diff --git a/Dockerfile b/Dockerfile
index b7d00c864..f6aac80b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,7 @@ RUN mvn -Pstandalone clean install
 
 # ==============================
 
-FROM atomgraph/letsencrypt-tomcat:10.1.34
+FROM atomgraph/letsencrypt-tomcat:10.1.46
 
 LABEL maintainer="martynas@atomgraph.com"
 
@@ -72,14 +72,12 @@ ENV OWNER_CERT_ALIAS=root-owner
 ENV OWNER_KEYSTORE=/var/linkeddatahub/ssl/owner/keystore.p12
 ENV OWNER_CERT=/var/linkeddatahub/ssl/owner/cert.pem
 ENV OWNER_PUBLIC_KEY=/var/linkeddatahub/ssl/owner/public.pem
-ENV OWNER_PRIVATE_KEY=/var/linkeddatahub/ssl/owner/private.key
 
 ENV SECRETARY_COMMON_NAME=LinkedDataHub
 ENV SECRETARY_CERT_ALIAS=root-secretary
 ENV SECRETARY_KEYSTORE=/var/linkeddatahub/ssl/secretary/keystore.p12
 ENV SECRETARY_CERT=/var/linkeddatahub/ssl/secretary/cert.pem
 ENV SECRETARY_PUBLIC_KEY=/var/linkeddatahub/ssl/secretary/public.pem
-ENV SECRETARY_PRIVATE_KEY=/var/linkeddatahub/ssl/secretary/private.key
 
 ENV CLIENT_KEYSTORE_MOUNT=/var/linkeddatahub/ssl/secretary/keystore.p12
 ENV CLIENT_KEYSTORE="$CATALINA_HOME/webapps/ROOT/WEB-INF/keystore.p12"
@@ -147,12 +145,16 @@ COPY platform/import-letsencrypt-stg-roots.sh import-letsencrypt-stg-roots.sh
 
 COPY platform/select-root-services.rq select-root-services.rq
 
-# copy the metadata of the built-in secretary agent
+# copy the metadata of built-in agents
 
 COPY platform/root-secretary.trig.template root-secretary.trig.template
 
 COPY platform/root-owner.trig.template root-owner.trig.template
 
+# copy the metadata of the namespace ontology
+
+COPY platform/namespace-ontology.trig.template namespace-ontology.trig.template
+
 # copy default datasets
 
 COPY platform/datasets/admin.trig /var/linkeddatahub/datasets/admin.trig
@@ -197,7 +199,7 @@ RUN useradd --no-log-init -U ldh && \
 RUN ./import-letsencrypt-stg-roots.sh
 
 HEALTHCHECK --start-period=80s --retries=5 \
-    CMD curl -f -I "http://localhost:${HTTP_PORT}/ns" -H "Accept: application/n-triples" || exit 1 # relies on public access to the namespace document
+    CMD curl -f -I "http://localhost:7070/ns" -H "Accept: application/n-triples" || exit 1 # relies on public access to the namespace document
 
 USER ldh
 
diff --git a/bin/admin/acl/make-public.sh b/bin/admin/acl/make-public.sh
index 95b1ee1ec..4cc906c01 100755
--- a/bin/admin/acl/make-public.sh
+++ b/bin/admin/acl/make-public.sh
@@ -58,7 +58,13 @@ if [ -z "$base" ] ; then
     exit 1
 fi
 
-target="${base}admin/acl/authorizations/public/"
+admin_uri() {
+    local uri="$1"
+    echo "$uri" | sed 's|://|://admin.|'
+}
+
+admin_base=$(admin_uri "$base")
+target="${admin_base}acl/authorizations/public/"
 
 if [ -n "$proxy" ]; then
     # rewrite target hostname to proxy hostname
@@ -73,7 +79,7 @@ curl -X PATCH \
     -H "Content-Type: application/sparql-update" \
     "$target" \
      --data-binary @- <<EOF
-BASE <${base}admin/>
+BASE <${admin_base}>
 
 PREFIX  acl: <http://www.w3.org/ns/auth/acl#>
 PREFIX  def: <https://w3id.org/atomgraph/linkeddatahub/default#>
@@ -84,10 +90,10 @@ PREFIX  foaf: <http://xmlns.com/foaf/0.1/>
 INSERT
 {
   <acl/authorizations/public/#this> acl:accessToClass def:Root, dh:Container, dh:Item, nfo:FileDataObject ;
-      acl:accessTo <../sparql> .
+      acl:accessTo <${base}sparql> .
 
   <acl/authorizations/public/#sparql-post> a acl:Authorization ;
-      acl:accessTo <../sparql> ;
+      acl:accessTo <${base}sparql> ;
       acl:mode acl:Append ;
       acl:agentClass foaf:Agent, acl:AuthenticatedAgent . # hacky way to allow queries over POST
 }
diff --git a/bin/webid-keygen-pem.sh b/bin/webid-keygen-pem.sh
index cc7d8c2ee..d5b93ac82 100755
--- a/bin/webid-keygen-pem.sh
+++ b/bin/webid-keygen-pem.sh
@@ -4,7 +4,7 @@
 
 if [ "$#" -ne 6 ]; then
   echo "Usage:   $0" '$alias $cert_file $keystore_password $key_password $webid_uri $validity' >&2
-  echo "Example: $0 martynas martynas.localhost.p12 Martynas Martynas https://localhost:4443/admin/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 365" >&2
+  echo "Example: $0 martynas martynas.localhost.p12 Martynas Martynas https://admin.localhost:4443/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 365" >&2
   exit 1
 fi
 
diff --git a/bin/webid-keygen.sh b/bin/webid-keygen.sh
index 7d7fc8594..787180f22 100755
--- a/bin/webid-keygen.sh
+++ b/bin/webid-keygen.sh
@@ -4,7 +4,7 @@
 
 if [ "$#" -ne 6 ]; then
   echo "Usage:   $0" '$alias $cert_file $keystore_password $key_password $webid_uri $validity' >&2
-  echo "Example: $0 martynas martynas.localhost.p12 Password Password https://localhost:4443/admin/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 3650" >&2
+  echo "Example: $0 martynas martynas.localhost.p12 Password Password https://admin.localhost:4443/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 3650" >&2
   exit 1
 fi
 
diff --git a/config/system.trig b/config/system.trig
index 2fdf7c99c..647f582c7 100644
--- a/config/system.trig
+++ b/config/system.trig
@@ -1,4 +1,5 @@
 @prefix lapp:	<https://w3id.org/atomgraph/linkeddatahub/apps#> .
+@prefix ldh:	<https://w3id.org/atomgraph/linkeddatahub#> .
 @prefix a:	<https://w3id.org/atomgraph/core#> .
 @prefix ac:	<https://w3id.org/atomgraph/client#> .
 @prefix rdf:	<http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@@ -16,7 +17,8 @@
 
 <urn:linkeddatahub:apps/admin> a lapp:Application, lapp:AdminApplication ;
     dct:title "LinkedDataHub admin" ;
-    ldt:base <admin/> ;
+    # ldt:base <https://admin.localhost:4443/> ;
+    ldh:origin <https://admin.localhost:4443> ;
     ldt:ontology <https://w3id.org/atomgraph/linkeddatahub/admin#> ;
     ldt:service <urn:linkeddatahub:services/admin> ;
     ac:stylesheet <static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/admin/layout.xsl> ;
@@ -35,8 +37,9 @@
 
 <urn:linkeddatahub:apps/end-user> a lapp:Application, lapp:EndUserApplication ;
     dct:title "LinkedDataHub" ;
-    ldt:base <> ;
-    ldt:ontology <ns#> ;
+    # ldt:base <https://localhost:4443/> ;
+    ldh:origin <https://localhost:4443> ;
+    ldt:ontology <https://localhost:4443/ns#> ;
     ldt:service <urn:linkeddatahub:services/end-user> ;
     lapp:adminApplication <urn:linkeddatahub:apps/admin> ;
     lapp:frontendProxy <http://varnish-frontend:6060/> ;
diff --git a/docker-compose.yml b/docker-compose.yml
index 0e6d3ce14..f4f3d8dad 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -56,6 +56,11 @@ services:
       - MAIL_SMTP_HOST=email-server
       - MAIL_SMTP_PORT=25
       - MAIL_USER=linkeddatahub@localhost
+      - REMOTE_IP_VALVE=true
+      - REMOTE_IP_VALVE_PROTOCOL_HEADER=X-Forwarded-Proto
+      - REMOTE_IP_VALVE_PORT_HEADER=X-Forwarded-Port
+      - REMOTE_IP_VALVE_REMOTE_IP_HEADER=X-Forwarded-For
+      - REMOTE_IP_VALVE_HOST_HEADER=X-Forwarded-Host
       - OWNER_MBOX=${OWNER_MBOX}
       #- OWNER_URI=${OWNER_URI}
       - OWNER_GIVEN_NAME=${OWNER_GIVEN_NAME}
@@ -163,7 +168,7 @@ configs:
           # server with optional client cert authentication
           server {
               listen 8443 ssl;
-              server_name ${HOST};
+              server_name *.${HOST} ${HOST};
               ssl_certificate /etc/nginx/ssl/server.crt;
               ssl_certificate_key /etc/nginx/ssl/server.key;
               ssl_session_cache shared:SSL:1m;
@@ -175,6 +180,11 @@ configs:
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
 
+                  proxy_set_header Host $$host;
+                  proxy_set_header X-Forwarded-Host $$host;
+                  proxy_set_header X-Forwarded-Proto $$scheme;
+                  proxy_set_header X-Forwarded-Port ${HTTPS_PORT};
+
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
 
@@ -185,6 +195,11 @@ configs:
                   proxy_pass http://linkeddatahub;
                   limit_req zone=static_files burst=20 nodelay;
 
+                  proxy_set_header Host $$host;
+                  proxy_set_header X-Forwarded-Host $$host;
+                  proxy_set_header X-Forwarded-Proto $$scheme;
+                  proxy_set_header X-Forwarded-Port ${HTTPS_PORT};
+
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
 
@@ -202,7 +217,7 @@ configs:
           # server with client cert authentication on
           server {
               listen 9443 ssl;
-              server_name ${HOST};
+              server_name *.${HOST} ${HOST};
               ssl_certificate /etc/nginx/ssl/server.crt;
               ssl_certificate_key /etc/nginx/ssl/server.key;
               ssl_session_cache shared:SSL:1m;  
@@ -214,6 +229,11 @@ configs:
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
 
+                  proxy_set_header Host $$host;
+                  proxy_set_header X-Forwarded-Host $$host;
+                  proxy_set_header X-Forwarded-Proto $$scheme;
+                  proxy_set_header X-Forwarded-Port ${HTTPS_PORT};
+
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
               }
@@ -226,7 +246,7 @@ configs:
 
           server {
               listen 8080;
-              server_name ${HOST};
+              server_name *.${HOST} ${HOST};
           
               location / {
                   return 301 https://$$server_name:${HTTPS_PORT}$$request_uri;
diff --git a/http-tests/access/group-authorization.sh b/http-tests/access/group-authorization.sh
index eb91aa837..69e5378c2 100755
--- a/http-tests/access/group-authorization.sh
+++ b/http-tests/access/group-authorization.sh
@@ -19,7 +19,7 @@ ntriples=$(curl -k -s -G \
   "${ADMIN_BASE_URL}access"
 )
 
-if echo "$ntriples" | grep -q '<http://www.w3.org/ns/auth/acl#agentGroup> <https://localhost:4443/admin/acl/groups/writers/#this>'; then
+if echo "$ntriples" | grep -q "<http://www.w3.org/ns/auth/acl#agentGroup> <${ADMIN_BASE_URL}acl/groups/writers/#this>"; then
   exit 1
 fi
 
@@ -50,6 +50,6 @@ ntriples=$(curl -k -s -G \
   "${ADMIN_BASE_URL}access"
 )
 
-if ! echo "$ntriples" | grep -q '<http://www.w3.org/ns/auth/acl#agentGroup> <https://localhost:4443/admin/acl/groups/writers/#this>'; then
+if ! echo "$ntriples" | grep -q "<http://www.w3.org/ns/auth/acl#agentGroup> <${ADMIN_BASE_URL}acl/groups/writers/#this>"; then
   exit 1
 fi
diff --git a/http-tests/run.sh b/http-tests/run.sh
index 6360c315d..9b071ca4c 100755
--- a/http-tests/run.sh
+++ b/http-tests/run.sh
@@ -110,7 +110,7 @@ export HTTP_TEST_ROOT="$PWD"
 export END_USER_ENDPOINT_URL="http://localhost:3031/ds/"
 export ADMIN_ENDPOINT_URL="http://localhost:3030/ds/"
 export END_USER_BASE_URL="https://localhost:4443/"
-export ADMIN_BASE_URL="https://localhost:4443/admin/"
+export ADMIN_BASE_URL="https://admin.localhost:4443/"
 export END_USER_VARNISH_SERVICE="varnish-end-user"
 export ADMIN_VARNISH_SERVICE="varnish-admin"
 export FRONTEND_VARNISH_SERVICE="varnish-frontend"
diff --git a/platform/datasets/admin.trig b/platform/datasets/admin.trig
index 720af6949..76fa774bb 100644
--- a/platform/datasets/admin.trig
+++ b/platform/datasets/admin.trig
@@ -391,7 +391,6 @@ WHERE
 
 ### ADMIN-SPECIFIC
 
-@prefix ns:	<../ns#> .
 @prefix lacl:	<https://w3id.org/atomgraph/linkeddatahub/admin/acl#> .
 @prefix adm:	<https://w3id.org/atomgraph/linkeddatahub/admin#> .
 @prefix rdfs:	<http://www.w3.org/2000/01/rdf-schema#> .
@@ -637,44 +636,6 @@ WHERE
 
 }
 
-# public namespace
-
-<acl/authorizations/public-namespace/>
-{
-
-    <acl/authorizations/public-namespace/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Public namespace access" ;
-        foaf:primaryTopic <acl/authorizations/public-namespace/#this> .
-
-    <acl/authorizations/public-namespace/#this> a acl:Authorization ;
-        rdfs:label "Public namespace access" ;
-        rdfs:comment "Allows non-authenticated access" ;
-        acl:accessTo <../ns> ; # end-user ontologies are public
-        acl:mode acl:Read, acl:Append ; # allow queries over GET as well as POST
-        acl:agentClass foaf:Agent, acl:AuthenticatedAgent .
-
-}
-
-# SPARQL endpoint
-
-<acl/authorizations/sparql-endpoint/>
-{
-
-    <acl/authorizations/sparql-endpoint/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "SPARQL endpoint access" ;
-        foaf:primaryTopic <acl/authorizations/sparql-endpoint/#this> .
-
-    <acl/authorizations/sparql-endpoint/#this> a acl:Authorization ;
-        rdfs:label "SPARQL endpoint access" ;
-        rdfs:comment "Allows only authenticated access" ;
-        acl:accessTo <../sparql> ;
-        acl:mode acl:Read, acl:Append ; # allow queries over GET as well as POST
-        acl:agentClass acl:AuthenticatedAgent .
-
-}
-
 # access endpoint
 
 <acl/authorizations/access/>
@@ -804,52 +765,12 @@ WHERE
         rdfs:label "Full control" ;
         rdfs:comment "Allows full read/write access to all application resources" ;
         acl:accessToClass dh:Item, dh:Container, def:Root ;
-        acl:accessTo <../sparql>, <../importer>, <../add>, <../generate>, <../ns>, <clear>, <transform> ;
+        acl:accessTo <clear>, <transform> ;
         acl:mode acl:Read, acl:Append, acl:Write, acl:Control ;
         acl:agentGroup <acl/groups/owners/#this> .
 
 }
 
-# write/append access
-
-<acl/authorizations/write-append/>
-{
-
-    <acl/authorizations/write-append/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Write/append access" ;
-        foaf:primaryTopic <acl/authorizations/write-append/#this> .
-
-    <acl/authorizations/write-append/#this> a acl:Authorization ;
-        rdfs:label "Write/append access" ;
-        rdfs:comment "Allows write access to all documents and containers" ;
-        acl:accessToClass dh:Item, dh:Container, def:Root ;
-        acl:accessTo <../sparql>, <../importer>, <../add>, <../generate>, <../ns> ;
-        acl:mode acl:Write, acl:Append ;
-        acl:agentGroup <acl/groups/owners/#this>, <acl/groups/writers/#this> .
-
-}
-
-# read access
-
-<acl/authorizations/read/>
-{
-
-    <acl/authorizations/read/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Read access" ;
-        foaf:primaryTopic <acl/authorizations/read/#this> .
-
-    <acl/authorizations/read/#this> a acl:Authorization ;
-        rdfs:label "Read access" ;
-        rdfs:comment "Allows read access to all resources" ;
-        acl:accessToClass dh:Item, dh:Container, def:Root, <http://www.semanticdesktop.org/ontologies/2007/03/22/nfo#FileDataObject> ;
-        acl:accessTo <../sparql> ;
-        acl:mode acl:Read ;
-        acl:agentGroup <acl/groups/owners/#this>, <acl/groups/writers/#this>, <acl/groups/readers/#this> .
-
-}
-
 # GROUPS
 
 # owners
@@ -917,24 +838,3 @@ WHERE
         rdf:value ldh:ChildrenView .
 
 }
-
-# ONTOLOGIES
-
-# namespace
-
-<ontologies/namespace/>
-{
-
-    <ontologies/namespace/> a dh:Item ;
-        sioc:has_container <ontologies/> ;
-        dct:title "Namespace" ;
-        foaf:primaryTopic ns: .
-
-    ns: a owl:Ontology ;
-        rdfs:label "Namespace" ;
-        rdfs:comment "Namespace of the application" ;
-        foaf:isPrimaryTopicOf <../ns> ;
-        owl:imports <https://w3id.org/atomgraph/linkeddatahub/default#> ;
-        owl:versionInfo "1.0-SNAPSHOT" .
-
-}
\ No newline at end of file
diff --git a/platform/entrypoint.sh b/platform/entrypoint.sh
index d6a50090d..32372d577 100755
--- a/platform/entrypoint.sh
+++ b/platform/entrypoint.sh
@@ -13,40 +13,62 @@ fi
 # change server configuration
 
 if [ -n "$HTTP" ]; then
-    HTTP_PARAM="--stringparam http $HTTP "
+    HTTP_PARAM="--stringparam Connector.http $HTTP "
 fi
 
 if [ -n "$HTTP_SCHEME" ]; then
-    HTTP_SCHEME_PARAM="--stringparam http.scheme $HTTP_SCHEME "
+    HTTP_SCHEME_PARAM="--stringparam Connector.scheme.http $HTTP_SCHEME "
 fi
 
 if [ -n "$HTTP_PORT" ]; then
-    HTTP_PORT_PARAM="--stringparam http.port $HTTP_PORT "
+    HTTP_PORT_PARAM="--stringparam Connector.port.http $HTTP_PORT "
 fi
 
 if [ -n "$HTTP_PROXY_NAME" ]; then
     lc_proxy_name=$(echo "$HTTP_PROXY_NAME" | tr '[:upper:]' '[:lower:]') # make sure it's lower-case
-    HTTP_PROXY_NAME_PARAM="--stringparam http.proxyName $lc_proxy_name "
+    HTTP_PROXY_NAME_PARAM="--stringparam Connector.proxyName.http $lc_proxy_name "
 fi
 
 if [ -n "$HTTP_PROXY_PORT" ]; then
-    HTTP_PROXY_PORT_PARAM="--stringparam http.proxyPort $HTTP_PROXY_PORT "
+    HTTP_PROXY_PORT_PARAM="--stringparam Connector.proxyPort.http $HTTP_PROXY_PORT "
 fi
 
 if [ -n "$HTTP_REDIRECT_PORT" ]; then
-    HTTP_REDIRECT_PORT_PARAM="--stringparam http.redirectPort $HTTP_REDIRECT_PORT "
+    HTTP_REDIRECT_PORT_PARAM="--stringparam Connector.redirectPort.http $HTTP_REDIRECT_PORT "
 fi
 
 if [ -n "$HTTP_CONNECTION_TIMEOUT" ]; then
-    HTTP_CONNECTION_TIMEOUT_PARAM="--stringparam http.connectionTimeout $HTTP_CONNECTION_TIMEOUT "
+    HTTP_CONNECTION_TIMEOUT_PARAM="--stringparam Connector.connectionTimeout.http $HTTP_CONNECTION_TIMEOUT "
 fi
 
 if [ -n "$HTTP_COMPRESSION" ]; then
-    HTTP_COMPRESSION_PARAM="--stringparam http.compression $HTTP_COMPRESSION "
+    HTTP_COMPRESSION_PARAM="--stringparam Connector.compression.http $HTTP_COMPRESSION "
 fi
 
 if [ -n "$HTTPS" ]; then
-    HTTPS_PARAM="--stringparam https $HTTPS "
+    HTTPS_PARAM="--stringparam Connector.https $HTTPS "
+fi
+
+# RemoteIpValve configuration takes precedence over Connector proxy settings
+
+if [ -n "$REMOTE_IP_VALVE" ]; then
+    REMOTE_IP_VALVE_PARAM="--stringparam RemoteIpValve $REMOTE_IP_VALVE "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_PROTOCOL_HEADER" ]; then
+    REMOTE_IP_VALVE_PROTOCOL_HEADER_PARAM="--stringparam RemoteIpValve.protocolHeader $REMOTE_IP_VALVE_PROTOCOL_HEADER "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_PORT_HEADER" ]; then
+    REMOTE_IP_VALVE_PORT_HEADER_PARAM="--stringparam RemoteIpValve.portHeader $REMOTE_IP_VALVE_PORT_HEADER "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_REMOTE_IP_HEADER" ]; then
+    REMOTE_IP_VALVE_REMOTE_IP_HEADER_PARAM="--stringparam RemoteIpValve.remoteIpHeader $REMOTE_IP_VALVE_REMOTE_IP_HEADER "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_HOST_HEADER" ]; then
+    REMOTE_IP_VALVE_HOST_HEADER_PARAM="--stringparam RemoteIpValve.hostHeader $REMOTE_IP_VALVE_HOST_HEADER "
 fi
 
 transform="xsltproc \
@@ -60,6 +82,11 @@ transform="xsltproc \
   $HTTP_CONNECTION_TIMEOUT_PARAM \
   $HTTP_COMPRESSION_PARAM \
   $HTTPS_PARAM \
+  $REMOTE_IP_VALVE_PARAM \
+  $REMOTE_IP_VALVE_PROTOCOL_HEADER_PARAM \
+  $REMOTE_IP_VALVE_PORT_HEADER_PARAM \
+  $REMOTE_IP_VALVE_REMOTE_IP_HEADER_PARAM \
+  $REMOTE_IP_VALVE_HOST_HEADER_PARAM \
   conf/letsencrypt-tomcat.xsl \
   conf/server.xml"
 
@@ -184,25 +211,35 @@ if [ -z "$MAIL_USER" ]; then
     exit 1
 fi
 
-# construct base URI (ignore default HTTP and HTTPS ports)
+# construct base URI and origins (ignore default HTTP and HTTPS ports for URI, but always include port for origins)
 
 if [ "$PROTOCOL" = "https" ]; then
     if [ "$HTTPS_PROXY_PORT" = 443 ]; then
         export BASE_URI="${PROTOCOL}://${HOST}${ABS_PATH}"
+        export ADMIN_BASE_URI="${PROTOCOL}://admin.${HOST}${ABS_PATH}"
     else
         export BASE_URI="${PROTOCOL}://${HOST}:${HTTPS_PROXY_PORT}${ABS_PATH}"
+        export ADMIN_BASE_URI="${PROTOCOL}://admin.${HOST}:${HTTPS_PROXY_PORT}${ABS_PATH}"
     fi
+    export ORIGIN="${PROTOCOL}://${HOST}:${HTTPS_PROXY_PORT}"
 else
     if [ "$HTTP_PROXY_PORT" = 80 ]; then
         export BASE_URI="${PROTOCOL}://${HOST}${ABS_PATH}"
+        export ADMIN_BASE_URI="${PROTOCOL}://admin.${HOST}${ABS_PATH}"
     else
         export BASE_URI="${PROTOCOL}://${HOST}:${HTTP_PROXY_PORT}${ABS_PATH}"
+        export ADMIN_BASE_URI="${PROTOCOL}://admin.${HOST}:${HTTP_PROXY_PORT}${ABS_PATH}"
     fi
+    export ORIGIN="${PROTOCOL}://${HOST}:${HTTP_PROXY_PORT}"
 fi
 
 BASE_URI=$(echo "$BASE_URI" | tr '[:upper:]' '[:lower:]') # make sure it's lower-case
+ADMIN_BASE_URI=$(echo "$ADMIN_BASE_URI" | tr '[:upper:]' '[:lower:]') # make sure it's lower-case
+ORIGIN=$(echo "$ORIGIN" | tr '[:upper:]' '[:lower:]') # make sure it's lower-case
 
 printf "\n### Base URI: %s\n" "$BASE_URI"
+printf "\n### Admin Base URI: %s\n" "$ADMIN_BASE_URI"
+printf "\n### Origin: %s\n" "$ORIGIN"
 
 # functions that wait for other services to start
 
@@ -308,7 +345,6 @@ generate_cert()
     local keystore_password="${11}"
     local cert_output="${12}"
     local public_key_output="${13}"
-    local private_key_output="${14}"
 
     # Build the Distinguished Name (DN) string, only including components if they're non-empty
     dname="CN=${common_name}"
@@ -358,11 +394,11 @@ get_modulus()
 }
 
 OWNER_UUID=$(uuidgen | tr '[:upper:]' '[:lower:]') # lowercase
-OWNER_URI="${OWNER_URI:-${BASE_URI}admin/acl/agents/${OWNER_UUID}/#this}" # WebID URI. Can be external!
+OWNER_URI="${OWNER_URI:-${ADMIN_BASE_URI}acl/agents/${OWNER_UUID}/#this}" # WebID URI. Can be external!
 OWNER_COMMON_NAME="$OWNER_GIVEN_NAME $OWNER_FAMILY_NAME" # those are required
 
 SECRETARY_UUID=$(uuidgen | tr '[:upper:]' '[:lower:]') # lowercase
-SECRETARY_URI="${SECRETARY_URI:-${BASE_URI}admin/acl/agents/${SECRETARY_UUID}/#this}" # WebID URI. Can be external!
+SECRETARY_URI="${SECRETARY_URI:-${ADMIN_BASE_URI}acl/agents/${SECRETARY_UUID}/#this}" # WebID URI. Can be external!
 
 OWNER_DATASET_PATH="/var/linkeddatahub/datasets/owner/${OWNER_CERT_ALIAS}.trig"
 
@@ -385,13 +421,13 @@ if [ ! -f "$OWNER_PUBLIC_KEY" ]; then
                   "$OWNER_ORG_UNIT" "$OWNER_ORGANIZATION" \
                   "$OWNER_LOCALITY" "$OWNER_STATE_OR_PROVINCE" "$OWNER_COUNTRY_NAME" \
                   "$CERT_VALIDITY" "$OWNER_KEYSTORE" "$OWNER_CERT_PASSWORD" \
-                  "$OWNER_CERT" "$OWNER_PUBLIC_KEY" "$OWNER_PRIVATE_KEY"
+                  "$OWNER_CERT" "$OWNER_PUBLIC_KEY"
 
     # write owner's metadata to a file
 
     mkdir -p "$(dirname "$OWNER_DATASET_PATH")"
 
-    OWNER_DOC_URI="${BASE_URI}admin/acl/agents/${OWNER_UUID}/"
+    OWNER_DOC_URI="${ADMIN_BASE_URI}acl/agents/${OWNER_UUID}/"
     OWNER_KEY_UUID=$(uuidgen | tr '[:upper:]' '[:lower:]') # lowercase
     OWNER_PUBLIC_KEY_MODULUS=$(get_modulus "$OWNER_PUBLIC_KEY")
 
@@ -422,13 +458,13 @@ if [ ! -f "$SECRETARY_PUBLIC_KEY" ]; then
                   "" "" \
                   "" "" "" \
                   "$CERT_VALIDITY" "$SECRETARY_KEYSTORE" "$SECRETARY_CERT_PASSWORD" \
-                  "$SECRETARY_CERT" "$SECRETARY_PUBLIC_KEY" "$SECRETARY_PRIVATE_KEY"
+                  "$SECRETARY_CERT" "$SECRETARY_PUBLIC_KEY"
 
     # write secretary's metadata to a file
 
     mkdir -p "$(dirname "$SECRETARY_DATASET_PATH")"
 
-    SECRETARY_DOC_URI="${BASE_URI}admin/acl/agents/${SECRETARY_UUID}/"
+    SECRETARY_DOC_URI="${ADMIN_BASE_URI}acl/agents/${SECRETARY_UUID}/"
     SECRETARY_KEY_UUID=$(uuidgen | tr '[:upper:]' '[:lower:]') # lowercase
     SECRETARY_PUBLIC_KEY_MODULUS=$(get_modulus "$SECRETARY_PUBLIC_KEY")
 
@@ -476,7 +512,7 @@ readarray apps < <(xmlstarlet sel -B \
     -o "\"" \
     -v "srx:binding[@name = 'endUserApp']" \
     -o "\" \"" \
-    -v "srx:binding[@name = 'endUserBase']" \
+    -v "srx:binding[@name = 'endUserOrigin']" \
     -o "\" \"" \
     -v "srx:binding[@name = 'endUserQuadStore']" \
     -o "\" \"" \
@@ -490,7 +526,7 @@ readarray apps < <(xmlstarlet sel -B \
     -o "\" \"" \
     -v "srx:binding[@name = 'adminApp']" \
     -o "\" \"" \
-    -v "srx:binding[@name = 'adminBase']" \
+    -v "srx:binding[@name = 'adminOrigin']" \
     -o "\" \"" \
     -v "srx:binding[@name = 'adminQuadStore']" \
     -o "\" \"" \
@@ -508,21 +544,21 @@ readarray apps < <(xmlstarlet sel -B \
 for app in "${apps[@]}"; do
     app_array=(${app})
     end_user_app="${app_array[0]//\"/}"
-    end_user_base_uri="${app_array[1]//\"/}"
+    end_user_origin="${app_array[1]//\"/}"
     end_user_quad_store_url="${app_array[2]//\"/}"
     end_user_endpoint_url="${app_array[3]//\"/}"
     end_user_service_auth_user="${app_array[4]//\"/}"
     end_user_service_auth_pwd="${app_array[5]//\"/}"
     end_user_owner="${app_array[6]//\"/}"
     admin_app="${app_array[7]//\"/}"
-    admin_base_uri="${app_array[8]//\"/}"
+    admin_origin="${app_array[8]//\"/}"
     admin_quad_store_url="${app_array[9]//\"/}"
     admin_endpoint_url="${app_array[10]//\"/}"
     admin_service_auth_user="${app_array[11]//\"/}"
     admin_service_auth_pwd="${app_array[12]//\"/}"
     admin_owner="${app_array[13]//\"/}"
 
-    printf "\n### Processing dataspace. End-user app: %s Admin app: %s\n" "$end_user_app" "$admin_app"
+    printf "\n### Processing dataspace. End-user app: %s (origin: %s) Admin app: %s (origin: %s)\n" "$end_user_app" "$end_user_origin" "$admin_app" "$admin_origin"
 
     if [ -z "$end_user_app" ]; then
         printf "\nEnd-user app URI could not be extracted from %s. Exiting...\n" "$CONTEXT_DATASET"
@@ -536,8 +572,8 @@ for app in "${apps[@]}"; do
         printf "\nAdmin app URI could not be extracted for the <%s> app. Exiting...\n" "$end_user_app"
         exit 1
     fi
-    if [ -z "$admin_base_uri" ]; then
-        printf "\nAdmin base URI extracted for the <%s> app. Exiting...\n" "$end_user_app"
+    if [ -z "$admin_origin" ]; then
+        printf "\nAdmin origin could not be extracted for the <%s> app. Exiting...\n" "$end_user_app"
         exit 1
     fi
     if [ -z "$admin_quad_store_url" ]; then
@@ -545,13 +581,15 @@ for app in "${apps[@]}"; do
         exit 1
     fi
 
-    # check if this app is the root app
-    if [ "$end_user_base_uri" = "$BASE_URI" ]; then
+    # check if this app is the root app by comparing origins
+    if [ "$end_user_origin" = "$ORIGIN" ]; then
         root_end_user_app="$end_user_app"
+        root_end_user_origin="$end_user_origin"
         root_end_user_quad_store_url="$end_user_quad_store_url"
         root_end_user_service_auth_user="$end_user_service_auth_user"
         root_end_user_service_auth_pwd="$end_user_service_auth_pwd"
         root_admin_app="$admin_app"
+        root_admin_origin="$admin_origin"
         root_admin_quad_store_url="$admin_quad_store_url"
         root_admin_service_auth_user="$admin_service_auth_user"
         root_admin_service_auth_pwd="$admin_service_auth_pwd"
@@ -601,7 +639,7 @@ for app in "${apps[@]}"; do
                 curl "$ADMIN_DATASET_URL" > "$ADMIN_DATASET" ;;
         esac
 
-        trig --base="$end_user_base_uri" "$END_USER_DATASET" > /var/linkeddatahub/based-datasets/end-user.nq
+        trig --base="$BASE_URI" "$END_USER_DATASET" > /var/linkeddatahub/based-datasets/end-user.nq
 
         printf "\n### Waiting for %s...\n" "$end_user_quad_store_url"
         wait_for_url "$end_user_quad_store_url" "$end_user_service_auth_user" "$end_user_service_auth_pwd" "$TIMEOUT" "application/n-quads"
@@ -609,7 +647,7 @@ for app in "${apps[@]}"; do
         printf "\n### Loading end-user dataset into the triplestore...\n"
         append_quads "$end_user_quad_store_url" "$end_user_service_auth_user" "$end_user_service_auth_pwd" /var/linkeddatahub/based-datasets/end-user.nq "application/n-quads"
 
-        trig --base="$admin_base_uri" "$ADMIN_DATASET" > /var/linkeddatahub/based-datasets/admin.nq
+        trig --base="$ADMIN_BASE_URI" "$ADMIN_DATASET" > /var/linkeddatahub/based-datasets/admin.nq
 
         printf "\n### Waiting for %s...\n" "$admin_quad_store_url"
         wait_for_url "$admin_quad_store_url" "$admin_service_auth_user" "$admin_service_auth_pwd" "$TIMEOUT" "application/n-quads"
@@ -617,12 +655,21 @@ for app in "${apps[@]}"; do
         printf "\n### Loading admin dataset into the triplestore...\n"
         append_quads "$admin_quad_store_url" "$admin_service_auth_user" "$admin_service_auth_pwd" /var/linkeddatahub/based-datasets/admin.nq "application/n-quads"
 
-        trig --base="$admin_base_uri" --output=nq "$OWNER_DATASET_PATH" > /var/linkeddatahub/based-datasets/root-owner.nq
+        NAMESPACE_ONTOLOGY_DATASET_PATH="/var/linkeddatahub/datasets/namespace-ontology.trig"
+        export END_USER_BASE_URI="$BASE_URI"
+        envsubst < namespace-ontology.trig.template > "$NAMESPACE_ONTOLOGY_DATASET_PATH"
+
+        trig --base="$ADMIN_BASE_URI" --output=nq "$NAMESPACE_ONTOLOGY_DATASET_PATH" > /var/linkeddatahub/based-datasets/namespace-ontology.nq
+
+        printf "\n### Loading namespace ontology into the admin triplestore...\n"
+        append_quads "$admin_quad_store_url" "$admin_service_auth_user" "$admin_service_auth_pwd" /var/linkeddatahub/based-datasets/namespace-ontology.nq "application/n-quads"
+
+        trig --base="$ADMIN_BASE_URI" --output=nq "$OWNER_DATASET_PATH" > /var/linkeddatahub/based-datasets/root-owner.nq
 
         printf "\n### Uploading the metadata of the owner agent...\n\n"
         append_quads "$admin_quad_store_url" "$admin_service_auth_user" "$admin_service_auth_pwd" /var/linkeddatahub/based-datasets/root-owner.nq "application/n-quads"
 
-        trig --base="$admin_base_uri" --output=nq "$SECRETARY_DATASET_PATH" > /var/linkeddatahub/based-datasets/root-secretary.nq
+        trig --base="$ADMIN_BASE_URI" --output=nq "$SECRETARY_DATASET_PATH" > /var/linkeddatahub/based-datasets/root-secretary.nq
 
         printf "\n### Uploading the metadata of the secretary agent...\n\n"
         append_quads "$admin_quad_store_url" "$admin_service_auth_user" "$admin_service_auth_pwd" /var/linkeddatahub/based-datasets/root-secretary.nq "application/n-quads"
@@ -632,11 +679,11 @@ done
 rm -f root_service_metadata.xml
 
 if [ -z "$root_end_user_app" ]; then
-    printf "\nRoot end-user app with base URI <%s> not found. Exiting...\n" "$BASE_URI"
+    printf "\nRoot end-user app with origin <%s> not found. Exiting...\n" "$ORIGIN"
     exit 1
 fi
 if [ -z "$root_admin_app" ]; then
-    printf "\nRoot admin app (for end-user app with base URI <%s>) not found. Exiting...\n" "$BASE_URI"
+    printf "\nRoot admin app (for end-user app with origin <%s>) not found. Exiting...\n" "$ORIGIN"
     exit 1
 fi
 
diff --git a/platform/namespace-ontology.trig.template b/platform/namespace-ontology.trig.template
new file mode 100644
index 000000000..9282d81a7
--- /dev/null
+++ b/platform/namespace-ontology.trig.template
@@ -0,0 +1,134 @@
+@prefix def:	<https://w3id.org/atomgraph/linkeddatahub/default#> .
+@prefix ldh:	<https://w3id.org/atomgraph/linkeddatahub#> .
+@prefix ac:	<https://w3id.org/atomgraph/client#> .
+@prefix rdf:	<http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd:	<http://www.w3.org/2001/XMLSchema#> .
+@prefix dh:	<https://www.w3.org/ns/ldt/document-hierarchy#> .
+@prefix sd:     <http://www.w3.org/ns/sparql-service-description#> .
+@prefix sp:	<http://spinrdf.org/sp#> .
+@prefix sioc:	<http://rdfs.org/sioc/ns#> .
+@prefix foaf:	<http://xmlns.com/foaf/0.1/> .
+@prefix dct:	<http://purl.org/dc/terms/> .
+@prefix spin:	<http://spinrdf.org/spin#> .
+@prefix lacl:	<https://w3id.org/atomgraph/linkeddatahub/admin/acl#> .
+@prefix adm:	<https://w3id.org/atomgraph/linkeddatahub/admin#> .
+@prefix rdfs:	<http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl:	<http://www.w3.org/2002/07/owl#> .
+@prefix acl:	<http://www.w3.org/ns/auth/acl#> .
+@prefix cert:	<http://www.w3.org/ns/auth/cert#> .
+@prefix spin:	<http://spinrdf.org/spin#> .
+
+# namespace ontology
+
+<${ADMIN_BASE_URI}ontologies/namespace/>
+{
+    <${ADMIN_BASE_URI}ontologies/namespace/> a dh:Item ;
+        sioc:has_container <${ADMIN_BASE_URI}ontologies/> ;
+        dct:title "Namespace" ;
+        foaf:primaryTopic <${END_USER_BASE_URI}ns#> .
+
+    <${END_USER_BASE_URI}ns#> a owl:Ontology ;
+        rdfs:label "Namespace" ;
+        rdfs:comment "Namespace of the application" ;
+        foaf:isPrimaryTopicOf <${END_USER_BASE_URI}ns> ;
+        owl:imports <https://w3id.org/atomgraph/linkeddatahub/default#> ;
+        owl:versionInfo "1.0-SNAPSHOT" .
+}
+
+# public namespace authorization
+
+<${ADMIN_BASE_URI}acl/authorizations/public-namespace/>
+{
+
+    <${ADMIN_BASE_URI}acl/authorizations/public-namespace/> a dh:Item ;
+        sioc:has_container <${ADMIN_BASE_URI}acl/authorizations/> ;
+        dct:title "Public namespace access" ;
+        foaf:primaryTopic <${ADMIN_BASE_URI}acl/authorizations/public-namespace/#this> .
+
+    <${ADMIN_BASE_URI}acl/authorizations/public-namespace/#this> a acl:Authorization ;
+        rdfs:label "Public namespace access" ;
+        rdfs:comment "Allows non-authenticated access" ;
+        acl:accessTo <${END_USER_BASE_URI}ns> ; # end-user ontologies are public
+        acl:mode acl:Read, acl:Append ; # allow queries over GET as well as POST
+        acl:agentClass foaf:Agent, acl:AuthenticatedAgent .
+
+}
+
+# SPARQL endpoint authorization
+
+<${ADMIN_BASE_URI}acl/authorizations/sparql-endpoint/>
+{
+
+    <${ADMIN_BASE_URI}acl/authorizations/sparql-endpoint/> a dh:Item ;
+        sioc:has_container <${ADMIN_BASE_URI}acl/authorizations/> ;
+        dct:title "SPARQL endpoint access" ;
+        foaf:primaryTopic <${ADMIN_BASE_URI}acl/authorizations/sparql-endpoint/#this> .
+
+    <${ADMIN_BASE_URI}acl/authorizations/sparql-endpoint/#this> a acl:Authorization ;
+        rdfs:label "SPARQL endpoint access" ;
+        rdfs:comment "Allows only authenticated access" ;
+        acl:accessTo <${END_USER_BASE_URI}sparql> ;
+        acl:mode acl:Read, acl:Append ; # allow queries over GET as well as POST
+        acl:agentClass acl:AuthenticatedAgent .
+
+}
+
+# write/append authorization
+
+<${ADMIN_BASE_URI}acl/authorizations/write-append/>
+{
+
+    <${ADMIN_BASE_URI}acl/authorizations/write-append/> a dh:Item ;
+        sioc:has_container <${ADMIN_BASE_URI}acl/authorizations/> ;
+        dct:title "Write/append access" ;
+        foaf:primaryTopic <${ADMIN_BASE_URI}acl/authorizations/write-append/#this> .
+
+    <${ADMIN_BASE_URI}acl/authorizations/write-append/#this> a acl:Authorization ;
+        rdfs:label "Write/append access" ;
+        rdfs:comment "Allows write access to all documents and containers" ;
+        acl:accessToClass dh:Item, dh:Container, def:Root ;
+        acl:accessTo <${END_USER_BASE_URI}sparql>, <${END_USER_BASE_URI}importer>, <${END_USER_BASE_URI}add>, <${END_USER_BASE_URI}generate>, <${END_USER_BASE_URI}ns> ;
+        acl:mode acl:Write, acl:Append ;
+        acl:agentGroup <${ADMIN_BASE_URI}acl/groups/owners/#this>, <${ADMIN_BASE_URI}acl/groups/writers/#this> .
+
+}
+
+# full access authorization
+
+<${ADMIN_BASE_URI}acl/authorizations/full-control/>
+{
+
+    <${ADMIN_BASE_URI}acl/authorizations/full-control/> a dh:Item ;
+        sioc:has_container <${ADMIN_BASE_URI}acl/authorizations/> ;
+        dct:title "Full control" ;
+        foaf:primaryTopic <${ADMIN_BASE_URI}acl/authorizations/full-control/#this> .
+
+    <${ADMIN_BASE_URI}acl/authorizations/full-control/#this> a acl:Authorization ;
+        rdfs:label "Full control" ;
+        rdfs:comment "Allows full read/write access to all application resources" ;
+        acl:accessToClass dh:Item, dh:Container, def:Root ;
+        acl:accessTo <${END_USER_BASE_URI}sparql>, <${END_USER_BASE_URI}importer>, <${END_USER_BASE_URI}add>, <${END_USER_BASE_URI}generate>, <${END_USER_BASE_URI}ns> ;
+        acl:mode acl:Read, acl:Append, acl:Write, acl:Control ;
+        acl:agentGroup <${ADMIN_BASE_URI}acl/groups/owners/#this> .
+
+}
+
+# read access
+
+<${ADMIN_BASE_URI}acl/authorizations/read/>
+{
+
+    <${ADMIN_BASE_URI}acl/authorizations/read/> a dh:Item ;
+        sioc:has_container <${ADMIN_BASE_URI}acl/authorizations/> ;
+        dct:title "Read access" ;
+        foaf:primaryTopic <${ADMIN_BASE_URI}acl/authorizations/read/#this> .
+
+    <${ADMIN_BASE_URI}acl/authorizations/read/#this> a acl:Authorization ;
+        rdfs:label "Read access" ;
+        rdfs:comment "Allows read access to all resources" ;
+        acl:accessToClass dh:Item, dh:Container, def:Root, <http://www.semanticdesktop.org/ontologies/2007/03/22/nfo#FileDataObject> ;
+        acl:accessTo <${END_USER_BASE_URI}sparql> ;
+        acl:mode acl:Read ;
+        acl:agentGroup <${ADMIN_BASE_URI}acl/groups/owners/#this>, <${ADMIN_BASE_URI}acl/groups/writers/#this>, <${ADMIN_BASE_URI}acl/groups/readers/#this> .
+
+}
diff --git a/platform/select-root-services.rq b/platform/select-root-services.rq
index 658fa4d61..2a307e4e1 100644
--- a/platform/select-root-services.rq
+++ b/platform/select-root-services.rq
@@ -2,15 +2,16 @@ PREFIX ldt:     <https://www.w3.org/ns/ldt#>
 PREFIX sd:      <http://www.w3.org/ns/sparql-service-description#>
 PREFIX a:       <https://w3id.org/atomgraph/core#>
 PREFIX lapp:    <https://w3id.org/atomgraph/linkeddatahub/apps#>
+PREFIX ldh:     <https://w3id.org/atomgraph/linkeddatahub#>
 PREFIX foaf:    <http://xmlns.com/foaf/0.1/>
 
-SELECT ?endUserApp ?endUserBase ?endUserQuadStore ?endUserEndpoint ?endUserAuthUser ?endUserAuthPwd ?endUserMaker ?adminApp ?adminBase ?adminQuadStore ?adminEndpoint ?adminAuthUser ?adminAuthPwd ?adminMaker
+SELECT ?endUserApp ?endUserOrigin ?endUserQuadStore ?endUserEndpoint ?endUserAuthUser ?endUserAuthPwd ?endUserMaker ?adminApp ?adminOrigin ?adminQuadStore ?adminEndpoint ?adminAuthUser ?adminAuthPwd ?adminMaker
 {
-    ?endUserApp ldt:base ?endUserBase ;
+    ?endUserApp ldh:origin ?endUserOrigin ;
         ldt:service ?endUserService ;
         lapp:adminApplication ?adminApp .
         ?adminApp ldt:service ?adminService ;
-            ldt:base ?adminBase .
+            ldh:origin ?adminOrigin .
     ?endUserService a:quadStore ?endUserQuadStore ;
         sd:endpoint ?endUserEndpoint .
     ?adminService a:quadStore ?adminQuadStore ;
diff --git a/pom.xml b/pom.xml
index 0f9b5d06e..b918c2e42 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 
     <groupId>com.atomgraph</groupId>
     <artifactId>linkeddatahub</artifactId>
-    <version>5.0.23</version>
+    <version>5.0.24-SNAPSHOT</version>
     <packaging>${packaging.type}</packaging>
 
     <name>AtomGraph LinkedDataHub</name>
@@ -46,7 +46,7 @@
         <url>https://github.com/AtomGraph/LinkedDataHub</url>
         <connection>scm:git:git://github.com/AtomGraph/LinkedDataHub.git</connection>
         <developerConnection>scm:git:git@github.com:AtomGraph/LinkedDataHub.git</developerConnection>
-        <tag>linkeddatahub-5.0.23</tag>
+        <tag>linkeddatahub-2.1.1</tag>
     </scm>
 
     <repositories>
diff --git a/src/main/java/com/atomgraph/linkeddatahub/Application.java b/src/main/java/com/atomgraph/linkeddatahub/Application.java
index 49192395b..07bce7672 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/Application.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/Application.java
@@ -123,7 +123,6 @@
 import com.atomgraph.linkeddatahub.writer.factory.ModeFactory;
 import com.atomgraph.linkeddatahub.writer.function.DecodeURI;
 import com.atomgraph.server.mapper.NotAcceptableExceptionMapper;
-import com.atomgraph.server.vocabulary.LDT;
 import com.atomgraph.server.mapper.OntologyExceptionMapper;
 import com.atomgraph.server.mapper.jena.DatatypeFormatExceptionMapper;
 import com.atomgraph.server.mapper.jena.QueryParseExceptionMapper;
@@ -664,7 +663,7 @@ public Application(final ServletConfig servletConfig, final MediaTypes mediaType
             
             if (proxyHostname != null)
             {
-                ClientRequestFilter rewriteFilter = new ClientUriRewriteFilter(baseURI, proxyScheme, proxyHostname, proxyPort); // proxyPort can be null
+                ClientRequestFilter rewriteFilter = new ClientUriRewriteFilter(proxyScheme, proxyHostname, proxyPort); // proxyPort can be null
                 
                 client.register(rewriteFilter);
                 externalClient.register(rewriteFilter);
@@ -1172,23 +1171,9 @@ public void handleAuthorizationCreated(AuthorizationCreated event) throws Messag
      * @param absolutePath request URL without the query string
      * @return app resource or null, if none matched
      */
-    public Resource matchApp(Resource type, URI absolutePath)
+    public Resource matchApp(URI absolutePath)
     {
-        return matchApp(getContextModel(), type, absolutePath); // make sure we return an immutable model
-    }
-    
-    /**
-     * Matches application by type and request URL in a given application model.
-     * It finds the apps where request URL is relative to the app base URI, and returns the one with the longest match.
-     * 
-     * @param appModel application model
-     * @param type application type
-     * @param absolutePath request URL without the query string
-     * @return app resource or null, if none matched
-     */
-    public Resource matchApp(Model appModel, Resource type, URI absolutePath)
-    {
-        return getLongestURIResource(getLengthMap(getRelativeBaseApps(appModel, type, absolutePath)));
+        return getAppByOrigin(getContextModel(), LAPP.Application, absolutePath); // make sure we return an immutable model
     }
     
     /**
@@ -1207,35 +1192,63 @@ public Resource getLongestURIResource(Map<Integer, Resource> lengthMap)
     }
     
     /**
-     * Builds a base URI to application resource map from the application model.
+     * Normalizes a URI origin by adding explicit default ports (80 for HTTP, 443 for HTTPS).
+     * An origin consists of scheme, hostname, and port.
+     * This allows comparing origins with implicit and explicit default ports.
+     *
+     * @param uri the URI to normalize
+     * @return normalized origin string in format "scheme://host:port"
+     * @see <a href="https://developer.mozilla.org/en-US/docs/Glossary/Origin">Origin - MDN Web Docs</a>
+     */
+    public static String normalizeOrigin(URI uri)
+    {
+        if (uri == null) throw new IllegalArgumentException("URI cannot be null");
+
+        String scheme = uri.getScheme();
+        String host = uri.getHost();
+        int port = uri.getPort();
+
+        if (port == -1)
+        {
+            if ("https".equals(scheme)) port = 443;
+            else if ("http".equals(scheme)) port = 80;
+        }
+
+        return scheme + "://" + host + ":" + port;
+    }
+
+    /**
+     * Finds application by origin matching from the application model.
      * Applications are filtered by type first.
-     * 
+     *
      * @param model application model
      * @param type application type
      * @param absolutePath request URL (without the query string)
-     * @return URI to app map
+     * @return app resource or null if no match found
      */
-    public Map<URI, Resource> getRelativeBaseApps(Model model, Resource type, URI absolutePath)
+    public Resource getAppByOrigin(Model model, Resource type, URI absolutePath)
     {
         if (model == null) throw new IllegalArgumentException("Model cannot be null");
         if (type == null) throw new IllegalArgumentException("Resource cannot be null");
         if (absolutePath == null) throw new IllegalArgumentException("URI cannot be null");
 
-        Map<URI, Resource> apps = new HashMap<>();
-        
+        String requestOrigin = normalizeOrigin(absolutePath);
+
         ResIterator it = model.listSubjectsWithProperty(RDF.type, type);
         try
         {
             while (it.hasNext())
             {
                 Resource app = it.next();
-                
-                if (!app.hasProperty(LDT.base))
-                    throw new InternalServerErrorException(new IllegalStateException("Application resource <" + app.getURI() + "> has no ldt:base value"));
-                
-                URI base = URI.create(app.getPropertyResourceValue(LDT.base).getURI());
-                URI relative = base.relativize(absolutePath);
-                if (!relative.isAbsolute()) apps.put(base, app);
+
+                // Use origin-based matching - return immediately on match since origins are unique
+                if (app.hasProperty(LDH.origin))
+                {
+                    URI appOriginURI = URI.create(app.getPropertyResourceValue(LDH.origin).getURI());
+                    String normalizedAppOrigin = normalizeOrigin(appOriginURI);
+
+                    if (requestOrigin.equals(normalizedAppOrigin)) return app;
+                }
             }
         }
         finally
@@ -1243,7 +1256,7 @@ public Map<URI, Resource> getRelativeBaseApps(Model model, Resource type, URI ab
             it.close();
         }
 
-        return apps;
+        return null;
     }
     
     /**
diff --git a/src/main/java/com/atomgraph/linkeddatahub/apps/model/Application.java b/src/main/java/com/atomgraph/linkeddatahub/apps/model/Application.java
index eeb505f5d..dcb914c46 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/apps/model/Application.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/apps/model/Application.java
@@ -57,14 +57,28 @@ public interface Application extends Resource, com.atomgraph.core.model.Applicat
     
     /**
      * Returns the application's base URI.
-     * 
+     *
      * @return URI of the base resource
      */
     URI getBaseURI();
-    
+
+    /**
+     * Returns the application's origin resource.
+     *
+     * @return origin resource
+     */
+    Resource getOrigin();
+
+    /**
+     * Returns the application's origin URI.
+     *
+     * @return URI of the origin resource
+     */
+    URI getOriginURI();
+
     /**
      * Returns applications service.
-     * 
+     *
      * @return service resource
      */
     @Override
diff --git a/src/main/java/com/atomgraph/linkeddatahub/apps/model/impl/ApplicationImpl.java b/src/main/java/com/atomgraph/linkeddatahub/apps/model/impl/ApplicationImpl.java
index 7c2bbfc66..649291121 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/apps/model/impl/ApplicationImpl.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/apps/model/impl/ApplicationImpl.java
@@ -21,6 +21,7 @@
 import com.atomgraph.linkeddatahub.model.Service;
 import com.atomgraph.linkeddatahub.vocabulary.FOAF;
 import com.atomgraph.linkeddatahub.vocabulary.LAPP;
+import com.atomgraph.linkeddatahub.vocabulary.LDH;
 import com.atomgraph.server.vocabulary.LDT;
 import org.apache.jena.enhanced.EnhGraph;
 import org.apache.jena.graph.Node;
@@ -55,14 +56,26 @@ public ApplicationImpl(Node n, EnhGraph g)
     @Override
     public Resource getBase()
     {
-        return getPropertyResourceValue(LDT.base);
+        return getModel().createResource(getOriginURI().resolve("/").toString());
     }
     
     @Override
     public URI getBaseURI()
     {
-        if (getBase() != null) return URI.create(getBase().getURI());
-        
+        return getOriginURI().resolve("/");
+    }
+
+    @Override
+    public Resource getOrigin()
+    {
+        return getPropertyResourceValue(LDH.origin);
+    }
+
+    @Override
+    public URI getOriginURI()
+    {
+        if (getOrigin() != null) return URI.create(getOrigin().getURI());
+
         return null;
     }
 
diff --git a/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java b/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java
index db62d4dea..ec5fe4e97 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java
@@ -20,12 +20,13 @@
 import java.net.URI;
 import jakarta.ws.rs.client.ClientRequestContext;
 import jakarta.ws.rs.client.ClientRequestFilter;
+import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.UriBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Client request filter that rewrites the target URL using a proxy URL.
+ * Client request filter that rewrites the target <samp>localhost</samp> URLs to internal proxy URLs.
  * 
  * @author {@literal Martynas Jusevičius <martynas@atomgraph.com>}
  */
@@ -34,21 +35,18 @@ public class ClientUriRewriteFilter implements ClientRequestFilter
 
     private static final Logger log = LoggerFactory.getLogger(ClientUriRewriteFilter.class);
 
-    private final URI baseURI;
     private final String scheme, hostname;
     private final Integer port;
 
     /**
      * Constructs filter from URI components.
      * 
-     * @param baseURI base URI
      * @param scheme new scheme
      * @param hostname new hostname
      * @param port new port number
      */
-    public ClientUriRewriteFilter(URI baseURI, String scheme, String hostname, Integer port)
+    public ClientUriRewriteFilter(String scheme, String hostname, Integer port)
     {
-        this.baseURI = baseURI;
         this.scheme = scheme;
         this.hostname = hostname;
         this.port = port;
@@ -57,7 +55,12 @@ public ClientUriRewriteFilter(URI baseURI, String scheme, String hostname, Integ
     @Override
     public void filter(ClientRequestContext cr) throws IOException
     {
-        if (getBaseURI().relativize(cr.getUri()).isAbsolute()) return; // don't rewrite URIs that are not relative to the base URI (e.g. SPARQL Protocol URLs)
+        if (!cr.getUri().getHost().equals("localhost") && !cr.getUri().getHost().endsWith(".localhost")) return;
+        
+        // Preserve original host for nginx routing
+        String originalHost = cr.getUri().getHost();
+        if (cr.getUri().getPort() != -1) originalHost += ":" + cr.getUri().getPort();
+        cr.getHeaders().putSingle(HttpHeaders.HOST, originalHost);
 
         String newScheme = cr.getUri().getScheme();
         if (getScheme() != null) newScheme  = getScheme();
@@ -68,17 +71,7 @@ public void filter(ClientRequestContext cr) throws IOException
         if (log.isDebugEnabled()) log.debug("Rewriting client request URI from '{}' to '{}'", cr.getUri(), newUri);
         cr.setUri(newUri);
     }
-    
-    /**
-     * Base URI of the application
-     * 
-     * @return base URI
-     */
-    public URI getBaseURI()
-    {
-        return baseURI;
-    }
-    
+
     /**
      * Scheme component of the new (rewritten) URI.
      * 
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/Namespace.java b/src/main/java/com/atomgraph/linkeddatahub/resource/Namespace.java
index 1efa29e00..d70b63f16 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/resource/Namespace.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/resource/Namespace.java
@@ -98,6 +98,22 @@ public Namespace(@Context Request request, @Context UriInfo uriInfo,
         this.system = system;
     }
 
+    /**
+     * If SPARQL query is provided, returns its result over the in-memory namespace ontology graph.
+     * If query is not provided
+     * <ul>
+     * <li>returns constructed instance if <samp>forClass</samp> URL param value (ontology class URI) is provided</li>
+     * <li>otherwise, returns the namespace ontology graph (which is standalone, i.e. <em>not</em> the full ontology imports closure)</li>
+     * </ul>
+     * 
+     * @param query SPARQL query string (optional)
+     * @param defaultGraphUris default graph URI (ignored)
+     * @param namedGraphUris named graph URIs (ignored)
+     * 
+     * {@link com.atomgraph.linkeddatahub.server.model.impl.Dispatcher#getNamespace()}
+     * 
+     * @return response
+     */
     @Override
     @GET
     public Response get(@QueryParam(QUERY) Query query,
@@ -122,11 +138,11 @@ public Response get(@QueryParam(QUERY) Query query,
             
             if (getApplication().canAs(EndUserApplication.class))
             {
-                String ontologyURI = getURI().toString() + "#"; // TO-DO: hard-coding "#" is not great. Replace with RDF property lookup.
+                // the application ontology MUST use a <ns> URI! This is the URI this ontology endpoint is deployed on by the Dispatcher class
+                String ontologyURI = getApplication().getOntology().getURI();
                 if (log.isDebugEnabled()) log.debug("Returning namespace ontology from OntDocumentManager: {}", ontologyURI);
                 // not returning the injected in-memory ontology because it has inferences applied to it
-                OntologyModelGetter modelGetter = new OntologyModelGetter(getApplication().as(EndUserApplication.class),
-                        getSystem().getOntModelSpec(), getSystem().getOntologyQuery(), getSystem().getClient(), getSystem().getMediaTypes());
+                OntologyModelGetter modelGetter = new OntologyModelGetter(getApplication().as(EndUserApplication.class), getSystem().getOntModelSpec(), getSystem().getOntologyQuery());
                 return getResponseBuilder(modelGetter.getModel(ontologyURI)).build();
             }
             else throw new BadRequestException("SPARQL query string not provided");
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/acl/Access.java b/src/main/java/com/atomgraph/linkeddatahub/resource/acl/Access.java
index f72a85376..a72180fc4 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/resource/acl/Access.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/resource/acl/Access.java
@@ -107,12 +107,7 @@ public Response get(@QueryParam(QUERY) Query unused,
             @QueryParam(DEFAULT_GRAPH_URI) List<URI> defaultGraphUris, @QueryParam(NAMED_GRAPH_URI) List<URI> namedGraphUris)
     {
         final Agent agent = getAgentContext().map(AgentContext::getAgent).orElse(null);
-//        final Agent agent = ModelFactory.createDefaultModel().
-//                createResource(getUriInfo().getQueryParameters().getFirst("agent")).
-//                addProperty(RDF.type, FOAF.Agent).
-//                as(Agent.class);
-                
-        //final ParameterizedSparqlString pss = getApplication().canAs(EndUserApplication.class) ? getACLQuery() : getOwnerACLQuery();        
+   
         try
         {
             if (!getUriInfo().getQueryParameters().containsKey(SPIN.THIS_VAR_NAME)) throw new BadRequestException("?this query param is not provided");
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/admin/Clear.java b/src/main/java/com/atomgraph/linkeddatahub/resource/admin/Clear.java
index afe779b8e..fa539312a 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/resource/admin/Clear.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/resource/admin/Clear.java
@@ -101,8 +101,7 @@ public Response post(@FormParam("uri") String ontologyURI, @HeaderParam("Referer
             
             // !!! we need to reload the ontology model before returning a response, to make sure the next request already gets the new version !!!
             // same logic as in OntologyFilter. TO-DO: encapsulate?
-            OntologyModelGetter modelGetter = new OntologyModelGetter(app,
-                    ontModelSpec, getSystem().getOntologyQuery(), getSystem().getNoCertClient(), getSystem().getMediaTypes());
+            OntologyModelGetter modelGetter = new OntologyModelGetter(app, ontModelSpec, getSystem().getOntologyQuery());
             ontModelSpec.setImportModelGetter(modelGetter);
             if (log.isDebugEnabled()) log.debug("Started loading ontology with URI '{}' from the admin dataset", ontologyURI);
             Model baseModel = modelGetter.getModel(ontologyURI);
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/ApplicationFilter.java b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/ApplicationFilter.java
index 8bd3f2737..183f6d8b2 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/ApplicationFilter.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/ApplicationFilter.java
@@ -59,7 +59,7 @@ public class ApplicationFilter implements ContainerRequestFilter
     public void filter(ContainerRequestContext request) throws IOException
     {
         // there always have to be an app
-        Resource appResource = getSystem().matchApp(LAPP.Application, request.getUriInfo().getAbsolutePath());
+        Resource appResource = getSystem().matchApp(request.getUriInfo().getAbsolutePath());
         if (appResource == null) throw new IllegalStateException("Request URI '" + request.getUriInfo().getAbsolutePath() + "' has not matched any lapp:Application");
 
         // instead of InfModel, do faster explicit checks for subclasses and add rdf:type
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/OntologyFilter.java b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/OntologyFilter.java
index cf002de2a..0e9676b32 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/OntologyFilter.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/server/filter/request/OntologyFilter.java
@@ -115,8 +115,7 @@ public Ontology getOntology(Application app, String uri)
             // only create InfModel if ontology is not already cached
             if (!ontModelSpec.getDocumentManager().getFileManager().hasCachedModel(uri))
             {
-                OntologyModelGetter modelGetter = new OntologyModelGetter(app.as(EndUserApplication.class),
-                        ontModelSpec, getSystem().getOntologyQuery(), getSystem().getNoCertClient(), getSystem().getMediaTypes());
+                OntologyModelGetter modelGetter = new OntologyModelGetter(app.as(EndUserApplication.class), ontModelSpec, getSystem().getOntologyQuery());
                 ontModelSpec.setImportModelGetter(modelGetter);
                 if (log.isDebugEnabled()) log.debug("Started loading ontology with URI '{}' from the admin dataset", uri);
                 Model baseModel = modelGetter.getModel(uri);
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/util/OntologyModelGetter.java b/src/main/java/com/atomgraph/linkeddatahub/server/util/OntologyModelGetter.java
index 8aa7caadc..1ea63a98e 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/server/util/OntologyModelGetter.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/server/util/OntologyModelGetter.java
@@ -17,10 +17,8 @@
 package com.atomgraph.linkeddatahub.server.util;
 
 import com.atomgraph.client.vocabulary.LDT;
-import com.atomgraph.core.MediaTypes;
 import com.atomgraph.linkeddatahub.apps.model.EndUserApplication;
 import com.atomgraph.server.exception.OntologyException;
-import jakarta.ws.rs.client.Client;
 import org.apache.jena.ontology.OntModelSpec;
 import org.apache.jena.query.ParameterizedSparqlString;
 import org.apache.jena.query.Query;
@@ -44,21 +42,6 @@ public class OntologyModelGetter implements org.apache.jena.rdf.model.ModelGette
     private final EndUserApplication app;
     private final OntModelSpec ontModelSpec;
     private final Query ontologyQuery;
-
-    
-    /**
-     * Constructs ontology getter for application.
-     * 
-     * @param app end-user application resource
-     * @param ontModelSpec ontology specification
-     * @param ontologyQuery SPARQL query that loads ontology terms
-     * @param client HTTP client
-     * @param mediaTypes registry of readable/writable media types
-     */
-    public OntologyModelGetter(EndUserApplication app, OntModelSpec ontModelSpec, Query ontologyQuery, Client client, MediaTypes mediaTypes)
-    {
-        this(app, ontModelSpec, ontologyQuery);
-    }
     
     /**
      * Constructs ontology getter for application.
diff --git a/src/main/java/com/atomgraph/linkeddatahub/vocabulary/LDH.java b/src/main/java/com/atomgraph/linkeddatahub/vocabulary/LDH.java
index 555ffdce5..cea639a6a 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/vocabulary/LDH.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/vocabulary/LDH.java
@@ -101,6 +101,9 @@ public static String getURI()
     /** Service property */
     public static final ObjectProperty service = m_model.createObjectProperty( NS + "service" );
 
+    /** Origin property for subdomain-based application matching */
+    public static final ObjectProperty origin = m_model.createObjectProperty( NS + "origin" );
+
     /**
      * For shape property */
     public static final ObjectProperty forShape = m_model.createObjectProperty( NS + "forShape" );
diff --git a/src/main/java/com/atomgraph/linkeddatahub/writer/XSLTWriterBase.java b/src/main/java/com/atomgraph/linkeddatahub/writer/XSLTWriterBase.java
index 2bdb6ac97..85c0011e6 100644
--- a/src/main/java/com/atomgraph/linkeddatahub/writer/XSLTWriterBase.java
+++ b/src/main/java/com/atomgraph/linkeddatahub/writer/XSLTWriterBase.java
@@ -130,6 +130,7 @@ public <T extends XdmValue> Map<QName, XdmValue> getParameters(MultivaluedMap<St
             com.atomgraph.linkeddatahub.apps.model.Application app = getApplication().get();
             if (log.isDebugEnabled()) log.debug("Passing $lapp:Application to XSLT: <{}>", app);
             params.put(new QName("ldt", LDT.base.getNameSpace(), LDT.base.getLocalName()), new XdmAtomicValue(app.getBaseURI()));
+            params.put(new QName("ldh", LDH.origin.getNameSpace(), LDH.origin.getLocalName()), new XdmAtomicValue(app.getOriginURI()));
             params.put(new QName("ldt", LDT.ontology.getNameSpace(), LDT.ontology.getLocalName()), new XdmAtomicValue(URI.create(app.getOntology().getURI())));
             params.put(new QName("lapp", LAPP.Application.getNameSpace(), LAPP.Application.getLocalName()),
                 getXsltExecutable().getProcessor().newDocumentBuilder().build(getSource(getAppModel(app, true))));
diff --git a/src/main/resources/com/atomgraph/linkeddatahub/lapp.ttl b/src/main/resources/com/atomgraph/linkeddatahub/lapp.ttl
index fee16d648..81402fb3d 100644
--- a/src/main/resources/com/atomgraph/linkeddatahub/lapp.ttl
+++ b/src/main/resources/com/atomgraph/linkeddatahub/lapp.ttl
@@ -17,8 +17,8 @@
 
 : a owl:Ontology ;
     owl:imports ldh:, ldt:, sp:, spin: ;
-    rdfs:label "AtomGraph Application ontology" ;
-    rdfs:comment "Ontology of AtomGraph applications" ;
+    rdfs:label "LinkedDataHub application ontology" ;
+    rdfs:comment "Ontology of LinkedDataHub applications" ;
     owl:versionInfo "1.1.4" .
 
 # PROPERTIES
diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/constructor.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/constructor.xsl
index 51f3a2bb4..9aa44bbef 100644
--- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/constructor.xsl
+++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/constructor.xsl
@@ -485,7 +485,8 @@ exclude-result-prefixes="#all"
         <xsl:variable name="button-div" select=".." as="element()"/>
         <xsl:variable name="type" select="ancestor::form/@about" as="xs:anyURI"/> <!-- the URI of the class that constructors are attached to -->
         <xsl:variable name="query-string" select="replace($type-graph-query, '$Type', '&lt;' || $type || '&gt;', 'q')" as="xs:string"/>
-        <xsl:variable name="results-uri" select="ac:build-uri(resolve-uri('admin/sparql', $ldt:base), map{ 'query': $query-string })" as="xs:anyURI"/>
+        <xsl:variable name="admin-base-uri" select="xs:anyURI(replace($ldt:base, '^(https?://)', '$1admin.'))" as="xs:anyURI"/>
+        <xsl:variable name="results-uri" select="ac:build-uri(resolve-uri('sparql', $admin-base-uri), map{ 'query': $query-string })" as="xs:anyURI"/>
         <xsl:variable name="request-uri" select="ldh:href($results-uri, map{})" as="xs:anyURI"/>
 
         <ixsl:set-style name="cursor" select="'default'" object="ixsl:page()//body"/>
@@ -595,7 +596,8 @@ exclude-result-prefixes="#all"
                 <xsl:sequence select="ixsl:call($form-data, 'append', [ 'uri', $ontology-uri ])[current-date() lt xs:date('2000-01-01')]"/>
 
                 <!-- clear this ontology first, then proceed to clear the namespace ontology -->
-                <ixsl:schedule-action http-request="map{ 'method': 'POST', 'href': resolve-uri('admin/clear', ldt:base()), 'media-type': 'application/x-www-form-urlencoded', 'body': $form-data, 'headers': map{ 'Accept': 'application/rdf+xml' } }">
+                <xsl:variable name="admin-base-uri" select="xs:anyURI(replace(ldt:base(), '^(https?://)', '$1admin.'))" as="xs:anyURI"/>
+                <ixsl:schedule-action http-request="map{ 'method': 'POST', 'href': resolve-uri('clear', $admin-base-uri), 'media-type': 'application/x-www-form-urlencoded', 'body': $form-data, 'headers': map{ 'Accept': 'application/rdf+xml' } }">
                     <xsl:call-template name="ldh:ClearNamespace"/>
                 </ixsl:schedule-action>
             </xsl:when>
@@ -678,7 +680,8 @@ exclude-result-prefixes="#all"
         <xsl:variable name="form-data" select="ldh:new('URLSearchParams', [ ldh:new('FormData', []) ])"/>
         <xsl:sequence select="ixsl:call($form-data, 'append', [ 'uri', $ontology-uri ])[current-date() lt xs:date('2000-01-01')]"/>
 
-        <ixsl:schedule-action http-request="map{ 'method': 'POST', 'href': resolve-uri('admin/clear', ldt:base()), 'media-type': 'application/x-www-form-urlencoded', 'body': $form-data, 'headers': map{ 'Accept': 'application/rdf+xml' } }">
+        <xsl:variable name="admin-base-uri" select="xs:anyURI(replace(ldt:base(), '^(https?://)', '$1admin.'))" as="xs:anyURI"/>
+        <ixsl:schedule-action http-request="map{ 'method': 'POST', 'href': resolve-uri('clear', $admin-base-uri), 'media-type': 'application/x-www-form-urlencoded', 'body': $form-data, 'headers': map{ 'Accept': 'application/rdf+xml' } }">
             <!-- bogus template call required because of Saxon-JS 2.4 bug: https://saxonica.plan.io/issues/5597 -->
             <xsl:call-template name="ldh:NoOp"/>
         </ixsl:schedule-action>
diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/functions.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/functions.xsl
index b5c1ad3a7..5e28ae843 100644
--- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/functions.xsl
+++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/functions.xsl
@@ -91,14 +91,6 @@ exclude-result-prefixes="#all"
     <xsl:function name="sd:endpoint" as="xs:anyURI">
         <xsl:sequence select="xs:anyURI(ixsl:get(ixsl:window(), 'LinkedDataHub.endpoint'))"/>
     </xsl:function>
-
-    <!-- finds the app with the longest matching base URI -->
-    <xsl:function name="ldh:match-app" as="element()?">
-        <xsl:param name="uri" as="xs:anyURI"/>
-        <xsl:param name="apps" as="document-node()"/>
-        
-        <xsl:sequence select="let $max-length := max($apps//rdf:Description[ldt:base/@rdf:resource[starts-with($uri, .)]]/string-length(ldt:base/@rdf:resource)) return ($apps//rdf:Description[ldt:base/@rdf:resource[starts-with($uri, .)]][string-length(ldt:base/@rdf:resource) eq $max-length])[1]"/>
-    </xsl:function>
     
     <xsl:function name="ldh:query-type" as="xs:string?">
         <xsl:param name="query-string" as="xs:string"/>
diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/modal.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/modal.xsl
index 959148b02..9ec93b640 100644
--- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/modal.xsl
+++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/client/modal.xsl
@@ -343,7 +343,8 @@ LIMIT   10
         <xsl:param name="id" select="'request-access'" as="xs:string?"/>
         <xsl:param name="button-class" select="'btn btn-primary btn-access-form'" as="xs:string?"/>
         <xsl:param name="accept-charset" select="'UTF-8'" as="xs:string?"/>
-        <xsl:param name="action" select="resolve-uri('admin/access/request', $ldt:base)" as="xs:anyURI"/> <!-- TO-DO: handle for admin apps -->
+        <xsl:param name="admin-base-uri" select="xs:anyURI(replace($ldt:base, '^(https?://)', '$1admin.'))" as="xs:anyURI"/>
+        <xsl:param name="action" select="resolve-uri('access/request', $admin-base-uri)" as="xs:anyURI"/> <!-- TO-DO: handle for admin apps -->
         <xsl:param name="legend-label" select="ac:label(key('resources', 'request-access', document(resolve-uri('static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/translations.rdf', $ac:contextUri))))" as="xs:string"/>
         <xsl:param name="agent" as="xs:anyURI"/>
         
@@ -705,7 +706,8 @@ LIMIT   10
     
     <xsl:template match="button[contains-token(@class, 'btn-access-form')]" mode="ixsl:onclick">
         <!-- TO-DO: fix for admin apps -->
-        <xsl:variable name="request-uri" select="ldh:href(resolve-uri('admin/access', $ldt:base), map{ 'this': string(ac:absolute-path(ldh:base-uri(.))) })" as="xs:anyURI"/>
+        <xsl:param name="admin-base-uri" select="xs:anyURI(replace($ldt:base, '^(https?://)', '$1admin.'))" as="xs:anyURI"/>
+        <xsl:variable name="request-uri" select="ldh:href(ac:build-uri(resolve-uri('access', $admin-base-uri), map{ 'this': string(ac:absolute-path(ldh:base-uri(.))) }))" as="xs:anyURI"/>
         <xsl:variable name="request" as="item()*">
             <ixsl:schedule-action http-request="map{ 'method': 'GET', 'href': $request-uri, 'headers': map{ 'Accept': 'application/rdf+xml' } }">
                 <xsl:call-template name="onAccessResponseLoad">
@@ -781,76 +783,63 @@ LIMIT   10
         <xsl:variable name="control-groups" select="descendant::div[contains-token(@class, 'control-group')]" as="element()*"/>
         <xsl:variable name="required-control-groups" select="$control-groups[contains-token(@class, 'required')]" as="element()*"/>
         <xsl:variable name="timeout" select="30000" as="xs:integer"/> <!-- schema load query timeout in milliseconds -->
-        
+
         <!-- clear the errors initially -->
         <xsl:for-each select="$control-groups">
-            <xsl:sequence select="ixsl:call(ixsl:get(., 'classList'), 'toggle', [ 'error', false() ])[current-date() lt xs:date('2000-01-01')]"/>        
+            <xsl:sequence select="ixsl:call(ixsl:get(., 'classList'), 'toggle', [ 'error', false() ])[current-date() lt xs:date('2000-01-01')]"/>
         </xsl:for-each>
-        
-        <xsl:choose>
-            <!-- required input values missing, throw an error -->
-            <xsl:when test="exists($required-control-groups/descendant::input[@name = ('ol', 'ou')][not(ixsl:get(., 'value'))])">
-                <xsl:sequence select="ixsl:call(ixsl:event(), 'preventDefault', [])"/>
-                <xsl:sequence select="$required-control-groups[descendant::input[@name = ('ol', 'ou')][not(ixsl:get(., 'value'))]]/ixsl:call(ixsl:get(., 'classList'), 'toggle', [ 'error', true() ])[current-date() lt xs:date('2000-01-01')]"/>
-            </xsl:when>
-            <!-- all required values present/valid, load schema -->
-            <xsl:otherwise>
-                <ixsl:set-style name="cursor" select="'progress'" object="ixsl:page()//body"/>
 
-                <!-- pre-process form before submitting it -->
-                <xsl:apply-templates select="ancestor::form" mode="ldh:FormPreSubmit"/>
-
-                <xsl:variable name="service-control-group" select="$fieldset/descendant::div[contains-token(@class, 'control-group')][input[@name = 'pu'][@value = '&ldh;service']]" as="element()"/>
-                <xsl:variable name="service-uri" select="$service-control-group/descendant::input[@name = 'ou']/ixsl:get(., 'value')" as="xs:anyURI?"/>
-                <xsl:variable name="limit-control-group" select="$fieldset/descendant::div[contains-token(@class, 'control-group')][input[@name = 'pu'][@value = '&sp;limit']]" as="element()"/>
-                <xsl:variable name="limit-string" select="$limit-control-group/descendant::input[@name = 'ol']/ixsl:get(., 'value')" as="xs:string"/>
-                <xsl:variable name="limit" select="xs:integer($limit-string)" as="xs:integer"/>
-                <xsl:variable name="select-string" select="$endpoint-classes-string" as="xs:string"/>
-                <xsl:variable name="select-json" as="item()">
-                    <xsl:variable name="select-builder" select="ixsl:call(ixsl:get(ixsl:get(ixsl:window(), 'SPARQLBuilder'), 'SelectBuilder'), 'fromString', [ $select-string ])"/>
-                    <xsl:sequence select="ixsl:call($select-builder, 'build', [])"/>
-                </xsl:variable>
-                <xsl:variable name="select-json-string" select="ixsl:call(ixsl:get(ixsl:window(), 'JSON'), 'stringify', [ $select-json ])" as="xs:string"/>
-                <xsl:variable name="select-xml" select="json-to-xml($select-json-string)" as="document-node()"/>
-                <!-- set LIMIT $limit -->
-                <xsl:variable name="select-xml" as="document-node()">
-                    <xsl:document>
-                        <xsl:apply-templates select="$select-xml" mode="ldh:replace-limit">
-                            <xsl:with-param name="limit" select="$limit" tunnel="yes"/>
-                        </xsl:apply-templates>
-                    </xsl:document>
-                </xsl:variable>
-                <xsl:variable name="query-json-string" select="xml-to-json($select-xml)" as="xs:string"/>
-                <xsl:variable name="query-json" select="ixsl:call(ixsl:get(ixsl:window(), 'JSON'), 'parse', [ $query-json-string ])"/>
-                <xsl:variable name="query-string" select="ixsl:call(ixsl:call(ixsl:get(ixsl:get(ixsl:window(), 'SPARQLBuilder'), 'SelectBuilder'), 'fromQuery', [ $query-json ]), 'toString', [])" as="xs:string"/>
-                <!-- use the specified endpoint if any, fall back to the internal one otherwise -->
-                <xsl:variable name="endpoint" as="xs:anyURI">
-                    <xsl:choose>
-                        <xsl:when test="$service-uri">
-                            <!-- TO-DO: asynchronous request -->
-                            <xsl:variable name="service-doc" select="document(ac:build-uri($ldt:base, map{ 'uri': ac:document-uri($service-uri), 'accept': 'application/rdf+xml' }))" as="document-node()"/> <!-- TO-DO: replace with <ixsl:schedule-action> -->
-                            <xsl:sequence select="key('resources', $service-uri, $service-doc)/sd:endpoint/@rdf:resource"/>
-                         </xsl:when>
-                         <xsl:otherwise>
-                             <xsl:sequence select="sd:endpoint()"/>
-                         </xsl:otherwise>
-                    </xsl:choose>
-                </xsl:variable>    
-                <xsl:variable name="results-uri" select="ac:build-uri($endpoint, map{ 'query': $query-string })" as="xs:anyURI"/>
-                <xsl:variable name="request-uri" select="ldh:href($results-uri)" as="xs:anyURI"/>
+        <ixsl:set-style name="cursor" select="'progress'" object="ixsl:page()//body"/>
 
-                <xsl:variable name="request" as="item()*">
-                    <ixsl:schedule-action http-request="map{ 'method': 'GET', 'href': $request-uri, 'headers': map{ 'Accept': 'application/sparql-results+xml' } }" wait="$timeout">
-                        <xsl:call-template name="onEndpointClassesLoad">
-                            <xsl:with-param name="container" select="$fieldset"/>
-                        </xsl:call-template>
-                    </ixsl:schedule-action>
-                </xsl:variable>
-                <xsl:sequence select="$request[current-date() lt xs:date('2000-01-01')]"/>
-            </xsl:otherwise>
-        </xsl:choose>
+        <xsl:variable name="service-control-group" select="$fieldset/descendant::div[contains-token(@class, 'control-group')][input[@name = 'pu'][@value = '&ldh;service']]" as="element()"/>
+        <xsl:variable name="service-uri" select="$service-control-group/descendant::input[@name = 'ou']/ixsl:get(., 'value')" as="xs:anyURI?"/>
+        <xsl:variable name="limit-control-group" select="$fieldset/descendant::div[contains-token(@class, 'control-group')][input[@name = 'pu'][@value = '&sp;limit']]" as="element()"/>
+        <xsl:variable name="limit-string" select="$limit-control-group/descendant::input[@name = 'ol']/ixsl:get(., 'value')" as="xs:string"/>
+        <xsl:variable name="limit" select="xs:integer($limit-string)" as="xs:integer"/>
+        <xsl:variable name="select-string" select="$endpoint-classes-string" as="xs:string"/>
+        <xsl:variable name="select-json" as="item()">
+            <xsl:variable name="select-builder" select="ixsl:call(ixsl:get(ixsl:get(ixsl:window(), 'SPARQLBuilder'), 'SelectBuilder'), 'fromString', [ $select-string ])"/>
+            <xsl:sequence select="ixsl:call($select-builder, 'build', [])"/>
+        </xsl:variable>
+        <xsl:variable name="select-json-string" select="ixsl:call(ixsl:get(ixsl:window(), 'JSON'), 'stringify', [ $select-json ])" as="xs:string"/>
+        <xsl:variable name="select-xml" select="json-to-xml($select-json-string)" as="document-node()"/>
+        <!-- set LIMIT $limit -->
+        <xsl:variable name="select-xml" as="document-node()">
+            <xsl:document>
+                <xsl:apply-templates select="$select-xml" mode="ldh:replace-limit">
+                    <xsl:with-param name="limit" select="$limit" tunnel="yes"/>
+                </xsl:apply-templates>
+            </xsl:document>
+        </xsl:variable>
+        <xsl:variable name="query-json-string" select="xml-to-json($select-xml)" as="xs:string"/>
+        <xsl:variable name="query-json" select="ixsl:call(ixsl:get(ixsl:window(), 'JSON'), 'parse', [ $query-json-string ])"/>
+        <xsl:variable name="query-string" select="ixsl:call(ixsl:call(ixsl:get(ixsl:get(ixsl:window(), 'SPARQLBuilder'), 'SelectBuilder'), 'fromQuery', [ $query-json ]), 'toString', [])" as="xs:string"/>
+        <!-- use the specified endpoint if any, fall back to the internal one otherwise -->
+        <xsl:variable name="endpoint" as="xs:anyURI">
+            <xsl:choose>
+                <xsl:when test="$service-uri">
+                    <!-- TO-DO: asynchronous request -->
+                    <xsl:variable name="service-doc" select="document(ac:build-uri($ldt:base, map{ 'uri': ac:document-uri($service-uri), 'accept': 'application/rdf+xml' }))" as="document-node()"/> <!-- TO-DO: replace with <ixsl:schedule-action> -->
+                    <xsl:sequence select="key('resources', $service-uri, $service-doc)/sd:endpoint/@rdf:resource"/>
+                 </xsl:when>
+                 <xsl:otherwise>
+                     <xsl:sequence select="sd:endpoint()"/>
+                 </xsl:otherwise>
+            </xsl:choose>
+        </xsl:variable>    
+        <xsl:variable name="results-uri" select="ac:build-uri($endpoint, map{ 'query': $query-string })" as="xs:anyURI"/>
+        <xsl:variable name="request-uri" select="ldh:href($results-uri)" as="xs:anyURI"/>
+
+        <xsl:variable name="request" as="item()*">
+            <ixsl:schedule-action http-request="map{ 'method': 'GET', 'href': $request-uri, 'headers': map{ 'Accept': 'application/sparql-results+xml' } }" wait="$timeout">
+                <xsl:call-template name="onEndpointClassesLoad">
+                    <xsl:with-param name="container" select="$fieldset"/>
+                </xsl:call-template>
+            </ixsl:schedule-action>
+        </xsl:variable>
+        <xsl:sequence select="$request[current-date() lt xs:date('2000-01-01')]"/>
     </xsl:template>
-    
+
     <!-- validate form before submitting it and show errors on required control-groups where input values are missing -->
     <xsl:template match="form[@id = 'form-request-access']" mode="ixsl:onsubmit" priority="1">
         <xsl:sequence select="ixsl:call(ixsl:event(), 'preventDefault', [])"/>
@@ -965,16 +954,6 @@ LIMIT   10
                 
                 <xsl:choose>
                     <xsl:when test="?status = (200, 204)">
-<!--                         load document 
-                        <xsl:variable name="request" as="item()*">
-                            <ixsl:schedule-action http-request="map{ 'method': 'GET', 'href': $uri, 'headers': map{ 'Accept': 'application/xhtml+xml' } }">
-                                <xsl:call-template name="ldh:DocumentLoaded">
-                                    <xsl:with-param name="href" select="ac:build-uri(ac:absolute-path($uri), map{ 'mode': '&ac;ReadMode'})"/>
-                                </xsl:call-template>
-                            </ixsl:schedule-action>
-                        </xsl:variable>
-                        <xsl:sequence select="$request[current-date() lt xs:date('2000-01-01')]"/>-->
-                        
                         <xsl:variable name="request" select="map{ 'method': 'GET', 'href': $uri, 'headers': map{ 'Accept': 'application/xhtml+xml' } }" as="map(*)"/>
                         <xsl:variable name="context" select="
                           map{
@@ -1020,18 +999,6 @@ LIMIT   10
             <xsl:when test="ixsl:get($form, 'id') = 'form-generate-containers'">
                 <xsl:variable name="control-group" select="$form/descendant::div[contains-token(@class, 'control-group')][input[@name = 'pu'][@value = '&sioc;has_parent']]" as="element()*"/>
                 <xsl:variable name="uri" select="$control-group/descendant::input[@name = 'ou']/ixsl:get(., 'value')" as="xs:anyURI"/>
-                
-<!--                 load document 
-                <xsl:variable name="request" as="item()*">
-                    <ixsl:schedule-action http-request="map{ 'method': 'GET', 'href': $uri, 'headers': map{ 'Accept': 'application/xhtml+xml' } }">
-                        <xsl:call-template name="ldh:DocumentLoaded">
-                            <xsl:with-param name="href" select="ac:absolute-path($uri)"/>
-                            <xsl:with-param name="refresh-content" select="true()"/>  make sure content (e.g. containers) do not use a stale response 
-                        </xsl:call-template>
-                    </ixsl:schedule-action>
-                </xsl:variable>
-                <xsl:sequence select="$request[current-date() lt xs:date('2000-01-01')]"/>-->
-                
                 <xsl:variable name="request" select="map{ 'method': 'GET', 'href': $uri, 'headers': map{ 'Accept': 'application/xhtml+xml' } }" as="map(*)"/>
                 <xsl:variable name="context" select="
                   map{
@@ -1105,7 +1072,7 @@ LIMIT   10
         <xsl:context-item as="map(*)" use="required"/>
         <xsl:param name="container" as="element()"/>
         <xsl:param name="arg-bnode-id" select="'generate'" as="xs:string"/>
-        
+
         <!-- append the controls for the class list if they don't exist -->
         <xsl:for-each select="$container[not(./div[contains-token(@class, 'endpoint-classes')])]">
             <xsl:result-document href="http://github.com/?." method="ixsl:append-content">
@@ -1122,7 +1089,7 @@ LIMIT   10
             <xsl:when test="?status = 200 and ?media-type = 'application/sparql-results+xml'">
                 <xsl:for-each select="?body">
                     <xsl:variable name="results" select="." as="document-node()"/>
-                    
+
                     <!-- populate the class list within div.controls -->
                     <xsl:for-each select="$container//div[contains-token(@class, 'endpoint-classes')]/div">
                         <xsl:result-document href="http://github.com/?." method="ixsl:replace-content">
diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl
index 6d4b128cc..126381977 100644
--- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl
+++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl
@@ -97,6 +97,7 @@ exclude-result-prefixes="#all">
     <xsl:output method="xhtml" encoding="UTF-8" indent="yes" omit-xml-declaration="yes" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" media-type="application/xhtml+xml"/>
 
     <xsl:param name="ldh:base" as="xs:anyURI" static="yes"/>
+    <xsl:param name="ldh:origin" as="xs:anyURI"/>
     <xsl:param name="ldh:requestUri" as="xs:anyURI"/>
     <xsl:param name="ac:endpoint" select="resolve-uri('sparql', $ldt:base)" as="xs:anyURI"/>
     <xsl:param name="sd:endpoint" as="xs:anyURI?"/>
@@ -267,12 +268,10 @@ LIMIT   100
 
     <xsl:template match="rdf:RDF" mode="xhtml:Title">
         <title>
-            <xsl:if test="$lapp:Application">
-                <xsl:value-of>
-                    <xsl:apply-templates select="$lapp:Application//*[ldt:base/@rdf:resource = $ldt:base]" mode="ac:label"/>
-                </xsl:value-of>
-                <xsl:text> - </xsl:text>
-            </xsl:if>
+            <xsl:value-of>
+                <xsl:apply-templates select="$lapp:Application//*[ldh:origin/@rdf:resource = $ldh:origin]" mode="ac:label"/>
+            </xsl:value-of>
+            <xsl:text> - </xsl:text>
 
             <xsl:apply-templates mode="#current"/>
         </title>
@@ -326,8 +325,8 @@ LIMIT   100
             </xsl:for-each>
         </xsl:for-each>
 
-        <xsl:if test="$lapp:Application//*[ldt:base/@rdf:resource = $ldt:base]">
-            <meta property="og:site_name" content="{ac:label($lapp:Application//*[ldt:base/@rdf:resource = $ldt:base])}"/>
+        <xsl:if test="$lapp:Application//*[ldh:origin/@rdf:resource = $ldh:origin]">
+            <meta property="og:site_name" content="{ac:label($lapp:Application//*[ldh:origin/@rdf:resource = $ldh:origin])}"/>
         </xsl:if>
     </xsl:template>
 
@@ -550,12 +549,12 @@ LIMIT   100
 
     <xsl:template match="rdf:RDF | srx:sparql" mode="bs2:Brand">
         <a class="brand" href="http://github.com/%7B$ldt:base%7D">
-            <xsl:if test="$lapp:Application//*[ldt:base/@rdf:resource = $ldt:base]/rdf:type/@rdf:resource = '&lapp;AdminApplication'">
+            <xsl:if test="$lapp:Application//*[ldh:origin/@rdf:resource = $ldh:origin]/rdf:type/@rdf:resource = '&lapp;AdminApplication'">
                 <xsl:attribute name="class" select="'brand admin'"/>
             </xsl:if>
 
             <xsl:value-of>
-                <xsl:apply-templates select="$lapp:Application//*[ldt:base/@rdf:resource = $ldt:base]" mode="ac:label"/>
+                <xsl:apply-templates select="$lapp:Application//*[ldh:origin/@rdf:resource = $ldh:origin]" mode="ac:label"/>
             </xsl:value-of>
         </a>
     </xsl:template>
@@ -714,14 +713,14 @@ LIMIT   100
                             </button>
                             <ul class="dropdown-menu pull-right">
                                 <xsl:variable name="apps" select="document($app-request-uri)" as="document-node()"/>
-                                <xsl:for-each select="$apps//*[ldt:base/@rdf:resource]">
+                                <xsl:for-each select="$apps//*[ldh:origin/@rdf:resource]">
                                     <xsl:sort select="ac:label(.)" order="ascending" lang="{$ldt:lang}"/>
                                     <li>
 <!--                                        <xsl:if test="$active">
                                             <xsl:attribute name="class" select="'active'"/>
                                         </xsl:if>-->
 
-                                        <a href="http://github.com/%7Bldt:base/@rdf:resource%7D" title="{ldt:base/@rdf:resource}">
+                                        <a href="http://github.com/%7Bldh:origin/@rdf:resource%7D" title="{ldh:origin/@rdf:resource}">
                                             <xsl:apply-templates select="." mode="ac:label"/>
                                         </a>
                                     </li>
@@ -756,10 +755,12 @@ LIMIT   100
         <xsl:apply-templates select="." mode="bs2:SignUp"/>
     </xsl:template>
 
+    <!-- SIGNUP -->
+    
     <xsl:template match="rdf:RDF[not($foaf:Agent//@rdf:about)][$lapp:Application//rdf:type/@rdf:resource = '&lapp;EndUserApplication'] | srx:sparql[not($foaf:Agent//@rdf:about)][$lapp:Application//rdf:type/@rdf:resource = '&lapp;EndUserApplication']" mode="bs2:SignUp" priority="1">
-        <!-- resolve links against the base URI of LinkedDataHub and not of the current app, as we want signups to always go the root app -->
-        <xsl:param name="google-signup-uri" select="ac:build-uri(resolve-uri('admin/oauth2/authorize/google', $ldh:base), map{ 'referer': string(ac:absolute-path(ldh:request-uri())) })" as="xs:anyURI"/>
-        <xsl:param name="webid-signup-uri" select="resolve-uri('admin/sign%20up', $ldh:base)" as="xs:anyURI"/>
+        <!-- resolve links against the origin URI of the admin app -->
+        <xsl:param name="google-signup-uri" select="ac:build-uri(resolve-uri('oauth2/authorize/google', $lapp:Application//*[rdf:type/@rdf:resource = '&lapp;AdminApplication']/ldh:origin/@rdf:resource), map{ 'referer': string(ac:absolute-path(ldh:request-uri())) })" as="xs:anyURI"/>
+        <xsl:param name="webid-signup-uri" select="resolve-uri('sign%20up', $lapp:Application//*[rdf:type/@rdf:resource = '&lapp;AdminApplication']/ldh:origin/@rdf:resource)" as="xs:anyURI"/>
         <xsl:param name="google-signup" select="exists($google:clientID)" as="xs:boolean"/>
         <xsl:param name="webid-signup" select="$ldhc:enableWebIDSignUp" as="xs:boolean"/>
         
@@ -773,7 +774,7 @@ LIMIT   100
                     </a>
                 </xsl:if>
                 <xsl:if test="$webid-signup">
-                    <a class="btn btn-primary" href="http://github.com/%7Bif%20(not(starts-with($ldt:base,%20$ldh:base)))%20then%20ac:build-uri((),%20map%7B'uri': string($webid-signup-uri) }) else $webid-signup-uri}">
+                    <a class="btn btn-primary" href="http://github.com/%7Bif%20(not(starts-with($ldt:base,%20$ldh:origin)))%20then%20ac:build-uri((),%20map%7B'uri': string($webid-signup-uri) }) else $webid-signup-uri}">
                         <xsl:value-of>
                             <xsl:apply-templates select="key('resources', 'sign-up', document('translations.rdf'))" mode="ac:label"/>
                         </xsl:value-of>
@@ -785,7 +786,7 @@ LIMIT   100
     
     <xsl:template match="*" mode="bs2:SignUp"/>
     
-    <xsl:template match="*[ldt:base/@rdf:resource]" mode="bs2:AppListItem">
+    <xsl:template match="*[ldh:origin/@rdf:resource]" mode="bs2:AppListItem">
         <xsl:param name="active" as="xs:boolean?"/>
         
         <li>
@@ -793,7 +794,7 @@ LIMIT   100
                 <xsl:attribute name="class" select="'active'"/>
             </xsl:if>
 
-            <a href="http://github.com/%7Bldt:base/@rdf:resource[starts-with(.,%20$ac:contextUri)]%7D" title="{ldt:base/@rdf:resource[starts-with(., $ac:contextUri)]}">
+            <a href="http://github.com/%7Bldh:origin/@rdf:resource%7D" title="{ldh:origin/@rdf:resource}">
                 <xsl:value-of>
                     <xsl:apply-templates select="." mode="ac:label"/>
                 </xsl:value-of>
@@ -1216,10 +1217,10 @@ LIMIT   100
             </button>
 
             <ul class="dropdown-menu">
-                <xsl:if test="$foaf:Agent//@rdf:about and $lapp:Application//*[ldt:base/@rdf:resource = $ldt:base]/rdf:type/@rdf:resource = '&lapp;EndUserApplication'">
+                <xsl:if test="$foaf:Agent//@rdf:about and $lapp:Application//*[ldh:origin/@rdf:resource = $ldh:origin]/rdf:type/@rdf:resource = '&lapp;EndUserApplication'">
                     <li>
                         <xsl:for-each select="$lapp:Application">
-                            <a href="http://github.com/%7Bkey('resources', //*[ldt:base/@rdf:resource = $ldt:base]/lapp:adminApplication/(@rdf:resource, @rdf:nodeID))/ldt:base/@rdf:resource[starts-with(., $ac:contextUri)]}" target="_blank">
+                            <a href="http://github.com/%7Bkey('resources', //*[ldh:origin/@rdf:resource = $ldh:origin]/lapp:adminApplication/(@rdf:resource, @rdf:nodeID))/ldh:origin/@rdf:resource}" target="_blank">
                                 <xsl:value-of>
                                     <xsl:apply-templates select="key('resources', 'administration', document('translations.rdf'))" mode="ac:label"/>
                                 </xsl:value-of>
diff --git a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/client.xsl b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/client.xsl
index d3f246974..5e824c94d 100644
--- a/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/client.xsl
+++ b/src/main/webapp/static/com/atomgraph/linkeddatahub/xsl/client.xsl
@@ -493,11 +493,11 @@ WHERE
                 <xsl:result-document href="#breadcrumb-nav" method="ixsl:replace-content">
                     <!-- show label if the resource is external -->
                     <xsl:if test="not(starts-with($uri, $ldt:base))">
-                        <xsl:variable name="app" select="ldh:match-app($uri, ixsl:get(ixsl:window(), 'LinkedDataHub.apps'))" as="element()?"/>
+                        <xsl:variable name="app" select="ixsl:get(ixsl:window(), 'LinkedDataHub.apps')//rdf:Description[ldh:origin/@rdf:resource = ldh:origin(ldt:base())]" as="element()?"/>
                         <xsl:choose>
                             <!-- if a known app matches $uri, show link to its ldt:base -->
                             <xsl:when test="$app">
-                                <a href="http://github.com/%7B$app/ldt:base/@rdf:resource%7D" class="label label-info pull-left">
+                                <a href="http://github.com/%7B$app/ldh:origin/@rdf:resource%7D" class="label label-info pull-left">
                                     <xsl:apply-templates select="$app" mode="ac:label"/>
                                 </a>
                             </xsl:when>