diff --git a/README.md b/README.md
index 7152443..7f1097b 100644
--- a/README.md
+++ b/README.md
@@ -47,8 +47,9 @@ auto-clear; the server still sees only ciphertext.
 | `docs/`               | Architecture and security docs.                             |
 
 Read the full design in [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md), the
-threat model in [`docs/SECURITY.md`](docs/SECURITY.md), and a screenshot
-walkthrough of every screen in [`docs/USER_GUIDE.md`](docs/USER_GUIDE.md).
+threat model in [`docs/SECURITY.md`](docs/SECURITY.md), a screenshot walkthrough
+of every screen in [`docs/USER_GUIDE.md`](docs/USER_GUIDE.md), and the
+white-label branding guide in [`docs/BRANDING.md`](docs/BRANDING.md).
 
 ## Installation
 
diff --git a/docs/BRANDING.md b/docs/BRANDING.md
new file mode 100644
index 0000000..58111b2
--- /dev/null
+++ b/docs/BRANDING.md
@@ -0,0 +1,123 @@
+# Branding & white-label customisation
+
+Passman ships unbranded by default. Operators who want to deploy it
+under their own name and colours edit a single file —
+`packages/web/public/branding.json` — without rebuilding the web bundle.
+
+The same web image can therefore serve any number of customers; mount a
+different `branding.json` per deployment via Kubernetes ConfigMap, a
+Docker bind mount, or a templated CI step.
+
+## What you can customise
+
+| Field            | Type   | Effect                                                                     |
+| ---------------- | ------ | -------------------------------------------------------------------------- |
+| `appName`        | string | Shown in the sidebar, browser tab title, and login/register heroes.        |
+| `tagline`        | string | One-liner displayed under "Unlock your vault" / "Create your vault".       |
+| `logoUrl`        | string | Same-origin path / `https://` URL / `data:` URL. Empty = default mark.     |
+| `brandColor`     | hex    | Primary accent (#RRGGBB, #RGB, or #RRGGBBAA). Drives the Connect button, focus rings, every accent surface. |
+| `brandColorDark` | hex    | Hover / gradient stop — defaults to a darkened brandColor.                 |
+| `supportEmail`   | string | Adds a `Support` mailto link in the user card. Empty hides it.             |
+| `footerText`     | string | Small footer line in the sidebar (e.g. "© Acme Corp · Internal use only").  |
+
+Every field is optional — anything you leave out falls through to the
+defaults baked into `DEFAULT_BRANDING` in
+[`packages/web/src/branding/defaults.ts`](../packages/web/src/branding/defaults.ts).
+
+## Quick start (60 seconds)
+
+1. **Replace the logo** — drop your SVG (or PNG, but SVG renders crisper) into
+   `packages/web/public/branding/logo.svg`. There's an example at
+   [`packages/web/public/branding/logo.example.svg`](../packages/web/public/branding/logo.example.svg)
+   you can copy as a starting point.
+
+2. **Edit `packages/web/public/branding.json`:**
+
+   ```jsonc
+   {
+     "appName": "Acme Vault",
+     "tagline": "Your team's credentials, safely off the cloud.",
+     "logoUrl": "/branding/logo.svg",
+     "brandColor": "#0a66c2",
+     "brandColorDark": "#084d92",
+     "supportEmail": "vault-support@acme.example",
+     "footerText": "© Acme Corp · Internal use only"
+   }
+   ```
+
+   A reference is committed at
+   [`packages/web/public/branding.example.json`](../packages/web/public/branding.example.json).
+
+3. **Reload the page.** Vite serves both files from `/`, the React app
+   fetches `/branding.json` on boot, and the document re-themes
+   immediately. No build step needed in dev.
+
+4. **For production**, the same files are copied to `dist/` by `vite
+   build`. To swap branding without rebuilding, mount your own
+   `branding.json` and `branding/logo.svg` over the served `dist/`
+   directory at deploy time.
+
+## CSP & security
+
+The default index.html has a strict Content-Security-Policy. Logo URLs
+must satisfy `img-src 'self' data:` — i.e.:
+
+- **Same-origin paths** (`/branding/logo.svg`) — works out of the box.
+- **`data:` URLs** — also allowed; useful for inlining a small SVG
+  directly in `branding.json` if you can't serve a separate file.
+- **Cross-origin URLs (`https://cdn.example/...`)** — blocked by the
+  default CSP. Either widen `img-src` in
+  [`packages/web/index.html`](../packages/web/index.html) or proxy the
+  asset under your own origin.
+
+The branding loader rejects unsafe schemes (`javascript:`, `file://`,
+`ftp://` …) silently and falls back to the default mark — a safety net
+for the case where `branding.json` is ever filled by user input rather
+than an operator.
+
+## What is NOT customised (and why)
+
+- **Encryption defaults** — Argon2id parameters, AES-256-GCM, the
+  zero-knowledge protocol. These are security-critical; changing them
+  belongs in the server's config, not a customer-facing brand file.
+- **Per-user themes** — `branding.json` is instance-wide. A customer
+  who needs per-user theming should layer that on top of this feature
+  (e.g. let a user pick from a list the operator has approved).
+- **Dark / light mode toggle** — Passman is dark-first by design. The
+  brand colour is the only colour token an operator overrides today.
+- **Extension popup** — the Manifest V3 popup is a separate context
+  with its own bundle. Branding the extension is tracked as a
+  follow-up; for now the popup keeps the default mark.
+
+## Testing your override locally
+
+```bash
+# in repo root
+npm run dev --workspace=@passman/web
+# open http://localhost:5173 — your branding.json is served at /branding.json
+```
+
+The login page should now show your logo + appName + tagline above the
+form, and the brand colour should drive the Unlock button + every
+accent in the vault.
+
+If the change doesn't appear, open DevTools → Network and confirm
+`/branding.json` returns your override. A failed fetch (404, network
+error, malformed JSON) silently falls back to defaults.
+
+## How it works
+
+The branding system is implemented in
+[`packages/web/src/branding/`](../packages/web/src/branding/):
+
+- `types.ts` — the `Branding` shape and partial `BrandingOverride`
+- `defaults.ts` — frozen `DEFAULT_BRANDING`
+- `load.ts` — fetch + sanitise + merge, plus `applyBranding()` that
+  writes `--brand` / `--brand-2` / `--brand-soft` / `--brand-line` CSS
+  variables on `:root` so any already-painted accent re-themes
+- `BrandingProvider.tsx` — React context provider that fetches once on
+  mount; components read it with `useBranding()`
+
+The provider does NOT block render — the first paint uses defaults and
+the customer's branding takes effect on the second render. That keeps
+the app booting under any failure mode.
diff --git a/docs/USER_GUIDE.md b/docs/USER_GUIDE.md
index 6c859b4..0f009d8 100644
--- a/docs/USER_GUIDE.md
+++ b/docs/USER_GUIDE.md
@@ -296,7 +296,31 @@ matches the URL stored on the item.
 
 ---
 
-## 7. Tips
+## 7. White-label branding
+
+Passman ships unbranded by default, but a single `branding.json` file
+swaps the logo, app name, tagline, and accent colour app-wide. No
+rebuild required — operators edit one file (or mount it as a
+ConfigMap) and the same web bundle serves any company.
+
+The login page below shows what the default and a custom override look
+like side by side:
+
+| Default                        | White-labelled                          |
+| ------------------------------ | --------------------------------------- |
+| ![Default Passman](img/login.png) | ![Acme Vault override](img/login-whitelabel.png) |
+
+The brand colour cascades to every accent in the UI — the Connect
+button on every grid row, the focus rings, the protocol pills, the
+selection highlight. Setting `brandColor` once re-themes the whole
+product.
+
+See [`docs/BRANDING.md`](BRANDING.md) for the full field reference,
+CSP notes, and a 60-second quick-start.
+
+---
+
+## 8. Tips
 
 - **Use the protocol field.** Even if Passman can infer the protocol
   from the port, declaring it explicitly is what unlocks the right
diff --git a/docs/img/login-whitelabel.png b/docs/img/login-whitelabel.png
new file mode 100644
index 0000000..0f864e6
Binary files /dev/null and b/docs/img/login-whitelabel.png differ
diff --git a/docs/img/login.png b/docs/img/login.png
index 6e5e1a1..85a75bc 100644
Binary files a/docs/img/login.png and b/docs/img/login.png differ
diff --git a/docs/img/register.png b/docs/img/register.png
index 008375e..7d6284b 100644
Binary files a/docs/img/register.png and b/docs/img/register.png differ
diff --git a/docs/preview/index.html b/docs/preview/index.html
index 1b7d1f7..9fda7b1 100644
--- a/docs/preview/index.html
+++ b/docs/preview/index.html
@@ -14,7 +14,8 @@
       <h1>Passman screenshots</h1>
       <ul>
         <li><a href="register.html">Register</a></li>
-        <li><a href="login.html">Login</a></li>
+        <li><a href="login.html">Login &mdash; default branding</a></li>
+        <li><a href="login-whitelabel.html">Login &mdash; with white-label override (Acme)</a></li>
         <li><a href="vault.html">Vault &mdash; sidebar dashboard</a></li>
         <li><a href="vault-connect.html">Vault &mdash; Connect dialog (JDBC / SSH / RDP / copy-command)</a></li>
         <li><a href="vault-add.html">Vault &mdash; add credential form</a></li>
diff --git a/docs/preview/login-whitelabel.html b/docs/preview/login-whitelabel.html
new file mode 100644
index 0000000..eb61b75
--- /dev/null
+++ b/docs/preview/login-whitelabel.html
@@ -0,0 +1,43 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Acme Vault — Unlock</title>
+    <link rel="stylesheet" href="../../packages/web/src/styles.css" />
+    <style>
+      /* Equivalent to applyBranding({ brandColor: "#0a66c2" }) at runtime — */
+      /* the React app sets these in JS so any already-painted accent re-themes. */
+      :root {
+        --brand: #0a66c2;
+        --brand-2: #084d92;
+        --brand-soft: rgba(10, 102, 194, 0.12);
+        --brand-line: rgba(10, 102, 194, 0.32);
+      }
+    </style>
+  </head>
+  <body>
+    <main class="auth-container">
+      <div class="auth-brand">
+        <img class="brand-logo" width="28" height="28"
+             src="../../packages/web/public/branding/logo.example.svg"
+             alt="Acme Vault logo" />
+        <span class="auth-brand-name">Acme Vault</span>
+      </div>
+      <h1>Unlock your vault</h1>
+      <p class="auth-tagline">Your team's credentials, safely off the cloud.</p>
+      <form>
+        <label>
+          Email
+          <input type="email" value="ops@acme.example" />
+        </label>
+        <label>
+          Master password
+          <input type="password" value="............" />
+        </label>
+        <button type="submit">Unlock</button>
+      </form>
+      <p>New here? <a href="register.html">Create a vault</a></p>
+    </main>
+  </body>
+</html>
diff --git a/docs/preview/login.html b/docs/preview/login.html
index 9bc6ce5..c681234 100644
--- a/docs/preview/login.html
+++ b/docs/preview/login.html
@@ -8,7 +8,12 @@
   </head>
   <body>
     <main class="auth-container">
+      <div class="auth-brand">
+        <div class="brand-mark brand-mark-lg"></div>
+        <span class="auth-brand-name">Passman</span>
+      </div>
       <h1>Unlock your vault</h1>
+      <p class="auth-tagline">Zero-knowledge password manager</p>
       <form>
         <label>
           Email
diff --git a/docs/preview/register.html b/docs/preview/register.html
index e28baa4..6143ccf 100644
--- a/docs/preview/register.html
+++ b/docs/preview/register.html
@@ -8,7 +8,12 @@
   </head>
   <body>
     <main class="auth-container">
+      <div class="auth-brand">
+        <div class="brand-mark brand-mark-lg"></div>
+        <span class="auth-brand-name">Passman</span>
+      </div>
       <h1>Create your vault</h1>
+      <p class="auth-tagline">Zero-knowledge password manager</p>
       <p class="warning">
         ⚠️ Your master password is the only key. We can't recover it. If you
         forget it, your vault is permanently inaccessible.
diff --git a/packages/web/public/branding.example.json b/packages/web/public/branding.example.json
new file mode 100644
index 0000000..4590961
--- /dev/null
+++ b/packages/web/public/branding.example.json
@@ -0,0 +1,9 @@
+{
+  "appName": "Acme Vault",
+  "tagline": "Your team's credentials, safely off the cloud.",
+  "logoUrl": "/branding/logo.svg",
+  "brandColor": "#0a66c2",
+  "brandColorDark": "#084d92",
+  "supportEmail": "vault-support@acme.example",
+  "footerText": "© Acme Corp · Internal use only"
+}
diff --git a/packages/web/public/branding.json b/packages/web/public/branding.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/packages/web/public/branding.json
@@ -0,0 +1 @@
+{}
diff --git a/packages/web/public/branding/logo.example.svg b/packages/web/public/branding/logo.example.svg
new file mode 100644
index 0000000..38719df
--- /dev/null
+++ b/packages/web/public/branding/logo.example.svg
@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="22" height="22" aria-label="Acme Vault logo">
+  <defs>
+    <linearGradient id="g" x1="0" y1="0" x2="1" y2="1">
+      <stop offset="0%" stop-color="#0a66c2"/>
+      <stop offset="100%" stop-color="#084d92"/>
+    </linearGradient>
+  </defs>
+  <rect x="1" y="1" width="22" height="22" rx="6" fill="url(#g)"/>
+  <path d="M7 9h10v2H7zm0 4h10v2H7zm0-7h10v2H7z" fill="#fff" opacity="0.92"/>
+</svg>
diff --git a/packages/web/src/branding/BrandingProvider.tsx b/packages/web/src/branding/BrandingProvider.tsx
new file mode 100644
index 0000000..b1c6379
--- /dev/null
+++ b/packages/web/src/branding/BrandingProvider.tsx
@@ -0,0 +1,44 @@
+import { createContext, useContext, useEffect, useState } from "react";
+
+import { DEFAULT_BRANDING } from "./defaults.js";
+import { applyBranding, loadBranding } from "./load.js";
+import type { Branding } from "./types.js";
+
+const BrandingContext = createContext<Branding>(DEFAULT_BRANDING);
+
+interface Props {
+  children: React.ReactNode;
+}
+
+/**
+ * Fetches `/branding.json` once, applies the resulting brand to the
+ * document (page title + CSS variables), and exposes the merged branding
+ * via React context. Components read it with `useBranding()`.
+ *
+ * The first paint uses defaults — overrides take effect on the second
+ * render once the fetch resolves. We deliberately do NOT block render
+ * on the fetch: the app should boot even if branding.json is unreachable.
+ */
+export function BrandingProvider({ children }: Props) {
+  const [brand, setBrand] = useState<Branding>(DEFAULT_BRANDING);
+
+  useEffect(() => {
+    let cancelled = false;
+    void loadBranding().then((b) => {
+      if (cancelled) return;
+      setBrand(b);
+      applyBranding(b);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  return (
+    <BrandingContext.Provider value={brand}>{children}</BrandingContext.Provider>
+  );
+}
+
+export function useBranding(): Branding {
+  return useContext(BrandingContext);
+}
diff --git a/packages/web/src/branding/defaults.ts b/packages/web/src/branding/defaults.ts
new file mode 100644
index 0000000..ec9a457
--- /dev/null
+++ b/packages/web/src/branding/defaults.ts
@@ -0,0 +1,21 @@
+import type { Branding } from "./types.js";
+
+/**
+ * Default brand identity. These are the values an unbranded `passman` ships
+ * with and the fallback when `branding.json` is missing, malformed, or fails
+ * to fetch. Anything left out of an operator's `branding.json` falls through
+ * to these.
+ *
+ * Hex colour values mirror the design tokens in `styles.css`. Keep them in
+ * sync — the loader writes the `--brand` / `--brand-2` CSS variables at
+ * runtime, but the rest of the design system is defined in CSS.
+ */
+export const DEFAULT_BRANDING: Branding = Object.freeze({
+  appName: "Passman",
+  tagline: "Zero-knowledge password manager",
+  logoUrl: "",
+  brandColor: "#3ECF8E",
+  brandColorDark: "#14B884",
+  supportEmail: "",
+  footerText: "",
+});
diff --git a/packages/web/src/branding/index.ts b/packages/web/src/branding/index.ts
new file mode 100644
index 0000000..3e39141
--- /dev/null
+++ b/packages/web/src/branding/index.ts
@@ -0,0 +1,4 @@
+export { BrandingProvider, useBranding } from "./BrandingProvider.js";
+export { DEFAULT_BRANDING } from "./defaults.js";
+export { applyBranding, loadBranding, mergeBranding } from "./load.js";
+export type { Branding, BrandingOverride } from "./types.js";
diff --git a/packages/web/src/branding/load.ts b/packages/web/src/branding/load.ts
new file mode 100644
index 0000000..0af0973
--- /dev/null
+++ b/packages/web/src/branding/load.ts
@@ -0,0 +1,128 @@
+import { DEFAULT_BRANDING } from "./defaults.js";
+import type { Branding, BrandingOverride } from "./types.js";
+
+const HEX_COLOR = /^#([0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
+const SAFE_LOGO_PROTOCOLS = new Set(["http:", "https:", "data:"]);
+
+/**
+ * Validate + sanitise an operator-supplied override before merging into
+ * defaults. Bad values are quietly dropped (and logged in dev) rather
+ * than rejected — a typo in `branding.json` shouldn't break the app.
+ */
+function sanitise(raw: unknown): BrandingOverride {
+  if (!raw || typeof raw !== "object") return {};
+  const r = raw as Record<string, unknown>;
+  const out: BrandingOverride = {};
+
+  if (typeof r.appName === "string" && r.appName.trim().length > 0) {
+    // Cap to a length that fits the sidebar and the page title without truncation.
+    out.appName = r.appName.slice(0, 64);
+  }
+  if (typeof r.tagline === "string") {
+    out.tagline = r.tagline.slice(0, 160);
+  }
+  if (typeof r.logoUrl === "string") {
+    out.logoUrl = sanitiseLogoUrl(r.logoUrl);
+  }
+  if (typeof r.brandColor === "string" && HEX_COLOR.test(r.brandColor)) {
+    out.brandColor = r.brandColor;
+  }
+  if (typeof r.brandColorDark === "string" && HEX_COLOR.test(r.brandColorDark)) {
+    out.brandColorDark = r.brandColorDark;
+  }
+  if (typeof r.supportEmail === "string") {
+    out.supportEmail = r.supportEmail.slice(0, 254);
+  }
+  if (typeof r.footerText === "string") {
+    out.footerText = r.footerText.slice(0, 200);
+  }
+  return out;
+}
+
+/**
+ * Allow:
+ * - same-origin paths (start with `/`) — most common case, served from `public/`
+ * - https:// URLs — assume the operator has the appropriate `img-src` CSP rule
+ * - data: URLs — let operators inline a small SVG without serving a separate file
+ *
+ * Reject anything else (`javascript:`, `file://`, etc.) — those are XSS vectors
+ * even when set by the operator if `branding.json` ever becomes user-supplied.
+ */
+function sanitiseLogoUrl(value: string): string {
+  if (value === "") return "";
+  if (value.startsWith("/")) return value;
+  try {
+    const url = new URL(value);
+    if (SAFE_LOGO_PROTOCOLS.has(url.protocol)) return value;
+  } catch {
+    /* fall through */
+  }
+  return "";
+}
+
+/** Merge an override over the frozen defaults; returns a new object. */
+export function mergeBranding(override: BrandingOverride): Branding {
+  return { ...DEFAULT_BRANDING, ...override };
+}
+
+/**
+ * Fetch `/branding.json` from the deployment's same-origin and merge into
+ * defaults. Any failure (404, network, JSON parse error, missing fields)
+ * falls back to defaults so the app always boots into a usable state.
+ */
+export async function loadBranding(
+  url = "/branding.json",
+  fetchImpl: typeof fetch = globalThis.fetch,
+): Promise<Branding> {
+  try {
+    const resp = await fetchImpl(url, { cache: "no-store" });
+    if (!resp.ok) return mergeBranding({});
+    const json = (await resp.json()) as unknown;
+    return mergeBranding(sanitise(json));
+  } catch {
+    // Operators don't always ship a branding.json; that's fine.
+    return mergeBranding({});
+  }
+}
+
+/**
+ * Push the merged branding into the document — sets the page title, the
+ * favicon (when a logo URL is set), and the `--brand` / `--brand-2` CSS
+ * variables so any accent already painted re-themes immediately.
+ */
+export function applyBranding(brand: Branding): void {
+  if (typeof document === "undefined") return;
+  document.title = brand.appName;
+  const root = document.documentElement;
+  root.style.setProperty("--brand", brand.brandColor);
+  root.style.setProperty("--brand-2", brand.brandColorDark);
+  // Re-derive the soft / line variants so the alpha-tinted accents stay in sync.
+  root.style.setProperty(
+    "--brand-soft",
+    hexWithAlpha(brand.brandColor, 0.12),
+  );
+  root.style.setProperty(
+    "--brand-line",
+    hexWithAlpha(brand.brandColor, 0.32),
+  );
+}
+
+/** Compose a #RRGGBB hex with an alpha channel into the same `rgba(...)` form
+ * that the design tokens use. Pass-through for already-prefixed alpha hex. */
+function hexWithAlpha(hex: string, alpha: number): string {
+  // We accept #RGB / #RRGGBB / #RRGGBBAA forms; for the alpha-prefixed form
+  // we strip the existing alpha and apply the new one.
+  let r = 0;
+  let g = 0;
+  let b = 0;
+  if (hex.length === 4) {
+    r = parseInt(hex[1]! + hex[1]!, 16);
+    g = parseInt(hex[2]! + hex[2]!, 16);
+    b = parseInt(hex[3]! + hex[3]!, 16);
+  } else if (hex.length === 7 || hex.length === 9) {
+    r = parseInt(hex.slice(1, 3), 16);
+    g = parseInt(hex.slice(3, 5), 16);
+    b = parseInt(hex.slice(5, 7), 16);
+  }
+  return `rgba(${r}, ${g}, ${b}, ${alpha})`;
+}
diff --git a/packages/web/src/branding/types.ts b/packages/web/src/branding/types.ts
new file mode 100644
index 0000000..04a3e93
--- /dev/null
+++ b/packages/web/src/branding/types.ts
@@ -0,0 +1,34 @@
+/**
+ * Runtime branding shape. The web app fetches `/branding.json` on boot and
+ * merges its contents over `DEFAULT_BRANDING`. Every field is optional in
+ * the on-disk form — operators only override what they want changed, and
+ * a missing or malformed `branding.json` falls back to the defaults
+ * (existing deployments need zero changes).
+ */
+export interface Branding {
+  /** Product name shown in the sidebar, page title, and login/register heroes. */
+  appName: string;
+  /** Optional one-liner shown under the appName on the auth pages. */
+  tagline: string;
+  /**
+   * Logo image URL. Same-origin paths (e.g. `/branding/logo.svg`) are
+   * preferred — the strict CSP blocks remote images. An empty string
+   * shows the default brand mark (a green gradient square).
+   */
+  logoUrl: string;
+  /**
+   * Primary brand colour. Applied via the `--brand` CSS variable so it
+   * cascades to every accent in the UI (Connect button, focus rings,
+   * pill backgrounds, engine-tile borders for missing engine accents).
+   */
+  brandColor: string;
+  /** Darker shade used for hover / gradient stops. Defaults to a darkened brandColor. */
+  brandColorDark: string;
+  /** Optional support contact shown in error messages and the user card. */
+  supportEmail: string;
+  /** Optional small text shown in the sidebar footer. Empty hides it. */
+  footerText: string;
+}
+
+/** Partial-override shape an operator can put in `branding.json`. */
+export type BrandingOverride = Partial<Branding>;
diff --git a/packages/web/src/main.tsx b/packages/web/src/main.tsx
index d362efd..cb35124 100644
--- a/packages/web/src/main.tsx
+++ b/packages/web/src/main.tsx
@@ -2,6 +2,7 @@ import { StrictMode } from "react";
 import { createRoot } from "react-dom/client";
 
 import { App } from "./App.js";
+import { BrandingProvider } from "./branding/index.js";
 import "./styles.css";
 
 const root = document.getElementById("root");
@@ -9,6 +10,8 @@ if (!root) throw new Error("#root element missing");
 
 createRoot(root).render(
   <StrictMode>
-    <App />
+    <BrandingProvider>
+      <App />
+    </BrandingProvider>
   </StrictMode>,
 );
diff --git a/packages/web/src/pages/LoginPage.tsx b/packages/web/src/pages/LoginPage.tsx
index 6ab8299..fae8116 100644
--- a/packages/web/src/pages/LoginPage.tsx
+++ b/packages/web/src/pages/LoginPage.tsx
@@ -4,11 +4,14 @@ import { useNavigate } from "react-router-dom";
 import { deriveLoginAuthKey, unlock } from "@passman/core";
 
 import { ApiError, api } from "../api/client.js";
+import { useBranding } from "../branding/index.js";
 import { useSession } from "../stores/session.js";
+import { BrandHeader } from "./vault/BrandHeader.js";
 
 export function LoginPage() {
   const nav = useNavigate();
   const setSession = useSession((s) => s.setSession);
+  const branding = useBranding();
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
   const [error, setError] = useState<string | null>(null);
@@ -60,7 +63,11 @@ export function LoginPage() {
 
   return (
     <main className="auth-container">
+      <BrandHeader />
       <h1>Unlock your vault</h1>
+      {branding.tagline && (
+        <p className="auth-tagline">{branding.tagline}</p>
+      )}
       <form onSubmit={onSubmit}>
         <label>
           Email
diff --git a/packages/web/src/pages/RegisterPage.tsx b/packages/web/src/pages/RegisterPage.tsx
index dac7753..66f70bc 100644
--- a/packages/web/src/pages/RegisterPage.tsx
+++ b/packages/web/src/pages/RegisterPage.tsx
@@ -4,9 +4,12 @@ import { useNavigate } from "react-router-dom";
 import { buildRegistration } from "@passman/core";
 
 import { ApiError, api } from "../api/client.js";
+import { useBranding } from "../branding/index.js";
+import { BrandHeader } from "./vault/BrandHeader.js";
 
 export function RegisterPage() {
   const nav = useNavigate();
+  const branding = useBranding();
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
   const [confirm, setConfirm] = useState("");
@@ -47,7 +50,11 @@ export function RegisterPage() {
 
   return (
     <main className="auth-container">
+      <BrandHeader />
       <h1>Create your vault</h1>
+      {branding.tagline && (
+        <p className="auth-tagline">{branding.tagline}</p>
+      )}
       <p className="warning">
         ⚠️ Your master password is the only key. We can't recover it. If you
         forget it, your vault is permanently inaccessible.
diff --git a/packages/web/src/pages/vault/BrandHeader.tsx b/packages/web/src/pages/vault/BrandHeader.tsx
new file mode 100644
index 0000000..bdaa589
--- /dev/null
+++ b/packages/web/src/pages/vault/BrandHeader.tsx
@@ -0,0 +1,27 @@
+import { useBranding } from "../../branding/index.js";
+
+/**
+ * Logo + app-name pair shown above the auth pages. Mirrors the
+ * sidebar's `.brand` element so a customer's logo lands in both
+ * places consistently. Falls back to the default gradient mark
+ * when no `logoUrl` is configured.
+ */
+export function BrandHeader() {
+  const brand = useBranding();
+  return (
+    <div className="auth-brand">
+      {brand.logoUrl ? (
+        <img
+          className="brand-logo"
+          src={brand.logoUrl}
+          alt={`${brand.appName} logo`}
+          width={28}
+          height={28}
+        />
+      ) : (
+        <div className="brand-mark brand-mark-lg" />
+      )}
+      <span className="auth-brand-name">{brand.appName}</span>
+    </div>
+  );
+}
diff --git a/packages/web/src/pages/vault/Sidebar.tsx b/packages/web/src/pages/vault/Sidebar.tsx
index 1b56c29..00bfdf3 100644
--- a/packages/web/src/pages/vault/Sidebar.tsx
+++ b/packages/web/src/pages/vault/Sidebar.tsx
@@ -1,5 +1,6 @@
 import { useMemo, useState } from "react";
 
+import { useBranding } from "../../branding/index.js";
 import { effectiveProtocol, protocolLabel } from "../../connect/index.js";
 import { IconSearch } from "./icons.js";
 import type { DecryptedItem, GroupKey } from "./types.js";
@@ -24,6 +25,7 @@ interface Props {
 
 export function Sidebar({ email, items, scope, onScopeChange }: Props) {
   const [filter, setFilter] = useState("");
+  const branding = useBranding();
 
   const ipBuckets = useMemo(() => bucket(items, "ip"), [items]);
   const portBuckets = useMemo(() => bucket(items, "port"), [items]);
@@ -36,7 +38,18 @@ export function Sidebar({ email, items, scope, onScopeChange }: Props) {
   return (
     <aside className="vault-side">
       <div className="brand">
-        <div className="brand-mark" /> Passman
+        {branding.logoUrl ? (
+          <img
+            className="brand-logo"
+            src={branding.logoUrl}
+            alt={`${branding.appName} logo`}
+            width={22}
+            height={22}
+          />
+        ) : (
+          <div className="brand-mark" />
+        )}{" "}
+        {branding.appName}
       </div>
 
       <div className="side-search">
@@ -123,9 +136,23 @@ export function Sidebar({ email, items, scope, onScopeChange }: Props) {
           <div className="email" title={email ?? ""}>
             {email ?? "Unknown"}
           </div>
-          <small>Vault unlocked</small>
+          <small>
+            Vault unlocked
+            {branding.supportEmail && (
+              <>
+                {" · "}
+                <a href={`mailto:${branding.supportEmail}`}>Support</a>
+              </>
+            )}
+          </small>
         </div>
       </div>
+
+      {branding.footerText && (
+        <div className="brand-footer" title={branding.footerText}>
+          {branding.footerText}
+        </div>
+      )}
     </aside>
   );
 }
diff --git a/packages/web/src/styles.css b/packages/web/src/styles.css
index 442e7bf..696f277 100644
--- a/packages/web/src/styles.css
+++ b/packages/web/src/styles.css
@@ -364,6 +364,50 @@ aside.vault-side {
   box-shadow: 0 0 14px rgba(62, 207, 142, 0.35);
   flex-shrink: 0;
 }
+.brand-mark.brand-mark-lg {
+  width: 32px;
+  height: 32px;
+  border-radius: 8px;
+}
+.brand-logo {
+  width: 22px;
+  height: 22px;
+  border-radius: 6px;
+  flex-shrink: 0;
+  object-fit: contain;
+}
+.brand-logo[width="28"] { width: 28px; height: 28px; border-radius: 8px; }
+
+.brand-footer {
+  margin-top: 0.7rem;
+  padding: 0.5rem 0.6rem 0;
+  border-top: 1px solid var(--line);
+  font-size: 0.7rem;
+  color: var(--muted-2);
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+/* Branded header on the auth pages — sits above "Unlock your vault" /
+   "Create your vault" so the customer's logo + product name are the
+   first things a user sees. */
+.auth-brand {
+  display: flex;
+  align-items: center;
+  gap: 0.55rem;
+  margin-bottom: 1rem;
+  font-weight: 600;
+  font-size: 1rem;
+  letter-spacing: -0.015em;
+}
+.auth-brand .auth-brand-name { color: var(--fg); }
+
+.auth-tagline {
+  margin: -0.15rem 0 0.85rem;
+  font-size: 0.85rem;
+  color: var(--muted);
+}
 
 .side-search {
   position: relative;
diff --git a/packages/web/tests/branding.test.ts b/packages/web/tests/branding.test.ts
new file mode 100644
index 0000000..714b36e
--- /dev/null
+++ b/packages/web/tests/branding.test.ts
@@ -0,0 +1,208 @@
+/**
+ * Tests for the branding loader. Exercises:
+ * - frozen defaults (no field is undefined)
+ * - field-level sanitisation (invalid colour rejected, dangerous logoUrl
+ *   rejected, oversized strings truncated)
+ * - merge semantics (only declared overrides override; everything else
+ *   stays at the default)
+ * - fetch-failure fallback (network error / 404 / non-JSON / empty body)
+ */
+import { describe, expect, it } from "vitest";
+
+import { DEFAULT_BRANDING } from "../src/branding/defaults.js";
+import { loadBranding, mergeBranding } from "../src/branding/load.js";
+
+describe("DEFAULT_BRANDING", () => {
+  it("has every field set so a missing branding.json never leaves a hole", () => {
+    expect(typeof DEFAULT_BRANDING.appName).toBe("string");
+    expect(DEFAULT_BRANDING.appName.length).toBeGreaterThan(0);
+    expect(typeof DEFAULT_BRANDING.tagline).toBe("string");
+    expect(typeof DEFAULT_BRANDING.logoUrl).toBe("string");
+    expect(DEFAULT_BRANDING.brandColor).toMatch(/^#[0-9a-f]{6}$/i);
+    expect(DEFAULT_BRANDING.brandColorDark).toMatch(/^#[0-9a-f]{6}$/i);
+    expect(typeof DEFAULT_BRANDING.supportEmail).toBe("string");
+    expect(typeof DEFAULT_BRANDING.footerText).toBe("string");
+  });
+
+  it("is immutable", () => {
+    expect(Object.isFrozen(DEFAULT_BRANDING)).toBe(true);
+  });
+});
+
+describe("mergeBranding", () => {
+  it("returns the defaults when given an empty override", () => {
+    expect(mergeBranding({})).toEqual(DEFAULT_BRANDING);
+  });
+
+  it("applies only the declared keys", () => {
+    const merged = mergeBranding({ appName: "Acme Vault" });
+    expect(merged.appName).toBe("Acme Vault");
+    expect(merged.brandColor).toBe(DEFAULT_BRANDING.brandColor);
+    expect(merged.tagline).toBe(DEFAULT_BRANDING.tagline);
+  });
+
+  it("does not mutate the frozen defaults", () => {
+    mergeBranding({ appName: "Other" });
+    expect(DEFAULT_BRANDING.appName).toBe("Passman");
+  });
+});
+
+describe("loadBranding (sanitisation)", () => {
+  function fetchReturning(body: unknown): typeof fetch {
+    return (async () =>
+      ({
+        ok: true,
+        async json() {
+          return body;
+        },
+      }) as unknown as Response) as typeof fetch;
+  }
+
+  it("accepts a well-formed override and merges it over defaults", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      fetchReturning({
+        appName: "Acme",
+        brandColor: "#0a66c2",
+        brandColorDark: "#084d92",
+        tagline: "Built for ops.",
+      }),
+    );
+    expect(brand.appName).toBe("Acme");
+    expect(brand.brandColor).toBe("#0a66c2");
+    expect(brand.brandColorDark).toBe("#084d92");
+    expect(brand.tagline).toBe("Built for ops.");
+    // Untouched keys stay at the default.
+    expect(brand.logoUrl).toBe(DEFAULT_BRANDING.logoUrl);
+  });
+
+  it("rejects a non-hex brand colour and falls back to the default", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      fetchReturning({ brandColor: "javascript:alert(1)" }),
+    );
+    expect(brand.brandColor).toBe(DEFAULT_BRANDING.brandColor);
+  });
+
+  it("rejects malformed hex (too few / too many digits)", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      fetchReturning({ brandColor: "#GGG" }),
+    );
+    expect(brand.brandColor).toBe(DEFAULT_BRANDING.brandColor);
+  });
+
+  it("accepts same-origin paths for logoUrl", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      fetchReturning({ logoUrl: "/branding/logo.svg" }),
+    );
+    expect(brand.logoUrl).toBe("/branding/logo.svg");
+  });
+
+  it("accepts https:// and data: URLs for logoUrl", async () => {
+    expect(
+      (
+        await loadBranding(
+          "/branding.json",
+          fetchReturning({ logoUrl: "https://cdn.example.com/logo.svg" }),
+        )
+      ).logoUrl,
+    ).toBe("https://cdn.example.com/logo.svg");
+    expect(
+      (
+        await loadBranding(
+          "/branding.json",
+          fetchReturning({ logoUrl: "data:image/svg+xml;base64,PHN2ZyAvPg==" }),
+        )
+      ).logoUrl,
+    ).toBe("data:image/svg+xml;base64,PHN2ZyAvPg==");
+  });
+
+  it("rejects javascript: and other non-safe protocols for logoUrl", async () => {
+    for (const bad of [
+      "javascript:alert(1)",
+      "file:///etc/passwd",
+      "ftp://logo.example/img.png",
+    ]) {
+      const brand = await loadBranding(
+        "/branding.json",
+        fetchReturning({ logoUrl: bad }),
+      );
+      expect(brand.logoUrl).toBe("");
+    }
+  });
+
+  it("truncates oversized strings to a sane cap", async () => {
+    const longName = "A".repeat(500);
+    const brand = await loadBranding(
+      "/branding.json",
+      fetchReturning({ appName: longName }),
+    );
+    // 64-char cap per the loader.
+    expect(brand.appName.length).toBe(64);
+  });
+
+  it("ignores unknown keys", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      fetchReturning({ surpriseField: "nope", appName: "Acme" }),
+    );
+    expect((brand as unknown as { surpriseField?: string }).surpriseField).toBeUndefined();
+    expect(brand.appName).toBe("Acme");
+  });
+});
+
+describe("loadBranding (fetch failure modes)", () => {
+  it("falls back to defaults on a network error", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      (async () => {
+        throw new TypeError("network down");
+      }) as unknown as typeof fetch,
+    );
+    expect(brand).toEqual(DEFAULT_BRANDING);
+  });
+
+  it("falls back to defaults on a non-2xx response", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      (async () =>
+        ({
+          ok: false,
+          async json() {
+            return {};
+          },
+        }) as unknown as Response) as typeof fetch,
+    );
+    expect(brand).toEqual(DEFAULT_BRANDING);
+  });
+
+  it("falls back to defaults on a non-JSON body", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      (async () =>
+        ({
+          ok: true,
+          async json() {
+            throw new SyntaxError("not json");
+          },
+        }) as unknown as Response) as typeof fetch,
+    );
+    expect(brand).toEqual(DEFAULT_BRANDING);
+  });
+
+  it("returns defaults for an empty JSON body ({})", async () => {
+    const brand = await loadBranding(
+      "/branding.json",
+      (async () =>
+        ({
+          ok: true,
+          async json() {
+            return {};
+          },
+        }) as unknown as Response) as typeof fetch,
+    );
+    expect(brand).toEqual(DEFAULT_BRANDING);
+  });
+});