feat(project-permissions): type fix

feat(project-permissions): allow users to sort permissions on the UI
Merge pull request #3476 from Infisical/ENG-2625
2025-08-05 07:30:33 +00:00 · 2025-04-25 19:51:08 -03:00 · 2025-04-25 19:35:42 -03:00 · 2025-04-25 15:44:37 -04:00 · 2025-04-25 16:43:22 -03:00 · 2025-04-25 16:35:57 -03:00
322 changed files with 5753 additions and 1120 deletions
--- a/backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts
+++ b/backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts
@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { ProjectType, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDefaultUserCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultUserSshCaId");
+  const hasDefaultHostCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultHostSshCaId");
+
+  if (hasDefaultUserCaCol && hasDefaultHostCaCol) {
+    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
+      t.dropForeign(["defaultUserSshCaId"]);
+      t.dropForeign(["defaultHostSshCaId"]);
+    });
+    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
+      // allow nullable (does not wipe existing values)
+      t.uuid("defaultUserSshCaId").nullable().alter();
+      t.uuid("defaultHostSshCaId").nullable().alter();
+      // re-add with SET NULL behavior (previously CASCADE)
+      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
+      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
+    });
+  }
+
+  // (dangtony98): backfill by adding null defaults CAs for all existing Infisical SSH projects
+  // that do not have an associated ProjectSshConfig record introduced in Infisical SSH V2.
+
+  const allProjects = await knex(TableName.Project).where("type", ProjectType.SSH).select("id");
+
+  const projectsWithConfig = await knex(TableName.ProjectSshConfig).select("projectId");
+  const projectIdsWithConfig = new Set(projectsWithConfig.map((config) => config.projectId));
+
+  const projectsNeedingConfig = allProjects.filter((project) => !projectIdsWithConfig.has(project.id));
+
+  if (projectsNeedingConfig.length > 0) {
+    const configsToInsert = projectsNeedingConfig.map((project) => ({
+      projectId: project.id,
+      defaultUserSshCaId: null,
+      defaultHostSshCaId: null,
+      createdAt: new Date(),
+      updatedAt: new Date()
+    }));
+
+    await knex.batchInsert(TableName.ProjectSshConfig, configsToInsert);
+  }
+}
+
+export async function down(): Promise<void> {}
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { ApiDocsTags, DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -18,6 +18,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      body: z.object({
        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
@@ -65,6 +67,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
      }),
@@ -107,6 +111,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
      }),
@@ -160,6 +166,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
      }),
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
-import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
+import { ApiDocsTags, DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -21,6 +21,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
@@ -111,6 +113,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
      }),
@@ -179,6 +183,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
      }),
@@ -215,6 +221,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
      }),
@@ -253,6 +261,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
@@ -284,18 +294,20 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
      params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.name)
      }),
      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.projectSlug),
        path: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
+          .describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.environmentSlug)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
 import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
-import { GROUPS } from "@app/lib/api-docs";
+import { ApiDocsTags, GROUPS } from "@app/lib/api-docs";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -13,6 +13,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
        slug: slugSchema({ min: 5, max: 36 }).optional().describe(GROUPS.CREATE.slug),
@@ -40,6 +42,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
      }),
@@ -65,6 +69,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      response: {
        200: GroupsSchema.array()
      }
@@ -87,6 +93,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "PATCH",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.UPDATE.id)
      }),
@@ -120,6 +128,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    method: "DELETE",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.DELETE.id)
      }),
@@ -145,6 +155,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    url: "/:id/users",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
      }),
@@ -194,6 +206,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    url: "/:id/users/:username",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.ADD_USER.id),
        username: z.string().trim().describe(GROUPS.ADD_USER.username)
@@ -227,6 +241,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    url: "/:id/users/:username",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
      params: z.object({
        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
-import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -25,6 +25,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Create a permanent or a non expiry specific privilege for identity.",
      security: [
        {
@@ -85,6 +87,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Create a temporary or a expiring specific privilege for identity.",
      security: [
        {
@@ -157,6 +161,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Update a specific privilege of an identity.",
      security: [
        {
@@ -240,6 +246,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Delete a specific privilege of an identity.",
      security: [
        {
@@ -279,6 +287,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "Retrieve details of a specific privilege by privilege slug.",
      security: [
        {
@@ -319,6 +329,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
      description: "List of a specific privilege of an identity in a project.",
      security: [
        {
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -17,6 +17,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Return project secret snapshots ids",
      security: [
        {
--- a/backend/src/ee/routes/v1/project-template-router.ts
+++ b/backend/src/ee/routes/v1/project-template-router.ts
@@ -5,7 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
-import { ProjectTemplates } from "@app/lib/api-docs";
+import { ApiDocsTags, ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -101,6 +101,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
      description: "List project templates for the current organization.",
      response: {
        200: z.object({
@@ -137,6 +139,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
      description: "Get a project template by ID.",
      params: z.object({
        templateId: z.string().uuid()
@@ -176,6 +180,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
      description: "Create a project template.",
      body: z.object({
        name: slugSchema({ field: "name" })
@@ -219,6 +225,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
      description: "Update a project template.",
      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.UPDATE.templateId) }),
      body: z.object({
@@ -269,6 +277,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
      description: "Delete a project template.",
      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),

--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { SecretSnapshotsSchema } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
@@ -65,6 +65,8 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Roll back project secrets to those captured in a secret snapshot version.",
      security: [
        {
--- a/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
@@ -6,7 +6,7 @@ import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-s
 import { SshCaKeySource, SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
-import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,6 +20,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Create SSH CA",
      body: z
        .object({
@@ -92,6 +94,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Get SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET.sshCaId)
@@ -138,6 +142,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Get public key of SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_PUBLIC_KEY.sshCaId)
@@ -163,6 +169,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Update SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.sshCaId)
@@ -216,6 +224,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Delete SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.DELETE.sshCaId)
@@ -261,6 +271,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      description: "Get list of certificate templates for the SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_CERTIFICATE_TEMPLATES.sshCaId)
--- a/backend/src/ee/routes/v1/ssh-certificate-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
-import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -20,6 +20,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificates],
      description: "Sign SSH public key",
      body: z.object({
        certificateTemplateId: z
@@ -100,6 +102,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificates],
      description: "Issue SSH credentials (certificate + key)",
      body: z.object({
        certificateTemplateId: z
--- a/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
@@ -8,7 +8,7 @@ import {
  isValidHostPattern,
  isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
-import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { ApiDocsTags, SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -22,6 +22,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
      }),
@@ -61,6 +63,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
      body: z
        .object({
          sshCaId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.sshCaId),
@@ -141,6 +145,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
      body: z.object({
        status: z.nativeEnum(SshCertTemplateStatus).optional(),
        name: z
@@ -224,6 +230,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
      }),
--- a/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
@@ -4,7 +4,7 @@ import { z } from "zod";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -21,6 +21,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Add an additional privilege for identity.",
      security: [
        {
@@ -84,6 +86,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Update a specific identity privilege.",
      security: [
        {
@@ -148,6 +152,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Delete the specified identity privilege.",
      security: [
        {
@@ -183,6 +189,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Retrieve details of a specific privilege by id.",
      security: [
        {
@@ -218,6 +226,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "Retrieve details of a specific privilege by slug.",
      security: [
        {
@@ -258,6 +268,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
      description: "List privileges for the specified identity by project.",
      security: [
        {
--- a/backend/src/ee/routes/v2/project-role-router.ts
+++ b/backend/src/ee/routes/v2/project-role-router.ts
@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { PROJECT_ROLE } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -20,6 +20,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
      description: "Create a project role",
      security: [
        {
@@ -75,6 +77,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
      description: "Update a project role",
      security: [
        {
@@ -130,6 +134,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
      description: "Delete a project role",
      security: [
        {
@@ -166,6 +172,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
      description: "List project role",
      security: [
        {
@@ -204,6 +212,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
      params: z.object({
        projectId: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.projectId),
        roleSlug: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.roleSlug)
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/aws-iam-user-secret-rotation-router.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/aws-iam-user-secret-rotation-router.ts
@@ -0,0 +1,19 @@
+import {
+  AwsIamUserSecretRotationGeneratedCredentialsSchema,
+  AwsIamUserSecretRotationSchema,
+  CreateAwsIamUserSecretRotationSchema,
+  UpdateAwsIamUserSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerAwsIamUserSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.AwsIamUserSecret,
+    server,
+    responseSchema: AwsIamUserSecretRotationSchema,
+    createSchema: CreateAwsIamUserSecretRotationSchema,
+    updateSchema: UpdateAwsIamUserSecretRotationSchema,
+    generatedCredentialsSchema: AwsIamUserSecretRotationGeneratedCredentialsSchema
+  });
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
@@ -1,6 +1,7 @@
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";

 import { registerAuth0ClientSecretRotationRouter } from "./auth0-client-secret-rotation-router";
+import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";

@@ -12,5 +13,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
 > = {
  [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
-  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter
+  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
+  [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter
 };
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts
@@ -9,7 +9,7 @@ import {
  TSecretRotationV2GeneratedCredentials,
  TSecretRotationV2Input
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { SecretRotations } from "@app/lib/api-docs";
+import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
 import { startsWithVowel } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -66,6 +66,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `List the ${rotationType} Rotations for the specified project.`,
      querystring: z.object({
        projectId: z.string().trim().min(1, "Project ID required").describe(SecretRotations.LIST(type).projectId)
@@ -109,6 +111,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Get the specified ${rotationType} Rotation by ID.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.GET_BY_ID(type).rotationId)
@@ -151,6 +155,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Get the specified ${rotationType} Rotation by name, secret path, environment and project ID.`,
      params: z.object({
        rotationName: z
@@ -215,6 +221,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Create ${
        startsWithVowel(rotationType) ? "an" : "a"
      } ${rotationType} Rotation for the specified project.`,
@@ -254,6 +262,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Update the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.UPDATE(type).rotationId)
@@ -296,6 +306,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Delete the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.DELETE(type).rotationId)
@@ -349,6 +361,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Get the generated credentials for the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.GET_GENERATED_CREDENTIALS_BY_ID(type).rotationId)
@@ -402,6 +416,8 @@ export const registerSecretRotationEndpoints = <
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: `Rotate the generated credentials for the specified ${rotationType} Rotation.`,
      params: z.object({
        rotationId: z.string().uuid().describe(SecretRotations.ROTATE(type).rotationId)
--- a/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
+++ b/backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
@@ -2,10 +2,11 @@ import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { Auth0ClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
+import { AwsIamUserSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
-import { SecretRotations } from "@app/lib/api-docs";
+import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -13,7 +14,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
  PostgresCredentialsRotationListItemSchema,
  MsSqlCredentialsRotationListItemSchema,
-  Auth0ClientSecretRotationListItemSchema
+  Auth0ClientSecretRotationListItemSchema,
+  AwsIamUserSecretRotationListItemSchema
 ]);

 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {
@@ -24,6 +26,8 @@ export const registerSecretRotationV2Router = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: "List the available Secret Rotation Options.",
      response: {
        200: z.object({
@@ -45,6 +49,8 @@ export const registerSecretRotationV2Router = async (server: FastifyZodProvider)
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretRotations],
      description: "List all the Secret Rotations for the specified project.",
      querystring: z.object({
        projectId: z.string().trim().min(1, "Project ID required").describe(SecretRotations.LIST().projectId)
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -234,6 +234,7 @@ export enum EventType {
  GET_PROJECT_KMS_BACKUP = "get-project-kms-backup",
  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
  ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project",
+  ORG_ADMIN_BYPASS_SSO = "org-admin-bypassed-sso",
  CREATE_CERTIFICATE_TEMPLATE = "create-certificate-template",
  UPDATE_CERTIFICATE_TEMPLATE = "update-certificate-template",
  DELETE_CERTIFICATE_TEMPLATE = "delete-certificate-template",
@@ -248,6 +249,8 @@ export enum EventType {
  DELETE_SLACK_INTEGRATION = "delete-slack-integration",
  GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
  UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
+  GET_PROJECT_SSH_CONFIG = "get-project-ssh-config",
+  UPDATE_PROJECT_SSH_CONFIG = "update-project-ssh-config",
  INTEGRATION_SYNCED = "integration-synced",
  CREATE_CMEK = "create-cmek",
  UPDATE_CMEK = "update-cmek",
@@ -1907,6 +1910,11 @@ interface OrgAdminAccessProjectEvent {
  }; // no metadata yet
 }

+interface OrgAdminBypassSSOEvent {
+  type: EventType.ORG_ADMIN_BYPASS_SSO;
+  metadata: Record<string, string>; // no metadata yet
+}
+
 interface CreateCertificateTemplateEstConfig {
  type: EventType.CREATE_CERTIFICATE_TEMPLATE_EST_CONFIG;
  metadata: {
@@ -1986,6 +1994,25 @@ interface GetProjectSlackConfig {
    id: string;
  };
 }
+
+interface GetProjectSshConfig {
+  type: EventType.GET_PROJECT_SSH_CONFIG;
+  metadata: {
+    id: string;
+    projectId: string;
+  };
+}
+
+interface UpdateProjectSshConfig {
+  type: EventType.UPDATE_PROJECT_SSH_CONFIG;
+  metadata: {
+    id: string;
+    projectId: string;
+    defaultUserSshCaId?: string | null;
+    defaultHostSshCaId?: string | null;
+  };
+}
+
 interface IntegrationSyncedEvent {
  type: EventType.INTEGRATION_SYNCED;
  metadata: {
@@ -2656,6 +2683,7 @@ export type Event =
  | GetProjectKmsBackupEvent
  | LoadProjectKmsBackupEvent
  | OrgAdminAccessProjectEvent
+  | OrgAdminBypassSSOEvent
  | CreateCertificateTemplate
  | UpdateCertificateTemplate
  | GetCertificateTemplate
@@ -2670,6 +2698,8 @@ export type Event =
  | GetSlackIntegration
  | UpdateProjectSlackConfig
  | GetProjectSlackConfig
+  | GetProjectSshConfig
+  | UpdateProjectSshConfig
  | IntegrationSyncedEvent
  | CreateCmekEvent
  | UpdateCmekEvent
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -130,7 +130,17 @@ export const dynamicSecretLeaseServiceFactory = ({
      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max TTL" });
    }

-    const { entityId, data } = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
+    let result;
+    try {
+      result = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
+    } catch (error: unknown) {
+      if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
+        throw new BadRequestError({ message: error.sqlMessage as string });
+      }
+      throw error;
+    }
+    const { entityId, data } = result;
+
    const dynamicSecretLease = await dynamicSecretLeaseDAL.create({
      expireAt,
      version: 1,
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -965,7 +965,6 @@ const buildMemberPermissionRules = () => {
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);

-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateAuthorities);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
@@ -1031,7 +1030,6 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@@ -267,7 +267,6 @@ export const secretReplicationServiceFactory = ({
      const sourceLocalSecrets = await secretV2BridgeDAL.find({ folderId: folder.id, type: SecretType.Shared });
      const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
      const sourceImportedSecrets = await fnSecretsV2FromImports({
-        projectId,
        secretImports: sourceSecretImports,
        secretDAL: secretV2BridgeDAL,
        folderDAL,
--- a/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-constants.ts
+++ b/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-constants.ts
@@ -0,0 +1,15 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "AWS IAM User Secret",
+  type: SecretRotation.AwsIamUserSecret,
+  connection: AppConnection.AWS,
+  template: {
+    secretsMapping: {
+      accessKeyId: "AWS_ACCESS_KEY_ID",
+      secretAccessKey: "AWS_SECRET_ACCESS_KEY"
+    }
+  }
+};
--- a/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-fns.ts
@@ -0,0 +1,123 @@
+import AWS from "aws-sdk";
+
+import {
+  TAwsIamUserSecretRotationGeneratedCredentials,
+  TAwsIamUserSecretRotationWithConnection
+} from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-types";
+import {
+  TRotationFactory,
+  TRotationFactoryGetSecretsPayload,
+  TRotationFactoryIssueCredentials,
+  TRotationFactoryRevokeCredentials,
+  TRotationFactoryRotateCredentials
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { getAwsConnectionConfig } from "@app/services/app-connection/aws";
+
+const getCreateDate = (key: AWS.IAM.AccessKeyMetadata): number => {
+  return key.CreateDate ? new Date(key.CreateDate).getTime() : 0;
+};
+
+export const awsIamUserSecretRotationFactory: TRotationFactory<
+  TAwsIamUserSecretRotationWithConnection,
+  TAwsIamUserSecretRotationGeneratedCredentials
+> = (secretRotation) => {
+  const {
+    parameters: { region, userName },
+    connection,
+    secretsMapping
+  } = secretRotation;
+
+  const $rotateClientSecret = async () => {
+    const { credentials } = await getAwsConnectionConfig(connection, region);
+    const iam = new AWS.IAM({ credentials });
+
+    const { AccessKeyMetadata } = await iam.listAccessKeys({ UserName: userName }).promise();
+
+    if (AccessKeyMetadata && AccessKeyMetadata.length > 0) {
+      // Sort keys by creation date (oldest first)
+      const sortedKeys = [...AccessKeyMetadata].sort((a, b) => getCreateDate(a) - getCreateDate(b));
+
+      // If we already have 2 keys, delete the oldest one
+      if (sortedKeys.length >= 2) {
+        const accessId = sortedKeys[0].AccessKeyId || sortedKeys[1].AccessKeyId;
+        if (accessId) {
+          await iam
+            .deleteAccessKey({
+              UserName: userName,
+              AccessKeyId: accessId
+            })
+            .promise();
+        }
+      }
+    }
+
+    const { AccessKey } = await iam.createAccessKey({ UserName: userName }).promise();
+
+    return {
+      accessKeyId: AccessKey.AccessKeyId,
+      secretAccessKey: AccessKey.SecretAccessKey
+    };
+  };
+
+  const issueCredentials: TRotationFactoryIssueCredentials<TAwsIamUserSecretRotationGeneratedCredentials> = async (
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+
+    return callback(credentials);
+  };
+
+  const revokeCredentials: TRotationFactoryRevokeCredentials<TAwsIamUserSecretRotationGeneratedCredentials> = async (
+    generatedCredentials,
+    callback
+  ) => {
+    const { credentials } = await getAwsConnectionConfig(connection, region);
+    const iam = new AWS.IAM({ credentials });
+
+    await Promise.all(
+      generatedCredentials.map((generatedCredential) =>
+        iam
+          .deleteAccessKey({
+            UserName: userName,
+            AccessKeyId: generatedCredential.accessKeyId
+          })
+          .promise()
+      )
+    );
+
+    return callback();
+  };
+
+  const rotateCredentials: TRotationFactoryRotateCredentials<TAwsIamUserSecretRotationGeneratedCredentials> = async (
+    _,
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+
+    return callback(credentials);
+  };
+
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TAwsIamUserSecretRotationGeneratedCredentials> = (
+    generatedCredentials
+  ) => {
+    const secrets = [
+      {
+        key: secretsMapping.accessKeyId,
+        value: generatedCredentials.accessKeyId
+      },
+      {
+        key: secretsMapping.secretAccessKey,
+        value: generatedCredentials.secretAccessKey
+      }
+    ];
+
+    return secrets;
+  };
+
+  return {
+    issueCredentials,
+    revokeCredentials,
+    rotateCredentials,
+    getSecretsPayload
+  };
+};
--- a/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-schemas.ts
+++ b/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-schemas.ts
@@ -0,0 +1,68 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import { SecretRotations } from "@app/lib/api-docs";
+import { SecretNameSchema } from "@app/server/lib/schemas";
+import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
+
+export const AwsIamUserSecretRotationGeneratedCredentialsSchema = z
+  .object({
+    accessKeyId: z.string(),
+    secretAccessKey: z.string()
+  })
+  .array()
+  .min(1)
+  .max(2);
+
+const AwsIamUserSecretRotationParametersSchema = z.object({
+  userName: z
+    .string()
+    .trim()
+    .min(1, "Client Name Required")
+    .describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.userName),
+  region: z.nativeEnum(AWSRegion).describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.region).optional()
+});
+
+const AwsIamUserSecretRotationSecretsMappingSchema = z.object({
+  accessKeyId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AWS_IAM_USER_SECRET.accessKeyId),
+  secretAccessKey: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AWS_IAM_USER_SECRET.secretAccessKey)
+});
+
+export const AwsIamUserSecretRotationTemplateSchema = z.object({
+  secretsMapping: z.object({
+    accessKeyId: z.string(),
+    secretAccessKey: z.string()
+  })
+});
+
+export const AwsIamUserSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.AwsIamUserSecret).extend({
+  type: z.literal(SecretRotation.AwsIamUserSecret),
+  parameters: AwsIamUserSecretRotationParametersSchema,
+  secretsMapping: AwsIamUserSecretRotationSecretsMappingSchema
+});
+
+export const CreateAwsIamUserSecretRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.AwsIamUserSecret
+).extend({
+  parameters: AwsIamUserSecretRotationParametersSchema,
+  secretsMapping: AwsIamUserSecretRotationSecretsMappingSchema
+});
+
+export const UpdateAwsIamUserSecretRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.AwsIamUserSecret
+).extend({
+  parameters: AwsIamUserSecretRotationParametersSchema.optional(),
+  secretsMapping: AwsIamUserSecretRotationSecretsMappingSchema.optional()
+});
+
+export const AwsIamUserSecretRotationListItemSchema = z.object({
+  name: z.literal("AWS IAM User Secret"),
+  connection: z.literal(AppConnection.AWS),
+  type: z.literal(SecretRotation.AwsIamUserSecret),
+  template: AwsIamUserSecretRotationTemplateSchema
+});
--- a/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-types.ts
+++ b/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-types.ts
@@ -0,0 +1,24 @@
+import { z } from "zod";
+
+import { TAwsConnection } from "@app/services/app-connection/aws";
+
+import {
+  AwsIamUserSecretRotationGeneratedCredentialsSchema,
+  AwsIamUserSecretRotationListItemSchema,
+  AwsIamUserSecretRotationSchema,
+  CreateAwsIamUserSecretRotationSchema
+} from "./aws-iam-user-secret-rotation-schemas";
+
+export type TAwsIamUserSecretRotation = z.infer<typeof AwsIamUserSecretRotationSchema>;
+
+export type TAwsIamUserSecretRotationInput = z.infer<typeof CreateAwsIamUserSecretRotationSchema>;
+
+export type TAwsIamUserSecretRotationListItem = z.infer<typeof AwsIamUserSecretRotationListItemSchema>;
+
+export type TAwsIamUserSecretRotationWithConnection = TAwsIamUserSecretRotation & {
+  connection: TAwsConnection;
+};
+
+export type TAwsIamUserSecretRotationGeneratedCredentials = z.infer<
+  typeof AwsIamUserSecretRotationGeneratedCredentialsSchema
+>;
--- a/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/index.ts
+++ b/backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/index.ts
@@ -0,0 +1,3 @@
+export * from "./aws-iam-user-secret-rotation-constants";
+export * from "./aws-iam-user-secret-rotation-schemas";
+export * from "./aws-iam-user-secret-rotation-types";
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts
@@ -1,7 +1,8 @@
 export enum SecretRotation {
  PostgresCredentials = "postgres-credentials",
  MsSqlCredentials = "mssql-credentials",
-  Auth0ClientSecret = "auth0-client-secret"
+  Auth0ClientSecret = "auth0-client-secret",
+  AwsIamUserSecret = "aws-iam-user-secret"
 }

 export enum SecretRotationStatus {
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
@@ -4,6 +4,7 @@ import { getConfig } from "@app/lib/config/env";
 import { KmsDataKey } from "@app/services/kms/kms-types";

 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
+import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -18,7 +19,8 @@ import {
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
  [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION
+  [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
+  [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION
 };

 export const listSecretRotationOptions = () => {
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts
@@ -3,12 +3,14 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums

 export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
  [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
-  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Sever Credentials",
-  [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret"
+  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Server Credentials",
+  [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
+  [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret"
 };

 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
  [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
-  [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0
+  [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
+  [SecretRotation.AwsIamUserSecret]: AppConnection.AWS
 };
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
@@ -77,6 +77,7 @@ import {
 import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";

+import { awsIamUserSecretRotationFactory } from "./aws-iam-user-secret/aws-iam-user-secret-rotation-fns";
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";

 export type TSecretRotationV2ServiceFactoryDep = {
@@ -114,7 +115,8 @@ type TRotationFactoryImplementation = TRotationFactory<
 const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation
+  [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation
 };

 export const secretRotationV2ServiceFactory = ({
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts
@@ -12,6 +12,13 @@ import {
  TAuth0ClientSecretRotationListItem,
  TAuth0ClientSecretRotationWithConnection
 } from "./auth0-client-secret";
+import {
+  TAwsIamUserSecretRotation,
+  TAwsIamUserSecretRotationGeneratedCredentials,
+  TAwsIamUserSecretRotationInput,
+  TAwsIamUserSecretRotationListItem,
+  TAwsIamUserSecretRotationWithConnection
+} from "./aws-iam-user-secret";
 import {
  TMsSqlCredentialsRotation,
  TMsSqlCredentialsRotationInput,
@@ -27,26 +34,34 @@ import {
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation } from "./secret-rotation-v2-enums";

-export type TSecretRotationV2 = TPostgresCredentialsRotation | TMsSqlCredentialsRotation | TAuth0ClientSecretRotation;
+export type TSecretRotationV2 =
+  | TPostgresCredentialsRotation
+  | TMsSqlCredentialsRotation
+  | TAuth0ClientSecretRotation
+  | TAwsIamUserSecretRotation;

 export type TSecretRotationV2WithConnection =
  | TPostgresCredentialsRotationWithConnection
  | TMsSqlCredentialsRotationWithConnection
-  | TAuth0ClientSecretRotationWithConnection;
+  | TAuth0ClientSecretRotationWithConnection
+  | TAwsIamUserSecretRotationWithConnection;

 export type TSecretRotationV2GeneratedCredentials =
  | TSqlCredentialsRotationGeneratedCredentials
-  | TAuth0ClientSecretRotationGeneratedCredentials;
+  | TAuth0ClientSecretRotationGeneratedCredentials
+  | TAwsIamUserSecretRotationGeneratedCredentials;

 export type TSecretRotationV2Input =
  | TPostgresCredentialsRotationInput
  | TMsSqlCredentialsRotationInput
-  | TAuth0ClientSecretRotationInput;
+  | TAuth0ClientSecretRotationInput
+  | TAwsIamUserSecretRotationInput;

 export type TSecretRotationV2ListItem =
  | TPostgresCredentialsRotationListItem
  | TMsSqlCredentialsRotationListItem
-  | TAuth0ClientSecretRotationListItem;
+  | TAuth0ClientSecretRotationListItem
+  | TAwsIamUserSecretRotationListItem;

 export type TSecretRotationV2Raw = NonNullable<Awaited<ReturnType<TSecretRotationV2DALFactory["findById"]>>>;

--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts
@@ -4,8 +4,11 @@ import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";

+import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
+
 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
  PostgresCredentialsRotationSchema,
  MsSqlCredentialsRotationSchema,
-  Auth0ClientSecretRotationSchema
+  Auth0ClientSecretRotationSchema,
+  AwsIamUserSecretRotationSchema
 ]);
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -8,6 +8,51 @@ import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connec
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";

+export enum ApiDocsTags {
+  Identities = "Identities",
+  TokenAuth = "Token Auth",
+  UniversalAuth = "Universal Auth",
+  GcpAuth = "GCP Auth",
+  AwsAuth = "AWS Auth",
+  AzureAuth = "Azure Auth",
+  KubernetesAuth = "Kubernetes Auth",
+  JwtAuth = "JWT Auth",
+  OidcAuth = "OIDC Auth",
+  Groups = "Groups",
+  Organizations = "Organizations",
+  Projects = "Projects",
+  ProjectUsers = "Project Users",
+  ProjectGroups = "Project Groups",
+  ProjectIdentities = "Project Identities",
+  ProjectRoles = "Project Roles",
+  ProjectTemplates = "Project Templates",
+  Environments = "Environments",
+  Folders = "Folders",
+  SecretTags = "Secret Tags",
+  Secrets = "Secrets",
+  DynamicSecrets = "Dynamic Secrets",
+  SecretImports = "Secret Imports",
+  SecretRotations = "Secret Rotations",
+  IdentitySpecificPrivilegesV1 = "Identity Specific Privileges",
+  IdentitySpecificPrivilegesV2 = "Identity Specific Privileges V2",
+  AppConnections = "App Connections",
+  SecretSyncs = "Secret Syncs",
+  Integrations = "Integrations",
+  ServiceTokens = "Service Tokens",
+  AuditLogs = "Audit Logs",
+  PkiCertificateAuthorities = "PKI Certificate Authorities",
+  PkiCertificates = "PKI Certificates",
+  PkiCertificateTemplates = "PKI Certificate Templates",
+  PkiCertificateCollections = "PKI Certificate Collections",
+  PkiAlerting = "PKI Alerting",
+  SshCertificates = "SSH Certificates",
+  SshCertificateAuthorities = "SSH Certificate Authorities",
+  SshCertificateTemplates = "SSH Certificate Templates",
+  KmsKeys = "KMS Keys",
+  KmsEncryption = "KMS Encryption",
+  KmsSigning = "KMS Signing"
+}
+
 export const GROUPS = {
  CREATE: {
    name: "The name of the group to create.",
@@ -888,7 +933,7 @@ export const DYNAMIC_SECRETS = {
    environmentSlug: "The slug of the environment to list folders from.",
    path: "The path to list folders from."
  },
-  LIST_LEAES_BY_NAME: {
+  LIST_LEASES_BY_NAME: {
    projectSlug: "The slug of the project to create dynamic secret in.",
    environmentSlug: "The slug of the environment to list folders from.",
    path: "The path to list folders from.",
@@ -1812,6 +1857,10 @@ export const AppConnections = {
    WINDMILL: {
      instanceUrl: "The Windmill instance URL to connect with (defaults to https://app.windmill.dev).",
      accessToken: "The access token to use to connect with Windmill."
+    },
+    TEAMCITY: {
+      instanceUrl: "The TeamCity instance URL to connect with.",
+      accessToken: "The access token to use to connect with TeamCity."
    }
  }
 };
@@ -1951,6 +2000,10 @@ export const SecretSyncs = {
    WINDMILL: {
      workspace: "The Windmill workspace to sync secrets to.",
      path: "The Windmill workspace path to sync secrets to."
+    },
+    TEAMCITY: {
+      project: "The TeamCity project to sync secrets to.",
+      buildConfig: "The TeamCity build configuration to sync secrets to."
    }
  }
 };
@@ -2015,6 +2068,10 @@ export const SecretRotations = {
    },
    AUTH0_CLIENT_SECRET: {
      clientId: "The client ID of the Auth0 Application to rotate the client secret for."
+    },
+    AWS_IAM_USER_SECRET: {
+      userName: "The name of the client to rotate credentials for.",
+      region: "The AWS region the client is present in."
    }
  },
  SECRETS_MAPPING: {
@@ -2025,6 +2082,10 @@ export const SecretRotations = {
    AUTH0_CLIENT_SECRET: {
      clientId: "The name of the secret that the client ID will be mapped to.",
      clientSecret: "The name of the secret that the rotated client secret will be mapped to."
+    },
+    AWS_IAM_USER_SECRET: {
+      accessKeyId: "The name of the secret that the access key ID will be mapped to.",
+      secretAccessKey: "The name of the secret that the rotated secret access key will be mapped to."
    }
  }
 };
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -73,6 +73,7 @@ const run = async () => {
  // eslint-disable-next-line
  process.on("SIGINT", async () => {
    await server.close();
+    await queue.shutdown();
    await db.destroy();
    await removeTemporaryBaseDirectory();
    hsmModule.finalize();
@@ -82,19 +83,22 @@ const run = async () => {
  // eslint-disable-next-line
  process.on("SIGTERM", async () => {
    await server.close();
+    await queue.shutdown();
    await db.destroy();
    await removeTemporaryBaseDirectory();
    hsmModule.finalize();
    process.exit(0);
  });

-  process.on("uncaughtException", (error) => {
-    logger.error(error, "CRITICAL ERROR: Uncaught Exception");
-  });
+  if (!envConfig.isDevelopmentMode) {
+    process.on("uncaughtException", (error) => {
+      logger.error(error, "CRITICAL ERROR: Uncaught Exception");
+    });

-  process.on("unhandledRejection", (error) => {
-    logger.error(error, "CRITICAL ERROR: Unhandled Promise Rejection");
-  });
+    process.on("unhandledRejection", (error) => {
+      logger.error(error, "CRITICAL ERROR: Unhandled Promise Rejection");
+    });
+  }

  await server.listen({
    port: envConfig.PORT,
--- a/backend/src/server/plugins/fastify-zod.ts
+++ b/backend/src/server/plugins/fastify-zod.ts
@@ -49,14 +49,17 @@ function resolveSchema(maybeSchema: ZodAny | { properties: ZodAny }): Pick<ZodAn
 }

 export const createJsonSchemaTransform = ({ skipList }: { skipList: readonly string[] }) => {
-  return ({ schema, url }: { schema: Schema; url: string }) => {
+  return ({ schema = {}, url }: { schema: Schema; url: string }) => {
    if (!schema) {
      return {
-        schema,
+        schema: { hide: true },
        url
      };
    }

+    if (typeof schema.hide === "undefined") {
+      schema.hide = true;
+    }
    const { response, headers, querystring, body, params, hide, ...rest } = schema;

    const transformed: FreeformRecord = {};
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -596,7 +596,14 @@ export const registerRoutes = async (
    kmsService
  });

-  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, totpService });
+  const loginService = authLoginServiceFactory({
+    userDAL,
+    smtpService,
+    tokenService,
+    orgDAL,
+    totpService,
+    auditLogService
+  });
  const passwordService = authPaswordServiceFactory({
    tokenService,
    smtpService,
@@ -1089,7 +1096,8 @@ export const registerRoutes = async (
    secretApprovalRequestSecretDAL,
    kmsService,
    snapshotService,
-    resourceMetadataDAL
+    resourceMetadataDAL,
+    keyStore
  });

  const secretApprovalRequestService = secretApprovalRequestServiceFactory({
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-endpoints.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-endpoints.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AppConnections } from "@app/lib/api-docs";
+import { ApiDocsTags, AppConnections } from "@app/lib/api-docs";
 import { startsWithVowel } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -43,6 +43,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `List the ${appName} Connections for the current organization.`,
      response: {
        200: z.object({ appConnections: sanitizedResponseSchema.array() })
@@ -76,6 +78,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `List the ${appName} Connections the current user has permission to establish connections with.`,
      response: {
        200: z.object({
@@ -120,6 +124,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `Get the specified ${appName} Connection by ID.`,
      params: z.object({
        connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
@@ -160,6 +166,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `Get the specified ${appName} Connection by name.`,
      params: z.object({
        connectionName: z
@@ -204,6 +212,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `Create ${
        startsWithVowel(appName) ? "an" : "a"
      } ${appName} Connection for the current organization.`,
@@ -247,6 +257,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `Update the specified ${appName} Connection.`,
      params: z.object({
        connectionId: z.string().uuid().describe(AppConnections.UPDATE(app).connectionId)
@@ -292,6 +304,8 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: `Delete the specified ${appName} Connection.`,
      params: z.object({
        connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { Auth0ConnectionListItemSchema, SanitizedAuth0ConnectionSchema } from "@app/services/app-connection/auth0";
@@ -32,6 +33,10 @@ import {
  PostgresConnectionListItemSchema,
  SanitizedPostgresConnectionSchema
 } from "@app/services/app-connection/postgres";
+import {
+  SanitizedTeamCityConnectionSchema,
+  TeamCityConnectionListItemSchema
+} from "@app/services/app-connection/teamcity";
 import {
  SanitizedTerraformCloudConnectionSchema,
  TerraformCloudConnectionListItemSchema
@@ -58,7 +63,8 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedMsSqlConnectionSchema.options,
  ...SanitizedCamundaConnectionSchema.options,
  ...SanitizedWindmillConnectionSchema.options,
-  ...SanitizedAuth0ConnectionSchema.options
+  ...SanitizedAuth0ConnectionSchema.options,
+  ...SanitizedTeamCityConnectionSchema.options
 ]);

 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -75,7 +81,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  MsSqlConnectionListItemSchema,
  CamundaConnectionListItemSchema,
  WindmillConnectionListItemSchema,
-  Auth0ConnectionListItemSchema
+  Auth0ConnectionListItemSchema,
+  TeamCityConnectionListItemSchema
 ]);

 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
@@ -86,6 +93,8 @@ export const registerAppConnectionRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: "List the available App Connection Options.",
      response: {
        200: z.object({
@@ -107,6 +116,8 @@ export const registerAppConnectionRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AppConnections],
      description: "List all the App Connections for the current organization.",
      response: {
        200: z.object({ appConnections: SanitizedAppConnectionSchema.array() })
--- a/backend/src/server/routes/v1/app-connection-routers/aws-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/aws-connection-router.ts
@@ -59,4 +59,40 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
      return { kmsKeys };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/users`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          iamUsers: z
+            .object({
+              UserName: z.string(),
+              Arn: z.string()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const iamUsers = await server.services.appConnection.aws.listIamUsers(
+        {
+          connectionId
+        },
+        req.permission
+      );
+
+      return { iamUsers };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -11,6 +11,7 @@ import { registerGitHubConnectionRouter } from "./github-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
+import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
 import { registerWindmillConnectionRouter } from "./windmill-connection-router";
@@ -32,5 +33,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.MsSql]: registerMsSqlConnectionRouter,
    [AppConnection.Camunda]: registerCamundaConnectionRouter,
    [AppConnection.Windmill]: registerWindmillConnectionRouter,
-    [AppConnection.Auth0]: registerAuth0ConnectionRouter
+    [AppConnection.Auth0]: registerAuth0ConnectionRouter,
+    [AppConnection.TeamCity]: registerTeamCityConnectionRouter
  };
--- a/backend/src/server/routes/v1/app-connection-routers/teamcity-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/teamcity-connection-router.ts
@@ -0,0 +1,60 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateTeamCityConnectionSchema,
+  SanitizedTeamCityConnectionSchema,
+  UpdateTeamCityConnectionSchema
+} from "@app/services/app-connection/teamcity";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerTeamCityConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.TeamCity,
+    server,
+    sanitizedResponseSchema: SanitizedTeamCityConnectionSchema,
+    createSchema: CreateTeamCityConnectionSchema,
+    updateSchema: UpdateTeamCityConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string(),
+            buildTypes: z.object({
+              buildType: z
+                .object({
+                  id: z.string(),
+                  name: z.string()
+                })
+                .array()
+            })
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const projects = await server.services.appConnection.teamcity.listProjects(connectionId, req.permission);
+
+      return projects;
+    }
+  });
+};
--- a/backend/src/server/routes/v1/certificate-authority-router.ts
+++ b/backend/src/server/routes/v1/certificate-authority-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { CertificateAuthoritiesSchema, CertificateTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ApiDocsTags, CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -26,6 +26,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Create CA",
      body: z
        .object({
@@ -105,6 +107,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET.caId)
@@ -151,6 +155,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get DER-encoded certificate of CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CERT_BY_ID.caId),
@@ -177,6 +183,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Update CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.UPDATE.caId)
@@ -231,6 +239,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Delete CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.DELETE.caId)
@@ -276,6 +286,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get CA CSR",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CSR.caId)
@@ -321,6 +333,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Perform CA certificate renewal",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.caId)
@@ -376,6 +390,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get list of past and current CA certificates for a CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CA_CERTS.caId)
@@ -424,6 +440,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get current CA cert and cert chain of a CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CERT.caId)
@@ -473,6 +491,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Create intermediate CA certificate from parent CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.caId)
@@ -536,6 +556,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Import certificate and chain to CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.IMPORT_CERT.caId)
@@ -588,6 +610,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Issue certificate from CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.caId)
@@ -679,6 +703,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Sign certificate from CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.caId)
@@ -770,6 +796,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get list of certificate templates for the CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.caId)
@@ -815,6 +843,8 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      description: "Get list of CRLs of the CA",
      params: z.object({
        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CRLS.caId)
--- a/backend/src/server/routes/v1/certificate-router.ts
+++ b/backend/src/server/routes/v1/certificate-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { CertificatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { CERTIFICATE_AUTHORITIES, CERTIFICATES } from "@app/lib/api-docs";
+import { ApiDocsTags, CERTIFICATE_AUTHORITIES, CERTIFICATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -24,6 +24,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      description: "Get certificate",
      params: z.object({
        serialNumber: z.string().trim().describe(CERTIFICATES.GET.serialNumber)
@@ -70,6 +72,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      description: "Issue certificate",
      body: z
        .object({
@@ -181,6 +185,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      description: "Sign certificate",
      body: z
        .object({
@@ -292,6 +298,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      description: "Revoke",
      params: z.object({
        serialNumber: z.string().trim().describe(CERTIFICATES.REVOKE.serialNumber)
@@ -346,6 +354,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      description: "Delete certificate",
      params: z.object({
        serialNumber: z.string().trim().describe(CERTIFICATES.DELETE.serialNumber)
@@ -392,6 +402,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      description: "Get certificate body of certificate",
      params: z.object({
        serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumber)
--- a/backend/src/server/routes/v1/certificate-template-router.ts
+++ b/backend/src/server/routes/v1/certificate-template-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { CertificateTemplateEstConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { ApiDocsTags, CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -26,6 +26,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      params: z.object({
        certificateTemplateId: z.string().describe(CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
      }),
@@ -65,6 +67,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      body: z.object({
        caId: z.string().describe(CERTIFICATE_TEMPLATES.CREATE.caId),
        pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.CREATE.pkiCollectionId),
@@ -132,6 +136,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      body: z.object({
        caId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.caId),
        pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.pkiCollectionId),
@@ -198,6 +204,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      params: z.object({
        certificateTemplateId: z.string().describe(CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
      }),
@@ -238,6 +246,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      description: "Create Certificate Template EST configuration",
      params: z.object({
        certificateTemplateId: z.string().trim()
@@ -292,6 +302,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      description: "Update Certificate Template EST configuration",
      params: z.object({
        certificateTemplateId: z.string().trim()
@@ -340,6 +352,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      description: "Get Certificate Template EST configuration",
      params: z.object({
        certificateTemplateId: z.string().trim()
--- a/backend/src/server/routes/v1/cmek-router.ts
+++ b/backend/src/server/routes/v1/cmek-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { InternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { KMS } from "@app/lib/api-docs";
+import { ApiDocsTags, KMS } from "@app/lib/api-docs";
 import { getBase64SizeInBytes, isBase64 } from "@app/lib/base64";
 import { AllowedEncryptionKeyAlgorithms, SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
 import { AsymmetricKeyAlgorithm, SigningAlgorithm } from "@app/lib/crypto/sign";
@@ -46,6 +46,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsKeys],
      description: "Create KMS key",
      body: z
        .object({
@@ -138,6 +140,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsKeys],
      description: "Update KMS key",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.UPDATE_KEY.keyId)
@@ -187,6 +191,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsKeys],
      description: "Delete KMS key",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.DELETE_KEY.keyId)
@@ -229,6 +235,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsKeys],
      description: "List KMS keys",
      querystring: z.object({
        projectId: z.string().describe(KMS.LIST_KEYS.projectId),
@@ -280,6 +288,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsKeys],
      description: "Get KMS key by ID",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.GET_KEY_BY_ID.keyId)
@@ -321,6 +331,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsKeys],
      description: "Get KMS key by name",
      params: z.object({
        keyName: slugSchema({ field: "Key name" }).describe(KMS.GET_KEY_BY_NAME.keyName)
@@ -367,6 +379,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsEncryption],
      description: "Encrypt data with KMS key",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.ENCRYPT.keyId)
@@ -412,6 +426,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsSigning],
      description:
        "Get the public key for a KMS key that is used for signing and verifying data. This endpoint is only available for asymmetric keys.",
      params: z.object({
@@ -454,6 +470,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsSigning],
      description: "List all available signing algorithms for a KMS key",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.LIST_SIGNING_ALGORITHMS.keyId)
@@ -495,6 +513,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsSigning],
      description: "Sign data with a KMS key.",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.SIGN.keyId)
@@ -548,6 +568,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsSigning],
      description: "Verify data signatures with a KMS key.",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.VERIFY.keyId)
@@ -604,6 +626,8 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KmsEncryption],
      description: "Decrypt data with KMS key",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.DECRYPT.keyId)
--- a/backend/src/server/routes/v1/identity-access-token-router.ts
+++ b/backend/src/server/routes/v1/identity-access-token-router.ts
@@ -1,6 +1,6 @@
 import { z } from "zod";

-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { writeLimit } from "@app/server/config/rateLimiter";

 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
@@ -11,6 +11,8 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Renew access token",
      body: z.object({
        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.RENEW_ACCESS_TOKEN.accessToken)
@@ -44,6 +46,8 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Revoke access token",
      body: z.object({
        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.REVOKE_ACCESS_TOKEN.accessToken)
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityAwsAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, AWS_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,6 +21,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AwsAuth],
      description: "Login with AWS Auth",
      body: z.object({
        identityId: z.string().trim().describe(AWS_AUTH.LOGIN.identityId),
@@ -71,6 +73,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AwsAuth],
      description: "Attach AWS Auth configuration onto identity",
      security: [
        {
@@ -165,6 +169,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AwsAuth],
      description: "Update AWS Auth configuration on identity",
      security: [
        {
@@ -247,6 +253,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AwsAuth],
      description: "Retrieve AWS Auth configuration on identity",
      security: [
        {
@@ -293,6 +301,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AwsAuth],
      description: "Delete AWS Auth configuration on identity",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityAzureAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AZURE_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, AZURE_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -18,6 +18,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AzureAuth],
      description: "Login with Azure Auth",
      body: z.object({
        identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId),
@@ -66,6 +68,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AzureAuth],
      description: "Attach Azure Auth configuration onto identity",
      security: [
        {
@@ -159,6 +163,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AzureAuth],
      description: "Update Azure Auth configuration on identity",
      security: [
        {
@@ -247,6 +253,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AzureAuth],
      description: "Retrieve Azure Auth configuration on identity",
      security: [
        {
@@ -294,6 +302,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AzureAuth],
      description: "Delete Azure Auth configuration on identity",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityGcpAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { GCP_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, GCP_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -18,9 +18,11 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.GcpAuth],
      description: "Login with GCP Auth",
      body: z.object({
-        identityId: z.string().trim().describe(GCP_AUTH.LOGIN.identityId).trim(),
+        identityId: z.string().trim().describe(GCP_AUTH.LOGIN.identityId),
        jwt: z.string()
      }),
      response: {
@@ -66,6 +68,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.GcpAuth],
      description: "Attach GCP Auth configuration onto identity",
      security: [
        {
@@ -157,6 +161,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.GcpAuth],
      description: "Update GCP Auth configuration on identity",
      security: [
        {
@@ -241,6 +247,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.GcpAuth],
      description: "Retrieve GCP Auth configuration on identity",
      security: [
        {
@@ -288,6 +296,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.GcpAuth],
      description: "Delete GCP Auth configuration on identity",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-jwt-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-jwt-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityJwtAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { JWT_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, JWT_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -94,6 +94,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.JwtAuth],
      description: "Login with JWT Auth",
      body: z.object({
        identityId: z.string().trim().describe(JWT_AUTH.LOGIN.identityId),
@@ -144,6 +146,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.JwtAuth],
      description: "Attach JWT Auth configuration onto identity",
      security: [
        {
@@ -211,6 +215,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.JwtAuth],
      description: "Update JWT Auth configuration on identity",
      security: [
        {
@@ -275,6 +281,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.JwtAuth],
      description: "Retrieve JWT Auth configuration on identity",
      security: [
        {
@@ -322,6 +330,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.JwtAuth],
      description: "Delete JWT Auth configuration on identity",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { KUBERNETES_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, KUBERNETES_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -35,6 +35,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KubernetesAuth],
      description: "Login with Kubernetes Auth",
      body: z.object({
        identityId: z.string().trim().describe(KUBERNETES_AUTH.LOGIN.identityId),
@@ -85,6 +87,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KubernetesAuth],
      description: "Attach Kubernetes Auth configuration onto identity",
      security: [
        {
@@ -182,6 +186,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KubernetesAuth],
      description: "Update Kubernetes Auth configuration on identity",
      security: [
        {
@@ -278,6 +284,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KubernetesAuth],
      description: "Retrieve Kubernetes Auth configuration on identity",
      security: [
        {
@@ -325,6 +333,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.KubernetesAuth],
      description: "Delete Kubernetes Auth configuration on identity",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-oidc-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityOidcAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { OIDC_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, OIDC_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -42,6 +42,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcAuth],
      description: "Login with OIDC Auth",
      body: z.object({
        identityId: z.string().trim().describe(OIDC_AUTH.LOGIN.identityId),
@@ -96,6 +98,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcAuth],
      description: "Attach OIDC Auth configuration onto identity",
      security: [
        {
@@ -195,6 +199,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcAuth],
      description: "Update OIDC Auth configuration on identity",
      security: [
        {
@@ -292,6 +298,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcAuth],
      description: "Retrieve OIDC Auth configuration on identity",
      security: [
        {
@@ -339,6 +347,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcAuth],
      description: "Delete OIDC Auth configuration on identity",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { IDENTITIES } from "@app/lib/api-docs";
+import { ApiDocsTags, IDENTITIES } from "@app/lib/api-docs";
 import { buildSearchZodSchema, SearchResourceOperators } from "@app/lib/search-resource/search";
 import { OrderByDirection } from "@app/lib/types";
 import { CharacterType, zodValidateCharacters } from "@app/lib/validator/validate-string";
@@ -32,6 +32,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Identities],
      description: "Create identity",
      security: [
        {
@@ -100,6 +102,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Identities],
      description: "Update identity",
      security: [
        {
@@ -158,6 +162,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Identities],
      description: "Delete identity",
      security: [
        {
@@ -205,6 +211,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Identities],
      description: "Get an identity by id",
      security: [
        {
@@ -260,6 +268,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Identities],
      description: "List identities",
      security: [
        {
@@ -308,6 +318,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Identities],
      description: "Search identities",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-token-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-token-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityAccessTokensSchema, IdentityTokenAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { TOKEN_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, TOKEN_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -18,6 +18,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Attach Token Auth configuration onto identity",
      security: [
        {
@@ -108,6 +110,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Update Token Auth configuration on identity",
      security: [
        {
@@ -192,6 +196,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Retrieve Token Auth configuration on identity",
      security: [
        {
@@ -239,6 +245,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Delete Token Auth configuration on identity",
      security: [
        {
@@ -287,6 +295,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Create token for identity with Token Auth",
      security: [
        {
@@ -349,6 +359,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Get tokens for identity with Token Auth",
      security: [
        {
@@ -402,6 +414,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Update token for identity with Token Auth",
      security: [
        {
@@ -456,6 +470,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TokenAuth],
      description: "Revoke token for identity with Token Auth",
      security: [
        {
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -30,6 +30,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Login with Universal Auth",
      body: z.object({
        clientId: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientId),
@@ -78,6 +80,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Attach Universal Auth configuration onto identity",
      security: [
        {
@@ -175,6 +179,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Update Universal Auth configuration on identity",
      security: [
        {
@@ -271,6 +277,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Retrieve Universal Auth configuration on identity",
      security: [
        {
@@ -318,6 +326,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Delete Universal Auth configuration on identity",
      security: [
        {
@@ -365,6 +375,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Create Universal Auth Client Secret for identity",
      security: [
        {
@@ -421,6 +433,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "List Universal Auth Client Secrets for identity",
      security: [
        {
@@ -469,6 +483,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Get Universal Auth Client Secret for identity",
      security: [
        {
@@ -519,6 +535,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
      description: "Revoke Universal Auth Client Secrets for identity",
      security: [
        {
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { INTEGRATION_AUTH } from "@app/lib/api-docs";
+import { ApiDocsTags, INTEGRATION_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -19,6 +19,8 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "List of integrations available.",
      security: [
        {
@@ -57,6 +59,8 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Get details of an integration authorization by auth object id.",
      security: [
        {
@@ -92,6 +96,8 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Update the integration authentication object required for syncing secrets.",
      security: [
        {
@@ -153,6 +159,8 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Remove all integration's auth object from the project.",
      security: [
        {
@@ -202,6 +210,8 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Remove an integration auth object by object id.",
      security: [
        {
@@ -294,6 +304,8 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Create the integration authentication object required for syncing secrets.",
      security: [
        {
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { IntegrationsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { INTEGRATION } from "@app/lib/api-docs";
+import { ApiDocsTags, INTEGRATION } from "@app/lib/api-docs";
 import { removeTrailingSlash, shake } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -22,6 +22,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Create an integration to sync secrets.",
      security: [
        {
@@ -119,6 +121,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Update an integration by integration id",
      security: [
        {
@@ -178,6 +182,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Get an integration by integration id",
      security: [
        {
@@ -247,6 +253,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Remove an integration using the integration object ID",
      security: [
        {
@@ -315,6 +323,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "Manually trigger sync of an integration by integration id",
      security: [
        {
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -9,7 +9,7 @@ import {
  UsersSchema
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
+import { ApiDocsTags, AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { GenericResourceNameSchema, slugSchema } from "@app/server/lib/schemas";
@@ -109,6 +109,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AuditLogs],
      description: "Get all audit logs for an organization",
      querystring: z.object({
        projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
--- a/backend/src/server/routes/v1/pki-alert-router.ts
+++ b/backend/src/server/routes/v1/pki-alert-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { PkiAlertsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { ALERTS } from "@app/lib/api-docs";
+import { ALERTS, ApiDocsTags } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -16,6 +16,8 @@ export const registerPkiAlertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiAlerting],
      description: "Create PKI alert",
      body: z.object({
        projectId: z.string().trim().describe(ALERTS.CREATE.projectId),
@@ -68,6 +70,8 @@ export const registerPkiAlertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiAlerting],
      description: "Get PKI alert",
      params: z.object({
        alertId: z.string().trim().describe(ALERTS.GET.alertId)
@@ -108,6 +112,8 @@ export const registerPkiAlertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiAlerting],
      description: "Update PKI alert",
      params: z.object({
        alertId: z.string().trim().describe(ALERTS.UPDATE.alertId)
@@ -164,6 +170,8 @@ export const registerPkiAlertRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiAlerting],
      description: "Delete PKI alert",
      params: z.object({
        alertId: z.string().trim().describe(ALERTS.DELETE.alertId)
--- a/backend/src/server/routes/v1/pki-collection-router.ts
+++ b/backend/src/server/routes/v1/pki-collection-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { PkiCollectionItemsSchema, PkiCollectionsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PKI_COLLECTIONS } from "@app/lib/api-docs";
+import { ApiDocsTags, PKI_COLLECTIONS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -17,6 +17,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Create PKI collection",
      body: z.object({
        projectId: z.string().trim().describe(PKI_COLLECTIONS.CREATE.projectId),
@@ -60,6 +62,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Get PKI collection",
      params: z.object({
        collectionId: z.string().trim().describe(PKI_COLLECTIONS.GET.collectionId)
@@ -100,6 +104,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Update PKI collection",
      params: z.object({
        collectionId: z.string().trim().describe(PKI_COLLECTIONS.UPDATE.collectionId)
@@ -146,6 +152,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Delete PKI collection",
      params: z.object({
        collectionId: z.string().trim().describe(PKI_COLLECTIONS.DELETE.collectionId)
@@ -186,6 +194,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Get items in PKI collection",
      params: z.object({
        collectionId: z.string().trim().describe(PKI_COLLECTIONS.LIST_ITEMS.collectionId)
@@ -247,6 +257,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Add item to PKI collection",
      params: z.object({
        collectionId: z.string().trim().describe(PKI_COLLECTIONS.ADD_ITEM.collectionId)
@@ -298,6 +310,8 @@ export const registerPkiCollectionRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      description: "Remove item from PKI collection",
      params: z.object({
        collectionId: z.string().trim().describe(PKI_COLLECTIONS.DELETE_ITEM.collectionId),
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { ENVIRONMENTS } from "@app/lib/api-docs";
+import { ApiDocsTags, ENVIRONMENTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -13,9 +13,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    url: "/:workspaceId/environments/:envId",
    config: {
-      rateLimit: writeLimit
+      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Environments],
      description: "Get Environment",
      security: [
        {
@@ -65,6 +67,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Environments],
      description: "Get Environment by ID",
      security: [
        {
@@ -112,6 +116,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Environments],
      description: "Create environment",
      security: [
        {
@@ -171,6 +177,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Environments],
      description: "Update environment",
      security: [
        {
@@ -237,6 +245,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Environments],
      description: "Delete environment",
      security: [
        {
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@@ -8,7 +8,7 @@ import {
  UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECT_USERS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECT_USERS } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -23,6 +23,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectUsers],
      description: "Return project user memberships",
      security: [
        {
@@ -141,6 +143,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectUsers],
      description: "Return project user memberships",
      security: [
        {
@@ -255,6 +259,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectUsers],
      description: "Update project user membership",
      security: [
        {
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -1,3 +1,4 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

 import {
@@ -6,6 +7,7 @@ import {
  ProjectMembershipsSchema,
  ProjectRolesSchema,
  ProjectSlackConfigsSchema,
+  ProjectSshConfigsSchema,
  ProjectType,
  SecretFoldersSchema,
  SortDirection,
@@ -13,7 +15,7 @@ import {
  UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { re2Validator } from "@app/lib/zod";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -78,7 +80,17 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        includeGroupMembers: z
          .enum(["true", "false"])
          .default("false")
-          .transform((value) => value === "true")
+          .transform((value) => value === "true"),
+        roles: z
+          .string()
+          .trim()
+          .transform(decodeURIComponent)
+          .refine((value) => {
+            if (!value) return true;
+            const slugs = value.split(",");
+            return slugs.every((slug) => slugify(slug.trim(), { lowercase: true }) === slug.trim());
+          })
+          .optional()
      }),
      params: z.object({
        workspaceId: z.string().trim()
@@ -117,13 +129,15 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
+      const roles = (req.query.roles?.split(",") || []).filter(Boolean);
      const users = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        includeGroupMembers: req.query.includeGroupMembers,
        projectId: req.params.workspaceId,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        roles
      });

      return { users };
@@ -177,6 +191,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Get project",
      security: [
        {
@@ -215,6 +231,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Delete project",
      security: [
        {
@@ -290,6 +308,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Update project",
      security: [
        {
@@ -513,6 +533,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "List integrations for a project.",
      security: [
        {
@@ -556,6 +578,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Integrations],
      description: "List integration auth objects for a workspace.",
      security: [
        {
@@ -613,6 +637,107 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "GET",
+    url: "/:workspaceId/ssh-config",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+      response: {
+        200: ProjectSshConfigsSchema.pick({
+          id: true,
+          createdAt: true,
+          updatedAt: true,
+          projectId: true,
+          defaultUserSshCaId: true,
+          defaultHostSshCaId: true
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const sshConfig = await server.services.project.getProjectSshConfig({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: sshConfig.projectId,
+        event: {
+          type: EventType.GET_PROJECT_SSH_CONFIG,
+          metadata: {
+            id: sshConfig.id,
+            projectId: sshConfig.projectId
+          }
+        }
+      });
+
+      return sshConfig;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:workspaceId/ssh-config",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+      body: z.object({
+        defaultUserSshCaId: z.string().optional(),
+        defaultHostSshCaId: z.string().optional()
+      }),
+      response: {
+        200: ProjectSshConfigsSchema.pick({
+          id: true,
+          createdAt: true,
+          updatedAt: true,
+          projectId: true,
+          defaultUserSshCaId: true,
+          defaultHostSshCaId: true
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const sshConfig = await server.services.project.updateProjectSshConfig({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: sshConfig.projectId,
+        event: {
+          type: EventType.UPDATE_PROJECT_SSH_CONFIG,
+          metadata: {
+            id: sshConfig.id,
+            projectId: sshConfig.projectId,
+            defaultUserSshCaId: sshConfig.defaultUserSshCaId,
+            defaultHostSshCaId: sshConfig.defaultHostSshCaId
+          }
+        }
+      });
+
+      return sshConfig;
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/:workspaceId/slack-config",
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { FOLDERS } from "@app/lib/api-docs";
+import { ApiDocsTags, FOLDERS } from "@app/lib/api-docs";
 import { prefixWithSlash, removeTrailingSlash } from "@app/lib/fn";
 import { isValidFolderName } from "@app/lib/validator";
 import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
@@ -19,6 +19,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      description: "Create folders",
      security: [
        {
@@ -98,6 +100,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      description: "Update folder",
      security: [
        {
@@ -181,6 +185,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      description: "Update folders by batch",
      security: [
        {
@@ -259,6 +265,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      description: "Delete a folder",
      security: [
        {
@@ -332,6 +340,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      description: "Get folders",
      security: [
        {
@@ -390,6 +400,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      description: "Get folder by id",
      security: [
        {
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SECRET_IMPORTS } from "@app/lib/api-docs";
+import { ApiDocsTags, SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -18,6 +18,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretImports],
      description: "Create secret imports",
      security: [
        {
@@ -83,6 +85,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretImports],
      description: "Update secret imports",
      security: [
        {
@@ -157,6 +161,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretImports],
      description: "Delete secret imports",
      security: [
        {
@@ -263,6 +269,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretImports],
      description: "Get secret imports",
      security: [
        {
@@ -319,6 +327,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretImports],
      description: "Get single secret import",
      security: [
        {
@@ -421,6 +431,8 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretImports],
      querystring: z.object({
        workspaceId: z.string().trim(),
        environment: z.string().trim(),
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -9,6 +9,7 @@ import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
+import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
 import { registerWindmillSyncRouter } from "./windmill-sync-router";
@@ -27,5 +28,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.TerraformCloud]: registerTerraformCloudSyncRouter,
  [SecretSync.Camunda]: registerCamundaSyncRouter,
  [SecretSync.Vercel]: registerVercelSyncRouter,
-  [SecretSync.Windmill]: registerWindmillSyncRouter
+  [SecretSync.Windmill]: registerWindmillSyncRouter,
+  [SecretSync.TeamCity]: registerTeamCitySyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SecretSyncs } from "@app/lib/api-docs";
+import { ApiDocsTags, SecretSyncs } from "@app/lib/api-docs";
 import { startsWithVowel } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -51,6 +51,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `List the ${destinationName} Syncs for the specified project.`,
      querystring: z.object({
        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST(destination).projectId)
@@ -94,6 +96,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Get the specified ${destinationName} Sync by ID.`,
      params: z.object({
        syncId: z.string().uuid().describe(SecretSyncs.GET_BY_ID(destination).syncId)
@@ -134,6 +138,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Get the specified ${destinationName} Sync by name and project ID.`,
      params: z.object({
        syncName: z.string().trim().min(1, "Sync name required").describe(SecretSyncs.GET_BY_NAME(destination).syncName)
@@ -182,6 +188,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Create ${
        startsWithVowel(destinationName) ? "an" : "a"
      } ${destinationName} Sync for the specified project environment.`,
@@ -221,6 +229,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Update the specified ${destinationName} Sync.`,
      params: z.object({
        syncId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).syncId)
@@ -263,6 +273,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Delete the specified ${destinationName} Sync.`,
      params: z.object({
        syncId: z.string().uuid().describe(SecretSyncs.DELETE(destination).syncId)
@@ -312,6 +324,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Trigger a sync for the specified ${destinationName} Sync.`,
      params: z.object({
        syncId: z.string().uuid().describe(SecretSyncs.SYNC_SECRETS(destination).syncId)
@@ -344,6 +358,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Import secrets from the specified ${destinationName} Sync destination.`,
      params: z.object({
        syncId: z.string().uuid().describe(SecretSyncs.IMPORT_SECRETS(destination).syncId)
@@ -382,6 +398,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: `Remove previously synced secrets from the specified ${destinationName} Sync destination.`,
      params: z.object({
        syncId: z.string().uuid().describe(SecretSyncs.REMOVE_SECRETS(destination).syncId)
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SecretSyncs } from "@app/lib/api-docs";
+import { ApiDocsTags, SecretSyncs } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -23,6 +23,7 @@ import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/service
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
+import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
 import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
@@ -39,7 +40,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  TerraformCloudSyncSchema,
  CamundaSyncSchema,
  VercelSyncSchema,
-  WindmillSyncSchema
+  WindmillSyncSchema,
+  TeamCitySyncSchema
 ]);

 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -54,7 +56,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  TerraformCloudSyncListItemSchema,
  CamundaSyncListItemSchema,
  VercelSyncListItemSchema,
-  WindmillSyncListItemSchema
+  WindmillSyncListItemSchema,
+  TeamCitySyncListItemSchema
 ]);

 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
@@ -65,6 +68,8 @@ export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: "List the available Secret Sync Options.",
      response: {
        200: z.object({
@@ -86,6 +91,8 @@ export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretSyncs],
      description: "List all the Secret Syncs for the specified project.",
      querystring: z.object({
        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST().projectId)
--- a/backend/src/server/routes/v1/secret-sync-routers/teamcity-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/teamcity-sync-router.ts
@@ -0,0 +1,17 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  CreateTeamCitySyncSchema,
+  TeamCitySyncSchema,
+  UpdateTeamCitySyncSchema
+} from "@app/services/secret-sync/teamcity";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerTeamCitySyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.TeamCity,
+    server,
+    responseSchema: TeamCitySyncSchema,
+    createSchema: CreateTeamCitySyncSchema,
+    updateSchema: UpdateTeamCitySyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-tag-router.ts
+++ b/backend/src/server/routes/v1/secret-tag-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { SecretTagsSchema } from "@app/db/schemas";
-import { SECRET_TAGS } from "@app/lib/api-docs";
+import { ApiDocsTags, SECRET_TAGS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -15,6 +15,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.LIST.projectId)
      }),
@@ -44,6 +46,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_ID.projectId),
        tagId: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_ID.tagId)
@@ -75,6 +79,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_SLUG.projectId),
        tagSlug: z.string().trim().describe(SECRET_TAGS.GET_TAG_BY_SLUG.tagSlug)
@@ -107,6 +113,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.CREATE.projectId)
      }),
@@ -141,6 +149,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.UPDATE.projectId),
        tagId: z.string().trim().describe(SECRET_TAGS.UPDATE.tagId)
@@ -176,6 +186,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Folders],
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.DELETE.projectId),
        tagId: z.string().trim().describe(SECRET_TAGS.DELETE.tagId)
--- a/backend/src/server/routes/v2/group-project-router.ts
+++ b/backend/src/server/routes/v2/group-project-router.ts
@@ -6,7 +6,7 @@ import {
  ProjectMembershipRole,
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -22,6 +22,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectGroups],
      description: "Add group to project",
      security: [
        {
@@ -88,6 +90,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectGroups],
      description: "Update group in project",
      security: [
        {
@@ -147,6 +151,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectGroups],
      description: "Remove group from project",
      security: [
        {
@@ -185,6 +191,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectGroups],
      description: "Return list of groups in project",
      security: [
        {
@@ -243,6 +251,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectGroups],
      description: "Return project group",
      security: [
        {
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";

 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
+import { ApiDocsTags, ORGANIZATIONS } from "@app/lib/api-docs";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -17,6 +17,8 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Organizations],
      description: "Return organization identity memberships",
      security: [
        {
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@@ -6,7 +6,7 @@ import {
  ProjectMembershipRole,
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { ORGANIZATIONS, PROJECT_IDENTITIES } from "@app/lib/api-docs";
+import { ApiDocsTags, ORGANIZATIONS, PROJECT_IDENTITIES } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { OrderByDirection } from "@app/lib/types";
@@ -27,6 +27,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectIdentities],
      description: "Create project identity membership",
      security: [
        {
@@ -101,6 +103,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectIdentities],
      description: "Update project identity memberships",
      security: [
        {
@@ -170,6 +174,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectIdentities],
      description: "Delete project identity memberships",
      security: [
        {
@@ -207,6 +213,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectIdentities],
      description: "Return project identity memberships",
      security: [
        {
@@ -300,6 +308,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectIdentities],
      description: "Return project identity membership",
      security: [
        {
@@ -360,6 +370,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectIdentities],
      params: z.object({
        identityMembershipId: z.string().trim()
      }),
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -8,7 +8,7 @@ import {
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
+import { ApiDocsTags, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
@@ -24,6 +24,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Organizations],
      description: "Return organization user memberships",
      security: [
        {
@@ -72,6 +74,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Organizations],
      description: "Return projects in organization that user is apart of",
      security: [
        {
@@ -179,6 +183,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Organizations],
      description: "Update organization user memberships",
      security: [
        {
@@ -229,6 +235,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Organizations],
      description: "Delete organization user memberships",
      security: [
        {
--- a/backend/src/server/routes/v2/project-membership-router.ts
+++ b/backend/src/server/routes/v2/project-membership-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { OrgMembershipRole, ProjectMembershipRole, ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECT_USERS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECT_USERS } from "@app/lib/api-docs";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -15,6 +15,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectUsers],
      description: "Invite members to project",
      security: [
        {
@@ -78,6 +80,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectUsers],
      description: "Remove members from project",
      security: [
        {
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -14,7 +14,7 @@ import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-s
 import { sanitizedSshCertificate } from "@app/ee/services/ssh-certificate/ssh-certificate-schema";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
 import { loginMappingSchema, sanitizedSshHost } from "@app/ee/services/ssh-host/ssh-host-schema";
-import { PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -29,7 +29,8 @@ import { SanitizedProjectSchema } from "../sanitizedSchemas";

 const projectWithEnv = SanitizedProjectSchema.extend({
  _id: z.string(),
-  environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
+  environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array(),
+  kmsSecretManagerKeyId: z.string().nullable().optional()
 });

 export const registerProjectRouter = async (server: FastifyZodProvider) => {
@@ -150,6 +151,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Create a new project",
      security: [
        {
@@ -224,6 +227,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
      description: "Delete project",
      security: [
        {
@@ -342,6 +347,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
      params: z.object({
        slug: slugSchema({ min: 5, max: 36 }).describe(PROJECTS.LIST_CAS.slug)
      }),
@@ -383,6 +390,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
      params: z.object({
        slug: slugSchema({ min: 5, max: 36 }).describe(PROJECTS.LIST_CERTIFICATES.slug)
      }),
@@ -551,6 +560,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
      params: z.object({
        projectId: z.string().trim().describe(PROJECTS.LIST_SSH_CERTIFICATE_TEMPLATES.projectId)
      }),
@@ -581,6 +592,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
      params: z.object({
        projectId: z.string().trim().describe(PROJECTS.LIST_SSH_CAS.projectId)
      }),
--- a/backend/src/server/routes/v2/service-token-router.ts
+++ b/backend/src/server/routes/v2/service-token-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { ServiceTokensSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -25,6 +26,8 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.SERVICE_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ServiceTokens],
      description: "Return Infisical Token data",
      security: [
        {
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -252,6 +252,31 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "DELETE",
+    url: "/me/sessions/:sessionId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        sessionId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.authToken.revokeMySessionById(req.permission.id, req.params.sessionId);
+      return {
+        message: "Successfully revoked session"
+      };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/me",
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { SecretApprovalRequestsSchema, SecretsSchema, SecretType, ServiceTokenScopes } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
+import { ApiDocsTags, RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -48,6 +48,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Attach tags to a secret",
      security: [
        {
@@ -103,6 +105,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: writeLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Detach tags from a secret",
      security: [
        {
@@ -158,6 +162,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "List secrets",
      security: [
        {
@@ -355,6 +361,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      params: z.object({
        secretId: z.string()
      }),
@@ -390,6 +398,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Get a secret by name",
      security: [
        {
@@ -496,6 +506,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Create secret",
      security: [
        {
@@ -609,6 +621,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Update secret",
      security: [
        {
@@ -729,6 +743,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Delete secret",
      security: [
        {
@@ -1486,6 +1502,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      body: z.object({
        projectSlug: z.string().trim(),
        sourceEnvironment: z.string().trim(),
@@ -1911,6 +1929,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Create many secrets",
      security: [
        {
@@ -2017,6 +2037,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Update many secrets",
      security: [
        {
@@ -2170,6 +2192,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Delete many secrets",
      security: [
        {
@@ -2266,6 +2290,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      rateLimit: secretsLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Secrets],
      description: "Get secret reference tree",
      security: [
        {
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -12,7 +12,8 @@ export enum AppConnection {
  MsSql = "mssql",
  Camunda = "camunda",
  Windmill = "windmill",
-  Auth0 = "auth0"
+  Auth0 = "auth0",
+  TeamCity = "teamcity"
 }

 export enum AWSRegion {
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -43,6 +43,11 @@ import {
 } from "./humanitec";
 import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
+import {
+  getTeamCityConnectionListItem,
+  TeamCityConnectionMethod,
+  validateTeamCityConnectionCredentials
+} from "./teamcity";
 import {
  getTerraformCloudConnectionListItem,
  TerraformCloudConnectionMethod,
@@ -71,7 +76,8 @@ export const listAppConnectionOptions = () => {
    getMsSqlConnectionListItem(),
    getCamundaConnectionListItem(),
    getWindmillConnectionListItem(),
-    getAuth0ConnectionListItem()
+    getAuth0ConnectionListItem(),
+    getTeamCityConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
 };

@@ -135,7 +141,8 @@ export const validateAppConnectionCredentials = async (
    [AppConnection.Vercel]: validateVercelConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.TerraformCloud]: validateTerraformCloudConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Auth0]: validateAuth0ConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Windmill]: validateWindmillConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Windmill]: validateWindmillConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.TeamCity]: validateTeamCityConnectionCredentials as TAppConnectionCredentialsValidator
  };

  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -167,6 +174,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case MsSqlConnectionMethod.UsernameAndPassword:
      return "Username & Password";
    case WindmillConnectionMethod.AccessToken:
+    case TeamCityConnectionMethod.AccessToken:
      return "Access Token";
    case Auth0ConnectionMethod.ClientCredentials:
      return "Client Credentials";
@@ -214,5 +222,6 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
  [AppConnection.Camunda]: platformManagedCredentialsNotSupported,
  [AppConnection.Vercel]: platformManagedCredentialsNotSupported,
  [AppConnection.Windmill]: platformManagedCredentialsNotSupported,
-  [AppConnection.Auth0]: platformManagedCredentialsNotSupported
+  [AppConnection.Auth0]: platformManagedCredentialsNotSupported,
+  [AppConnection.TeamCity]: platformManagedCredentialsNotSupported
 };
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -14,5 +14,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.MsSql]: "Microsoft SQL Server",
  [AppConnection.Camunda]: "Camunda",
  [AppConnection.Windmill]: "Windmill",
-  [AppConnection.Auth0]: "Auth0"
+  [AppConnection.Auth0]: "Auth0",
+  [AppConnection.TeamCity]: "TeamCity"
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -45,6 +45,8 @@ import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
 import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
+import { ValidateTeamCityConnectionCredentialsSchema } from "./teamcity";
+import { teamcityConnectionService } from "./teamcity/teamcity-connection-service";
 import { ValidateTerraformCloudConnectionCredentialsSchema } from "./terraform-cloud";
 import { terraformCloudConnectionService } from "./terraform-cloud/terraform-cloud-connection-service";
 import { ValidateVercelConnectionCredentialsSchema } from "./vercel";
@@ -74,7 +76,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.MsSql]: ValidateMsSqlConnectionCredentialsSchema,
  [AppConnection.Camunda]: ValidateCamundaConnectionCredentialsSchema,
  [AppConnection.Windmill]: ValidateWindmillConnectionCredentialsSchema,
-  [AppConnection.Auth0]: ValidateAuth0ConnectionCredentialsSchema
+  [AppConnection.Auth0]: ValidateAuth0ConnectionCredentialsSchema,
+  [AppConnection.TeamCity]: ValidateTeamCityConnectionCredentialsSchema
 };

 export const appConnectionServiceFactory = ({
@@ -450,6 +453,7 @@ export const appConnectionServiceFactory = ({
    camunda: camundaConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    vercel: vercelConnectionService(connectAppConnectionById),
    windmill: windmillConnectionService(connectAppConnectionById),
-    auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService)
+    auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
+    teamcity: teamcityConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -63,6 +63,12 @@ import {
  TPostgresConnectionInput,
  TValidatePostgresConnectionCredentialsSchema
 } from "./postgres";
+import {
+  TTeamCityConnection,
+  TTeamCityConnectionConfig,
+  TTeamCityConnectionInput,
+  TValidateTeamCityConnectionCredentialsSchema
+} from "./teamcity";
 import {
  TTerraformCloudConnection,
  TTerraformCloudConnectionConfig,
@@ -97,6 +103,7 @@ export type TAppConnection = { id: string } & (
  | TCamundaConnection
  | TWindmillConnection
  | TAuth0Connection
+  | TTeamCityConnection
 );

 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -118,6 +125,7 @@ export type TAppConnectionInput = { id: string } & (
  | TCamundaConnectionInput
  | TWindmillConnectionInput
  | TAuth0ConnectionInput
+  | TTeamCityConnectionInput
 );

 export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput;
@@ -144,7 +152,8 @@ export type TAppConnectionConfig =
  | TSqlConnectionConfig
  | TCamundaConnectionConfig
  | TWindmillConnectionConfig
-  | TAuth0ConnectionConfig;
+  | TAuth0ConnectionConfig
+  | TTeamCityConnectionConfig;

 export type TValidateAppConnectionCredentialsSchema =
  | TValidateAwsConnectionCredentialsSchema
@@ -160,7 +169,8 @@ export type TValidateAppConnectionCredentialsSchema =
  | TValidateTerraformCloudConnectionCredentialsSchema
  | TValidateVercelConnectionCredentialsSchema
  | TValidateWindmillConnectionCredentialsSchema
-  | TValidateAuth0ConnectionCredentialsSchema;
+  | TValidateAuth0ConnectionCredentialsSchema
+  | TValidateTeamCityConnectionCredentialsSchema;

 export type TListAwsConnectionKmsKeys = {
  connectionId: string;
@@ -168,6 +178,10 @@ export type TListAwsConnectionKmsKeys = {
  destination: SecretSync.AWSParameterStore | SecretSync.AWSSecretsManager;
 };

+export type TListAwsConnectionIamUsers = {
+  connectionId: string;
+};
+
 export type TAppConnectionCredentialsValidator = (
  appConnection: TAppConnectionConfig
 ) => Promise<TAppConnection["credentials"]>;
--- a/backend/src/services/app-connection/aws/aws-connection-service.ts
+++ b/backend/src/services/app-connection/aws/aws-connection-service.ts
@@ -2,7 +2,10 @@ import AWS from "aws-sdk";

 import { OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { TListAwsConnectionKmsKeys } from "@app/services/app-connection/app-connection-types";
+import {
+  TListAwsConnectionIamUsers,
+  TListAwsConnectionKmsKeys
+} from "@app/services/app-connection/app-connection-types";
 import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
 import { TAwsConnection } from "@app/services/app-connection/aws/aws-connection-types";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
@@ -70,6 +73,23 @@ const listAwsKmsKeys = async (
  return kmsKeys;
 };

+const listAwsIamUsers = async (appConnection: TAwsConnection) => {
+  const { credentials } = await getAwsConnectionConfig(appConnection);
+
+  const iam = new AWS.IAM({ credentials });
+
+  const userEntries: AWS.IAM.User[] = [];
+  let userMarker: string | undefined;
+  do {
+    // eslint-disable-next-line no-await-in-loop
+    const response = await iam.listUsers({ MaxItems: 100, Marker: userMarker }).promise();
+    userEntries.push(...(response.Users || []));
+    userMarker = response.Marker;
+  } while (userMarker);
+
+  return userEntries;
+};
+
 export const awsConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
  const listKmsKeys = async (
    { connectionId, region, destination }: TListAwsConnectionKmsKeys,
@@ -82,7 +102,16 @@ export const awsConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
    return kmsKeys;
  };

+  const listIamUsers = async ({ connectionId }: TListAwsConnectionIamUsers, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.AWS, connectionId, actor);
+
+    const iamUsers = await listAwsIamUsers(appConnection);
+
+    return iamUsers;
+  };
+
  return {
-    listKmsKeys
+    listKmsKeys,
+    listIamUsers
  };
 };
--- a/backend/src/services/app-connection/teamcity/index.ts
+++ b/backend/src/services/app-connection/teamcity/index.ts
@@ -0,0 +1,4 @@
+export * from "./teamcity-connection-enums";
+export * from "./teamcity-connection-fns";
+export * from "./teamcity-connection-schemas";
+export * from "./teamcity-connection-types";
--- a/backend/src/services/app-connection/teamcity/teamcity-connection-enums.ts
+++ b/backend/src/services/app-connection/teamcity/teamcity-connection-enums.ts
@@ -0,0 +1,3 @@
+export enum TeamCityConnectionMethod {
+  AccessToken = "access-token"
+}
--- a/backend/src/services/app-connection/teamcity/teamcity-connection-fns.ts
+++ b/backend/src/services/app-connection/teamcity/teamcity-connection-fns.ts
@@ -0,0 +1,74 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { TeamCityConnectionMethod } from "./teamcity-connection-enums";
+import {
+  TTeamCityConnection,
+  TTeamCityConnectionConfig,
+  TTeamCityListProjectsResponse
+} from "./teamcity-connection-types";
+
+export const getTeamCityInstanceUrl = async (config: TTeamCityConnectionConfig) => {
+  const instanceUrl = removeTrailingSlash(config.credentials.instanceUrl);
+
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  return instanceUrl;
+};
+
+export const getTeamCityConnectionListItem = () => {
+  return {
+    name: "TeamCity" as const,
+    app: AppConnection.TeamCity as const,
+    methods: Object.values(TeamCityConnectionMethod) as [TeamCityConnectionMethod.AccessToken]
+  };
+};
+
+export const validateTeamCityConnectionCredentials = async (config: TTeamCityConnectionConfig) => {
+  const instanceUrl = await getTeamCityInstanceUrl(config);
+
+  const { accessToken } = config.credentials;
+
+  try {
+    await request.get(`${instanceUrl}/app/rest/server`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listTeamCityProjects = async (appConnection: TTeamCityConnection) => {
+  const instanceUrl = await getTeamCityInstanceUrl(appConnection);
+  const { accessToken } = appConnection.credentials;
+
+  const resp = await request.get<TTeamCityListProjectsResponse>(
+    `${instanceUrl}/app/rest/projects?fields=project(id,name,buildTypes(buildType(id,name)))`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
+      }
+    }
+  );
+
+  // Filter out the root project. Should not be seen by users.
+  return resp.data.project.filter((proj) => proj.id !== "_Root");
+};
--- a/backend/src/services/app-connection/teamcity/teamcity-connection-schemas.ts
+++ b/backend/src/services/app-connection/teamcity/teamcity-connection-schemas.ts
@@ -0,0 +1,70 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { TeamCityConnectionMethod } from "./teamcity-connection-enums";
+
+export const TeamCityConnectionAccessTokenCredentialsSchema = z.object({
+  accessToken: z
+    .string()
+    .trim()
+    .min(1, "Access Token required")
+    .describe(AppConnections.CREDENTIALS.TEAMCITY.accessToken),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .min(1, "Instance URL required")
+    .describe(AppConnections.CREDENTIALS.TEAMCITY.instanceUrl)
+});
+
+const BaseTeamCityConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.TeamCity) });
+
+export const TeamCityConnectionSchema = BaseTeamCityConnectionSchema.extend({
+  method: z.literal(TeamCityConnectionMethod.AccessToken),
+  credentials: TeamCityConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedTeamCityConnectionSchema = z.discriminatedUnion("method", [
+  BaseTeamCityConnectionSchema.extend({
+    method: z.literal(TeamCityConnectionMethod.AccessToken),
+    credentials: TeamCityConnectionAccessTokenCredentialsSchema.pick({
+      instanceUrl: true
+    })
+  })
+]);
+
+export const ValidateTeamCityConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(TeamCityConnectionMethod.AccessToken)
+      .describe(AppConnections.CREATE(AppConnection.TeamCity).method),
+    credentials: TeamCityConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.TeamCity).credentials
+    )
+  })
+]);
+
+export const CreateTeamCityConnectionSchema = ValidateTeamCityConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.TeamCity)
+);
+
+export const UpdateTeamCityConnectionSchema = z
+  .object({
+    credentials: TeamCityConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.TeamCity).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.TeamCity));
+
+export const TeamCityConnectionListItemSchema = z.object({
+  name: z.literal("TeamCity"),
+  app: z.literal(AppConnection.TeamCity),
+  methods: z.nativeEnum(TeamCityConnectionMethod).array()
+});
--- a/backend/src/services/app-connection/teamcity/teamcity-connection-service.ts
+++ b/backend/src/services/app-connection/teamcity/teamcity-connection-service.ts
@@ -0,0 +1,28 @@
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listTeamCityProjects } from "./teamcity-connection-fns";
+import { TTeamCityConnection } from "./teamcity-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TTeamCityConnection>;
+
+export const teamcityConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.TeamCity, connectionId, actor);
+
+    try {
+      const projects = await listTeamCityProjects(appConnection);
+      return projects;
+    } catch (error) {
+      return [];
+    }
+  };
+
+  return {
+    listProjects
+  };
+};
--- a/backend/src/services/app-connection/teamcity/teamcity-connection-types.ts
+++ b/backend/src/services/app-connection/teamcity/teamcity-connection-types.ts
@@ -0,0 +1,43 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateTeamCityConnectionSchema,
+  TeamCityConnectionSchema,
+  ValidateTeamCityConnectionCredentialsSchema
+} from "./teamcity-connection-schemas";
+
+export type TTeamCityConnection = z.infer<typeof TeamCityConnectionSchema>;
+
+export type TTeamCityConnectionInput = z.infer<typeof CreateTeamCityConnectionSchema> & {
+  app: AppConnection.TeamCity;
+};
+
+export type TValidateTeamCityConnectionCredentialsSchema = typeof ValidateTeamCityConnectionCredentialsSchema;
+
+export type TTeamCityConnectionConfig = DiscriminativePick<
+  TTeamCityConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TTeamCityProject = {
+  id: string;
+  name: string;
+};
+
+export type TTeamCityProjectWithBuildTypes = TTeamCityProject & {
+  buildTypes: {
+    buildType: {
+      id: string;
+      name: string;
+    }[];
+  };
+};
+
+export type TTeamCityListProjectsResponse = {
+  project: TTeamCityProjectWithBuildTypes[];
+};
--- a/backend/src/services/auth-token/auth-token-dal.ts
+++ b/backend/src/services/auth-token/auth-token-dal.ts
@@ -47,7 +47,10 @@ export const tokenDALFactory = (db: TDbClient) => {

  const findTokenSessions = async (filter: Partial<TAuthTokenSessions>, tx?: Knex) => {
    try {
-      const sessions = await (tx || db.replicaNode())(TableName.AuthTokenSession).where(filter);
+      const sessions = await (tx || db.replicaNode())(TableName.AuthTokenSession)
+        .where(filter)
+        .orderBy("lastUsed", "desc");
+
      return sessions;
    } catch (error) {
      throw new DatabaseError({ name: "Find all token session", error });
--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@@ -151,6 +151,9 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu

  const revokeAllMySessions = async (userId: string) => tokenDAL.deleteTokenSession({ userId });

+  const revokeMySessionById = async (userId: string, sessionId: string) =>
+    tokenDAL.deleteTokenSession({ userId, id: sessionId });
+
  const validateRefreshToken = async (refreshToken?: string) => {
    const appCfg = getConfig();
    if (!refreshToken)
@@ -223,6 +226,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
    clearTokenSessionById,
    getTokenSessionByUser,
    revokeAllMySessions,
+    revokeMySessionById,
    validateRefreshToken,
    fnValidateJwtIdentity,
    getUserTokenSessionById
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -3,6 +3,8 @@ import jwt from "jsonwebtoken";
 import { Knex } from "knex";

 import { OrgMembershipRole, TUsers, UserDeviceSchema } from "@app/db/schemas";
+import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
@@ -11,6 +13,7 @@ import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, DatabaseError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";

 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
@@ -28,7 +31,15 @@ import {
  TOauthTokenExchangeDTO,
  TVerifyMfaTokenDTO
 } from "./auth-login-type";
-import { AuthMethod, AuthModeJwtTokenPayload, AuthModeMfaJwtTokenPayload, AuthTokenType, MfaMethod } from "./auth-type";
+import {
+  ActorType,
+  AuthMethod,
+  AuthModeJwtTokenPayload,
+  AuthModeMfaJwtTokenPayload,
+  AuthTokenType,
+  MfaMethod
+} from "./auth-type";
+import { removeTrailingSlash } from "@app/lib/fn";

 type TAuthLoginServiceFactoryDep = {
  userDAL: TUserDALFactory;
@@ -36,6 +47,7 @@ type TAuthLoginServiceFactoryDep = {
  tokenService: TAuthTokenServiceFactory;
  smtpService: TSmtpService;
  totpService: Pick<TTotpServiceFactory, "verifyUserTotp" | "verifyWithUserRecoveryCode">;
+  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
 };

 export type TAuthLoginFactory = ReturnType<typeof authLoginServiceFactory>;
@@ -44,7 +56,8 @@ export const authLoginServiceFactory = ({
  tokenService,
  smtpService,
  orgDAL,
-  totpService
+  totpService,
+  auditLogService
 }: TAuthLoginServiceFactoryDep) => {
  /*
   * Private
@@ -412,6 +425,55 @@ export const authLoginServiceFactory = ({
      mfaMethod: decodedToken.mfaMethod
    });

+    // In the event of this being a break-glass request (non-saml / non-oidc, when either is enforced)
+    if (
+      selectedOrg.authEnforced &&
+      selectedOrg.bypassOrgAuthEnabled &&
+      !isAuthMethodSaml(decodedToken.authMethod) &&
+      decodedToken.authMethod !== AuthMethod.OIDC
+    ) {
+      await auditLogService.createAuditLog({
+        orgId: organizationId,
+        ipAddress,
+        userAgent,
+        userAgentType: getUserAgentType(userAgent),
+        actor: {
+          type: ActorType.USER,
+          metadata: {
+            email: user.email,
+            userId: user.id,
+            username: user.username
+          }
+        },
+        event: {
+          type: EventType.ORG_ADMIN_BYPASS_SSO,
+          metadata: {}
+        }
+      });
+
+      // Notify all admins via email (besides the actor)
+      const orgAdmins = await orgDAL.findOrgMembersByRole(organizationId, OrgMembershipRole.Admin);
+      const adminEmails = orgAdmins
+        .filter((admin) => admin.user.id !== user.id)
+        .map((admin) => admin.user.email)
+        .filter(Boolean) as string[];
+
+      if (adminEmails.length > 0) {
+        await smtpService.sendMail({
+          recipients: adminEmails,
+          subjectLine: "Security Alert: Admin SSO Bypass",
+          substitutions: {
+            email: user.email,
+            timestamp: new Date().toISOString(),
+            ip: ipAddress,
+            userAgent,
+            siteUrl: removeTrailingSlash(cfg.SITE_URL || "https://app.infisical.com")
+          },
+          template: SmtpTemplates.OrgAdminBreakglassAccess
+        });
+      }
+    }
+
    return {
      ...tokens,
      isMfaEnabled: false
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -68,6 +68,15 @@ const awsRegionFromHeader = (authorizationHeader: string): string | null => {
  return null;
 };

+function isValidAwsRegion(region: string | null): boolean {
+  const validRegionPattern = new RE2("^[a-z0-9-]+$");
+  if (typeof region !== "string" || region.length === 0 || region.length > 20) {
+    return false;
+  }
+
+  return validRegionPattern.test(region);
+}
+
 export const identityAwsAuthServiceFactory = ({
  identityAccessTokenDAL,
  identityAwsAuthDAL,
@@ -85,8 +94,12 @@ export const identityAwsAuthServiceFactory = ({

    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
    const body: string = Buffer.from(iamRequestBody, "base64").toString();
-
    const region = headers.Authorization ? awsRegionFromHeader(headers.Authorization) : null;
+
+    if (!isValidAwsRegion(region)) {
+      throw new BadRequestError({ message: "Invalid AWS region" });
+    }
+
    const url = region ? `https://sts.${region}.amazonaws.com` : identityAwsAuth.stsEndpoint;

    const {
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -435,12 +435,16 @@ export const identityKubernetesAuthServiceFactory = ({
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });

+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+    if (!identityKubernetesAuth) {
+      throw new NotFoundError({ message: `Failed to find Kubernetes Auth for identity with ID ${identityId}` });
+    }
+
    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.KUBERNETES_AUTH)) {
      throw new BadRequestError({
        message: "The identity does not have Kubernetes Auth attached"
      });
    }
-    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });

    const { permission } = await permissionService.getOrgPermission(
      actor,
--- a/backend/src/services/integration-auth/integration-delete-secret.ts
+++ b/backend/src/services/integration-auth/integration-delete-secret.ts
@@ -50,7 +50,7 @@ const getIntegrationSecretsV2 = async (
  }

  // process secrets in current folder
-  const secrets = await secretV2BridgeDAL.findByFolderId({ folderId: dto.folderId, projectId: dto.projectId });
+  const secrets = await secretV2BridgeDAL.findByFolderId({ folderId: dto.folderId });

  secrets.forEach((secret) => {
    const secretKey = secret.key;
@@ -63,7 +63,6 @@ const getIntegrationSecretsV2 = async (
  // if no imports then return secrets in the current folder
  if (!secretImports.length) return content;
  const importedSecrets = await fnSecretsV2FromImports({
-    projectId: dto.projectId,
    decryptor: dto.decryptor,
    folderDAL,
    secretDAL: secretV2BridgeDAL,
--- a/backend/src/services/kms/kms-service.ts
+++ b/backend/src/services/kms/kms-service.ts
@@ -787,13 +787,19 @@ export const kmsServiceFactory = ({
            return projectDataKey;
          }
        }
+      } catch (error) {
+        logger.error(
+          error,
+          `getProjectSecretManagerKmsDataKey: Failed to get project data key for [projectId=${projectId}]`
+        );
+        throw error;
      } finally {
        await lock?.release();
      }
    }

    if (!project.kmsSecretManagerEncryptedDataKey) {
-      throw new Error("Missing project data key");
+      throw new BadRequestError({ message: "Missing project data key" });
    }

    const kmsDecryptor = await decryptWithKmsKey({
--- a/backend/src/services/org/org-dal.ts
+++ b/backend/src/services/org/org-dal.ts
@@ -2,6 +2,7 @@ import { Knex } from "knex";

 import { TDbClient } from "@app/db";
 import {
+  OrgMembershipRole,
  TableName,
  TOrganizations,
  TOrganizationsInsert,
@@ -216,9 +217,8 @@ export const orgDALFactory = (db: TDbClient) => {

  const findOrgMembersByUsername = async (orgId: string, usernames: string[], tx?: Knex) => {
    try {
-      const conn = tx || db;
+      const conn = tx || db.replicaNode();
      const members = await conn(TableName.OrgMembership)
-        // .replicaNode()(TableName.OrgMembership)
        .where(`${TableName.OrgMembership}.orgId`, orgId)
        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
        .leftJoin<TUserEncryptionKeys>(
@@ -251,6 +251,43 @@ export const orgDALFactory = (db: TDbClient) => {
    }
  };

+  const findOrgMembersByRole = async (orgId: string, role: OrgMembershipRole, tx?: Knex) => {
+    try {
+      const conn = tx || db.replicaNode();
+      const members = await conn(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .where(`${TableName.OrgMembership}.role`, role)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .select(
+          conn.ref("id").withSchema(TableName.OrgMembership),
+          conn.ref("inviteEmail").withSchema(TableName.OrgMembership),
+          conn.ref("orgId").withSchema(TableName.OrgMembership),
+          conn.ref("role").withSchema(TableName.OrgMembership),
+          conn.ref("roleId").withSchema(TableName.OrgMembership),
+          conn.ref("status").withSchema(TableName.OrgMembership),
+          conn.ref("username").withSchema(TableName.Users),
+          conn.ref("email").withSchema(TableName.Users),
+          conn.ref("firstName").withSchema(TableName.Users),
+          conn.ref("lastName").withSchema(TableName.Users),
+          conn.ref("id").withSchema(TableName.Users).as("userId"),
+          conn.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+        )
+        .where({ isGhost: false });
+
+      return members.map(({ username, email, firstName, lastName, userId, publicKey, ...data }) => ({
+        ...data,
+        user: { username, email, firstName, lastName, id: userId, publicKey }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org members by role" });
+    }
+  };
+
  const findOrgGhostUser = async (orgId: string) => {
    try {
      const member = await db
@@ -472,6 +509,7 @@ export const orgDALFactory = (db: TDbClient) => {
    findAllOrgsByUserId,
    ghostUserExists,
    findOrgMembersByUsername,
+    findOrgMembersByRole,
    findOrgGhostUser,
    create,
    updateById,
--- a/backend/src/services/project-membership/project-membership-dal.ts
+++ b/backend/src/services/project-membership/project-membership-dal.ts
@@ -13,7 +13,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
  // special query
  const findAllProjectMembers = async (
    projectId: string,
-    filter: { usernames?: string[]; username?: string; id?: string } = {}
+    filter: { usernames?: string[]; username?: string; id?: string; roles?: string[] } = {}
  ) => {
    try {
      const docs = await db
@@ -31,6 +31,29 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
          if (filter.id) {
            void qb.where(`${TableName.ProjectMembership}.id`, filter.id);
          }
+          if (filter.roles && filter.roles.length > 0) {
+            void qb.whereExists((subQuery) => {
+              void subQuery
+                .select("role")
+                .from(TableName.ProjectUserMembershipRole)
+                .leftJoin(
+                  TableName.ProjectRoles,
+                  `${TableName.ProjectRoles}.id`,
+                  `${TableName.ProjectUserMembershipRole}.customRoleId`
+                )
+                .whereRaw("??.?? = ??.??", [
+                  TableName.ProjectUserMembershipRole,
+                  "projectMembershipId",
+                  TableName.ProjectMembership,
+                  "id"
+                ])
+                .where((subQb) => {
+                  void subQb
+                    .whereIn(`${TableName.ProjectUserMembershipRole}.role`, filter.roles as string[])
+                    .orWhereIn(`${TableName.ProjectRoles}.slug`, filter.roles as string[]);
+                });
+            });
+          }
        })
        .join<TUserEncryptionKeys>(
          TableName.UserEncryptionKey,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
carlosmonastyrski	2e459c161d	feat(project-permissions): type fix	2025-04-25 19:51:08 -03:00
carlosmonastyrski	1e9722474f	feat(project-permissions): allow users to sort permissions on the UI	2025-04-25 19:35:42 -03:00
Andrey	cceb29b93a	Merge pull request #3476 from Infisical/ENG-2625 feat(secret-sync): TeamCity App Connection & Secret Sync	2025-04-25 15:44:37 -04:00
carlosmonastyrski	02b44365f1	Merge pull request #3470 from Infisical/feat/awsSecretRotationV2 feat(secret-rotation-v2): Add AWS IAM User Secret rotation	2025-04-25 16:43:22 -03:00
carlosmonastyrski	b506393765	feat(aws-iam-rotation): docs improvements	2025-04-25 16:35:57 -03:00
carlosmonastyrski	204269a10d	Merge pull request #3480 from Infisical/feat/paginationAndFilterOnProjectMembers feat(project-members): Persist pagination setting and add role filtering	2025-04-25 14:51:05 -03:00
BlackMagiq	cf1f83aaa3	Merge pull request #3446 from Infisical/ssh-non-interactive Improvements to Infisical V2: Support for Non-Interactive Mode, Updating Default SSH CAs.	2025-04-25 10:15:06 -07:00
Andrey	7894181234	Merge pull request #3490 from Infisical/ENG-2546 feat(auth): Persist pre-login-redirect path and redirect after login	2025-04-25 13:12:46 -04:00
Tuan Dang	0c214a2f26	Adjust CLI flags to be dash-case	2025-04-25 10:03:51 -07:00
Tuan Dang	f5862cbb9a	Merge	2025-04-25 09:32:48 -07:00
Tuan Dang	bb699ecb5f	Merge remote-tracking branch 'origin' into ssh-non-interactive	2025-04-25 09:31:39 -07:00
x	04b20ed11d	feat(auth): Persist pre-login-redirect path and redirect after login	2025-04-25 12:09:18 -04:00
Sheen	cd1e2af9bf	Merge pull request #3489 from Infisical/feat/add-user-get-token-and-revamp-session-management feat: add user get token CLI and revamp session management	2025-04-25 23:45:38 +08:00
carlosmonastyrski	7a4a877e39	feat(aws-iam-rotation): remove credentials validation due to excesive await time	2025-04-25 12:38:41 -03:00
carlosmonastyrski	8f670bde88	feat(aws-iam-rotation): add credentials validation	2025-04-25 12:06:30 -03:00
carlosmonastyrski	ff9011c899	feat(aws-iam-rotation): add view credentials component	2025-04-25 11:23:43 -03:00
carlosmonastyrski	57c96abe03	feat(aws-iam-rotation): address PR comments	2025-04-25 11:01:35 -03:00
Sheen Capadngan	178acc412d	misc: added optional accesS	2025-04-25 20:52:55 +08:00
Sheen Capadngan	b0288c49c0	feat: add user get token CLI and revamp session management	2025-04-25 20:43:20 +08:00
carlosmonastyrski	f5bb0d4a86	Merge pull request #3484 from Infisical/fix/dynamicSecretSqlErrorPropagation fix(dynamic-secret): improve error propagation and add FAQ to docs	2025-04-25 08:41:42 -03:00
x	7699705334	tiny encodeURIComponent tweak	2025-04-24 23:36:11 -04:00
x	7c49f6e302	review fixes	2025-04-24 23:30:35 -04:00
x	0882c181d0	docs(native-integrations): Add deprication warnings on Windmill + TeamCity	2025-04-24 21:55:44 -04:00
x	8672dd641a	Merge branch 'main' into ENG-2625	2025-04-24 21:26:05 -04:00
Maidul Islam	c613bb642e	Merge pull request #3485 from Infisical/daniel/kms-logs fix(kms): better error logs	2025-04-24 17:06:01 -07:00
Daniel Hougaard	90fdba0b77	Update kms-service.ts	2025-04-25 04:04:26 +04:00
Daniel Hougaard	795ce11062	Update kms-service.ts	2025-04-25 04:00:14 +04:00
Daniel Hougaard	2d4adfc651	fix(kms): better error logs	2025-04-25 03:54:59 +04:00
carlosmonastyrski	cb826f1a77	fix(dynamic-secret): improve error propagation and add FAQ to docs	2025-04-24 19:21:30 -03:00
Maidul Islam	55f6a06440	Merge pull request #2718 from akhilmhdh/doc/infisical-package docs: added new docs for infisical package installation instructions	2025-04-24 14:18:07 -07:00
Maidul Islam	a19e5ff905	add min version	2025-04-24 14:16:56 -07:00
Maidul Islam	dccada8a12	Update docs/self-hosting/deployment-options/native/linux-package/installation.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-04-24 14:13:59 -07:00
Maidul Islam	68bbff455f	Update docs/self-hosting/overview.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-04-24 14:12:59 -07:00
Maidul Islam	fcb59a1482	Update docs/self-hosting/overview.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-04-24 14:12:45 -07:00
Maidul Islam	b92bc2183a	Update docs/self-hosting/deployment-options/native/linux-package/commands-configuration.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-04-24 14:12:27 -07:00
Maidul Islam	aff318cf3c	Merge branch 'main' into doc/infisical-package	2025-04-24 14:12:01 -07:00
Maidul Islam	c97a3f07a7	update linux docs	2025-04-24 14:10:21 -07:00
carlosmonastyrski	8bf5b0f457	Merge pull request #3481 from Infisical/fix/AddDeleteProjectProtectedTooltip fix(delete-project): Add tooltip for delete project button when it has protection enabled	2025-04-24 12:59:35 -03:00
carlosmonastyrski	4973447676	feat(project-members): PR suggestions improvements	2025-04-24 12:21:19 -03:00
carlosmonastyrski	bd2e2b7931	feat(project-members): PR suggestions improvements	2025-04-24 12:14:06 -03:00
Andrey	13b7729af8	Merge pull request #3472 from Infisical/ENG-2618 Admin SSO bypass (break-glass login) sends out email to all org admins + creates audit log	2025-04-24 10:37:00 -04:00
x	e25c1199bc	Made email URL use SITE_URL	2025-04-24 10:24:42 -04:00
Akhil Mohan	6b3726957a	Merge pull request #3443 from akhilmhdh/doc/sql-change Updated doc to have europe infisical aws account id	2025-04-24 19:07:43 +05:30
carlosmonastyrski	c64e6310a6	fix(delete-project): Add tooltip for delete project button when it has protection enabled	2025-04-24 10:26:54 -03:00
carlosmonastyrski	aa893a40a9	feat(project-members): Persist pagination setting and add role filtering	2025-04-24 10:06:09 -03:00
Vlad Matsiiako	0e488d840f	Merge pull request #3479 from Infisical/update-org-structure-blueprint Update the organization structure guide to include organizations and …	2025-04-23 21:18:43 -07:00
ArshBallagan	d6186f1fe8	Update organization-structure.mdx	2025-04-23 17:48:26 -07:00
ArshBallagan	cd199f9d3e	Update the organization structure guide to include organizations and clusters	2025-04-23 17:44:51 -07:00
Scott Wilson	71258b6ea7	Merge pull request #3477 from Infisical/native-integration-deleted-import-fix Fix: Filter Out Deleted Imports with Replication	2025-04-23 17:22:04 -07:00
Scott Wilson	49c90c801e	fix: filter out deleted imports with replication	2025-04-23 17:03:33 -07:00
x	d019011822	Made findOrgMembersByUsername use replicaNode to stay consistent	2025-04-23 19:53:14 -04:00
x	8bd21ffa63	Attached settings URL to email, actor no longer a recipient, removed error handling for email send, used read replica node for findOrgMembersByRole	2025-04-23 19:46:25 -04:00
Maidul Islam	024a1891d3	Merge pull request #3450 from Infisical/google-cloud-run-guide Adding a guide on deploying Infisical using Google Cloud Run	2025-04-23 16:08:26 -07:00
Maidul Islam	ac7ac79463	add to nav bar	2025-04-23 16:00:30 -07:00
x	23df78eff8	feat(secret-sync): Only import secrets that have a value from destination to infisical:	2025-04-23 18:57:08 -04:00
x	84255d1b26	remove debug logs, update comments, other nitpicks	2025-04-23 18:44:14 -04:00
x	3a6b2a593b	Merge branch 'main' into ENG-2625	2025-04-23 17:59:34 -04:00
x	d3ee30f5e6	feat(secret-sync): TeamCity App Connection & Secret Sync	2025-04-23 17:58:59 -04:00
ArshBallagan	317b15157d	Update google-cloud-run.mdx	2025-04-23 10:44:39 -07:00
Daniel Hougaard	f145a00ef5	Merge pull request #3451 from Infisical/daniel/kms-improvements improvement(kms): return kms key id in project response	2025-04-23 21:35:51 +04:00
ArshBallagan	2e34167a24	Update google-cloud-run.mdx	2025-04-23 10:29:13 -07:00
Maidul Islam	0fc7d04455	Merge pull request #3475 from akhilmhdh/feat/secret-cache-v2 feat(api): implemented secret caching version 2	2025-04-23 09:58:00 -07:00
=	af12518f54	fix: resolved lints, addressed feedback from rabbit, reptile and maidul	2025-04-23 22:23:32 +05:30
Andrey	cc193b9a9f	Merge pull request #3459 from Infisical/ENG-2635 Moved certificate manager overview tabs to left sidebar	2025-04-23 12:42:48 -04:00
Sheen	0e95600db3	Merge pull request #3469 from Infisical/misc/reordered-kube-auth-not-found-check misc: reordered kube auth not found check	2025-04-23 22:18:54 +08:00
=	b60172f2be	feat(api): implemented secret caching version 2	2025-04-23 19:15:50 +05:30
ArshBallagan	bc1cce62ab	Adding more architecture detail to the Cloud Run document	2025-04-22 18:50:45 -07:00
Maidul Islam	b20e6a9265	Merge pull request #3473 from Infisical/add-winget-dcs docs: add winget docs	2025-04-22 15:43:36 -07:00
Maidul Islam	5de9bf25e0	add winget docs	2025-04-22 15:37:45 -07:00
carlosmonastyrski	5819b8c576	PR fix suggestions for aws secret rotations	2025-04-22 17:40:15 -03:00
x	a838f84601	Revert license overwrites, fix type errors, add error handling to email function	2025-04-22 14:58:17 -04:00
x	a32b590dc5	Merge branch 'main' into ENG-2618	2025-04-22 14:37:22 -04:00
x	b330fdbc58	Admin SSO bypass (breakglass login) sends out email to all org admins + creates audit log	2025-04-22 14:36:31 -04:00
Maidul Islam	4e10f51e50	Merge pull request #3455 from akhilmhdh/feat/hide-swagger Hide non public endpoints in swagger	2025-04-22 10:42:29 -07:00
carlosmonastyrski	b85809293c	Lint fix	2025-04-22 13:53:56 -03:00
carlosmonastyrski	f143d8c358	Merge branch 'main' into feat/awsSecretRotationV2	2025-04-22 13:46:35 -03:00
Scott Wilson	26c14119be	Merge pull request #3463 from Infisical/fix-enterprise-plan-display Fix: Correct Enterprise Plan Display	2025-04-22 09:33:31 -07:00
carlosmonastyrski	2e3330bf69	Add AWS secret rotation V2	2025-04-22 13:26:48 -03:00
Sheen Capadngan	778d6b9bbf	misc: reordered kube auth not found check	2025-04-22 23:06:47 +08:00
Akhil Mohan	b4e831d3e2	Merge pull request #3468 from akhilmhdh/fix/remove-banner feat: removed banner on ui for subscription crossing	2025-04-22 19:38:02 +05:30
=	8818d5c94b	feat: removed banner for now	2025-04-22 19:32:48 +05:30
=	8bfbac153c	feat: nit fixing	2025-04-22 12:44:45 +05:30
Maidul Islam	d7af9e84be	added more validation to region	2025-04-21 22:09:52 -07:00
Scott Wilson	f2a984e6b6	fix: correct plan check for when to display enterprise plan	2025-04-21 19:39:13 -07:00
Andrey	2cff90913b	Merge pull request #3461 from Infisical/ENG-2623 Removed low entropy password regexes that threw false positives	2025-04-21 22:25:58 -04:00
Daniel Hougaard	c783fa32e9	Merge pull request #3462 from Infisical/daniel/fix-saml-sso-creation fix: stuck on saml sso creation page	2025-04-22 06:19:52 +04:00
Daniel Hougaard	109971916b	fix: stuck on saml sso creation page	2025-04-22 06:07:14 +04:00
x	ddd46acbde	replace alerting icon with notification bell, add new notification bell lotties icon, update permission check wrapper to display access restricted popup	2025-04-21 19:01:12 -04:00
x	e6165f7790	remove commented code, combine a UI if-check, split permission check for cert section and pki collection section	2025-04-21 17:39:42 -04:00
x	ac12f9fc66	update file and export names to be accurate	2025-04-21 16:59:37 -04:00
x	7408d38065	fix an import issue	2025-04-21 16:51:30 -04:00
x	e0c458df4b	Merge branch 'ENG-2635' of https://github.com/Infisical/infisical into ENG-2635	2025-04-21 16:21:56 -04:00
x	6a751e720c	Changed cert-manager overview tabs to be proper routes	2025-04-21 16:16:47 -04:00
=	ca1f7d3448	feat: reptile and rabbit changes	2025-04-21 15:23:48 +05:30
=	4d569d70d6	fix: broken docs	2025-04-21 14:36:33 +05:30
=	5fccc62213	feat: updated docs to include various endpoints in cli only	2025-04-21 13:22:42 +05:30
Tuan Dang	1ea8e5a81e	Add frontend uniqueness check for ssh hostnames	2025-04-18 15:25:13 -07:00
Daniel Hougaard	39ff7fddee	improvement: add ID to external KMS list and add copy button	2025-04-19 00:20:18 +04:00
Daniel Hougaard	a0014230f9	improvement: include kms secret manager key ID on project response	2025-04-19 00:19:57 +04:00
ArshBallagan	60d0bc827c	Update google-cloud-run.mdx	2025-04-18 12:37:18 -07:00
ArshBallagan	6e9651d188	Adding a guide on deploying Infisical using Google Cloud Run	2025-04-18 11:35:59 -07:00
Tuan Dang	42aa3c3d46	Remove extra tx in ssh nullable ca defaults migration, update ssh docs	2025-04-18 11:06:59 -07:00
Tuan Dang	184d353de5	Update infisical ssh docs to clarify ssh connect command in different modes	2025-04-17 23:29:20 -07:00
Tuan Dang	b2360f9cc8	Reuse writeToFile fn in ssh connect command	2025-04-17 23:12:44 -07:00
Tuan Dang	846a5a6e19	impl improvements according to greptile	2025-04-17 23:08:33 -07:00
Tuan Dang	c6cd3a8cc0	Add audit logs to project ssh config endpoints	2025-04-17 23:00:46 -07:00
Tuan Dang	796f5510ca	Add cli docs for infisical ssh connect command	2025-04-17 22:40:43 -07:00
Tuan Dang	0265665e83	Make infisical ssh v2 work in non-interactive mode, allow reassignment of default ssh cas	2025-04-17 22:35:25 -07:00
=	79e425d807	feat: updated doc to have europe infisical aws account id	2025-04-17 14:25:55 +05:30
=	c1570930a9	docs: added new docs for infisical package installation instructions	2024-11-11 19:23:31 +05:30