diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
index ded93d49..e8004990 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
@@ -31,3 +31,5 @@ workshopBaseImagePullPolicy: #@ workshop_base_image_pull_policy
 #@ if data.values.lookupService.enabled:
 --- #@ template.replace(library.get("lookup-service").with_data_values(lookup_service_values(), plain=True).eval())
 #@ end
+
+--- #@ template.replace(library.get("lookup-service-token").with_data_values({}, plain=True).eval())
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml
new file mode 100644
index 00000000..05f2f3f1
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml
@@ -0,0 +1,13 @@
+#! Cluster role bindings for the remote access.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: educates-remote-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: educates-remote-access
+subjects:
+- kind: ServiceAccount
+  name: remote-access
+  namespace: educates
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml
new file mode 100644
index 00000000..b945fded
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml
@@ -0,0 +1,26 @@
+#! Cluster role for the remote access clients.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: educates-remote-access
+rules:
+  - apiGroups:
+      - training.educates.dev
+    resources:
+      - trainingportals
+      - workshopenvironments
+      - workshopsessions
+      - workshopallocations
+      - workshops
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/secrets.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/secrets.yaml
similarity index 100%
rename from carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/secrets.yaml
rename to carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/secrets.yaml
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml
new file mode 100644
index 00000000..b31894cb
--- /dev/null
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml
@@ -0,0 +1,8 @@
+#! ServiceAccount for remote access clients.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: remote-access
+  namespace: educates
+  annotations:
+    kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml
index 103ac292..9a710104 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml
@@ -1,4 +1,3 @@
----
 #! Cluster role bindings for the lookup service.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -12,17 +11,3 @@ subjects:
 - kind: ServiceAccount
   name: lookup-service
   namespace: educates
----
-#! Cluster role bindings for the remote access.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: educates-remote-access
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: educates-remote-access
-subjects:
-- kind: ServiceAccount
-  name: remote-access
-  namespace: educates
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml
index 861315fb..c4ddc10b 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml
@@ -1,4 +1,3 @@
----
 #! Cluster role for the lookup service application.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -73,30 +72,3 @@ rules:
       - get
       - list
       - watch
----
-#! Cluster role for the remote access clients.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: educates-remote-access
-rules:
-  - apiGroups:
-      - training.educates.dev
-    resources:
-      - trainingportals
-      - workshopenvironments
-      - workshopsessions
-      - workshopallocations
-      - workshops
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - get
-      - list
-      - watch
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
index 13226d24..807d973e 100644
--- a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
+++ b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
@@ -1,16 +1,6 @@
----
 #! ServiceAccount to run the lookup service application.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: lookup-service
   namespace: educates
----
-#! ServiceAccount for remote access clients.
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: remote-access
-  namespace: educates
-  annotations:
-    kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"
diff --git a/project-docs/custom-resources/training-portal.md b/project-docs/custom-resources/training-portal.md
index 3e10bc47..44a8034d 100644
--- a/project-docs/custom-resources/training-portal.md
+++ b/project-docs/custom-resources/training-portal.md
@@ -182,6 +182,19 @@ spec:
 
 When a name conflict occurs, the value of this label will override any value specified in the workshop default section, or the workshop definition.
 
+Labels for the training portal
+------------------------------
+
+As well as being able to provide additional labels for individual workshops, it is also possible to add labels to the training portal. These labels are distinct from labels added to metadata for Kubernetes resources and are specific to Educates. They can be used by a lookup service to identify the purpose of training portals.
+
+```yaml
+spec:
+  portal:
+    labels:
+    - name: environment
+      value: staging
+```
+
 Setting caps on individual users
 --------------------------------
 
diff --git a/project-docs/release-notes/version-3.0.0.md b/project-docs/release-notes/version-3.0.0.md
index 3bf90747..6bb66e8a 100644
--- a/project-docs/release-notes/version-3.0.0.md
+++ b/project-docs/release-notes/version-3.0.0.md
@@ -41,6 +41,12 @@ New Features
   of the existing workshop session by looking up via the REST API, sessions
   which are active for the user.
 
+* An initial version of a new lookup service has been integrated which provide
+  a REST API for request workshop sessions which can sit in front of multiple
+  training portals, on the same cluster or across multiple clusters. We are
+  still fine tuning this so documentation isn't yet available, buf if interested
+  then ask about it on the Educates community Slack channel.
+
 Features Changed
 ----------------