diff --git a/console/src/api/client.ts b/console/src/api/client.ts
index d5380a60..c9ddb2df 100644
--- a/console/src/api/client.ts
+++ b/console/src/api/client.ts
@@ -321,6 +321,10 @@ export function fetchConfig(token: string): Promise<AdminConfigResponse> {
   return requestJson<AdminConfigResponse>('/api/admin/config', { token });
 }
 
+export function fetchEmailConfig(token: string): Promise<unknown> {
+  return requestJson<unknown>('/api/admin/email-config/fetch', { token });
+}
+
 export function saveConfig(
   token: string,
   config: AdminConfig,
diff --git a/console/src/api/types.ts b/console/src/api/types.ts
index 8dcb9e0c..bbdcc505 100644
--- a/console/src/api/types.ts
+++ b/console/src/api/types.ts
@@ -21,6 +21,10 @@ export interface GatewayStatus {
     expiresAt: number | null;
     reloginRequired: boolean;
   };
+  hybridai?: {
+    apiKeyConfigured: boolean;
+    apiKeySource: 'env' | 'runtime-secrets' | null;
+  };
   sandbox?: {
     mode: 'container' | 'host';
     activeSessions: number;
diff --git a/console/src/routes/channels.test.tsx b/console/src/routes/channels.test.tsx
index 3773ee66..c6f3c154 100644
--- a/console/src/routes/channels.test.tsx
+++ b/console/src/routes/channels.test.tsx
@@ -12,6 +12,7 @@ import { ToastProvider } from '../components/toast';
 import { ChannelsPage } from './channels';
 
 const fetchConfigMock = vi.fn<() => Promise<AdminConfigResponse>>();
+const fetchEmailConfigMock = vi.fn();
 const saveConfigMock = vi.fn();
 const setRuntimeSecretMock = vi.fn();
 const validateTokenMock = vi.fn();
@@ -19,6 +20,7 @@ const useAuthMock = vi.fn();
 
 vi.mock('../api/client', () => ({
   fetchConfig: () => fetchConfigMock(),
+  fetchEmailConfig: (...args: unknown[]) => fetchEmailConfigMock(...args),
   saveConfig: (...args: unknown[]) => saveConfigMock(...args),
   setRuntimeSecret: (...args: unknown[]) => setRuntimeSecretMock(...args),
   validateToken: (...args: unknown[]) => validateTokenMock(...args),
@@ -223,11 +225,16 @@ function renderChannelsPage(): void {
 describe('ChannelsPage', () => {
   beforeEach(() => {
     fetchConfigMock.mockReset();
+    fetchEmailConfigMock.mockReset();
     saveConfigMock.mockReset();
     setRuntimeSecretMock.mockReset();
     validateTokenMock.mockReset();
     useAuthMock.mockReset();
     const gatewayStatus = {
+      hybridai: {
+        apiKeyConfigured: false,
+        apiKeySource: null,
+      },
       discord: {
         tokenConfigured: false,
         tokenSource: null,
@@ -1034,12 +1041,103 @@ describe('ChannelsPage', () => {
 
     renderChannelsPage();
 
-    await screen.findByRole('button', { name: /Email/i });
-    fireEvent.click(screen.getByRole('button', { name: /Email/i }));
+    const [emailChannelButton] = await screen.findAllByRole('button', {
+      name: /Email/i,
+    });
+    fireEvent.click(emailChannelButton);
     screen.getByRole('button', { name: 'Change password' });
     expect(screen.queryByRole('button', { name: 'Set password' })).toBeNull();
   });
 
+  it('hides fetch email config when no HybridAI API key is configured', async () => {
+    fetchConfigMock.mockResolvedValue({
+      path: '/tmp/config.json',
+      config: makeConfig(),
+    });
+
+    renderChannelsPage();
+
+    const [emailChannelButton] = await screen.findAllByRole('button', {
+      name: /Email/i,
+    });
+    fireEvent.click(emailChannelButton);
+
+    expect(
+      screen.queryByRole('button', { name: 'Fetch HybridAI Agent Email' }),
+    ).toBeNull();
+  });
+
+  it('shows fetch email config when a HybridAI API key is configured', async () => {
+    fetchConfigMock.mockResolvedValue({
+      path: '/tmp/config.json',
+      config: makeConfig(),
+    });
+    validateTokenMock.mockResolvedValue({
+      status: 'ok',
+      webAuthConfigured: true,
+      version: 'test',
+      imageTag: null,
+      uptime: 1,
+      sessions: 0,
+      activeContainers: 0,
+      defaultModel: 'gpt-5',
+      ragDefault: true,
+      timestamp: new Date().toISOString(),
+      hybridai: {
+        apiKeyConfigured: true,
+        apiKeySource: 'runtime-secrets',
+      },
+      email: {
+        passwordConfigured: false,
+        passwordSource: null,
+      },
+      imessage: {
+        passwordConfigured: false,
+        passwordSource: null,
+      },
+      whatsapp: {
+        linked: false,
+        jid: null,
+        pairingQrText: null,
+        pairingUpdatedAt: null,
+      },
+    });
+    useAuthMock.mockReturnValue({
+      token: 'test-token',
+      gatewayStatus: {
+        hybridai: {
+          apiKeyConfigured: true,
+          apiKeySource: 'runtime-secrets',
+        },
+        email: {
+          passwordConfigured: false,
+          passwordSource: null,
+        },
+        imessage: {
+          passwordConfigured: false,
+          passwordSource: null,
+        },
+        whatsapp: {
+          linked: false,
+          jid: null,
+          pairingQrText: null,
+          pairingUpdatedAt: null,
+        },
+      },
+    });
+
+    renderChannelsPage();
+
+    const [emailChannelButton] = await screen.findAllByRole('button', {
+      name: /Email/i,
+    });
+    fireEvent.click(emailChannelButton);
+
+    expect(
+      screen.getByRole('button', { name: 'Fetch HybridAI Agent Email' }),
+    ).toBeTruthy();
+  });
+
   it('updates Telegram bot tokens through encrypted runtime secrets', async () => {
     fetchConfigMock.mockResolvedValue({
       path: '/tmp/config.json',
diff --git a/console/src/routes/channels.tsx b/console/src/routes/channels.tsx
index 066680f7..f49f1bc4 100644
--- a/console/src/routes/channels.tsx
+++ b/console/src/routes/channels.tsx
@@ -2,6 +2,7 @@ import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { useEffect, useState } from 'react';
 import {
   fetchConfig,
+  fetchEmailConfig,
   saveConfig,
   setRuntimeSecret,
   validateToken,
@@ -957,9 +958,89 @@ function EmailChannelEditor(props: {
   updateDraft: ConfigUpdater;
   passwordConfigured: boolean;
   passwordSource: SecretSource;
+  hybridaiApiKeyConfigured: boolean;
   token: string;
   onSecretSaved: () => void;
 }) {
+  const [fetchingEmailConfig, setFetchingEmailConfig] = useState(false);
+  const toast = useToast();
+
+  async function handleFetchEmailConfig() {
+    setFetchingEmailConfig(true);
+    try {
+      const result = (await fetchEmailConfig(props.token)) as {
+        handles?: Array<{
+          id?: string;
+          handle?: string;
+          status?: string;
+        }>;
+        credentials?: {
+          email?: string;
+          password?: string;
+          imap_host?: string;
+          imap_port?: number;
+          smtp_host?: string;
+          smtp_port?: number;
+        } | null;
+        handleId?: string;
+      };
+
+      const handles = result?.handles;
+      if (!Array.isArray(handles) || handles.length === 0) {
+        toast.info('No HybridAI agent handles found.');
+        return;
+      }
+
+      const creds = result?.credentials;
+      if (!creds) {
+        const summary = handles
+          .map((h) => `${h.handle} (${h.status})`)
+          .join(', ');
+        toast.info(
+          `Handles found: ${summary}. Could not retrieve mailbox credentials.`,
+        );
+        return;
+      }
+
+      props.updateDraft((current) => ({
+        ...current,
+        email: {
+          ...current.email,
+          ...(creds.email ? { address: creds.email } : {}),
+          ...(creds.imap_host ? { imapHost: creds.imap_host } : {}),
+          ...(creds.imap_port != null ? { imapPort: creds.imap_port } : {}),
+          ...(creds.smtp_host ? { smtpHost: creds.smtp_host } : {}),
+          ...(creds.smtp_port != null ? { smtpPort: creds.smtp_port } : {}),
+        },
+      }));
+
+      // Save password as runtime secret before showing success
+      if (creds.password) {
+        try {
+          await setRuntimeSecret(
+            props.token,
+            'EMAIL_PASSWORD',
+            creds.password,
+          );
+          props.onSecretSaved();
+        } catch (err) {
+          toast.error('Password could not be saved', getErrorMessage(err));
+          toast.info(
+            'Email fields were populated, but password was not saved.',
+          );
+          return;
+        }
+      }
+
+      const label = result.handleId || 'HybridAI';
+      toast.success(`Email config loaded from ${label}.`);
+    } catch (error) {
+      toast.error('Failed to fetch email config', getErrorMessage(error));
+    } finally {
+      setFetchingEmailConfig(false);
+    }
+  }
+
   return (
     <>
       <BooleanField
@@ -978,6 +1059,19 @@ function EmailChannelEditor(props: {
         }
       />
 
+      {props.hybridaiApiKeyConfigured ? (
+        <div className="button-row">
+          <button
+            type="button"
+            className="ghost-button"
+            disabled={fetchingEmailConfig}
+            onClick={handleFetchEmailConfig}
+          >
+            {fetchingEmailConfig ? 'Fetching…' : 'Fetch HybridAI Agent Email'}
+          </button>
+        </div>
+      ) : null}
+
       <div className="field-grid">
         <label className="field">
           <span>Address</span>
@@ -1967,6 +2061,7 @@ function renderSelectedEditor(
       source: SecretSource;
     };
   },
+  hybridaiApiKeyConfigured: boolean,
   whatsappStatus: {
     linked: boolean;
     pairingQrText: string | null;
@@ -2025,6 +2120,7 @@ function renderSelectedEditor(
           updateDraft={updateDraft}
           passwordConfigured={secretStatus.email.configured}
           passwordSource={secretStatus.email.source}
+          hybridaiApiKeyConfigured={hybridaiApiKeyConfigured}
           token={token}
           onSecretSaved={onSecretSaved}
         />
@@ -2150,6 +2246,8 @@ export function ChannelsPage() {
     linked: statusQuery.data?.whatsapp?.linked ?? false,
     pairingQrText: statusQuery.data?.whatsapp?.pairingQrText ?? null,
   };
+  const hybridaiApiKeyConfigured =
+    statusQuery.data?.hybridai?.apiKeyConfigured ?? false;
 
   return (
     <div className="page-stack">
@@ -2200,6 +2298,7 @@ export function ChannelsPage() {
                   updateDraft,
                   auth.token,
                   secretStatus,
+                  hybridaiApiKeyConfigured,
                   whatsappStatus,
                   () => {
                     void queryClient.invalidateQueries({
diff --git a/src/gateway/gateway-http-server.ts b/src/gateway/gateway-http-server.ts
index c85ab3a1..94bb7254 100644
--- a/src/gateway/gateway-http-server.ts
+++ b/src/gateway/gateway-http-server.ts
@@ -7,6 +7,7 @@ import path from 'node:path';
 import { createSilentReplyStreamFilter } from '../agent/silent-reply-stream.js';
 import { getAgentById, resolveAgentConfig } from '../agents/agent-registry.js';
 import { DEFAULT_AGENT_ID } from '../agents/agent-types.js';
+import { getHybridAIApiKey } from '../auth/hybridai-auth.js';
 import {
   type DiscordToolActionRequest,
   normalizeDiscordToolAction,
@@ -2500,6 +2501,143 @@ async function handleApiAdminConfig(
   sendJson(res, 200, saveGatewayAdminConfig(body.config as RuntimeConfig));
 }
 
+function extractUpstreamError(payload: unknown, status: number): string {
+  const record = payload as Record<string, unknown> | null;
+  const nested = record?.error;
+  return String(
+    (typeof record?.message === 'string' && record.message) ||
+      (typeof nested === 'string' && nested) ||
+      (nested &&
+        typeof nested === 'object' &&
+        typeof (nested as Record<string, unknown>).message === 'string' &&
+        (nested as Record<string, unknown>).message) ||
+      `HybridAI API returned HTTP ${status}`,
+  );
+}
+
+async function hybridAIFetch(
+  baseUrl: string,
+  apiKey: string,
+  path: string,
+  method: 'GET' | 'POST' = 'GET',
+): Promise<{ ok: boolean; status: number; payload: unknown }> {
+  const response = await fetch(`${baseUrl}${path}`, {
+    method,
+    headers: { Authorization: `Bearer ${apiKey}` },
+    signal: AbortSignal.timeout(10_000),
+  });
+
+  const contentType = response.headers.get('content-type') || '';
+  let payload: unknown;
+  if (contentType.includes('application/json')) {
+    payload = await response.json().catch(() => null);
+  } else {
+    const text = await response.text().catch(() => '');
+    try {
+      payload = JSON.parse(text);
+    } catch {
+      payload = text;
+    }
+  }
+
+  return { ok: response.ok, status: response.status, payload };
+}
+
+async function handleApiAdminEmailConfigFetch(
+  res: ServerResponse,
+): Promise<void> {
+  let apiKey: string;
+  try {
+    apiKey = getHybridAIApiKey();
+  } catch {
+    sendJson(res, 400, {
+      error:
+        'HYBRIDAI_API_KEY is not configured. Run `hybridclaw auth login hybridai` first.',
+    });
+    return;
+  }
+
+  const baseUrl = (HYBRIDAI_BASE_URL || 'https://hybridai.one').replace(
+    /\/+$/,
+    '',
+  );
+
+  // Step 1: list agent handles
+  let handlesResult: { ok: boolean; status: number; payload: unknown };
+  try {
+    handlesResult = await hybridAIFetch(
+      baseUrl,
+      apiKey,
+      '/api/v1/agent-handles/',
+    );
+  } catch (error) {
+    sendJson(res, 502, {
+      error: `Could not reach HybridAI API: ${error instanceof Error ? error.message : String(error)}`,
+    });
+    return;
+  }
+
+  if (!handlesResult.ok) {
+    sendJson(res, 502, {
+      error: extractUpstreamError(handlesResult.payload, handlesResult.status),
+    });
+    return;
+  }
+
+  const handlesPayload = handlesResult.payload as {
+    handles?: Array<{ id?: string; handle?: string; status?: string }>;
+  };
+  const handles = Array.isArray(handlesPayload?.handles)
+    ? handlesPayload.handles
+    : [];
+
+  if (handles.length === 0) {
+    res.setHeader('Cache-Control', 'no-store');
+    sendJson(res, 200, { handles: [], credentials: null });
+    return;
+  }
+
+  // Step 2: fetch mailbox credentials for the first active handle
+  const activeHandle =
+    handles.find((h) => h.status === 'active') || handles[0];
+  const handleId = activeHandle.id || activeHandle.handle;
+
+  if (!handleId) {
+    res.setHeader('Cache-Control', 'no-store');
+    sendJson(res, 200, { handles, credentials: null });
+    return;
+  }
+
+  let credResult: { ok: boolean; status: number; payload: unknown };
+  try {
+    credResult = await hybridAIFetch(
+      baseUrl,
+      apiKey,
+      `/api/v1/agent-handles/${encodeURIComponent(handleId)}/mailbox/credentials`,
+      'POST',
+    );
+  } catch (error) {
+    sendJson(res, 502, {
+      error: `Could not fetch mailbox credentials: ${error instanceof Error ? error.message : String(error)}`,
+    });
+    return;
+  }
+
+  if (!credResult.ok) {
+    sendJson(res, 502, {
+      error: extractUpstreamError(credResult.payload, credResult.status),
+    });
+    return;
+  }
+
+  res.setHeader('Cache-Control', 'no-store');
+  sendJson(res, 200, {
+    handles,
+    credentials: credResult.payload,
+    handleId,
+  });
+}
+
 async function handleApiAdminModels(
   req: IncomingMessage,
   res: ServerResponse,
@@ -3311,6 +3449,13 @@ export function startGatewayHttpServer(): GatewayHttpServer {
             await handleApiAdminConfig(req, res);
             return;
           }
+          if (
+            pathname === '/api/admin/email-config/fetch' &&
+            method === 'GET'
+          ) {
+            await handleApiAdminEmailConfigFetch(res);
+            return;
+          }
           if (pathname === '/api/admin/audit' && method === 'GET') {
             handleApiAdminAudit(res, url);
             return;
diff --git a/src/gateway/gateway-service.ts b/src/gateway/gateway-service.ts
index 306e115a..63465599 100644
--- a/src/gateway/gateway-service.ts
+++ b/src/gateway/gateway-service.ts
@@ -2950,6 +2950,7 @@ export function buildTokenUsageAuditPayload(
 
 export async function getGatewayStatus(): Promise<GatewayStatus> {
   const codex = getCodexAuthStatus();
+  const hybridai = getHybridAIAuthStatus();
   const [localBackendsResult, hybridaiResult, whatsappAuthResult] =
     await Promise.allSettled([
       localBackendsProbe.get(),
@@ -3059,6 +3060,10 @@ export async function getGatewayStatus(): Promise<GatewayStatus> {
       expiresAt: codex.expiresAt,
       reloginRequired: codex.reloginRequired,
     },
+    hybridai: {
+      apiKeyConfigured: hybridai.authenticated,
+      apiKeySource: hybridai.source,
+    },
     sandbox,
     observability: getObservabilityIngestState(),
     scheduler: {
diff --git a/src/gateway/gateway-types.ts b/src/gateway/gateway-types.ts
index 800b3ef6..6b2131dd 100644
--- a/src/gateway/gateway-types.ts
+++ b/src/gateway/gateway-types.ts
@@ -354,6 +354,10 @@ export interface GatewayStatus {
     expiresAt: number | null;
     reloginRequired: boolean;
   };
+  hybridai?: {
+    apiKeyConfigured: boolean;
+    apiKeySource: 'env' | 'runtime-secrets' | null;
+  };
   sandbox?: {
     mode: 'container' | 'host';
     modeExplicit: boolean;
diff --git a/tests/gateway-status.test.ts b/tests/gateway-status.test.ts
index f2a09212..e3d2848a 100644
--- a/tests/gateway-status.test.ts
+++ b/tests/gateway-status.test.ts
@@ -6,6 +6,7 @@ import { afterEach, expect, test, vi } from 'vitest';
 import type { RuntimeConfig } from '../src/config/runtime-config.js';
 
 const ORIGINAL_HOME = process.env.HOME;
+const ORIGINAL_CWD = process.cwd();
 const ORIGINAL_DISCORD_TOKEN = process.env.DISCORD_TOKEN;
 const ORIGINAL_HYBRIDAI_API_KEY = process.env.HYBRIDAI_API_KEY;
 const ORIGINAL_OPENROUTER_API_KEY = process.env.OPENROUTER_API_KEY;
@@ -66,6 +67,7 @@ afterEach(() => {
   vi.doUnmock('../src/providers/local-health.js');
   vi.resetModules();
   restoreEnvVar('HOME', ORIGINAL_HOME);
+  process.chdir(ORIGINAL_CWD);
   restoreEnvVar('DISCORD_TOKEN', ORIGINAL_DISCORD_TOKEN);
   restoreEnvVar('HYBRIDAI_API_KEY', ORIGINAL_HYBRIDAI_API_KEY);
   restoreEnvVar('OPENROUTER_API_KEY', ORIGINAL_OPENROUTER_API_KEY);
@@ -216,6 +218,10 @@ test('getGatewayStatus includes Codex auth state', async () => {
     );
   expect(codexRequest).toBeDefined();
   expect(codexRequest?.url.searchParams.get('client_version')).toBeTruthy();
+  expect(status.hybridai).toEqual({
+    apiKeyConfigured: true,
+    apiKeySource: 'env',
+  });
   expect(status.providerHealth?.hybridai).toMatchObject({
     kind: 'remote',
     reachable: true,
@@ -651,6 +657,32 @@ test('getGatewayStatus includes Discord token status from runtime secrets', asyn
   });
 });
 
+test('getGatewayStatus reports missing HybridAI API keys separately from provider health', async () => {
+  const homeDir = makeTempHome();
+  process.env.HOME = homeDir;
+  delete process.env.HYBRIDAI_API_KEY;
+  process.chdir(homeDir);
+  vi.resetModules();
+  mockHealthProbes();
+
+  const { initDatabase } = await import('../src/memory/db.ts');
+  const { getGatewayStatus } = await import(
+    '../src/gateway/gateway-service.ts'
+  );
+
+  initDatabase({ quiet: true });
+  const status = await getGatewayStatus();
+
+  expect(status.hybridai).toEqual({
+    apiKeyConfigured: false,
+    apiKeySource: null,
+  });
+  expect(status.providerHealth?.hybridai).toMatchObject({
+    kind: 'remote',
+    reachable: false,
+  });
+});
+
 test('status command includes the current session agent', async () => {
   const homeDir = makeTempHome();
   process.env.HOME = homeDir;