diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
index 5f462b170..ef1fe30df 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
@@ -1,6 +1,10 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.net.URI;
 
 // needs to be accessible by JSON decoder
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -9,8 +13,19 @@ public class HubConfig {
 	public String clientId;
 	public String authEndpoint;
 	public String tokenEndpoint;
-	public String devicesResourceUrl;
 	public String authSuccessUrl;
 	public String authErrorUrl;
+	public @Nullable String apiBaseUrl;
+	@Deprecated // use apiBaseUrl + "/devices/"
+	public String devicesResourceUrl;
 
+	public URI getApiBaseUrl() {
+		if (apiBaseUrl != null) {
+			return URI.create(apiBaseUrl);
+		} else {
+			// legacy approach
+			assert devicesResourceUrl != null;
+			return URI.create(devicesResourceUrl + "/..").normalize();
+		}
+	}
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 1f42e008b..88cd0bb45 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -111,7 +111,7 @@ public class ReceiveKeyController implements FxController {
 	 * STEP 2 (Request): GET user key for this device
 	 */
 	private void requestUserKey(String encryptedVaultKey) {
-		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/" + deviceId);
+		var deviceTokenUri = URI.create(hubConfig.getApiBaseUrl() + "/devices/" + deviceId);
 		var request = HttpRequest.newBuilder(deviceTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
@@ -241,10 +241,10 @@ public class ReceiveKeyController implements FxController {
 
 	private static URI getVaultBaseUri(Vault vault) {
 		try {
-			var kid = vault.getVaultConfigCache().get().getKeyId();
-			assert kid.getScheme().startsWith(SCHEME_PREFIX);
-			var hubUriScheme = kid.getScheme().substring(SCHEME_PREFIX.length());
-			return new URI(hubUriScheme, kid.getSchemeSpecificPart(), kid.getFragment());
+			var url = vault.getVaultConfigCache().get().getKeyId();
+			assert url.getScheme().startsWith(SCHEME_PREFIX);
+			var correctedScheme = url.getScheme().substring(SCHEME_PREFIX.length());
+			return new URI(correctedScheme, url.getSchemeSpecificPart(), url.getFragment());
 		} catch (IOException e) {
 			throw new UncheckedIOException(e);
 		} catch (URISyntaxException e) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index 1762e3b78..537afaa28 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -108,8 +108,7 @@ public class SetupDeviceController implements FxController {
 	public void register() {
 		workInProgress.set(true);
 
-		var apiRootUrl = URI.create(hubConfig.devicesResourceUrl + "/..").normalize(); // TODO: add url to vault config file, only use this as a fallback for legacy vaults
-		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
+		var apiRootUrl = hubConfig.getApiBaseUrl();
 		var deviceKey = deviceKeyPair.getPublic().getEncoded();
 
 		var userReq = HttpRequest.newBuilder(apiRootUrl.resolve("users/me")) //
@@ -137,6 +136,7 @@ public class SetupDeviceController implements FxController {
 					var now = Instant.now().toString();
 					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64().encode(deviceKey), "DESKTOP", jwe.serialize(), now);
 					var json = toJson(dto);
+					var deviceUri = apiRootUrl.resolve("devices/" + deviceId);
 					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //
 							.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
 							.header("Authorization", "Bearer " + bearerToken) //