diff --git a/microagent-init.sh b/microagent-init.sh
index bd3e164..7e8263c 100644
--- a/microagent-init.sh
+++ b/microagent-init.sh
@@ -7,6 +7,8 @@ log() {
   printf '[microagent-init] %s\n' "$*" >&2
 }
 
+MMDS_IPV4_ADDRESS="169.254.170.2"
+
 read_machine_name() {
   if [ -r /etc/microagent/machine-name ]; then
     tr -d '\r\n' </etc/microagent/machine-name
@@ -19,6 +21,74 @@ read_machine_name() {
   printf 'microagentcomputer'
 }
 
+fetch_mmds_metadata() {
+  local iface="${1:-}"
+  local token payload attempt=0
+
+  [ -n "$iface" ] || return 1
+
+  ip route replace "${MMDS_IPV4_ADDRESS}/32" dev "$iface" >/dev/null 2>&1 || return 1
+
+  while [ "$attempt" -lt 50 ]; do
+    token="$(curl -fsS -X PUT "http://${MMDS_IPV4_ADDRESS}/latest/api/token" \
+      -H 'X-metadata-token-ttl-seconds: 30' 2>/dev/null || true)"
+    if [ -n "$token" ]; then
+      payload="$(curl -fsS "http://${MMDS_IPV4_ADDRESS}/latest/meta-data" \
+        -H 'Accept: application/json' \
+        -H "X-metadata-token: ${token}" 2>/dev/null || true)"
+      if [ -n "$payload" ]; then
+        printf '%s' "$payload"
+        return 0
+      fi
+    fi
+    attempt=$((attempt + 1))
+    sleep 0.1
+  done
+  return 1
+}
+
+apply_guest_metadata() {
+  local payload="${1:-}"
+  local machine_name
+
+  [ -n "$payload" ] || return 1
+  install -d -m 0755 /etc/microagent
+
+  machine_name="$(printf '%s' "$payload" | jq -r '.hostname // .machine_id // empty')"
+  if [ -n "$machine_name" ]; then
+    printf '%s\n' "$machine_name" >/etc/microagent/machine-name
+    printf '%s\n' "$machine_name" >/etc/hostname
+    cat >/etc/hosts <<EOF
+127.0.0.1 localhost
+127.0.1.1 $machine_name
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+EOF
+    hostname "$machine_name" >/dev/null 2>&1 || true
+  fi
+
+  if printf '%s' "$payload" | jq -e '.authorized_keys | length > 0' >/dev/null 2>&1; then
+    log "installing MMDS authorized_keys for node"
+    install -d -m 0700 -o node -g node /home/node/.ssh
+    printf '%s' "$payload" | jq -r '.authorized_keys[]' >/home/node/.ssh/authorized_keys
+    chmod 0600 /home/node/.ssh/authorized_keys
+    chown node:node /home/node/.ssh/authorized_keys
+    printf '%s' "$payload" | jq -r '.authorized_keys[]' >/etc/microagent/authorized_keys
+    chmod 0600 /etc/microagent/authorized_keys
+  fi
+
+  if printf '%s' "$payload" | jq -e '.trusted_user_ca_keys | length > 0' >/dev/null 2>&1; then
+    log "installing MMDS trusted user CA keys"
+    printf '%s' "$payload" | jq -r '.trusted_user_ca_keys[]' >/etc/microagent/trusted_user_ca_keys
+    chmod 0644 /etc/microagent/trusted_user_ca_keys
+  fi
+
+  printf '%s' "$payload" | jq '{authorized_keys, trusted_user_ca_keys, login_webhook}' >/etc/microagent/guest-config.json
+  chmod 0600 /etc/microagent/guest-config.json
+  return 0
+}
+
 mountpoint -q /proc || mount -t proc proc /proc
 mountpoint -q /sys || mount -t sysfs sysfs /sys
 mountpoint -q /dev || mount -t devtmpfs devtmpfs /dev
@@ -73,6 +143,12 @@ if ! /usr/local/bin/microagent-network-up >/var/log/network.log 2>&1; then
   exit 1
 fi
 
+primary_iface="$(find /sys/class/net -mindepth 1 -maxdepth 1 -printf '%f\n' | grep -v '^lo$' | head -n1 || true)"
+if metadata_payload="$(fetch_mmds_metadata "$primary_iface")"; then
+  log "applying guest metadata from MMDS"
+  apply_guest_metadata "$metadata_payload" || true
+fi
+
 machine_name="$(read_machine_name)"
 export COMPUTER_NAME="$machine_name"
 printf '%s\n' "$machine_name" >/etc/hostname