requested changes

fix: allow https on gateway k8s hosts
Update infisicalpushsecret_controller.go
2025-07-31 10:38:12 +00:00 · 2025-05-29 16:57:22 +04:00 · 2025-05-29 16:39:47 +04:00 · 2025-05-20 23:35:43 +04:00 · 2025-05-20 23:03:58 +04:00 · 2025-05-20 18:14:07 +04:00
61 changed files with 1545 additions and 404 deletions
--- a/backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts
+++ b/backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts
@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (!hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.boolean("secretSharing").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.dropColumn("secretSharing");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts
+++ b/backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts
@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (!hasLifetimeColumn || !hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (!hasLifetimeColumn) {
+        t.integer("maxSharedSecretLifetime").nullable().defaultTo(2592000); // 30 days in seconds
+      }
+      if (!hasViewLimitColumn) {
+        t.integer("maxSharedSecretViewLimit").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (hasLifetimeColumn || hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (hasLifetimeColumn) {
+        t.dropColumn("maxSharedSecretLifetime");
+      }
+      if (hasViewLimitColumn) {
+        t.dropColumn("maxSharedSecretViewLimit");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts
+++ b/backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts
@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (!hasEncryptedSalt || !hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        // These two columns are only needed when secrets are shared with a specific list of emails
+
+        if (!hasEncryptedSalt) {
+          t.binary("encryptedSalt").nullable();
+        }
+
+        if (!hasAuthorizedEmails) {
+          t.json("authorizedEmails").nullable();
+        }
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (hasEncryptedSalt || hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        if (hasEncryptedSalt) {
+          t.dropColumn("encryptedSalt");
+        }
+
+        if (hasAuthorizedEmails) {
+          t.dropColumn("authorizedEmails");
+        }
+      });
+    }
+  }
+}
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -34,7 +34,9 @@ export const OrganizationsSchema = z.object({
  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
  sshProductEnabled: z.boolean().default(true).nullable().optional(),
  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
-  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional()
+  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
+  maxSharedSecretViewLimit: z.number().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -27,7 +27,8 @@ export const ProjectsSchema = z.object({
  description: z.string().nullable().optional(),
  type: z.string(),
  enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(false).nullable().optional()
+  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
+  secretSharing: z.boolean().default(true)
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/secret-sharing.ts
+++ b/backend/src/db/schemas/secret-sharing.ts
@@ -27,7 +27,9 @@ export const SecretSharingSchema = z.object({
  password: z.string().nullable().optional(),
  encryptedSecret: zodBuffer.nullable().optional(),
  identifier: z.string().nullable().optional(),
-  type: z.string().default("share")
+  type: z.string().default("share"),
+  encryptedSalt: zodBuffer.nullable().optional(),
+  authorizedEmails: z.unknown().nullable().optional()
 });

 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;
--- a/backend/src/ee/services/hsm/hsm-fns.ts
+++ b/backend/src/ee/services/hsm/hsm-fns.ts
@@ -24,9 +24,13 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured
      isInitialized = true;

      logger.info("PKCS#11 module initialized");
-    } catch (err) {
-      logger.error(err, "Failed to initialize PKCS#11 module");
-      throw err;
+    } catch (error) {
+      if (error instanceof pkcs11js.Pkcs11Error && error.code === pkcs11js.CKR_CRYPTOKI_ALREADY_INITIALIZED) {
+        logger.info("Skipping HSM initialization because it's already initialized.");
+      } else {
+        logger.error(error, "Failed to initialize PKCS#11 module");
+        throw error;
+      }
    }
  };

--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -608,7 +608,8 @@ export const PROJECTS = {
    projectDescription: "An optional description label for the project.",
    autoCapitalization: "Disable or enable auto-capitalization for the project.",
    slug: "An optional slug for the project. (must be unique within the organization)",
-    hasDeleteProtection: "Enable or disable delete protection for the project."
+    hasDeleteProtection: "Enable or disable delete protection for the project.",
+    secretSharing: "Enable or disable secret sharing for the project."
  },
  GET_KEY: {
    workspaceId: "The ID of the project to get the key from."
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@@ -261,7 +261,8 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
  pitVersionLimit: true,
  kmsCertificateKeyId: true,
  auditLogsRetentionDays: true,
-  hasDeleteProtection: true
+  hasDeleteProtection: true,
+  secretSharing: true
 });

 export const SanitizedTagSchema = SecretTagsSchema.pick({
--- a/backend/src/server/routes/v1/certificate-router.ts
+++ b/backend/src/server/routes/v1/certificate-router.ts
@@ -131,8 +131,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          certificate: z.string().trim().describe(CERTIFICATES.GET_CERT.certificate),
-          certificateChain: z.string().trim().nullish().describe(CERTIFICATES.GET_CERT.certificateChain),
-          privateKey: z.string().trim().describe(CERTIFICATES.GET_CERT.privateKey),
+          certificateChain: z.string().trim().nullable().describe(CERTIFICATES.GET_CERT.certificateChain),
+          privateKey: z.string().trim().nullable().describe(CERTIFICATES.GET_CERT.privateKey),
          serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumberRes)
        })
      }
@@ -518,7 +518,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          certificate: z.string().trim().describe(CERTIFICATES.GET_CERT.certificate),
-          certificateChain: z.string().trim().nullish().describe(CERTIFICATES.GET_CERT.certificateChain),
+          certificateChain: z.string().trim().nullable().describe(CERTIFICATES.GET_CERT.certificateChain),
          serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumberRes)
        })
      }
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@@ -114,10 +114,12 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
                  CharacterType.Numbers,
                  CharacterType.Colon,
                  CharacterType.Period,
-                  CharacterType.ForwardSlash
+                  CharacterType.ForwardSlash,
+                  CharacterType.Hyphen
                ])(val),
              {
-                message: "Kubernetes host must only contain alphabets, numbers, colons, periods, and forward slashes."
+                message:
+                  "Kubernetes host must only contain alphabets, numbers, colons, periods, hyphen, and forward slashes."
              }
            ),
          caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
@@ -234,11 +236,13 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
                  CharacterType.Numbers,
                  CharacterType.Colon,
                  CharacterType.Period,
-                  CharacterType.ForwardSlash
+                  CharacterType.ForwardSlash,
+                  CharacterType.Hyphen
                ])(val);
              },
              {
-                message: "Kubernetes host must only contain alphabets, numbers, colons, periods, and forward slashes."
+                message:
+                  "Kubernetes host must only contain alphabets, numbers, colons, periods, hyphen, and forward slashes."
              }
            ),
          caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -281,7 +281,18 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        kmsProductEnabled: z.boolean().optional(),
        sshProductEnabled: z.boolean().optional(),
        scannerProductEnabled: z.boolean().optional(),
-        shareSecretsProductEnabled: z.boolean().optional()
+        shareSecretsProductEnabled: z.boolean().optional(),
+        maxSharedSecretLifetime: z
+          .number()
+          .min(300, "Max Shared Secret lifetime cannot be under 5 minutes")
+          .max(2592000, "Max Shared Secret lifetime cannot exceed 30 days")
+          .optional(),
+        maxSharedSecretViewLimit: z
+          .number()
+          .min(1, "Max Shared Secret view count cannot be lower than 1")
+          .max(1000, "Max Shared Secret view count cannot exceed 1000")
+          .nullable()
+          .optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -346,7 +346,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
              "Project slug can only contain lowercase letters and numbers, with optional single hyphens (-) or underscores (_) between words. Cannot start or end with a hyphen or underscore."
          })
          .optional()
-          .describe(PROJECTS.UPDATE.slug)
+          .describe(PROJECTS.UPDATE.slug),
+        secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing)
      }),
      response: {
        200: z.object({
@@ -366,7 +367,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          description: req.body.description,
          autoCapitalization: req.body.autoCapitalization,
          hasDeleteProtection: req.body.hasDeleteProtection,
-          slug: req.body.slug
+          slug: req.body.slug,
+          secretSharing: req.body.secretSharing
        },
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
--- a/backend/src/server/routes/v1/secret-sharing-router.ts
+++ b/backend/src/server/routes/v1/secret-sharing-router.ts
@@ -62,7 +62,9 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
      }),
      body: z.object({
        hashedHex: z.string().min(1).optional(),
-        password: z.string().optional()
+        password: z.string().optional(),
+        email: z.string().optional(),
+        hash: z.string().optional()
      }),
      response: {
        200: z.object({
@@ -88,7 +90,9 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        sharedSecretId: req.params.id,
        hashedHex: req.body.hashedHex,
        password: req.body.password,
-        orgId: req.permission?.orgId
+        orgId: req.permission?.orgId,
+        email: req.body.email,
+        hash: req.body.hash
      });

      if (sharedSecret.secret?.orgId) {
@@ -151,7 +155,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        secretValue: z.string(),
        expiresAt: z.string(),
        expiresAfterViews: z.number().min(1).optional(),
-        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization)
+        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization),
+        emails: z.string().email().array().max(100).optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@@ -189,16 +189,15 @@ export const authPaswordServiceFactory = ({
      throw new BadRequestError({ message: `User encryption key not found for user with ID '${userId}'` });
    }

-    if (!user.hashedPassword) {
-      throw new BadRequestError({ message: "Unable to reset password, no password is set" });
-    }
-
    if (!user.authMethods?.includes(AuthMethod.EMAIL)) {
      throw new BadRequestError({ message: "Unable to reset password, no email authentication method is configured" });
    }

    // we check the old password if the user is resetting their password while logged in
    if (type === ResetPasswordV2Type.LoggedInReset) {
+      if (!user.hashedPassword) {
+        throw new BadRequestError({ message: "Unable to change password, no password is set" });
+      }
      if (!oldPassword) {
        throw new BadRequestError({ message: "Current password is required." });
      }
--- a/backend/src/services/certificate/certificate-fns.ts
+++ b/backend/src/services/certificate/certificate-fns.ts
@@ -105,7 +105,7 @@ export const buildCertificateChain = async ({
  kmsService,
  kmsId
 }: TBuildCertificateChainDTO) => {
-  if (!encryptedCertificateChain && (!caCert || !caCertChain)) {
+  if (!encryptedCertificateChain && !caCert) {
    return null;
  }

--- a/backend/src/services/certificate/certificate-service.ts
+++ b/backend/src/services/certificate/certificate-service.ts
@@ -29,6 +29,7 @@ import {
  TGetCertPrivateKeyDTO,
  TRevokeCertDTO
 } from "./certificate-types";
+import { NotFoundError } from "@app/lib/errors";

 type TCertificateServiceFactoryDep = {
  certificateDAL: Pick<TCertificateDALFactory, "findOne" | "deleteById" | "update" | "find">;
@@ -337,18 +338,27 @@ export const certificateServiceFactory = ({
      encryptedCertificateChain: certBody.encryptedCertificateChain || undefined
    });

-    const { certPrivateKey } = await getCertificateCredentials({
-      certId: cert.id,
-      projectId: ca.projectId,
-      certificateSecretDAL,
-      projectDAL,
-      kmsService
-    });
+    let privateKey: string | null = null;
+    try {
+      const { certPrivateKey } = await getCertificateCredentials({
+        certId: cert.id,
+        projectId: ca.projectId,
+        certificateSecretDAL,
+        projectDAL,
+        kmsService
+      });
+      privateKey = certPrivateKey;
+    } catch (e) {
+      // Skip NotFound errors but throw all others
+      if (!(e instanceof NotFoundError)) {
+        throw e;
+      }
+    }

    return {
      certificate,
      certificateChain,
-      privateKey: certPrivateKey,
+      privateKey,
      serialNumber,
      cert,
      ca
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import axios, { AxiosError } from "axios";
 import https from "https";
 import jwt from "jsonwebtoken";
+import RE2 from "re2";

 import { IdentityAuthMethod, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
 import { TGatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
@@ -185,7 +186,13 @@ export const identityKubernetesAuthServiceFactory = ({
      return res.data;
    };

-    const [k8sHost, k8sPort] = identityKubernetesAuth.kubernetesHost.split(":");
+    let { kubernetesHost } = identityKubernetesAuth;
+
+    if (kubernetesHost.startsWith("https://") || kubernetesHost.startsWith("http://")) {
+      kubernetesHost = new RE2("^https?:\\/\\/").replace(kubernetesHost, "");
+    }
+
+    const [k8sHost, k8sPort] = kubernetesHost.split(":");

    const data = identityKubernetesAuth.gatewayId
      ? await $gatewayProxyWrapper(
--- a/backend/src/services/org/org-schema.ts
+++ b/backend/src/services/org/org-schema.ts
@@ -24,5 +24,7 @@ export const sanitizedOrganizationSchema = OrganizationsSchema.pick({
  kmsProductEnabled: true,
  sshProductEnabled: true,
  scannerProductEnabled: true,
-  shareSecretsProductEnabled: true
+  shareSecretsProductEnabled: true,
+  maxSharedSecretLifetime: true,
+  maxSharedSecretViewLimit: true
 });
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -361,7 +361,9 @@ export const orgServiceFactory = ({
      kmsProductEnabled,
      sshProductEnabled,
      scannerProductEnabled,
-      shareSecretsProductEnabled
+      shareSecretsProductEnabled,
+      maxSharedSecretLifetime,
+      maxSharedSecretViewLimit
    }
  }: TUpdateOrgDTO) => {
    const appCfg = getConfig();
@@ -469,7 +471,9 @@ export const orgServiceFactory = ({
      kmsProductEnabled,
      sshProductEnabled,
      scannerProductEnabled,
-      shareSecretsProductEnabled
+      shareSecretsProductEnabled,
+      maxSharedSecretLifetime,
+      maxSharedSecretViewLimit
    });
    if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
    return org;
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@@ -81,6 +81,8 @@ export type TUpdateOrgDTO = {
    sshProductEnabled: boolean;
    scannerProductEnabled: boolean;
    shareSecretsProductEnabled: boolean;
+    maxSharedSecretLifetime: number;
+    maxSharedSecretViewLimit: number | null;
  }>;
 } & TOrgPermission;

--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -658,7 +658,8 @@ export const projectServiceFactory = ({
      autoCapitalization: update.autoCapitalization,
      enforceCapitalization: update.autoCapitalization,
      hasDeleteProtection: update.hasDeleteProtection,
-      slug: update.slug
+      slug: update.slug,
+      secretSharing: update.secretSharing
    });

    return updatedProject;
--- a/backend/src/services/project/project-types.ts
+++ b/backend/src/services/project/project-types.ts
@@ -93,6 +93,7 @@ export type TUpdateProjectDTO = {
    autoCapitalization?: boolean;
    hasDeleteProtection?: boolean;
    slug?: string;
+    secretSharing?: boolean;
  };
 } & Omit<TProjectPermission, "projectId">;

--- a/backend/src/services/secret-sharing/secret-sharing-service.ts
+++ b/backend/src/services/secret-sharing/secret-sharing-service.ts
@@ -6,6 +6,7 @@ import { TSecretSharing } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { SecretSharingAccessType } from "@app/lib/types";
 import { isUuidV4 } from "@app/lib/validator";

@@ -60,7 +61,9 @@ export const secretSharingServiceFactory = ({
    }

    const fiveMins = 5 * 60 * 1000;
-    if (expiryTime - currentTime < fiveMins) {
+
+    // 1 second buffer
+    if (expiryTime - currentTime + 1000 < fiveMins) {
      throw new BadRequestError({ message: "Expiration time cannot be less than 5 mins" });
    }
  };
@@ -76,8 +79,11 @@ export const secretSharingServiceFactory = ({
    password,
    accessType,
    expiresAt,
-    expiresAfterViews
+    expiresAfterViews,
+    emails
  }: TCreateSharedSecretDTO) => {
+    const appCfg = getConfig();
+
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
    $validateSharedSecretExpiry(expiresAt);
@@ -93,7 +99,46 @@ export const secretSharingServiceFactory = ({
      throw new BadRequestError({ message: "Shared secret value too long" });
    }

+    // Check lifetime is within org allowance
+    const expiresAtTimestamp = new Date(expiresAt).getTime();
+    const lifetime = expiresAtTimestamp - new Date().getTime();
+
+    // org.maxSharedSecretLifetime is in seconds
+    if (org.maxSharedSecretLifetime && lifetime / 1000 > org.maxSharedSecretLifetime) {
+      throw new BadRequestError({ message: "Secret lifetime exceeds organization limit" });
+    }
+
+    // Check max view count is within org allowance
+    if (org.maxSharedSecretViewLimit && (!expiresAfterViews || expiresAfterViews > org.maxSharedSecretViewLimit)) {
+      throw new BadRequestError({ message: "Secret max views parameter exceeds organization limit" });
+    }
+
    const encryptWithRoot = kmsService.encryptWithRootKey();
+
+    let salt: string | undefined;
+    let encryptedSalt: Buffer | undefined;
+    const orgEmails = [];
+
+    if (emails && emails.length > 0) {
+      const allOrgMembers = await orgDAL.findAllOrgMembers(orgId);
+
+      // Check to see that all emails are a part of the organization (if enforced) while also collecting a list of emails which are in the org
+      for (const email of emails) {
+        if (allOrgMembers.some((v) => v.user.email === email)) {
+          orgEmails.push(email);
+          // If the email is not part of the org, but access type / org settings require it
+        } else if (!org.allowSecretSharingOutsideOrganization || accessType === SecretSharingAccessType.Organization) {
+          throw new BadRequestError({
+            message: "Organization does not allow sharing secrets to members outside of this organization"
+          });
+        }
+      }
+
+      // Generate salt for signing email hashes (if emails are provided)
+      salt = crypto.randomBytes(32).toString("hex");
+      encryptedSalt = encryptWithRoot(Buffer.from(salt));
+    }
+
    const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));

    const id = crypto.randomBytes(32).toString("hex");
@@ -112,11 +157,45 @@ export const secretSharingServiceFactory = ({
      expiresAfterViews,
      userId: actorId,
      orgId,
-      accessType
+      accessType,
+      authorizedEmails: emails && emails.length > 0 ? JSON.stringify(emails) : undefined,
+      encryptedSalt
    });

    const idToReturn = `${Buffer.from(newSharedSecret.identifier!, "hex").toString("base64url")}`;

+    // Loop through recipients and send out emails with unique access links
+    if (emails && salt) {
+      const user = await userDAL.findById(actorId);
+
+      if (!user) {
+        throw new NotFoundError({ message: `User with ID '${actorId}' not found` });
+      }
+
+      for await (const email of emails) {
+        try {
+          const hmac = crypto.createHmac("sha256", salt).update(email);
+          const hash = hmac.digest("hex");
+
+          // Only show the username to emails which are part of the organization
+          const respondentUsername = orgEmails.includes(email) ? user.username : undefined;
+
+          await smtpService.sendMail({
+            recipients: [email],
+            subjectLine: "A secret has been shared with you",
+            substitutions: {
+              name,
+              respondentUsername,
+              secretRequestUrl: `${appCfg.SITE_URL}/shared/secret/${idToReturn}?email=${encodeURIComponent(email)}&hash=${hash}`
+            },
+            template: SmtpTemplates.SecretRequestCompleted
+          });
+        } catch (e) {
+          logger.error(e, "Failed to send shared secret URL to a recipient's email.");
+        }
+      }
+    }
+
    return { id: idToReturn };
  };

@@ -390,8 +469,15 @@ export const secretSharingServiceFactory = ({
    });
  };

-  /** Get's password-less secret. validates all secret's requested (must be fresh). */
-  const getSharedSecretById = async ({ sharedSecretId, hashedHex, orgId, password }: TGetActiveSharedSecretByIdDTO) => {
+  /** Gets password-less secret. validates all secret's requested (must be fresh). */
+  const getSharedSecretById = async ({
+    sharedSecretId,
+    hashedHex,
+    orgId,
+    password,
+    email,
+    hash
+  }: TGetActiveSharedSecretByIdDTO) => {
    const sharedSecret = isUuidV4(sharedSecretId)
      ? await secretSharingDAL.findOne({
          id: sharedSecretId,
@@ -438,6 +524,32 @@ export const secretSharingServiceFactory = ({
      });
    }

+    const decryptWithRoot = kmsService.decryptWithRootKey();
+
+    if (sharedSecret.authorizedEmails && sharedSecret.encryptedSalt) {
+      // Verify both params were passed
+      if (!email || !hash) {
+        throw new BadRequestError({
+          message: "This secret is email protected. Parameters must include email and hash."
+        });
+
+        // Verify that email is authorized to view shared secret
+      } else if (!(sharedSecret.authorizedEmails as string[]).includes(email)) {
+        throw new UnauthorizedError({ message: "Email not authorized to view secret" });
+
+        // Verify that hash matches
+      } else {
+        const salt = decryptWithRoot(sharedSecret.encryptedSalt).toString();
+        const hmac = crypto.createHmac("sha256", salt).update(email);
+        const rebuiltHash = hmac.digest("hex");
+
+        if (rebuiltHash !== hash) {
+          throw new UnauthorizedError({ message: "Email not authorized to view secret" });
+        }
+      }
+    }
+
+    // Password checks
    const isPasswordProtected = Boolean(sharedSecret.password);
    const hasProvidedPassword = Boolean(password);
    if (isPasswordProtected) {
@@ -452,7 +564,6 @@ export const secretSharingServiceFactory = ({
    // If encryptedSecret is set, we know that this secret has been encrypted using KMS, and we can therefore do server-side decryption.
    let decryptedSecretValue: Buffer | undefined;
    if (sharedSecret.encryptedSecret) {
-      const decryptWithRoot = kmsService.decryptWithRootKey();
      decryptedSecretValue = decryptWithRoot(sharedSecret.encryptedSecret);
    }

--- a/backend/src/services/secret-sharing/secret-sharing-types.ts
+++ b/backend/src/services/secret-sharing/secret-sharing-types.ts
@@ -22,6 +22,7 @@ export type TSharedSecretPermission = {
  accessType?: SecretSharingAccessType;
  name?: string;
  password?: string;
+  emails?: string[];
 };

 export type TCreatePublicSharedSecretDTO = {
@@ -37,6 +38,10 @@ export type TGetActiveSharedSecretByIdDTO = {
  hashedHex?: string;
  orgId?: string;
  password?: string;
+
+  // For secrets shared with specific emails
+  email?: string;
+  hash?: string;
 };

 export type TValidateActiveSharedSecretDTO = TGetActiveSharedSecretByIdDTO & {
--- a/cli/packages/cmd/agent.go
+++ b/cli/packages/cmd/agent.go
@@ -884,6 +884,12 @@ func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId

 					if err != nil {
 						log.Error().Msgf("unable to process template because %v", err)
+
+						// case: if exit-after-auth is true, it should exit the agent once an error on secret fetching occurs with the appropriate exit code (1)
+						// previous behavior would exit after 25 sec with status code 0, even if this step errors
+						if tm.exitAfterAuth {
+							os.Exit(1)
+						}
 					} else {
 						if (existingEtag != currentEtag) || firstRun {

--- a/company/handbook/spending-money.mdx
+++ b/company/handbook/spending-money.mdx
@@ -6,9 +6,14 @@ description: "The guide to spending money at Infisical."

 Fairly frequently, you might run into situations when you need to spend company money. 

-<Note>
-Please spend money in a way that you think is in the best interest of the company.
-</Note>
+
+# Expensing Meals
+
+As a perk of working at Infisical, we cover some of your meal expenses.
+
+HQ team members: meals and unlimited snacks are provided on-site at no cost.
+
+Remote team members: a food stipend is allocated based on location.

 # Trivial expenses

@@ -18,6 +23,10 @@ This means expenses that are:
 1. Non-recurring AND less than $75/month in total.
 2. Recurring AND less than $20/month. 

+<Note>
+Please spend money in a way that you think is in the best interest of the company.
+</Note>
+
 ## Saving receipts

 Make sure you keep copies for all receipts. If you expense something on a company card and cannot provide a receipt, this may be deducted from your pay.
--- a/docs/documentation/platform/kms/hsm-integration.mdx
+++ b/docs/documentation/platform/kms/hsm-integration.mdx
@@ -38,7 +38,7 @@ Enabling HSM encryption has a set of key benefits:
 ### Requirements
 - An Infisical instance with a version number that is equal to or greater than `v0.91.0`.
 - If you are using Docker, your instance must be using the `infisical/infisical-fips` image.
- An HSM device from a provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), or others.
+- An HSM device from a provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), [Fortanix HSM](https://www.fortanix.com/platform/data-security-manager), or others.


 ### FIPS Compliance
@@ -53,14 +53,14 @@ For organizations that work with US government agencies, FIPS compliance is almo

 <Steps>
    <Step title="Setting up an HSM Device">
-        To set up HSM encryption, you need to configure an HSM provider and HSM key. The HSM provider is used to connect to the HSM device, and the HSM key is used to encrypt Infisical's KMS keys. We recommend using a Cloud HSM provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm) or [AWS CloudHSM](https://aws.amazon.com/cloudhsm/).
+        To set up HSM encryption, you need to configure an HSM provider and HSM key. The HSM provider is used to connect to the HSM device, and the HSM key is used to encrypt Infisical's KMS keys. We recommend using a Cloud HSM provider such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm), [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), or [Fortanix HSM](https://www.fortanix.com/platform/data-security-manager).

        You need to follow the instructions provided by the HSM provider to set up the HSM device. Once the HSM device is set up, the HSM device can be used within Infisical.

        After setting up the HSM from your provider, you will have a set of files that you can use to access the HSM. These files need to be present on the machine where Infisical is running.
        If you are using containers, you will need to mount the folder where these files are stored as a volume in the container.

-        The setup process for an HSM device varies depending on the provider. We have created a guide for Thales Luna Cloud HSM, which you can find below.
+        The setup process for an HSM device varies depending on the provider. We have created guides for Thales Luna Cloud HSM and Fortanix HSM, which you can find below.
        
    </Step>
    <Step title="Configure HSM on Infisical">
@@ -255,6 +255,78 @@ For organizations that work with US government agencies, FIPS compliance is almo
        </Steps>
        After following these steps, your Docker setup will be ready to use HSM encryption.
      </Tab>
+      <Tab title="Fortanix HSM">
+        <Steps>
+          <Step title="Set up Fortanix HSM">
+            To use Fortanix HSM with Infisical, you need to:
+            
+            1. Create an App in Fortanix:
+               - Set Interface value to be PKCS#11
+               - Select API key as authentication method
+               - Assign app to a group
+            
+              ![Fortanix HSM Setup](/images/platform/kms/hsm/fortanix-hsm-setup.png)
+
+            2. Take note of the domain (e.g., apac.smartkey.io). You will need this to set up the configuration file for the Fortanix client.
+          </Step>
+          
+          <Step title="Install PKCS11 Library">
+            The easiest approach would be to download the `.so` file for Linux directly from the [Fortanix PKCS#11 installation page](https://fortanix.zendesk.com/hc/en-us/sections/4408769080724-PKCS-11).
+            
+            Create a configuration file named `pkcs11.conf` with the following content:
+            
+            ```
+            api_endpoint = "https://apac.smartkey.io"
+            prevent_duplicate_opaque_objects = true
+            retry_timeout_millis = 60000
+            ```
+            
+            Note: Replace `apac.smartkey.io` with your actual Fortanix domain if different. For more details about the configuration file format and additional options, refer to the [Fortanix PKCS#11 Configuration File Documentation](https://support.fortanix.com/docs/clients-pkcs11-library#511-configuration-file-format).
+          </Step>
+          
+          <Step title="Create a directory for Fortanix files">
+            Create a directory to store the Fortanix library and configuration file:
+            
+            ```bash
+            mkdir -p /etc/fortanix-hsm
+            ```
+            
+            Copy the downloaded `.so` file and the `pkcs11.conf` file to this directory:
+            
+            ```bash
+            cp /path/to/fortanix_pkcs11_4.37.2554.so /etc/fortanix-hsm/
+            cp /path/to/pkcs11.conf /etc/fortanix-hsm/
+            ```
+          </Step>
+          
+          <Step title="Run Docker">
+            Run Docker with Fortanix HSM by mounting the directory and setting the required environment variables:
+            
+            ```bash
+            docker run -p 80:8080 \
+              -v /etc/fortanix-hsm:/etc/fortanix-hsm \
+              -e HSM_LIB_PATH="/etc/fortanix-hsm/fortanix_pkcs11_4.37.2554.so" \  # Path to the PKCS#11 library
+              -e HSM_PIN="MDE3YWUxO..." \  # Your Fortanix app API key used for authentication
+              -e HSM_SLOT=0 \              # Slot value (arbitrary for Fortanix HSM)
+              -e HSM_KEY_LABEL="hsm-key-label" \  # Label to identify the encryption key in the HSM
+              -e FORTANIX_PKCS11_CONFIG_PATH="/etc/fortanix-hsm/pkcs11.conf" \  # Path to Fortanix configuration file
+              
+              # The rest are unrelated to HSM setup...
+              -e ENCRYPTION_KEY="<>" \
+              -e AUTH_SECRET="<>" \
+              -e DB_CONNECTION_URI="<>" \
+              -e REDIS_URL="<>" \
+              -e SITE_URL="<>" \
+              infisical/infisical-fips:<version> # Replace <version> with the version you want to use
+            ```
+            
+            <Warning>
+              Note: Fortanix HSM integration only works for AMD64 CPU architectures.
+            </Warning>
+          </Step>
+        </Steps>
+        After following these steps, your Docker setup will be ready to use Fortanix HSM encryption.
+      </Tab>
    </Tabs>
  </Tab>
  <Tab title="Kubernetes">
@@ -569,6 +641,173 @@ For organizations that work with US government agencies, FIPS compliance is almo
        </Steps>
        After following these steps, your Kubernetes setup will be ready to use HSM encryption.
      </Tab>
+      <Tab title="Fortanix HSM">
+        <Steps>
+          <Step title="Set up Fortanix HSM">
+            First, you need to set up Fortanix HSM by:
+            
+            1. Creating an App in Fortanix:
+               - Set Interface value to be PKCS#11
+               - Select API key as authentication method
+               - Assign app to a group
+
+              ![Fortanix HSM Setup](/images/platform/kms/hsm/fortanix-hsm-setup.png)
+
+            2. Take note of the domain (e.g., apac.smartkey.io). You will need this when setting up the configuration file.
+          </Step>
+          
+          <Step title="Create configuration files">
+            Create a directory to store the Fortanix configuration files:
+            
+            ```bash
+            mkdir -p /etc/fortanix-hsm
+            ```
+            
+            Download the Fortanix PKCS#11 library for Linux from the [Fortanix PKCS#11 installation page](https://fortanix.zendesk.com/hc/en-us/sections/4408769080724-PKCS-11).
+            
+            Create a configuration file named `pkcs11.conf` with the following content:
+            
+            ```
+            api_endpoint = "https://apac.smartkey.io"
+            prevent_duplicate_opaque_objects = true
+            retry_timeout_millis = 60000
+            ```
+            
+            Note: Replace `apac.smartkey.io` with your actual Fortanix domain if different.
+          </Step>
+          
+          <Step title="Creating a Persistent Volume Claim (PVC)">
+            Create a Persistent Volume Claim to store the Fortanix files:
+            
+            ```bash
+            kubectl apply -f - <<EOF
+            apiVersion: v1
+            kind: PersistentVolumeClaim
+            metadata:
+              name: fortanix-hsm-pvc
+            spec:
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 100Mi
+            EOF
+            ```
+            
+            Create a temporary pod to upload the files:
+            
+            ```bash
+            kubectl apply -f - <<EOF
+            apiVersion: v1
+            kind: Pod
+            metadata:
+              name: fortanix-setup-pod
+            spec:
+              containers:
+              - name: setup
+                image: busybox
+                command: ["/bin/sh", "-c", "sleep 3600"]
+                volumeMounts:
+                - name: fortanix-data
+                  mountPath: /data
+              volumes:
+              - name: fortanix-data
+                persistentVolumeClaim:
+                  claimName: fortanix-hsm-pvc
+            EOF
+            ```
+            
+            Ensure the pod is running:
+            
+            ```bash
+            kubectl wait --for=condition=Ready pod/fortanix-setup-pod --timeout=60s
+            ```
+            
+            Copy the Fortanix files to the PVC:
+            
+            ```bash
+            kubectl exec fortanix-setup-pod -- mkdir -p /data/
+            kubectl cp /etc/fortanix-hsm/fortanix_pkcs11_4.37.2554.so fortanix-setup-pod:/data/
+            kubectl cp /etc/fortanix-hsm/pkcs11.conf fortanix-setup-pod:/data/
+            kubectl exec fortanix-setup-pod -- chmod -R 755 /data/
+            ```
+            
+            Delete the temporary pod:
+            
+            ```bash
+            kubectl delete pod fortanix-setup-pod
+            ```
+          </Step>
+          
+          <Step title="Update the Kubernetes Secret">
+            Update your Kubernetes secret with the Fortanix HSM environment variables:
+            
+            ```yaml
+            apiVersion: v1
+            kind: Secret
+            metadata:
+              name: infisical-secrets
+            type: Opaque
+            stringData:
+              # ... Other environment variables ...
+              HSM_LIB_PATH: "/etc/fortanix-hsm/fortanix_pkcs11_4.37.2554.so"  # Path to the PKCS#11 library in the container
+              HSM_PIN: "<your-fortanix-api-key>"  # Your Fortanix app API key used for authentication
+              HSM_SLOT: "0"            # Slot value (can be set to 0 for Fortanix HSM as it's arbitrary)
+              HSM_KEY_LABEL: "hsm-key-label"  # Label to identify the encryption key in the HSM
+              FORTANIX_PKCS11_CONFIG_PATH: "/etc/fortanix-hsm/pkcs11.conf"  # Path to Fortanix configuration file
+            ```
+            
+            Apply the updated secret:
+            
+            ```bash
+            kubectl apply -f ./secret-file-name.yaml
+            ```
+          </Step>
+          
+          <Step title="Update Helm Values">
+            Update your Helm values to use the FIPS-compliant image and mount the Fortanix HSM files:
+            
+            ```yaml
+            # ... The rest of the values.yaml file ...
+            
+            image:
+              repository: infisical/infisical-fips  # Must use "infisical/infisical-fips"
+              tag: "v0.117.1-postgres"
+              pullPolicy: IfNotPresent
+            
+            extraVolumeMounts:
+              - name: fortanix-data
+                mountPath: /etc/fortanix-hsm  # The path where Fortanix files will be available
+            
+            extraVolumes:
+              - name: fortanix-data
+                persistentVolumeClaim:
+                  claimName: fortanix-hsm-pvc
+            
+            # ... The rest of the values.yaml file ...
+            ```
+            
+            <Warning>
+              Note: Fortanix HSM integration only works for AMD64 CPU architectures.
+            </Warning>
+          </Step>
+          
+          <Step title="Upgrade and Restart">
+            Upgrade the Helm chart with the new values:
+            
+            ```bash
+            helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
+            ```
+            
+            Restart the deployment:
+            
+            ```bash
+            kubectl rollout restart deployment/infisical-infisical
+            ```
+          </Step>
+        </Steps>
+        After following these steps, your Kubernetes setup will be ready to use Fortanix HSM encryption.
+      </Tab>
    </Tabs>
  </Tab>
 </Tabs>
--- a/docs/documentation/platform/organization.mdx
+++ b/docs/documentation/platform/organization.mdx
@@ -20,6 +20,7 @@ The **Settings** page lets you manage information about your organization includ
 - **Slug**: The slug of your organization.
 - **Default Organization Member Role**: The role assigned to users when joining your organization unless otherwise specified.
 - **Incident Contacts**: Emails that should be alerted if anything abnormal is detected within the organization.
+- **Enabled Products**: Products which are enabled for your organization. This setting strictly affects the sidebar UI; disabling a product does not disable its API or routes.

 ![organization settings general](../../images/platform/organization/organization-settings-general.png)

@@ -43,7 +44,7 @@ In the **Organization Roles** tab, you can edit current or create new custom rol

 <Info>
  Note that Role-Based Access Management (RBAC) is partly a paid feature.
-  
+
  Infisical provides immutable roles like `admin`, `member`, etc.
  at the organization and project level for free.

--- a/docs/images/platform/kms/hsm/fortanix-hsm-setup.png
+++ b/docs/images/platform/kms/hsm/fortanix-hsm-setup.png
--- a/docs/images/platform/organization/organization-settings-general.png
+++ b/docs/images/platform/organization/organization-settings-general.png
--- a/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
@@ -144,6 +144,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
                    <a
                      href="https://infisical.com/docs/integrations/secret-syncs/overview#key-schemas"
                      target="_blank"
+                      rel="noopener noreferrer"
                    >
                      Key Schema
                    </a>{" "}
--- a/frontend/src/components/v2/Select/Select.tsx
+++ b/frontend/src/components/v2/Select/Select.tsx
@@ -123,6 +123,7 @@ export const SelectItem = forwardRef<HTMLDivElement, SelectItemProps>(
    return (
      <SelectPrimitive.Item
        {...props}
+        disabled={isDisabled}
        className={twMerge(
          "relative mb-0.5 cursor-pointer select-none items-center overflow-hidden truncate rounded-md py-2 pl-10 pr-4 text-sm outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-700/80",
          isSelected && "bg-primary",
--- a/frontend/src/hooks/api/certificates/queries.tsx
+++ b/frontend/src/hooks/api/certificates/queries.tsx
@@ -48,7 +48,7 @@ export const useGetCertBundle = (serialNumber: string) => {
        certificate: string;
        certificateChain: string;
        serialNumber: string;
-        privateKey: string;
+        privateKey: string | null;
      }>(`/api/v1/pki/certificates/${serialNumber}/bundle`);
      return data;
    },
--- a/frontend/src/hooks/api/organization/queries.tsx
+++ b/frontend/src/hooks/api/organization/queries.tsx
@@ -118,7 +118,9 @@ export const useUpdateOrg = () => {
      kmsProductEnabled,
      sshProductEnabled,
      scannerProductEnabled,
-      shareSecretsProductEnabled
+      shareSecretsProductEnabled,
+      maxSharedSecretLifetime,
+      maxSharedSecretViewLimit
    }) => {
      return apiRequest.patch(`/api/v1/organization/${orgId}`, {
        name,
@@ -136,7 +138,9 @@ export const useUpdateOrg = () => {
        kmsProductEnabled,
        sshProductEnabled,
        scannerProductEnabled,
-        shareSecretsProductEnabled
+        shareSecretsProductEnabled,
+        maxSharedSecretLifetime,
+        maxSharedSecretViewLimit
      });
    },
    onSuccess: () => {
--- a/frontend/src/hooks/api/organization/types.ts
+++ b/frontend/src/hooks/api/organization/types.ts
@@ -26,6 +26,8 @@ export type Organization = {
  sshProductEnabled: boolean;
  scannerProductEnabled: boolean;
  shareSecretsProductEnabled: boolean;
+  maxSharedSecretLifetime: number;
+  maxSharedSecretViewLimit: number | null;
 };

 export type UpdateOrgDTO = {
@@ -46,6 +48,8 @@ export type UpdateOrgDTO = {
  sshProductEnabled?: boolean;
  scannerProductEnabled?: boolean;
  shareSecretsProductEnabled?: boolean;
+  maxSharedSecretViewLimit?: number | null;
+  maxSharedSecretLifetime?: number;
 };

 export type BillingDetails = {
--- a/frontend/src/hooks/api/secretSharing/queries.ts
+++ b/frontend/src/hooks/api/secretSharing/queries.ts
@@ -11,10 +11,13 @@ export const secretSharingKeys = {
  allSecretRequests: () => ["secretRequests"] as const,
  specificSecretRequests: ({ offset, limit }: { offset: number; limit: number }) =>
    [...secretSharingKeys.allSecretRequests(), { offset, limit }] as const,
-  getSecretById: (arg: { id: string; hashedHex: string | null; password?: string }) => [
-    "shared-secret",
-    arg
-  ],
+  getSecretById: (arg: {
+    id: string;
+    hashedHex: string | null;
+    password?: string;
+    email?: string;
+    hash?: string;
+  }) => ["shared-secret", arg],
  getSecretRequestById: (arg: { id: string }) => ["secret-request", arg] as const
 };

@@ -70,20 +73,34 @@ export const useGetSecretRequests = ({
 export const useGetActiveSharedSecretById = ({
  sharedSecretId,
  hashedHex,
-  password
+  password,
+  email,
+  hash
 }: {
  sharedSecretId: string;
  hashedHex: string | null;
  password?: string;
+
+  // For secrets shared to specific emails (optional)
+  email?: string;
+  hash?: string;
 }) => {
  return useQuery({
-    queryKey: secretSharingKeys.getSecretById({ id: sharedSecretId, hashedHex, password }),
+    queryKey: secretSharingKeys.getSecretById({
+      id: sharedSecretId,
+      hashedHex,
+      password,
+      email,
+      hash
+    }),
    queryFn: async () => {
      const { data } = await apiRequest.post<TViewSharedSecretResponse>(
        `/api/v1/secret-sharing/shared/public/${sharedSecretId}`,
        {
          ...(hashedHex && { hashedHex }),
-          password
+          password,
+          email,
+          hash
        }
      );

--- a/frontend/src/hooks/api/secretSharing/types.ts
+++ b/frontend/src/hooks/api/secretSharing/types.ts
@@ -32,6 +32,7 @@ export type TCreateSharedSecretRequest = {
  expiresAt: Date;
  expiresAfterViews?: number;
  accessType?: SecretSharingAccessType;
+  emails?: string[];
 };

 export type TCreateSecretRequestRequestDTO = {
--- a/frontend/src/hooks/api/workspace/queries.tsx
+++ b/frontend/src/hooks/api/workspace/queries.tsx
@@ -277,13 +277,20 @@ export const useUpdateProject = () => {
  const queryClient = useQueryClient();

  return useMutation<Workspace, object, UpdateProjectDTO>({
-    mutationFn: async ({ projectID, newProjectName, newProjectDescription, newSlug }) => {
+    mutationFn: async ({
+      projectID,
+      newProjectName,
+      newProjectDescription,
+      newSlug,
+      secretSharing
+    }) => {
      const { data } = await apiRequest.patch<{ workspace: Workspace }>(
        `/api/v1/workspace/${projectID}`,
        {
          name: newProjectName,
          description: newProjectDescription,
-          slug: newSlug
+          slug: newSlug,
+          secretSharing
        }
      );
      return data.workspace;
--- a/frontend/src/hooks/api/workspace/types.ts
+++ b/frontend/src/hooks/api/workspace/types.ts
@@ -37,6 +37,7 @@ export type Workspace = {
  createdAt: string;
  roles?: TProjectRole[];
  hasDeleteProtection: boolean;
+  secretSharing: boolean;
 };

 export type WorkspaceEnv = {
@@ -73,9 +74,10 @@ export type CreateWorkspaceDTO = {

 export type UpdateProjectDTO = {
  projectID: string;
-  newProjectName: string;
+  newProjectName?: string;
  newProjectDescription?: string;
  newSlug?: string;
+  secretSharing?: boolean;
 };

 export type UpdatePitVersionLimitDTO = { projectSlug: string; pitVersionLimit: number };
--- a/frontend/src/pages/cert-manager/CertificatesPage/components/CertificateCertModal.tsx
+++ b/frontend/src/pages/cert-manager/CertificatesPage/components/CertificateCertModal.tsx
@@ -35,7 +35,7 @@ export const CertificateCertModal = ({ popUp, handlePopUpToggle }: Props) => {
        certificate: string;
        certificateChain: string;
        serialNumber: string;
-        privateKey?: string;
+        privateKey?: string | null;
      }
    | undefined = canReadPrivateKey ? bundleData : bodyData;

@@ -52,7 +52,7 @@ export const CertificateCertModal = ({ popUp, handlePopUpToggle }: Props) => {
            serialNumber={data.serialNumber}
            certificate={data.certificate}
            certificateChain={data.certificateChain}
-            privateKey={data.privateKey}
+            privateKey={data.privateKey || undefined}
          />
        ) : (
          <div />
--- a/frontend/src/pages/organization/SecretSharingPage/components/ShareSecret/AddShareSecretModal.tsx
+++ b/frontend/src/pages/organization/SecretSharingPage/components/ShareSecret/AddShareSecretModal.tsx
@@ -30,6 +30,8 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle }: Props) => {
          allowSecretSharingOutsideOrganization={
            currentOrg?.allowSecretSharingOutsideOrganization ?? true
          }
+          maxSharedSecretLifetime={currentOrg?.maxSharedSecretLifetime}
+          maxSharedSecretViewLimit={currentOrg?.maxSharedSecretViewLimit}
        />
      </ModalContent>
    </Modal>
--- a/frontend/src/pages/organization/SecretSharingSettingsPage/SecretSharingSettingsPage.tsx
+++ b/frontend/src/pages/organization/SecretSharingSettingsPage/SecretSharingSettingsPage.tsx
@@ -17,11 +17,11 @@ export const SecretSharingSettingsPage = withPermission(
    return (
      <>
        <Helmet>
-          <title>{t("common.head-title", { title: t("settings.org.title") })}</title>
+          <title>{t("common.head-title", { title: "Secret Share Settings" })}</title>
        </Helmet>
        <div className="flex w-full justify-center bg-bunker-800 text-white">
          <div className="w-full max-w-7xl">
-            <PageHeader title={t("settings.org.title")} />
+            <PageHeader title="Secret Share Settings" />
            <SecretSharingSettingsTabGroup />
          </div>
        </div>
--- a/frontend/src/pages/organization/SecretSharingSettingsPage/components/OrgSecretShareLimitSection/OrgSecretShareLimitSection.tsx
+++ b/frontend/src/pages/organization/SecretSharingSettingsPage/components/OrgSecretShareLimitSection/OrgSecretShareLimitSection.tsx
@@ -0,0 +1,294 @@
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+import { useEffect } from "react";
+
+import { createNotification } from "@app/components/notifications";
+import { OrgPermissionCan } from "@app/components/permissions";
+import { Button, FormControl, Input, Select, SelectItem } from "@app/components/v2";
+import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { useUpdateOrg } from "@app/hooks/api";
+
+const MAX_SHARED_SECRET_LIFETIME_SECONDS = 30 * 24 * 60 * 60; // 30 days in seconds
+const MIN_SHARED_SECRET_LIFETIME_SECONDS = 5 * 60; // 5 minutes in seconds
+
+// Helper function to convert duration to seconds
+const durationToSeconds = (value: number, unit: "m" | "h" | "d"): number => {
+  switch (unit) {
+    case "m":
+      return value * 60;
+    case "h":
+      return value * 60 * 60;
+    case "d":
+      return value * 60 * 60 * 24;
+    default:
+      return 0;
+  }
+};
+
+// Helper function to convert seconds to form lifetime value and unit
+const getFormLifetimeFromSeconds = (
+  totalSeconds: number | null | undefined
+): { maxLifetimeValue: number; maxLifetimeUnit: "m" | "h" | "d" } => {
+  const DEFAULT_LIFETIME_VALUE = 30;
+  const DEFAULT_LIFETIME_UNIT = "d" as "m" | "h" | "d";
+
+  if (totalSeconds == null || totalSeconds <= 0) {
+    return {
+      maxLifetimeValue: DEFAULT_LIFETIME_VALUE,
+      maxLifetimeUnit: DEFAULT_LIFETIME_UNIT
+    };
+  }
+
+  const secondsInDay = 24 * 60 * 60;
+  const secondsInHour = 60 * 60;
+  const secondsInMinute = 60;
+
+  if (totalSeconds % secondsInDay === 0) {
+    const value = totalSeconds / secondsInDay;
+    if (value >= 1) return { maxLifetimeValue: value, maxLifetimeUnit: "d" };
+  }
+
+  if (totalSeconds % secondsInHour === 0) {
+    const value = totalSeconds / secondsInHour;
+    if (value >= 1) return { maxLifetimeValue: value, maxLifetimeUnit: "h" };
+  }
+
+  if (totalSeconds % secondsInMinute === 0) {
+    const value = totalSeconds / secondsInMinute;
+    if (value >= 1) return { maxLifetimeValue: value, maxLifetimeUnit: "m" };
+  }
+
+  return {
+    maxLifetimeValue: DEFAULT_LIFETIME_VALUE,
+    maxLifetimeUnit: DEFAULT_LIFETIME_UNIT
+  };
+};
+
+const formSchema = z
+  .object({
+    maxLifetimeValue: z.number().min(1, "Value must be at least 1"),
+    maxLifetimeUnit: z.enum(["m", "h", "d"], {
+      invalid_type_error: "Please select a valid time unit"
+    }),
+    maxViewLimit: z.string()
+  })
+  .superRefine((data, ctx) => {
+    const { maxLifetimeValue, maxLifetimeUnit } = data;
+
+    const durationInSeconds = durationToSeconds(maxLifetimeValue, maxLifetimeUnit);
+
+    // Check max limit
+    if (durationInSeconds > MAX_SHARED_SECRET_LIFETIME_SECONDS) {
+      let message = "Duration exceeds maximum allowed limit";
+
+      if (maxLifetimeUnit === "m") {
+        message = `Maximum allowed minutes is ${MAX_SHARED_SECRET_LIFETIME_SECONDS / 60} (30 days)`;
+      } else if (maxLifetimeUnit === "h") {
+        message = `Maximum allowed hours is ${MAX_SHARED_SECRET_LIFETIME_SECONDS / (60 * 60)} (30 days)`;
+      } else if (maxLifetimeUnit === "d") {
+        message = `Maximum allowed days is ${MAX_SHARED_SECRET_LIFETIME_SECONDS / (24 * 60 * 60)}`;
+      }
+
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message,
+        path: ["maxLifetimeValue"]
+      });
+    }
+
+    // Check min limit
+    if (durationInSeconds < MIN_SHARED_SECRET_LIFETIME_SECONDS) {
+      const message = `Duration must be at least ${MIN_SHARED_SECRET_LIFETIME_SECONDS / 60} minutes`; // 5 minutes
+
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message,
+        path: ["maxLifetimeValue"]
+      });
+    }
+  });
+
+type TForm = z.infer<typeof formSchema>;
+
+const viewLimitOptions = [
+  { label: "1", value: 1 },
+  { label: "Unlimited", value: -1 }
+];
+
+export const OrgSecretShareLimitSection = () => {
+  const { mutateAsync } = useUpdateOrg();
+  const { currentOrg } = useOrganization();
+
+  const getDefaultFormValues = () => {
+    const initialLifetime = getFormLifetimeFromSeconds(currentOrg?.maxSharedSecretLifetime);
+    return {
+      maxLifetimeValue: initialLifetime.maxLifetimeValue,
+      maxLifetimeUnit: initialLifetime.maxLifetimeUnit,
+      maxViewLimit: currentOrg?.maxSharedSecretViewLimit?.toString() || "-1"
+    };
+  };
+
+  const {
+    control,
+    formState: { isSubmitting, isDirty },
+    handleSubmit,
+    reset
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    defaultValues: getDefaultFormValues()
+  });
+
+  useEffect(() => {
+    if (currentOrg) {
+      reset(getDefaultFormValues());
+    }
+  }, [currentOrg, reset]);
+
+  const handleFormSubmit = async (formData: TForm) => {
+    try {
+      const maxSharedSecretLifetimeSeconds = durationToSeconds(
+        formData.maxLifetimeValue,
+        formData.maxLifetimeUnit
+      );
+
+      await mutateAsync({
+        orgId: currentOrg.id,
+        maxSharedSecretViewLimit:
+          formData.maxViewLimit === "-1" ? null : Number(formData.maxViewLimit),
+        maxSharedSecretLifetime: maxSharedSecretLifetimeSeconds
+      });
+
+      createNotification({
+        text: "Successfully updated secret share limits",
+        type: "success"
+      });
+
+      reset(formData);
+    } catch {
+      createNotification({
+        text: "Failed to update secret share limits",
+        type: "error"
+      });
+    }
+  };
+
+  // Units for the dropdown with readable labels
+  const timeUnits = [
+    { value: "m", label: "Minutes" },
+    { value: "h", label: "Hours" },
+    { value: "d", label: "Days" }
+  ];
+
+  return (
+    <div className="mb-4 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="flex w-full items-center justify-between">
+        <p className="text-xl font-semibold">Secret Share Limits</p>
+      </div>
+      <p className="mb-4 mt-2 text-sm text-gray-400">
+        These settings establish the maximum limits for all Shared Secret parameters within this
+        organization. Shared secrets cannot be created with values exceeding these limits.
+      </p>
+      <OrgPermissionCan I={OrgPermissionActions.Edit} a={OrgPermissionSubjects.Settings}>
+        {(isAllowed) => (
+          <form onSubmit={handleSubmit(handleFormSubmit)} autoComplete="off">
+            <div className="flex max-w-sm gap-4">
+              <Controller
+                control={control}
+                name="maxLifetimeValue"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error)}
+                    errorText={error?.message}
+                    tooltipText="The max amount of time that can be set before the secret share link expires."
+                    label="Max Lifetime"
+                    className="w-full"
+                  >
+                    <Input
+                      {...field}
+                      type="number"
+                      min={1}
+                      step={1}
+                      value={field.value}
+                      onChange={(e) => {
+                        const val = e.target.value;
+                        field.onChange(val === "" ? "" : parseInt(val, 10));
+                      }}
+                      disabled={!isAllowed}
+                    />
+                  </FormControl>
+                )}
+              />
+              <Controller
+                control={control}
+                name="maxLifetimeUnit"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error)}
+                    errorText={error?.message}
+                    label="Time unit"
+                  >
+                    <Select
+                      value={field.value}
+                      className="pr-2"
+                      onValueChange={field.onChange}
+                      placeholder="Select time unit"
+                      isDisabled={!isAllowed}
+                    >
+                      {timeUnits.map(({ value, label }) => (
+                        <SelectItem
+                          key={value}
+                          value={value}
+                          className="relative py-2 pl-6 pr-8 text-sm hover:bg-mineshaft-700"
+                        >
+                          <div className="ml-3 font-medium">{label}</div>
+                        </SelectItem>
+                      ))}
+                    </Select>
+                  </FormControl>
+                )}
+              />
+            </div>
+            <div className="flex max-w-sm">
+              <Controller
+                control={control}
+                name="maxViewLimit"
+                render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                  <FormControl
+                    label="Max Views"
+                    errorText={error?.message}
+                    isError={Boolean(error)}
+                    className="w-full"
+                  >
+                    <Select
+                      defaultValue={field.value}
+                      {...field}
+                      onValueChange={(e) => onChange(e)}
+                      className="w-full"
+                      isDisabled={!isAllowed}
+                    >
+                      {viewLimitOptions.map(({ label, value: viewLimitValue }) => (
+                        <SelectItem value={String(viewLimitValue || "")} key={label}>
+                          {label}
+                        </SelectItem>
+                      ))}
+                    </Select>
+                  </FormControl>
+                )}
+              />
+            </div>
+            <Button
+              colorSchema="secondary"
+              type="submit"
+              isLoading={isSubmitting}
+              disabled={!isDirty || !isAllowed}
+              className="mt-4"
+            >
+              Save
+            </Button>
+          </form>
+        )}
+      </OrgPermissionCan>
+    </div>
+  );
+};
--- a/frontend/src/pages/organization/SecretSharingSettingsPage/components/OrgSecretShareLimitSection/index.tsx
+++ b/frontend/src/pages/organization/SecretSharingSettingsPage/components/OrgSecretShareLimitSection/index.tsx
@@ -0,0 +1 @@
+export { OrgSecretShareLimitSection } from "./OrgSecretShareLimitSection";
--- a/frontend/src/pages/organization/SecretSharingSettingsPage/components/SecretSharingSettingsGeneralTab/SecretSharingSettingsGeneralTab.tsx
+++ b/frontend/src/pages/organization/SecretSharingSettingsPage/components/SecretSharingSettingsGeneralTab/SecretSharingSettingsGeneralTab.tsx
@@ -1,9 +1,11 @@
+import { OrgSecretShareLimitSection } from "../OrgSecretShareLimitSection";
 import { SecretSharingAllowShareToAnyone } from "../SecretSharingAllowShareToAnyone";

 export const SecretSharingSettingsGeneralTab = () => {
  return (
    <div className="w-full">
      <SecretSharingAllowShareToAnyone />
+      <OrgSecretShareLimitSection />
    </div>
  );
 };
--- a/frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/OrgProductSelectSection.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/OrgProductSelectSection.tsx
@@ -1,10 +1,10 @@
 import { useEffect, useState } from "react";
+import axios from "axios";

+import { createNotification } from "@app/components/notifications";
 import { Switch } from "@app/components/v2";
 import { useOrganization } from "@app/context";
 import { useUpdateOrg } from "@app/hooks/api";
-import axios from "axios";
-import { createNotification } from "@app/components/notifications";

 export const OrgProductSelectSection = () => {
  const [toggledProducts, setToggledProducts] = useState<{
@@ -79,8 +79,8 @@ export const OrgProductSelectSection = () => {
  };

  return (
-    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
-      <h2 className="text-xl font-semibold text-mineshaft-100">Organization Products</h2>
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 px-6 py-5">
+      <h2 className="text-xl font-semibold text-mineshaft-100">Enabled Products</h2>
      <p className="mb-4 text-gray-400">
        Select which products are available for your organization.
      </p>
--- a/frontend/src/pages/organization/SettingsPage/components/OrgSecurityTab/OrgUserAccessTokenLimitSection.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/OrgSecurityTab/OrgUserAccessTokenLimitSection.tsx
@@ -96,61 +96,59 @@ export const OrgUserAccessTokenLimitSection = () => {
      <OrgPermissionCan I={OrgPermissionActions.Edit} a={OrgPermissionSubjects.Settings}>
        {(isAllowed) => (
          <form onSubmit={handleSubmit(handleUserTokenExpirationSubmit)} autoComplete="off">
-            <div className="flex max-w-md gap-4">
-              <div className="flex-1">
-                <Controller
-                  control={control}
-                  name="expirationValue"
-                  render={({ field, fieldState: { error } }) => (
-                    <FormControl
-                      isError={Boolean(error)}
-                      errorText={error?.message}
-                      label="Expiration value"
+            <div className="flex max-w-sm gap-4">
+              <Controller
+                control={control}
+                name="expirationValue"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error)}
+                    errorText={error?.message}
+                    label="Expiration value"
+                    className="w-full"
+                  >
+                    <Input
+                      {...field}
+                      type="number"
+                      min={1}
+                      step={1}
+                      value={field.value}
+                      onChange={(e) => field.onChange(parseInt(e.target.value, 10))}
+                      disabled={!isAllowed}
+                    />
+                  </FormControl>
+                )}
+              />
+
+              <Controller
+                control={control}
+                name="expirationUnit"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error)}
+                    errorText={error?.message}
+                    label="Time unit"
+                  >
+                    <Select
+                      value={field.value}
+                      className="pr-2"
+                      onValueChange={field.onChange}
+                      placeholder="Select time unit"
+                      isDisabled={!isAllowed}
                    >
-                      <Input
-                        {...field}
-                        type="number"
-                        min={1}
-                        step={1}
-                        value={field.value}
-                        onChange={(e) => field.onChange(parseInt(e.target.value, 10))}
-                        disabled={!isAllowed}
-                      />
-                    </FormControl>
-                  )}
-                />
-              </div>
-              <div className="flex-1">
-                <Controller
-                  control={control}
-                  name="expirationUnit"
-                  render={({ field, fieldState: { error } }) => (
-                    <FormControl
-                      isError={Boolean(error)}
-                      errorText={error?.message}
-                      label="Time unit"
-                    >
-                      <Select
-                        value={field.value}
-                        className="pr-2"
-                        onValueChange={field.onChange}
-                        placeholder="Select time unit"
-                        isDisabled={!isAllowed}
-                      >
-                        {timeUnits.map(({ value, label }) => (
-                          <SelectItem
-                            key={value}
-                            value={value}
-                            className="relative py-2 pl-6 pr-8 text-sm hover:bg-mineshaft-700"
-                          >
-                            <div className="ml-3 font-medium">{label}</div>
-                          </SelectItem>
-                        ))}
-                      </Select>
-                    </FormControl>
-                  )}
-                />
-              </div>
+                      {timeUnits.map(({ value, label }) => (
+                        <SelectItem
+                          key={value}
+                          value={value}
+                          className="relative py-2 pl-6 pr-8 text-sm hover:bg-mineshaft-700"
+                        >
+                          <div className="ml-3 font-medium">{label}</div>
+                        </SelectItem>
+                      ))}
+                    </Select>
+                  </FormControl>
+                )}
+              />
            </div>
            <Button
              colorSchema="secondary"
--- a/frontend/src/pages/organization/SsoPage/components/OrgSsoTab/OrgSsoTab.tsx
+++ b/frontend/src/pages/organization/SsoPage/components/OrgSsoTab/OrgSsoTab.tsx
@@ -1,7 +1,7 @@
 import { twMerge } from "tailwind-merge";

 import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
-import { Button, ContentLoader } from "@app/components/v2";
+import { Button, ContentLoader, EmptyState } from "@app/components/v2";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
@@ -60,102 +60,108 @@ export const OrgSsoTab = withPermission(
    const shouldShowCreateIdentityProviderView =
      !isOidcConfigured && !isSamlConfigured && !isLdapConfigured;

-    const createIdentityProviderView = (shouldDisplaySection(LoginMethod.SAML) ||
+    const createIdentityProviderView =
+      shouldDisplaySection(LoginMethod.SAML) ||
      shouldDisplaySection(LoginMethod.OIDC) ||
-      shouldDisplaySection(LoginMethod.LDAP)) && (
-      <>
-        <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-6">
-          <p className="text-xl font-semibold text-gray-200">Connect an Identity Provider</p>
-          <p className="mb-2 mt-1 text-gray-400">
-            Connect your identity provider to simplify user management
-          </p>
-          {shouldDisplaySection(LoginMethod.SAML) && (
-            <div
-              className={twMerge(
-                "mt-4 flex items-center justify-between",
-                (shouldDisplaySection(LoginMethod.OIDC) ||
-                  shouldDisplaySection(LoginMethod.LDAP)) &&
-                  "border-b border-mineshaft-500 pb-4"
-              )}
-            >
-              <p className="text-lg text-gray-200">SAML</p>
-              <Button
-                colorSchema="secondary"
-                onClick={() => {
-                  if (!subscription?.samlSSO) {
-                    handlePopUpOpen("upgradePlan", { feature: "SAML SSO", plan: "Pro" });
-                    return;
-                  }
-
-                  handlePopUpOpen("addSSO");
-                }}
+      shouldDisplaySection(LoginMethod.LDAP) ? (
+        <>
+          <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-6">
+            <p className="text-xl font-semibold text-gray-200">Connect an Identity Provider</p>
+            <p className="mb-2 mt-1 text-gray-400">
+              Connect your identity provider to simplify user management
+            </p>
+            {shouldDisplaySection(LoginMethod.SAML) && (
+              <div
+                className={twMerge(
+                  "mt-4 flex items-center justify-between",
+                  (shouldDisplaySection(LoginMethod.OIDC) ||
+                    shouldDisplaySection(LoginMethod.LDAP)) &&
+                    "border-b border-mineshaft-500 pb-4"
+                )}
              >
-                Connect
-              </Button>
-            </div>
-          )}
-          {shouldDisplaySection(LoginMethod.OIDC) && (
-            <div
-              className={twMerge(
-                "mt-4 flex items-center justify-between",
-                shouldDisplaySection(LoginMethod.LDAP) && "border-b border-mineshaft-500 pb-4"
-              )}
-            >
-              <p className="text-lg text-gray-200">OIDC</p>
-              <Button
-                colorSchema="secondary"
-                onClick={() => {
-                  if (!subscription?.oidcSSO) {
-                    handlePopUpOpen("upgradePlan", { feature: "OIDC SSO", plan: "Pro" });
-                    return;
-                  }
+                <p className="text-lg text-gray-200">SAML</p>
+                <Button
+                  colorSchema="secondary"
+                  onClick={() => {
+                    if (!subscription?.samlSSO) {
+                      handlePopUpOpen("upgradePlan", { feature: "SAML SSO", plan: "Pro" });
+                      return;
+                    }

-                  handlePopUpOpen("addOIDC");
-                }}
+                    handlePopUpOpen("addSSO");
+                  }}
+                >
+                  Connect
+                </Button>
+              </div>
+            )}
+            {shouldDisplaySection(LoginMethod.OIDC) && (
+              <div
+                className={twMerge(
+                  "mt-4 flex items-center justify-between",
+                  shouldDisplaySection(LoginMethod.LDAP) && "border-b border-mineshaft-500 pb-4"
+                )}
              >
-                Connect
-              </Button>
-            </div>
-          )}
-          {shouldDisplaySection(LoginMethod.LDAP) && (
-            <div className="mt-4 flex items-center justify-between">
-              <p className="text-lg text-gray-200">LDAP</p>
-              <Button
-                colorSchema="secondary"
-                onClick={() => {
-                  if (!subscription?.ldap) {
-                    handlePopUpOpen("upgradePlan", { feature: "LDAP", plan: "Enterprise" });
-                    return;
-                  }
+                <p className="text-lg text-gray-200">OIDC</p>
+                <Button
+                  colorSchema="secondary"
+                  onClick={() => {
+                    if (!subscription?.oidcSSO) {
+                      handlePopUpOpen("upgradePlan", { feature: "OIDC SSO", plan: "Pro" });
+                      return;
+                    }

-                  handlePopUpOpen("addLDAP");
-                }}
-              >
-                Connect
-              </Button>
-            </div>
-          )}
-        </div>
-        <SSOModal
-          hideDelete
-          popUp={popUp}
-          handlePopUpClose={handlePopUpClose}
-          handlePopUpToggle={handlePopUpToggle}
-        />
-        <OIDCModal
-          hideDelete
-          popUp={popUp}
-          handlePopUpClose={handlePopUpClose}
-          handlePopUpToggle={handlePopUpToggle}
-        />
-        <LDAPModal
-          hideDelete
-          popUp={popUp}
-          handlePopUpClose={handlePopUpClose}
-          handlePopUpToggle={handlePopUpToggle}
-        />
-      </>
-    );
+                    handlePopUpOpen("addOIDC");
+                  }}
+                >
+                  Connect
+                </Button>
+              </div>
+            )}
+            {shouldDisplaySection(LoginMethod.LDAP) && (
+              <div className="mt-4 flex items-center justify-between">
+                <p className="text-lg text-gray-200">LDAP</p>
+                <Button
+                  colorSchema="secondary"
+                  onClick={() => {
+                    if (!subscription?.ldap) {
+                      handlePopUpOpen("upgradePlan", { feature: "LDAP", plan: "Enterprise" });
+                      return;
+                    }
+
+                    handlePopUpOpen("addLDAP");
+                  }}
+                >
+                  Connect
+                </Button>
+              </div>
+            )}
+          </div>
+          <SSOModal
+            hideDelete
+            popUp={popUp}
+            handlePopUpClose={handlePopUpClose}
+            handlePopUpToggle={handlePopUpToggle}
+          />
+          <OIDCModal
+            hideDelete
+            popUp={popUp}
+            handlePopUpClose={handlePopUpClose}
+            handlePopUpToggle={handlePopUpToggle}
+          />
+          <LDAPModal
+            hideDelete
+            popUp={popUp}
+            handlePopUpClose={handlePopUpClose}
+            handlePopUpToggle={handlePopUpToggle}
+          />
+        </>
+      ) : (
+        <EmptyState title="" iconSize="2x" className="!pb-10 pt-14">
+          <p className="text-center text-lg">Single Sign-On (SSO) has been disabled</p>
+          <p className="text-center">Contact your server administrator</p>
+        </EmptyState>
+      );

    if (areConfigsLoading) {
      return <ContentLoader />;
--- a/frontend/src/pages/public/ShareSecretPage/ShareSecretPage.tsx
+++ b/frontend/src/pages/public/ShareSecretPage/ShareSecretPage.tsx
@@ -91,7 +91,7 @@ export const ShareSecretPage = () => {
                Infisical
              </a>
              <br />
-              156 2nd st, 3rd Floor, San Francisco, California, 94105, United States. 🇺🇸
+              235 2nd st, San Francisco, California, 94105, United States. 🇺🇸
            </p>
          </div>
        </div>
--- a/frontend/src/pages/public/ShareSecretPage/components/ShareSecretForm.tsx
+++ b/frontend/src/pages/public/ShareSecretPage/components/ShareSecretForm.tsx
@@ -6,7 +6,19 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";

 import { createNotification } from "@app/components/notifications";
-import { Button, FormControl, IconButton, Input, Select, SelectItem } from "@app/components/v2";
+import {
+  Accordion,
+  AccordionContent,
+  AccordionItem,
+  AccordionTrigger,
+  Button,
+  FormControl,
+  IconButton,
+  Input,
+  Select,
+  SelectItem,
+  Switch
+} from "@app/components/v2";
 import { useTimedReset } from "@app/hooks";
 import { useCreatePublicSharedSecret, useCreateSharedSecret } from "@app/hooks/api";
 import { SecretSharingAccessType } from "@app/hooks/api/secretSharing";
@@ -33,7 +45,24 @@ const schema = z.object({
  secret: z.string().min(1),
  expiresIn: z.string(),
  viewLimit: z.string(),
-  accessType: z.nativeEnum(SecretSharingAccessType).optional()
+  accessType: z.nativeEnum(SecretSharingAccessType).optional(),
+  emails: z
+    .string()
+    .optional()
+    .refine(
+      (val) => {
+        if (!val) return true;
+        const emails = val
+          .split(",")
+          .map((email) => email.trim())
+          .filter((email) => email !== "");
+        if (emails.length > 100) return false;
+        return emails.every((email) => z.string().email().safeParse(email).success);
+      },
+      {
+        message: "Must be a comma-separated list of valid emails (max 100) or empty."
+      }
+    )
 });

 export type FormData = z.infer<typeof schema>;
@@ -42,14 +71,18 @@ type Props = {
  isPublic: boolean; // whether or not this is a public (non-authenticated) secret sharing form
  value?: string;
  allowSecretSharingOutsideOrganization?: boolean;
+  maxSharedSecretLifetime?: number;
+  maxSharedSecretViewLimit?: number | null;
 };

 export const ShareSecretForm = ({
  isPublic,
  value,
-  allowSecretSharingOutsideOrganization = true
+  allowSecretSharingOutsideOrganization = true,
+  maxSharedSecretLifetime,
+  maxSharedSecretViewLimit
 }: Props) => {
-  const [secretLink, setSecretLink] = useState("");
+  const [secretLink, setSecretLink] = useState<string | null>(null);
  const [, isCopyingSecret, setCopyTextSecret] = useTimedReset<string>({
    initialState: "Copy to clipboard"
  });
@@ -58,6 +91,15 @@ export const ShareSecretForm = ({
  const privateSharedSecretCreator = useCreateSharedSecret();
  const createSharedSecret = isPublic ? publicSharedSecretCreator : privateSharedSecretCreator;

+  // Note: maxSharedSecretLifetime is in seconds
+  const filteredExpiresInOptions = maxSharedSecretLifetime
+    ? expiresInOptions.filter((v) => v.value / 1000 <= maxSharedSecretLifetime)
+    : expiresInOptions;
+
+  const filteredViewLimitOptions = maxSharedSecretViewLimit
+    ? viewLimitOptions.filter((v) => v.value > 0 && v.value <= maxSharedSecretViewLimit)
+    : viewLimitOptions;
+
  const {
    control,
    reset,
@@ -66,7 +108,10 @@ export const ShareSecretForm = ({
  } = useForm<FormData>({
    resolver: zodResolver(schema),
    defaultValues: {
-      secret: value || ""
+      secret: value || "",
+      viewLimit: filteredViewLimitOptions[filteredViewLimitOptions.length - 1].value.toString(),
+      expiresIn:
+        filteredExpiresInOptions[Math.min(filteredExpiresInOptions.length - 1, 2)].value.toString()
    }
  });

@@ -76,32 +121,45 @@ export const ShareSecretForm = ({
    secret,
    expiresIn,
    viewLimit,
-    accessType
+    accessType,
+    emails
  }: FormData) => {
    try {
      const expiresAt = new Date(new Date().getTime() + Number(expiresIn));

+      const processedEmails = emails ? emails.split(",").map((e) => e.trim()) : undefined;
+
      const { id } = await createSharedSecret.mutateAsync({
        name,
        password,
        secretValue: secret,
        expiresAt,
        expiresAfterViews: viewLimit === "-1" ? undefined : Number(viewLimit),
-        accessType
+        accessType,
+        emails: processedEmails
      });

-      const link = `${window.location.origin}/shared/secret/${id}`;
+      if (processedEmails && processedEmails.length > 0) {
+        setSecretLink("");
+        createNotification({
+          text: `Shared secret link emailed to ${processedEmails.length} user(s).`,
+          type: "success"
+        });
+      } else {
+        const link = `${window.location.origin}/shared/secret/${id}`;
+
+        setSecretLink(link);
+
+        navigator.clipboard.writeText(link);
+        setCopyTextSecret("secret");
+
+        createNotification({
+          text: "Shared secret link copied to clipboard.",
+          type: "success"
+        });
+      }

-      setSecretLink(link);
      reset();
-
-      navigator.clipboard.writeText(link);
-      setCopyTextSecret("secret");
-
-      createNotification({
-        text: "Shared secret link copied to clipboard.",
-        type: "success"
-      });
    } catch (error) {
      console.error(error);
      createNotification({
@@ -111,152 +169,256 @@ export const ShareSecretForm = ({
    }
  };

-  const hasSecretLink = Boolean(secretLink);
-
-  return !hasSecretLink ? (
-    <form onSubmit={handleSubmit(onFormSubmit)}>
-      {!isPublic && (
+  if (secretLink === null)
+    return (
+      <form onSubmit={handleSubmit(onFormSubmit)}>
+        {!isPublic && (
+          <Controller
+            control={control}
+            name="name"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Name"
+                isOptional
+                isError={Boolean(error)}
+                errorText={error?.message}
+              >
+                <Input
+                  {...field}
+                  placeholder="API Key"
+                  type="text"
+                  autoComplete="off"
+                  autoCorrect="off"
+                  spellCheck="false"
+                />
+              </FormControl>
+            )}
+          />
+        )}
        <Controller
          control={control}
-          name="name"
+          name="secret"
          render={({ field, fieldState: { error } }) => (
            <FormControl
-              label="Name (Optional)"
+              label="Your Secret"
              isError={Boolean(error)}
              errorText={error?.message}
+              className="mb-2"
+              isRequired
            >
-              <Input
+              <textarea
+                placeholder="Enter sensitive data to share via an encrypted link..."
                {...field}
-                placeholder="API Key"
-                type="text"
-                autoComplete="off"
-                autoCorrect="off"
-                spellCheck="false"
+                className="h-40 min-h-[70px] w-full rounded-md border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5 text-bunker-300 outline-none transition-all placeholder:text-mineshaft-400 hover:border-primary-400/30 focus:border-primary-400/50 group-hover:mr-2"
+                disabled={value !== undefined}
              />
            </FormControl>
          )}
        />
-      )}
-      <Controller
-        control={control}
-        name="secret"
-        render={({ field, fieldState: { error } }) => (
-          <FormControl
-            label="Your Secret"
-            isError={Boolean(error)}
-            errorText={error?.message}
-            className="mb-2"
-            isRequired
-          >
-            <textarea
-              placeholder="Enter sensitive data to share via an encrypted link..."
-              {...field}
-              className="h-40 min-h-[70px] w-full rounded-md border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5 text-bunker-300 outline-none transition-all placeholder:text-mineshaft-400 hover:border-primary-400/30 focus:border-primary-400/50 group-hover:mr-2"
-              disabled={value !== undefined}
-            />
-          </FormControl>
-        )}
-      />
-      <Controller
-        control={control}
-        name="password"
-        render={({ field, fieldState: { error } }) => (
-          <FormControl
-            label="Password"
-            isError={Boolean(error)}
-            errorText={error?.message}
-            isOptional
-          >
-            <Input
-              {...field}
-              placeholder="Password"
-              type="password"
-              autoComplete="new-password"
-              autoCorrect="off"
-              spellCheck="false"
-              aria-autocomplete="none"
-              data-form-type="other"
-            />
-          </FormControl>
-        )}
-      />
-      <Controller
-        control={control}
-        name="expiresIn"
-        defaultValue="3600000"
-        render={({ field: { onChange, ...field }, fieldState: { error } }) => (
-          <FormControl label="Expires In" errorText={error?.message} isError={Boolean(error)}>
-            <Select
-              defaultValue={field.value}
-              {...field}
-              onValueChange={(e) => onChange(e)}
-              className="w-full"
-            >
-              {expiresInOptions.map(({ label, value: expiresInValue }) => (
-                <SelectItem value={String(expiresInValue || "")} key={label}>
-                  {label}
-                </SelectItem>
-              ))}
-            </Select>
-          </FormControl>
-        )}
-      />
-      <Controller
-        control={control}
-        name="viewLimit"
-        defaultValue="-1"
-        render={({ field: { onChange, ...field }, fieldState: { error } }) => (
-          <FormControl label="Max Views" errorText={error?.message} isError={Boolean(error)}>
-            <Select
-              defaultValue={field.value}
-              {...field}
-              onValueChange={(e) => onChange(e)}
-              className="w-full"
-            >
-              {viewLimitOptions.map(({ label, value: viewLimitValue }) => (
-                <SelectItem value={String(viewLimitValue || "")} key={label}>
-                  {label}
-                </SelectItem>
-              ))}
-            </Select>
-          </FormControl>
-        )}
-      />
-      {!isPublic && (
        <Controller
          control={control}
-          name="accessType"
-          defaultValue={SecretSharingAccessType.Organization}
-          render={({ field: { onChange, ...field }, fieldState: { error } }) => (
-            <FormControl label="General Access" errorText={error?.message} isError={Boolean(error)}>
-              <Select
-                defaultValue={field.value}
+          name="password"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Password"
+              isError={Boolean(error)}
+              errorText={error?.message}
+              isOptional
+            >
+              <Input
                {...field}
-                onValueChange={(e) => onChange(e)}
-                className="w-full"
-              >
-                {allowSecretSharingOutsideOrganization && (
-                  <SelectItem value={SecretSharingAccessType.Anyone}>Anyone</SelectItem>
-                )}
-                <SelectItem value={SecretSharingAccessType.Organization}>
-                  People within your organization
-                </SelectItem>
-              </Select>
+                placeholder="Password"
+                type="password"
+                autoComplete="new-password"
+                autoCorrect="off"
+                spellCheck="false"
+                aria-autocomplete="none"
+                data-form-type="other"
+              />
            </FormControl>
          )}
        />
-      )}
-      <Button
-        className="mt-4"
-        size="sm"
-        type="submit"
-        isLoading={isSubmitting}
-        isDisabled={isSubmitting}
-      >
-        Create Secret Link
-      </Button>
-    </form>
-  ) : (
+
+        {!isPublic && (
+          <Controller
+            control={control}
+            name="accessType"
+            defaultValue={SecretSharingAccessType.Organization}
+            render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+              <FormControl
+                helperText={
+                  allowSecretSharingOutsideOrganization ? undefined : (
+                    <span className="text-red-500">Feature enforced by organization</span>
+                  )
+                }
+                errorText={error?.message}
+                isError={Boolean(error)}
+              >
+                <Switch
+                  className={`ml-0 mr-2 bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-primary ${!allowSecretSharingOutsideOrganization ? "opacity-50" : ""}`}
+                  thumbClassName="bg-mineshaft-800"
+                  containerClassName="flex-row-reverse w-fit"
+                  isChecked={
+                    field.value === SecretSharingAccessType.Organization ||
+                    !allowSecretSharingOutsideOrganization
+                  }
+                  isDisabled={!allowSecretSharingOutsideOrganization}
+                  onCheckedChange={(v) =>
+                    onChange(
+                      v ? SecretSharingAccessType.Organization : SecretSharingAccessType.Anyone
+                    )
+                  }
+                  id="org-access-only"
+                >
+                  Limit access to people within organization
+                </Switch>
+              </FormControl>
+            )}
+          />
+        )}
+
+        <Accordion type="single" collapsible className="w-full">
+          <AccordionItem value="advance-settings" className="data-[state=open]:border-none">
+            <AccordionTrigger className="h-fit flex-none pl-1 text-sm">
+              <div className="order-1 ml-3">Advanced Settings</div>
+            </AccordionTrigger>
+            <AccordionContent childrenClassName="p-0">
+              <Controller
+                control={control}
+                name="expiresIn"
+                render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                  <FormControl
+                    label="Expires In"
+                    errorText={error?.message}
+                    isError={Boolean(error)}
+                    helperText={
+                      expiresInOptions.length !== filteredExpiresInOptions.length ? (
+                        <span className="text-yellow-500">
+                          Limited to{" "}
+                          {filteredExpiresInOptions[filteredExpiresInOptions.length - 1].label} by
+                          organization
+                        </span>
+                      ) : undefined
+                    }
+                  >
+                    <Select
+                      defaultValue={field.value}
+                      {...field}
+                      onValueChange={(e) => onChange(e)}
+                      className="w-full"
+                    >
+                      {expiresInOptions.map(({ label, value: expiresInValue }) => (
+                        <SelectItem
+                          value={String(expiresInValue || "")}
+                          key={label}
+                          isDisabled={!filteredExpiresInOptions.some((v) => v.label === label)}
+                        >
+                          {label}
+                        </SelectItem>
+                      ))}
+                    </Select>
+                  </FormControl>
+                )}
+              />
+              <Controller
+                control={control}
+                name="viewLimit"
+                render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                  <FormControl
+                    label="Max Views"
+                    errorText={error?.message}
+                    isError={Boolean(error)}
+                    helperText={
+                      viewLimitOptions.length !== filteredViewLimitOptions.length ? (
+                        <span className="text-yellow-500">
+                          Limited to{" "}
+                          {filteredViewLimitOptions[filteredViewLimitOptions.length - 1].label} by
+                          organization
+                        </span>
+                      ) : undefined
+                    }
+                  >
+                    <Select
+                      defaultValue={field.value}
+                      {...field}
+                      onValueChange={(e) => onChange(e)}
+                      className="w-full"
+                    >
+                      {viewLimitOptions.map(({ label, value: viewLimitValue }) => (
+                        <SelectItem
+                          value={String(viewLimitValue || "")}
+                          key={label}
+                          isDisabled={!filteredViewLimitOptions.some((v) => v.label === label)}
+                        >
+                          {label}
+                        </SelectItem>
+                      ))}
+                    </Select>
+                  </FormControl>
+                )}
+              />
+
+              {!isPublic && (
+                <Controller
+                  control={control}
+                  name="emails"
+                  render={({ field, fieldState: { error } }) => (
+                    <FormControl
+                      label="Authorized Emails"
+                      isOptional
+                      tooltipText="Unique secret links will be emailed to each individual. The secret will only be accessible to those links."
+                      tooltipClassName="max-w-sm"
+                      isError={Boolean(error)}
+                      errorText={error?.message}
+                    >
+                      <Input
+                        {...field}
+                        placeholder="user1@example.com, user2@example.com"
+                        autoComplete="off"
+                      />
+                    </FormControl>
+                  )}
+                />
+              )}
+            </AccordionContent>
+          </AccordionItem>
+        </Accordion>
+
+        <div className="flex w-full justify-end">
+          <Button
+            className="mt-4"
+            size="sm"
+            type="submit"
+            isLoading={isSubmitting}
+            isDisabled={isSubmitting}
+          >
+            Create Secret Link
+          </Button>
+        </div>
+      </form>
+    );
+
+  if (secretLink === "")
+    return (
+      <>
+        <div className="mt-1 flex w-full items-center justify-center gap-2">
+          <FontAwesomeIcon icon={faCheck} className="text-green-500" />
+          <span>Shared secret link has been emailed to select users.</span>
+        </div>
+        <Button
+          className="mt-6 w-full bg-mineshaft-700 py-3 text-bunker-200"
+          colorSchema="primary"
+          variant="outline_bg"
+          size="sm"
+          onClick={() => setSecretLink(null)}
+          rightIcon={<FontAwesomeIcon icon={faRedo} className="pl-2" />}
+        >
+          Share Another Secret
+        </Button>
+      </>
+    );
+
+  return (
    <>
      <div className="mr-2 flex items-center justify-end rounded-md bg-white/[0.05] p-2 text-base text-gray-400">
        <p className="mr-4 break-all">{secretLink}</p>
@@ -265,7 +427,7 @@ export const ShareSecretForm = ({
          colorSchema="secondary"
          className="group relative ml-2"
          onClick={() => {
-            navigator.clipboard.writeText(secretLink);
+            navigator.clipboard.writeText(secretLink || "");
            setCopyTextSecret("Copied");
          }}
        >
@@ -277,7 +439,7 @@ export const ShareSecretForm = ({
        colorSchema="primary"
        variant="outline_bg"
        size="sm"
-        onClick={() => setSecretLink("")}
+        onClick={() => setSecretLink(null)}
        rightIcon={<FontAwesomeIcon icon={faRedo} className="pl-2" />}
      >
        Share Another Secret
--- a/frontend/src/pages/public/ViewSecretRequestByIDPage/ViewSecretRequestByIDPage.tsx
+++ b/frontend/src/pages/public/ViewSecretRequestByIDPage/ViewSecretRequestByIDPage.tsx
@@ -175,7 +175,7 @@ export const ViewSecretRequestByIDPage = () => {
              Infisical
            </a>
            <br />
-            156 2nd st, 3rd Floor, San Francisco, California, 94105, United States. 🇺🇸
+            235 2nd st, San Francisco, California, 94105, United States. 🇺🇸
          </p>
        </div>
      </div>
--- a/frontend/src/pages/public/ViewSharedSecretByIDPage/ViewSharedSecretByIDPage.tsx
+++ b/frontend/src/pages/public/ViewSharedSecretByIDPage/ViewSharedSecretByIDPage.tsx
@@ -38,6 +38,14 @@ export const ViewSharedSecretByIDPage = () => {
    from: ROUTE_PATHS.Public.ViewSharedSecretByIDPage.id,
    select: (el) => el.key
  });
+  const email = useSearch({
+    from: ROUTE_PATHS.Public.ViewSharedSecretByIDPage.id,
+    select: (el) => el.email
+  });
+  const hash = useSearch({
+    from: ROUTE_PATHS.Public.ViewSharedSecretByIDPage.id,
+    select: (el) => el.hash
+  });
  const [password, setPassword] = useState<string>();
  const { hashedHex, key } = extractDetailsFromUrl(urlEncodedKey);

@@ -49,7 +57,9 @@ export const ViewSharedSecretByIDPage = () => {
  } = useGetActiveSharedSecretById({
    sharedSecretId: id,
    hashedHex,
-    password
+    password,
+    email,
+    hash
  });

  const navigate = useNavigate();
@@ -57,15 +67,16 @@ export const ViewSharedSecretByIDPage = () => {
  const isUnauthorized =
    ((error as AxiosError)?.response?.data as { statusCode: number })?.statusCode === 401;

-  const isForbidden =
-    ((error as AxiosError)?.response?.data as { statusCode: number })?.statusCode === 403;
-
  const isInvalidCredential =
    ((error as AxiosError)?.response?.data as { message: string })?.message ===
    "Invalid credentials";

+  const isEmailUnauthorized =
+    ((error as AxiosError)?.response?.data as { message: string })?.message ===
+    "Email not authorized to view secret";
+
  useEffect(() => {
-    if (isUnauthorized && !isInvalidCredential) {
+    if (isUnauthorized && !isInvalidCredential && !isEmailUnauthorized) {
      // persist current URL in session storage so that we can come back to this after successful login
      sessionStorage.setItem(
        SessionStorageKeys.ORG_LOGIN_SUCCESS_REDIRECT_URL,
@@ -85,10 +96,10 @@ export const ViewSharedSecretByIDPage = () => {
      });
    }

-    if (isForbidden) {
+    if (error) {
      createNotification({
        type: "error",
-        text: "You do not have access to this shared secret."
+        text: ((error as AxiosError)?.response?.data as { message: string })?.message
      });
    }
  }, [error]);
@@ -195,7 +206,7 @@ export const ViewSharedSecretByIDPage = () => {
              Infisical
            </a>
            <br />
-            156 2nd st, 3rd Floor, San Francisco, California, 94105, United States. 🇺🇸
+            235 2nd st, San Francisco, California, 94105, United States. 🇺🇸
          </p>
        </div>
      </div>
--- a/frontend/src/pages/public/ViewSharedSecretByIDPage/route.tsx
+++ b/frontend/src/pages/public/ViewSharedSecretByIDPage/route.tsx
@@ -7,7 +7,9 @@ import { authKeys, fetchAuthToken } from "@app/hooks/api/auth/queries";
 import { ViewSharedSecretByIDPage } from "./ViewSharedSecretByIDPage";

 const SharedSecretByIDPageQuerySchema = z.object({
-  key: z.string().catch("")
+  key: z.string().catch(""),
+  email: z.string().optional(),
+  hash: z.string().optional()
 });

 export const Route = createFileRoute("/shared/secret/$secretId")({
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx
@@ -95,7 +95,6 @@ export const SecretDetailSidebar = ({
  handleSecretShare
 }: Props) => {
  const {
-    register,
    control,
    watch,
    handleSubmit,
@@ -104,7 +103,8 @@ export const SecretDetailSidebar = ({
    formState: { isDirty, isSubmitting }
  } = useForm<TFormSchema>({
    resolver: zodResolver(formSchema),
-    values: secret
+    values: secret,
+    disabled: !secret
  });

  const { handlePopUpToggle, popUp, handlePopUpOpen } = usePopUp([
@@ -398,11 +398,19 @@ export const SecretDetailSidebar = ({
                                  autoFocus={false}
                                />
                                <Tooltip
-                                  content="You don't have permission to view the secret value."
-                                  isDisabled={!secret?.secretValueHidden}
+                                  content={
+                                    !currentWorkspace.secretSharing
+                                      ? "This project does not allow secret sharing."
+                                      : "You don't have permission to view the secret value."
+                                  }
+                                  isDisabled={
+                                    !secret?.secretValueHidden && currentWorkspace.secretSharing
+                                  }
                                >
                                  <Button
-                                    isDisabled={secret?.secretValueHidden}
+                                    isDisabled={
+                                      secret?.secretValueHidden || !currentWorkspace.secretSharing
+                                    }
                                    className="px-2 py-[0.43rem] font-normal"
                                    variant="outline_bg"
                                    leftIcon={<FontAwesomeIcon icon={faShare} />}
@@ -705,14 +713,25 @@ export const SecretDetailSidebar = ({
                  </FormControl>
                </div>
              </div>
-              <FormControl label="Comments & Notes">
-                <TextArea
-                  className="border border-mineshaft-600 bg-bunker-800 text-sm"
-                  {...register("comment")}
-                  readOnly={isReadOnly}
-                  rows={5}
-                />
-              </FormControl>
+              <Controller
+                control={control}
+                name="comment"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    label="Comments & Notes"
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                    className="mb-0"
+                  >
+                    <TextArea
+                      className="border border-mineshaft-600 bg-bunker-800 text-sm"
+                      readOnly={isReadOnly}
+                      rows={5}
+                      {...field}
+                    />
+                  </FormControl>
+                )}
+              />
              <FormControl>
                {secretReminderRepeatDays && secretReminderRepeatDays > 0 ? (
                  <div className="flex items-center justify-between px-2">
@@ -913,7 +932,9 @@ export const SecretDetailSidebar = ({
                                variant="outline_bg"
                                size="sm"
                                className="h-8 w-8 rounded-md"
-                                onClick={() => setValue("value", secretValue)}
+                                onClick={() =>
+                                  setValue("value", secretValue, { shouldDirty: true })
+                                }
                              >
                                <FontAwesomeIcon icon={faArrowRotateRight} />
                              </IconButton>
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem.tsx
@@ -589,7 +589,7 @@ export const SecretItem = memo(
                    )}
                  </ProjectPermissionCan>
                  <IconButton
-                    isDisabled={secret.secretValueHidden}
+                    isDisabled={secret.secretValueHidden || !currentWorkspace.secretSharing}
                    className="w-0 overflow-hidden p-0 group-hover:w-5"
                    variant="plain"
                    size="md"
--- a/frontend/src/pages/secret-manager/SettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx
+++ b/frontend/src/pages/secret-manager/SettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx
@@ -10,6 +10,7 @@ import { DeleteProjectSection } from "../DeleteProjectSection";
 import { EnvironmentSection } from "../EnvironmentSection";
 import { PointInTimeVersionLimitSection } from "../PointInTimeVersionLimitSection";
 import { RebuildSecretIndicesSection } from "../RebuildSecretIndicesSection/RebuildSecretIndicesSection";
+import { SecretSharingSection } from "../SecretSharingSection";
 import { SecretTagsSection } from "../SecretTagsSection";

 export const ProjectGeneralTab = () => {
@@ -22,6 +23,7 @@ export const ProjectGeneralTab = () => {
      {isSecretManager && <EnvironmentSection />}
      {isSecretManager && <SecretTagsSection />}
      {isSecretManager && <AutoCapitalizationSection />}
+      {isSecretManager && <SecretSharingSection />}
      {isSecretManager && <PointInTimeVersionLimitSection />}
      <AuditLogsRetentionSection />
      {isSecretManager && <BackfillSecretReferenceSecretion />}
--- a/frontend/src/pages/secret-manager/SettingsPage/components/SecretSharingSection/SecretSharingSection.tsx
+++ b/frontend/src/pages/secret-manager/SettingsPage/components/SecretSharingSection/SecretSharingSection.tsx
@@ -0,0 +1,64 @@
+import { useState } from "react";
+
+import { createNotification } from "@app/components/notifications";
+import { ProjectPermissionCan } from "@app/components/permissions";
+import { Checkbox } from "@app/components/v2";
+import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
+import { useUpdateProject } from "@app/hooks/api/workspace/queries";
+
+export const SecretSharingSection = () => {
+  const { currentWorkspace } = useWorkspace();
+  const { mutateAsync: updateProject } = useUpdateProject();
+
+  const [isLoading, setIsLoading] = useState(false);
+
+  const handleToggle = async (state: boolean) => {
+    setIsLoading(true);
+
+    try {
+      if (!currentWorkspace?.id) {
+        setIsLoading(false);
+        return;
+      }
+
+      await updateProject({
+        projectID: currentWorkspace.id,
+        secretSharing: state
+      });
+
+      createNotification({
+        text: `Successfully ${state ? "enabled" : "disabled"} secret sharing for this project`,
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to update secret sharing for this project",
+        type: "error"
+      });
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <p className="mb-3 text-xl font-semibold">Allow Secret Sharing</p>
+      <ProjectPermissionCan I={ProjectPermissionActions.Edit} a={ProjectPermissionSub.Settings}>
+        {(isAllowed) => (
+          <div className="w-max">
+            <Checkbox
+              className="data-[state=checked]:bg-primary"
+              id="secretSharing"
+              isDisabled={!isAllowed || isLoading}
+              isChecked={currentWorkspace?.secretSharing ?? true}
+              onCheckedChange={(state) => handleToggle(state as boolean)}
+            >
+              This feature enables your project members to securely share secrets.
+            </Checkbox>
+          </div>
+        )}
+      </ProjectPermissionCan>
+    </div>
+  );
+};
--- a/frontend/src/pages/secret-manager/SettingsPage/components/SecretSharingSection/index.tsx
+++ b/frontend/src/pages/secret-manager/SettingsPage/components/SecretSharingSection/index.tsx
@@ -0,0 +1 @@
+export { SecretSharingSection } from "./SecretSharingSection";
--- a/k8-operator/controllers/infisicalpushsecret/infisicalpushsecret_controller.go
+++ b/k8-operator/controllers/infisicalpushsecret/infisicalpushsecret_controller.go
@@ -30,9 +30,9 @@ import (
 // InfisicalSecretReconciler reconciles a InfisicalSecret object
 type InfisicalPushSecretReconciler struct {
 	client.Client
-
-	BaseLogger logr.Logger
-	Scheme     *runtime.Scheme
+	IsNamespaceScoped bool
+	BaseLogger        logr.Logger
+	Scheme            *runtime.Scheme
 }

 var infisicalPushSecretResourceVariablesMap map[string]util.ResourceVariables = make(map[string]util.ResourceVariables)
@@ -51,7 +51,7 @@ func (r *InfisicalPushSecretReconciler) GetLogger(req ctrl.Request) logr.Logger
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list
 //+kubebuilder:rbac:groups="authentication.k8s.io",resources=tokenreviews,verbs=create
 //+kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=create
-// +kubebuilder:rbac:groups=secrets.infisical.com,resources=clustergenerators,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=secrets.infisical.com,resources=clustergenerators,verbs=get;list;watch;create;update;patch;delete
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 // For more details, check Reconcile and its Result here:
@@ -249,19 +249,26 @@ func (r *InfisicalPushSecretReconciler) SetupWithManager(mgr ctrl.Manager) error
 		},
 	}

-	return ctrl.NewControllerManagedBy(mgr).
+	controllerManager := ctrl.NewControllerManagedBy(mgr).
 		For(&secretsv1alpha1.InfisicalPushSecret{}, builder.WithPredicates(
 			specChangeOrDelete,
 		)).
 		Watches(
 			&source.Kind{Type: &corev1.Secret{}},
 			handler.EnqueueRequestsFromMapFunc(r.findPushSecretsForSecret),
-		).
-		Watches(
+		)
+
+	if !r.IsNamespaceScoped {
+		r.BaseLogger.Info("Watching ClusterGenerators for non-namespace scoped operator")
+		controllerManager.Watches(
 			&source.Kind{Type: &secretsv1alpha1.ClusterGenerator{}},
 			handler.EnqueueRequestsFromMapFunc(r.findPushSecretsForClusterGenerator),
-		).
-		Complete(r)
+		)
+	} else {
+		r.BaseLogger.Info("Not watching ClusterGenerators for namespace scoped operator")
+	}
+
+	return controllerManager.Complete(r)
 }

 func (r *InfisicalPushSecretReconciler) findPushSecretsForClusterGenerator(o client.Object) []reconcile.Request {
@@ -277,6 +284,7 @@ func (r *InfisicalPushSecretReconciler) findPushSecretsForClusterGenerator(o cli
 	}

 	requests := []reconcile.Request{}
+
 	for _, pushSecret := range pushSecrets.Items {
 		if pushSecret.Spec.Push.Generators != nil {
 			for _, generator := range pushSecret.Spec.Push.Generators {
--- a/k8-operator/main.go
+++ b/k8-operator/main.go
@@ -99,9 +99,10 @@ func main() {
 	}

 	if err = (&infisicalPushSecretController.InfisicalPushSecretReconciler{
-		Client:     mgr.GetClient(),
-		Scheme:     mgr.GetScheme(),
-		BaseLogger: ctrl.Log,
+		Client:            mgr.GetClient(),
+		Scheme:            mgr.GetScheme(),
+		BaseLogger:        ctrl.Log,
+		IsNamespaceScoped: namespace != "",
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "InfisicalPushSecret")
 		os.Exit(1)
Author	SHA1	Message	Date
Daniel Hougaard	78c4a591a9	requested changes	2025-05-29 16:57:22 +04:00
Daniel Hougaard	f6b7717517	fix: allow https on gateway k8s hosts	2025-05-29 16:39:47 +04:00
Daniel Hougaard	10d14edc20	Update infisicalpushsecret_controller.go	2025-05-20 23:35:43 +04:00
Daniel Hougaard	52feabd786	fix(k8s): disable clustergenerator watching in namespace scoped installation	2025-05-20 23:03:58 +04:00
Daniel Hougaard	8d8a3efd77	Merge pull request #3631 from Infisical/daniel/password-resets-fix fix(password-resets): allow password resets when users don't have a password set	2025-05-20 18:14:07 +04:00
Daniel Hougaard	677180548b	Update auth-password-service.ts	2025-05-20 17:47:47 +04:00
Daniel Hougaard	293bea474e	Merge pull request #3626 from Infisical/daniel/agent-injector-docs docs: k8s agent injector	2025-05-20 17:33:15 +04:00
Sheen	1f85d9c486	Merge pull request #3629 from Infisical/misc/add-fortanix-hsm misc: add docs for Fortanix HSM	2025-05-20 20:51:13 +08:00
Daniel Hougaard	75d33820b3	Merge pull request #3630 from Infisical/daniel/agent-exit-code fix(agent): exit code 1 on fetch secrets error	2025-05-20 14:39:34 +04:00
Daniel Hougaard	074446df1f	Update agent.go	2025-05-20 14:32:07 +04:00
Daniel Hougaard	5250e7c3d5	Update docs/documentation/platform/kms/hsm-integration.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-20 12:34:57 +04:00
Sheen	2deaa4eff3	misc: final revisions	2025-05-20 06:14:15 +00:00
Maidul Islam	0b6bc4c1f0	update spend	2025-05-19 21:58:19 -07:00
Maidul Islam	abbe7bbd0c	Merge pull request #3627 from Infisical/fix-breaking-schema-changes--for-k8s Allow Hyphens in k8s	2025-05-19 18:26:09 -07:00
Maidul Islam	565340dc50	fix lint	2025-05-19 18:13:45 -07:00
Maidul Islam	36c428f152	allow hyphens in host name	2025-05-19 17:45:12 -07:00
Maidul Islam	f97826ea82	allow hyphens in host name	2025-05-19 17:42:42 -07:00
Maidul Islam	0f5cbf055c	remove limit	2025-05-19 17:27:47 -07:00
x032205	b960ee61d7	Merge pull request #3624 from Infisical/product-select-docs add product select to docs + change the heading	2025-05-19 17:16:38 -04:00
x032205	0b98a214a7	ui tweaks	2025-05-19 17:15:42 -04:00
x032205	599c2226e4	Merge pull request #3615 from Infisical/ENG-2787 feat(org): Shared Secret limits for org	2025-05-19 16:26:10 -04:00
Sheen	8e24a4d3f8	misc: added docs	2025-05-19 20:19:39 +00:00
x032205	27486e7600	Merge pull request #3625 from Infisical/ENG-2795 fix secret rollback not tainting form	2025-05-19 16:17:26 -04:00
x032205	979e9efbcb	fix lint issue	2025-05-19 15:52:50 -04:00
Sheen Capadngan	e06b5ecd1b	misc: add error handling for already initialized error	2025-05-20 03:44:21 +08:00
x032205	1097ec64b2	ui improvements	2025-05-19 15:40:07 -04:00
x032205	93fe9929b7	fix secret rollback not tainting form	2025-05-19 15:22:24 -04:00
x032205	aca654a993	Update docs/documentation/platform/organization.mdx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-19 13:38:34 -04:00
x032205	b5cf237a4a	add product select to docs + change the heading	2025-05-19 13:35:35 -04:00
x032205	6efb630200	Moved secret share limits to secret share settings	2025-05-19 12:32:22 -04:00
x032205	151ede6cbf	Merge	2025-05-19 12:20:02 -04:00
x032205	931ee1e8da	Merge pull request #3616 from Infisical/ENG-2783 feat(secret-sharing): Specify Emails	2025-05-19 12:12:07 -04:00
x032205	0401793d38	Changed "token" param to "hash" and used hex encoding for URL	2025-05-19 10:48:58 -04:00
x032205	0613c12508	Merge pull request #3618 from Infisical/fix-bundle-for-old-certs	2025-05-18 13:29:31 -04:00
Daniel Hougaard	60d3ffac5d	Merge pull request #3620 from Infisical/daniel/k8s-auth-fix fix(identities-auth): fixed kubernetes auth login	2025-05-17 22:18:52 +04:00
x032205	f92aba14cd	Merge pull request #3619 from Infisical/fix-padding Org Products Padding Fix	2025-05-17 13:11:56 -04:00
x032205	fdeefcdfcf	padding to match similar container	2025-05-17 13:10:15 -04:00
x032205	645f70f770	tweaks	2025-05-17 13:05:09 -04:00
x032205	923feb81f3	fix bundle endpoint for old certs	2025-05-17 12:44:05 -04:00
x032205	16c51af340	review fixes	2025-05-17 02:17:41 -04:00
x032205	9fd37ca456	greptile review fixes	2025-05-17 01:51:05 -04:00
x032205	92bebf7d84	feat(secret-sharing): Specify Emails	2025-05-17 00:54:40 -04:00
x032205	df053bbae9	Merge pull request #3611 from Infisical/ENG-2782 feat(project): Enable / Disable Secret Sharing	2025-05-16 18:58:39 -04:00
x032205	42319f01a7	greptile review fixes	2025-05-16 18:54:57 -04:00
x032205	0ea9f9b60d	feat(org): Shared Secret limits for org	2025-05-16 18:36:02 -04:00
Scott Wilson	16eefe5bac	Merge pull request #3610 from Infisical/sso-empty-state improvement(sso-page): Add empty display for SSO general tab if no SSO is enabled	2025-05-16 10:10:16 -07:00
Daniel Hougaard	b984111a73	Merge pull request #3612 from Infisical/daniel/cli-auth-fix fix(auth): cli auth bug	2025-05-16 17:29:21 +04:00
x032205	ad50cff184	Update frontend/src/pages/secret-manager/SettingsPage/components/SecretSharingSection/SecretSharingSection.tsx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-16 00:21:30 -04:00
x032205	8e43d2a994	feat(project): Enable / Disable Secret Sharing	2025-05-16 00:08:55 -04:00
Scott Wilson	ef70de1e0b	fix: add noopenner to doc link	2025-05-15 20:05:56 -07:00
Scott Wilson	7e9ee7b5e3	fix: add empty display for sso general tab if no sso is enabled	2025-05-15 20:01:08 -07:00
				`@@ -0,0 +1 @@`
				`export { OrgSecretShareLimitSection } from "./OrgSecretShareLimitSection";`
				`@@ -0,0 +1 @@`
				`export { SecretSharingSection } from "./SecretSharingSection";`