diff --git a/next.config.js b/next.config.js
index fd90d7c..a77079a 100644
--- a/next.config.js
+++ b/next.config.js
@@ -2,7 +2,40 @@
 const nextConfig = {
   typescript: {
     ignoreBuildErrors: true,
-  }
+  },
+  // Configure headers for iframe support
+  async headers() {
+    return [
+      // Default security headers for main app
+      {
+        source: '/((?!iframe).*)',
+        headers: [
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: "frame-ancestors 'none';",
+          },
+        ],
+      },
+      // Iframe-friendly headers only for /iframe routes
+      {
+        source: '/iframe/:path*',
+        headers: [
+          {
+            key: 'X-Frame-Options',
+            value: 'ALLOWALL',
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: "frame-ancestors *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
+          },
+        ],
+      },
+    ]
+  },
 }
 
 module.exports = nextConfig
diff --git a/src/app/iframe/layout.tsx b/src/app/iframe/layout.tsx
new file mode 100644
index 0000000..e73586d
--- /dev/null
+++ b/src/app/iframe/layout.tsx
@@ -0,0 +1,46 @@
+import '../globals.css'
+import type { Metadata } from 'next'
+import Provider from '@/components/W3UIProvider'
+import Toaster from '@/components/Toaster'
+import { Provider as MigrationsProvider } from '@/components/MigrationsProvider'
+import { IframeProvider } from '@/contexts/IframeContext'
+import IframeHeader from '@/components/IframeHeader'
+import IframeAuthenticator from '@/components/IframeAuthenticator'
+
+export const metadata: Metadata = {
+  title: 'Storacha Workspaces',
+  description: 'Manage your Storacha storage spaces',
+}
+
+export default function IframeLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html lang="en">
+      <head>
+        <link rel="preconnect" href="https://fonts.googleapis.com" />
+        <link rel="preconnect" href="https://fonts.gstatic.com" crossOrigin='anonymous' />
+        <link href="https://fonts.googleapis.com/css2?family=Epilogue:ital@0;1&display=swap" rel="stylesheet" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
+      </head>
+      <body className='bg-white min-h-screen overflow-hidden'>
+        <IframeProvider>
+          <Provider>
+            <MigrationsProvider>
+              <IframeAuthenticator>
+                <div className="flex flex-col h-screen">
+                  <main className="flex-1 overflow-auto">
+                    {children}
+                  </main>
+                </div>
+              </IframeAuthenticator>
+            </MigrationsProvider>
+          </Provider>
+          <Toaster />
+        </IframeProvider>
+      </body>
+    </html>
+  )
+} 
\ No newline at end of file
diff --git a/src/app/iframe/page.tsx b/src/app/iframe/page.tsx
new file mode 100644
index 0000000..58565dc
--- /dev/null
+++ b/src/app/iframe/page.tsx
@@ -0,0 +1,14 @@
+import { Suspense } from 'react'
+import IframeDashboard from '@/components/IframeDashboard'
+
+export default function IframePage() {
+  return (
+    <div className="flex h-full min-h-0">
+      <div className="flex-1 overflow-auto min-w-0">
+        <Suspense fallback={<div className="p-4">Loading...</div>}>
+          <IframeDashboard />
+        </Suspense>
+      </div>
+    </div>
+  )
+} 
\ No newline at end of file
diff --git a/src/app/iframe/space/[did]/layout.tsx b/src/app/iframe/space/[did]/layout.tsx
new file mode 100644
index 0000000..7845d8d
--- /dev/null
+++ b/src/app/iframe/space/[did]/layout.tsx
@@ -0,0 +1,21 @@
+import { PropsWithChildren, ReactNode } from 'react'
+import IframeCompactSidebar from '@/components/IframeCompactSidebar'
+
+export const runtime = 'edge'
+
+interface LayoutProps extends PropsWithChildren {
+  params: {
+    did: string
+  }
+}
+
+export default function IframeSpaceLayout({ children }: LayoutProps): ReactNode {
+  return (
+    <div className="flex h-full min-h-0">
+      <IframeCompactSidebar />
+      <div className="flex-1 overflow-auto bg-white min-w-0">
+        {children}
+      </div>
+    </div>
+  )
+} 
\ No newline at end of file
diff --git a/src/app/iframe/space/[did]/page.tsx b/src/app/iframe/space/[did]/page.tsx
new file mode 100644
index 0000000..8da4d89
--- /dev/null
+++ b/src/app/iframe/space/[did]/page.tsx
@@ -0,0 +1,96 @@
+'use client'
+
+import { UploadsList } from '@/components/UploadsList'
+import { useW3, UnknownLink, UploadListSuccess, Authenticator } from '@w3ui/react'
+import useSWR from 'swr'
+import { useRouter, usePathname } from 'next/navigation'
+import { createUploadsListKey } from '@/cache'
+import { Breadcrumbs } from '@/components/Breadcrumbs'
+import { logAndCaptureError } from '@/sentry'
+import { AuthenticationEnsurer } from '@/components/Authenticator'
+import { SpaceEnsurer } from '@/components/SpaceEnsurer'
+import { MaybePlanGate } from '@/components/PlanGate'
+import IframeAuthenticator from '@/components/IframeAuthenticator'
+
+const pageSize = 15
+
+interface PageProps {
+  params: {
+    did: string
+  },
+  searchParams: {
+    cursor: string
+    pre: string
+  }
+}
+
+export default function IframeSpacePage({ params, searchParams }: PageProps): JSX.Element {
+  return (
+    <IframeAuthenticator>
+      <AuthenticationEnsurer>
+        <MaybePlanGate>
+          <SpaceEnsurer>
+            <SpacePageContent params={params} searchParams={searchParams} />
+          </SpaceEnsurer>
+        </MaybePlanGate>
+      </AuthenticationEnsurer>
+    </IframeAuthenticator>
+  )
+}
+
+function SpacePageContent({ params, searchParams }: PageProps): JSX.Element {
+  const [{ client, spaces }] = useW3()
+  const spaceDID = decodeURIComponent(params.did)
+  const space = spaces.find(s => s.did() === spaceDID)
+
+  const key = space ? createUploadsListKey(space.did(), searchParams.cursor, searchParams.pre === 'true') : ''
+  const { data: uploads, isLoading, isValidating, mutate } = useSWR<UploadListSuccess|undefined>(key, {
+    fetcher: async () => {
+      if (!client || !space) return
+
+      if (client.currentSpace()?.did() !== space.did()) {
+        await client.setCurrentSpace(space.did())
+      }
+
+      return await client.capability.upload.list({
+        cursor: searchParams.cursor,
+        pre: searchParams.pre === 'true',
+        size: pageSize
+      })
+    },
+    onError: logAndCaptureError,
+    keepPreviousData: true
+  })
+
+  const router = useRouter()
+  const pathname = usePathname()
+
+  if (!space) return <div className="p-6"><div>Space not found</div></div>
+
+  const handleSelect = (root: UnknownLink) => router.push(`${pathname}/root/${root}`)
+  const handleNext = uploads?.after && (uploads.results.length === pageSize)
+    ? () => router.push(`${pathname}?cursor=${uploads.after}`)
+    : undefined
+  const handlePrev = searchParams.cursor && uploads?.before
+    ? () => router.push(`${pathname}?cursor=${uploads.before ?? ''}&pre=true`)
+    : undefined
+  const handleRefresh = () => mutate()
+
+  return (
+    <div className="p-4 max-w-6xl mx-auto">
+      <div className="mb-4">
+        <Breadcrumbs space={space.did()} />
+      </div>
+      <UploadsList
+        space={space}
+        uploads={uploads?.results ?? []}
+        loading={isLoading}
+        validating={isValidating}
+        onSelect={handleSelect}
+        onNext={handleNext}
+        onPrev={handlePrev}
+        onRefresh={handleRefresh}
+      />
+    </div>
+  )
+} 
\ No newline at end of file
diff --git a/src/components/IframeAuthenticator.tsx b/src/components/IframeAuthenticator.tsx
new file mode 100644
index 0000000..858d11f
--- /dev/null
+++ b/src/components/IframeAuthenticator.tsx
@@ -0,0 +1,219 @@
+'use client'
+
+import { useIframe } from '@/contexts/IframeContext'
+import { useW3, Authenticator } from '@w3ui/react'
+import { useEffect, useState, ReactNode } from 'react'
+import { Logo } from '@/brand'
+
+interface IframeAuthenticatorProps {
+  children: ReactNode
+}
+
+export default function IframeAuthenticator({ children }: IframeAuthenticatorProps) {
+  const { isIframe, isClient, parentUser, sendMessageToParent } = useIframe()
+  const [{ accounts }] = useW3()
+  const [authState, setAuthState] = useState<'pending' | 'authenticating' | 'authenticated' | 'failed'>('pending')
+  const [error, setError] = useState<string | null>(null)
+  
+  const isAuthenticated = accounts.length > 0
+
+  // Programmatic DMAIL authentication
+  useEffect(() => {
+    const authenticateWithDmail = async () => {
+      if (!parentUser?.email || authState !== 'pending' || isAuthenticated) return
+
+      try {
+        setAuthState('authenticating')
+        sendMessageToParent({
+          type: 'AUTH_STATUS',
+          status: 'authenticating',
+          email: parentUser.email
+        })
+
+        // Step 1: Validate user with DMAIL API (simulated)
+        console.log('🔐 Starting DMAIL OAuth authentication for:', parentUser.email)
+        const dmailValidation = await validateDmailUser(parentUser)
+        if (!dmailValidation.valid) {
+          throw new Error(`User ${parentUser.email} not found in DMAIL system`)
+        }
+
+        // Step 2: Simulate programmatic OAuth that bypasses email verification
+        await simulateProgrammaticAuth(parentUser.email)
+        
+        setAuthState('authenticated')
+        sendMessageToParent({
+          type: 'AUTH_STATUS',
+          status: 'authenticated',
+          email: parentUser.email
+        })
+
+      } catch (err) {
+        console.error('DMAIL authentication failed:', err)
+        setError(err instanceof Error ? err.message : 'Authentication failed')
+        setAuthState('failed')
+        sendMessageToParent({
+          type: 'AUTH_STATUS',
+          status: 'failed',
+          email: parentUser.email,
+          error: err instanceof Error ? err.message : 'Authentication failed'
+        })
+      }
+    }
+
+    if (parentUser?.email && !isAuthenticated) {
+      authenticateWithDmail()
+    }
+  }, [parentUser, authState, isAuthenticated, sendMessageToParent])
+
+  // Monitor authentication state and notify parent
+  useEffect(() => {
+    if (isAuthenticated && parentUser) {
+      console.log('✅ User authenticated successfully!')
+      sendMessageToParent({
+        type: 'AUTH_STATUS',
+        status: 'authenticated',
+        email: parentUser.email
+      })
+    }
+  }, [isAuthenticated, parentUser, sendMessageToParent])
+
+  // Notify parent when user credentials are received
+  useEffect(() => {
+    if (parentUser && !isAuthenticated) {
+      sendMessageToParent({
+        type: 'AUTH_RECEIVED',
+        user: parentUser
+      })
+    }
+  }, [parentUser, isAuthenticated, sendMessageToParent])
+
+  // Don't render until client-side
+  if (!isClient) {
+    return (
+      <div className="flex items-center justify-center h-screen bg-gray-50">
+        <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-blue-600"></div>
+      </div>
+    )
+  }
+
+  // If not in iframe, use regular authenticator
+  if (!isIframe) {
+    return <Authenticator>{children}</Authenticator>
+  }
+
+  // If no parent user provided, show waiting state
+  if (!parentUser) {
+    return (
+      <div className="flex items-center justify-center h-screen bg-gray-50">
+        <div className="text-center p-8">
+          <div className="animate-pulse mb-4">
+            <div className="w-16 h-16 bg-blue-200 rounded-full mx-auto mb-4"></div>
+          </div>
+          <h3 className="text-lg font-semibold text-gray-700 mb-2">
+            Waiting for Authentication
+          </h3>
+          <p className="text-gray-500">
+            Waiting for user credentials from email provider...
+          </p>
+        </div>
+      </div>
+    )
+  }
+
+  // Show authentication progress
+  if (authState === 'authenticating') {
+    return (
+      <div className="flex flex-col items-center justify-center h-screen bg-gray-50">
+        <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-blue-600 mb-4"></div>
+        <h3 className="text-lg font-semibold text-gray-700 mb-2">
+          Authenticating with DMAIL
+        </h3>
+        <p className="text-gray-600">
+          Validating {parentUser.email}...
+        </p>
+        <p className="text-sm text-gray-500 mt-2">
+          This should take just a moment
+        </p>
+      </div>
+    )
+  }
+
+  // Show authentication failure
+  if (authState === 'failed') {
+    return (
+      <div className="flex flex-col items-center justify-center h-screen bg-gray-50">
+        <div className="bg-red-50 border border-red-200 rounded-lg p-6 max-w-md">
+          <div className="flex items-center mb-4">
+            <div className="w-6 h-6 bg-red-100 rounded-full flex items-center justify-center mr-3">
+              <span className="text-red-600 text-sm">✗</span>
+            </div>
+            <h3 className="text-lg font-medium text-red-800">Authentication Failed</h3>
+          </div>
+          <p className="text-red-700 mb-4">{error}</p>
+          <button
+            onClick={() => {
+              setAuthState('pending')
+              setError(null)
+            }}
+            className="w-full bg-red-600 text-white py-2 px-4 rounded-md hover:bg-red-700 transition-colors"
+          >
+            Retry Authentication
+          </button>
+        </div>
+      </div>
+    )
+  }
+
+  // If user is authenticated OR we completed our simulation, show the console
+  if (isAuthenticated || authState === 'authenticated') {
+    return <Authenticator>{children}</Authenticator>
+  }
+
+  // Default: show preparation state
+  return (
+    <div className="flex items-center justify-center h-screen bg-gray-50">
+      <div className="text-center p-8">
+        <Logo className="w-16 h-16 mx-auto mb-4 text-blue-600" />
+        <h3 className="text-lg font-semibold text-gray-700 mb-2">
+          Preparing Workspace
+        </h3>
+        <p className="text-gray-500">
+          Setting up your Storacha workspace...
+        </p>
+      </div>
+    </div>
+  )
+}
+
+/**
+ * Validate user exists in DMAIL system
+ */
+async function validateDmailUser(user: { email: string, id: string, name?: string }): Promise<{ valid: boolean, plan?: string }> {
+  // Simulate API call to DMAIL
+  await new Promise(resolve => setTimeout(resolve, 1500))
+  
+  // Simulate validation logic
+  if (user.email.endsWith('@dmail.ai')) {
+    console.log('✅ User validated with DMAIL API:', user.email)
+    return { valid: true, plan: 'pro' }
+  }
+  
+  throw new Error('User not found in DMAIL system')
+}
+
+/**
+ * Simulate programmatic authentication that would happen after DMAIL OAuth validation
+ */
+async function simulateProgrammaticAuth(email: string) {
+  console.log('🔐 Simulating DMAIL OAuth backend flow for:', email)
+  
+  // Simulate the OAuth flow timing
+  await new Promise(resolve => setTimeout(resolve, 2000))
+  
+  console.log('✅ Programmatic authentication completed for:', email)
+  console.log('📝 In production, this would:')
+  console.log('   1. Validate user with DMAIL API')
+  console.log('   2. Issue Access.confirm delegation on backend')
+  console.log('   3. Use w3up client to claim delegated access')
+  console.log('   4. User would be authenticated with Storacha')
+} 
\ No newline at end of file
diff --git a/src/components/IframeDashboard.tsx b/src/components/IframeDashboard.tsx
new file mode 100644
index 0000000..966e00c
--- /dev/null
+++ b/src/components/IframeDashboard.tsx
@@ -0,0 +1,69 @@
+'use client'
+
+import { useW3, Space } from '@w3ui/react'
+import { DidIcon } from '@/components/DidIcon'
+import Link from 'next/link'
+import { H1, H2 } from '@/components/Text'
+import { ReactNode } from 'react'
+import { AuthenticationEnsurer } from '@/components/Authenticator'
+import { SpaceEnsurer } from '@/components/SpaceEnsurer'
+import { MaybePlanGate } from '@/components/PlanGate'
+import IframeAuthenticator from '@/components/IframeAuthenticator'
+
+export default function IframeDashboard(): ReactNode {
+  return (
+    <IframeAuthenticator>
+      <AuthenticationEnsurer>
+        <MaybePlanGate>
+          <SpaceEnsurer>
+            <SpacePage />
+          </SpaceEnsurer>
+        </MaybePlanGate>
+      </AuthenticationEnsurer>
+    </IframeAuthenticator>
+  )
+}
+
+function SpacePage(): ReactNode {
+  const [{ spaces }] = useW3()
+
+  if (spaces.length === 0) {
+    return (
+      <div className="p-4 max-w-3xl mx-auto">
+        <H1 className="text-xl mb-4">Welcome to Storacha Workspaces</H1>
+        <p className="text-gray-600">
+          No spaces found. Create your first space to get started.
+        </p>
+      </div>
+    )
+  }
+
+  return (
+    <div className="p-4 max-w-4xl mx-auto">
+      <H1 className="text-xl mb-2">Your Workspaces</H1>
+      <H2 className="text-base mb-4 text-gray-600">Select a Space to Manage</H2>
+      <div className='border rounded-lg border-hot-red bg-white shadow-sm'>
+        {spaces.map(s => <Item space={s} key={s.did()} />)}
+      </div>
+    </div>
+  )
+}
+
+function Item({ space }: { space: Space }) {
+  return (
+    <Link 
+      href={`/iframe/space/${space.did()}`} 
+      className='flex flex-row items-start gap-4 p-4 text-left hover:bg-hot-yellow-light border-b last:border-0 border-hot-red first:rounded-t-2xl last:rounded-b-2xl'
+    >
+      <DidIcon did={space.did()} />
+      <div className='grow overflow-hidden whitespace-nowrap text-ellipsis'>
+        <span className='font-epilogue text-lg text-hot-red leading-5 m-0'>
+          {space.name || 'Untitled'}
+        </span>
+        <span className='font-mono text-xs block'>
+          {space.did()}
+        </span>
+      </div>
+    </Link>
+  )
+} 
\ No newline at end of file
diff --git a/src/contexts/IframeContext.tsx b/src/contexts/IframeContext.tsx
new file mode 100644
index 0000000..2ef13ad
--- /dev/null
+++ b/src/contexts/IframeContext.tsx
@@ -0,0 +1,101 @@
+'use client'
+
+import { createContext, useContext, useEffect, useState, ReactNode } from 'react'
+
+interface IframeContextType {
+  isIframe: boolean
+  isClient: boolean
+  parentOrigin: string | null
+  parentUser: { email: string; id: string } | null
+  sendMessageToParent: (data: any) => void
+  requestParentNavigation: (url: string) => void
+}
+
+const IframeContext = createContext<IframeContextType | undefined>(undefined)
+
+export function IframeProvider({ children }: { children: ReactNode }) {
+  const [isIframe, setIsIframe] = useState(false)
+  const [parentOrigin, setParentOrigin] = useState<string | null>(null)
+  const [isClient, setIsClient] = useState(false)
+  const [parentUser, setParentUser] = useState<{ email: string; id: string } | null>(null)
+
+  useEffect(() => {
+    // Mark as client-side rendered
+    setIsClient(true)
+    
+    // Detect if running in iframe
+    const inIframe = window.self !== window.top
+    setIsIframe(inIframe)
+
+    if (inIframe) {
+      // Listen for messages from parent
+      const handleMessage = (event: MessageEvent) => {
+        // Validate origin - in production, whitelist specific domains
+        if (event.origin !== parentOrigin && parentOrigin === null) {
+          setParentOrigin(event.origin)
+        }
+
+        // Handle parent messages
+        if (event.data.type === 'IFRAME_INIT') {
+          sendMessageToParent({ 
+            type: 'CONSOLE_READY',
+            url: window.location.href
+          })
+        }
+
+        if (event.data.type === 'USER_AUTH') {
+          console.log('🔐 Received user authentication from parent:', event.data.user)
+          setParentUser(event.data.user)
+          sendMessageToParent({
+            type: 'AUTH_RECEIVED',
+            user: event.data.user
+          })
+        }
+      }
+
+      window.addEventListener('message', handleMessage)
+      
+      // Notify parent that iframe is loaded
+      window.parent?.postMessage({ 
+        type: 'CONSOLE_LOADED',
+        url: window.location.href 
+      }, '*')
+
+      return () => window.removeEventListener('message', handleMessage)
+    }
+  }, [parentOrigin])
+
+  const sendMessageToParent = (data: any) => {
+    if (isIframe && window.parent) {
+      window.parent.postMessage(data, parentOrigin || '*')
+    }
+  }
+
+  const requestParentNavigation = (url: string) => {
+    sendMessageToParent({
+      type: 'REQUEST_NAVIGATION',
+      url
+    })
+  }
+
+  return (
+    <IframeContext.Provider value={{
+      isIframe,
+      isClient,
+      parentOrigin,
+      parentUser,
+      sendMessageToParent,
+      requestParentNavigation
+    }}>
+      {children}
+    </IframeContext.Provider>
+  )
+}
+
+export function useIframe() {
+  const context = useContext(IframeContext)
+  if (context === undefined) {
+    throw new Error('useIframe must be used within an IframeProvider')
+  }
+  return context
+} 
\ No newline at end of file