diff --git a/appservice/registration.go b/appservice/registration.go
index c0b62124..16c87fb9 100644
--- a/appservice/registration.go
+++ b/appservice/registration.go
@@ -29,6 +29,7 @@ type Registration struct {
 	SoruEphemeralEvents bool `yaml:"de.sorunome.msc2409.push_ephemeral,omitempty" json:"de.sorunome.msc2409.push_ephemeral,omitempty"`
 	EphemeralEvents     bool `yaml:"push_ephemeral,omitempty" json:"push_ephemeral,omitempty"`
 	MSC3202             bool `yaml:"org.matrix.msc3202,omitempty" json:"org.matrix.msc3202,omitempty"`
+	MSC4190             bool `yaml:"io.element.msc4190,omitempty" json:"io.element.msc4190,omitempty"`
 }
 
 // CreateRegistration creates a Registration with random appservice and homeserver tokens.
diff --git a/bridgev2/bridgeconfig/appservice.go b/bridgev2/bridgeconfig/appservice.go
index 5e482499..89ce5677 100644
--- a/bridgev2/bridgeconfig/appservice.go
+++ b/bridgev2/bridgeconfig/appservice.go
@@ -34,6 +34,7 @@ type AppserviceConfig struct {
 
 	EphemeralEvents   bool `yaml:"ephemeral_events"`
 	AsyncTransactions bool `yaml:"async_transactions"`
+	MSC4190           bool `yaml:"msc4190"`
 
 	UsernameTemplate string             `yaml:"username_template"`
 	usernameTemplate *template.Template `yaml:"-"`
@@ -77,6 +78,7 @@ func (asc *AppserviceConfig) copyToRegistration(registration *appservice.Registr
 	registration.RateLimited = &falseVal
 	registration.EphemeralEvents = asc.EphemeralEvents
 	registration.SoruEphemeralEvents = asc.EphemeralEvents
+	registration.MSC4190 = asc.MSC4190
 }
 
 // GenerateRegistration generates a registration file for the homeserver.
diff --git a/bridgev2/bridgeconfig/upgrade.go b/bridgev2/bridgeconfig/upgrade.go
index 4122f4d6..18446e13 100644
--- a/bridgev2/bridgeconfig/upgrade.go
+++ b/bridgev2/bridgeconfig/upgrade.go
@@ -78,6 +78,7 @@ func doUpgrade(helper up.Helper) {
 	helper.Copy(up.Str, "appservice", "bot", "avatar")
 	helper.Copy(up.Bool, "appservice", "ephemeral_events")
 	helper.Copy(up.Bool, "appservice", "async_transactions")
+	helper.Copy(up.Bool, "appservice", "msc4190")
 	helper.Copy(up.Str, "appservice", "as_token")
 	helper.Copy(up.Str, "appservice", "hs_token")
 	helper.Copy(up.Str, "appservice", "username_template")
diff --git a/bridgev2/matrix/crypto.go b/bridgev2/matrix/crypto.go
index 04654ff5..c395af83 100644
--- a/bridgev2/matrix/crypto.go
+++ b/bridgev2/matrix/crypto.go
@@ -241,23 +241,34 @@ func (helper *CryptoHelper) loginBot(ctx context.Context) (*mautrix.Client, bool
 	// Create a new client instance with the default AS settings (including as_token),
 	// the Login call will then override the access token in the client.
 	client := helper.bridge.AS.NewMautrixClient(helper.bridge.AS.BotMXID())
+
+	initialDeviceDisplayName := fmt.Sprintf("%s bridge", helper.bridge.Bridge.Network.GetName().DisplayName)
+	if helper.bridge.Config.AppService.MSC4190 {
+		helper.log.Debug().Msg("Creating bot device with msc4190")
+		err = client.CreateDeviceMSC4190(ctx, deviceID, initialDeviceDisplayName)
+		if err != nil {
+			return nil, deviceID != "", fmt.Errorf("failed to create device for bridge bot: %w", err)
+		}
+		helper.store.DeviceID = client.DeviceID
+		return client, deviceID != "", nil
+	}
+
 	flows, err := client.GetLoginFlows(ctx)
 	if err != nil {
 		return nil, deviceID != "", fmt.Errorf("failed to get supported login flows: %w", err)
 	} else if !flows.HasFlow(mautrix.AuthTypeAppservice) {
 		return nil, deviceID != "", fmt.Errorf("homeserver does not support appservice login")
 	}
+
 	resp, err := client.Login(ctx, &mautrix.ReqLogin{
 		Type: mautrix.AuthTypeAppservice,
 		Identifier: mautrix.UserIdentifier{
 			Type: mautrix.IdentifierTypeUser,
 			User: string(helper.bridge.AS.BotMXID()),
 		},
-		DeviceID:         deviceID,
-		StoreCredentials: true,
-
-		// TODO find proper bridge name
-		InitialDeviceDisplayName: "Megabridge", // fmt.Sprintf("%s bridge", helper.bridge.ProtocolName),
+		DeviceID:                 deviceID,
+		StoreCredentials:         true,
+		InitialDeviceDisplayName: initialDeviceDisplayName,
 	})
 	if err != nil {
 		return nil, deviceID != "", fmt.Errorf("failed to log in as bridge bot: %w", err)
diff --git a/bridgev2/matrix/mxmain/example-config.yaml b/bridgev2/matrix/mxmain/example-config.yaml
index 8b9682ba..44d4c3ba 100644
--- a/bridgev2/matrix/mxmain/example-config.yaml
+++ b/bridgev2/matrix/mxmain/example-config.yaml
@@ -186,6 +186,10 @@ appservice:
     # However, messages will not be guaranteed to be bridged in the same order they were sent in.
     # This value doesn't affect the registration file.
     async_transactions: false
+    # Wether to use MSC4190 to create DeviceIDs for ghost users.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Required when using encryption on the bridge and OIDC Auth (MSC3861) on the homeserver.
+    msc4190: false
 
     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
     as_token: "This value is generated when generating the registration"
diff --git a/client.go b/client.go
index b237612b..5e232cf5 100644
--- a/client.go
+++ b/client.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/rs/zerolog"
 	"go.mau.fi/util/ptr"
+	"go.mau.fi/util/random"
 	"go.mau.fi/util/retryafter"
 	"golang.org/x/exp/maps"
 
@@ -897,6 +898,28 @@ func (cli *Client) Login(ctx context.Context, req *ReqLogin) (resp *RespLogin, e
 	return
 }
 
+// Create a Device for a user of the homeserver using appservice interface defined in MSC4190
+func (cli *Client) CreateDeviceMSC4190(ctx context.Context, deviceID id.DeviceID, initialDispalyName string) (err error) {
+	if len(deviceID) == 0 {
+		deviceID = id.DeviceID(random.String(10))
+	}
+	if !cli.SetAppServiceUserID {
+		return fmt.Errorf("CreateDeviceMSC4190 requires SetAppServiceUserID to be enabled")
+	}
+	if cli.AccessToken == "" {
+		return fmt.Errorf("CreateDeviceMSC4190 requires The AS AccessToken token to be set as the client AccessToken")
+	}
+	_, err = cli.MakeRequest(ctx, http.MethodPut, cli.BuildClientURL("v3", "devices", deviceID), ReqPutDevice{
+		DisplayName: initialDispalyName,
+	}, nil)
+	if err != nil {
+		return err
+	}
+	cli.DeviceID = deviceID
+	cli.SetAppServiceDeviceID = true
+	return nil
+}
+
 // Logout the current user. See https://spec.matrix.org/v1.2/client-server-api/#post_matrixclientv3logout
 // This does not clear the credentials from the client instance. See ClearCredentials() instead.
 func (cli *Client) Logout(ctx context.Context) (resp *RespLogout, err error) {
diff --git a/requests.go b/requests.go
index a6b0ea8b..78e8a36b 100644
--- a/requests.go
+++ b/requests.go
@@ -90,6 +90,9 @@ type ReqLogin struct {
 	// Whether or not the returned .well-known data should update the homeserver URL in the Client
 	StoreHomeserverURL bool `json:"-"`
 }
+type ReqPutDevice struct {
+	DisplayName string `json:"display_name,omitempty"`
+}
 
 type ReqUIAuthFallback struct {
 	Session string `json:"session"`