_client_scope = None
+        for scope in client_scopes:
+            if "roles" == scope["name"]:
+                roles_client_scope = scope
+                break
 
-    def create_wes_client_if_needed(token: str) -> None:
-        wes_client_kc_id: Optional[str] = fetch_existing_client_id(token, WES_CLIENT_ID)
-
-        if wes_client_kc_id is None:
-            # Create the Bento WES client
-            create_keycloak_client_or_exit(
-                token,
-                WES_CLIENT_ID,
-                standard_flow_enabled=False,
-                service_accounts_enabled=True,
-                public_client=False,  # Use client secret for this one
-                redirect_uris=[],  # Not used with a standard/web flow - just client credentials
-                web_origins=[],  # "
-                access_token_lifespan=WES_WORKFLOW_TIMEOUT,  # WES workflow lifespan
-                use_refresh_tokens=False,  # No refreshing these allowed!
-            )
-            wes_client_kc_id = fetch_existing_client_id(token, WES_CLIENT_ID)
-
-        # Fetch and print secret
-
-        client_secret_res = get_keycloak_client_secret(wes_client_kc_id, token)
-
-        client_secret_data = client_secret_res.json()
-        if not client_secret_res.ok:
-            err(f"    Failed to get client secret for {WES_CLIENT_ID}; {client_secret_res.status_code} "
-                f"{client_secret_data}")
+        if not roles_client_scope:
+            # 'roles' is a predefined scope, so it should always be there by default
+            err("    Failed to retrieve the 'roles' client scope.")
             exit(1)
 
-        client_secret = client_secret_data["value"]
-        cprint(
-            f"    Please set BENTO_WES_CLIENT_SECRET to {client_secret} in local.env and restart WES",
-            attrs=["bold"],
+        # Find the 'client roles' protocol mapper
+        roles_mapper = None
+        for mapper in roles_client_scope["protocolMappers"]:
+            if "client roles" == mapper["name"]:
+                roles_mapper = mapper
+
+        if not roles_mapper:
+            # 'client roles' is a predefined mapper, so it should always be there by default
+            err("    Failed to retrieve the 'client roles' protocol mapper.")
+            exit(1)
+
+        # Update mapper config's id.token.claim if needed
+        if "id.token.claim" not in roles_mapper["config"] or roles_mapper["config"]["id.token.claim"] == "false":
+            roles_mapper["config"]["id.token.claim"] = "true"
+            mapper_endpoint = f"{KC_ADMIN_API_CLIENT_SCOPES}/{roles_client_scope['id']}" +  \
+                f"/protocol-mappers/models/{roles_mapper['id']}"
+            update_mapper_res = keycloak_req(mapper_endpoint, bearer_token=token, method="put", json=roles_mapper)
+            if not update_mapper_res.ok:
+                err(f"    Failed to modify 'client roles' mapper: {update_mapper_res.status_code}")
+                exit(1)
+            cprint("    Updated 'client roles' scope mapper to include roles in the ID token.", "green")
+        elif roles_mapper["config"]["id.token.claim"] == "true":
+            warn("    The 'client roles' scope mapper already includes roles in the ID token.")
+
+    def create_aggregation_client_if_needed(token: str) -> None:
+        create_client_and_secret_for_service(
+            AGGREGATION_CLIENT_ID,
+            "BENTO_AGGREGATION_CLIENT_SECRET",
+            None,
+            token,
+            is_service_account=True,
+            to_restart="Aggregation and Beacon",
+        )
+
+    # noinspection PyUnusedLocal
+    def create_cbioportal_client_if_needed(token: str) -> None:
+        create_client_and_secret_for_service(
+            CBIOPORTAL_CLIENT_ID, "BENTO_CBIOPORTAL_CLIENT_SECRET", CBIOPORTAL_URL, token, use_refresh_tokens=True
+        )
+
+    def create_wes_client_if_needed(token: str) -> None:
+        create_client_and_secret_for_service(
+            WES_CLIENT_ID,
+            "BENTO_WES_CLIENT_SECRET",
+            None,
+            token,
+            is_service_account=True,
+            to_restart="WES",
+            token_lifespan=WES_WORKFLOW_TIMEOUT,
         )
 
     def create_test_user_if_needed(token: str) -> None:
@@ -364,6 +556,10 @@ def success():
     create_web_client_if_needed(access_token)
     success()
 
+    info(f"  Creating aggregation/Beacon client: {AGGREGATION_CLIENT_ID}")
+    create_aggregation_client_if_needed(access_token)
+    success()
+
     # TODO: if cBioPortal ever needs auth implemented, re-enable this and set up Bento Gateway to handle cBioPortal
     #  client authorization.
     #   - David L, 2024-03-25
@@ -376,6 +572,19 @@ def success():
     create_wes_client_if_needed(access_token)
     success()
 
+    if c.BENTO_FEATURE_MONITORING.enabled:
+        info(f"  Creating Grafana client: {GRAFANA_CLIENT_ID}")
+        create_grafana_client_if_needed(access_token)
+        grafana_client_id = fetch_existing_client_id(access_token, GRAFANA_CLIENT_ID, verbose=False)
+        role_mappings = create_grafana_client_roles_if_needed(access_token, grafana_client_id)
+        create_grafana_client_groups_if_needed(access_token, role_mappings, grafana_client_id)
+        set_include_client_roles_in_id_tokens(access_token)
+        cprint(
+            f"    Add users to the relevant Grafana sub-groups to give them access: {' '.join(GRAFANA_ROLES)}",
+            attrs=["bold"],
+        )
+        success()
+
     info(f"  Creating user: {AUTH_TEST_USER}")
     create_test_user_if_needed(access_token)
     success()
diff --git a/py_bentoctl/config.py b/py_bentoctl/config.py
index be1c06dc..dbf33762 100644
--- a/py_bentoctl/config.py
+++ b/py_bentoctl/config.py
@@ -103,6 +103,9 @@ def __init__(self, enabled: bool, profile: str):
     enabled=_env_get_bool("BENTO_CBIOPORTAL_ENABLED", default=False), profile="cbioportal")
 BENTO_FEATURE_GOHAN = BentoOptionalFeature(
     enabled=_env_get_bool("BENTO_GOHAN_ENABLED", default=False), profile="gohan")
+BENTO_FEATURE_MONITORING = BentoOptionalFeature(
+    enabled=_env_get_bool("BENTO_MONITORING_ENABLED", default=False), profile="monitoring")
+
 BENTO_FEATURE_PUBLIC = BentoOptionalFeature(enabled=BENTOV2_USE_BENTO_PUBLIC, profile="public")
 BENTO_FEATURE_REDIRECT = BentoOptionalFeature(enabled=bool(BENTO_DOMAIN_REDIRECT), profile="redirect")
 
diff --git a/py_bentoctl/entry.py b/py_bentoctl/entry.py
index 14c297f9..53d0cd3a 100644
--- a/py_bentoctl/entry.py
+++ b/py_bentoctl/entry.py
@@ -282,7 +282,11 @@ class InitConfig(SubCommand):
     @staticmethod
     def add_args(sp):
         sp.add_argument(
-            "service", type=str, choices=["katsu", "beacon"], help="Prepares services for deployment.")
+            "service",
+            type=str,
+            choices=["katsu", "beacon", "beacon-network"],
+            help="Prepares services for deployment."
+        )
         sp.add_argument(
             "--force", "-f", action="store_true",
             help="Overwrites any existing config.")
diff --git a/py_bentoctl/other_helpers.py b/py_bentoctl/other_helpers.py
index 40dbf6ac..0d4d87cf 100644
--- a/py_bentoctl/other_helpers.py
+++ b/py_bentoctl/other_helpers.py
@@ -222,6 +222,9 @@ def init_dirs():
         **({"auth": "BENTOV2_AUTH_VOL_DIR"} if not c.BENTOV2_USE_EXTERNAL_IDP else {}),
         #  - cBioPortal
         **({"cbioportal": "BENTO_CBIOPORTAL_STUDY_DIR"} if c.BENTO_FEATURE_CBIOPORTAL.enabled else {}),
+        #  - Monitoring: Grafana/Loki
+        **({"grafana": "BENTO_GRAFANA_LIB_DIR"} if c.BENTO_FEATURE_MONITORING else {}),
+        **({"loki": "BENTO_LOKI_TEMP_DIR"} if c.BENTO_FEATURE_MONITORING else {}),
     }
 
     # Some of these don't use the Bento user inside their containers, so ignore if need be
@@ -287,6 +290,7 @@ def init_docker(client: docker.DockerClient):
         ("BENTO_GOHAN_ES_NETWORK", dict(driver="bridge", internal=True)),  # Does not need to access the web
         ("BENTO_KATSU_NETWORK", dict(driver="bridge")),
         ("BENTO_KATSU_DB_NETWORK", dict(driver="bridge", internal=True)),  # Does not need to access the web
+        ("BENTO_MONITORING_NETWORK", dict(driver="bridge")),
         ("BENTO_NOTIFICATION_NETWORK", dict(driver="bridge")),
         ("BENTO_PUBLIC_NETWORK", dict(driver="bridge")),
         ("BENTO_REDIS_NETWORK", dict(driver="bridge", internal=True)),  # Does not need to access the web
@@ -627,12 +631,14 @@ def init_config(service: str, force: bool = False):
         _init_katsu_config(force)
     elif service == "beacon":
         _init_beacon_config(force)
+    elif service == "beacon-network":
+        _init_beacon_network_config(force)
 
 
 def _init_beacon_config(force: bool):
     root_path = pathlib.Path.cwd()
     template_dir = (root_path / "etc" / "templates" / "beacon")
-    dest_dir = (root_path / "lib" / "beacon" / "config")
+    dest_dir = pathlib.Path(os.environ["BENTO_BEACON_CONFIG_DIR"])
 
     config_template_path = (template_dir / "beacon_config.example.json")
     config_dest_path = (dest_dir / "beacon_config.json")
@@ -644,6 +650,17 @@ def _init_beacon_config(force: bool):
     _file_copy(cohort_template_path, cohort_dest_path, force)
 
 
+def _init_beacon_network_config(force: bool):
+    root_path = pathlib.Path.cwd()
+    template_dir = (root_path / "etc" / "templates" / "beacon")
+    dest_dir = pathlib.Path(os.environ["BENTO_BEACON_CONFIG_DIR"])
+
+    network_config_template_path = (template_dir / "beacon_network_config.example.json")
+    network_config_dest_path = (dest_dir / "beacon_network_config.json")
+
+    _file_copy(network_config_template_path, network_config_dest_path, force)
+
+
 def _init_katsu_config(force: bool):
     root_path = pathlib.Path.cwd()
     katsu_config_template_path = (root_path / "etc" / "katsu.config.example.json")
diff --git a/requirements.txt b/requirements.txt
index fb6abb82..7bccf668 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,20 +1,20 @@
 certifi==2024.7.4
-cffi==1.16.0
+cffi==1.17.0
 charset-normalizer==3.3.2
 cryptography==43.0.1
-debugpy==1.8.2
+debugpy==1.8.5
 docker==7.1.0
-flake8==7.1.0
+flake8==7.1.1
 idna==3.7
 mccabe==0.7.0
 packaging==24.1
-pycodestyle==2.12.0
+pycodestyle==2.12.1
 pycparser==2.22
 pyflakes==3.2.0
 pyhumps==3.8.0
-PyYAML==6.0.1
+PyYAML==6.0.2
 requests==2.32.3
 termcolor==2.4.0
-tqdm==4.66.4
+tqdm==4.66.5
 urllib3==2.2.2
 websocket-client==1.8.0