diff --git a/api/tacticalrmm/core/serializers.py b/api/tacticalrmm/core/serializers.py
index caa170e3..52c548de 100644
--- a/api/tacticalrmm/core/serializers.py
+++ b/api/tacticalrmm/core/serializers.py
@@ -6,37 +6,28 @@ from tacticalrmm.constants import ALL_TIMEZONES
 from .models import CodeSignToken, CoreSettings, CustomField, GlobalKVStore, URLAction
 
 
-class CoreSettingsSerializer(serializers.ModelSerializer):
+class HostedCoreMixin:
+    def to_representation(self, instance):
+        ret = super().to_representation(instance)  # type: ignore
+        if getattr(settings, "HOSTED", False):
+            for field in ("mesh_site", "mesh_token", "mesh_username"):
+                ret[field] = "n/a"
+        return ret
+
+
+class CoreSettingsSerializer(HostedCoreMixin, serializers.ModelSerializer):
     all_timezones = serializers.SerializerMethodField("all_time_zones")
-    mesh_site = serializers.SerializerMethodField()
-    mesh_token = serializers.SerializerMethodField()
-    mesh_username = serializers.SerializerMethodField()
 
     def all_time_zones(self, obj):
         return ALL_TIMEZONES
 
-    def get_mesh_site(self, obj):
-        if getattr(settings, "HOSTED", False):
-            return "n/a"
-        return obj.mesh_site
-
-    def get_mesh_token(self, obj):
-        if getattr(settings, "HOSTED", False):
-            return "n/a"
-        return obj.mesh_token
-
-    def get_mesh_username(self, obj):
-        if getattr(settings, "HOSTED", False):
-            return "n/a"
-        return obj.mesh_username
-
     class Meta:
         model = CoreSettings
         fields = "__all__"
 
 
 # for audting
-class CoreSerializer(serializers.ModelSerializer):
+class CoreSerializer(HostedCoreMixin, serializers.ModelSerializer):
     class Meta:
         model = CoreSettings
         fields = "__all__"
diff --git a/api/tacticalrmm/core/tests.py b/api/tacticalrmm/core/tests.py
index 40dd897a..259e8486 100644
--- a/api/tacticalrmm/core/tests.py
+++ b/api/tacticalrmm/core/tests.py
@@ -1,3 +1,4 @@
+import os
 from unittest.mock import patch
 
 import requests
@@ -109,18 +110,57 @@ class TestCoreTasks(TacticalTestCase):
 
     def test_edit_coresettings(self):
         url = "/core/settings/"
-
         # setup
         baker.make("automation.Policy", _quantity=2)
         # test normal request
         data = {
             "smtp_from_email": "newexample@example.com",
             "mesh_token": "New_Mesh_Token",
+            "mesh_site": "https://mesh.example.com",
+            "mesh_username": "bob",
         }
         r = self.client.put(url, data)
         self.assertEqual(r.status_code, 200)
-        self.assertEqual(get_core_settings().smtp_from_email, data["smtp_from_email"])
-        self.assertEqual(get_core_settings().mesh_token, data["mesh_token"])
+        core = get_core_settings()
+        self.assertEqual(core.smtp_from_email, "newexample@example.com")
+        self.assertEqual(core.mesh_token, "New_Mesh_Token")
+        self.assertEqual(core.mesh_site, "https://mesh.example.com")
+        self.assertEqual(core.mesh_username, "bob")
+
+        # test to_representation
+        r = self.client.get(url)
+        self.assertEqual(r.data["smtp_from_email"], "newexample@example.com")
+        self.assertEqual(r.data["mesh_token"], "New_Mesh_Token")
+        self.assertEqual(r.data["mesh_site"], "https://mesh.example.com")
+        self.assertEqual(r.data["mesh_username"], "bob")
+
+        self.check_not_authenticated("put", url)
+
+    @override_settings(HOSTED=True)
+    def test_hosted_edit_coresettings(self):
+        url = "/core/settings/"
+        baker.make("automation.Policy", _quantity=2)
+        data = {
+            "smtp_from_email": "newexample1@example.com",
+            "mesh_token": "abc123",
+            "mesh_site": "https://mesh15534.example.com",
+            "mesh_username": "jane",
+        }
+        r = self.client.put(url, data)
+        self.assertEqual(r.status_code, 200)
+        core = get_core_settings()
+        self.assertEqual(core.smtp_from_email, "newexample1@example.com")
+        self.assertIn("41410834b8bb4481446027f8", core.mesh_token)  # type: ignore
+        if "GHACTIONS" in os.environ:
+            self.assertEqual(core.mesh_site, "https://example.com")
+            self.assertEqual(core.mesh_username, "pipeline")
+
+        # test to_representation
+        r = self.client.get(url)
+        self.assertEqual(r.data["smtp_from_email"], "newexample1@example.com")
+        self.assertEqual(r.data["mesh_token"], "n/a")
+        self.assertEqual(r.data["mesh_site"], "n/a")
+        self.assertEqual(r.data["mesh_username"], "n/a")
 
         self.check_not_authenticated("put", url)
 
diff --git a/api/tacticalrmm/core/views.py b/api/tacticalrmm/core/views.py
index ac963b79..88453a4d 100644
--- a/api/tacticalrmm/core/views.py
+++ b/api/tacticalrmm/core/views.py
@@ -57,8 +57,15 @@ class GetEditCoreSettings(APIView):
         return Response(CoreSettingsSerializer(settings).data)
 
     def put(self, request):
+        data = request.data.copy()
+
+        if getattr(settings, "HOSTED", False):
+            data.pop("mesh_site")
+            data.pop("mesh_token")
+            data.pop("mesh_username")
+
         coresettings = CoreSettings.objects.first()
-        serializer = CoreSettingsSerializer(instance=coresettings, data=request.data)
+        serializer = CoreSettingsSerializer(instance=coresettings, data=data)
         serializer.is_valid(raise_exception=True)
         serializer.save()
         sync_mesh_perms_task.delay()