diff --git a/.gitignore b/.gitignore
index e11168c3..6b716252 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,6 @@ tags
 
 #OSX Stuff
 .DS_Store
+
+branding
+secrets
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 817b4cfc..acc777fc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -90,8 +90,8 @@ set(MultiMC_DISCORD_URL "" CACHE STRING "URL for the Discord guild.")
 # Subreddit URL
 set(MultiMC_SUBREDDIT_URL "" CACHE STRING "URL for the subreddit.")
 
-# MSA Client ID
-set(MultiMC_MSA_CLIENT_ID "" CACHE STRING "Client ID used for MSA authentication")
+
+option(MultiMC_EMBED_SECRETS "Determines whether to embed secrets. Secrets are separate and non-public." OFF)
 
 #### Check the current Git commit and branch
 include(GetGitRevisionDescription)
@@ -287,5 +287,9 @@ add_subdirectory(libraries/katabasis) # An OAuth2 library that tried to do too m
 
 add_subdirectory(buildconfig)
 
+if(MultiMC_EMBED_SECRETS)
+    add_subdirectory(secrets)
+endif()
+
 # NOTE: this must always be last to appease the CMake deity of quirky install command evaluation order.
 add_subdirectory(launcher)
diff --git a/buildconfig/BuildConfig.cpp.in b/buildconfig/BuildConfig.cpp.in
index 9d4771b4..60d417a6 100644
--- a/buildconfig/BuildConfig.cpp.in
+++ b/buildconfig/BuildConfig.cpp.in
@@ -35,7 +35,6 @@ Config::Config()
     PASTE_EE_KEY = "@MultiMC_PASTE_EE_API_KEY@";
     IMGUR_CLIENT_ID = "@MultiMC_IMGUR_CLIENT_ID@";
     META_URL = "@MultiMC_META_URL@";
-    MSA_CLIENT_ID = "@MultiMC_MSA_CLIENT_ID@";
 
     BUG_TRACKER_URL = "@MultiMC_BUG_TRACKER_URL@";
     DISCORD_URL = "@MultiMC_DISCORD_URL@";
diff --git a/buildconfig/BuildConfig.h b/buildconfig/BuildConfig.h
index 71880109..de7d4b49 100644
--- a/buildconfig/BuildConfig.h
+++ b/buildconfig/BuildConfig.h
@@ -75,11 +75,6 @@ public:
      */
     QString META_URL;
 
-    /**
-     * MSA client ID - registered with Azure / Microsoft, needs correct setup on MS side.
-     */
-    QString MSA_CLIENT_ID;
-
     QString BUG_TRACKER_URL;
     QString DISCORD_URL;
     QString SUBREDDIT_URL;
diff --git a/launcher/CMakeLists.txt b/launcher/CMakeLists.txt
index 84a03895..81740adb 100644
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
@@ -947,6 +947,10 @@ install(TARGETS MultiMC
     RUNTIME DESTINATION ${BINARY_DEST_DIR} COMPONENT Runtime
 )
 
+if(MultiMC_EMBED_SECRETS)
+    target_link_libraries(MultiMC_logic secrets)
+endif()
+
 #### The MultiMC bundle mess! ####
 # Bundle utilities are used to complete the portable packages - they add all the libraries that would otherwise be missing on the target system.
 # NOTE: it seems that this absolutely has to be here, and nowhere else.
diff --git a/launcher/LaunchController.cpp b/launcher/LaunchController.cpp
index 11780625..82c97ecf 100644
--- a/launcher/LaunchController.cpp
+++ b/launcher/LaunchController.cpp
@@ -171,9 +171,16 @@ void LaunchController::login() {
                 break;
             }
             case AuthSession::RequiresOAuth: {
-                // FIXME: add UI for expired / broken MS accounts
+                auto errorString = tr("Microsoft account has expired and needs to be logged into manually again.");
+                QMessageBox::warning(
+                    nullptr,
+                    tr("Microsoft Account refresh failed"),
+                    errorString,
+                    QMessageBox::StandardButton::Ok,
+                    QMessageBox::StandardButton::Ok
+                );
                 tryagain = false;
-                emitFailed(tr("Microsoft account has expired and needs to be logged into again."));
+                emitFailed(errorString);
                 return;
             }
             case AuthSession::PlayableOffline: {
diff --git a/launcher/minecraft/auth/MinecraftAccount.cpp b/launcher/minecraft/auth/MinecraftAccount.cpp
index 671f9c38..4231d6b0 100644
--- a/launcher/minecraft/auth/MinecraftAccount.cpp
+++ b/launcher/minecraft/auth/MinecraftAccount.cpp
@@ -245,7 +245,12 @@ void MinecraftAccount::authFailed(QString reason)
         emit changed();
         if (session)
         {
-            session->status = AuthSession::RequiresPassword;
+            if(data.type == AccountType::MSA) {
+                session->status = AuthSession::RequiresOAuth;
+            }
+            else {
+                session->status = AuthSession::RequiresPassword;
+            }
             session->auth_server_online = true;
             fillSession(session);
         }
diff --git a/launcher/minecraft/auth/flows/AuthContext.cpp b/launcher/minecraft/auth/flows/AuthContext.cpp
index ed8acd40..9ae99453 100644
--- a/launcher/minecraft/auth/flows/AuthContext.cpp
+++ b/launcher/minecraft/auth/flows/AuthContext.cpp
@@ -17,7 +17,10 @@
 #include "AuthContext.h"
 #include "katabasis/Globals.h"
 #include "katabasis/Requestor.h"
-#include "BuildConfig.h"
+
+#ifdef EMBED_SECRETS
+#include "Secrets.h"
+#endif
 
 using OAuth2 = Katabasis::OAuth2;
 using Requestor = Katabasis::Requestor;
@@ -49,12 +52,13 @@ void AuthContext::finishActivity() {
 }
 
 void AuthContext::initMSA() {
+#ifdef EMBED_SECRETS
     if(m_oauth2) {
         return;
     }
     Katabasis::OAuth2::Options opts;
     opts.scope = "XboxLive.signin offline_access";
-    opts.clientIdentifier = BuildConfig.MSA_CLIENT_ID;
+    opts.clientIdentifier = Secrets::getMSAClientID('-');
     opts.authorizationUrl = "https://login.microsoftonline.com/consumers/oauth2/v2.0/devicecode";
     opts.accessTokenUrl = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token";
     opts.listenerPorts = {28562, 28563, 28564, 28565, 28566};
@@ -66,6 +70,7 @@ void AuthContext::initMSA() {
     connect(m_oauth2, &OAuth2::linkingSucceeded, this, &AuthContext::onOAuthLinkingSucceeded);
     connect(m_oauth2, &OAuth2::showVerificationUriAndCode, this, &AuthContext::showVerificationUriAndCode);
     connect(m_oauth2, &OAuth2::activityChanged, this, &AuthContext::onOAuthActivityChanged);
+#endif
 }
 
 void AuthContext::initMojang() {
diff --git a/launcher/pages/global/AccountListPage.cpp b/launcher/pages/global/AccountListPage.cpp
index d71b942e..45b778de 100644
--- a/launcher/pages/global/AccountListPage.cpp
+++ b/launcher/pages/global/AccountListPage.cpp
@@ -72,9 +72,9 @@ AccountListPage::AccountListPage(QWidget *parent)
 
     // Xbox authentication won't work without a client identifier, so disable the button
     // if the build didn't specify one (GH-4012)
-    if (BuildConfig.MSA_CLIENT_ID.isEmpty()) {
-        ui->actionAddMicrosoft->setVisible(false);
-    }
+#ifndef EMBED_SECRETS
+    ui->actionAddMicrosoft->setVisible(false);
+#endif
 }
 
 AccountListPage::~AccountListPage()
diff --git a/libraries/katabasis/src/OAuth2.cpp b/libraries/katabasis/src/OAuth2.cpp
index 9756d377..260aa9c1 100644
--- a/libraries/katabasis/src/OAuth2.cpp
+++ b/libraries/katabasis/src/OAuth2.cpp
@@ -570,6 +570,7 @@ void OAuth2::onRefreshFinished() {
         emit refreshFinished(QNetworkReply::NoError);
         qDebug() << "New token expires in" << expires() << "seconds";
     } else {
+        emit linkingFailed();
         qDebug() << "OAuth2::onRefreshFinished: Error" << (int)refreshReply->error() << refreshReply->errorString();
     }
     refreshReply->deleteLater();