diff --git a/backend/CIPHERDUCK.md b/backend/CIPHERDUCK.md
index da8beaaf5..213164501 100644
--- a/backend/CIPHERDUCK.md
+++ b/backend/CIPHERDUCK.md
@@ -23,15 +23,14 @@ backends.backends[0].bucket-prefix=cipherduck
backends.backends[0].s3-type=minio
backends.backends[0].admin-access-key-id=minioadmin
backends.backends[0].admin-secret-key=minioadmin
-backends.backends[0].jwe.protocol=s3
-backends.backends[0].jwe.vendor=s3-sts
-backends.backends[0].jwe.scheme=http
+backends.backends[0].jwe.protocol=s3-sts
backends.backends[0].jwe.hostname=minio
backends.backends[0].jwe.port=9000
+backends.backends[0].jwe.scheme=http
backends.backends[0].jwe.sts-endpoint=http://minio:9000
backends.backends[0].jwe.oauth-redirect-url=x-cipherduck-action:oauth
-backends.backends[1].jwe.oauth-authorization-url=https://login1.staging.cryptomator.cloud/realms/cipherduck/protocol/openid-connect/auth
-backends.backends[1].jwe.oauth-token-url=https://login1.staging.cryptomator.cloud/realms/cipherduck/protocol/openid-connect/token
+backends.backends[0].jwe.oauth-authorization-url=http://localhost:8180/realms/cryptomator/protocol/openid-connect/auth
+backends.backends[0].jwe.oauth-token-url=http://localhost:8180/realms/cryptomator/protocol/openid-connect/token
backends.backends[0].jwe.oauth-client-id=cryptomator
backends.backends[0].jwe.authorization=AuthorizationCode
```
@@ -73,8 +72,7 @@ backends.backends[1].admin-secret-key=XXXX
backends.backends[1].oidc-provider=arn:aws:iam::XXXX:oidc-provider/login1.staging.cryptomator.cloud/realms/cipherduck
backends.backends[1].sts-role-arn-prefix=arn:aws:iam::XXXX:role/
backends.backends[1].region=eu-central-1
-backends.backends[1].jwe.protocol=s3
-backends.backends[1].jwe.vendor=s3-sts
+backends.backends[1].jwe.protocol=s3-sts
backends.backends[1].jwe.oauth-redirect-url=x-cipherduck-action:oauth
backends.backends[1].jwe.oauth-authorization-url=https://login1.staging.cryptomator.cloud/realms/cipherduck/protocol/openid-connect/auth
backends.backends[1].jwe.oauth-token-url=https://login1.staging.cryptomator.cloud/realms/cipherduck/protocol/openid-connect/token
diff --git a/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java b/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java
index 6784639b4..4ebb248bb 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java
@@ -58,26 +58,27 @@ public ConfigDto getConfig() {
return new ConfigDto(keycloakPublicUrl, keycloakRealm, keycloakClientIdHub, keycloakClientIdCryptomator, authUri, tokenUri, Instant.now().truncatedTo(ChronoUnit.MILLIS), 0);
}
- // / start cipherduck extension
- @PermitAll
- @GET
- @Path("/cipherduckhubbookmark")
- @Produces(MediaType.APPLICATION_XML)
- @Operation(summary = "get cipherduck bookmark for this hub")
- public String cipherduckhubbookmark(@Context UriInfo uriInfo) throws IOException {
- final URI requestUri = uriInfo.getRequestUri();
- String template = new String(ConfigResource.class.getResourceAsStream("/cipherduck/hubbookmark.duck").readAllBytes());
- // nickname
- template = template.replace("Cipherduck", String.format("Cipherduck (%s://%s:%s)", requestUri.getScheme(), requestUri.getHost(), requestUri.getPort()));
- // scheme
- template = template.replace("hub-http", String.format("hub-%s", requestUri.getScheme()));
- // hostname
- template = template.replace("localhost", String.format("%s", requestUri.getHost()));
- // port
- template = template.replace("8080", String.format("%s", requestUri.getPort()));
- // UUID
- template = template.replace("c36acf24-e331-4919-9f19-ff52a08e7885", String.format("%s", Settings.get().hubId));
- return template;
+ // / start cipherduck extension
+ @PermitAll
+ @GET
+ @Path("/cipherduckhubbookmark")
+ @Produces(MediaType.APPLICATION_XML)
+ @Operation(summary = "get cipherduck bookmark for this hub")
+ public String cipherduckhubbookmark(@Context UriInfo uriInfo) throws IOException {
+ final URI requestUri = uriInfo.getRequestUri();
+ String template = new String(ConfigResource.class.getResourceAsStream("/cipherduck/hubbookmark.duck").readAllBytes());
+ String hubUrl = String.format("%s://%s:%s", requestUri.getScheme(), requestUri.getHost(), requestUri.getPort());
+ // nickname
+ template = template.replace("Cipherduck", String.format("Cipherduck (%s)", hubUrl));
+ // hostname
+ template = template.replace("localhost", String.format("%s", requestUri.getHost()));
+ // port
+ template = template.replace("8080", String.format("%s", requestUri.getPort()));
+ // UUID
+ template = template.replace("c36acf24-e331-4919-9f19-ff52a08e7885", String.format("%s", Settings.get().hubId));
+ // scheme
+ template = template.replace("provider", String.format("hub-%s", requestUri.getScheme()));
+ return template;
}
// \ end cipherduck extension
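Review bot: The `provider` replacement now runs last in `cipherduckhubbookmark`, after the request host has already been substituted into the template, so a hub reached under a hostname containing `provider` (or `8080`, via the port step) would have part of its own name rewritten, because `String.replace` rewrites every occurrence. Running the scheme step before any request-derived value is inserted, or switching the template to placeholders that cannot occur in a hostname (a constructed example: `@@HUB_PROVIDER@@`), avoids this. The scheme and host also come from the incoming request on a `@PermitAll` endpoint and are written into the XML unescaped, so they should be validated or escaped before substitution; note too that `requestUri.getPort()` returns -1 when the URI carries no explicit port. Separately, `new String(...)` uses the platform charset before Java 18, and `new String(bytes, StandardCharsets.UTF_8)` would pin it.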
diff --git a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackend.java b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackend.java
index 52537f61b..7d9e7adb1 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackend.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/cipherduck/VaultJWEBackend.java
@@ -5,43 +5,22 @@
import java.util.Optional;
public interface VaultJWEBackend {
- @JsonProperty("protocol")
- String protocol();
-
- @JsonProperty("vendor")
- Optional vendor();
- @JsonProperty("hostname")
- Optional hostname();
- @JsonProperty("scheme")
- Optional scheme();
-
- @JsonProperty("port")
- Optional port();
-
- // TODO https://github.com/chenkins/cipherduck-hub/issues/3 for permanent credentials?
- // @JsonProperty("username")
- // String username();
- //
- // @JsonProperty("password")
- // String password();
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/4 how generic do we need - which can we put into protocols?
+ // (1) storage-specific for protocol
@JsonProperty("region")
Optional region();
@JsonProperty("stsEndpoint")
Optional stsEndpoint();
- @JsonProperty("stsRoleArn")
- Optional stsRoleArn();
-
- @JsonProperty("stsDurationSeconds")
- Optional stsDurationSeconds();
+ @JsonProperty("scheme")
+ Optional scheme();
- @JsonProperty("authorization")
- Optional authorization();
+ // (2) hub-specific for protocol
@JsonProperty("oAuthAuthorizationUrl")
Optional oauthAuthorizationUrl();
@@ -51,6 +30,12 @@ public interface VaultJWEBackend {
@JsonProperty("oAuthClientId")
Optional oauthClientId();
+
+ // (3) hub-independent for protocol
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/3 we don't need them here.
+ @JsonProperty("authorization")
+ Optional authorization();
+
@JsonProperty("oAuthRedirectUrl")
Optional oauthRedirectUrl();
@@ -62,4 +47,34 @@ public interface VaultJWEBackend {
@JsonProperty("tokenConfigurable")
Optional tokenConfigurable();
+
+
+ // (4) for bookmark
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/3 add defaultPath, add UUID? = bucketName
+
+ @JsonProperty("protocol")
+ String protocol();
+
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/3 how do we use vendor - if we can inject (1) and (2) on the fly, we can use separate Protocol/Vendor
+ @JsonProperty("vendor")
+ Optional vendor();
+
+ @JsonProperty("hostname")
+ Optional hostname();
+
+ @JsonProperty("port")
+ Optional port();
+
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/3 for permanent credentials?
+ // @JsonProperty("username")
+ // String username();
+ //
+ // @JsonProperty("password")
+ // String password();
+
+ @JsonProperty("stsRoleArn")
+ Optional stsRoleArn();
+
+ @JsonProperty("stsDurationSeconds")
+ Optional stsDurationSeconds();
}
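Review bot: The commented-out `username`/`password` accessors are re-added under the new `(4) for bookmark` group instead of being dropped; dead code is better deleted, with the open question left to the linked issue. If permanent credentials are ever added here, they would presumably be serialized together with the other `@JsonProperty` members, so the TODO should state who receives this payload and how long such a secret would remain valid. The numbered group comments would read better as a short Javadoc on the interface, e.g. `/** Backend settings carried in the vault JWE: (1) storage-specific, (2) hub-specific, (3) hub-independent, (4) bookmark. */`; that wording assumes this is what the interface represents, which the diff does not show. The interface declaration starts outside this hunk.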
diff --git a/backend/src/main/resources/cipherduck/hubbookmark.duck b/backend/src/main/resources/cipherduck/hubbookmark.duck
index e88c1ff91..0d837765e 100644
--- a/backend/src/main/resources/cipherduck/hubbookmark.duck
+++ b/backend/src/main/resources/cipherduck/hubbookmark.duck
@@ -7,7 +7,7 @@
Protocol
hub
Provider
- hub-http
+ provider
Nickname
Cipherduck
Hostname
diff --git a/frontend/src/components/CreateVaultS3.vue b/frontend/src/components/CreateVaultS3.vue
index 9ecb96606..e306bf0a4 100644
--- a/frontend/src/components/CreateVaultS3.vue
+++ b/frontend/src/components/CreateVaultS3.vue
@@ -362,8 +362,11 @@ async function createVault() {
const bucketName = config["bucketPrefix"] + vaultId
if(config.hasOwnProperty("stsRoleArnPrefix") && config["stsRoleArnPrefix"]){
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/3 safe - side-effects?
config["jwe"]["stsRoleArn"] = config["stsRoleArnPrefix"] + bucketName
}
+ // TODO https://github.com/chenkins/cipherduck-hub/issues/3 how do we use vendor?
+ config["jwe"]["vendor"] = config["id"];
// \ end cipherduck extension
const ownerJwe = await vaultKeys.value.encryptForUser(base64.parse(owner.publicKey)
// / start cipherduck extension
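Review bot: Both assignments write into `config["jwe"]` in place, which the new TODO itself questions: if `config` is the shared backend entry rather than a per-call copy, the `stsRoleArn` and `vendor` of one vault stay on the object for the next `createVault()` call. Building the payload from a copy, `const jwe = { ...config["jwe"], vendor: config["id"] }`, and setting `stsRoleArn` on that copy would leave the selected backend configuration unchanged; the code that consumes `config["jwe"]` lies outside this hunk and would need to use the copy. The `vendor` line also assumes `config["jwe"]` and `config["id"]` are always present, unlike the guarded `stsRoleArnPrefix` branch. `createVault` begins before and continues after this hunk.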