Merge pull request #1346 from akhilmhdh/fix/multi-line-fixed

fix: resolved encoding issue in multi line input
Merge pull request #1347 from Infisical/daniel/even-more-pg-endpoint-fixes
2025-04-07 08:38:28 +00:00 · 2024-01-29 18:41:55 +05:30 · 2024-01-29 07:58:19 -05:00 · 2024-01-29 16:55:37 +04:00 · 2024-01-29 16:55:36 +04:00 · 2024-01-29 18:22:09 +05:30
1653 changed files with 145036 additions and 71453 deletions
--- a/.env.example
+++ b/.env.example
@ -1,24 +1,12 @@
 # Keys
 # Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_SERVICE_TOKEN_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
-
-# JWT lifetime
-# Optional lifetimes for JWT tokens expressed in seconds or a string 
-# describing a time span (e.g. 60, "2 days", "10h", "7d")
-JWT_AUTH_LIFETIME=
-JWT_REFRESH_LIFETIME=
-JWT_SIGNUP_LIFETIME=
-JWT_PROVIDER_AUTH_LIFETIME=
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=

 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@ -68,5 +56,12 @@ SENTRY_DSN=
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=

-CLIENT_ID_GOOGLE=
-CLIENT_SECRET_GOOGLE=
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@ -3,6 +3,7 @@ on:
  push:
    tags:
      - "infisical/v*.*.*"
+      - "!infisical/v*.*.*-postgres"

 jobs:
  backend-image:
--- a/.github/workflows/release-standalone-docker-img-postgres-offical.yml
+++ b/.github/workflows/release-standalone-docker-img-postgres-offical.yml
@ -0,0 +1,57 @@
+name: Release standalone docker image
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*-postgres"
+
+jobs:
+  infisical-standalone:
+    name: Build infisical standalone image postgres
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: version output
+        run: |
+          echo "Output Value: ${{ steps.version.outputs.major }}"
+          echo "Output Value: ${{ steps.version.outputs.minor }}"
+          echo "Output Value: ${{ steps.version.outputs.patch }}"
+          echo "Output Value: ${{ steps.version.outputs.version }}"
+          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+          echo "Output Value: ${{ steps.version.outputs.increment }}"
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          tags: |
+            infisical/infisical:latest-postgres
+            infisical/infisical:${{ steps.commit.outputs.short }}
+            infisical/infisical:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.standalone-infisical
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/release-standalone-docker-img.yml
+++ b/.github/workflows/release-standalone-docker-img.yml
@ -3,6 +3,7 @@ on:
  push:
    tags:
      - "infisical/v*.*.*"
+      - "!infisical/v*.*.*-postgres"

 jobs:
  infisical-standalone:
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,7 @@
 # backend
 node_modules
 .env
+.env.test
 .env.dev
 .env.gamma
 .env.prod
@ -61,4 +62,4 @@ yarn-error.log*
 # Editor specific
 .vscode/*

-frontend-build
+frontend-build
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -108,7 +108,7 @@ brews:
      zsh_completion.install "completions/infisical.zsh" => "_infisical"
      fish_completion.install "completions/infisical.fish"
      man1.install "manpages/infisical.1.gz"
-  - name: 'infisical@{{.Version}}'
+  - name: "infisical@{{.Version}}"
    tap:
      owner: Infisical
      name: homebrew-get-cli
@ -186,12 +186,14 @@ aurs:
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

-# dockers:
-#   - dockerfile: cli/docker/Dockerfile
-#     goos: linux
-#     goarch: amd64
-#     ids:
-#       - infisical
-#     image_templates:
-#       - "infisical/cli:{{ .Version }}"
-#       - "infisical/cli:latest"
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Version }}"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}"
+      - "infisical/cli:{{ .Major }}"
+      - "infisical/cli:latest"
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -2,7 +2,7 @@ ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id

-FROM  node:16-alpine AS base
+FROM  node:20-alpine AS base

 FROM base AS frontend-dependencies

@ -73,6 +73,7 @@ RUN npm ci --only-production

 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
+RUN npm i -D tsconfig-paths
 RUN npm run build

 # Production stage
@ -103,14 +104,17 @@ ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
 WORKDIR / 

 COPY --from=backend-runner /app /backend
+COPY --from=backend-runner /app/dist/services/smtp/templates /backend/dist/templates

 COPY --from=frontend-runner /app ./backend/frontend-build

+
 ENV PORT 8080
+ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
-
+ENV STANDALONE_MODE true
 WORKDIR /backend

 ENV TELEMETRY_ENABLED true
@ -119,10 +123,8 @@ HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \
  CMD node healthcheck.js

 EXPOSE 8080
+EXPOSE 443

 USER non-root-user

 CMD ["./standalone-entrypoint.sh"]
-
-
-
--- a/3
+++ b/3
@ -7,6 +7,9 @@ push:
 up-dev:
 	docker-compose -f docker-compose.dev.yml up --build

+up-pg-dev:
+	docker compose -f docker-compose.pg.yml up --build
+
 i-dev:
 	infisical run -- docker-compose -f docker-compose.dev.yml up --build

--- a/README.md
+++ b/README.md
@ -129,7 +129,7 @@ Note that this security address should be used only for undisclosed vulnerabilit

 ## Contributing

-Whether it's big or small, we love contributions. Check out our guide to see how to [get started](https://infisical.com/docs/contributing/overview).
+Whether it's big or small, we love contributions. Check out our guide to see how to [get started](https://infisical.com/docs/contributing/getting-started).

 Not sure where to get started? You can:

--- a/backend-mongo/.dockerignore
+++ b/backend-mongo/.dockerignore
@ -0,0 +1,11 @@
+node_modules
+.env
+.env.*
+.git
+.gitignore
+Dockerfile
+.dockerignore
+docker-compose.*
+.DS_Store
+*.swp
+*~
--- a/backend-mongo/.eslintignore
+++ b/backend-mongo/.eslintignore
@ -0,0 +1,2 @@
+node_modules
+built
--- a/backend-mongo/.eslintrc
+++ b/backend-mongo/.eslintrc
--- a/backend-mongo/.prettierrc
+++ b/backend-mongo/.prettierrc
--- a/backend-mongo/Dockerfile
+++ b/backend-mongo/Dockerfile
@ -0,0 +1,33 @@
+# Build stage
+FROM node:16-alpine AS build
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --only-production
+
+COPY . .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine
+
+WORKDIR /app
+
+ENV npm_config_cache /home/node/.npm
+
+COPY package*.json ./
+RUN npm ci --only-production && npm cache clean --force
+
+COPY --from=build /app .
+
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1 && apk add --no-cache git
+
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
+
+EXPOSE 4000
+
+CMD ["node", "build/index.js"]
--- a/backend-mongo/environment.d.ts
+++ b/backend-mongo/environment.d.ts
--- a/backend-mongo/healthcheck.js
+++ b/backend-mongo/healthcheck.js
--- a/backend-mongo/img/dashboard.png
+++ b/backend-mongo/img/dashboard.png
--- a/backend-mongo/jest.config.ts
+++ b/backend-mongo/jest.config.ts
--- a/backend-mongo/nodemon.json
+++ b/backend-mongo/nodemon.json
@ -0,0 +1,6 @@
+{
+    "watch": ["src"],
+    "ext": ".ts,.js",
+    "ignore": [],
+    "exec": "ts-node ./src/index.ts"
+}
--- a/backend-mongo/package-lock.json
+++ b/backend-mongo/package-lock.json
--- a/backend-mongo/package.json
+++ b/backend-mongo/package.json
@ -0,0 +1,148 @@
+{
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.319.0",
+    "@casl/ability": "^6.5.0",
+    "@casl/mongoose": "^7.2.1",
+    "@godaddy/terminus": "^4.12.0",
+    "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.77.0",
+    "@sentry/tracing": "^7.48.0",
+    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "@ucast/mongo2js": "^1.3.4",
+    "ajv": "^8.12.0",
+    "argon2": "^0.30.3",
+    "aws-sdk": "^2.1364.0",
+    "axios": "^1.6.0",
+    "axios-retry": "^3.4.0",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.4.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.2.0",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-async-errors": "^3.1.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "infisical-node": "^1.2.1",
+    "ioredis": "^5.3.2",
+    "jmespath": "^0.16.0",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^7.4.1",
+    "mysql2": "^3.6.2",
+    "nanoid": "^3.3.6",
+    "node-cache": "^5.1.2",
+    "nodemailer": "^6.8.0",
+    "ora": "^5.4.1",
+    "passport": "^0.6.0",
+    "passport-github": "^1.1.0",
+    "passport-gitlab2": "^5.0.0",
+    "passport-google-oauth20": "^2.0.0",
+    "pg": "^8.11.3",
+    "pino": "^8.16.1",
+    "pino-http": "^8.5.1",
+    "posthog-node": "^2.6.0",
+    "probot": "^12.3.3",
+    "query-string": "^7.1.3",
+    "rate-limit-mongo": "^2.3.2",
+    "rimraf": "^3.0.2",
+    "swagger-ui-express": "^4.6.2",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "zod": "^3.22.3"
+  },
+  "overrides": {
+    "rate-limit-mongo": {
+      "mongodb": "5.8.0"
+    }
+  },
+  "name": "infisical-api",
+  "version": "1.0.0",
+  "main": "src/index.js",
+  "scripts": {
+    "start": "node build/index.js",
+    "dev": "nodemon index.js",
+    "swagger-autogen": "node ./swagger/index.ts",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
+    "lint": "eslint . --ext .ts",
+    "lint-and-fix": "eslint . --ext .ts --fix",
+    "lint-staged": "lint-staged",
+    "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
+    "test": "cross-env NODE_ENV=test jest --verbose --testTimeout=10000 --detectOpenHandles; npm run posttest",
+    "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
+    "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Infisical/infisical-api.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/Infisical/infisical-api/issues"
+  },
+  "homepage": "https://github.com/Infisical/infisical-api#readme",
+  "description": "",
+  "devDependencies": {
+    "@jest/globals": "^29.3.1",
+    "@posthog/plugin-scaffold": "^1.3.4",
+    "@swc/core": "^1.3.99",
+    "@swc/helpers": "^0.5.3",
+    "@types/bcrypt": "^5.0.0",
+    "@types/bcryptjs": "^2.4.2",
+    "@types/bull": "^4.10.0",
+    "@types/cookie-parser": "^1.4.3",
+    "@types/cors": "^2.8.12",
+    "@types/express": "^4.17.14",
+    "@types/jest": "^29.5.0",
+    "@types/jmespath": "^0.15.1",
+    "@types/jsonwebtoken": "^8.5.9",
+    "@types/lodash": "^4.14.191",
+    "@types/node": "^18.11.3",
+    "@types/nodemailer": "^6.4.6",
+    "@types/passport": "^1.0.12",
+    "@types/pg": "^8.10.7",
+    "@types/picomatch": "^2.3.0",
+    "@types/pino": "^7.0.5",
+    "@types/supertest": "^2.0.12",
+    "@types/swagger-jsdoc": "^6.0.1",
+    "@types/swagger-ui-express": "^4.1.3",
+    "@typescript-eslint/eslint-plugin": "^5.54.0",
+    "@typescript-eslint/parser": "^5.40.1",
+    "cross-env": "^7.0.3",
+    "eslint": "^8.26.0",
+    "eslint-plugin-unused-imports": "^2.0.0",
+    "install": "^0.13.0",
+    "jest": "^29.3.1",
+    "jest-junit": "^15.0.0",
+    "nodemon": "^2.0.19",
+    "npm": "^8.19.3",
+    "pino-pretty": "^10.2.3",
+    "regenerator-runtime": "^0.14.0",
+    "smee-client": "^1.2.3",
+    "supertest": "^6.3.3",
+    "swagger-autogen": "^2.23.5",
+    "ts-jest": "^29.0.3",
+    "ts-node": "^10.9.1"
+  },
+  "jest-junit": {
+    "outputDirectory": "reports",
+    "outputName": "jest-junit.xml",
+    "ancestorSeparator": " › ",
+    "uniqueOutputName": "false",
+    "suiteNameTemplate": "{filepath}",
+    "classNameTemplate": "{classname}",
+    "titleTemplate": "{title}"
+  }
+}
--- a/backend-mongo/spec.json
+++ b/backend-mongo/spec.json
--- a/backend-mongo/src/bootstrap.ts
+++ b/backend-mongo/src/bootstrap.ts
@ -0,0 +1,43 @@
+import ora from "ora";
+import nodemailer from "nodemailer";
+import { getSmtpHost, getSmtpPort } from "./config";
+import { logger } from "./utils/logging";
+import mongoose from "mongoose";
+import { redisClient } from "./services/RedisService";
+
+type BootstrapOpt = {
+  transporter: nodemailer.Transporter;
+};
+
+export const bootstrap = async ({ transporter }: BootstrapOpt) => {
+  const spinner = ora().start();
+  spinner.info("Checking configurations...");
+  spinner.info("Testing smtp connection");
+
+  await transporter
+    .verify()
+    .then(async () => {
+      spinner.succeed("SMTP successfully connected");
+    })
+    .catch(async (err) => {
+      spinner.fail(`SMTP - Failed to connect to ${await getSmtpHost()}:${await getSmtpPort()}`);
+      logger.error(err);
+    });
+
+  spinner.info("Testing mongodb connection");
+  if (mongoose.connection.readyState !== mongoose.ConnectionStates.connected) {
+    spinner.fail("Mongo DB - Failed to connect");
+  } else {
+    spinner.succeed("Mongodb successfully connected");
+  }
+
+  spinner.info("Testing redis connection");
+  const redisPing = await redisClient?.ping();
+  if (!redisPing) {
+    spinner.fail("Redis - Failed to connect");
+  } else {
+    spinner.succeed("Redis successfully connected");
+  }
+
+  spinner.stop();
+};
--- a/backend-mongo/src/config/index.ts
+++ b/backend-mongo/src/config/index.ts
@ -0,0 +1,176 @@
+import { GITLAB_URL } from "../variables";
+
+import InfisicalClient from "infisical-node";
+
+export const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!
+});
+
+export const getIsMigrationMode = async () =>
+  (await client.getSecret("MIGRATION_MODE")).secretValue === "true";
+
+export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
+export const getEncryptionKey = async () => {
+  const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+};
+export const getRootEncryptionKey = async () => {
+  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+};
+export const getInviteOnlySignup = async () =>
+  (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true";
+export const getSaltRounds = async () =>
+  parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getAuthSecret = async () =>
+  (await client.getSecret("JWT_AUTH_SECRET")).secretValue ??
+  (await client.getSecret("AUTH_SECRET")).secretValue;
+export const getJwtAuthLifetime = async () =>
+  (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
+export const getJwtMfaLifetime = async () =>
+  (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtRefreshLifetime = async () =>
+  (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
+export const getJwtServiceSecret = async () =>
+  (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; // TODO: deprecate (related to ST V1)
+export const getJwtSignupLifetime = async () =>
+  (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
+export const getJwtProviderAuthLifetime = async () =>
+  (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
+export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
+export const getNodeEnv = async () =>
+  (await client.getSecret("NODE_ENV")).secretValue || "production";
+export const getVerboseErrorOutput = async () =>
+  (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
+export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
+export const getClientIdHeroku = async () =>
+  (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
+export const getClientIdVercel = async () =>
+  (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
+export const getClientIdNetlify = async () =>
+  (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
+export const getClientIdGitHub = async () =>
+  (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
+export const getClientIdGitLab = async () =>
+  (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
+export const getClientIdBitBucket = async () =>
+  (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
+export const getClientIdGCPSecretManager = async () =>
+  (await client.getSecret("CLIENT_ID_GCP_SECRET_MANAGER")).secretValue;
+export const getClientSecretAzure = async () =>
+  (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
+export const getClientSecretHeroku = async () =>
+  (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
+export const getClientSecretVercel = async () =>
+  (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
+export const getClientSecretNetlify = async () =>
+  (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
+export const getClientSecretGitHub = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
+export const getClientSecretGitLab = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
+export const getClientSecretBitBucket = async () =>
+  (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
+export const getClientSecretGCPSecretManager = async () =>
+  (await client.getSecret("CLIENT_SECRET_GCP_SECRET_MANAGER")).secretValue;
+export const getClientSlugVercel = async () =>
+  (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+
+export const getClientIdGoogleLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GOOGLE_LOGIN")).secretValue;
+export const getClientSecretGoogleLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GOOGLE_LOGIN")).secretValue;
+export const getClientIdGitHubLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GITHUB_LOGIN")).secretValue;
+export const getClientSecretGitHubLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
+export const getClientIdGitLabLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GITLAB_LOGIN")).secretValue;
+export const getClientSecretGitLabLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITLAB_LOGIN")).secretValue;
+export const getUrlGitLabLogin = async () =>
+  (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;
+
+export const getAwsCloudWatchLog = async () => {
+  const logGroupName =
+    (await client.getSecret("AWS_CLOUDWATCH_LOG_GROUP_NAME")).secretValue || "infisical-log-stream";
+  const region = (await client.getSecret("AWS_CLOUDWATCH_LOG_REGION")).secretValue;
+  const accessKeyId = (await client.getSecret("AWS_CLOUDWATCH_LOG_ACCESS_KEY_ID")).secretValue;
+  const accessKeySecret = (await client.getSecret("AWS_CLOUDWATCH_LOG_ACCESS_KEY_SECRET"))
+    .secretValue;
+  const interval = parseInt(
+    (await client.getSecret("AWS_CLOUDWATCH_LOG_INTERVAL")).secretValue || 1000,
+    10
+  );
+  if (!region || !accessKeyId || !accessKeySecret) return;
+  return { logGroupName, region, accessKeySecret, accessKeyId, interval };
+};
+
+export const getPostHogHost = async () =>
+  (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
+export const getPostHogProjectApiKey = async () =>
+  (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue ||
+  "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
+export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
+export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
+export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
+export const getSmtpSecure = async () =>
+  (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
+export const getSmtpPort = async () =>
+  parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
+export const getSmtpFromAddress = async () =>
+  (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
+export const getSmtpFromName = async () =>
+  (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
+
+export const getSecretScanningWebhookProxy = async () =>
+  (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
+export const getSecretScanningWebhookSecret = async () =>
+  (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
+export const getSecretScanningGitAppId = async () =>
+  (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
+export const getSecretScanningPrivateKey = async () =>
+  (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;
+
+export const getRedisUrl = async () => (await client.getSecret("REDIS_URL")).secretValue;
+export const getIsInfisicalCloud = async () =>
+  (await client.getSecret("INFISICAL_CLOUD")).secretValue === "true";
+
+export const getLicenseKey = async () => {
+  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+};
+export const getLicenseServerKey = async () => {
+  const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+};
+export const getLicenseServerUrl = async () =>
+  (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
+
+export const getTelemetryEnabled = async () =>
+  (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
+export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
+export const getSmtpConfigured = async () =>
+  (await client.getSecret("SMTP_HOST")).secretValue == "" ||
+  (await client.getSecret("SMTP_HOST")).secretValue == undefined
+    ? false
+    : true;
+export const getHttpsEnabled = async () => {
+  if ((await getNodeEnv()) != "production") {
+    // no https for anything other than prod
+    return false;
+  }
+
+  if (
+    (await client.getSecret("HTTPS_ENABLED")).secretValue == undefined ||
+    (await client.getSecret("HTTPS_ENABLED")).secretValue == ""
+  ) {
+    // default when no value present
+    return true;
+  }
+
+  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true;
+};
--- a/backend-mongo/src/config/request.ts
+++ b/backend-mongo/src/config/request.ts
--- a/backend-mongo/src/config/serverConfig.ts
+++ b/backend-mongo/src/config/serverConfig.ts
@ -0,0 +1,24 @@
+import { IServerConfig, ServerConfig } from "../models/serverConfig";
+
+let serverConfig: IServerConfig;
+
+export const serverConfigInit = async () => {
+  const cfg = await ServerConfig.findOne({}).lean();
+  if (!cfg) {
+    const cfg = new ServerConfig();
+    await cfg.save();
+    serverConfig = cfg.toObject();
+  } else {
+    serverConfig = cfg;
+  }
+  return serverConfig;
+};
+
+export const getServerConfig = () => serverConfig;
+
+export const updateServerConfig = async (data: Partial<IServerConfig>) => {
+  const cfg = await ServerConfig.findByIdAndUpdate(serverConfig._id, data, { new: true });
+  if (!cfg) throw new Error("Failed to update server config");
+  serverConfig = cfg.toObject();
+  return serverConfig;
+};
--- a/backend-mongo/src/config/storage.ts
+++ b/backend-mongo/src/config/storage.ts
--- a/backend-mongo/src/controllers/v1/adminController.ts
+++ b/backend-mongo/src/controllers/v1/adminController.ts
@ -0,0 +1,101 @@
+import { Request, Response } from "express";
+import { getHttpsEnabled, getIsMigrationMode } from "../../config";
+import { getServerConfig, updateServerConfig as setServerConfig } from "../../config/serverConfig";
+import { initializeDefaultOrg, issueAuthTokens } from "../../helpers";
+import { validateRequest } from "../../helpers/validation";
+import { User } from "../../models";
+import { TelemetryService } from "../../services";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import * as reqValidator from "../../validation/admin";
+
+export const getServerConfigInfo = async (_req: Request, res: Response) => {
+  const config = getServerConfig();
+  const isMigrationModeOn = await getIsMigrationMode();
+  return res.send({ config: { ...config, isMigrationModeOn } });
+};
+
+export const updateServerConfig = async (req: Request, res: Response) => {
+  const {
+    body: { allowSignUp }
+  } = await validateRequest(reqValidator.UpdateServerConfigV1, req);
+  const config = await setServerConfig({ allowSignUp });
+  return res.send({ config });
+};
+
+export const adminSignUp = async (req: Request, res: Response) => {
+  const cfg = getServerConfig();
+  if (cfg.initialized) throw UnauthorizedRequestError({ message: "Admin has been created" });
+  const {
+    body: {
+      email,
+      publicKey,
+      salt,
+      lastName,
+      verifier,
+      firstName,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      encryptedPrivateKeyIV,
+      encryptedPrivateKeyTag
+    }
+  } = await validateRequest(reqValidator.SignupV1, req);
+  let user = await User.findOne({ email });
+  if (user) throw BadRequestError({ message: "User already exist" });
+  user = new User({
+    email,
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    iv: encryptedPrivateKeyIV,
+    tag: encryptedPrivateKeyTag,
+    salt,
+    verifier,
+    superAdmin: true
+  });
+  await user.save();
+  await initializeDefaultOrg({ organizationName: "Admin Org", user });
+
+  await setServerConfig({ initialized: true });
+
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? ""
+  });
+
+  const token = tokens.token;
+
+  const postHogClient = await TelemetryService.getPostHogClient();
+  if (postHogClient) {
+    postHogClient.capture({
+      event: "admin initialization",
+      properties: {
+        email: user.email,
+        lastName,
+        firstName
+      }
+    });
+  }
+
+  // store (refresh) token in httpOnly cookie
+  res.cookie("jid", tokens.refreshToken, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled()
+  });
+
+  return res.status(200).send({
+    message: "Successfully set up admin account",
+    user,
+    token
+  });
+};
--- a/backend-mongo/src/controllers/v1/authController.ts
+++ b/backend-mongo/src/controllers/v1/authController.ts
@ -3,28 +3,41 @@ import jwt from "jsonwebtoken";
 import * as bigintConversion from "bigint-conversion";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require("jsrp");
-import { LoginSRPDetail, TokenVersion, User } from "../../models";
+import { 
+  LoginSRPDetail,
+  TokenVersion,
+  User
+} from "../../models";
 import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
-import { ACTION_LOGIN, ACTION_LOGOUT } from "../../variables";
-import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import { EELogService } from "../../ee/services";
-import { getUserAgentType } from "../../utils/posthog";
+import { AuthTokenType } from "../../variables";
+import { 
+  BadRequestError, 
+  UnauthorizedRequestError
+} from "../../utils/errors";
 import {
+  getAuthSecret,
  getHttpsEnabled,
  getJwtAuthLifetime,
-  getJwtAuthSecret,
-  getJwtRefreshSecret
 } from "../../config";
 import { ActorType } from "../../ee/models";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";

 declare module "jsonwebtoken" {
+  export interface AuthnJwtPayload extends jwt.JwtPayload {
+    authTokenType: AuthTokenType;
+  }
  export interface UserIDJwtPayload extends jwt.JwtPayload {
    userId: string;
    refreshVersion?: number;
  }
+  export interface IdentityAccessTokenJwtPayload extends jwt.JwtPayload {
+    _id: string;
+    clientSecretId: string;
+    identityAccessTokenId: string;
+    authTokenType: string;
+  }
 }

 /**
@ -134,19 +147,6 @@ export const login2 = async (req: Request, res: Response) => {
          secure: await getHttpsEnabled()
        });

-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.realIP
-          }));
-
        // return (access) token in response
        return res.status(200).send({
          token: tokens.token,
@ -183,19 +183,6 @@ export const logout = async (req: Request, res: Response) => {
    secure: (await getHttpsEnabled()) as boolean
  });

-  const logoutAction = await EELogService.createAction({
-    name: ACTION_LOGOUT,
-    userId: req.user._id
-  });
-
-  logoutAction &&
-    (await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getUserAgentType(req.headers["user-agent"]),
-      ipAddress: req.realIP
-    }));
-
  return res.status(200).send({
    message: "Successfully logged out."
  });
@ -238,6 +225,7 @@ export const checkAuth = async (req: Request, res: Response) => {
 * @returns
 */
 export const getNewToken = async (req: Request, res: Response) => {
+
  const refreshToken = req.cookies.jid;

  if (!refreshToken)
@ -245,7 +233,9 @@ export const getNewToken = async (req: Request, res: Response) => {
      message: "Failed to find refresh token in request cookies"
    });

-  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getJwtRefreshSecret());
+  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getAuthSecret());
+  
+  if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN) throw UnauthorizedRequestError();

  const user = await User.findOne({
    _id: decodedToken.userId
@ -268,12 +258,13 @@ export const getNewToken = async (req: Request, res: Response) => {

  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.ACCESS_TOKEN,
      userId: decodedToken.userId,
      tokenVersionId: tokenVersion._id.toString(),
      accessVersion: tokenVersion.refreshVersion
    },
    expiresIn: await getJwtAuthLifetime(),
-    secret: await getJwtAuthSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
@ -283,4 +274,4 @@ export const getNewToken = async (req: Request, res: Response) => {

 export const handleAuthProviderCallback = (req: Request, res: Response) => {
  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
-};
+};
--- a/backend-mongo/src/controllers/v1/botController.ts
+++ b/backend-mongo/src/controllers/v1/botController.ts
@ -7,7 +7,7 @@ import * as reqValidator from "../../validation/bot";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { BadRequestError } from "../../utils/errors";
@ -28,7 +28,11 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
  const {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetBotByWorkspaceIdV1, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -70,7 +74,11 @@ export const setBotActiveState = async (req: Request, res: Response) => {
  }
  const userId = req.user._id;

-  const { permission } = await getUserProjectPermissions(userId, bot.workspace.toString());
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: bot.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Integrations
--- a/backend-mongo/src/controllers/v1/index.ts
+++ b/backend-mongo/src/controllers/v1/index.ts
@ -1,4 +1,5 @@
 import * as authController from "./authController";
+import * as universalAuthController from "./universalAuthController";
 import * as botController from "./botController";
 import * as integrationAuthController from "./integrationAuthController";
 import * as integrationController from "./integrationController";
@ -16,8 +17,11 @@ import * as workspaceController from "./workspaceController";
 import * as secretScanningController from "./secretScanningController";
 import * as webhookController from "./webhookController";
 import * as secretImpsController from "./secretImpsController";
+import * as adminController from "./adminController";
+
 export {
  authController,
+  universalAuthController,
  botController,
  integrationAuthController,
  integrationController,
@ -34,5 +38,6 @@ export {
  workspaceController,
  secretScanningController,
  webhookController,
-  secretImpsController
+  secretImpsController,
+  adminController
 };
--- a/backend-mongo/src/controllers/v1/integrationAuthController.ts
+++ b/backend-mongo/src/controllers/v1/integrationAuthController.ts
@ -2,7 +2,7 @@ import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { standardRequest } from "../../config/request";
 import { getApps, getTeams, revokeAccess } from "../../integrations";
-import { Bot, IntegrationAuth, Workspace } from "../../models";
+import { Bot, IIntegrationAuth, Integration, IntegrationAuth, Workspace } from "../../models";
 import { EventType } from "../../ee/models";
 import { IntegrationService } from "../../services";
 import { EEAuditLogService } from "../../ee/services";
@ -10,6 +10,7 @@ import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
  INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_CHECKLY_API_URL,
  INTEGRATION_GCP_SECRET_MANAGER,
  INTEGRATION_NORTHFLANK_API_URL,
  INTEGRATION_QOVERY_API_URL,
@ -24,11 +25,10 @@ import * as reqValidator from "../../validation/integrationAuth";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { getIntegrationAuthAccessHelper } from "../../helpers";
-import { ObjectId } from "mongodb";

 /***
 * Return integration authorization with id [integrationAuthId]
@ -40,15 +40,15 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {

  const integrationAuth = await IntegrationAuth.findById(integrationAuthId);

-  if (!integrationAuth)
-    return res.status(400).send({
-      message: "Failed to find integration authorization"
-    });
+  if (!integrationAuth) return res.status(400).send({
+    message: "Failed to find integration authorization"
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -79,7 +79,11 @@ export const oAuthExchange = async (req: Request, res: Response) => {
  } = await validateRequest(reqValidator.OauthExchangeV1, req);
  if (!INTEGRATION_SET.has(integration)) throw new Error("Failed to validate integration");

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Integrations
@ -126,12 +130,15 @@ export const oAuthExchange = async (req: Request, res: Response) => {
 export const saveIntegrationToken = async (req: Request, res: Response) => {
  // TODO: refactor
  // TODO: check if access token is valid for each integration
-  let integrationAuth;
  const {
    body: { workspaceId, integration, url, accessId, namespace, accessToken, refreshToken }
  } = await validateRequest(reqValidator.SaveIntegrationAccessTokenV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Integrations
@ -144,31 +151,21 @@ export const saveIntegrationToken = async (req: Request, res: Response) => {

  if (!bot) throw new Error("Bot must be enabled to save integration access token");

-  integrationAuth = await IntegrationAuth.findOneAndUpdate(
-    {
-      workspace: new Types.ObjectId(workspaceId),
-      integration
-    },
-    {
-      workspace: new Types.ObjectId(workspaceId),
-      integration,
-      url,
-      namespace,
-      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8,
-      ...(integration === INTEGRATION_GCP_SECRET_MANAGER
-        ? {
-            metadata: {
-              authMethod: "serviceAccount"
-            }
+  let integrationAuth = await new IntegrationAuth({
+    workspace: new Types.ObjectId(workspaceId),
+    integration,
+    url,
+    namespace,
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8,
+    ...(integration === INTEGRATION_GCP_SECRET_MANAGER
+      ? {
+          metadata: {
+            authMethod: "serviceAccount"
          }
-        : {})
-    },
-    {
-      new: true,
-      upsert: true
-    }
-  );
+        }
+      : {})
+  }).save();

  // encrypt and save integration access details
  if (refreshToken) {
@ -180,12 +177,12 @@ export const saveIntegrationToken = async (req: Request, res: Response) => {

  // encrypt and save integration access details
  if (accessId || accessToken) {
-    integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+    integrationAuth = (await IntegrationService.setIntegrationAuthAccess({
      integrationAuthId: integrationAuth._id.toString(),
      accessId,
      accessToken,
      accessExpiresAt: undefined
-    });
+    })) as IIntegrationAuth;
  }

  if (!integrationAuth) throw new Error("Failed to save integration access token");
@ -222,13 +219,14 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken, accessId } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -260,13 +258,14 @@ export const getIntegrationAuthTeams = async (req: Request, res: Response) => {

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -296,13 +295,14 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -345,6 +345,60 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
  });
 };

+/**
+ * Return list of Checkly groups for a specific user
+ * @param req
+ * @param res
+ */
+export const getIntegrationAuthChecklyGroups = async (req: Request, res: Response) => {
+  const {
+    params: { integrationAuthId },
+    query: { accountId }
+  } = await validateRequest(reqValidator.GetIntegrationAuthChecklyGroupsV1, req);
+  
+  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Integrations
+  );
+
+  interface ChecklyGroup {
+    id: number;
+    name: string;
+  }
+  
+  if (accountId && accountId !== "") {
+    const { data }: { data: ChecklyGroup[] } = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/check-groups`, {
+          headers: {
+              Authorization: `Bearer ${accessToken}`,
+              Accept: "application/json",
+              "X-Checkly-Account": accountId
+          }
+      })
+    );
+    
+    return res.status(200).send({
+      groups: data.map((g: ChecklyGroup) => ({
+        name: g.name,
+        groupId: g.id,
+      }))
+    });
+  }
+
+  return res.status(200).send({
+    groups: []
+  });
+}
+
 /**
 * Return list of Qovery Orgs for a specific user
 * @param req
@ -357,13 +411,14 @@ export const getIntegrationAuthQoveryOrgs = async (req: Request, res: Response)

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -409,13 +464,14 @@ export const getIntegrationAuthQoveryProjects = async (req: Request, res: Respon
  
  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -470,13 +526,14 @@ export const getIntegrationAuthQoveryEnvironments = async (req: Request, res: Re

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -531,13 +588,14 @@ export const getIntegrationAuthQoveryApps = async (req: Request, res: Response)

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -592,13 +650,14 @@ export const getIntegrationAuthQoveryContainers = async (req: Request, res: Resp

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -653,13 +712,14 @@ export const getIntegrationAuthQoveryJobs = async (req: Request, res: Response)

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -715,13 +775,14 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -808,13 +869,14 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -932,13 +994,14 @@ export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: R

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -988,13 +1051,14 @@ export const getIntegrationAuthNorthflankSecretGroups = async (req: Request, res

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -1076,13 +1140,14 @@ export const getIntegrationAuthTeamCityBuildConfigs = async (req: Request, res:
  
  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -1132,26 +1197,78 @@ export const getIntegrationAuthTeamCityBuildConfigs = async (req: Request, res:
  });
 };

+/**
+ * Delete all integration authorizations and integrations for workspace with id [workspaceId]
+ * with integration name [integration]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegrationAuths = async (req: Request, res: Response) => {
+  const {
+    query: { integration, workspaceId }
+  } = await validateRequest(reqValidator.DeleteIntegrationAuthsV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.Integrations
+  );
+  
+  const integrationAuths = await IntegrationAuth.deleteMany({
+    integration,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  const integrations = await Integration.deleteMany({
+    integration,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UNAUTHORIZE_INTEGRATION,
+      metadata: {
+        integration
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
+  return res.status(200).send({
+    integrationAuths,
+    integrations
+  });
+}
+
 /**
 * Delete integration authorization with id [integrationAuthId]
 * @param req
 * @param res
 * @returns
 */
-export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+export const deleteIntegrationAuthById = async (req: Request, res: Response) => {
  const {
    params: { integrationAuthId }
  } = await validateRequest(reqValidator.DeleteIntegrationAuthV1, req);

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Integrations
--- a/backend-mongo/src/controllers/v1/integrationController.ts
+++ b/backend-mongo/src/controllers/v1/integrationController.ts
@ -13,7 +13,7 @@ import * as reqValidator from "../../validation/integration";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";

@ -51,11 +51,12 @@ export const createIntegration = async (req: Request, res: Response) => {
    );

  if (!integrationAuth) throw BadRequestError({ message: "Integration auth not found" });
-
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integrationAuth.workspace._id.toString()
-  );
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integrationAuth.workspace._id
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Integrations
@ -164,10 +165,11 @@ export const updateIntegration = async (req: Request, res: Response) => {
  const integration = await Integration.findById(integrationId);
  if (!integration) throw BadRequestError({ message: "Integration not found" });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integration.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integration.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Integrations
@ -234,10 +236,11 @@ export const deleteIntegration = async (req: Request, res: Response) => {
  const integration = await Integration.findById(integrationId);
  if (!integration) throw BadRequestError({ message: "Integration not found" });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    integration.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: integration.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Integrations
@ -248,6 +251,21 @@ export const deleteIntegration = async (req: Request, res: Response) => {
  });

  if (!deletedIntegration) throw new Error("Failed to find integration");
+ 
+  const numOtherIntegrationsUsingSameAuth = await Integration.countDocuments({
+    integrationAuth: deletedIntegration.integrationAuth,
+    _id: {
+      $nin: [deletedIntegration._id]
+    }
+  });
+  
+  if (numOtherIntegrationsUsingSameAuth === 0) {
+    // no other integrations are using the same integration auth
+    // -> delete integration auth associated with the integration being deleted
+    await IntegrationAuth.deleteOne({
+      _id: deletedIntegration.integrationAuth
+    });
+  }

  await EEAuditLogService.createAuditLog(
    req.authData,
@ -285,7 +303,11 @@ export const manualSync = async (req: Request, res: Response) => {
    body: { workspaceId, environment }
  } = await validateRequest(reqValidator.ManualSyncV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Integrations
--- a/backend-mongo/src/controllers/v1/keyController.ts
+++ b/backend-mongo/src/controllers/v1/keyController.ts
@ -9,7 +9,7 @@ import * as reqValidator from "../../validation/key";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";

@ -26,7 +26,11 @@ export const uploadKey = async (req: Request, res: Response) => {
    body: { key }
  } = await validateRequest(reqValidator.UploadKeyV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Member
--- a/backend-mongo/src/controllers/v1/membershipController.ts
+++ b/backend-mongo/src/controllers/v1/membershipController.ts
@ -4,15 +4,15 @@ import { IUser, Key, Membership, MembershipOrg, User, Workspace } from "../../mo
 import { EventType, Role } from "../../ee/models";
 import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
 import { sendMail } from "../../helpers/nodemailer";
-import { ACCEPTED, ADMIN, CUSTOM, MEMBER, VIEWER } from "../../variables";
+import { ACCEPTED, ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../../variables";
 import { getSiteURL } from "../../config";
-import { EEAuditLogService } from "../../ee/services";
+import { EEAuditLogService, EELicenseService } from "../../ee/services";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/membership";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { BadRequestError } from "../../utils/errors";
@ -63,11 +63,12 @@ export const deleteMembership = async (req: Request, res: Response) => {
  if (!membershipToDelete) {
    throw new Error("Failed to delete workspace membership that doesn't exist");
  }
-
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    membershipToDelete.workspace.toString()
-  );
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: membershipToDelete.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Member
@ -118,16 +119,17 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
    throw new Error("Failed to find membership to change role");
  }

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    membershipToChangeRole.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: membershipToChangeRole.workspace
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Member
  );

-  const isCustomRole = ![ADMIN, MEMBER, VIEWER].includes(role);
+  const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
  if (isCustomRole) {
    const wsRole = await Role.findOne({
      slug: role,
@ -135,6 +137,13 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
      workspace: membershipToChangeRole.workspace
    });
    if (!wsRole) throw BadRequestError({ message: "Role not found" });
+
+    const plan = await EELicenseService.getPlan(wsRole.organization);
+
+    if (!plan.rbac) return res.status(400).send({
+      message: "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."
+    });
+
    const membership = await Membership.findByIdAndUpdate(membershipId, {
      role: CUSTOM,
      customRole: wsRole
@ -191,7 +200,12 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
    params: { workspaceId },
    body: { email }
  } = await validateRequest(InviteUserToWorkspaceV1, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Member
--- a/backend-mongo/src/controllers/v1/membershipOrgController.ts
+++ b/backend-mongo/src/controllers/v1/membershipOrgController.ts
@ -8,11 +8,11 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
 import { EELicenseService } from "../../ee/services";
-import { ACCEPTED, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
 import * as reqValidator from "../../validation/membershipOrg";
 import {
+  getAuthSecret,
  getJwtSignupLifetime,
-  getJwtSignupSecret,
  getSiteURL,
  getSmtpConfigured
 } from "../../config";
@ -21,7 +21,7 @@ import { validateRequest } from "../../helpers/validation";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -44,11 +44,12 @@ export const deleteMembershipOrg = async (req: Request, _res: Response) => {
  if (!membershipOrgToDelete) {
    throw new Error("Failed to delete organization membership that doesn't exist");
  }
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: membershipOrgToDelete.organization
+  });

-  const { permission, membership: membershipOrg } = await getUserOrgPermissions(
-    req.user._id,
-    membershipOrgToDelete.organization.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Member
@ -60,7 +61,7 @@ export const deleteMembershipOrg = async (req: Request, _res: Response) => {
  });

  await updateSubscriptionOrgQuantity({
-    organizationId: membershipOrg.organization.toString()
+    organizationId: membershipOrgToDelete.organization.toString()
  });

  return membershipOrgToDelete;
@ -96,7 +97,11 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
    body: { inviteeEmail, organizationId }
  } = await validateRequest(reqValidator.InviteUserToOrgv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Member
@ -272,10 +277,11 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
  // generate temporary signup token
  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
      userId: user._id.toString()
    },
    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend-mongo/src/controllers/v1/organizationController.ts
+++ b/backend-mongo/src/controllers/v1/organizationController.ts
@ -1,4 +1,5 @@
 import { Request, Response } from "express";
+import { Types } from "mongoose";
 import {
  IncidentContactOrg,
  Membership,
@ -14,7 +15,7 @@ import { ACCEPTED } from "../../variables";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { OrganizationNotFoundError } from "../../utils/errors";
 import { ForbiddenError } from "@casl/ability";
@ -44,7 +45,10 @@ export const getOrganization = async (req: Request, res: Response) => {
  } = await validateRequest(reqValidator.GetOrgv1, req);

  // ensure user has membership
-  await getUserOrgPermissions(req.user._id, organizationId);
+  await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  })

  const organization = await Organization.findById(organizationId);
  if (!organization) {
@ -68,8 +72,12 @@ export const getOrganizationMembers = async (req: Request, res: Response) => {
  const {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgMembersv1, req);
-
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Member
@ -95,7 +103,10 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgWorkspacesv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  })
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Workspace
@ -137,7 +148,10 @@ export const changeOrganizationName = async (req: Request, res: Response) => {
    body: { name }
  } = await validateRequest(reqValidator.ChangeOrgNamev1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Settings
@ -172,7 +186,10 @@ export const getOrganizationIncidentContacts = async (req: Request, res: Respons
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgIncidentContactv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.IncidentAccount
@ -199,7 +216,10 @@ export const addOrganizationIncidentContact = async (req: Request, res: Response
    body: { email }
  } = await validateRequest(reqValidator.CreateOrgIncideContact, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.IncidentAccount
@ -228,7 +248,10 @@ export const deleteOrganizationIncidentContact = async (req: Request, res: Respo
    body: { email }
  } = await validateRequest(reqValidator.DelOrgIncideContact, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.IncidentAccount
@ -257,7 +280,10 @@ export const createOrganizationPortalSession = async (req: Request, res: Respons
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanBillingInfov1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Billing
@ -321,7 +347,10 @@ export const getOrganizationMembersAndTheirWorkspaces = async (req: Request, res
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgMembersv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Member
--- a/backend-mongo/src/controllers/v1/passwordController.ts
+++ b/backend-mongo/src/controllers/v1/passwordController.ts
@ -5,12 +5,12 @@ import * as bigintConversion from "bigint-conversion";
 import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
 import { clearTokens, createToken, sendMail } from "../../helpers";
 import { TokenService } from "../../services";
-import { TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { AuthTokenType, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
 import { BadRequestError } from "../../utils/errors";
 import {
+  getAuthSecret,
  getHttpsEnabled,
  getJwtSignupLifetime,
-  getJwtSignupSecret,
  getSiteURL
 } from "../../config";
 import { ActorType } from "../../ee/models";
@ -88,10 +88,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  // generate temporary password-reset token
  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
      userId: user._id.toString()
    },
    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend-mongo/src/controllers/v1/secretController.ts
+++ b/backend-mongo/src/controllers/v1/secretController.ts
--- a/backend-mongo/src/controllers/v1/secretImpsController.ts
+++ b/backend-mongo/src/controllers/v1/secretImpsController.ts
@ -1,4 +1,6 @@
+
 import { Request, Response } from "express";
+import { Types } from "mongoose";
 import { isValidScope } from "../../helpers";
 import { Folder, IServiceTokenData, SecretImport, ServiceTokenData } from "../../models";
 import { getAllImportedSecrets } from "../../services/SecretImportService";
@ -15,14 +17,14 @@ import * as reqValidator from "../../validation/secretImports";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError, subject } from "@casl/ability";

 export const createSecretImp = async (req: Request, res: Response) => {
  /* 
    #swagger.summary = 'Create secret import'
-    #swagger.description = 'Create a new secret import for a specified workspace and environment'
+    #swagger.description = 'Create secret import'

    #swagger.requestBody = {
        content: {
@ -32,36 +34,36 @@ export const createSecretImp = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the secret import will be created",
+                            "description": "ID of workspace where to create secret import",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment to import to",
-                            "example": "production"
+                            "description": "Slug of environment where to create secret import",
+                            "example": "dev"
                        },
-                        "folderId": {
+                        "directory": {
                            "type": "string",
-                            "description": "Folder ID. Use root for the root folder.",
-                            "example": "my_folder"
+                            "description": "Path where to create secret import like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        },
                        "secretImport": {
                            "type": "object",
                            "properties": {
                              "environment": {
                                "type": "string",
-                                "description": "Import from environment",
+                                "description": "Slug of environment to import from",
                                "example": "development"
                              },
                              "secretPath": {
                                "type": "string",
-                                "description": "Import from secret path",
+                                "description": "Path where to import from like / or /foo/bar.",
                                "example": "/user/oauth"
                              }
                            }
                        }
                    },
-                    "required": ["workspaceId", "environment", "folderName"]
+                    "required": ["workspaceId", "environment", "directory", "secretImport"]
                }
            }
        }
@ -105,11 +107,21 @@ export const createSecretImp = async (req: Request, res: Response) => {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment: secretImport.environment, secretPath: secretImport.secretPath })
+    );
+
  }

  const folders = await Folder.findOne({
@ -206,12 +218,12 @@ export const createSecretImp = async (req: Request, res: Response) => {
 */
 export const updateSecretImport = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Update a secret import'
-    #swagger.description = 'Updates an existing secret import based on the provided ID and new import details'
+    #swagger.summary = 'Update secret import'
+    #swagger.description = 'Update secret import'

    #swagger.parameters['id'] = {
        in: 'path',
-        description: 'ID of the secret import to be updated',
+        description: 'ID of secret import to update',
        required: true,
        type: 'string',
        example: 'import12345'
@ -225,19 +237,19 @@ export const updateSecretImport = async (req: Request, res: Response) => {
                    "properties": {
                        "secretImports": {
                            "type": "array",
-                            "description": "List of new secret imports",
+                            "description": "List of secret imports to update to",
                            "items": {
                                "type": "object",
                                "properties": {
                                    "environment": {
                                        "type": "string",
-                                        "description": "Environment of the secret import",
-                                        "example": "production"
+                                        "description": "Slug of environment to import from",
+                                        "example": "dev"
                                    },
                                    "secretPath": {
                                        "type": "string",
-                                        "description": "Path of the secret import",
-                                        "example": "/path/to/secret"
+                                        "description": "Path where to import secrets from like / or /foo/bar",
+                                        "example": "/foo/bar"
                                    }
                                },
                                "required": ["environment", "secretPath"]
@ -313,10 +325,11 @@ export const updateSecretImport = async (req: Request, res: Response) => {
    }
  } else {
    // non token entry check
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: importSecDoc.workspace
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Secrets, {
@ -324,6 +337,13 @@ export const updateSecretImport = async (req: Request, res: Response) => {
        secretPath
      })
    );
+
+    secretImports.forEach(({ environment, secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    })
  }

  const orderBefore = importSecDoc.imports;
@ -364,7 +384,7 @@ export const deleteSecretImport = async (req: Request, res: Response) => {

    #swagger.parameters['id'] = {
        in: 'path',
-        description: 'ID of the secret import',
+        description: 'ID of parent secret import document from which to delete secret import',
        required: true,
        type: 'string',
        example: '12345abcde'
@ -378,12 +398,12 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
                    "properties": {
                        "secretImportEnv": {
                            "type": "string",
-                            "description": "Import from environment",
+                            "description": "Slug of environment of import to delete",
                            "example": "someWorkspaceId"
                        },
                        "secretImportPath": {
                            "type": "string",
-                            "description": "Import from secret path",
+                            "description": "Path like / or /foo/bar of import to delete",
                            "example": "production"
                        }
                    },
@ -442,10 +462,11 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: importSecDoc.workspace
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      subject(ProjectPermissionSub.Secrets, {
@ -489,12 +510,12 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
 */
 export const getSecretImports = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Retrieve secret imports'
-    #swagger.description = 'Fetches the secret imports based on the workspaceId, environment, and folderId'
+    #swagger.summary = 'Get secret imports'
+    #swagger.description = 'Get secret imports'

    #swagger.parameters['workspaceId'] = {
        in: 'query',
-        description: 'ID of the workspace of secret imports to get',
+        description: 'ID of workspace where to get secret imports from',
        required: true,
        type: 'string',
        example: 'workspace12345'
@ -502,15 +523,15 @@ export const getSecretImports = async (req: Request, res: Response) => {

    #swagger.parameters['environment'] = {
        in: 'query',
-        description: 'Environment of secret imports to get',
+        description: 'Slug of environment where to get secret imports from',
        required: true,
        type: 'string',
        example: 'production'
    }

-    #swagger.parameters['folderId'] = {
+    #swagger.parameters['directory'] = {
        in: 'query',
-        description: 'ID of the folder containing the secret imports. Default: root',
+        description: 'Path where to get secret imports from like / or /foo/bar. Default is /',
        required: false,
        type: 'string',
        example: 'folder12345'
@ -524,8 +545,7 @@ export const getSecretImports = async (req: Request, res: Response) => {
                    "type": "object",
                    "properties": {
                        "secretImport": {
-                            "type": "object",
-                            "description": "Details of a secret import"
+                          $ref: '#/definitions/SecretImport'
                        }
                    }
                }
@ -551,7 +571,11 @@ export const getSecretImports = async (req: Request, res: Response) => {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, {
@ -605,7 +629,11 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, {
@ -658,10 +686,11 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
    permissionCheckFn = (env: string, secPath: string) =>
      isValidScope(req.authData.authPayload as IServiceTokenData, env, secPath);
  } else {
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: importSecDoc.workspace
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, {
--- a/backend-mongo/src/controllers/v1/secretScanningController.ts
+++ b/backend-mongo/src/controllers/v1/secretScanningController.ts
@ -21,7 +21,7 @@ import * as reqValidator from "../../validation/secretScanning";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -37,8 +37,11 @@ export const createInstallationSession = async (req: Request, res: Response) =>
      message: "Failed to find organization"
    });
  }
-
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.SecretScanning
@ -70,11 +73,12 @@ export const linkInstallationToOrganization = async (req: Request, res: Response
  if (!installationSession) {
    throw UnauthorizedRequestError();
  }
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: installationSession.organization
+  });

-  const { permission } = await getUserOrgPermissions(
-    req.user._id,
-    installationSession.organization.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.SecretScanning
@ -142,7 +146,10 @@ export const getRisksForOrganization = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgRisksv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.SecretScanning
@ -162,7 +169,10 @@ export const updateRisksStatus = async (req: Request, res: Response) => {
    body: { status }
  } = await validateRequest(reqValidator.UpdateRiskStatusv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.SecretScanning
--- a/backend-mongo/src/controllers/v1/secretsFolderController.ts
+++ b/backend-mongo/src/controllers/v1/secretsFolderController.ts
@ -17,7 +17,7 @@ import {
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import * as reqValidator from "../../validation/folders";
@ -27,11 +27,12 @@ const ERR_FOLDER_NOT_FOUND = BadRequestError({ message: "The folder doesn't exis
 // verify workspace id/environment
 export const createFolder = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Create a folder'
-    #swagger.description = 'Create a new folder in a specified workspace and environment'
+    #swagger.summary = 'Create folder'
+    #swagger.description = 'Create folder'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

    #swagger.requestBody = {
@ -42,23 +43,23 @@ export const createFolder = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the folder will be created",
+                            "description": "ID of the workspace where to create folder",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment where the folder will reside",
+                            "description": "Slug of environment where to create folder",
                            "example": "production"
                        },
                        "folderName": {
                            "type": "string",
-                            "description": "Name of the folder to be created",
+                            "description": "Name of folder to create",
                            "example": "my_folder"
                        },
-                        "parentFolderId": {
+                        "directory": {
                            "type": "string",
-                            "description": "ID of the parent folder under which this folder will be created. If not specified, it will be created at the root level.",
-                            "example": "someParentFolderId"
+                            "description": "Path where to create folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        }
                    },
                    "required": ["workspaceId", "environment", "folderName"]
@ -78,14 +79,21 @@ export const createFolder = async (req: Request, res: Response) => {
                            "properties": {
                                "id": {
                                    "type": "string",
+                                    "description": "ID of folder",
                                    "example": "someFolderId"
                                },
                                "name": {
                                    "type": "string",
+                                    "description": "Name of folder",
                                    "example": "my_folder"
+                                },
+                                "version": {
+                                    "type": "number",
+                                    "description": "Version of folder",
+                                    "example": 1
                                }
                            },
-                            "description": "Details of the created folder"
+                            "description": "Details of created folder"
                        }
                    }
                }
@ -117,7 +125,11 @@ export const createFolder = async (req: Request, res: Response) => {
    }
  } else {
    // user check
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@ -219,18 +231,18 @@ export const createFolder = async (req: Request, res: Response) => {
 */
 export const updateFolderById = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Update a folder by ID'
-    #swagger.description = 'Update the name of a folder in a specified workspace and environment by its ID'
+    #swagger.summary = 'Update folder'
+    #swagger.description = 'Update folder'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-    #swagger.parameters['folderId'] = {
-        "description": "ID of the folder to be updated",
+    #swagger.parameters['folderName'] = {
+        "description": "Name of folder to update",
        "required": true,
-        "type": "string",
-        "in": "path"
+        "type": "string"
    }

    #swagger.requestBody = {
@ -241,18 +253,23 @@ export const updateFolderById = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the folder is located",
+                            "description": "ID of workspace where to update folder",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment where the folder is located",
+                            "description": "Slug of environment where to update folder",
                            "example": "production"
                        },
                        "name": {
                            "type": "string",
-                            "description": "New name for the folder",
+                            "description": "Name of folder to update to",
                            "example": "updated_folder_name"
+                        },
+                        "directory": {
+                            "type": "string",
+                            "description": "Path where to update folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        }
                    },
                    "required": ["workspaceId", "environment", "name"]
@ -269,6 +286,7 @@ export const updateFolderById = async (req: Request, res: Response) => {
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "Successfully updated folder"
                        },
                        "folder": {
@ -276,11 +294,13 @@ export const updateFolderById = async (req: Request, res: Response) => {
                            "properties": {
                                "name": {
                                    "type": "string",
+                                    "description": "Name of updated folder",
                                    "example": "updated_folder_name"
                                },
                                "id": {
                                    "type": "string",
-                                    "example": "someFolderId"
+                                    "description": "ID of created folder",
+                                    "example": "abc123"
                                }
                            },
                            "description": "Details of the updated folder"
@ -316,7 +336,11 @@ export const updateFolderById = async (req: Request, res: Response) => {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+  
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@ -387,15 +411,16 @@ export const updateFolderById = async (req: Request, res: Response) => {
 */
 export const deleteFolder = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Delete a folder by ID'
-    #swagger.description = 'Delete the specified folder from a specified workspace and environment using its ID'
+    #swagger.summary = 'Delete folder'
+    #swagger.description = 'Delete folder'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-    #swagger.parameters['folderId'] = {
-        "description": "ID of the folder to be deleted",
+    #swagger.parameters['folderName'] = {
+        "description": "Name of folder to delete",
        "required": true,
        "type": "string",
        "in": "path"
@ -409,13 +434,18 @@ export const deleteFolder = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the folder is located",
+                            "description": "ID of the workspace where to delete folder",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment where the folder is located",
+                            "description": "Slug of environment where to delete folder",
                            "example": "production"
+                        },
+                        "directory": {
+                            "type": "string",
+                            "description": "Path where to delete folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        }
                    },
                    "required": ["workspaceId", "environment"]
@ -432,6 +462,7 @@ export const deleteFolder = async (req: Request, res: Response) => {
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "successfully deleted folders"
                        },
                        "folders": {
@ -441,15 +472,17 @@ export const deleteFolder = async (req: Request, res: Response) => {
                                "properties": {
                                    "id": {
                                        "type": "string",
-                                        "example": "someFolderId"
+                                        "description": "ID of deleted folder",
+                                        "example": "abc123"
                                    },
                                    "name": {
                                        "type": "string",
+                                        "description": "Name of deleted folder",
                                        "example": "someFolderName"
                                    }
                                }
                            },
-                            "description": "List of IDs and names of the deleted folders"
+                            "description": "List of IDs and names of deleted folders"
                        }
                    }
                }
@ -477,7 +510,11 @@ export const deleteFolder = async (req: Request, res: Response) => {
    }
  } else {
    // check that user is a member of the workspace
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
@ -540,43 +577,37 @@ export const deleteFolder = async (req: Request, res: Response) => {

 /**
 * Get folders for workspace with id [workspaceId] and environment [environment]
- * considering [parentFolderId] and [parentFolderPath]
+ * considering directory/path [directory]
 * @param req
 * @param res
 * @returns
 */
 export const getFolders = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Retrieve folders based on specific conditions'
-    #swagger.description = 'Fetches folders from the specified workspace and environment, optionally providing either a parentFolderId or a parentFolderPath to narrow down results'
+    #swagger.summary = 'Get folders'
+    #swagger.description = 'Get folders'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

    #swagger.parameters['workspaceId'] = {
-        "description": "ID of the workspace from which the folders are to be fetched",
+        "description": "ID of the workspace where to get folders from",
        "required": true,
        "type": "string",
        "in": "query"
    }

    #swagger.parameters['environment'] = {
-        "description": "Environment where the folder is located",
+        "description": "Slug of environment where to get folders from",
        "required": true,
        "type": "string",
        "in": "query"
    }

-    #swagger.parameters['parentFolderId'] = {
-        "description": "ID of the parent folder",
-        "required": false,
-        "type": "string",
-        "in": "query"
-    }
-
-    #swagger.parameters['parentFolderPath'] = {
-        "description": "Path of the parent folder, like /folder1/folder2",
+    #swagger.parameters['directory'] = {
+        "description": "Path where to get fodlers from like / or /foo/bar. Default is /",
        "required": false,
        "type": "string",
        "in": "query"
@ -604,23 +635,6 @@ export const getFolders = async (req: Request, res: Response) => {
                                }
                            },
                            "description": "List of folders"
-                        },
-                        "dir": {
-                            "type": "array",
-                            "items": {
-                                "type": "object",
-                                "properties": {
-                                    "name": {
-                                        "type": "string",
-                                        "example": "parentFolderName"
-                                    },
-                                    "id": {
-                                        "type": "string",
-                                        "example": "parentFolderId"
-                                    }
-                                }
-                            },
-                            "description": "List of directories"
                        }
                    }
                }
@ -647,7 +661,10 @@ export const getFolders = async (req: Request, res: Response) => {
    }
  } else {
    // check that user is a member of the workspace
-    await getUserProjectPermissions(req.user._id, workspaceId);
+    await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
  }

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
--- a/backend-mongo/src/controllers/v1/serviceTokenController.ts
+++ b/backend-mongo/src/controllers/v1/serviceTokenController.ts
--- a/backend-mongo/src/controllers/v1/signupController.ts
+++ b/backend-mongo/src/controllers/v1/signupController.ts
@ -2,16 +2,15 @@ import { Request, Response } from "express";
 import { AuthMethod, User } from "../../models";
 import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
 import { createToken } from "../../helpers/auth";
-import { BadRequestError } from "../../utils/errors";
 import {
-  getInviteOnlySignup,
+  getAuthSecret,
  getJwtSignupLifetime,
-  getJwtSignupSecret,
  getSmtpConfigured
 } from "../../config";
 import { validateUserEmail } from "../../validation";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
+import { AuthTokenType } from "../../variables";

 /**
 * Signup step 1: Initialize account for user under email [email] and send a verification code
@ -67,16 +66,6 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
    });
  }

-  if (await getInviteOnlySignup()) {
-    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
-    const userCount = await User.countDocuments({});
-    if (userCount != 0) {
-      throw BadRequestError({
-        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
-      });
-    }
-  }
-
  // verify email
  if (await getSmtpConfigured()) {
    await checkEmailVerification({
@ -95,10 +84,11 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
  // generate temporary signup token
  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
      userId: user._id.toString()
    },
    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend-mongo/src/controllers/v1/universalAuthController.ts
+++ b/backend-mongo/src/controllers/v1/universalAuthController.ts
--- a/backend-mongo/src/controllers/v1/userActionController.ts
+++ b/backend-mongo/src/controllers/v1/userActionController.ts
--- a/backend-mongo/src/controllers/v1/userController.ts
+++ b/backend-mongo/src/controllers/v1/userController.ts
--- a/backend-mongo/src/controllers/v1/webhookController.ts
+++ b/backend-mongo/src/controllers/v1/webhookController.ts
@ -1,27 +1,36 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { client, getRootEncryptionKey } from "../../config";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
 import { Webhook } from "../../models";
 import { getWebhookPayload, triggerWebhookRequest } from "../../services/WebhookService";
 import { BadRequestError, ResourceNotFoundError } from "../../utils/errors";
 import { EEAuditLogService } from "../../ee/services";
 import { EventType } from "../../ee/models";
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_BASE64 } from "../../variables";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/webhooks";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";

 export const createWebhook = async (req: Request, res: Response) => {
  const {
    body: { webhookUrl, webhookSecretKey, environment, workspaceId, secretPath }
  } = await validateRequest(reqValidator.CreateWebhookV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Webhooks
@ -31,17 +40,31 @@ export const createWebhook = async (req: Request, res: Response) => {
    workspace: workspaceId,
    environment,
    secretPath,
-    url: webhookUrl,
-    algorithm: ALGORITHM_AES_256_GCM,
-    keyEncoding: ENCODING_SCHEME_BASE64
+    url: webhookUrl
  });

  if (webhookSecretKey) {
+    const encryptionKey = await getEncryptionKey();
    const rootEncryptionKey = await getRootEncryptionKey();
-    const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
-    webhook.iv = iv;
-    webhook.tag = tag;
-    webhook.encryptedSecretKey = ciphertext;
+
+    if (rootEncryptionKey) {
+      const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
+      webhook.iv = iv;
+      webhook.tag = tag;
+      webhook.encryptedSecretKey = ciphertext;
+      webhook.algorithm = ALGORITHM_AES_256_GCM;
+      webhook.keyEncoding = ENCODING_SCHEME_BASE64;
+    } else if (encryptionKey) {
+      const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+        plaintext: webhookSecretKey,
+        key: encryptionKey
+      });
+      webhook.iv = iv;
+      webhook.tag = tag;
+      webhook.encryptedSecretKey = ciphertext;
+      webhook.algorithm = ALGORITHM_AES_256_GCM;
+      webhook.keyEncoding = ENCODING_SCHEME_UTF8;
+    }
  }

  await webhook.save();
@ -79,11 +102,11 @@ export const updateWebhook = async (req: Request, res: Response) => {
  if (!webhook) {
    throw BadRequestError({ message: "Webhook not found!!" });
  }
-
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    webhook.workspace.toString()
-  );
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: webhook.workspace
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Webhooks
@ -127,10 +150,11 @@ export const deleteWebhook = async (req: Request, res: Response) => {
    throw ResourceNotFoundError({ message: "Webhook not found!!" });
  }

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    webhook.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: webhook.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Webhooks
@ -174,10 +198,11 @@ export const testWebhook = async (req: Request, res: Response) => {
    throw BadRequestError({ message: "Webhook not found!!" });
  }

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    webhook.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: webhook.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Webhooks
@ -217,8 +242,12 @@ export const listWebhooks = async (req: Request, res: Response) => {
  const {
    query: { environment, workspaceId, secretPath }
  } = await validateRequest(reqValidator.ListWebhooksV1, req);
-
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Webhooks
--- a/backend-mongo/src/controllers/v1/workspaceController.ts
+++ b/backend-mongo/src/controllers/v1/workspaceController.ts
@ -17,7 +17,7 @@ import { OrganizationNotFoundError } from "../../utils/errors";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";
 import { validateRequest } from "../../helpers/validation";
@ -25,7 +25,7 @@ import * as reqValidator from "../../validation";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";

 /**
@ -39,7 +39,11 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspacePublicKeysV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Member
@ -72,7 +76,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceMembershipsV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Member
@ -144,7 +152,10 @@ export const createWorkspace = async (req: Request, res: Response) => {
    });
  }

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Workspace
@ -195,7 +206,11 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
    params: { workspaceId }
  } = await validateRequest(reqValidator.DeleteWorkspaceV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Workspace
@ -223,7 +238,11 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
    body: { name }
  } = await validateRequest(reqValidator.ChangeWorkspaceNameV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Workspace
@ -257,7 +276,12 @@ export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
  const {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceIntegrationsV1, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -283,7 +307,11 @@ export const getWorkspaceIntegrationAuthorizations = async (req: Request, res: R
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceIntegrationAuthorizationsV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Integrations
@ -309,7 +337,11 @@ export const getWorkspaceServiceTokens = async (req: Request, res: Response) =>
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceServiceTokensV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.ServiceTokens
--- a/backend-mongo/src/controllers/v2/authController.ts
+++ b/backend-mongo/src/controllers/v2/authController.ts
@ -8,11 +8,9 @@ import { createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
-import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";

@ -109,10 +107,11 @@ export const login2 = async (req: Request, res: Response) => {
          // generate temporary MFA token
          const token = createToken({
            payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
              userId: user._id.toString()
            },
            expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
          });

          const code = await TokenService.createToken({
@ -189,19 +188,6 @@ export const login2 = async (req: Request, res: Response) => {
          response.protectedKeyTag = user.protectedKeyTag;
        }

-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.ip
-          }));
-
        return res.status(200).send(response);
      }

@ -218,20 +204,16 @@ export const login2 = async (req: Request, res: Response) => {
 * @param res
 */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  const {
-    body: { email }
-  } = await validateRequest(reqValidator.SendMfaTokenV2, req);
-
  const code = await TokenService.createToken({
    type: TOKEN_EMAIL_MFA,
-    email
+    email: req.user.email
  });

  // send MFA code [code] to [email]
  await sendMail({
    template: "emailMfa.handlebars",
    subjectLine: "Infisical MFA code",
-    recipients: [email],
+    recipients: [req.user.email],
    substitutions: {
      code
    }
@ -250,17 +232,17 @@ export const sendMfaToken = async (req: Request, res: Response) => {
 */
 export const verifyMfaToken = async (req: Request, res: Response) => {
  const {
-    body: { email, mfaToken }
+    body: { mfaToken }
  } = await validateRequest(reqValidator.VerifyMfaTokenV2, req);

  await TokenService.validateToken({
    type: TOKEN_EMAIL_MFA,
-    email,
+    email: req.user.email,
    token: mfaToken
  });

  const user = await User.findOne({
-    email
+    email: req.user.email
  }).select(
    "+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices"
  );
@ -329,18 +311,5 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
    resObj.protectedKeyTag = user.protectedKeyTag;
  }

-  const loginAction = await EELogService.createAction({
-    name: ACTION_LOGIN,
-    userId: user._id
-  });
-
-  loginAction &&
-    (await EELogService.createLog({
-      userId: user._id,
-      actions: [loginAction],
-      channel: getUserAgentType(req.headers["user-agent"]),
-      ipAddress: req.realIP
-    }));
-
  return res.status(200).send(resObj);
 };
--- a/backend-mongo/src/controllers/v2/environmentController.ts
+++ b/backend-mongo/src/controllers/v2/environmentController.ts
@ -12,18 +12,15 @@ import {
 import { EventType, SecretVersion } from "../../ee/models";
 import { EEAuditLogService, EELicenseService } from "../../ee/services";
 import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
-import _ from "lodash";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/environments";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { SecretImport } from "../../models";
-import { ServiceAccountWorkspacePermission } from "../../models";
 import { Webhook } from "../../models";

 /**
@ -39,29 +36,16 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
    #swagger.description = 'Create environment'

    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
    }]

 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of workspace where to create environment",
 		"required": true,
-		"type": "string"
+		"type": "string",
+    "in": "path"
 	}
-
-  /*
-    #swagger.summary = 'Create environment'
-    #swagger.description = 'Create environment'
-
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	}
-
+  
  #swagger.requestBody = {
      content: {
          "application/json": {
@ -70,12 +54,12 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
                  "properties": {
                      "environmentName": {
                          "type": "string",
-                          "description": "Name of the environment",
+                          "description": "Name of the environment to create",
                          "example": "development"
                      },
                      "environmentSlug": {
                          "type": "string",
-                          "description": "Slug of the environment",
+                          "description": "Slug of environment to create",
                          "example": "dev-environment"
                      }
                  },
@ -86,45 +70,53 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
  }

  #swagger.responses[200] = {
-      content: {
-          "application/json": {
-              "schema": {
-                  "type": "object",
-                  "properties": {
-                      "message": {
-                          "type": "string",
-                          "example": "Successfully created new environment"
-                      },
-                      "workspace": {
-                          "type": "string",
-                          "example": "someWorkspaceId"
-                      },
-                      "environment": {
-                          "type": "object",
-                          "properties": {
-                              "name": {
-                                  "type": "string",
-                                  "example": "someEnvironmentName"
-                              },
-                              "slug": {
-                                  "type": "string",
-                                  "example": "someEnvironmentSlug"
-                              }
-                          }
-                      }
-                  },
-                  "description": "Response after creating a new environment"
-              }
-          }
-      }
-  }
+        content: {
+            "application/json": {
+                "schema": {
+                    "type": "object",
+                    "properties": {
+                        "message": {
+                            "type": "string",
+                            "description": "Sucess message",
+                            "example": "Successfully created environment"
+                        },
+                        "workspace": {
+                            "type": "string",
+                            "description": "ID of workspace where environment was created",
+                            "example": "abc123"
+                        },
+                        "environment": {
+                            "type": "object",
+                            "properties": {
+                                "name": {
+                                    "type": "string",
+                                    "description": "Name of created environment",
+                                    "example": "Staging"
+                                },
+                                "slug": {
+                                    "type": "string",
+                                    "description": "Slug of created environment",
+                                    "example": "staging"
+                                }
+                            }
+                        }
+                    },
+                    "description": "Details of the created environment"
+                }
+            }
+        }
+    }
  */
  const {
    params: { workspaceId },
    body: { environmentName, environmentSlug }
  } = await validateRequest(reqValidator.CreateWorkspaceEnvironmentV2, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Environments
@ -201,7 +193,11 @@ export const reorderWorkspaceEnvironments = async (req: Request, res: Response)
    body: { environmentName, environmentSlug, otherEnvironmentSlug, otherEnvironmentName }
  } = await validateRequest(reqValidator.ReorderWorkspaceEnvironmentsV2, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Environments
@ -247,15 +243,19 @@ export const reorderWorkspaceEnvironments = async (req: Request, res: Response)
 */
 export const renameWorkspaceEnvironment = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Rename workspace environment'
-    #swagger.description = 'Rename a specific environment within a workspace'
+    #swagger.summary = 'Update environment'
+    #swagger.description = 'Update environment'
+
+    #swagger.security = [{
+        "apiKeyAuth": [],
+    }]

    #swagger.parameters['workspaceId'] = {
-    "description": "ID of the workspace",
-    "required": true,
-    "type": "string",
-        "in": "path"
-  }
+      "description": "ID of workspace where to update environment",
+      "required": true,
+      "type": "string",
+      "in": "path"
+    }

    #swagger.requestBody = {
        content: {
@ -265,17 +265,17 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "environmentName": {
                            "type": "string",
-                            "description": "New name for the environment",
+                            "description": "Name of environment to update to",
                            "example": "Staging-Renamed"
                        },
                        "environmentSlug": {
                            "type": "string",
-                            "description": "New slug for the environment",
+                            "description": "Slug of environment to update to",
                            "example": "staging-renamed"
                        },
                        "oldEnvironmentSlug": {
                            "type": "string",
-                            "description": "Current slug of the environment to rename",
+                            "description": "Current slug of environment",
                            "example": "staging-old"
                        }
                    },
@ -293,21 +293,25 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "Successfully update environment"
                        },
                        "workspace": {
                            "type": "string",
-                            "example": "someWorkspaceId"
+                            "description": "ID of workspace where environment was updated",
+                            "example": "abc123"
                        },
                        "environment": {
                            "type": "object",
                            "properties": {
                                "name": {
                                    "type": "string",
+                                    "description": "Name of updated environment",
                                    "example": "Staging-Renamed"
                                },
                                "slug": {
                                    "type": "string",
+                                    "description": "Slug of updated environment",
                                    "example": "staging-renamed"
                                }
                            }
@ -324,7 +328,11 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
    body: { environmentName, environmentSlug, oldEnvironmentSlug }
  } = await validateRequest(reqValidator.UpdateWorkspaceEnvironmentV2, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Environments
@ -400,11 +408,6 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
    { arrayFilters: [{ "element.environment": oldEnvironmentSlug }] },
  );

-  await ServiceAccountWorkspacePermission.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-
  await Webhook.updateMany(
    { workspace: workspaceId, environment: oldEnvironmentSlug },
    { environment: environmentSlug }
@ -453,19 +456,19 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
 */
 export const deleteWorkspaceEnvironment = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Delete workspace environment'
-    #swagger.description = 'Delete a specific environment from a workspace'
+    #swagger.summary = 'Delete environment'
+    #swagger.description = 'Delete environment'

    #swagger.security = [{
        "apiKeyAuth": []
    }]

    #swagger.parameters['workspaceId'] = {
-		"description": "ID of the workspace",
-		"required": true,
-		"type": "string",
-        "in": "path"
-	}
+      "description": "ID of workspace where to delete environment",
+      "required": true,
+      "type": "string",
+      "in": "path"
+	  }

    #swagger.requestBody = {
        content: {
@ -475,8 +478,8 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "environmentSlug": {
                            "type": "string",
-                            "description": "Slug of the environment to delete",
-                            "example": "dev-environment"
+                            "description": "Slug of environment to delete",
+                            "example": "dev"
                        }
                    },
                    "required": ["environmentSlug"]
@ -493,15 +496,18 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "Successfully deleted environment"
                        },
                        "workspace": {
                            "type": "string",
-                            "example": "someWorkspaceId"
+                            "description": "ID of workspace where environment was deleted",
+                            "example": "abc123"
                        },
                        "environment": {
                            "type": "string",
-                            "example": "dev-environment"
+                            "description": "Slug of deleted environment",
+                            "example": "dev"
                        }
                    },
                    "description": "Response after deleting an environment from a workspace"
@ -515,7 +521,11 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
    body: { environmentSlug }
  } = await validateRequest(reqValidator.DeleteWorkspaceEnvironmentV2, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Environments
@ -591,98 +601,4 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
    workspace: workspaceId,
    environment: environmentSlug
  });
-};
-
-// TODO(akhilmhdh) after rbac this can be completely removed
-export const getAllAccessibleEnvironmentsOfWorkspace = async (req: Request, res: Response) => {
-  /*
-    #swagger.summary = 'Get all accessible environments of a workspace'
-    #swagger.description = 'Fetch all environments that the user has access to in a specified workspace'
-
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.parameters['workspaceId'] = {
-		"description": "ID of the workspace",
-		"required": true,
-		"type": "string",
-        "in": "path"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": {
-                    "type": "object",
-                    "properties": {
-                        "accessibleEnvironments": {
-                            "type": "array",
-                            "items": {
-                                "type": "object",
-                                "properties": {
-                                    "name": {
-                                        "type": "string",
-                                        "example": "Development"
-                                    },
-                                    "slug": {
-                                        "type": "string",
-                                        "example": "development"
-                                    },
-                                    "isWriteDenied": {
-                                        "type": "boolean",
-                                        "example": false
-                                    },
-                                    "isReadDenied": {
-                                        "type": "boolean",
-                                        "example": false
-                                    }
-                                }
-                            }
-                        }
-                    },
-                    "description": "List of environments the user has access to in the specified workspace"
-                }
-            }
-        }
-    }
-  */
-  const {
-    params: { workspaceId }
-  } = await validateRequest(reqValidator.GetAllAccessibileEnvironmentsOfWorkspaceV2, req);
-
-  const { membership: workspacesUserIsMemberOf } = await getUserProjectPermissions(
-    req.user._id,
-    workspaceId
-  );
-
-  const accessibleEnvironments: any = [];
-  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions;
-
-  const relatedWorkspace = await Workspace.findById(workspaceId);
-  if (!relatedWorkspace) {
-    throw BadRequestError();
-  }
-  relatedWorkspace.environments.forEach((environment) => {
-    const isReadBlocked = _.some(deniedPermission, {
-      environmentSlug: environment.slug,
-      ability: PERMISSION_READ_SECRETS
-    });
-    const isWriteBlocked = _.some(deniedPermission, {
-      environmentSlug: environment.slug,
-      ability: PERMISSION_WRITE_SECRETS
-    });
-    if (isReadBlocked && isWriteBlocked) {
-      return;
-    } else {
-      accessibleEnvironments.push({
-        name: environment.name,
-        slug: environment.slug,
-        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
-      });
-    }
-  });
-
-  res.json({ accessibleEnvironments });
-};
+};
--- a/backend-mongo/src/controllers/v2/index.ts
+++ b/backend-mongo/src/controllers/v2/index.ts
@ -6,20 +6,20 @@ import * as workspaceController from "./workspaceController";
 import * as serviceTokenDataController from "./serviceTokenDataController";
 import * as secretController from "./secretController";
 import * as secretsController from "./secretsController";
-import * as serviceAccountsController from "./serviceAccountsController";
 import * as environmentController from "./environmentController";
 import * as tagController from "./tagController";
+import * as membershipController from "./membershipController";

 export {
-    authController,
-    signupController,
-    usersController,
-    organizationsController,
-    workspaceController,
-    serviceTokenDataController,
-    secretController,
-    secretsController,
-    serviceAccountsController,
-    environmentController,
-    tagController,
-}
+  authController,
+  signupController,
+  usersController,
+  organizationsController,
+  workspaceController,
+  serviceTokenDataController,
+  secretController,
+  secretsController,
+  environmentController,
+  tagController,
+  membershipController
+};
--- a/backend-mongo/src/controllers/v2/membershipController.ts
+++ b/backend-mongo/src/controllers/v2/membershipController.ts
@ -0,0 +1,107 @@
+import { ForbiddenError } from "@casl/ability";
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+
+import { getSiteURL } from "../../config";
+import { EventType } from "../../ee/models";
+import { EEAuditLogService } from "../../ee/services";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions
+} from "../../ee/services/ProjectRoleService";
+import { sendMail } from "../../helpers";
+import { validateRequest } from "../../helpers/validation";
+import { IUser, Key, Membership, MembershipOrg, Workspace } from "../../models";
+import { BadRequestError } from "../../utils/errors";
+import * as reqValidator from "../../validation/membership";
+import { ACCEPTED, MEMBER } from "../../variables";
+
+export const addUserToWorkspace = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId },
+    body: { members }
+  } = await validateRequest(reqValidator.AddUserToWorkspaceV2, req);
+  // check workspace
+  const workspace = await Workspace.findById(workspaceId);
+  if (!workspace) throw new Error("Failed to find workspace");
+
+  // check permission
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.Member
+  );
+
+  // validate members are part of the organization
+  const orgMembers = await MembershipOrg.find({
+    status: ACCEPTED,
+    _id: { $in: members.map(({ orgMembershipId }) => orgMembershipId) },
+    organization: workspace.organization
+  })
+    .populate<{ user: IUser }>("user")
+    .select({ _id: 1, user: 1 })
+    .lean();
+  if (orgMembers.length !== members.length)
+    throw BadRequestError({ message: "Org member not found" });
+
+  const existingMember = await Membership.find({
+    workspace: workspaceId,
+    user: { $in: orgMembers.map(({ user }) => user) }
+  });
+  if (existingMember?.length)
+    throw BadRequestError({ message: "Some users are already part of workspace" });
+
+  await Membership.insertMany(
+    orgMembers.map(({ user }) => ({ user: user._id, workspace: workspaceId, role: MEMBER }))
+  );
+
+  const encKeyGroupedByOrgMemberId = members.reduce<Record<string, (typeof members)[number]>>(
+    (prev, curr) => ({ ...prev, [curr.orgMembershipId]: curr }),
+    {}
+  );
+  await Key.insertMany(
+    orgMembers.map(({ user, _id: id }) => ({
+      encryptedKey: encKeyGroupedByOrgMemberId[id.toString()].workspaceEncryptedKey,
+      nonce: encKeyGroupedByOrgMemberId[id.toString()].workspaceEncryptedNonce,
+      sender: req.user._id,
+      receiver: user._id,
+      workspace: workspaceId
+    }))
+  );
+
+  await sendMail({
+    template: "workspaceInvitation.handlebars",
+    subjectLine: "Infisical workspace invitation",
+    recipients: orgMembers.map(({ user }) => user.email),
+    substitutions: {
+      inviterFirstName: req.user.firstName,
+      inviterEmail: req.user.email,
+      workspaceName: workspace.name,
+      callback_url: (await getSiteURL()) + "/login"
+    }
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.ADD_BATCH_WORKSPACE_MEMBER,
+      metadata: orgMembers.map(({ user }) => ({
+        userId: user._id.toString(),
+        email: user.email
+      }))
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
+  return res.status(200).send({
+    success: true,
+    data: orgMembers
+  });
+};
--- a/backend-mongo/src/controllers/v2/organizationsController.ts
+++ b/backend-mongo/src/controllers/v2/organizationsController.ts
@ -1,32 +1,33 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { 
-  Membership, 
-  MembershipOrg, 
-  ServiceAccount, 
-  Workspace 
+  IWorkspace,
+  Identity,
+  IdentityMembership,
+  IdentityMembershipOrg, 
+  Membership,
+  MembershipOrg,
+  User,
+  Workspace
 } from "../../models";
 import { Role } from "../../ee/models";
 import { deleteMembershipOrg } from "../../helpers/membershipOrg";
-import { 
+import {
  createOrganization as create,
  deleteOrganization,
  updateSubscriptionOrgQuantity
 } from "../../helpers/organization";
 import { addMembershipsOrg } from "../../helpers/membershipOrg";
-import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import {
-  ACCEPTED,
-  ADMIN,
-  CUSTOM 
-} from "../../variables";
+import { BadRequestError, ResourceNotFoundError, UnauthorizedRequestError } from "../../utils/errors";
+import { ACCEPTED, ADMIN, CUSTOM, MEMBER, NO_ACCESS } from "../../variables";
 import * as reqValidator from "../../validation/organization";
 import { validateRequest } from "../../helpers/validation";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
+import { EELicenseService } from "../../ee/services";
 import { ForbiddenError } from "@casl/ability";

 /**
@ -36,11 +37,12 @@ import { ForbiddenError } from "@casl/ability";
 */
 export const getOrganizationMemberships = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Return organization memberships'
-    #swagger.description = 'Return organization memberships'
+    #swagger.summary = 'Return organization user memberships'
+    #swagger.description = 'Return organization user memberships'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -72,7 +74,10 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgMembersv2, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Member
@ -94,11 +99,12 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
 */
 export const updateOrganizationMembership = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Update organization membership'
-    #swagger.description = 'Update organization membership'
+    #swagger.summary = 'Update organization user membership'
+    #swagger.description = 'Update organization user membership'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -150,16 +156,32 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
    params: { organizationId, membershipId },
    body: { role }
  } = await validateRequest(reqValidator.UpdateOrgMemberv2, req);
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Member
  );

-  const isCustomRole = !["admin", "member", "owner"].includes(role);
+  const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
  if (isCustomRole) {
-    const orgRole = await Role.findOne({ slug: role, isOrgRole: true });
+    const orgRole = await Role.findOne({ 
+      slug: role, 
+      isOrgRole: true,
+      organization: new Types.ObjectId(organizationId)
+    });
+
    if (!orgRole) throw BadRequestError({ message: "Role not found" });
+    
+    const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId));
+    
+    if (!plan.rbac) return res.status(400).send({
+      message:
+        "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."
+    });

    const membership = await MembershipOrg.findByIdAndUpdate(membershipId, {
      role: CUSTOM,
@ -198,11 +220,12 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
 */
 export const deleteOrganizationMembership = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Delete organization membership'
-    #swagger.description = 'Delete organization membership'
+    #swagger.summary = 'Delete organization user membership'
+    #swagger.description = 'Delete organization user membership'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -236,7 +259,18 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
  const {
    params: { organizationId, membershipId }
  } = await validateRequest(reqValidator.DeleteOrgMemberv2, req);
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  
+  const membershipOrg = await MembershipOrg.findOne({
+    _id: new Types.ObjectId(membershipId),
+    organization: new Types.ObjectId(organizationId)
+  });
+  
+  if (!membershipOrg) throw ResourceNotFoundError();
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: membershipOrg.organization
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Member
@ -268,7 +302,8 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    #swagger.description = 'Return projects in organization that user is part of'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -296,11 +331,16 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
        }
    }   
    */
+  
  const {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgWorkspacesv2, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Workspace
@ -317,36 +357,33 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    ).map((w) => w._id.toString())
  );

-  const workspaces = (
-    await Membership.find({
-      user: req.user._id
-    }).populate("workspace")
-  )
-    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
-    .map((m) => m.workspace);
+  let workspaces: IWorkspace[] = [];
+  
+  if (req.authData.authPayload instanceof Identity) {
+    workspaces = (
+      await IdentityMembership.find({
+        identity: req.authData.authPayload._id
+      }).populate<{ workspace: IWorkspace }>("workspace")
+    )
+      .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+      .map((m) => m.workspace);
+  }
+  
+  if (req.authData.authPayload instanceof User) {
+    workspaces = (
+      await Membership.find({
+        user: req.authData.authPayload._id
+      }).populate<{ workspace: IWorkspace }>("workspace")
+    )
+      .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+      .map((m) => m.workspace);
+  }

  return res.status(200).send({
    workspaces
  });
 };

-/**
- * Return service accounts for organization with id [organizationId]
- * @param req
- * @param res
- */
-export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
-  const { organizationId } = req.params;
-
-  const serviceAccounts = await ServiceAccount.find({
-    organization: new Types.ObjectId(organizationId)
-  });
-
-  return res.status(200).send({
-    serviceAccounts
-  });
-};
-
 /**
 * Create new organization named [organizationName]
 * and add user as owner
@ -354,7 +391,7 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
 * @param res
 * @returns
 */
- export const createOrganization = async (req: Request, res: Response) => {
+export const createOrganization = async (req: Request, res: Response) => {
  const {
    body: { name }
  } = await validateRequest(reqValidator.CreateOrgv2, req);
@ -379,27 +416,90 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response

 /**
 * Delete organization with id [organizationId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
 export const deleteOrganizationById = async (req: Request, res: Response) => {
  const {
    params: { organizationId }
  } = await validateRequest(reqValidator.DeleteOrgv2, req);
-  
+
  const membershipOrg = await MembershipOrg.findOne({
    user: req.user._id,
    organization: new Types.ObjectId(organizationId),
    role: ADMIN
  });
-  
+
  if (!membershipOrg) throw UnauthorizedRequestError();
-  
+
  const organization = await deleteOrganization({
    organizationId: new Types.ObjectId(organizationId)
  });
-  
+
  return res.status(200).send({
    organization
  });
+};
+
+/**
+ * Return list of identity memberships for organization with id [organizationId]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+ export const getOrganizationIdentityMemberships = async (req: Request, res: Response) => {
+   /*
+    #swagger.summary = 'Return organization identity memberships'
+    #swagger.description = 'Return organization identity memberships'
+
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+    
+    #swagger.parameters['organizationId'] = {
+        "description": "ID of organization",
+        "required": true,
+        "type": "string",
+        "in": "path"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+              "schema": { 
+                "type": "object",
+                "properties": {
+                  "identityMemberships": {
+                    "type": "array",
+                    "items": {
+                      $ref: "#/components/schemas/IdentityMembershipOrg" 
+                    },
+                    "description": "Identity memberships of organization"
+                  }
+                }
+              }
+            }           
+        }
+    }
+  */
+  const {
+    params: { organizationId }
+  } = await validateRequest(reqValidator.GetOrgIdentityMembershipsV2, req);
+
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  ForbiddenError.from(permission).throwUnlessCan(
+    OrgPermissionActions.Read,
+    OrgPermissionSubjects.Identity
+  );
+ 
+  const identityMemberships = await IdentityMembershipOrg.find({
+    organization: new Types.ObjectId(organizationId)
+  }).populate("identity customRole");
+  
+  return res.status(200).send({
+    identityMemberships
+  });
 }
--- a/backend-mongo/src/controllers/v2/secretController.ts
+++ b/backend-mongo/src/controllers/v2/secretController.ts
@ -11,7 +11,6 @@ import {
  ValidationError as RouteValidationError,
  UnauthorizedRequestError
 } from "../../utils/errors";
-import { AnyBulkWriteOperation } from "mongodb";
 import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
@ -19,7 +18,7 @@ import {
  SECRET_SHARED
 } from "../../variables";
 import { TelemetryService } from "../../services";
-import { ISecret, Secret, User } from "../../models";
+import { Secret, User } from "../../models";
 import { AccountNotFoundError } from "../../utils/errors";

 /**
@ -145,22 +144,22 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  const secretsUserCanDeleteSet: Set<string> = new Set(
    secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
  );
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];

-  let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach((secretIdToDelete) => {
-    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = {
-        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
-      };
-      deleteOperationsToPerform.push(deleteOperation);
-      numSecretsDeleted++;
-    } else {
-      throw RouteValidationError({
-        message: "You cannot delete secrets that you do not have access to"
-      });
-    }
-  });
+  // Filter out IDs that user can delete and then map them to delete operations
+  const deleteOperationsToPerform = secretIdsToDelete
+    .filter(secretIdToDelete => {
+      if (!secretsUserCanDeleteSet.has(secretIdToDelete)) {
+        throw RouteValidationError({
+          message: "You cannot delete secrets that you do not have access to"
+        });
+      }
+      return true;
+    })
+    .map(secretIdToDelete => ({
+      deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
+    }));
+
+  const numSecretsDeleted = deleteOperationsToPerform.length;

  await Secret.bulkWrite(deleteOperationsToPerform);

--- a/backend-mongo/src/controllers/v2/secretsController.ts
+++ b/backend-mongo/src/controllers/v2/secretsController.ts
@ -1,12 +1,8 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { Folder, ISecret, Secret, ServiceTokenData, Tag } from "../../models";
-import { AuditLog, EventType, IAction, SecretVersion } from "../../ee/models";
+import { AuditLog, EventType, SecretVersion } from "../../ee/models";
 import {
-  ACTION_ADD_SECRETS,
-  ACTION_DELETE_SECRETS,
-  ACTION_READ_SECRETS,
-  ACTION_UPDATE_SECRETS,
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
  K8_USER_AGENT_NAME,
@ -15,7 +11,7 @@ import {
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EventService } from "../../services";
 import { eventPushSecrets } from "../../events";
-import { EEAuditLogService, EELogService, EESecretService } from "../../ee/services";
+import { EEAuditLogService, EESecretService } from "../../ee/services";
 import { SecretService, TelemetryService } from "../../services";
 import { getUserAgentType } from "../../utils/posthog";
 import { PERMISSION_WRITE_SECRETS } from "../../variables";
@ -43,7 +39,7 @@ import {
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError, subject } from "@casl/ability";

@ -82,7 +78,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
  const createSecrets: any[] = [];
  const updateSecrets: any[] = [];
  const deleteSecrets: { _id: Types.ObjectId; secretName: string }[] = [];
-  const actions: IAction[] = [];

  // get secret blind index salt
  const salt = await SecretService.getSecretBlindIndexSalt({
@ -164,7 +159,11 @@ export const batchSecrets = async (req: Request, res: Response) => {
  }
  // not using service token  using auth
  if (!(req.authData.authPayload instanceof ServiceTokenData)) {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    if (createSecrets.length)
      ForbiddenError.from(permission).throwUnlessCan(
        ProjectPermissionActions.Create,
@ -224,16 +223,6 @@ export const batchSecrets = async (req: Request, res: Response) => {

    await AuditLog.insertMany(auditLogs);

-    const addAction = (await EELogService.createAction({
-      name: ACTION_ADD_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: createdSecrets.map((n) => n._id)
-    })) as IAction;
-    actions.push(addAction);
-
    if (postHogClient) {
      postHogClient.capture({
        event: "secrets added",
@ -350,14 +339,6 @@ export const batchSecrets = async (req: Request, res: Response) => {

    await AuditLog.insertMany(auditLogs);

-    const updateAction = (await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: req.user._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: updatedSecrets.map((u) => u._id)
-    })) as IAction;
-    actions.push(updateAction);
-
    if (postHogClient) {
      postHogClient.capture({
        event: "secrets modified",
@ -428,14 +409,6 @@ export const batchSecrets = async (req: Request, res: Response) => {

    await AuditLog.insertMany(auditLogs);

-    const deleteAction = (await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: req.user._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: deleteSecretIds
-    })) as IAction;
-    actions.push(deleteAction);
-
    if (postHogClient) {
      postHogClient.capture({
        event: "secrets deleted",
@ -451,17 +424,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
    }
  }

-  if (actions.length > 0) {
-    // (EE) create (audit) log
-    await EELogService.createLog({
-      userId: req.user._id.toString(),
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions,
-      channel,
-      ipAddress: req.realIP
-    });
-  }
-
  // // trigger event - push secrets
  await EventService.handleEvent({
    event: eventPushSecrets({
@ -731,27 +693,6 @@ export const createSecrets = async (req: Request, res: Response) => {
    )
  });

-  const addAction = await EELogService.createAction({
-    name: ACTION_ADD_SECRETS,
-    userId: req.user?._id,
-    serviceAccountId: req.serviceAccount?._id,
-    serviceTokenDataId: req.serviceTokenData?._id,
-    workspaceId: new Types.ObjectId(workspaceId),
-    secretIds: newlyCreatedSecrets.map((n) => n._id)
-  });
-
-  // (EE) create (audit) log
-  addAction &&
-    (await EELogService.createLog({
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions: [addAction],
-      channel,
-      ipAddress: req.realIP
-    }));
-
  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId: new Types.ObjectId(workspaceId),
@ -960,22 +901,6 @@ export const getSecrets = async (req: Request, res: Response) => {
    secrets = await Secret.find(secretQuery).populate("tags");
  }

-  // case: client authorization is via service account
-  if (req.serviceAccount) {
-    const secretQuery: any = {
-      workspace: workspaceId,
-      environment,
-      folder: folderId,
-      user: { $exists: false } // shared secrets only from workspace
-    };
-
-    if (tagIds.length > 0) {
-      secretQuery.tags = { $in: tagIds };
-    }
-
-    secrets = await Secret.find(secretQuery).populate("tags");
-  }
-
  // TODO(akhilmhdh) - secret-imp change this to org type
  let importedSecrets: any[] = [];
  if (include_imports) {
@ -988,28 +913,6 @@ export const getSecrets = async (req: Request, res: Response) => {
    );
  }

-  const channel = getUserAgentType(req.headers["user-agent"]);
-
-  const readAction = await EELogService.createAction({
-    name: ACTION_READ_SECRETS,
-    userId: req.user?._id,
-    serviceAccountId: req.serviceAccount?._id,
-    serviceTokenDataId: req.serviceTokenData?._id,
-    workspaceId: new Types.ObjectId(workspaceId as string),
-    secretIds: secrets.map((n: any) => n._id)
-  });
-
-  readAction &&
-    (await EELogService.createLog({
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId as string),
-      actions: [readAction],
-      channel,
-      ipAddress: req.realIP
-    }));
-
  await EEAuditLogService.createAuditLog(
    req.authData,
    {
@ -1247,27 +1150,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
    //   });
    // }, 10000);

-    const updateAction = await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-    });
-
-    // (EE) create (audit) log
-    updateAction &&
-      (await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(key),
-        actions: [updateAction],
-        channel,
-        ipAddress: req.realIP
-      }));
-
    // (EE) take a secret snapshot
    // IMP(akhilmhdh): commented out due to unknown where the environment is
    // await EESecretService.takeSecretSnapshot({
@ -1387,26 +1269,6 @@ export const deleteSecrets = async (req: Request, res: Response) => {
    //     workspaceId: new Types.ObjectId(key)
    //   })
    // });
-    const deleteAction = await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-    });
-
-    // (EE) create (audit) log
-    deleteAction &&
-      (await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(key),
-        actions: [deleteAction],
-        channel,
-        ipAddress: req.realIP
-      }));

    // (EE) take a secret snapshot
    // IMP(akhilmhdh): Not sure how to take secretSnapshot
--- a/backend-mongo/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend-mongo/src/controllers/v2/serviceTokenDataController.ts
@ -11,9 +11,9 @@ import * as reqValidator from "../../validation/serviceTokenData";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 import { Types } from "mongoose";

 /**
@ -75,12 +75,25 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
  const {
    body: { workspaceId, permissions, tag, encryptedKey, scopes, name, expiresIn, iv }
  } = await validateRequest(reqValidator.CreateServiceTokenV2, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.ServiceTokens
  );

+  scopes.forEach(({ environment, secretPath }) => {
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: secretPath })
+    );
+  })
+
+
  const secret = crypto.randomBytes(16).toString("hex");
  const secretHash = await bcrypt.hash(secret, await getSaltRounds());

@ -151,10 +164,11 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
  let serviceTokenData = await ServiceTokenData.findById(serviceTokenDataId);
  if (!serviceTokenData) throw BadRequestError({ message: "Service token not found" });

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    serviceTokenData.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: serviceTokenData.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.ServiceTokens
--- a/backend-mongo/src/controllers/v2/signupController.ts
+++ b/backend-mongo/src/controllers/v2/signupController.ts
--- a/backend-mongo/src/controllers/v2/tagController.ts
+++ b/backend-mongo/src/controllers/v2/tagController.ts
@ -7,7 +7,7 @@ import { validateRequest } from "../../helpers/validation";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import * as reqValidator from "../../validation/tags";

@ -17,7 +17,11 @@ export const createWorkspaceTag = async (req: Request, res: Response) => {
    params: { workspaceId }
  } = await validateRequest(reqValidator.CreateWorkspaceTagsV2, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.Tags
@ -45,10 +49,11 @@ export const deleteWorkspaceTag = async (req: Request, res: Response) => {
    throw BadRequestError();
  }

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    tagFromDB.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: tagFromDB.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Tags
@ -66,7 +71,12 @@ export const getWorkspaceTags = async (req: Request, res: Response) => {
  const {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceTagsV2, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.Tags
--- a/backend-mongo/src/controllers/v2/usersController.ts
+++ b/backend-mongo/src/controllers/v2/usersController.ts
--- a/backend-mongo/src/controllers/v2/workspaceController.ts
+++ b/backend-mongo/src/controllers/v2/workspaceController.ts
@ -0,0 +1,883 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import {
+  IIdentity,
+  IdentityMembership,
+  IdentityMembershipOrg,
+  Key,
+  Membership,
+  ServiceTokenData,
+  Workspace
+} from "../../models";
+import { IRole, Role } from "../../ee/models";
+import {
+  pullSecrets as pull,
+  v2PushSecrets as push,
+  reformatPullSecrets
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { EventService, TelemetryService } from "../../services";
+import { eventPushSecrets } from "../../events";
+import { EEAuditLogService } from "../../ee/services";
+import { EventType } from "../../ee/models";
+import { validateRequest } from "../../helpers/validation";
+import * as reqValidator from "../../validation";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions,
+  getWorkspaceRolePermissions,
+  isAtLeastAsPrivilegedWorkspace
+} from "../../ee/services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+import { BadRequestError, ForbiddenRequestError, ResourceNotFoundError } from "../../utils/errors";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../../variables";
+
+interface V2PushSecret {
+  type: string; // personal or shared
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretKeyHash: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  secretValueHash: string;
+  secretCommentCiphertext?: string;
+  secretCommentIV?: string;
+  secretCommentTag?: string;
+  secretCommentHash?: string;
+}
+
+/**
+ * Upload (encrypted) secrets to workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
+  // upload (encrypted) secrets to workspace with id [workspaceId]
+  const postHogClient = await TelemetryService.getPostHogClient();
+  let { secrets }: { secrets: V2PushSecret[] } = req.body;
+  const { keys, environment, channel } = req.body;
+  const { workspaceId } = req.params;
+
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
+
+  // sanitize secrets
+  secrets = secrets.filter(
+    (s: V2PushSecret) => s.secretKeyCiphertext !== "" && s.secretValueCiphertext !== ""
+  );
+
+  await push({
+    userId: req.user._id,
+    workspaceId,
+    environment,
+    secrets,
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
+  });
+
+  await pushKeys({
+    userId: req.user._id,
+    workspaceId,
+    keys
+  });
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: "secrets pushed",
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }
+
+  // trigger event - push secrets
+  EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath: "/"
+    })
+  });
+
+  return res.status(200).send({
+    message: "Successfully uploaded workspace secrets"
+  });
+};
+
+/**
+ * Return (encrypted) secrets for workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pullSecrets = async (req: Request, res: Response) => {
+  let secrets;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;
+
+  let userId;
+  if (req.user) {
+    userId = req.user._id.toString();
+  } else if (req.serviceTokenData) {
+    userId = req.serviceTokenData.user.toString();
+  }
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
+
+  secrets = await pull({
+    userId,
+    workspaceId,
+    environment,
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
+  });
+
+  if (channel !== "cli") {
+    secrets = reformatPullSecrets({ secrets });
+  }
+
+  if (postHogClient) {
+    // capture secrets pushed event in production
+    postHogClient.capture({
+      distinctId: req.user.email,
+      event: "secrets pulled",
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }
+
+  return res.status(200).send({
+    secrets
+  });
+};
+
+export const getWorkspaceKey = async (req: Request, res: Response) => {
+  /* 
+    #swagger.summary = 'Return encrypted project key'
+    #swagger.description = 'Return encrypted project key'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "array",
+                    "items": {
+                        $ref: "#/components/schemas/ProjectKey" 
+                    },
+                    "description": "Encrypted project key for the given project"
+                }
+            }           
+        }
+    }   
+    */
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.GetWorkspaceKeyV2, req);
+
+  const key = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id
+  }).populate("sender", "+publicKey");
+
+  if (!key) throw new Error(`getWorkspaceKey: Failed to find workspace key [workspaceId=${workspaceId}] [receiver=${req.user._id}]`);
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.GET_WORKSPACE_KEY,
+      metadata: {
+        keyId: key._id.toString()
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
+  return res.status(200).json(key);
+};
+
+export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+
+  const serviceTokenData = await ServiceTokenData.find({
+    workspace: workspaceId
+  }).select("+encryptedKey +iv +tag");
+
+  return res.status(200).send({
+    serviceTokenData
+  });
+};
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+  /* 
+    #swagger.summary = 'Return project user memberships'
+    #swagger.description = 'Return project user memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": [],
+        "bearerAuth": []
+    }]
+
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+          "properties": {
+            "memberships": {
+              "type": "array",
+              "items": {
+                $ref: "#/components/schemas/Membership" 
+              },
+              "description": "Memberships of project"
+            }
+          }
+                }
+            }           
+        }
+    }   
+    */
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.GetWorkspaceMembershipsV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Member
+  );
+
+  const memberships = await Membership.find({
+    workspace: workspaceId
+  }).populate("user", "+publicKey");
+
+  return res.status(200).send({
+    memberships
+  });
+};
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const updateWorkspaceMembership = async (req: Request, res: Response) => {
+  /* 
+    #swagger.summary = 'Update project user membership'
+    #swagger.description = 'Update project user membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": [],
+        "bearerAuth": []
+    }]
+
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 
+
+  #swagger.parameters['membershipId'] = {
+    "description": "ID of project membership to update",
+    "required": true,
+    "type": "string"
+  } 
+
+  #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role to update to for project membership",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+          "type": "object",
+          "properties": {
+            "membership": {
+              $ref: "#/components/schemas/Membership",
+              "description": "Updated membership"
+            }
+          }
+                }
+            }           
+        }
+    }   
+    */
+  const {
+    params: { workspaceId, membershipId },
+    body: { role }
+  } = await validateRequest(reqValidator.UpdateWorkspaceMembershipsV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.Member
+  );
+
+  const membership = await Membership.findByIdAndUpdate(
+    membershipId,
+    {
+      role
+    },
+    {
+      new: true
+    }
+  );
+
+  return res.status(200).send({
+    membership
+  });
+};
+
+/**
+ * Delete workspace membership with id [membershipId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
+  /* 
+    #swagger.summary = 'Delete project user membership'
+    #swagger.description = 'Delete project user membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": [],
+        "bearerAuth": []
+    }]
+
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 
+
+  #swagger.parameters['membershipId'] = {
+    "description": "ID of project membership to delete",
+    "required": true,
+    "type": "string"
+  } 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+          "type": "object",
+          "properties": {
+            "membership": {
+              $ref: "#/components/schemas/Membership",
+              "description": "Deleted membership"
+            }
+          }
+                }
+            }           
+        }
+    }   
+    */
+  const {
+    params: { workspaceId, membershipId }
+  } = await validateRequest(reqValidator.DeleteWorkspaceMembershipsV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.Member
+  );
+
+  const membership = await Membership.findByIdAndDelete(membershipId);
+
+  if (!membership) throw new Error("Failed to delete workspace membership");
+
+  await Key.deleteMany({
+    receiver: membership.user,
+    workspace: membership.workspace
+  });
+
+  return res.status(200).send({
+    membership
+  });
+};
+
+/**
+ * Change autoCapitilzation Rule of workspace
+ * @param req
+ * @param res
+ * @returns
+ */
+export const toggleAutoCapitalization = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId },
+    body: { autoCapitalization }
+  } = await validateRequest(reqValidator.ToggleAutoCapitalizationV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.Settings
+  );
+
+  const workspace = await Workspace.findOneAndUpdate(
+    {
+      _id: workspaceId
+    },
+    {
+      autoCapitalization
+    },
+    {
+      new: true
+    }
+  );
+
+  return res.status(200).send({
+    message: "Successfully changed autoCapitalization setting",
+    workspace
+  });
+};
+
+/**
+ * Add identity with id [identityId] to workspace
+ * with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const addIdentityToWorkspace = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId, identityId },
+    body: {
+      role
+    }
+  } = await validateRequest(reqValidator.AddIdentityToWorkspaceV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.Identity
+  );
+
+  let identityMembership = await IdentityMembership.findOne({
+    identity: new Types.ObjectId(identityId),
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  if (identityMembership) throw BadRequestError({
+    message: `Identity with id ${identityId} already exists in project with id ${workspaceId}`
+  });
+
+
+  const workspace = await Workspace.findById(workspaceId);
+  if (!workspace) throw ResourceNotFoundError();
+
+  const identityMembershipOrg = await IdentityMembershipOrg.findOne({
+    identity: new Types.ObjectId(identityId),
+    organization: workspace.organization
+  });
+
+  if (!identityMembershipOrg) throw ResourceNotFoundError({
+    message: `Failed to find identity with id ${identityId}`
+  });
+
+  if (!identityMembershipOrg.organization.equals(workspace.organization)) throw BadRequestError({
+    message: "Failed to add identity to project in another organization"
+  });
+
+  const rolePermission = await getWorkspaceRolePermissions(role, workspaceId);
+  const isAsPrivilegedAsIntendedRole = isAtLeastAsPrivilegedWorkspace(permission, rolePermission);
+
+  if (!isAsPrivilegedAsIntendedRole) throw ForbiddenRequestError({
+    message: "Failed to add identity to project with more privileged role"
+  });
+
+  let customRole;
+  if (role) {
+    const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
+    if (isCustomRole) {
+      customRole = await Role.findOne({
+        slug: role,
+        isOrgRole: false,
+        workspace: new Types.ObjectId(workspaceId)
+      });
+
+      if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+  }
+
+  identityMembership = await new IdentityMembership({
+    identity: identityMembershipOrg.identity,
+    workspace: new Types.ObjectId(workspaceId),
+    role: customRole ? CUSTOM : role,
+    customRole
+  }).save();
+
+  return res.status(200).send({
+    identityMembership
+  });
+}
+
+/**
+ * Update role of identity with id [identityId] in workspace
+ * with id [workspaceId] to [role]
+ * @param req 
+ * @param res 
+ */
+ export const updateIdentityWorkspaceRole = async (req: Request, res: Response) => {
+   /* 
+    #swagger.summary = 'Update project identity membership'
+    #swagger.description = 'Update project identity membership'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['identityId'] = {
+		"description": "ID of identity whose membership to update in project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role to update to for identity project membership",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+          "application/json": {
+            "schema": { 
+              "type": "object",
+              "properties": {
+                "identityMembership": {
+                  $ref: "#/components/schemas/IdentityMembership",
+                  "description": "Updated identity membership"
+                }
+              }
+            }
+          }           
+        }
+    }   
+    */
+  const {
+    params: { workspaceId, identityId },
+    body: {
+      role
+    }
+  } = await validateRequest(reqValidator.UpdateIdentityWorkspaceRoleV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.Identity
+  );
+
+  let identityMembership = await IdentityMembership
+    .findOne({
+      identity: new Types.ObjectId(identityId),
+      workspace: new Types.ObjectId(workspaceId)
+    })
+    .populate<{
+      identity: IIdentity,
+      customRole: IRole
+    }>("identity customRole");
+
+  if (!identityMembership) throw BadRequestError({
+    message: `Identity with id ${identityId} does not exist in project with id ${workspaceId}`
+  });
+
+  const identityRolePermission = await getWorkspaceRolePermissions(
+    identityMembership?.customRole?.slug ?? identityMembership.role,
+    identityMembership.workspace.toString()
+  );
+  const isAsPrivilegedAsIdentity = isAtLeastAsPrivilegedWorkspace(permission, identityRolePermission);
+  if (!isAsPrivilegedAsIdentity) throw ForbiddenRequestError({
+    message: "Failed to update role of more privileged identity"
+  });
+
+  const rolePermission = await getWorkspaceRolePermissions(role, workspaceId);
+  const isAsPrivilegedAsIntendedRole = isAtLeastAsPrivilegedWorkspace(permission, rolePermission);
+
+  if (!isAsPrivilegedAsIntendedRole) throw ForbiddenRequestError({
+    message: "Failed to update identity to a more privileged role"
+  });
+
+  let customRole;
+  if (role) {
+    const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
+    if (isCustomRole) {
+      customRole = await Role.findOne({
+        slug: role,
+        isOrgRole: false,
+        workspace: new Types.ObjectId(workspaceId)
+      });
+
+      if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+  }
+
+  identityMembership = await IdentityMembership.findOneAndUpdate(
+    {
+      identity: identityMembership.identity._id,
+      workspace: new Types.ObjectId(workspaceId),
+    },
+    {
+      role: customRole ? CUSTOM : role,
+      customRole
+    },
+    {
+      new: true
+    }
+  );
+
+  return res.status(200).send({
+    identityMembership
+  });
+}
+
+/**
+ * Delete identity with id [identityId] from workspace
+ * with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+ export const deleteIdentityFromWorkspace = async (req: Request, res: Response) => {
+   /* 
+    #swagger.summary = 'Delete project identity membership'
+    #swagger.description = 'Delete project identity membership'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['identityId'] = {
+		"description": "ID of identity whose membership to delete in project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+          "application/json": {
+            "schema": { 
+              "type": "object",
+              "properties": {
+                "identityMembership": {
+                  $ref: "#/components/schemas/IdentityMembership",
+                  "description": "Deleted identity membership"
+                }
+              }
+            }
+          }           
+        }
+    }   
+    */
+  const {
+    params: { workspaceId, identityId }
+  } = await validateRequest(reqValidator.DeleteIdentityFromWorkspaceV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.Identity
+  );
+
+  const identityMembership = await IdentityMembership
+    .findOne({
+      identity: new Types.ObjectId(identityId),
+      workspace: new Types.ObjectId(workspaceId)
+    })
+    .populate<{
+      identity: IIdentity,
+      customRole: IRole
+    }>("identity customRole");
+
+  if (!identityMembership) throw ResourceNotFoundError({
+    message: `Identity with id ${identityId} does not exist in project with id ${workspaceId}`
+  });
+
+  const identityRolePermission = await getWorkspaceRolePermissions(
+    identityMembership?.customRole?.slug ?? identityMembership.role,
+    identityMembership.workspace.toString()
+  );
+  const isAsPrivilegedAsIdentity = isAtLeastAsPrivilegedWorkspace(permission, identityRolePermission);
+  if (!isAsPrivilegedAsIdentity) throw ForbiddenRequestError({
+    message: "Failed to remove more privileged identity from project"
+  });
+
+  await IdentityMembership.findByIdAndDelete(identityMembership._id);
+
+  return res.status(200).send({
+    identityMembership
+  });
+}
+
+/**
+ * Return list of identity memberships for workspace with id [workspaceId]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+ export const getWorkspaceIdentityMemberships = async (req: Request, res: Response) => {
+   /*
+    #swagger.summary = 'Return project identity memberships'
+    #swagger.description = 'Return project identity memberships'
+
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+    
+    #swagger.parameters['workspaceId'] = {
+        "description": "ID of project",
+        "required": true,
+        "type": "string",
+        "in": "path"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+              "schema": { 
+                "type": "object",
+                "properties": {
+                  "identityMemberships": {
+                    "type": "array",
+                    "items": {
+                      $ref: "#/components/schemas/IdentityMembership" 
+                    },
+                    "description": "Identity memberships of project"
+                  }
+                }
+              }
+            }           
+        }
+    }
+  */
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.GetWorkspaceIdentityMembersV2, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Identity
+  );
+
+  const identityMemberships = await IdentityMembership.find({
+    workspace: new Types.ObjectId(workspaceId)
+  }).populate("identity customRole");
+
+  return res.status(200).send({
+    identityMemberships
+  });
+}
--- a/backend-mongo/src/controllers/v3/authController.ts
+++ b/backend-mongo/src/controllers/v3/authController.ts
@ -8,11 +8,9 @@ import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../h
 import { checkUserDevice } from "../../helpers/user";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
-import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { AuthMethod } from "../../models/user";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
@ -134,10 +132,11 @@ export const login2 = async (req: Request, res: Response) => {
          // generate temporary MFA token
          const token = createToken({
            payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
              userId: user._id.toString()
            },
            expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
          });

          const code = await TokenService.createToken({
@ -214,19 +213,6 @@ export const login2 = async (req: Request, res: Response) => {
          response.protectedKeyTag = user.protectedKeyTag;
        }

-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.realIP
-          }));
-
        return res.status(200).send(response);
      }

--- a/backend-mongo/src/controllers/v3/index.ts
+++ b/backend-mongo/src/controllers/v3/index.ts
@ -1,9 +1,11 @@
+import * as usersController from "./usersController";
 import * as secretsController from "./secretsController";
 import * as workspacesController from "./workspacesController";
 import * as authController from "./authController";
 import * as signupController from "./signupController";

 export {
+    usersController,
    authController,
    secretsController,
    signupController,
--- a/backend-mongo/src/controllers/v3/secretsController.ts
+++ b/backend-mongo/src/controllers/v3/secretsController.ts
--- a/backend-mongo/src/controllers/v3/signupController.ts
+++ b/backend-mongo/src/controllers/v3/signupController.ts
@ -5,10 +5,10 @@ import { MembershipOrg, User } from "../../models";
 import { completeAccount } from "../../helpers/user";
 import { initializeDefaultOrg } from "../../helpers/signup";
 import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
-import { ACCEPTED, INVITED } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED } from "../../variables";
 import { standardRequest } from "../../config/request";
-import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
-import { BadRequestError } from "../../utils/errors";
+import { getAuthSecret, getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { TelemetryService } from "../../services";
 import { AuthMethod } from "../../models";
 import { validateRequest } from "../../helpers/validation";
@ -78,12 +78,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
      }

      const decodedToken = <jwt.UserIDJwtPayload>(
-        jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+        jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret())
      );
-
-      if (decodedToken.userId !== user.id) {
-        throw BadRequestError();
-      }
+      
+      if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError();
+      if (decodedToken.userId !== user.id) throw UnauthorizedRequestError();
    }

    // complete setting up user's account
--- a/backend-mongo/src/controllers/v3/usersController.ts
+++ b/backend-mongo/src/controllers/v3/usersController.ts
@ -0,0 +1,18 @@
+import { Request, Response } from "express";
+import { APIKeyDataV2 } from "../../models";
+
+/**
+ * Return API keys belonging to current user.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getMyAPIKeys = async (req: Request, res: Response) => {
+    const apiKeyData = await APIKeyDataV2.find({
+        user: req.user._id
+    });
+
+    return res.status(200).send({
+        apiKeyData
+    });
+}
--- a/backend-mongo/src/controllers/v3/workspacesController.ts
+++ b/backend-mongo/src/controllers/v3/workspacesController.ts
@ -1,9 +1,9 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { validateRequest } from "../../helpers/validation";
-import { Secret, ServiceTokenDataV3 } from "../../models";
+import { Membership, Secret, User } from "../../models";
 import { SecretService } from "../../services";
-import { getUserProjectPermissions } from "../../ee/services/ProjectRoleService";
+import { getAuthDataProjectPermissions } from "../../ee/services/ProjectRoleService";
 import { UnauthorizedRequestError } from "../../utils/errors";
 import * as reqValidator from "../../validation/workspace";

@ -19,9 +19,22 @@ export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response)
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceBlinkIndexStatusV3, req);

-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
-  if (membership.role !== "admin")
-    throw UnauthorizedRequestError({ message: "User must be an admin" });
+  await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (req.authData.authPayload instanceof User) {
+    const membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+    
+    if (!membership) throw UnauthorizedRequestError();
+
+    if (membership.role !== "admin")
+      throw UnauthorizedRequestError({ message: "User must be an admin" });
+  }

  const secretsWithoutBlindIndex = await Secret.countDocuments({
    workspace: new Types.ObjectId(workspaceId),
@ -41,9 +54,22 @@ export const getWorkspaceSecrets = async (req: Request, res: Response) => {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceSecretsV3, req);

-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
-  if (membership.role !== "admin")
-    throw UnauthorizedRequestError({ message: "User must be an admin" });
+  await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (req.authData.authPayload instanceof User) {
+    const membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+    
+    if (!membership) throw UnauthorizedRequestError();
+
+    if (membership.role !== "admin")
+      throw UnauthorizedRequestError({ message: "User must be an admin" });
+  }

  const secrets = await Secret.find({
    workspace: new Types.ObjectId(workspaceId)
@ -65,9 +91,22 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
    body: { secretsToUpdate }
  } = await validateRequest(reqValidator.NameWorkspaceSecretsV3, req);

-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
-  if (membership.role !== "admin")
-    throw UnauthorizedRequestError({ message: "User must be an admin" });
+  await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (req.authData.authPayload instanceof User) {
+    const membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+    
+    if (!membership) throw UnauthorizedRequestError();
+
+    if (membership.role !== "admin")
+      throw UnauthorizedRequestError({ message: "User must be an admin" });
+  }

  // get secret blind index salt
  const salt = await SecretService.getSecretBlindIndexSalt({
@ -101,17 +140,3 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
    message: "Successfully named workspace secrets"
  });
 };
-
-export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
-  const {
-    params: { workspaceId }
-  } = await validateRequest(reqValidator.GetWorkspaceServiceTokenDataV3, req);
-  
-  const serviceTokenData = await ServiceTokenDataV3.find({
-    workspace: new Types.ObjectId(workspaceId)
-  });
-  
-  return res.status(200).send({
-    serviceTokenData
-  });
-}
--- a/backend-mongo/src/data/disposable_emails.txt
+++ b/backend-mongo/src/data/disposable_emails.txt
--- a/backend-mongo/src/ee/LICENSE
+++ b/backend-mongo/src/ee/LICENSE
--- a/backend-mongo/src/ee/controllers/v1/cloudProductsController.ts
+++ b/backend-mongo/src/ee/controllers/v1/cloudProductsController.ts
--- a/backend-mongo/src/ee/controllers/v1/identitiesController.ts
+++ b/backend-mongo/src/ee/controllers/v1/identitiesController.ts
@ -0,0 +1,460 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import {
+    IIdentity,
+    Identity,
+    IdentityAccessToken,
+    IdentityMembership,
+    IdentityMembershipOrg,
+    IdentityUniversalAuth,
+    IdentityUniversalAuthClientSecret,
+    Organization
+} from "../../../models";
+import {
+    EventType,
+    IRole,
+    Role
+} from "../../models";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../../validation/identities";
+import {
+    getAuthDataOrgPermissions,
+    getOrgRolePermissions,
+    isAtLeastAsPrivilegedOrg
+} from "../../services/RoleService";
+import {
+    BadRequestError,
+    ForbiddenRequestError,
+    ResourceNotFoundError,
+} from "../../../utils/errors";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS } from "../../../variables";
+import {
+    OrgPermissionActions,
+    OrgPermissionSubjects
+} from "../../services/RoleService";
+import { EEAuditLogService } from "../../services";
+import { ForbiddenError } from "@casl/ability";
+
+/**
+ * Create identity
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createIdentity = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Create identity'
+        #swagger.description = 'Create identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "description": "Name of entity to create",
+                                "example": "development"
+                            },
+                            "organizationId": {
+                                "type": "string",
+                                "description": "ID of organization where to create identity",
+                                "example": "dev-environment"
+                            },
+                            "role": {
+                                "type": "string",
+                                "description": "Role to assume for organization membership",
+                                "example": "no-access"
+                            }
+                        },
+                        "required": ["name", "organizationId", "role"]
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identity": {
+                                $ref: '#/definitions/Identity'
+                            }
+                        },
+                        "description": "Details of the created identity"
+                    }
+                }
+            }
+        }
+    */
+    const {
+        body: {
+            name,
+            organizationId,
+            role
+        }
+    } = await validateRequest(reqValidator.CreateIdentityV1, req);
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Create,
+        OrgPermissionSubjects.Identity
+    );
+
+    const rolePermission = await getOrgRolePermissions(role, organizationId);
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to create a more privileged identity"
+    });
+
+    const organization = await Organization.findById(organizationId);
+    if (!organization) throw BadRequestError({ message: `Organization with id ${organizationId} not found` });
+
+    const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
+
+    let customRole;
+    if (isCustomRole) {
+        customRole = await Role.findOne({
+            slug: role,
+            isOrgRole: true,
+            organization: new Types.ObjectId(organizationId)
+        });
+
+        if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+    
+    const identity = await new Identity({
+        name
+    }).save();
+
+    await new IdentityMembershipOrg({
+        identity: identity._id,
+        organization: new Types.ObjectId(organizationId),
+        role: isCustomRole ? CUSTOM : role,
+        customRole
+    }).save();
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.CREATE_IDENTITY,
+            metadata: {
+                identityId: identity._id.toString(),
+                name
+            }
+        },
+        {
+            organizationId: new Types.ObjectId(organizationId)
+        }
+    );
+
+    return res.status(200).send({
+        identity
+    });
+}
+
+/**
+ * Update identity with id [identityId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+ export const updateIdentity = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Update identity'
+        #swagger.description = 'Update identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity to update",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "description": "Name of entity to update to",
+                                "example": "development"
+                            },
+                            "role": {
+                                "type": "string",
+                                "description": "Role to update to for organization membership",
+                                "example": "no-access"
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identity": {
+                                $ref: '#/definitions/Identity'
+                            }
+                        },
+                        "description": "Details of the updated identity"
+                    }
+                }
+            }
+        }
+    */
+    const {
+        params: { identityId  },
+        body: {
+            name,
+            role
+        }
+    } = await validateRequest(reqValidator.UpdateIdentityV1, req);
+
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Edit,
+        OrgPermissionSubjects.Identity
+    );
+
+    const identityRolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, identityRolePermission);
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to update more privileged identity"
+    });
+
+    if (role) {
+        const rolePermission = await getOrgRolePermissions(role, identityMembershipOrg.organization.toString());
+        const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+        if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+            message: "Failed to update identity to a more privileged role"
+        });
+    }
+
+    let customRole;
+    if (role) {
+        const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
+        if (isCustomRole) {
+            customRole = await Role.findOne({
+                slug: role,
+                isOrgRole: true,
+                organization: identityMembershipOrg.organization
+            });
+
+            if (!customRole) throw BadRequestError({ message: "Role not found" });
+        }
+    }
+
+    const identity = await Identity.findByIdAndUpdate(
+        identityId,
+        {
+            name,
+        },
+        {
+            new: true
+        }
+    );
+
+    if (!identity) throw BadRequestError({
+        message: `Failed to update identity with id ${identityId}`
+    });
+
+    await IdentityMembershipOrg.findOneAndUpdate(
+        {
+            identity: identity._id
+        },
+        {
+            role: customRole ? CUSTOM : role,
+            ...(customRole ? {
+                customRole
+            } : {}),
+            ...(role && !customRole ? { // non-custom role
+                $unset: {
+                    customRole: 1
+                }
+            } : {})
+        },
+        {
+            new: true
+        }
+    );
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.UPDATE_IDENTITY,
+            metadata: {
+                identityId: identity._id.toString(),
+                name: identity.name,
+            }
+        },
+        {
+            organizationId: identityMembershipOrg.organization
+        }
+    );
+
+    return res.status(200).send({
+        identity
+    });
+}
+
+/**
+ * Delete identity with id [identityId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+ export const deleteIdentity = async (req: Request, res: Response) => {
+     /*
+        #swagger.summary = 'Delete identity'
+        #swagger.description = 'Delete identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identity": {
+                                $ref: '#/definitions/Identity'
+                            }
+                        },
+                        "description": "Details of the deleted identity"
+                    }
+                }
+            }
+        }
+    */
+    const {
+        params: { identityId }
+    } = await validateRequest(reqValidator.DeleteIdentityV1, req);
+    
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Delete,
+        OrgPermissionSubjects.Identity
+    );
+
+    const identityRolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, identityRolePermission);
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to delete more privileged identity"
+    });
+
+    const identity = await Identity.findByIdAndDelete(identityMembershipOrg.identity);
+    if (!identity) throw ResourceNotFoundError({
+        message: `Identity with id ${identityId} not found`
+    });
+
+    await IdentityMembershipOrg.findByIdAndDelete(identityMembershipOrg._id);
+
+    await IdentityMembership.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+    
+    await IdentityUniversalAuth.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+    
+    await IdentityUniversalAuthClientSecret.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+    
+    await IdentityAccessToken.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.DELETE_IDENTITY,
+            metadata: {
+                identityId: identity._id.toString()
+            }
+        },
+        {
+            organizationId: identityMembershipOrg.organization
+        }
+    );
+
+    return res.status(200).send({
+        identity
+    });
+}
+
+
+
+
+
--- a/backend-mongo/src/ee/controllers/v1/index.ts
+++ b/backend-mongo/src/ee/controllers/v1/index.ts
@ -1,27 +1,31 @@
+import * as identitiesController from "./identitiesController";
 import * as secretController from "./secretController";
 import * as secretSnapshotController from "./secretSnapshotController";
 import * as organizationsController from "./organizationsController";
 import * as ssoController from "./ssoController";
 import * as usersController from "./usersController";
 import * as workspaceController from "./workspaceController";
-import * as actionController from "./actionController";
 import * as membershipController from "./membershipController";
 import * as cloudProductsController from "./cloudProductsController";
 import * as roleController from "./roleController";
 import * as secretApprovalPolicyController from "./secretApprovalPolicyController";
 import * as secretApprovalRequestController from "./secretApprovalRequestsController";
+import * as secretRotationProviderController from "./secretRotationProviderController";
+import * as secretRotationController from "./secretRotationController";

 export {
+  identitiesController,
  secretController,
  secretSnapshotController,
  organizationsController,
  ssoController,
  usersController,
  workspaceController,
-  actionController,
  membershipController,
  cloudProductsController,
  roleController,
  secretApprovalPolicyController,
-  secretApprovalRequestController
+  secretApprovalRequestController,
+  secretRotationProviderController,
+  secretRotationController
 };
--- a/backend-mongo/src/ee/controllers/v1/membershipController.ts
+++ b/backend-mongo/src/ee/controllers/v1/membershipController.ts
--- a/backend-mongo/src/ee/controllers/v1/organizationsController.ts
+++ b/backend-mongo/src/ee/controllers/v1/organizationsController.ts
@ -8,7 +8,7 @@ import * as reqValidator from "../../../validation/organization";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions,
 } from "../../services/RoleService";
 import { ForbiddenError } from "@casl/ability";
 import { Organization } from "../../../models";
@ -20,7 +20,10 @@ export const getOrganizationPlansTable = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlansTablev1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -42,7 +45,10 @@ export const getOrganizationPlan = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -70,7 +76,10 @@ export const startOrganizationTrial = async (req: Request, res: Response) => {
    body: { success_url }
  } = await validateRequest(reqValidator.StartOrgTrailv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Billing
@ -116,7 +125,10 @@ export const getOrganizationPlanBillingInfo = async (req: Request, res: Response
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanBillingInfov1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -149,7 +161,10 @@ export const getOrganizationPlanTable = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanTablev1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -176,7 +191,10 @@ export const getOrganizationBillingDetails = async (req: Request, res: Response)
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgBillingDetailsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -204,7 +222,10 @@ export const updateOrganizationBillingDetails = async (req: Request, res: Respon
    body: { name, email }
  } = await validateRequest(reqValidator.UpdateOrgBillingDetailsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Billing
@ -238,7 +259,10 @@ export const getOrganizationPmtMethods = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPmtMethodsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -271,7 +295,10 @@ export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
    body: { success_url, cancel_url }
  } = await validateRequest(reqValidator.CreateOrgPmtMethodv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Billing
@ -312,7 +339,10 @@ export const deleteOrganizationPmtMethod = async (req: Request, res: Response) =
    params: { organizationId, pmtMethodId }
  } = await validateRequest(reqValidator.DelOrgPmtMethodv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Billing
@ -342,7 +372,10 @@ export const getOrganizationTaxIds = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgTaxIdsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -375,7 +408,10 @@ export const addOrganizationTaxId = async (req: Request, res: Response) => {
    body: { type, value }
  } = await validateRequest(reqValidator.CreateOrgTaxId, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Billing
@ -412,7 +448,10 @@ export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
    params: { organizationId, taxId }
  } = await validateRequest(reqValidator.DelOrgTaxIdv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Billing
@ -445,7 +484,10 @@ export const getOrganizationInvoices = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgInvoicesv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -480,7 +522,10 @@ export const getOrganizationLicenses = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgLicencesv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
--- a/backend-mongo/src/ee/controllers/v1/roleController.ts
+++ b/backend-mongo/src/ee/controllers/v1/roleController.ts
@ -1,4 +1,6 @@
 import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Membership, User } from "../../../models";
 import {
  CreateRoleSchema,
  DeleteRoleSchema,
@ -11,16 +13,19 @@ import {
  ProjectPermissionActions,
  ProjectPermissionSub,
  adminProjectPermissions,
-  getUserProjectPermissions,
+  getAuthDataProjectPermissions,
  memberProjectPermissions,
+  noAccessProjectPermissions,
  viewerProjectPermission
 } from "../../services/ProjectRoleService";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
  adminPermissions,
+  getAuthDataOrgPermissions,
  getUserOrgPermissions,
-  memberPermissions
+  memberPermissions,
+  noAccessPermissions
 } from "../../services/RoleService";
 import { BadRequestError } from "../../../utils/errors";
 import { Role } from "../../models";
@ -34,12 +39,19 @@ export const createRole = async (req: Request, res: Response) => {

  const isOrgRole = !workspaceId; // if workspaceid is provided then its a workspace rule
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, orgId);
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: new Types.ObjectId(orgId)
+    });
+    
    if (permission.cannot(OrgPermissionActions.Create, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "user doesn't have the permission." });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
    if (permission.cannot(ProjectPermissionActions.Create, ProjectPermissionSub.Role)) {
      throw BadRequestError({ message: "User doesn't have the permission." });
    }
@ -75,14 +87,21 @@ export const updateRole = async (req: Request, res: Response) => {
    body: { name, description, slug, permissions, workspaceId, orgId }
  } = await validateRequest(UpdateRoleSchema, req);
  const isOrgRole = !workspaceId; // if workspaceid is provided then its a workspace rule
-
+  
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, orgId);
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: new Types.ObjectId(orgId)
+    });
    if (permission.cannot(OrgPermissionActions.Edit, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "User doesn't have the org permission." });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    if (permission.cannot(ProjectPermissionActions.Edit, ProjectPermissionSub.Role)) {
      throw BadRequestError({ message: "User doesn't have the workspace permission." });
    }
@ -129,12 +148,19 @@ export const deleteRole = async (req: Request, res: Response) => {

  const isOrgRole = !role.workspace;
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, role.organization.toString());
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: role.organization
+    });
    if (permission.cannot(OrgPermissionActions.Delete, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "User doesn't have the org permission." });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, role.workspace.toString());
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: role.workspace
+    });
+
    if (permission.cannot(ProjectPermissionActions.Delete, ProjectPermissionSub.Role)) {
      throw BadRequestError({ message: "User doesn't have the workspace permission." });
    }
@ -157,12 +183,19 @@ export const getRoles = async (req: Request, res: Response) => {

  const isOrgRole = !workspaceId;
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, orgId);
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: new Types.ObjectId(orgId)
+    });
    if (permission.cannot(OrgPermissionActions.Read, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "User doesn't have the org permission." });
    }
  } else {
-    const { permission } = await getUserProjectPermissions(req.user.id, workspaceId);
+    const { permission } = await getAuthDataProjectPermissions({
+      authData: req.authData,
+      workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    if (permission.cannot(ProjectPermissionActions.Read, ProjectPermissionSub.Role)) {
      throw BadRequestError({ message: "User doesn't have the workspace permission." });
    }
@ -178,6 +211,13 @@ export const getRoles = async (req: Request, res: Response) => {
      description: "Complete administration access over the organization",
      permissions: isOrgRole ? adminPermissions.rules : adminProjectPermissions.rules
    },
+    {
+      _id: "no-access",
+      name: "No Access",
+      slug: "no-access",
+      description: "No access to any resources in the organization",
+      permissions: isOrgRole ? noAccessPermissions.rules : noAccessProjectPermissions.rules
+    },
    {
      _id: "member",
      name: isOrgRole ? "Member" : "Developer",
@ -213,11 +253,12 @@ export const getUserPermissions = async (req: Request, res: Response) => {
    params: { orgId }
  } = await validateRequest(GetUserPermission, req);
  
-  const { permission } = await getUserOrgPermissions(req.user._id, orgId);
+  const { permission, membership } = await getUserOrgPermissions(req.user._id, orgId);

  res.status(200).json({
    data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
    }
  });
 };
@ -226,11 +267,24 @@ export const getUserWorkspacePermissions = async (req: Request, res: Response) =
  const {
    params: { workspaceId }
  } = await validateRequest(GetUserProjectPermission, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
+  let membership;
+  if (req.authData.authPayload instanceof User) {
+    membership = await Membership.findOne({
+      user: req.authData.authPayload._id,
+      workspace: new Types.ObjectId(workspaceId)
+    })
+  }

  res.status(200).json({
    data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
    }
  });
 };
--- a/backend-mongo/src/ee/controllers/v1/secretApprovalPolicyController.ts
+++ b/backend-mongo/src/ee/controllers/v1/secretApprovalPolicyController.ts
@ -1,10 +1,11 @@
+import { Types } from "mongoose";
 import { ForbiddenError, subject } from "@casl/ability";
 import { Request, Response } from "express";
 import { nanoid } from "nanoid";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { validateRequest } from "../../../helpers/validation";
 import { SecretApprovalPolicy } from "../../models/secretApprovalPolicy";
@ -19,7 +20,11 @@ export const createSecretApprovalPolicy = async (req: Request, res: Response) =>
    body: { approvals, secretPath, approvers, environment, workspaceId, name }
  } = await validateRequest(reqValidator.CreateSecretApprovalRule, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.SecretApproval
@ -49,10 +54,11 @@ export const updateSecretApprovalPolicy = async (req: Request, res: Response) =>
  const secretApproval = await SecretApprovalPolicy.findById(id);
  if (!secretApproval) throw ERR_SECRET_APPROVAL_NOT_FOUND;

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    secretApproval.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secretApproval.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.SecretApproval
@ -78,10 +84,11 @@ export const deleteSecretApprovalPolicy = async (req: Request, res: Response) =>
  const secretApproval = await SecretApprovalPolicy.findById(id);
  if (!secretApproval) throw ERR_SECRET_APPROVAL_NOT_FOUND;

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    secretApproval.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secretApproval.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.SecretApproval
@ -99,7 +106,11 @@ export const getSecretApprovalPolicy = async (req: Request, res: Response) => {
    query: { workspaceId }
  } = await validateRequest(reqValidator.GetSecretApprovalRuleList, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.SecretApproval
@ -117,7 +128,11 @@ export const getSecretApprovalPolicyOfBoard = async (req: Request, res: Response
    query: { workspaceId, environment, secretPath }
  } = await validateRequest(reqValidator.GetSecretApprovalPolicyOfABoard, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    subject(ProjectPermissionSub.Secrets, { secretPath, environment })
--- a/backend-mongo/src/ee/controllers/v1/secretApprovalRequestsController.ts
+++ b/backend-mongo/src/ee/controllers/v1/secretApprovalRequestsController.ts
@ -1,7 +1,6 @@
 import { Request, Response } from "express";
-import { getUserProjectPermissions } from "../../services/ProjectRoleService";
 import { validateRequest } from "../../../helpers/validation";
-import { Folder } from "../../../models";
+import { Folder, Membership, User } from "../../../models";
 import { ApprovalStatus, SecretApprovalRequest } from "../../models/secretApprovalRequest";
 import * as reqValidator from "../../validation/secretApprovalRequest";
 import { getFolderWithPathFromId } from "../../../services/FolderService";
@ -17,7 +16,15 @@ export const getSecretApprovalRequestCount = async (req: Request, res: Response)
    query: { workspaceId }
  } = await validateRequest(reqValidator.getSecretApprovalRequestCount, req);

-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  if (!membership) throw UnauthorizedRequestError();
+
  const approvalRequestCount = await SecretApprovalRequest.aggregate([
    {
      $match: {
@ -65,7 +72,14 @@ export const getSecretApprovalRequests = async (req: Request, res: Response) =>
    query: { status, committer, workspaceId, environment, limit, offset }
  } = await validateRequest(reqValidator.getSecretApprovalRequests, req);

-  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  if (!membership) throw UnauthorizedRequestError();

  const query = {
    workspace: new Types.ObjectId(workspaceId),
@ -148,14 +162,19 @@ export const getSecretApprovalRequestDetails = async (req: Request, res: Respons
  if (!secretApprovalRequest)
    throw BadRequestError({ message: "Secret approval request not found" });

-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+
+  if (!membership) throw UnauthorizedRequestError();
+
  // allow to fetch only if its admin or is the committer or approver
  if (
    membership.role !== "admin" &&
-    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.committer.equals(membership.id) &&
    !secretApprovalRequest.policy.approvers.find(
      (approverId) => approverId.toString() === membership._id.toString()
    )
@ -190,10 +209,15 @@ export const updateSecretApprovalReviewStatus = async (req: Request, res: Respon
  if (!secretApprovalRequest)
    throw BadRequestError({ message: "Secret approval request not found" });

-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+
+  if (!membership) throw UnauthorizedRequestError();
+
  if (
    membership.role !== "admin" &&
    secretApprovalRequest.committer !== membership.id &&
@ -227,10 +251,15 @@ export const mergeSecretApprovalRequest = async (req: Request, res: Response) =>
  if (!secretApprovalRequest)
    throw BadRequestError({ message: "Secret approval request not found" });

-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+
+  if (!membership) throw UnauthorizedRequestError();
+
  if (
    membership.role !== "admin" &&
    secretApprovalRequest.committer !== membership.id &&
@ -272,10 +301,14 @@ export const updateSecretApprovalRequestStatus = async (req: Request, res: Respo
  if (!secretApprovalRequest)
    throw BadRequestError({ message: "Secret approval request not found" });

-  const { membership } = await getUserProjectPermissions(
-    req.user._id,
-    secretApprovalRequest.workspace.toString()
-  );
+  if (!(req.authData.authPayload instanceof User)) return;
+
+  const membership = await Membership.findOne({
+    user: req.authData.authPayload._id,
+    workspace: secretApprovalRequest.workspace
+  });
+
+  if (!membership) throw UnauthorizedRequestError();

  if (
    membership.role !== "admin" &&
--- a/backend-mongo/src/ee/controllers/v1/secretController.ts
+++ b/backend-mongo/src/ee/controllers/v1/secretController.ts
@ -5,7 +5,7 @@ import { Folder, Secret } from "../../../models";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { BadRequestError } from "../../../utils/errors";
 import * as reqValidator from "../../../validation";
@ -74,7 +74,11 @@ export const getSecretVersions = async (req: Request, res: Response) => {
    throw BadRequestError({ message: "Failed to find secret" });
  }

-  const { permission } = await getUserProjectPermissions(req.user._id, secret.workspace.toString());
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secret.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.SecretRollback
@ -157,10 +161,12 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
  if (!toBeUpdatedSec) {
    throw BadRequestError({ message: "Failed to find secret" });
  }
-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    toBeUpdatedSec.workspace.toString()
-  );
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: toBeUpdatedSec.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.SecretRollback
--- a/backend-mongo/src/ee/controllers/v1/secretRotationController.ts
+++ b/backend-mongo/src/ee/controllers/v1/secretRotationController.ts
@ -0,0 +1,110 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotation";
+import * as secretRotationService from "../../secretRotation/service";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const createSecretRotation = async (req: Request, res: Response) => {
+  const {
+    body: {
+      provider,
+      customProvider,
+      interval,
+      outputs,
+      secretPath,
+      environment,
+      workspaceId,
+      inputs
+    }
+  } = await validateRequest(reqValidator.createSecretRotationV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.createSecretRotation({
+    workspaceId,
+    inputs,
+    environment,
+    secretPath,
+    outputs,
+    interval,
+    customProvider,
+    provider
+  });
+
+  return res.send({ secretRotation });
+};
+
+export const restartSecretRotations = async (req: Request, res: Response) => {
+  const {
+    body: { id }
+  } = await validateRequest(reqValidator.restartSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: doc.workspace
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.restartSecretRotation({ id });
+  return res.send({ secretRotation });
+};
+
+export const deleteSecretRotations = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.removeSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: doc.workspace
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.deleteSecretRotation({ id });
+  return res.send({ secretRotations });
+};
+
+export const getSecretRotations = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.getSecretRotationOfWorkspace(workspaceId);
+  return res.send({ secretRotations });
+};
--- a/backend-mongo/src/ee/controllers/v1/secretRotationProviderController.ts
+++ b/backend-mongo/src/ee/controllers/v1/secretRotationProviderController.ts
@ -0,0 +1,33 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotationProvider";
+import * as secretRotationProviderService from "../../secretRotation/service";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getAuthDataProjectPermissions
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const getProviderTemplates = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationProvidersV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const rotationProviderList = await secretRotationProviderService.getProviderTemplate({
+    workspaceId
+  });
+
+  return res.send(rotationProviderList);
+};
--- a/backend-mongo/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend-mongo/src/ee/controllers/v1/secretSnapshotController.ts
@ -4,7 +4,7 @@ import { validateRequest } from "../../../helpers/validation";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import * as reqValidator from "../../../validation/secretSnapshot";
 import { ISecretVersion, SecretSnapshot, TFolderRootVersionSchema } from "../../models";
@ -33,10 +33,11 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {

  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");

-  const { permission } = await getUserProjectPermissions(
-    req.user._id,
-    secretSnapshot.workspace.toString()
-  );
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: secretSnapshot.workspace
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.SecretRollback
--- a/backend-mongo/src/ee/controllers/v1/ssoController.ts
+++ b/backend-mongo/src/ee/controllers/v1/ssoController.ts
@ -13,7 +13,7 @@ import { validateRequest } from "../../../helpers/validation";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -47,7 +47,10 @@ export const getSSOConfig = async (req: Request, res: Response) => {
    query: { organizationId }
  } = await validateRequest(reqValidator.GetSsoConfigv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Sso
@ -71,7 +74,10 @@ export const updateSSOConfig = async (req: Request, res: Response) => {
    body: { organizationId, authProvider, isActive, entryPoint, issuer, cert }
  } = await validateRequest(reqValidator.UpdateSsoConfigv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Sso
@ -206,7 +212,10 @@ export const createSSOConfig = async (req: Request, res: Response) => {
    body: { organizationId, authProvider, isActive, entryPoint, issuer, cert }
  } = await validateRequest(reqValidator.CreateSsoConfigv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Sso
--- a/backend-mongo/src/ee/controllers/v1/usersController.ts
+++ b/backend-mongo/src/ee/controllers/v1/usersController.ts
--- a/backend-mongo/src/ee/controllers/v1/workspaceController.ts
+++ b/backend-mongo/src/ee/controllers/v1/workspaceController.ts
@ -2,10 +2,11 @@ import { Request, Response } from "express";
 import { PipelineStage, Types } from "mongoose";
 import {
  Folder,
+  Identity,
+  IdentityMembership,
  Membership,
  Secret,
  ServiceTokenData,
-  ServiceTokenDataV3,
  TFolderSchema,
  User,
  Workspace
@ -17,18 +18,16 @@ import {
  FolderVersion,
  IPType,
  ISecretVersion,
-  Log,
+  IdentityActor,
  SecretSnapshot,
  SecretVersion,
  ServiceActor,
-  ServiceActorV3,
  TFolderRootVersionSchema,
  TrustedIP,
  UserActor
 } from "../../models";
 import { EESecretService } from "../../services";
 import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
-// import Folder, { TFolderSchema } from "../../../models/folder";
 import { getFolderByPath, searchByFolderId } from "../../../services/FolderService";
 import { EEAuditLogService, EELicenseService } from "../../services";
 import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
@ -38,7 +37,6 @@ import {
  DeleteWorkspaceTrustedIpV1,
  GetWorkspaceAuditLogActorFilterOptsV1,
  GetWorkspaceAuditLogsV1,
-  GetWorkspaceLogsV1,
  GetWorkspaceSecretSnapshotsCountV1,
  GetWorkspaceSecretSnapshotsV1,
  GetWorkspaceTrustedIpsV1,
@ -48,7 +46,7 @@ import {
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getUserProjectPermissions
+  getAuthDataProjectPermissions
 } from "../../services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { BadRequestError } from "../../../utils/errors";
@ -64,15 +62,30 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
    #swagger.description = 'Return project secret snapshots ids'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of project where to get secret snapshots for",
 		"required": true,
 		"type": "string"
 	} 

+	#swagger.parameters['environment'] = {
+      "description": "Slug of environment where to get secret snapshots for",
+      "required": true,
+      "type": "string",
+      "in": "query"
+  }
+
+  #swagger.parameters['directory'] = {
+      "description": "Path where to get secret snapshots for like / or /foo/bar. Default is /",
+      "required": false,
+      "type": "string",
+      "in": "query"
+  }
+
 	#swagger.parameters['offset'] = {
 		"description": "Number of secret snapshots to skip",
 		"required": false,
@ -109,7 +122,11 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
    query: { environment, directory, offset, limit }
  } = await validateRequest(GetWorkspaceSecretSnapshotsV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.SecretRollback
@ -150,7 +167,11 @@ export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Respon
    query: { environment, directory }
  } = await validateRequest(GetWorkspaceSecretSnapshotsCountV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.SecretRollback
@ -189,11 +210,12 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
    #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of project where to roll back",
 		"required": true,
 		"type": "string"
 	} 
@ -205,6 +227,14 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
          "schema": {
            "type": "object",
            "properties": {
+                "environment": {
+                  "type": "string",
+                  "description": "Slug of environment where to roll back"
+                },
+                "directory": {
+                  "type": "string",
+                  "description": "Path where to roll back for like / or /foo/bar. Default is /"
+                },
                "version": {
                    "type": "integer",
                    "description": "Version of secret snapshot to roll back to",
@ -240,7 +270,11 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
    body: { directory, environment, version }
  } = await validateRequest(RollbackWorkspaceSecretSnapshotV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.SecretRollback
@ -564,128 +598,117 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 };

 /**
- * Return (audit) logs for workspace with id [workspaceId]
+ * Return audit logs for workspace with id [workspaceId]
 * @param req
 * @param res
- * @returns
 */
-export const getWorkspaceLogs = async (req: Request, res: Response) => {
+export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Return project (audit) logs'
-    #swagger.description = 'Return project (audit) logs'
+    #swagger.summary = 'Return audit logs'
+    #swagger.description = 'Return audit logs'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+      "apiKeyAuth": []
    }]

-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
+    #swagger.parameters['workspaceId'] = {
+      "description": "ID of the workspace where to get folders from",
+      "required": true,
+      "type": "string",
+      "in": "path"
+    }

-	#swagger.parameters['userId'] = {
-		"description": "ID of project member",
-		"required": false,
-		"type": "string"
-	} 
+    #swagger.parameters['offset'] = {
+      "description": "Number of logs to skip before starting to return logs for pagination",
+      "required": false,
+      "type": "string"
+    }

-	#swagger.parameters['offset'] = {
-		"description": "Number of logs to skip",
-		"required": false,
-		"type": "string"
-	}
+    #swagger.parameters['limit'] = {
+      "description": "Maximum number of logs to return for pagination",
+      "required": false,
+      "type": "string"
+    }

-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of logs to return",
-		"required": false,
-		"type": "string"
-	}
+   #swagger.parameters['startDate'] = {
+      "description": "Filter logs from this date in ISO-8601 format",
+      "required": false,
+      "type": "string"
+    }

-	#swagger.parameters['sortBy'] = {
-		"description": "Order to sort the logs by",
-		"schema": {
-			"type": "string",
-			"@enum": ["oldest", "recent"]
-		},
-		"required": false
-	}
+   #swagger.parameters['endDate'] = {
+      "description": "Filter logs till this date in ISO-8601 format",
+      "required": false,
+      "type": "string"
+    }

-	#swagger.parameters['actionNames'] = {
-		"description": "Names of log actions (comma-separated)",
-		"required": false,
-		"type": "string"
-	}
+    #swagger.parameters['eventType'] = {
+      "description": "Filter by type of event such as get-secrets, get-secret, create-secret, update-secret, delete-secret, etc.",
+      "required": false,
+      "type": "string",
+    }
+
+    #swagger.parameters['userAgentType'] = {
+      "description": "Filter by type of user agent such as web, cli, k8-operator, or other",
+      "required": false,
+      "type": "string",
+    }
+
+    #swagger.parameters['actor'] = {
+      "description": "Filter by actor such as user or service",
+      "required": false,
+      "type": "string"
+    }

    #swagger.responses[200] = {
        content: {
            "application/json": {
                schema: { 
-					"type": "object",
-					"properties": {
-						"logs": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Log" 
-							},
-							"description": "Project logs"
-						}
-					}
+                  "type": "object",
+                  "properties": {
+                        "auditLogs": {
+                            "type": "array",
+                            "items": {
+			      $ref: "#/components/schemas/AuditLog",
+                            },
+                            "description": "List of audit log"                        
+                          },
+                  }
                }
            }           
        }
    }   
    */
-  const {
-    query: { limit, offset, userId, sortBy, actionNames },
-    params: { workspaceId }
-  } = await validateRequest(GetWorkspaceLogsV1, req);
-
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
-  ForbiddenError.from(permission).throwUnlessCan(
-    ProjectPermissionActions.Read,
-    ProjectPermissionSub.AuditLogs
-  );
-
-  const logs = await Log.find({
-    workspace: workspaceId,
-    ...(userId ? { user: userId } : {}),
-    ...(actionNames
-      ? {
-          actionNames: {
-            $in: actionNames.split(",")
-          }
-        }
-      : {})
-  })
-    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
-    .skip(offset)
-    .limit(limit)
-    .populate("actions")
-    .populate("user serviceAccount serviceTokenData");
-
-  return res.status(200).send({
-    logs
-  });
-};
-
-/**
- * Return audit logs for workspace with id [workspaceId]
- * @param req
- * @param res
- */
-export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
  const {
    query: { limit, offset, endDate, eventType, startDate, userAgentType, actor },
    params: { workspaceId }
  } = await validateRequest(GetWorkspaceAuditLogsV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.AuditLogs
  );
-  
+
+  let actorMetadataQuery = "";
+  if (actor) {
+    switch (actor?.split("-", 2)[0]) {
+      case ActorType.USER:
+        actorMetadataQuery = "actor.metadata.userId";
+        break;
+      case ActorType.SERVICE:
+        actorMetadataQuery = "actor.metadata.serviceId";
+        break;
+      case ActorType.IDENTITY:
+        actorMetadataQuery = "actor.metadata.identityId";
+        break;
+    }
+  }
+
  const query = {
    workspace: new Types.ObjectId(workspaceId),
    ...(eventType
@ -701,13 +724,9 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
    ...(actor
      ? {
          "actor.type": actor.substring(0, actor.lastIndexOf("-")),
-          ...(actor.split("-", 2)[0] === ActorType.USER
-            ? {
-                "actor.metadata.userId": actor.substring(actor.lastIndexOf("-") + 1)
-              }
-            : {
-                "actor.metadata.serviceId": actor.substring(actor.lastIndexOf("-") + 1)
-              })
+          ...({
+            [actorMetadataQuery]: actor.substring(actor.lastIndexOf("-") + 1)
+          })
        }
      : {}),
    ...(startDate || endDate
@ -719,14 +738,11 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
        }
      : {})
  };
-
+  
  const auditLogs = await AuditLog.find(query).sort({ createdAt: -1 }).skip(offset).limit(limit);
-
-  const totalCount = await AuditLog.countDocuments(query);
-
+  
  return res.status(200).send({
-    auditLogs,
-    totalCount
+    auditLogs
  });
 };

@ -740,7 +756,11 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
    params: { workspaceId }
  } = await validateRequest(GetWorkspaceAuditLogActorFilterOptsV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.AuditLogs
@ -749,6 +769,7 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
  const userIds = await Membership.distinct("user", {
    workspace: new Types.ObjectId(workspaceId)
  });
+  
  const userActors: UserActor[] = (
    await User.find({
      _id: {
@ -774,24 +795,26 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
      name: serviceTokenData.name
    }
  }));
+
+  const identityIds = await IdentityMembership.distinct("identity", {
+    workspace: new Types.ObjectId(workspaceId)
+  });
  
-  const serviceV3Actors: ServiceActorV3[] = (
-    await ServiceTokenDataV3.find({
-      workspace: new Types.ObjectId(workspaceId)
+  const identityActors: IdentityActor[] = (
+    await Identity.find({
+      _id: {
+        $in: identityIds
+      }
    })
-  ).map((serviceTokenData) => ({
-    type: ActorType.SERVICE_V3,
+  ).map((identity) => ({
+    type: ActorType.IDENTITY,
    metadata: {
-      serviceId: serviceTokenData._id.toString(),
-      name: serviceTokenData.name
+      identityId: identity._id.toString(),
+      name: identity.name
    }
  }));
-  
-  const actors = [
-    ...userActors, 
-    ...serviceActors,
-    ...serviceV3Actors
-  ];
+
+  const actors = [...userActors, ...serviceActors, ...identityActors];

  return res.status(200).send({
    actors
@ -808,7 +831,11 @@ export const getWorkspaceTrustedIps = async (req: Request, res: Response) => {
    params: { workspaceId }
  } = await validateRequest(GetWorkspaceTrustedIpsV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Read,
    ProjectPermissionSub.IpAllowList
@ -834,7 +861,11 @@ export const addWorkspaceTrustedIp = async (req: Request, res: Response) => {
    body: { comment, isActive, ipAddress: ip }
  } = await validateRequest(AddWorkspaceTrustedIpV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Create,
    ProjectPermissionSub.IpAllowList
@ -900,7 +931,11 @@ export const updateWorkspaceTrustedIp = async (req: Request, res: Response) => {
    body: { ipAddress: ip, comment }
  } = await validateRequest(UpdateWorkspaceTrustedIpV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.IpAllowList
@ -992,7 +1027,11 @@ export const deleteWorkspaceTrustedIp = async (req: Request, res: Response) => {
    params: { workspaceId, trustedIpId }
  } = await validateRequest(DeleteWorkspaceTrustedIpV1, req);

-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.IpAllowList
--- a/backend-mongo/src/ee/controllers/v3/apiKeyDataController.ts
+++ b/backend-mongo/src/ee/controllers/v3/apiKeyDataController.ts
@ -0,0 +1,101 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { APIKeyDataV2 } from "../../../models/apiKeyDataV2";
+import { validateRequest } from "../../../helpers/validation";
+import { BadRequestError } from "../../../utils/errors";
+import * as reqValidator from "../../../validation";
+import { createToken } from "../../../helpers";
+import { AuthTokenType } from "../../../variables";
+import { getAuthSecret } from "../../../config";
+
+/**
+ * Create API key data v2
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        body: {
+            name
+        }
+    } = await validateRequest(reqValidator.CreateAPIKeyV3, req);
+
+    const apiKeyData = await new APIKeyDataV2({
+        name,
+        user: req.user._id,
+        usageCount: 0,
+    }).save();
+    
+    const apiKey = createToken({
+        payload: {
+            authTokenType: AuthTokenType.API_KEY,
+            apiKeyDataId: apiKeyData._id.toString(),
+            userId: req.user._id.toString()
+        },
+        secret: await getAuthSecret()
+    });
+
+    return res.status(200).send({
+        apiKeyData,
+        apiKey
+    });
+}
+
+/**
+ * Update API key data v2 with id [apiKeyDataId]
+ * @param req 
+ * @param res 
+ */
+ export const updateAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        params: { apiKeyDataId },
+        body: { 
+            name, 
+        }
+    } = await validateRequest(reqValidator.UpdateAPIKeyV3, req);
+
+    const apiKeyData = await APIKeyDataV2.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(apiKeyDataId),
+            user: req.user._id
+        },
+        {
+            name
+        },
+        {
+            new: true
+        }
+    );
+    
+    if (!apiKeyData) throw BadRequestError({
+        message: "Failed to update API key"
+    });
+
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data v2 with id [apiKeyDataId]
+ * @param req 
+ * @param res 
+ */
+ export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        params: { apiKeyDataId }
+    } = await validateRequest(reqValidator.DeleteAPIKeyV3, req);
+
+    const apiKeyData = await APIKeyDataV2.findOneAndDelete({
+        _id: new Types.ObjectId(apiKeyDataId),
+        user: req.user._id
+    });
+
+    if (!apiKeyData) throw BadRequestError({
+        message: "Failed to delete API key"
+    });
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
--- a/backend-mongo/src/ee/controllers/v3/index.ts
+++ b/backend-mongo/src/ee/controllers/v3/index.ts
@ -0,0 +1,5 @@
+import * as apiKeyDataController from "./apiKeyDataController";
+
+export {
+    apiKeyDataController
+}
--- a/backend-mongo/src/ee/helpers/checkMembershipPermissions.ts
+++ b/backend-mongo/src/ee/helpers/checkMembershipPermissions.ts
--- a/backend-mongo/src/ee/helpers/organizations.ts
+++ b/backend-mongo/src/ee/helpers/organizations.ts
--- a/backend-mongo/src/ee/helpers/secret.ts
+++ b/backend-mongo/src/ee/helpers/secret.ts
--- a/backend-mongo/src/ee/helpers/secretVersion.ts
+++ b/backend-mongo/src/ee/helpers/secretVersion.ts
--- a/backend-mongo/src/ee/models/auditLog/auditLog.ts
+++ b/backend-mongo/src/ee/models/auditLog/auditLog.ts
@ -0,0 +1,70 @@
+import { Schema, Types, model } from "mongoose";
+import { ActorType, EventType, UserAgentType } from "./enums";
+import { Actor, Event } from "./types";
+
+export interface IAuditLog {
+  actor: Actor;
+  organization: Types.ObjectId;
+  workspace: Types.ObjectId;
+  ipAddress: string;
+  event: Event;
+  userAgent: string;
+  userAgentType: UserAgentType;
+  expiresAt?: Date;
+}
+
+const auditLogSchema = new Schema<IAuditLog>(
+  {
+    actor: {
+      type: {
+        type: String,
+        enum: ActorType,
+        required: true
+      },
+      metadata: {
+        type: Schema.Types.Mixed
+      }
+    },
+    organization: {
+      type: Schema.Types.ObjectId,
+      required: false
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      required: false,
+      index: true
+    },
+    ipAddress: {
+      type: String,
+      required: true
+    },
+    event: {
+      type: {
+        type: String,
+        enum: EventType,
+        required: true
+      },
+      metadata: {
+        type: Schema.Types.Mixed
+      }
+    },
+    userAgent: {
+      type: String,
+      required: true
+    },
+    userAgentType: {
+      type: String,
+      enum: UserAgentType,
+      required: true
+    },
+    expiresAt: {
+      type: Date,
+      expires: 0
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const AuditLog = model<IAuditLog>("AuditLog", auditLogSchema);
--- a/backend-mongo/src/ee/models/auditLog/enums.ts
+++ b/backend-mongo/src/ee/models/auditLog/enums.ts
@ -1,14 +1,17 @@
-export enum ActorType {
-    USER = "user",
+export enum ActorType { // would extend to AWS, Azure, ...
+    USER = "user", // userIdentity
    SERVICE = "service",
-    SERVICE_V3 = "service-v3"
+    IDENTITY = "identity"
 }

 export enum UserAgentType {
  WEB = "web",
  CLI = "cli",
  K8_OPERATOR = "k8-operator",
-  OTHER = "other"
+  TERRAFORM = "terraform",
+  OTHER = "other",
+  PYTHON_SDK = "InfisicalPythonSDK",
+  NODE_SDK = "InfisicalNodeSDK"
 }

 export enum EventType {
@ -31,13 +34,21 @@ export enum EventType {
  DELETE_TRUSTED_IP = "delete-trusted-ip",
  CREATE_SERVICE_TOKEN = "create-service-token", // v2
  DELETE_SERVICE_TOKEN = "delete-service-token", // v2
-  CREATE_SERVICE_TOKEN_V3 = "create-service-token-v3", // v3
-  UPDATE_SERVICE_TOKEN_V3 = "update-service-token-v3", // v3
-  DELETE_SERVICE_TOKEN_V3 = "delete-service-token-v3", // v3
+  CREATE_IDENTITY = "create-identity",
+  UPDATE_IDENTITY = "update-identity",
+  DELETE_IDENTITY = "delete-identity",
+  LOGIN_IDENTITY_UNIVERSAL_AUTH = "login-identity-universal-auth",
+  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
+  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
+  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET =  "revoke-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
  ADD_WORKSPACE_MEMBER = "add-workspace-member",
+  ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
  REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
  CREATE_FOLDER = "create-folder",
  UPDATE_FOLDER = "update-folder",
--- a/backend-mongo/src/ee/models/auditLog/index.ts
+++ b/backend-mongo/src/ee/models/auditLog/index.ts
--- a/backend-mongo/src/ee/models/auditLog/types.ts
+++ b/backend-mongo/src/ee/models/auditLog/types.ts
@ -1,11 +1,5 @@
-import {
-    ActorType,
-    EventType
-} from "./enums";
-import {
-  IServiceTokenV3Scope,
-  IServiceTokenV3TrustedIp
-} from "../../../models/serviceTokenDataV3";
+import { ActorType, EventType } from "./enums";
+import { IIdentityTrustedIp } from "../../../models";

 interface UserActorMetadata {
  userId: string;
@ -17,6 +11,11 @@ interface ServiceActorMetadata {
  name: string;
 }

+interface IdentityActorMetadata {
+  identityId: string;
+  name: string;
+}
+
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -27,15 +26,12 @@ export interface ServiceActor {
  metadata: ServiceActorMetadata;
 }

-export interface ServiceActorV3 {
-    type: ActorType.SERVICE_V3;
-    metadata: ServiceActorMetadata;
+export interface IdentityActor {
+  type: ActorType.IDENTITY;
+  metadata: IdentityActorMetadata;
 }

-export type Actor = 
-    | UserActor
-    | ServiceActor
-    | ServiceActorV3;
+export type Actor = UserActor | ServiceActor | IdentityActor;

 interface GetSecretsEvent {
  type: EventType.GET_SECRETS;
@ -225,37 +221,92 @@ interface DeleteServiceTokenEvent {
  };
 }

-interface CreateServiceTokenV3Event {
-    type: EventType.CREATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+interface CreateIdentityEvent { // note: currently not logging org-role
+  type: EventType.CREATE_IDENTITY;
+  metadata: {
+    identityId: string;
+    name: string;
+  };
 }

-interface UpdateServiceTokenV3Event {
-    type: EventType.UPDATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name?: string;
-        isActive?: boolean;
-        scopes?: Array<IServiceTokenV3Scope>;
-        trustedIps?: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+interface UpdateIdentityEvent {
+  type: EventType.UPDATE_IDENTITY;
+  metadata: {
+    identityId: string;
+    name?: string;
+  };
 }

-interface DeleteServiceTokenV3Event {
-    type: EventType.DELETE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        expiresAt?: Date;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-    }
+interface DeleteIdentityEvent {
+  type: EventType.DELETE_IDENTITY;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface LoginIdentityUniversalAuthEvent {
+  type: EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH ;
+  metadata: {
+    identityId: string;
+    identityUniversalAuthId: string;
+    clientSecretId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityUniversalAuthEvent {
+  type: EventType.ADD_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+    clientSecretTrustedIps: Array<IIdentityTrustedIp>;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<IIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityUniversalAuthEvent {
+  type: EventType.UPDATE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+    clientSecretTrustedIps?: Array<IIdentityTrustedIp>;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<IIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityUniversalAuthEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface CreateIdentityUniversalAuthClientSecretEvent {
+  type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET ;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
+interface GetIdentityUniversalAuthClientSecretsEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS;
+  metadata: {
+    identityId: string;
+  };
+}
+
+
+interface RevokeIdentityUniversalAuthClientSecretEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET ;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
 }

 interface CreateEnvironmentEvent {
@ -292,6 +343,14 @@ interface AddWorkspaceMemberEvent {
  };
 }

+interface AddBatchWorkspaceMemberEvent {
+  type: EventType.ADD_BATCH_WORKSPACE_MEMBER;
+  metadata: Array<{
+    userId: string;
+    email: string;
+  }>;
+}
+
 interface RemoveWorkspaceMemberEvent {
  type: EventType.REMOVE_WORKSPACE_MEMBER;
  metadata: {
@ -427,15 +486,15 @@ interface UpdateUserRole {
 }

 interface UpdateUserDeniedPermissions {
-    type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
-    metadata: {
-        userId: string;
-        email: string;
-        deniedPermissions: {
-            environmentSlug: string;
-            ability: string;
-        }[]
-    }
+  type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS;
+  metadata: {
+    userId: string;
+    email: string;
+    deniedPermissions: {
+      environmentSlug: string;
+      ability: string;
+    }[];
+  };
 }
 interface SecretApprovalMerge {
  type: EventType.SECRET_APPROVAL_MERGED;
@ -492,13 +551,21 @@ export type Event =
  | DeleteTrustedIPEvent
  | CreateServiceTokenEvent
  | DeleteServiceTokenEvent
-  | CreateServiceTokenV3Event
-  | UpdateServiceTokenV3Event
-  | DeleteServiceTokenV3Event
+  | CreateIdentityEvent
+  | UpdateIdentityEvent
+  | DeleteIdentityEvent
+  | LoginIdentityUniversalAuthEvent
+  | AddIdentityUniversalAuthEvent
+  | UpdateIdentityUniversalAuthEvent
+  | GetIdentityUniversalAuthEvent
+  | CreateIdentityUniversalAuthClientSecretEvent
+  | GetIdentityUniversalAuthClientSecretsEvent
+  | RevokeIdentityUniversalAuthClientSecretEvent
  | CreateEnvironmentEvent
  | UpdateEnvironmentEvent
  | DeleteEnvironmentEvent
  | AddWorkspaceMemberEvent
+  | AddBatchWorkspaceMemberEvent
  | RemoveWorkspaceMemberEvent
  | CreateFolderEvent
  | UpdateFolderEvent
--- a/backend-mongo/src/ee/models/folderVersion.ts
+++ b/backend-mongo/src/ee/models/folderVersion.ts
--- a/backend-mongo/src/ee/models/gitAppInstallationSession.ts
+++ b/backend-mongo/src/ee/models/gitAppInstallationSession.ts
--- a/backend-mongo/src/ee/models/gitAppOrganizationInstallation.ts
+++ b/backend-mongo/src/ee/models/gitAppOrganizationInstallation.ts
--- a/backend-mongo/src/ee/models/gitRisks.ts
+++ b/backend-mongo/src/ee/models/gitRisks.ts
--- a/backend-mongo/src/ee/models/index.ts
+++ b/backend-mongo/src/ee/models/index.ts
@ -1,9 +1,7 @@
 export * from "./secretSnapshot";
 export * from "./secretVersion";
 export * from "./folderVersion";
-export * from "./log";
 export * from "./role";
-export * from "./action";
 export * from "./ssoConfig";
 export * from "./trustedIp";
 export * from "./auditLog";
--- a/backend-mongo/src/ee/models/role.ts
+++ b/backend-mongo/src/ee/models/role.ts
--- a/Show More
+++ b/Show More