diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 38c3874..915e380 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -41,6 +41,14 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
   add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 
+if [ -z "$TRANSFAIR_AUTH" ]; then
+  if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
+    log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
+    generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
+    add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
+  fi
+fi
+
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml
index adf0fb4..9dd0c64 100644
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@@ -24,6 +24,17 @@ services:
     volumes:
       - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.transfair-strip.stripprefix.prefixes=/transfair"
+      - "traefik.http.routers.transfair.middlewares=transfair-strip,transfair-auth"
+      - "traefik.http.routers.transfair.rule=PathPrefix(`/transfair`)"
+      - "traefik.http.services.transfair.loadbalancer.server.port=8080"
+      - "traefik.http.routers.transfair.tls=true"
+  
+  traefik:
+    labels:
+      - "traefik.http.middlewares.transfair-auth.basicauth.users=${TRANSFAIR_AUTH}"
 
   transfair-input-blaze:
     image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
@@ -37,6 +48,13 @@ services:
     volumes:
       - "transfair-input-blaze-data:/app/data"
     profiles: ["transfair-input-blaze"]
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.transfair-input-blaze.rule=PathPrefix(`/data-delivery`)"
+      - "traefik.http.middlewares.transfair-input-strip.stripprefix.prefixes=/data-delivery"
+      - "traefik.http.services.transfair-input-blaze.loadbalancer.server.port=8080"
+      - "traefik.http.routers.transfair-input-blaze.middlewares=transfair-input-strip,transfair-auth"
+      - "traefik.http.routers.transfair-input-blaze.tls=true"
 
   transfair-request-blaze:
     image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
@@ -50,6 +68,13 @@ services:
     volumes:
       - "transfair-request-blaze-data:/app/data"
     profiles: ["transfair-request-blaze"]
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.transfair-request-blaze.rule=PathPrefix(`/data-requests`)"
+      - "traefik.http.middlewares.transfair-request-strip.stripprefix.prefixes=/data-requests"
+      - "traefik.http.services.transfair-request-blaze.loadbalancer.server.port=8080"
+      - "traefik.http.routers.transfair-request-blaze.middlewares=transfair-request-strip,transfair-auth"
+      - "traefik.http.routers.transfair-request-blaze.tls=true"
 
 volumes:
   transfair-input-blaze-data: