diff --git a/protos/message.proto b/protos/message.proto
index 721af450b..69f60ab86 100644
--- a/protos/message.proto
+++ b/protos/message.proto
@@ -88,10 +88,11 @@ message LoginRequest {
   string my_platform = 13;
   bytes hwid = 14;
   string avatar = 17;
+  bytes easy_access_challenge = 18;
 }
 
 message Terminal {
-  string service_id = 1;  // Service ID for reconnecting to existing session
+  string service_id = 1; // Service ID for reconnecting to existing session
 }
 
 message Auth2FA {
@@ -439,7 +440,7 @@ message FileTransferDigest {
   bool is_upload = 5;
   bool is_identical = 6;
   uint64 transferred_size = 7; // For resume. Indicates the size of the file already transferred
-  bool is_resume = 8;          // For resume. Indicates if the transfer is a resume.
+  bool is_resume = 8; // For resume. Indicates if the transfer is a resume.
                                // `is_resume` can let the controlled side know whether to check the `.digest` file.
                                // When `is_resume` is false, `.digest` exists, the same file does not exist,
                                // the controlled side should not check `.digest`, it should confirm with a new transfer request.
@@ -889,7 +890,7 @@ message ScreenshotResponse {
 
 // Terminal messages - standalone feature like FileAction
 message OpenTerminal {
-  int32 terminal_id = 1;  // 0 for default terminal
+  int32 terminal_id = 1; // 0 for default terminal
   uint32 rows = 2;
   uint32 cols = 3;
 }
@@ -924,7 +925,7 @@ message TerminalOpened {
   bool success = 2;
   string message = 3;
   uint32 pid = 4;
-  string service_id = 5;  // Service ID for persistent sessions
+  string service_id = 5; // Service ID for persistent sessions
   repeated int32 persistent_sessions = 6; // Used to restore the persistent sessions.
 }
 
diff --git a/protos/rendezvous.proto b/protos/rendezvous.proto
index fb0c75d1a..3ab50d96b 100644
--- a/protos/rendezvous.proto
+++ b/protos/rendezvous.proto
@@ -30,7 +30,8 @@ message PunchHoleRequest {
   bytes socket_addr_v6 = 10;
 }
 
-message ControlPermissions {
+// Data passed from server to controlled device (via PunchHole / FetchLocalAddr / RequestRelay)
+message ControlledConfig {
   enum Permission {
     keyboard = 0;
     remote_printer = 1;
@@ -45,7 +46,9 @@ message ControlPermissions {
     block_input = 10;
     remote_modify = 11;
   }
-  uint64 permissions = 1;
+  uint64 control_permissions = 1;
+  bytes easy_access_signature = 2; // server signature for easy access challenge
+  bytes manager_id = 3; // user manager uuid
 }
 
 message PunchHole {
@@ -56,7 +59,8 @@ message PunchHole {
   bool force_relay = 5;
   int32 upnp_port = 6;
   bytes socket_addr_v6 = 7;
-  ControlPermissions control_permissions = 8;
+  ControlledConfig controlled_config = 8;
+  bytes request_id = 9;
 }
 
 message TestNatRequest {
@@ -83,6 +87,7 @@ message PunchHoleSent {
   string version = 5;
   int32 upnp_port = 6;
   bytes socket_addr_v6 = 7;
+  bytes request_id = 8;
 }
 
 message RegisterPk {
@@ -107,6 +112,11 @@ message RegisterPkResponse {
   int32 keep_alive = 2;
 }
 
+// Data passed from server to controller (via PunchHoleResponse / RelayResponse)
+message ControllerConfig {
+  bytes easy_access_challenge = 1; // encrypted, opaque to both peers
+}
+
 message PunchHoleResponse {
   bytes socket_addr = 1;
   bytes pk = 2;
@@ -127,6 +137,7 @@ message PunchHoleResponse {
   bool is_udp = 9;
   int32 upnp_port = 10;
   bytes socket_addr_v6 = 11;
+  ControllerConfig controller_config = 12;
 }
 
 message ConfigUpdate {
@@ -143,7 +154,8 @@ message RequestRelay {
   string licence_key = 6;
   ConnType conn_type = 7;
   string token = 8;
-  ControlPermissions control_permissions = 9;
+  ControlledConfig controlled_config = 9;
+  bytes request_id = 10;
 }
 
 message RelayResponse {
@@ -159,6 +171,8 @@ message RelayResponse {
   int32 feedback = 9;
   bytes socket_addr_v6 = 10;
   int32 upnp_port = 11;
+  ControllerConfig controller_config = 12;
+  bytes request_id = 13;
 }
 
 message SoftwareUpdate { string url = 1; }
@@ -171,7 +185,8 @@ message FetchLocalAddr {
   bytes socket_addr = 1;
   string relay_server = 2;
   bytes socket_addr_v6 = 3;
-  ControlPermissions control_permissions = 4;
+  ControlledConfig controlled_config = 4;
+  bytes request_id = 5;
 }
 
 message LocalAddr {
@@ -181,6 +196,7 @@ message LocalAddr {
   string id = 4;
   string version = 5;
   bytes socket_addr_v6 = 6;
+  bytes request_id = 7;
 }
 
 message PeerDiscovery {
diff --git a/src/config.rs b/src/config.rs
index 31811d400..288fe04c9 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -2539,6 +2539,11 @@ pub fn is_disable_installation() -> bool {
     is_some_hard_opton("disable-installation")
 }
 
+#[inline]
+pub fn is_allow_easy_access() -> bool {
+    is_some_hard_opton("allow-easy-access")
+}
+
 // This function must be kept the same as the one in flutter and sciter code.
 // flutter: flutter/lib/common.dart -> option2bool()
 // sciter: Does not have the function, but it should be kept the same.