diff --git a/helm/keycloak/conf/dev/secrets.yaml b/helm/keycloak/conf/dev/secrets.yaml
index ce0d4f369..880ec6e00 100644
--- a/helm/keycloak/conf/dev/secrets.yaml
+++ b/helm/keycloak/conf/dev/secrets.yaml
@@ -40,6 +40,7 @@ config-cli:
 CLIENT_ATINGI_SECRET: ENC[AES256_GCM,data:DlY0gi1K4PZhrwL0bUrbRdPkJj8OVPR/Henggpg=,iv:WIJmW95F6u+zkuQjTnRkqqJ58pYm9XWECKAJm1Q/gkY=,tag:wcB1LUwxwcMEubpy3MbH1A==,type:str]
 CLIENT_GOODWALL_SECRET: ENC[AES256_GCM,data:Y/IoysB71OyJtgQVgTa4Ypd19n1SsOmf1DoTKUg+KA==,iv:bs6fedJHR21Kr+dr29nQTNAVsoV0ztV8EjiOpku1EYA=,tag:OWBd7Y8RtR+Nodk0UKy70A==,type:str]
 CLIENT_YOMA_WEB_SECRET: ENC[AES256_GCM,data:6LJwVl9n5sN7BC5gR6twkO2l2v/mqy66KZQYbYJp,iv:FUAlvaJjkvrEK8i5XNSc3jag9NsVoSSs3trpAye/csU=,tag:/o/t+8wrGFvWemaTFcR3aQ==,type:str]
+ CLIENT_YOUTHHUB_SECRET: ENC[AES256_GCM,data:btr6Oo0FcA6POe9cPxg3/InbBfm1ZUWLCbfbiH4Gmw==,iv:KCG4VME1zeR9ZUyHgMJIUTQdr76toQFhV+AdBTPB9MM=,tag:aZvoMhcRa/EOXjl2Xz0CVA==,type:str]
 sops:
 kms:
 - arn: arn:aws:kms:eu-west-1:210913241065:alias/helm/yoma-dev
@@ -54,8 +55,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-07-29T07:21:28Z"
- mac: ENC[AES256_GCM,data:f0IgtC3m48QjEfaxx23ZS6YFOkcCmhrCFZr4msYfltQ3k6qbk6Qbe7GvJLnWpHETB5+B6OjRVfPciC6p1Y3C4Juf+Xa++5PUPf9D5PxAKcNI/SL8LKhejgmARlE2JfbfYd7bWNJZvYJy6CGR+jlgE4RnxuU7XbYgKABxjMhF/A0=,iv:XF+41nyyJpG/y8vgU4xw3TUWsS1ABCnIZnBSbssIyPo=,tag:ZMyqGPn2MKRicykri5hKkQ==,type:str]
+ lastmodified: "2024-08-28T10:27:43Z"
+ mac: ENC[AES256_GCM,data:rLPy6oDRJdxYHgaTT0Oh6Wqt7oL6CS70+BXPxfXt/Vu7GNLHn+VPfJ5gcFD5/6t5NwtH6ZJXCLycebnU4LKT8RpeZ/Ry4iBfebQv4cyqGEfK+pEXmir6kiRtbQT0/MdhjSpYAknSMwfMPSqehaPhH4eKs1IUhMshwbVONsKUYzQ=,iv:jTYLNTT1Iu4xPK+gGUOTt/l5e093rNSnDQ5R85nWB7g=,tag:YAB5dA7sHZn29b8PpfyO7A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/helm/keycloak/conf/dev/values.yaml b/helm/keycloak/conf/dev/values.yaml
index 412b2713d..48b65258e 100644
--- a/helm/keycloak/conf/dev/values.yaml
+++ b/helm/keycloak/conf/dev/values.yaml
@@ -87,6 +87,8 @@ config-cli:
 CLIENT_ATINGI_URL_POST_LOGOUT_REDIRECT: https://keycloak-preprod.enovationaws.com/realms/master/broker/yoma-prod/endpoint
 CLIENT_GOODWALL_URL: https://dev.goodlab.io
 CLIENT_GOODWALL_URL_REDIRECT: goodwallauth://yomaredirect
+ CLIENT_YOUTHHUB_URL: ""
+ CLIENT_YOUTHUB_URL_REDIRECT: ""
 init:
 enabled: true
diff --git a/helm/keycloak/conf/local/secrets.yaml b/helm/keycloak/conf/local/secrets.yaml
index 963f8eac6..ff59ebb99 100644
--- a/helm/keycloak/conf/local/secrets.yaml
+++ b/helm/keycloak/conf/local/secrets.yaml
@@ -19,6 +19,7 @@ config-cli:
 CLIENT_ATINGI_SECRET: ENC[AES256_GCM,data:DlY0gi1K4PZhrwL0bUrbRdPkJj8OVPR/Henggpg=,iv:WIJmW95F6u+zkuQjTnRkqqJ58pYm9XWECKAJm1Q/gkY=,tag:wcB1LUwxwcMEubpy3MbH1A==,type:str]
 CLIENT_GOODWALL_SECRET: ENC[AES256_GCM,data:DzFuS3U4oTKZawUl7jg9ZGk38sD1rX6g32Vnhd8=,iv:id5nH3AklptsJ5aCwviIo23FGUe/+ZE/jOmNy4Cud/I=,tag:YZq8xsXvJfbzazXVuVa7kA==,type:str]
 CLIENT_YOMA_WEB_SECRET: ENC[AES256_GCM,data:UzBrGdSpa/Nmg1/Y4oBqERRpCSpLlgmNVPWoRg/H,iv:EOVVEVW5cQYqmUvAzjxI1ndXunLrjs6RS8gNheMF6ZY=,tag:igOVNfhqWHasgnMAIaizFQ==,type:str]
+ CLIENT_YOUTHHUB_SECRET: ENC[AES256_GCM,data:zeT55pDqD/map/TTAdAm6giSVtUlpkpGmYDB1c4H+g==,iv:dYAQsDlFEJbMtyaJx0o6++2f3rYrVsGs6mdMrHPsgyU=,tag:E1SCtQZWVcQPX8GS37IoFA==,type:str]
 sops:
 kms:
 - arn: arn:aws:kms:eu-west-1:210913241065:alias/helm/yoma-dev
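Review bot: `CLIENT_YOUTHUB_URL_REDIRECT` on the second added line is missing an H relative to `CLIENT_YOUTHHUB_URL` directly above it and to the `CLIENT_YOUTHHUB_SECRET` key in the secrets files; the realm export in this commit reads `$(env:CLIENT_YOUTHUB_URL_REDIRECT)` with the same misspelling, so dev happens to resolve, but the local/prod/stage values files use yet another spelling and will not. Both values are also empty strings, so the `youthhub` client is created with an empty rootUrl, an empty webOrigins entry and an empty redirect-URI entry while it is `enabled: true`. I would rename this to `CLIENT_YOUTHHUB_URL_REDIRECT: ""` (and the realm placeholder to match) and either fill in the dev URLs or keep the client disabled until they exist. The `config-cli` mapping this sits in starts outside the hunk.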
@@ -33,8 +34,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-07-29T07:21:43Z"
- mac: ENC[AES256_GCM,data:Ijbp2n4IOn+es3Uv8EWwlWNh1SJCtgGbov4ItTyyMqbbr5N3/mf0pFHodEq18fV5rqr9WAz8dEuCi3Xv0NJKpdh8epAe8O9nZkR0hwjtJO4Q+wP6Oph2dXTJ218ExqpzK58zyN2KKeYVAF45MCZGQRTUp4oU9BJeBvI22S6YmPU=,iv:e/KRfzqI08WCK+kdOdqe80hyAh4/l3IGH5/Ratc8nE4=,tag:8OoaxFR3fIoCbizs3hvojw==,type:str]
+ lastmodified: "2024-08-28T10:28:09Z"
+ mac: ENC[AES256_GCM,data:ruquB2U38rjmoCZeFozeqmkWQTYZyLhOGXZKjbEFNW6Ao0nnB2/yY/D+vMmmQU6BPkxK5XDwmw6wyvf1/xcotFmkhsZR3Q/0oT9MXkhcsZDAsGHzftH68Hk19gOSprSWS+HPbI8ZiQtOeXzdYo9la1u9WmD1GIQxUPb6ihr4vNA=,iv:Uss2URU0U8P+JoKgr2kGK3V8W9jG6pJ55GjFjBTI+Lw=,tag:gZJnzrDNrmlJBGNCBwcw3A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/helm/keycloak/conf/local/values.yaml b/helm/keycloak/conf/local/values.yaml
index 21e4e07b2..f82506fb6 100644
--- a/helm/keycloak/conf/local/values.yaml
+++ b/helm/keycloak/conf/local/values.yaml
@@ -139,6 +139,8 @@ config-cli:
 CLIENT_ATINGI_URL_POST_LOGOUT_REDIRECT: https://keycloak-preprod.enovationaws.com/realms/master/broker/yoma-prod/endpoint
 CLIENT_GOODWALL_URL: https://dev.goodlab.io
 CLIENT_GOODWALL_URL_REDIRECT: goodwallauth://yomaredirect
+ CLIENT_YOUTH_HUB_URL: ""
+ CLIENT_YOUTH_HUB_URL_REDIRECT: ""
 init:
 enabled: true
diff --git a/helm/keycloak/conf/prod/secrets.yaml b/helm/keycloak/conf/prod/secrets.yaml
index be5839278..1e94060bc 100644
--- a/helm/keycloak/conf/prod/secrets.yaml
+++ b/helm/keycloak/conf/prod/secrets.yaml
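Review bot: The keys added to local/values.yaml, `CLIENT_YOUTH_HUB_URL` and `CLIENT_YOUTH_HUB_URL_REDIRECT`, do not match the placeholders the realm export consumes (`$(env:CLIENT_YOUTHHUB_URL)` and `$(env:CLIENT_YOUTHUB_URL_REDIRECT)`), nor the `CLIENT_YOUTHHUB_*` spelling used in dev/values.yaml and in every secrets file. As written these two values are never read, and the realm's rootUrl, webOrigins and redirect placeholders are left undefined for the local environment; whether keycloak-config-cli then fails the import or substitutes an empty or literal value depends on its var-substitution settings, which are not visible here. Rename to `CLIENT_YOUTHHUB_URL: ""` and `CLIENT_YOUTHHUB_URL_REDIRECT: ""` and align the realm placeholder to that spelling. The enclosing `config-cli` mapping starts outside the hunk.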
@@ -19,6 +19,7 @@ config-cli:
 CLIENT_ATINGI_SECRET: ENC[AES256_GCM,data:vE6SmopFwiyZLum5ieuggToFL42QNKFpCUDm1TWRGdCY6tp9o+bosUl7NXgvyZQZaAkDnARnK5p88yVopHxd0A==,iv:bv4PD4UnUwWk0IKfbuwX9v8ckfYHFDR09KplS0T4xwg=,tag:1paHr+pvPGSRAZe5kT4gyw==,type:str]
 CLIENT_GOODWALL_SECRET: ENC[AES256_GCM,data:C73yEEKzkVGmVcolcqqmmERQBm1z8HImt4/s3DsIRuYatvkhgSR3zwiLsvB583UbziyBPBdzT9BZ5WPrAVQfEQ==,iv:bNwjc70HtWSh7Dw7Fw7MkD0H/YfFeq3LqBejEiakKXc=,tag:HoZym31S/7EY8JGygHGN4w==,type:str]
 CLIENT_YOMA_WEB_SECRET: ENC[AES256_GCM,data:3r2qJjYy5glkPvZd8A0wq75Kij50XuFH9IufA7DcNvmfx4klDHEawN+l+q/irrQr/OMsexKCgV0xg6UuwV2x6w==,iv:kuymcYMqtc6hx8/Rv+4gYN00GccXWVcr/bbSkbKU2GE=,tag:6WM/PMi/7WVmEV8bRTRvxg==,type:str]
+ CLIENT_YOUTHHUB_SECRET: ENC[AES256_GCM,data:lJ81IKxoKhyjdINVGZlECuZTvE7nCliG5B4KQ5NPObyFlDy8QD4tTkPgokkuMhJ8FakgwJGiZH0ZwqfQ3wa5RA==,iv:5A89dC28DSq1a14aAjrE6LL2Lj5Yz4Ci/cvHhiNgt70=,tag:j1ytbLFiWKRC4qpwYiQ8/Q==,type:str]
 sops:
 kms:
 - arn: arn:aws:kms:eu-west-1:645438834644:alias/helm/yoma-prod
@@ -33,8 +34,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-07-29T07:21:52Z"
- mac: ENC[AES256_GCM,data:V1e0QvQl4prFG7UXaQST2Oz/lzPOMk3Udr36pVsHK3lj9OXl1V4SuMzAWyLJjaMTBprDvkjh2xk5tkYjYwj6/6H/GnawHLdAdjpNQk4zd1v0iWP1KfngAOhNN4tDDuXekK5e5WrHUBoDvRyunXK2zgd27Im2IqtFczwgmZ/6mr8=,iv:jwh32O52eHk+DL9otJPxncTSgjG2fEoMA52QlvKzl3k=,tag:tbzXPsbGFWnZKfsOaCJBUQ==,type:str]
+ lastmodified: "2024-08-28T10:29:03Z"
+ mac: ENC[AES256_GCM,data:LCVlmn5AAKbnb0etqZ8vkWsYt/qFTDYRyeOd4k4FgP8v9iEM5ffJGJUzFnjaG06OoKMbX7UcJTFCRAQ44aueRJ59GE8WgFWgtKBfXh5gxgjNTpmg5ANWG4cx1GuopUaxfgbYOohwJQKy1eTAetxvKf5KsfL1aKXZMlY9xazSzNM=,iv:0eGvgsFNmek/waf487ZofWzvedAPa77KaefLWTocuJE=,tag:eAFPsmFUnPXxQ7oDK/lAtA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/helm/keycloak/conf/prod/values.yaml b/helm/keycloak/conf/prod/values.yaml
index bcdde4fba..35e8d4d76 100644
--- a/helm/keycloak/conf/prod/values.yaml
+++ b/helm/keycloak/conf/prod/values.yaml
@@ -106,6 +106,8 @@ config-cli:
 CLIENT_ATINGI_URL_POST_LOGOUT_REDIRECT: https://keycloak.atingi.org/realms/master/broker/yoma-prod/endpoint
 CLIENT_GOODWALL_URL: https://www.goodwall.io
 CLIENT_GOODWALL_URL_REDIRECT: goodwallauth://yomaredirect
+ CLIENT_YOUTH_HUB_URL: ""
+ CLIENT_YOUTH_HUB_URL_REDIRECT: ""
 init:
 enabled: true
diff --git a/helm/keycloak/conf/stage/secrets.yaml b/helm/keycloak/conf/stage/secrets.yaml
index 6db4a1df6..929dfeccb 100644
--- a/helm/keycloak/conf/stage/secrets.yaml
+++ b/helm/keycloak/conf/stage/secrets.yaml
@@ -19,6 +19,7 @@ config-cli:
 CLIENT_ATINGI_SECRET: ENC[AES256_GCM,data:m+fzZill4lqXRQeX3goQKyshdGyCoKNix2TMcsR8ri4=,iv:sVRhQBH904YUFv2GkTNPdxDV86F7pS1YMtzl2T6jC/U=,tag:Pg4LEIZP9JEIKa91e7EbJg==,type:str]
 CLIENT_GOODWALL_SECRET: ENC[AES256_GCM,data:hVpX9E7FsTrID/DVNExopvwR8QSidMVaoUjfSWqDa1w=,iv:7KA2c4jHPRjwkULWJy20SRQJcV6Cj9kDE1Uaf7soyNY=,tag:pa/mX7sAxO1Dx/9MXuu9Xg==,type:str]
 CLIENT_YOMA_WEB_SECRET: ENC[AES256_GCM,data:7D6yNZlI7POTGvKVW43NUyoVnypAwkqjir0qZIbqBDc=,iv:5WVMBei1FpuNvX4uIulWL10dbu35uJBzINYEYOwUcGA=,tag:NbopwOv/pAGpemBuaNIUBA==,type:str]
+ CLIENT_YOUTHHUB_SECRET: ENC[AES256_GCM,data:mi1UDCn2gEu19SWProEPVBEgMWwQyA7ZULwbeCCsBLk=,iv:L7kVMJN9ZEO25OAetYSRLCAz8wLueqTWfM+0aJq2tws=,tag:h7I9SO2hbjP+2xwnZyA+fw==,type:str]
 sops:
 kms:
 - arn: arn:aws:kms:eu-west-1:645438834644:alias/helm/yoma-stage
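Review bot: `CLIENT_YOUTH_HUB_URL` and `CLIENT_YOUTH_HUB_URL_REDIRECT` in prod/values.yaml are not the names the realm export reads (`CLIENT_YOUTHHUB_URL`, `CLIENT_YOUTHUB_URL_REDIRECT`), so the production `youthhub` client's rootUrl, webOrigins and second redirect URI come from unset variables rather than from these values. Even once the names line up the values are empty, which means a confidential client with `enabled: true` and `serviceAccountsEnabled: true` goes live in prod with no registered origin or URL at all. I would not merge a prod entry in this state: rename the keys to `CLIENT_YOUTHHUB_URL` / `CLIENT_YOUTHHUB_URL_REDIRECT` and populate them, or leave the client out of prod until the partner's URLs are known. The `config-cli` mapping starts outside the hunk.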
@@ -33,8 +34,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-07-29T07:22:03Z"
- mac: ENC[AES256_GCM,data:VzQ9L9QcGWQkPVIEIVGtqJ4FdQroAV8TUs1cX9dFL0FiCKF8fhnj0yEMhY46uQqhGMpl6ljDPJniLQA8rhQPsLE/qk7n2pDN6jQpvbYN+dvDv9sHkmK+JKPJf4P0PyTz3/ufvMbfKPvInA4l5rOL7NrQTkKu/R1bc7dYV67vKtY=,iv:pk85jVmdI5Tg6kV8ZdhRkeJ2bFMC9yCuT2zsF+pIi0g=,tag:mAkeu1+IlkvO34toSF9w+w==,type:str]
+ lastmodified: "2024-08-28T10:29:24Z"
+ mac: ENC[AES256_GCM,data:uo6eR8BAH6UeTuO9EFWxK9X5GXxxiN2QhyYPMRbyCtEKoMFT6Fe6sM4kKCGln1G383HsGv3vK3C1Dk35MVLXRalmbE1/JEhd7f7laJ3Je+pdKhfGSFQtdHRVhvLyrvOcF5sRrc3Y4b38ovBQMW96Bi1R1WcTXSKX9PZo0Xd2L3A=,iv:Vzf7e7a1lCKs5ZxZORJaZt7fNDMvkX/+xqv+hMpodE4=,tag:W+Z+Fog6kmRrLGA6w08e4A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/helm/keycloak/conf/stage/values.yaml b/helm/keycloak/conf/stage/values.yaml
index 98818adb2..edbb96998 100644
--- a/helm/keycloak/conf/stage/values.yaml
+++ b/helm/keycloak/conf/stage/values.yaml
@@ -93,6 +93,8 @@ config-cli:
 CLIENT_ATINGI_URL_POST_LOGOUT_REDIRECT: https://keycloak-preprod.enovationaws.com/realms/master/broker/yoma-prod/endpoint
 CLIENT_GOODWALL_URL: https://dev.goodlab.io
 CLIENT_GOODWALL_URL_REDIRECT: goodwallauth://yomaredirect
+ CLIENT_YOUTH_HUB_URL: ""
+ CLIENT_YOUTH_HUB_URL_REDIRECT: ""
 init:
 enabled: true
diff --git a/src/api/docker-compose.yml b/src/api/docker-compose.yml
index f4c42582c..b26d8a284 100644
--- a/src/api/docker-compose.yml
+++ b/src/api/docker-compose.yml
@@ -153,6 +153,9 @@ services:
 CLIENT_YOMA_WEB_SECRET: superSecretYomaWebClientSecret
 CLIENT_ATINGI_SECRET: superSecretAtingiClientSecret
 CLIENT_GOODWALL_SECRET: superSecretAtingiClientSecret
+ CLIENT_YOUTH_HUB_SECRET: superSecretYouthHubClientSecret
+ CLIENT_YOUTHHUB_URL: ""
+ CLIENT_YOUTHHUB_URL_REDIRECT: ""
 SA_YOMA_API_PASSWORD: &KCAdminPassword superSecretYomaApiServiceAccountPassword
 SMTP_PASSWORD: superSecretSmtpPassword
 volumes:
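Review bot: In stage/values.yaml the added `CLIENT_YOUTH_HUB_URL` and `CLIENT_YOUTH_HUB_URL_REDIRECT` are spelled differently from the `$(env:CLIENT_YOUTHHUB_URL)` / `$(env:CLIENT_YOUTHUB_URL_REDIRECT)` placeholders in the realm export, so neither value reaches the `youthhub` client in stage. Rename them to `CLIENT_YOUTHHUB_URL: ""` and `CLIENT_YOUTHHUB_URL_REDIRECT: ""` (and fix the realm's redirect placeholder to the same spelling) so stage behaves like dev. The enclosing `config-cli` mapping starts outside the hunk.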
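Review bot: In docker-compose.yml, `CLIENT_YOUTH_HUB_SECRET` is not the variable the realm export substitutes into the client secret (`$(env:CLIENT_YOUTHHUB_SECRET)`), and `CLIENT_YOUTHHUB_URL_REDIRECT` does not match the export's `$(env:CLIENT_YOUTHUB_URL_REDIRECT)`, so in the compose stack neither the secret nor the redirect placeholder is populated from these lines. The Helm secrets files already use `CLIENT_YOUTHHUB_SECRET`, so compose should follow: `CLIENT_YOUTHHUB_SECRET: superSecretYouthHubClientSecret`. It is worth confirming how keycloak-config-cli is configured to treat an undefined `$(env:...)` in this stack, since a literal placeholder string ending up as a client secret would be an easy failure to miss; the service definition holding this `environment` block starts outside the hunk.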
diff --git a/src/keycloak/exports/01-yoma-realm.yaml b/src/keycloak/exports/01-yoma-realm.yaml
index daf4c5741..4d4399baf 100644
--- a/src/keycloak/exports/01-yoma-realm.yaml
+++ b/src/keycloak/exports/01-yoma-realm.yaml
@@ -881,6 +881,93 @@ clients:
 - address
 - phone
 - microprofile-jwt
+ - clientId: youthhub
+ name: youthhub
+ description: YouthHub SSO and M2M Partner (private client)
+ rootUrl: $(env:CLIENT_YOUTHHUB_URL)
+ adminUrl: $(env:CLIENT_YOUTHHUB_URL)
+ baseUrl: $(env:CLIENT_YOUTHHUB_URL)
+ surrogateAuthRequired: false
+ enabled: true
+ alwaysDisplayInConsole: false
+ clientAuthenticatorType: client-secret
+ secret: $(env:CLIENT_YOUTHHUB_SECRET)
+ redirectUris:
+ - "/*"
+ - $(env:CLIENT_YOUTHUB_URL_REDIRECT)
+ webOrigins:
+ - $(env:CLIENT_YOUTHHUB_URL)
+ notBefore: 0
+ bearerOnly: false
+ consentRequired: false
+ standardFlowEnabled: false
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: false
+ serviceAccountsEnabled: true
+ publicClient: false
+ frontchannelLogout: true
+ protocol: openid-connect
+ attributes:
+ backchannel.logout.revoke.offline.tokens: "false"
+ backchannel.logout.session.required: "true"
+ backchannel.logout.url: ""
+ display.on.consent.screen: "false"
+ frontchannel.logout.url: ""
+ login_theme: ""
+ oauth2.device.authorization.grant.enabled: "false"
+ oidc.ciba.grant.enabled: "false"
+ authenticationFlowBindingOverrides: {}
+ fullScopeAllowed: true
+ nodeReRegistrationTimeout: -1
+ protocolMappers:
+ - name: Client IP Address
+ protocol: openid-connect
+ protocolMapper: oidc-usersessionmodel-note-mapper
+ consentRequired: false
+ config:
+ user.session.note: clientAddress
+ id.token.claim: "true"
+ access.token.claim: "true"
+ claim.name: clientAddress
+ jsonType.label: String
+ - name: Client ID
+ protocol: openid-connect
+ protocolMapper: oidc-usersessionmodel-note-mapper
+ consentRequired: false
+ config:
+ user.session.note: client_id
+ id.token.claim: "true"
+ access.token.claim: "true"
+ claim.name: client_id
+ jsonType.label: String
+ - name: Client Host
+ protocol: openid-connect
+ protocolMapper: oidc-usersessionmodel-note-mapper
+ consentRequired: false
+ config:
+ user.session.note: clientHost
+ id.token.claim: "true"
+ access.token.claim: "true"
+ claim.name: clientHost
+ jsonType.label: String
+ defaultClientScopes:
+ - web-origins
+ - acr
+ - offline_access
+ - roles
+ - profile
+ - yoma-api
+ - audience_scope
+ - email
+ optionalClientScopes:
+ - address
+ - phone
+ - microprofile-jwt
+ access:
+ view: true
+ configure: true
+ manage: true
+ authorizationServicesEnabled: false
 clientScopes:
 - id: ae0e217d-ecf2-4c4b-bfd8-1a564c182328
 name: email
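Review bot: `redirectUris` for the new `youthhub` client contains `"/*"`, a wildcard pattern that is relative to `rootUrl`, and `rootUrl` resolves to `$(env:CLIENT_YOUTHHUB_URL)`, which every values file in this commit sets to an empty string; as I read Keycloak's documentation, a relative pattern with no client root URL is resolved against the auth server's own base URL, so this amounts to an open redirect pattern on the Keycloak host. It is dormant today only because `standardFlowEnabled`, `implicitFlowEnabled` and `directAccessGrantsEnabled` are all `false`, but the description promises "SSO", and the moment someone turns standard flow on the wildcard becomes live; I would drop `"/*"` and keep a single explicit entry, corrected to `- $(env:CLIENT_YOUTHHUB_URL_REDIRECT)` (the current placeholder `CLIENT_YOUTHUB_URL_REDIRECT` is missing an H and is matched only by dev/values.yaml). For an M2M partner client, `fullScopeAllowed: true` puts every role mapped to the service-account user into its access token; set `fullScopeAllowed: false` and grant the service account only the roles the partner actually needs. The `clients` sequence this entry belongs to starts before the hunk.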