diff --git a/go.mod b/go.mod
index e67d8dd..05e5ad5 100644
--- a/go.mod
+++ b/go.mod
@@ -15,10 +15,10 @@ require (
 	github.com/onsi/gomega v1.38.2
 	github.com/openmcp-project/cluster-provider-gardener/api v0.3.0
 	github.com/openmcp-project/control-plane-operator v0.1.12
-	github.com/openmcp-project/controller-utils v0.16.0
+	github.com/openmcp-project/controller-utils v0.19.0
 	github.com/openmcp-project/mcp-operator/api v0.35.2
-	github.com/openmcp-project/openmcp-operator/api v0.10.0
-	github.com/openmcp-project/openmcp-operator/lib v0.10.0
+	github.com/openmcp-project/openmcp-operator/api v0.12.0
+	github.com/openmcp-project/openmcp-operator/lib v0.12.0
 	github.com/openmcp-project/service-provider-landscaper v0.4.0
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.10
@@ -43,7 +43,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v1.10.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v1.12.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gardener/component-spec/bindings-go v0.0.98 // indirect
@@ -71,7 +71,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/openmcp-project/controller-utils/api v0.16.0 // indirect
+	github.com/openmcp-project/controller-utils/api v0.19.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
@@ -88,7 +88,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
+	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b // indirect
 	golang.org/x/mod v0.27.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
diff --git a/go.sum b/go.sum
index d50e85b..20f31a8 100644
--- a/go.sum
+++ b/go.sum
@@ -27,8 +27,8 @@ github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjT
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/fluxcd/pkg/apis/kustomize v1.10.0 h1:47EeSzkQvlQZdH92vHMe2lK2iR8aOSEJq95avw5idts=
-github.com/fluxcd/pkg/apis/kustomize v1.10.0/go.mod h1:UsqMV4sqNa1Yg0pmTsdkHRJr7bafBOENIJoAN+3ezaQ=
+github.com/fluxcd/pkg/apis/kustomize v1.12.0 h1:KvZN6xwgP/dNSeckL4a/Uv715XqiN1C3xS+jGcPejtE=
+github.com/fluxcd/pkg/apis/kustomize v1.12.0/go.mod h1:OojLxIdKm1JAAdh3sL4j4F+vfrLKb7kq1vr8bpyEKgg=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
@@ -112,14 +112,14 @@ github.com/openmcp-project/cluster-provider-gardener/api v0.3.0 h1:KVnpvhEFgNA3G
 github.com/openmcp-project/cluster-provider-gardener/api v0.3.0/go.mod h1:kQQ68UM/tSqwRytGXiBdwxgbNz2i1RF0L5t8vf7akJg=
 github.com/openmcp-project/control-plane-operator v0.1.12 h1:g/SbNAnQnlkuVB31O2+ZhUpoab/vnH2tXNVNwZ3Y3gY=
 github.com/openmcp-project/control-plane-operator v0.1.12/go.mod h1:dSFqUTbiNnqGzS4Umy8AndBi2QBPpqEUsdainA8KVEI=
-github.com/openmcp-project/controller-utils v0.16.0 h1:m7j+FGjLONix6VtZFxT2lIORobDg7hrJ4fKroHuv5QQ=
-github.com/openmcp-project/controller-utils v0.16.0/go.mod h1:b0IZGgTiAyuiXiQ/necY7C5UVtrSmdjajRWzSRKkNcA=
-github.com/openmcp-project/controller-utils/api v0.16.0 h1:gFI5kgSANuzpF4RQ1JyTZn+2eXuVRGzJGBFzEo3OXjg=
-github.com/openmcp-project/controller-utils/api v0.16.0/go.mod h1:vJLFwuqyElkiP0DjkWYRSH0DjCxWrM0+uiS7ck1ncUs=
-github.com/openmcp-project/openmcp-operator/api v0.10.0 h1:+3Pwz7esGwBKmE4Q861rKv5AZdKicdCbmWbu1bqc5h8=
-github.com/openmcp-project/openmcp-operator/api v0.10.0/go.mod h1:8PexUhnIukhbjTA5ybxo86vh6W3FNzfHEhC86770MRs=
-github.com/openmcp-project/openmcp-operator/lib v0.10.0 h1:rhlyGso5HSkGaD/SLJ0kE1Jb1Bpa/ioWphQppYQ3poA=
-github.com/openmcp-project/openmcp-operator/lib v0.10.0/go.mod h1:TnSUCkUXVa9dWzcix8wMvp3vYM0a3wVmu3DZMj7YXD4=
+github.com/openmcp-project/controller-utils v0.19.0 h1:D4Ht3LI/Ue5yk2wdAnJEpChUVmB6xM7kglwhn7a2J3g=
+github.com/openmcp-project/controller-utils v0.19.0/go.mod h1:zxcbcmedLdlQ//X/nwdPvq/nM3ikyR13DbOivou2I4Y=
+github.com/openmcp-project/controller-utils/api v0.19.0 h1:2wOiLtHLVYeCSDxWJrCqCiFAxircAQ2EONIwq3QuZSI=
+github.com/openmcp-project/controller-utils/api v0.19.0/go.mod h1:qsvVfsL3xeeJ9keiKVMa50VOWmr+uR0VVejmQ7FCH18=
+github.com/openmcp-project/openmcp-operator/api v0.12.0 h1:g3Q0VFNsggDmMD4r+RmtiNwGohzu2JfEqp4RtlT5b1A=
+github.com/openmcp-project/openmcp-operator/api v0.12.0/go.mod h1:malWxgwCmDPeNklWe23rw9f9cvmq6LdIxlKmvqcYMqw=
+github.com/openmcp-project/openmcp-operator/lib v0.12.0 h1:lPvuPH7dqgcPmw58bL5eUJ4+/kcFYEPFP5OHcmYxljg=
+github.com/openmcp-project/openmcp-operator/lib v0.12.0/go.mod h1:fsuMuyBanhyh7zYdgxLxIvbM3iEFnF7MsLRQjSx3SCk=
 github.com/openmcp-project/service-provider-landscaper v0.4.0 h1:H55q5whlcb1fyhY7/dkeigcp9UPXZQj+WDI57XVY4vY=
 github.com/openmcp-project/service-provider-landscaper v0.4.0/go.mod h1:5VU8eJ5nA2Kz0Kc4qbmw6ocMNCgLKzDu5mX6w5hOHa8=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -184,8 +184,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
+golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b h1:DXr+pvt3nC887026GRP39Ej11UATqWDmWuS99x26cD0=
+golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
@@ -223,8 +223,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
 golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/controller/core/apiserver/controller_test.go b/internal/controller/core/apiserver/controller_test.go
index b857934..ea7f8a3 100644
--- a/internal/controller/core/apiserver/controller_test.go
+++ b/internal/controller/core/apiserver/controller_test.go
@@ -351,7 +351,8 @@ var _ = Describe("CO-1153 APIServer Controller", func() {
 
 			cr := &clustersv1alpha1.ClusterRequest{}
 			cr.Name = as.Name
-			cr.Namespace = openmcpclusterutils.StableRequestNamespace(as.Namespace)
+			cr.Namespace, err = openmcpclusterutils.StableMCPNamespace(as.Name, as.Namespace)
+			Expect(err).NotTo(HaveOccurred())
 			Expect(env.Client(testutils.LaaSCoreCluster).Get(env.Ctx, client.ObjectKeyFromObject(cr), cr)).To(Succeed())
 
 			Expect(env.Client(testutils.CrateCluster).Get(env.Ctx, client.ObjectKeyFromObject(as), as)).To(Succeed())
diff --git a/internal/controller/core/apiserver/v2.go b/internal/controller/core/apiserver/v2.go
index d252ad7..b5532fe 100644
--- a/internal/controller/core/apiserver/v2.go
+++ b/internal/controller/core/apiserver/v2.go
@@ -55,7 +55,11 @@ func v2HandleCreateOrUpdate(ctx context.Context, as *openmcpv1alpha1.APIServer,
 
 	// instead of calling a handler, create a ClusterRequest and an AccessRequest
 	// ensure namespace, because this is created on the platform cluster
-	nsName := openmcpclusterutils.StableRequestNamespace(as.Namespace)
+	nsName, err := openmcpclusterutils.StableMCPNamespace(as.Name, as.Namespace)
+	if err != nil {
+		rerr := openmcperrors.WithReason(fmt.Errorf("failed to compute stable namespace for APIServer %s/%s: %w", as.Namespace, as.Name, err), clustersconst.ReasonInternalError)
+		return ctrl.Result{}, nil, clusterConditions(false, rerr.Reason(), rerr.Error(), clusterRequestGrantedCon, clusterReadyCon, accessRequestGrantedCon), rerr
+	}
 	nsm := resources.NewNamespaceMutator(nsName)
 	nsm.MetadataMutator().WithLabels(map[string]string{
 		openmcpv1alpha1.V1MCPReferenceLabelNamespace: as.Namespace,
@@ -306,7 +310,14 @@ func v2HandleDelete(ctx context.Context, as *openmcpv1alpha1.APIServer, platform
 	}
 
 	// instead of calling a handler, remove AccessRequest and ClusterRequest
-	nsName := openmcpclusterutils.StableRequestNamespace(as.Namespace)
+	nsName, err := openmcpclusterutils.StableMCPNamespace(as.Name, as.Namespace)
+	if err != nil {
+		rerr := openmcperrors.WithReason(fmt.Errorf("failed to compute stable namespace for APIServer %s/%s: %w", as.Namespace, as.Name, err), clustersconst.ReasonInternalError)
+		accessRequestDeletedCon.Status = openmcpv1alpha1.ComponentConditionStatusFalse
+		accessRequestDeletedCon.Reason = rerr.Reason()
+		accessRequestDeletedCon.Message = err.Error()
+		return ctrl.Result{}, nil, clusterConditions(false, rerr.Reason(), rerr.Error(), accessRequestDeletedCon, clusterRequestDeletedCon), rerr
+	}
 
 	// remove AccessRequest
 	ar := &clustersv1alpha1.AccessRequest{}
@@ -480,9 +491,12 @@ func (m *AccessRequestMutator) Mutate(r *clustersv1alpha1.AccessRequest) error {
 		r.Spec.RequestRef.Name = m.refName
 		r.Spec.RequestRef.Namespace = m.refNamespace
 	}
-	r.Spec.Permissions = make([]clustersv1alpha1.PermissionsRequest, len(m.permissions))
+	if r.Spec.Token == nil {
+		r.Spec.Token = &clustersv1alpha1.TokenConfig{}
+	}
+	r.Spec.Token.Permissions = make([]clustersv1alpha1.PermissionsRequest, len(m.permissions))
 	for i, perm := range m.permissions {
-		r.Spec.Permissions[i] = *perm.DeepCopy()
+		r.Spec.Token.Permissions[i] = *perm.DeepCopy()
 	}
 	return m.meta.Mutate(r)
 }