diff --git a/dex/robots.txt b/dex/robots.txt
new file mode 100644
index 0000000..43bc21d
--- /dev/null
+++ b/dex/robots.txt
@@ -0,0 +1,5 @@
+User-agent: *
+Disallow: /
+
+User-agent: LUN-4
+Allow: *
diff --git a/dex/static/main.css b/dex/static/main.css
new file mode 100644
index 0000000..25de9c0
--- /dev/null
+++ b/dex/static/main.css
@@ -0,0 +1,17 @@
+body,
+html {
+  margin: 0;
+  padding: 0;
+  width: 100vw;
+  height: 100vh;
+
+  overflow: hidden;
+}
+
+iframe {
+  width: 100vw;
+  height: 100vh;
+  border: none;
+  margin: 0;
+  padding: 0;
+}
diff --git a/dex/templates/approval.html b/dex/templates/approval.html
new file mode 100644
index 0000000..85f0bc7
--- /dev/null
+++ b/dex/templates/approval.html
@@ -0,0 +1,74 @@
+{{ template "header.html" . }}
+
+<script>
+  let source = null;
+  function sendToGluestick(msg) {
+    source.postMessage(msg, {
+      targetOrigin: '{{ print (extra "gluestick_url") }}'
+    });
+  }
+
+  document.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener(
+      "message",
+      (e) => {
+        if (e.origin != '{{ print (extra "gluestick_url") }}') return;
+
+        switch (e.data.type) {
+          case "appResult":
+            submitApproval(e.data.success);
+            break;
+        }
+      },
+      false
+    );
+
+    const iframe = document.querySelector("iframe");
+    iframe.addEventListener("load", () => {
+      source = iframe.contentWindow;
+      sendToGluestick({ type: "hello" });
+      sendToGluestick({
+        type: "appInfo",
+        client: "{{ .Client }}",
+        scopes:
+        {{ if .Scopes }}
+          [
+          {{ range $scope := .Scopes }}
+            "{{ $scope }}",
+          {{ end }}
+          ]
+        {{ else }}
+          null
+        {{ end }}
+      });
+    });
+  });
+
+  async function submitApproval(doesApprove) {
+    const params = new URLSearchParams();
+    params.append("req", "{{ .AuthReqID }}");
+    params.append("approval", doesApprove ? "approve" : "rejected");
+
+    // cursed shit to work about cors
+    const form = document.createElement("form");
+    form.method = "POST";
+
+    const hiddenReq = document.createElement("input");
+    hiddenReq.type = "hidden";
+    hiddenReq.name = "req";
+    hiddenReq.value = "{{ .AuthReqID }}";
+    form.appendChild(hiddenReq);
+
+    const hiddenApproval = document.createElement("input");
+    hiddenApproval.type = "hidden";
+    hiddenApproval.name = "approval";
+    hiddenApproval.value = doesApprove ? "approve" : "rejected";
+    form.appendChild(hiddenApproval);
+
+    document.body.appendChild(form);
+    form.submit();
+  }
+</script>
+<iframe src='{{ print (extra "gluestick_url") "/dex/approval" }}'></iframe>
+
+{{ template "footer.html" . }}
diff --git a/dex/templates/device.html b/dex/templates/device.html
new file mode 100644
index 0000000..8a51fb3
--- /dev/null
+++ b/dex/templates/device.html
@@ -0,0 +1 @@
+{{ template "header.html" . }} {{ template "footer.html" . }}
diff --git a/dex/templates/device_success.html b/dex/templates/device_success.html
new file mode 100644
index 0000000..8a51fb3
--- /dev/null
+++ b/dex/templates/device_success.html
@@ -0,0 +1 @@
+{{ template "header.html" . }} {{ template "footer.html" . }}
diff --git a/dex/templates/error.html b/dex/templates/error.html
new file mode 100644
index 0000000..8a51fb3
--- /dev/null
+++ b/dex/templates/error.html
@@ -0,0 +1 @@
+{{ template "header.html" . }} {{ template "footer.html" . }}
diff --git a/dex/templates/footer.html b/dex/templates/footer.html
new file mode 100644
index 0000000..b605728
--- /dev/null
+++ b/dex/templates/footer.html
@@ -0,0 +1,2 @@
+  </body>
+</html>
diff --git a/dex/templates/header.html b/dex/templates/header.html
new file mode 100644
index 0000000..2bd5000
--- /dev/null
+++ b/dex/templates/header.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>gluestick</title>
+    <link rel="icon" href='{{ print (extra "gluestick_url") "/icon.svg" }}' />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
+    <link href='{{ url .ReqPath "static/main.css" }}' rel="stylesheet" />
+  </head>
+
+  <body>
\ No newline at end of file
diff --git a/dex/templates/login.html b/dex/templates/login.html
new file mode 100644
index 0000000..8a51fb3
--- /dev/null
+++ b/dex/templates/login.html
@@ -0,0 +1 @@
+{{ template "header.html" . }} {{ template "footer.html" . }}
diff --git a/dex/templates/oob.html b/dex/templates/oob.html
new file mode 100644
index 0000000..8a51fb3
--- /dev/null
+++ b/dex/templates/oob.html
@@ -0,0 +1 @@
+{{ template "header.html" . }} {{ template "footer.html" . }}
diff --git a/dex/templates/password.html b/dex/templates/password.html
new file mode 100644
index 0000000..578e2a8
--- /dev/null
+++ b/dex/templates/password.html
@@ -0,0 +1,61 @@
+{{ template "header.html" . }}
+
+<script>
+  let source = null;
+  function sendToGluestick(msg) {
+    source.postMessage(msg, {
+      targetOrigin: '{{ print (extra "gluestick_url") }}'
+    });
+  }
+
+  document.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener(
+      "message",
+      (e) => {
+        if (e.origin != '{{ print (extra "gluestick_url") }}') return;
+
+        switch (e.data.type) {
+          case "passwordSubmit":
+            const { username, password } = e.data;
+            submitLogin(username, password);
+            break;
+        }
+      },
+      false
+    );
+
+    const iframe = document.querySelector("iframe");
+    iframe.addEventListener("load", () => {
+      source = iframe.contentWindow;
+      sendToGluestick({ type: "hello" });
+    });
+  });
+
+  async function submitLogin(username, password) {
+    const params = new URLSearchParams();
+    params.append("login", username);
+    params.append("password", password);
+
+    const req = await fetch("{{ .PostURL }}", {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: params,
+      method: "POST",
+      redirect: "follow"
+    });
+
+    if (req.ok && req.redirected) {
+      window.location.href = req.url;
+      return;
+    }
+
+    sendToGluestick({
+      type: "passwordSubmitResult",
+      success: req.ok
+    });
+  }
+</script>
+<iframe src='{{ print (extra "gluestick_url") "/dex/password" }}'></iframe>
+
+{{ template "footer.html" . }}
diff --git a/environment.d.ts b/environment.d.ts
index 000a0b4..8943719 100644
--- a/environment.d.ts
+++ b/environment.d.ts
@@ -27,6 +27,7 @@ declare global {
       GITHUB_ORG: string;
 
       BASE_DOMAIN: string;
+      DEX_DOMAIN: string;
     }
   }
 }
diff --git a/next.config.js b/next.config.js
index 182ff7a..08d72fc 100644
--- a/next.config.js
+++ b/next.config.js
@@ -3,7 +3,18 @@ const nextConfig = {
   experimental: {
     appDir: true
   },
-  output: "standalone"
+  output: "standalone",
+
+  // Allow Dex to use gluestick in an iframe
+  headers: async () => {
+    return [{
+      source: "/dex/(.*)",
+      headers: [{
+        key: "Content-Security-Policy",
+        value: `frame-ancestors 'self' ${process.env.DEX_DOMAIN}`
+      }]
+    }]
+  }
 };
 
 module.exports = nextConfig;
diff --git a/src/app/dex/approval/DexApprovalForm.module.css b/src/app/dex/approval/DexApprovalForm.module.css
new file mode 100644
index 0000000..8640a65
--- /dev/null
+++ b/src/app/dex/approval/DexApprovalForm.module.css
@@ -0,0 +1,10 @@
+.buttons {
+  display: flex;
+  width: 100%;
+  justify-content: center;
+  gap: 1rem;
+}
+
+.approvalText {
+  padding: 1rem 0;
+}
diff --git a/src/app/dex/approval/DexApprovalForm.tsx b/src/app/dex/approval/DexApprovalForm.tsx
new file mode 100644
index 0000000..4e4a5e6
--- /dev/null
+++ b/src/app/dex/approval/DexApprovalForm.tsx
@@ -0,0 +1,59 @@
+"use client";
+
+import React from "react";
+import { AppInfo, useDex } from "../dex";
+import styles from "./DexApprovalForm.module.css";
+
+export default function DexApprovalForm({ domain }: { domain: string }) {
+  const [appInfo, setAppInfo] = React.useState<AppInfo | null>(null);
+
+  const sendToDex = useDex(domain, (msg) => {
+    switch (msg.type) {
+      case "appInfo":
+        setAppInfo(msg);
+        break;
+    }
+  });
+
+  if (appInfo === null) return <></>;
+
+  // Stolen from LoginForm
+  return (
+    <div>
+      <h1>Sign into {appInfo.client}</h1>
+
+      <div className={styles.approvalText}>
+        {appInfo.scopes != null ? (
+          <>
+            <p>{appInfo.client} would like to:</p>
+            <ul>
+              {appInfo.scopes.map((scope) => (
+                <li key={scope}>{scope}</li>
+              ))}
+            </ul>
+          </>
+        ) : (
+          <p>{appInfo.client} doesn't have any special permissions.</p>
+        )}
+      </div>
+
+      <div className={styles.buttons}>
+        <input
+          type="submit"
+          value="Allow"
+          onClick={() => {
+            sendToDex({ type: "appResult", success: true });
+          }}
+        />
+
+        <input
+          type="submit"
+          value="Deny"
+          onClick={() => {
+            sendToDex({ type: "appResult", success: false });
+          }}
+        />
+      </div>
+    </div>
+  );
+}
diff --git a/src/app/dex/approval/page.tsx b/src/app/dex/approval/page.tsx
new file mode 100644
index 0000000..8a1feb5
--- /dev/null
+++ b/src/app/dex/approval/page.tsx
@@ -0,0 +1,10 @@
+import styles from "@/app/page.module.css";
+import DexApprovalForm from "./DexApprovalForm";
+
+export default async function Page() {
+  return (
+    <main className={styles.main}>
+      <DexApprovalForm domain={process.env.DEX_DOMAIN} />
+    </main>
+  );
+}
diff --git a/src/app/dex/dex.tsx b/src/app/dex/dex.tsx
new file mode 100644
index 0000000..4c3e799
--- /dev/null
+++ b/src/app/dex/dex.tsx
@@ -0,0 +1,41 @@
+import React from "react";
+
+export type AppInfo = {
+  type: "appInfo";
+  client: string;
+  scopes: string[] | null;
+};
+
+export type Message =
+  | { type: "hello" }
+  | { type: "passwordSubmit"; username: string; password: string }
+  | { type: "passwordSubmitResult"; success: boolean }
+  | AppInfo
+  | { type: "appResult"; success: boolean };
+
+export function useDex(domain: string, handler: (msg: Message) => void) {
+  const [source, setSource] = React.useState<MessageEventSource | null>(null);
+
+  const sendToDex = (msg: Message, maybeSource?: MessageEventSource) => {
+    let realSource = maybeSource ?? source;
+    realSource!.postMessage(msg, {
+      targetOrigin: domain
+    });
+  };
+
+  React.useEffect(() => {
+    window.addEventListener("message", (e) => {
+      if (e.origin !== domain) return;
+      const message: Message = e.data;
+      setSource(e.source);
+
+      if (message.type === "hello") {
+        sendToDex({ type: "hello" }, e.source!);
+      }
+
+      handler(message);
+    });
+  }, []);
+
+  return sendToDex;
+}
diff --git a/src/app/dex/password/DexPasswordForm.tsx b/src/app/dex/password/DexPasswordForm.tsx
new file mode 100644
index 0000000..4248125
--- /dev/null
+++ b/src/app/dex/password/DexPasswordForm.tsx
@@ -0,0 +1,60 @@
+"use client";
+
+import React from "react";
+import { useDex } from "../dex";
+import { LoginFormValues, loginSchema } from "@/schemas";
+import { Form, Formik } from "formik";
+import PrettyForm from "@/components/PrettyForm";
+import Input from "@/components/Input";
+
+export default function DexPasswordForm({ domain }: { domain: string }) {
+  const [globalError, setGlobalError] = React.useState<string | null>(null);
+  const [submitting, setSubmitting] = React.useState(false);
+
+  const sendToDex = useDex(domain, (msg) => {
+    switch (msg.type) {
+      case "passwordSubmitResult":
+        setSubmitting(false);
+        if (!msg.success) setGlobalError("Invalid credentials.");
+        break;
+    }
+  });
+
+  async function handleFormSubmit({ username, password }: LoginFormValues) {
+    setSubmitting(true);
+    sendToDex({
+      type: "passwordSubmit",
+      username,
+      password
+    });
+  }
+
+  // Stolen from LoginForm
+  return (
+    <PrettyForm globalError={globalError}>
+      <Formik
+        initialValues={{ username: "", password: "" }}
+        onSubmit={handleFormSubmit}
+        validationSchema={loginSchema}
+      >
+        {() => (
+          <Form>
+            <Input
+              type="text"
+              placeholder="julian"
+              name="username"
+              label="Username"
+            />
+            <Input
+              type="password"
+              placeholder="deeznuts47"
+              name="password"
+              label="Password"
+            />
+            <input type="submit" value="Login" disabled={submitting} />
+          </Form>
+        )}
+      </Formik>
+    </PrettyForm>
+  );
+}
diff --git a/src/app/dex/password/page.tsx b/src/app/dex/password/page.tsx
new file mode 100644
index 0000000..2945687
--- /dev/null
+++ b/src/app/dex/password/page.tsx
@@ -0,0 +1,10 @@
+import styles from "@/app/page.module.css";
+import DexPasswordForm from "./DexPasswordForm";
+
+export default async function Page() {
+  return (
+    <main className={styles.main}>
+      <DexPasswordForm domain={process.env.DEX_DOMAIN} />
+    </main>
+  );
+}