diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index a2cc9c09d..2b16be2ec 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -32,7 +32,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 3d12cd6a0..cca77e563 100644 
--- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -31,7 +31,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. 
diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 43cff4a83..a92a94c4a 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -48,7 +48,7 @@ For more information about these variables, check the `roles/custom/matrix-nginx If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse: ```yaml -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true +matrix_synapse_container_labels_client_synapse_oidc_api_enabled: true ``` ## Disable Nginx access logs diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index fdd11f2e8..1f8f8adda 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md 
@@ -15,7 +15,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_synapse_admin_enabled: true ``` -**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). +**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, the playbook **automatically** exposes the Synapse Admin API publicly for you (equivalent to `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true`). ## Installing diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index a2ee2a9a8..3f01b6a17 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md 
@@ -16,9 +16,9 @@ Table of contents: You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. -To make use of this API, **you'll need an admin access token** first. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). +To make use of this Synapse Admin API, **you'll need an admin access token** first. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). -Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file. +Synapse's Admin API is not exposed to the internet by default, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). To expose it you will need to add `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` to your `vars.yml` file. Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4448e074e..b4fd573e3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2914,8 +2914,6 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- }[matrix_homeserver_implementation]|int }} -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled or matrix_bot_matrix_registration_bot_enabled }}" - matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" 
@@ -3969,6 +3967,13 @@ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ ma matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_enabled: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_url != '' }}" matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" +# TODO - enable these (and potentially remove them above/below), when they land in matrix-synapse +# matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_enabled: "{{ matrix_synapse_container_labels_client_root_redirection_enabled != '' }}" +# matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_url: "{{ matrix_synapse_container_labels_client_root_redirection_url }}" +# matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_client_synapse_client_api_enabled }}" +# matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_client_synapse_oidc_api_enabled }}" +# matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_client_synapse_admin_api_enabled }}" + matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 6ae3e2c76..116ed3058 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -325,30 +325,12 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080 # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 - -# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true - -# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. -# Enable this if you need OpenID Connect authentication support. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false - -# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. -# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false - # `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds # the location prefixes that get forwarded to the Matrix Client API server. # These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | {{ (['/_matrix']) - + - (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) - + - (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) - + - (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) }} # Controls whether proxying for the Matrix Federation API should be done. diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index b1f2d4278..d60f7ce8d 100644 
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -93,7 +93,37 @@ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entry matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}" matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming -# TODO - /_synapse public exposure, etc.? +# Controls whether labels will be added that expose the /_synapse/client paths +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: true +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix: /_synapse/client +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver: "{{ 
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose the /_synapse/oidc paths +# Enable this if you need OpenID Connect authentication support. +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: false +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose the /_synapse/admin paths +# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. 
+matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: false +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose the Server-Server API (Federation API). matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml index af8081675..47854fc07 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml 
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml @@ -13,6 +13,10 @@ - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"} - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 index 072277ec4..d40d36c2a 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 @@ -48,7 +48,7 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-root.tls.cert {# - Client-API + Client-API (/_matrix) #} {% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %} 
@@ -68,12 +68,87 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certR {% endif %} {# - /Client-API + /Client-API (/_matrix) #} {# - Federation-API + Synapse Admin API (/_synapse/client) +#} +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled %} + +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule }} + +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls | to_json }} + +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver }} +{% endif %} + +{% endif %} +{# + /Synapse Admin API (/_synapse/client) +#} + + +{# + Synapse OIDC API (/_synapse/oidc) +#} +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled %} + +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ 
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule }} + +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls | to_json }} + +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver }} +{% endif %} + +{% endif %} +{# + /Synapse OIDC API (/_synapse/oidc) +#} + + +{# + Synapse Admin API (/_synapse/admin) +#} +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled %} + +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule }} + +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority }} +{% endif %} + 
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls | to_json }} + +{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver }} +{% endif %} + +{% endif %} +{# + /Synapse Admin API (/_synapse/admin) +#} + + +{# + Federation-API (/_matrix) #} {% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %} @@ -93,7 +168,7 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.c {% endif %} {# - /Federation-API + /Federation-API (/_matrix) #} {% endif %} diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 47cbc2a01..137a59737 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml 
@@ -18,7 +18,7 @@ matrix_synapse_email_smtp_enable_tls: true # because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc. # While /_synapse/client/ endpoints are somewhat client-server API-related, they're: # - neither part of the client-server API spec (and are thus, different) -# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`) +# - nor always OK to forward to a worker (we're supposed to obey `matrix_synapse_companion_container_labels_client_synapse_client_api_enabled`) # # It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24), # so it's not that important whether we forward them or not. diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 1532588f7..1e2331ca8 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -84,6 +84,9 @@ - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail:
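Review bot: in the docs/configuring-playbook-bot-draupnir.md and docs/configuring-playbook-bot-mjolnir.md hunks, the rewritten `+` line is still a sentence fragment: "If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role ... in your playbook config." has no main clause, and the follow-on "you should still be able to on the local host for your synapse run these commands" is hard to parse. Since the line is being touched anyway, suggest something like: "If your Synapse Admin API is exposed to the internet (for example because you run Synapse Admin, or have set `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true`), you can run the command below from anywhere; otherwise, run it on the server itself against your local Synapse." Keep the variable name in these two pages identical to the one the migration hunk reports as 'new'.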
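Review bot: in the docs/configuring-playbook-nginx.md hunk, the surrounding text still says the setting "instruct[s] nginx to forward `/_synapse/oidc` to Synapse", but the replacement variable `matrix_synapse_container_labels_client_synapse_oidc_api_enabled` is a container-labels toggle, and the matrix-nginx-proxy defaults hunk in this same patch removes every `/_synapse/oidc` prefix from the nginx role, so an nginx-only user following this page has nothing to enable. Either reword the paragraph to say it applies to the Traefik/labels setup, or keep an nginx-side variable for the OIDC prefix.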
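Review bot: the first group_vars/matrix_servers hunk drops `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled or matrix_bot_matrix_registration_bot_enabled }}"` without wiring up its replacement: `matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled` keeps its role default of `false`, and the only place the new code mentions `matrix_synapse_admin_enabled` is the commented-out TODO in the next hunk. That contradicts the updated docs/configuring-playbook-synapse-admin.md text, which still promises that the playbook "**automatically** exposes the Synapse Admin API publicly for you", and leaves Synapse Admin and matrix-registration-bot without the Admin API until the TODO lands. Keep an uncommented `matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled or matrix_bot_matrix_registration_bot_enabled }}"` in this patch, or hold the docs change until it is true.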
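Review bot: in the TODO block of the second group_vars/matrix_servers hunk, `matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_enabled: "{{ matrix_synapse_container_labels_client_root_redirection_enabled != '' }}"` compares an `_enabled` flag against the empty string; it copies the shape of the existing `_url != ''` line above it rather than the flag's semantics. When these lines are uncommented it should pass the flag through (`"{{ matrix_synapse_container_labels_client_root_redirection_enabled }}"`) or test the URL, so better to correct the comment now than to have it copied verbatim later.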
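Review bot: the roles/custom/matrix-nginx-proxy/defaults/main.yml hunk removes `/_synapse/client`, `/_synapse/oidc` and `/_synapse/admin` from `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes`, leaving only `/_matrix`, but nothing in the patch gives nginx-based reverse-proxy setups (`playbook-managed-nginx` and `other-nginx-non-container`, still referenced in the group_vars context lines) a replacement: the new toggles only emit Traefik labels. Before this change `/_synapse/client` was forwarded by default (`..._synapse_client_api_enabled: true`), so nginx users silently lose that path (including the password-reset `submit_token` endpoint mentioned in roles/custom/matrix-synapse/vars/main.yml) and any way to expose the OIDC or Admin APIs. If this is intentional, say so in a changelog entry and in the docs hunks; otherwise keep the prefixes, ideally derived from the companion variables. The surviving comment "These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`" is also stale now that only `/_matrix` remains.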
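Review bot: the companion tasks/validate_config.yml hunk only checks `_traefik_hostname` for the three new label groups, whereas the federation entries directly below check both hostname and entrypoints. For symmetry, add `matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_{client,oidc,admin}_api_traefik_entrypoints` entries with the same `when:` conditions; the template writes `...entrypoints={{ ... }}` unconditionally, so a blank override would otherwise produce a router label with no entrypoint.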
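Review bot: in the templates/labels.j2 hunk, all three new blocks write their labels under the existing router name `traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api`, so `traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule=...` is emitted up to four times with different values and only one can survive in the container's label set. With `..._client_synapse_client_api_enabled` defaulting to `true`, the `/_synapse/client` rule will replace the `/_matrix` client-API rule instead of adding to it, and enabling the OIDC or Admin toggle replaces it again. Each path needs its own router, for example `traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.rule=...`, `...-client-synapse-oidc-api...` and `...-client-synapse-admin-api...`, all keeping `.service=matrix-synapse-reverse-proxy-companion-client-api`. The comment headers of the first new block are also mislabelled: `Synapse Admin API (/_synapse/client)` and `/Synapse Admin API (/_synapse/client)` should read `Synapse Client API (/_synapse/client)`.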
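Review bot: in the roles/custom/matrix-synapse/vars/main.yml hunk, the comment now points at `matrix_synapse_companion_container_labels_client_synapse_client_api_enabled`, a name that exists nowhere in this patch. The variable actually defined here is `matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled`, and the docs and migration hunks use `matrix_synapse_container_labels_client_synapse_client_api_enabled`; pick one of those so the comment stays greppable.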
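Review bot: the matrix_playbook_migration hunk steers users from the removed `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_*_enabled` variables to `matrix_synapse_container_labels_client_synapse_*_enabled`, but no role in this patch defines those names; the only working knobs are `matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_*_enabled`, and the group_vars TODO ("enable these ... when they land in matrix-synapse") confirms the `matrix_synapse_container_labels_*` layer is not implemented yet. A user who follows the deprecation message therefore sets a variable nothing reads, and their Admin or OIDC API stays unexposed. Point 'new' at the companion variables for now (the four doc hunks quote the same unimplemented name), or land the matrix-synapse role variables in the same change.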