turn paywall on dynamic secret

Merge pull request #1629 from Infisical/dynamic-1
allow viewer to generate and list dynamic secret
2025-08-09 06:02:53 +00:00 · 2024-03-26 17:53:47 -04:00 · 2024-03-26 17:51:26 -04:00 · 2024-03-26 17:50:06 -04:00 · 2024-03-26 15:41:40 -04:00 · 2024-03-26 15:37:24 -04:00
598 changed files with 14939 additions and 6042 deletions
--- a/.env.example
+++ b/.env.example
@@ -3,9 +3,6 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 # Required
 DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
@@ -16,6 +13,9 @@ POSTGRES_PASSWORD=infisical
 POSTGRES_USER=infisical
 POSTGRES_DB=infisical
 # Required
 DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
 # Redis
 REDIS_URL=redis://redis:6379
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@@ -41,6 +41,7 @@ jobs:
          load: true
          context: backend
          tags: infisical/infisical:test
          platforms: linux/amd64,linux/arm64
      - name: ⏻ Spawn backend container and dependencies
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@@ -92,6 +93,7 @@ jobs:
          project: 64mmf0n610
          context: frontend
          tags: infisical/frontend:test
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@@ -0,0 +1,140 @@
 name: Deployment pipeline
 on: [workflow_dispatch]
 permissions:
  id-token: write
  contents: read
 jobs:
  infisical-image:
    name: Build backend image
    runs-on: ubuntu-latest
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: 📦 Install dependencies to test all dependencies
        run: npm ci --only-production
        working-directory: backend
      - name: Save commit hashes for tag
        id: commit
        uses: pr-mpt/actions-commit-hash@v2
      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: 🐋 Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Depot CLI
        uses: depot/setup-action@v1
      - name: 🏗️ Build backend and push to docker hub
        uses: depot/build-push-action@v1
        with:
          project: 64mmf0n610
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: .
          file: Dockerfile.standalone-infisical
          tags: |
            infisical/staging_infisical:${{ steps.commit.outputs.short }}
            infisical/staging_infisical:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
  gamma-deployment:
    name: Deploy to gamma
    runs-on: ubuntu-latest
    needs: [infisical-image]
    environment:
      name: Gamma
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Node.js environment
        uses: actions/setup-node@v2
        with:
          node-version: "20"
      - name: Change directory to backend and install dependencies
        env:
          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
        run: |
          cd backend
          npm install
          npm run migration:latest
      - name: Configure AWS Credentials 
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: sts.amazonaws.com
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
      - name: Save commit hashes for tag
        id: commit
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: infisical-prod-platform
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-prod-platform
          cluster: infisical-prod-platform
          wait-for-service-stability: true
  production-postgres-deployment:
    name: Deploy to production
    runs-on: ubuntu-latest
    needs: [gamma-deployment]
    environment:
      name: Production
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Node.js environment
        uses: actions/setup-node@v2
        with:
          node-version: "20"
      - name: Change directory to backend and install dependencies
        env:
          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
        run: |
          cd backend
          npm install
          npm run migration:latest
      - name: Configure AWS Credentials 
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: sts.amazonaws.com
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
      - name: Save commit hashes for tag
        id: commit
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: infisical-prod-platform
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-prod-platform
          cluster: infisical-prod-platform
          wait-for-service-stability: true
--- a/.github/workflows/build-staging-and-deploy.yml
+++ b/.github/workflows/build-staging-and-deploy.yml
@@ -1,120 +0,0 @@
 name: Build, Publish and Deploy to Gamma
 on: [workflow_dispatch]
 jobs:
  infisical-image:
    name: Build backend image
    runs-on: ubuntu-latest
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: 📦 Install dependencies to test all dependencies
        run: npm ci --only-production
        working-directory: backend
      # - name: 🧪 Run tests
      #   run: npm run test:ci
      #   working-directory: backend
      - name: Save commit hashes for tag
        id: commit
        uses: pr-mpt/actions-commit-hash@v2
      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: 🐋 Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Depot CLI
        uses: depot/setup-action@v1
      - name: 📦 Build backend and export to Docker
        uses: depot/build-push-action@v1
        with:
          project: 64mmf0n610
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          load: true
          context: .
          file: Dockerfile.standalone-infisical
          tags: infisical/infisical:test
      # - name: ⏻ Spawn backend container and dependencies
      #   run: |
      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
      # - name: 🧪 Test backend image
      #   run: |
      #     ./.github/resources/healthcheck.sh infisical-backend-test
      # - name: ⏻ Shut down backend container and dependencies
      #   run: |
      #     docker compose -f .github/resources/docker-compose.be-test.yml down
      - name: 🏗️ Build backend and push
        uses: depot/build-push-action@v1
        with:
          project: 64mmf0n610
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: .
          file: Dockerfile.standalone-infisical
          tags: |
            infisical/staging_infisical:${{ steps.commit.outputs.short }}
            infisical/staging_infisical:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
  postgres-migration:
    name: Run latest migration files
    runs-on: ubuntu-latest
    needs: [infisical-image]
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Node.js environment
        uses: actions/setup-node@v2
        with:
          node-version: "20"
      - name: Change directory to backend and install dependencies
        env:
          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
        run: |
          cd backend
          npm install
          npm run migration:latest
      # - name: Run postgres DB migration files
      #   env:
      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
      #   run: npm run migration:latest
  gamma-deployment:
    name: Deploy to gamma
    runs-on: ubuntu-latest
    needs: [postgres-migration]
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: Install Helm
        uses: azure/setup-helm@v3
        with:
          version: v3.10.0
      - name: Install infisical helm chart
        run: |
          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
          helm repo update
      - name: Install kubectl
        uses: azure/setup-kubectl@v3
      - name: Install doctl
        uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Save DigitalOcean kubeconfig with short-lived credentials
        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
      - name: switch to gamma namespace
        run: kubectl config set-context --current --namespace=gamma
      - name: test kubectl
        run: kubectl get ingress
      - name: Download helm values to file and upgrade gamma deploy
        run: |
          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
          if [[ $(helm status infisical) == *"FAILED"* ]]; then
            echo "Helm upgrade failed"
            exit 1
          else
            echo "Helm upgrade was successful"
          fi
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@@ -118,9 +118,6 @@ WORKDIR /backend
 ENV TELEMETRY_ENABLED true
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js
 EXPOSE 8080
 EXPOSE 443
--- a/README.md
+++ b/README.md
@@ -10,7 +10,8 @@
  <a href="https://infisical.com/">Infisical Cloud</a> |
  <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
  <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a>
+  <a href="https://www.infisical.com">Website</a> |
  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>
 <p align="center">
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@@ -10,7 +10,7 @@ import { seedData1 } from "@app/db/seed-data";
 import { initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
-import { AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
@@ -52,6 +52,8 @@ export default {
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: seedData1.id,
          tokenVersionId: seedData1.token.id,
          authMethod: AuthMethod.EMAIL,
          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
        cfg.AUTH_SECRET,
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -19,8 +19,10 @@ import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TDynamicSecretServiceFactory } from "@app/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -59,9 +61,10 @@ declare module "fastify" {
    // identity injection. depending on which kinda of token the information is filled in auth
    auth: TAuthMode;
    permission: {
      authMethod: ActorAuthMethod;
      type: ActorType;
      id: string;
-      orgId?: string;
+      orgId: string;
    };
    // passport data
    passportUser: {
@@ -116,6 +119,8 @@ declare module "fastify" {
      trustedIp: TTrustedIpServiceFactory;
      secretBlindIndex: TSecretBlindIndexServiceFactory;
      telemetry: TTelemetryServiceFactory;
      dynamicSecret: TDynamicSecretServiceFactory;
      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -17,6 +17,12 @@ import {
  TBackupPrivateKey,
  TBackupPrivateKeyInsert,
  TBackupPrivateKeyUpdate,
  TDynamicSecretLeases,
  TDynamicSecretLeasesInsert,
  TDynamicSecretLeasesUpdate,
  TDynamicSecrets,
  TDynamicSecretsInsert,
  TDynamicSecretsUpdate,
  TGitAppInstallSessions,
  TGitAppInstallSessionsInsert,
  TGitAppInstallSessionsUpdate,
@@ -340,6 +346,12 @@ declare module "knex/types/tables" {
      TSecretSnapshotFoldersInsert,
      TSecretSnapshotFoldersUpdate
    >;
    [TableName.DynamicSecret]: Knex.CompositeTableType<TDynamicSecrets, TDynamicSecretsInsert, TDynamicSecretsUpdate>;
    [TableName.DynamicSecretLease]: Knex.CompositeTableType<
      TDynamicSecretLeases,
      TDynamicSecretLeasesInsert,
      TDynamicSecretLeasesUpdate
    >;
    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
--- a/backend/src/db/migrations/20240318164718_dynamic-secret.ts
+++ b/backend/src/db/migrations/20240318164718_dynamic-secret.ts
@@ -0,0 +1,58 @@
 import { Knex } from "knex";
 import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  const doesTableExist = await knex.schema.hasTable(TableName.DynamicSecret);
  if (!doesTableExist) {
    await knex.schema.createTable(TableName.DynamicSecret, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name").notNullable();
      t.integer("version").notNullable();
      t.string("type").notNullable();
      t.string("defaultTTL").notNullable();
      t.string("maxTTL");
      t.string("inputIV").notNullable();
      t.text("inputCiphertext").notNullable();
      t.string("inputTag").notNullable();
      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
      t.uuid("folderId").notNullable();
      // for background process communication
      t.string("status");
      t.string("statusDetails");
      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
      t.unique(["name", "folderId"]);
      t.timestamps(true, true, true);
    });
  }
  await createOnUpdateTrigger(knex, TableName.DynamicSecret);
  const doesTableDynamicSecretLease = await knex.schema.hasTable(TableName.DynamicSecretLease);
  if (!doesTableDynamicSecretLease) {
    await knex.schema.createTable(TableName.DynamicSecretLease, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.integer("version").notNullable();
      t.string("externalEntityId").notNullable();
      t.datetime("expireAt").notNullable();
      // for background process communication
      t.string("status");
      t.string("statusDetails");
      t.uuid("dynamicSecretId").notNullable();
      t.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
  }
  await createOnUpdateTrigger(knex, TableName.DynamicSecretLease);
 }
 export async function down(knex: Knex): Promise<void> {
  await dropOnUpdateTrigger(knex, TableName.DynamicSecretLease);
  await knex.schema.dropTableIfExists(TableName.DynamicSecretLease);
  await dropOnUpdateTrigger(knex, TableName.DynamicSecret);
  await knex.schema.dropTableIfExists(TableName.DynamicSecret);
 }
--- a/backend/src/db/schemas/dynamic-secret-leases.ts
+++ b/backend/src/db/schemas/dynamic-secret-leases.ts
@@ -0,0 +1,24 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const DynamicSecretLeasesSchema = z.object({
  id: z.string().uuid(),
  version: z.number(),
  externalEntityId: z.string(),
  expireAt: z.date(),
  status: z.string().nullable().optional(),
  statusDetails: z.string().nullable().optional(),
  dynamicSecretId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
 export type TDynamicSecretLeasesInsert = Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>;
 export type TDynamicSecretLeasesUpdate = Partial<Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/dynamic-secrets.ts
+++ b/backend/src/db/schemas/dynamic-secrets.ts
@@ -0,0 +1,31 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const DynamicSecretsSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  version: z.number(),
  type: z.string(),
  defaultTTL: z.string(),
  maxTTL: z.string().nullable().optional(),
  inputIV: z.string(),
  inputCiphertext: z.string(),
  inputTag: z.string(),
  algorithm: z.string().default("aes-256-gcm"),
  keyEncoding: z.string().default("utf8"),
  folderId: z.string().uuid(),
  status: z.string().nullable().optional(),
  statusDetails: z.string().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
 export type TDynamicSecretsInsert = Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>;
 export type TDynamicSecretsUpdate = Partial<Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -3,6 +3,8 @@ export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
 export * from "./backup-private-key";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./identities";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -59,6 +59,8 @@ export enum TableName {
  GitAppOrg = "git_app_org",
  SecretScanningGitRisk = "secret_scanning_git_risks",
  TrustedIps = "trusted_ips",
  DynamicSecret = "dynamic_secrets",
  DynamicSecretLease = "dynamic_secret_leases",
  // junction tables with tags
  JnSecretTag = "secret_tag_junction",
  SecretVersionTag = "secret_version_tag_junction"
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -122,6 +122,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        orgId: req.query.organizationId,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      return ldap;
@@ -151,6 +152,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        orgId: req.body.organizationId,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@@ -184,6 +186,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        orgId: req.body.organizationId,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@@ -24,6 +24,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        actorAuthMethod: req.permission.authMethod,
        billingCycle: req.query.billingCycle
      });
      return data;
@@ -45,6 +46,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return { plan };
@@ -66,6 +68,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgPlan({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@@ -89,6 +93,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        actorAuthMethod: req.permission.authMethod,
        success_url: req.body.success_url
      });
      return data;
@@ -110,6 +115,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@@ -131,6 +137,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@@ -152,6 +159,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@@ -173,6 +181,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@@ -198,6 +207,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        name: req.body.name,
        email: req.body.email
@@ -221,6 +231,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@@ -246,6 +257,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        success_url: req.body.success_url,
        cancel_url: req.body.cancel_url
@@ -271,6 +283,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgPmtMethods({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        pmtMethodId: req.params.pmtMethodId
@@ -295,6 +308,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgTaxIds({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@@ -322,6 +336,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.addOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        type: req.body.type,
@@ -348,6 +363,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        taxId: req.params.taxId
@@ -373,7 +389,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
        actorAuthMethod: req.permission.authMethod
      });
      return data;
    }
@@ -396,6 +413,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@@ -19,7 +19,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          .min(1)
          .trim()
          .refine(
-            (val) => Object.keys(OrgMembershipRole).includes(val),
+            (val) => !Object.keys(OrgMembershipRole).includes(val),
            "Please choose a different slug, the slug you have entered is reserved"
          )
          .refine((v) => slugify(v) === v, {
@@ -41,6 +41,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@@ -84,6 +85,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.params.organizationId,
        req.params.roleId,
        req.body,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@@ -110,6 +112,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.roleId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@@ -138,6 +141,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const roles = await server.services.orgRole.listRoles(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@@ -163,6 +167,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.orgRole.getUserPermission(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { permissions, membership };
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@@ -31,6 +31,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.body,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@@ -65,6 +66,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.params.projectId,
        req.params.roleId,
        req.body,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@@ -92,6 +94,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.params.roleId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@@ -121,6 +124,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.type,
        req.permission.id,
        req.params.projectId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@@ -148,6 +152,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.projectRole.getUserPermission(
        req.permission.id,
        req.params.projectId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { permissions, membership } };
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -38,6 +38,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const secretSnapshots = await server.services.snapshot.listSnapshots({
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
@@ -69,6 +70,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const count = await server.services.snapshot.projectSecretSnapshotCount({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        environment: req.query.environment,
@@ -130,6 +132,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const auditLogs = await server.services.auditLog.listProjectAuditLogs({
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.query,
        auditLogActor: req.query.actor,
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -231,6 +231,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.query.organizationId,
        type: "org"
      });
@@ -259,6 +260,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      const saml = await server.services.saml.createSamlCfg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        ...req.body
@@ -290,6 +292,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      const saml = await server.services.saml.updateSamlCfg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        ...req.body
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -39,6 +39,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        actorAuthMethod: req.permission.authMethod,
        description: req.body.description,
        ttlDays: req.body.ttlDays
      });
@@ -65,6 +66,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      const scimTokens = await server.services.scim.listScimTokens({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.query.organizationId
      });
@@ -92,6 +94,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        scimTokenId: req.params.scimTokenId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
@@ -143,7 +146,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        offset: req.query.startIndex,
        limit: req.query.count,
        filter: req.query.filter,
-        orgId: req.permission.orgId as string
+        orgId: req.permission.orgId
      });
      return users;
    }
@@ -181,7 +184,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const user = await req.server.services.scim.getScimUser({
        userId: req.params.userId,
-        orgId: req.permission.orgId as string
+        orgId: req.permission.orgId
      });
      return user;
    }
@@ -240,7 +243,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        email: primaryEmail,
        firstName: req.body.name.givenName,
        lastName: req.body.name.familyName,
-        orgId: req.permission.orgId as string
+        orgId: req.permission.orgId
      });
      return user;
@@ -277,7 +280,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const user = await req.server.services.scim.updateScimUser({
        userId: req.params.userId,
-        orgId: req.permission.orgId as string,
+        orgId: req.permission.orgId,
        operations: req.body.Operations
      });
      return user;
@@ -327,7 +330,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const user = await req.server.services.scim.replaceScimUser({
        userId: req.params.userId,
-        orgId: req.permission.orgId as string,
+        orgId: req.permission.orgId,
        active: req.body.active
      });
      return user;
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@@ -34,6 +34,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body,
@@ -72,6 +73,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        secretPolicyId: req.params.sapId
@@ -98,6 +100,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        secretPolicyId: req.params.sapId
      });
@@ -123,6 +126,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approvals = await server.services.secretApprovalPolicy.getSecretApprovalPolicyByProjectId({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@@ -150,6 +154,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId,
        ...req.query
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -52,6 +52,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approvals = await server.services.secretApprovalRequest.getSecretApprovals({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
@@ -81,6 +82,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approvals = await server.services.secretApprovalRequest.requestCount({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@@ -106,6 +108,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const { approval } = await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id
      });
@@ -134,6 +137,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const review = await server.services.secretApprovalRequest.reviewApproval({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id,
        status: req.body.status
@@ -163,6 +167,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approval = await server.services.secretApprovalRequest.updateApprovalStatus({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id,
        status: req.body.status
@@ -271,6 +276,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approval = await server.services.secretApprovalRequest.getSecretApprovalDetails({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.id
      });
--- a/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
@@ -30,6 +30,7 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
      const providers = await server.services.secretRotation.getProviderTemplates({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
--- a/backend/src/ee/routes/v1/secret-rotation-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-router.ts
@@ -39,6 +39,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
    handler: async (req) => {
      const secretRotation = await server.services.secretRotation.createRotation({
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        ...req.body,
@@ -74,6 +75,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotation = await server.services.secretRotation.restartById({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        rotationId: req.body.id
      });
@@ -125,6 +127,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotations = await server.services.secretRotation.getByProjectId({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@@ -158,6 +161,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotation = await server.services.secretRotation.deleteById({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        rotationId: req.params.id
      });
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@@ -22,6 +22,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const session = await server.services.secretScanning.createInstallationSession({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId
      });
@@ -46,6 +47,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { installatedApp } = await server.services.secretScanning.linkInstallationToOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@@ -67,6 +69,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const appInstallationCompleted = await server.services.secretScanning.getOrgInstallationStatus({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@@ -88,6 +91,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { risks } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@@ -110,6 +114,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { risk } = await server.services.secretScanning.updateRiskStatus({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        riskId: req.params.riskId,
--- a/backend/src/ee/routes/v1/secret-version-router.ts
+++ b/backend/src/ee/routes/v1/secret-version-router.ts
@@ -27,6 +27,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
      const secretVersions = await server.services.secret.getSecretVersions({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        limit: req.query.limit,
        offset: req.query.offset,
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -47,6 +47,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      const secretSnapshot = await server.services.snapshot.getSnapshotData({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
@@ -79,6 +80,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      const secretSnapshot = await server.services.snapshot.rollbackSnapshot({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
--- a/backend/src/ee/routes/v1/trusted-ip-router.ts
+++ b/backend/src/ee/routes/v1/trusted-ip-router.ts
@@ -22,6 +22,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const trustedIps = await server.services.trustedIp.listIpsByProjectId({
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
@@ -52,6 +53,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { trustedIp, project } = await server.services.trustedIp.addProjectIp({
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
@@ -99,6 +101,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        trustedIpId: req.params.trustedIpId,
        ...req.body
@@ -140,6 +143,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        trustedIpId: req.params.trustedIpId
      });
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@@ -31,10 +31,17 @@ export const auditLogServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    projectId,
    auditLogActor
  }: TListProjectAuditLogDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    const auditLogs = await auditLogDAL.find({
      startDate,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -55,6 +55,7 @@ export const ldapConfigServiceFactory = ({
    actorId,
    orgId,
    actorOrgId,
    actorAuthMethod,
    isActive,
    url,
    bindDN,
@@ -62,7 +63,7 @@ export const ldapConfigServiceFactory = ({
    searchBase,
    caCert
  }: TCreateLdapCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
    const plan = await licenseService.getPlan(orgId);
@@ -149,13 +150,14 @@ export const ldapConfigServiceFactory = ({
    orgId,
    actorOrgId,
    isActive,
    actorAuthMethod,
    url,
    bindDN,
    bindPass,
    searchBase,
    caCert
  }: TUpdateLdapCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
    const plan = await licenseService.getPlan(orgId);
@@ -274,8 +276,14 @@ export const ldapConfigServiceFactory = ({
    };
  };
-  const getLdapCfgWithPermissionCheck = async ({ actor, actorId, orgId, actorOrgId }: TOrgPermission) => {
+  const getLdapCfgWithPermissionCheck = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    actor,
    actorId,
    orgId,
    actorAuthMethod,
    actorOrgId
  }: TOrgPermission) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
    return getLdapCfg({
      orgId
--- a/backend/src/ee/services/license/licence-fns.ts
+++ b/backend/src/ee/services/license/licence-fns.ts
@@ -15,6 +15,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  membersUsed: 0,
  environmentLimit: null,
  environmentsUsed: 0,
  dynamicSecret: false,
  secretVersioning: true,
  pitRecovery: false,
  ipAllowlisting: false,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@@ -8,6 +8,7 @@ import { ForbiddenError } from "@casl/ability";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -26,6 +27,7 @@ import {
  TFeatureSet,
  TGetOrgBillInfoDTO,
  TGetOrgTaxIdDTO,
  TOfflineLicenseContents,
  TOrgInvoiceDTO,
  TOrgLicensesDTO,
  TOrgPlanDTO,
@@ -96,6 +98,36 @@ export const licenseServiceFactory = ({
        }
        return;
      }
      if (appCfg.LICENSE_KEY_OFFLINE) {
        let isValidOfflineLicense = true;
        const contents: TOfflineLicenseContents = JSON.parse(
          Buffer.from(appCfg.LICENSE_KEY_OFFLINE, "base64").toString("utf8")
        );
        const isVerified = await verifyOfflineLicense(JSON.stringify(contents.license), contents.signature);
        if (!isVerified) {
          isValidOfflineLicense = false;
          logger.warn(`Infisical EE offline license verification failed`);
        }
        if (contents.license.terminatesAt) {
          const terminationDate = new Date(contents.license.terminatesAt);
          if (terminationDate < new Date()) {
            isValidOfflineLicense = false;
            logger.warn(`Infisical EE offline license has expired`);
          }
        }
        if (isValidOfflineLicense) {
          onPremFeatures = contents.license.features;
          instanceType = InstanceType.EnterpriseOnPrem;
          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
          isValidLicense = true;
          return;
        }
      }
      // this means this is self hosted oss version
      // else it would reach catch statement
      isValidLicense = true;
@@ -192,9 +224,10 @@ export const licenseServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    billingCycle
  }: TOrgPlansTableDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const { data } = await licenseServerCloudApi.request.get(
      `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
@@ -202,15 +235,22 @@ export const licenseServiceFactory = ({
    return data;
  };
-  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, projectId }: TOrgPlanDTO) => {
+  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const plan = await getPlan(orgId, projectId);
    return plan;
  };
-  const startOrgTrial = async ({ orgId, actorId, actor, actorOrgId, success_url }: TStartOrgTrialDTO) => {
+  const startOrgTrial = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    orgId,
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    success_url
  }: TStartOrgTrialDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
@@ -231,8 +271,14 @@ export const licenseServiceFactory = ({
    return { url };
  };
-  const createOrganizationPortalSession = async ({ orgId, actorId, actor, actorOrgId }: TCreateOrgPortalSession) => {
+  const createOrganizationPortalSession = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    orgId,
    actorId,
    actor,
    actorAuthMethod,
    actorOrgId
  }: TCreateOrgPortalSession) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
@@ -278,8 +324,8 @@ export const licenseServiceFactory = ({
    return { url };
  };
-  const getOrgBillingInfo = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
+  const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -295,8 +341,8 @@ export const licenseServiceFactory = ({
  };
  // returns org current plan feature table
-  const getOrgPlanTable = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
+  const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -311,8 +357,8 @@ export const licenseServiceFactory = ({
    return data;
  };
-  const getOrgBillingDetails = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
+  const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -332,11 +378,12 @@ export const licenseServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    orgId,
    name,
    email
  }: TUpdateOrgBillingDetailsDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -355,8 +402,8 @@ export const licenseServiceFactory = ({
    return data;
  };
-  const getOrgPmtMethods = async ({ orgId, actor, actorId, actorOrgId }: TOrgPmtMethodsDTO) => {
+  const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -378,11 +425,12 @@ export const licenseServiceFactory = ({
    orgId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId,
    success_url,
    cancel_url
  }: TAddOrgPmtMethodDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -403,8 +451,15 @@ export const licenseServiceFactory = ({
    return { url };
  };
-  const delOrgPmtMethods = async ({ actorId, actor, actorOrgId, orgId, pmtMethodId }: TDelOrgPmtMethodDTO) => {
+  const delOrgPmtMethods = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    actorId,
    actor,
    actorAuthMethod,
    actorOrgId,
    orgId,
    pmtMethodId
  }: TDelOrgPmtMethodDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -420,8 +475,8 @@ export const licenseServiceFactory = ({
    return data;
  };
-  const getOrgTaxIds = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgTaxIdDTO) => {
+  const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -438,8 +493,8 @@ export const licenseServiceFactory = ({
    return taxIds;
  };
-  const addOrgTaxId = async ({ actorId, actor, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
+  const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -459,8 +514,8 @@ export const licenseServiceFactory = ({
    return data;
  };
-  const delOrgTaxId = async ({ orgId, actor, actorId, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
+  const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -476,8 +531,8 @@ export const licenseServiceFactory = ({
    return data;
  };
-  const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, orgId }: TOrgInvoiceDTO) => {
+  const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
@@ -493,8 +548,8 @@ export const licenseServiceFactory = ({
    return invoices;
  };
-  const getOrgLicenses = async ({ orgId, actor, actorId, actorOrgId }: TOrgLicensesDTO) => {
+  const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const organization = await orgDAL.findOrgById(orgId);
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@@ -6,12 +6,28 @@ export enum InstanceType {
  Cloud = "cloud"
 }
 export type TOfflineLicenseContents = {
  license: TOfflineLicense;
  signature: string;
 };
 export type TOfflineLicense = {
  issuedTo: string;
  licenseId: string;
  customerId: string | null;
  issuedAt: string;
  expiresAt: string | null;
  terminatesAt: string | null;
  features: TFeatureSet;
 };
 export type TFeatureSet = {
  _id: null;
  slug: null;
  tier: -1;
  workspaceLimit: null;
  workspacesUsed: 0;
  dynamicSecret: false;
  memberLimit: null;
  membersUsed: 0;
  environmentLimit: null;
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -129,11 +129,18 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
        .join(
          // Join the Project table to later select orgId
          TableName.Project,
          `${TableName.IdentityProjectMembership}.projectId`,
          `${TableName.Project}.id`
        )
        .where("identityId", identityId)
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
        .select(
          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
@@ -144,16 +151,16 @@ export const permissionDALFactory = (db: TDbClient) => {
      const permission = sqlNestRelationships({
        data: docs,
        key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField, orgId }) => ({
          id: membershipId,
          identityId,
          projectId,
          role: oldRoleField,
          createdAt: membershipCreatedAt,
          updatedAt: membershipUpdatedAt,
          orgId,
          // just a prefilled value
-          orgAuthEnforced: false,
+          orgAuthEnforced: false
          orgId: ""
        }),
        childrenMapper: [
          {
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -0,0 +1,23 @@
 import { TOrganizations } from "@app/db/schemas";
 import { UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
  if (!actorAuthMethod) return false;
  return [AuthMethod.AZURE_SAML, AuthMethod.OKTA_SAML, AuthMethod.JUMPCLOUD_SAML, AuthMethod.GOOGLE_SAML].includes(
    actorAuthMethod
  );
 }
 function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrganizations["authEnforced"]) {
  if (actorAuthMethod === undefined) {
    throw new UnauthorizedError({ name: "No auth method defined" });
  }
  if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
    throw new UnauthorizedError({ name: "Cannot access org-scoped resource" });
  }
 }
 export { isAuthMethodSaml, validateOrgSAML };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -11,13 +11,15 @@ import {
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { TServiceTokenDALFactory } from "@app/services/service-token/service-token-dal";
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { validateOrgSAML } from "./permission-fns";
 import { TBuildProjectPermissionDTO } from "./permission-types";
 import {
  buildServiceTokenProjectPermission,
@@ -32,6 +34,7 @@ type TPermissionServiceFactoryDep = {
  orgRoleDAL: Pick<TOrgRoleDALFactory, "findOne">;
  projectRoleDAL: Pick<TProjectRoleDALFactory, "findOne">;
  serviceTokenDAL: Pick<TServiceTokenDALFactory, "findById">;
  projectDAL: Pick<TProjectDALFactory, "findById">;
  permissionDAL: TPermissionDALFactory;
 };
@@ -41,7 +44,8 @@ export const permissionServiceFactory = ({
  permissionDAL,
  orgRoleDAL,
  projectRoleDAL,
-  serviceTokenDAL
+  serviceTokenDAL,
  projectDAL
 }: TPermissionServiceFactoryDep) => {
  const buildOrgPermission = (role: string, permission?: unknown) => {
    switch (role) {
@@ -98,16 +102,30 @@ export const permissionServiceFactory = ({
  /*
   * Get user permission in an organization
-   * */
+   */
-  const getUserOrgPermission = async (userId: string, orgId: string, userOrgId?: string) => {
+  const getUserOrgPermission = async (
    userId: string,
    orgId: string,
    authMethod: ActorAuthMethod,
    userOrgId?: string
  ) => {
    const membership = await permissionDAL.getOrgPermission(userId, orgId);
    if (!membership) throw new UnauthorizedError({ name: "User not in org" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }
-    if (membership.orgAuthEnforced && membership.orgId !== userOrgId) {
+
-      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
+    // If the org ID is API_KEY, the request is being made with an API Key.
    // Since we can't scope API keys to an organization, we'll need to do an arbitrary check to see if the user is a member of the organization.
    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }
    validateOrgSAML(authMethod, membership.orgAuthEnforced);
    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
  };
@@ -120,10 +138,16 @@ export const permissionServiceFactory = ({
    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
  };
-  const getOrgPermission = async (type: ActorType, id: string, orgId: string, actorOrgId?: string) => {
+  const getOrgPermission = async (
    type: ActorType,
    id: string,
    orgId: string,
    authMethod: ActorAuthMethod,
    actorOrgId: string | undefined
  ) => {
    switch (type) {
      case ActorType.USER:
-        return getUserOrgPermission(id, orgId, actorOrgId);
+        return getUserOrgPermission(id, orgId, authMethod, actorOrgId);
      case ActorType.IDENTITY:
        return getIdentityOrgPermission(id, orgId);
      default:
@@ -153,34 +177,39 @@ export const permissionServiceFactory = ({
  const getUserProjectPermission = async (
    userId: string,
    projectId: string,
    authMethod: ActorAuthMethod,
    userOrgId?: string
  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
-    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
+    const membership = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
+    if (!membership) throw new UnauthorizedError({ name: "User not in project" });
-    if (
+    if (membership.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)) {
      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
    ) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }
-    if (userProjectPermission.orgAuthEnforced && userProjectPermission.orgId !== userOrgId) {
+    // If the org ID is API_KEY, the request is being made with an API Key.
-      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
+    // Since we can't scope API keys to an organization, we'll need to do an arbitrary check to see if the user is a member of the organization.
    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }
    validateOrgSAML(authMethod, membership.orgAuthEnforced);
    return {
-      permission: buildProjectPermission(userProjectPermission.roles),
+      permission: buildProjectPermission(membership.roles),
-      membership: userProjectPermission,
+      membership,
      hasRole: (role: string) =>
-        userProjectPermission.roles.findIndex(
+        membership.roles.findIndex(({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug) !== -1
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
        ) !== -1
    };
  };
  const getIdentityProjectPermission = async (
    identityId: string,
-    projectId: string
+    projectId: string,
    identityOrgId: string | undefined
  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
@@ -193,6 +222,10 @@ export const permissionServiceFactory = ({
      throw new BadRequestError({ name: "Custom permission not found" });
    }
    if (identityProjectPermission.orgId !== identityOrgId) {
      throw new UnauthorizedError({ name: "You are not a member of this organization" });
    }
    return {
      permission: buildProjectPermission(identityProjectPermission.roles),
      membership: identityProjectPermission,
@@ -203,14 +236,32 @@ export const permissionServiceFactory = ({
    };
  };
-  const getServiceTokenProjectPermission = async (serviceTokenId: string, projectId: string) => {
+  const getServiceTokenProjectPermission = async (
    serviceTokenId: string,
    projectId: string,
    actorOrgId: string | undefined
  ) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });
    const serviceTokenProject = await projectDAL.findById(serviceToken.projectId);
    if (!serviceTokenProject) throw new BadRequestError({ message: "Service token not linked to a project" });
    if (serviceTokenProject.orgId !== actorOrgId) {
      throw new UnauthorizedError({ message: "Service token not a part of this organization" });
    }
    if (serviceToken.projectId !== projectId)
      throw new UnauthorizedError({
        message: "Failed to find service authorization for given project"
      });
    if (serviceTokenProject.orgId !== actorOrgId)
      throw new UnauthorizedError({
        message: "Failed to find service authorization for given project"
      });
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -238,15 +289,16 @@ export const permissionServiceFactory = ({
    type: T,
    id: string,
    projectId: string,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
    actorOrgId: string | undefined
  ): Promise<TProjectPermissionRT<T>> => {
    switch (type) {
      case ActorType.USER:
-        return getUserProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission(id, projectId) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission(id, projectId) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new UnauthorizedError({
          message: "Permission not defined",
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -55,6 +55,7 @@ export const samlConfigServiceFactory = ({
  const createSamlCfg = async ({
    cert,
    actor,
    actorAuthMethod,
    actorOrgId,
    orgId,
    issuer,
@@ -63,7 +64,7 @@ export const samlConfigServiceFactory = ({
    entryPoint,
    authProvider
  }: TCreateSamlCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Sso);
    const plan = await licenseService.getPlan(orgId);
@@ -146,6 +147,7 @@ export const samlConfigServiceFactory = ({
    orgId,
    actor,
    actorOrgId,
    actorAuthMethod,
    cert,
    actorId,
    issuer,
@@ -153,7 +155,7 @@ export const samlConfigServiceFactory = ({
    entryPoint,
    authProvider
  }: TUpdateSamlCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
    const plan = await licenseService.getPlan(orgId);
    if (!plan.samlSSO)
@@ -238,6 +240,7 @@ export const samlConfigServiceFactory = ({
        dto.actor,
        dto.actorId,
        ssoConfig.orgId,
        dto.actorAuthMethod,
        dto.actorOrgId
      );
      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@@ -1,5 +1,5 @@
 import { TOrgPermission } from "@app/lib/types";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 export enum SamlProviders {
  OKTA_SAML = "okta-saml",
@@ -26,7 +26,14 @@ export type TUpdateSamlCfgDTO = Partial<{
  TOrgPermission;
 export type TGetSamlCfgDTO =
-  | { type: "org"; orgId: string; actor: ActorType; actorId: string; actorOrgId?: string }
+  | {
      type: "org";
      orgId: string;
      actor: ActorType;
      actorId: string;
      actorAuthMethod: ActorAuthMethod;
      actorOrgId: string | undefined;
    }
  | {
      type: "orgSlug";
      orgSlug: string;
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -56,8 +56,16 @@ export const scimServiceFactory = ({
  permissionService,
  smtpService
 }: TScimServiceFactoryDep) => {
-  const createScimToken = async ({ actor, actorId, actorOrgId, orgId, description, ttlDays }: TCreateScimTokenDTO) => {
+  const createScimToken = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    orgId,
    description,
    ttlDays
  }: TCreateScimTokenDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Scim);
    const plan = await licenseService.getPlan(orgId);
@@ -85,8 +93,8 @@ export const scimServiceFactory = ({
    return { scimToken };
  };
-  const listScimTokens = async ({ actor, actorId, actorOrgId, orgId }: TOrgPermission) => {
+  const listScimTokens = async ({ actor, actorId, actorOrgId, actorAuthMethod, orgId }: TOrgPermission) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Scim);
    const plan = await licenseService.getPlan(orgId);
@@ -99,11 +107,17 @@ export const scimServiceFactory = ({
    return scimTokens;
  };
-  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorOrgId }: TDeleteScimTokenDTO) => {
+  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteScimTokenDTO) => {
    let scimToken = await scimDAL.findById(scimTokenId);
    if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, scimToken.orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
      actor,
      actorId,
      scimToken.orgId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);
    const plan = await licenseService.getPlan(scimToken.orgId);
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -45,6 +45,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    approvals,
    approvers,
    projectId,
@@ -54,7 +55,13 @@ export const secretApprovalPolicyServiceFactory = ({
    if (approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@@ -98,6 +105,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    approvals,
    secretPolicyId
  }: TUpdateSapDTO) => {
@@ -108,6 +116,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actor,
      actorId,
      secretApprovalPolicy.projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -152,7 +161,13 @@ export const secretApprovalPolicyServiceFactory = ({
    };
  };
-  const deleteSecretApprovalPolicy = async ({ secretPolicyId, actor, actorId, actorOrgId }: TDeleteSapDTO) => {
+  const deleteSecretApprovalPolicy = async ({
    secretPolicyId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TDeleteSapDTO) => {
    const sapPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
    if (!sapPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -160,6 +175,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actor,
      actorId,
      sapPolicy.projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
@@ -171,8 +187,20 @@ export const secretApprovalPolicyServiceFactory = ({
    return sapPolicy;
  };
-  const getSecretApprovalPolicyByProjectId = async ({ actorId, actor, actorOrgId, projectId }: TListSapDTO) => {
+  const getSecretApprovalPolicyByProjectId = async ({
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    projectId
  }: TListSapDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId });
@@ -201,10 +229,17 @@ export const secretApprovalPolicyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    environment,
    secretPath
  }: TGetBoardSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, { secretPath, environment })
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -82,13 +82,14 @@ export const secretApprovalRequestServiceFactory = ({
  secretVersionDAL,
  secretQueueService
 }: TSecretApprovalRequestServiceFactoryDep) => {
-  const requestCount = async ({ projectId, actor, actorId, actorOrgId }: TApprovalRequestCountDTO) => {
+  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
    const { membership } = await permissionService.getProjectPermission(
      actor as ActorType.USER,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
@@ -100,6 +101,7 @@ export const secretApprovalRequestServiceFactory = ({
    projectId,
    actorId,
    actor,
    actorAuthMethod,
    actorOrgId,
    status,
    environment,
@@ -109,7 +111,13 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    const { membership } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { membership } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    const approvals = await secretApprovalRequestDAL.findByProjectId({
      projectId,
      committer,
@@ -122,7 +130,13 @@ export const secretApprovalRequestServiceFactory = ({
    return approvals;
  };
-  const getSecretApprovalDetails = async ({ actor, actorId, actorOrgId, id }: TSecretApprovalDetailsDTO) => {
+  const getSecretApprovalDetails = async ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    id
  }: TSecretApprovalDetailsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
@@ -133,6 +147,7 @@ export const secretApprovalRequestServiceFactory = ({
      actor,
      actorId,
      secretApprovalRequest.projectId,
      actorAuthMethod,
      actorOrgId
    );
    if (
@@ -150,7 +165,14 @@ export const secretApprovalRequestServiceFactory = ({
    return { ...secretApprovalRequest, secretPath: secretPath?.[0]?.path || "/", commits: secrets };
  };
-  const reviewApproval = async ({ approvalId, actor, status, actorId, actorOrgId }: TReviewRequestDTO) => {
+  const reviewApproval = async ({
    approvalId,
    actor,
    status,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TReviewRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
@@ -160,6 +182,7 @@ export const secretApprovalRequestServiceFactory = ({
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
      actorAuthMethod,
      actorOrgId
    );
    if (
@@ -192,7 +215,14 @@ export const secretApprovalRequestServiceFactory = ({
    return reviewStatus;
  };
-  const updateApprovalStatus = async ({ actorId, status, approvalId, actor, actorOrgId }: TStatusChangeDTO) => {
+  const updateApprovalStatus = async ({
    actorId,
    status,
    approvalId,
    actor,
    actorOrgId,
    actorAuthMethod
  }: TStatusChangeDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
@@ -202,6 +232,7 @@ export const secretApprovalRequestServiceFactory = ({
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
      actorAuthMethod,
      actorOrgId
    );
    if (
@@ -229,7 +260,8 @@ export const secretApprovalRequestServiceFactory = ({
    approvalId,
    actor,
    actorId,
-    actorOrgId
+    actorOrgId,
    actorAuthMethod
  }: TMergeSecretApprovalRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
@@ -240,8 +272,10 @@ export const secretApprovalRequestServiceFactory = ({
      ActorType.USER,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
@@ -438,6 +472,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    policy,
    projectId,
    secretPath,
@@ -449,6 +484,7 @@ export const secretApprovalRequestServiceFactory = ({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
@@ -9,6 +9,7 @@ import jmespath from "jmespath";
 import knex from "knex";
 import { getConfig } from "@app/lib/config/env";
 import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
@@ -89,7 +90,7 @@ export const secretRotationDbFn = async ({
  const appCfg = getConfig();
  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  if (host === "localhost" || host === "127.0.0.1" || appCfg.DB_CONNECTION_URI.includes(host))
+  if (host === "localhost" || host === "127.0.0.1" || getDbConnectionHost(appCfg.DB_CONNECTION_URI) === host)
    throw new Error("Invalid db host");
  const db = knex({
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@@ -39,8 +39,20 @@ export const secretRotationServiceFactory = ({
  folderDAL,
  secretDAL
 }: TSecretRotationServiceFactoryDep) => {
-  const getProviderTemplates = async ({ actor, actorId, actorOrgId, projectId }: TProjectPermission) => {
+  const getProviderTemplates = async ({
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
    projectId
  }: TProjectPermission) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    return {
@@ -54,6 +66,7 @@ export const secretRotationServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    inputs,
    outputs,
    interval,
@@ -61,7 +74,13 @@ export const secretRotationServiceFactory = ({
    secretPath,
    environment
  }: TCreateSecretRotationDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRotation
@@ -139,14 +158,20 @@ export const secretRotationServiceFactory = ({
    return secretRotation;
  };
-  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId }: TListByProjectIdDTO) => {
+  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    const doc = await secretRotationDAL.find({ projectId });
    return doc;
  };
-  const restartById = async ({ actor, actorId, actorOrgId, rotationId }: TRestartDTO) => {
+  const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
@@ -157,18 +182,30 @@ export const secretRotationServiceFactory = ({
        message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
      });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, doc.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      doc.projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
    await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
    await secretRotationQueue.addToQueue(doc.id, doc.interval);
    return doc;
  };
-  const deleteById = async ({ actor, actorId, actorOrgId, rotationId }: TDeleteDTO) => {
+  const deleteById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TDeleteDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, doc.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      doc.projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretRotation
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@@ -39,8 +39,14 @@ export const secretScanningServiceFactory = ({
  permissionService,
  secretScanningQueue
 }: TSecretScanningServiceFactoryDep) => {
-  const createInstallationSession = async ({ actor, orgId, actorId, actorOrgId }: TInstallAppSessionDTO) => {
+  const createInstallationSession = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    actor,
    orgId,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TInstallAppSessionDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);
    const sessionId = crypto.randomBytes(16).toString("hex");
@@ -53,12 +59,19 @@ export const secretScanningServiceFactory = ({
    actorId,
    installationId,
    actor,
    actorAuthMethod,
    actorOrgId
  }: TLinkInstallSessionDTO) => {
    const session = await gitAppInstallSessionDAL.findOne({ sessionId });
    if (!session) throw new UnauthorizedError({ message: "Session not found" });
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, session.orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
      actor,
      actorId,
      session.orgId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);
    const installatedApp = await gitAppOrgDAL.transaction(async (tx) => {
      await gitAppInstallSessionDAL.deleteById(session.id, tx);
@@ -89,23 +102,37 @@ export const secretScanningServiceFactory = ({
    return { installatedApp };
  };
-  const getOrgInstallationStatus = async ({ actorId, orgId, actor, actorOrgId }: TGetOrgInstallStatusDTO) => {
+  const getOrgInstallationStatus = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    actorId,
    orgId,
    actor,
    actorAuthMethod,
    actorOrgId
  }: TGetOrgInstallStatusDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const appInstallation = await gitAppOrgDAL.findOne({ orgId });
    return Boolean(appInstallation);
  };
-  const getRisksByOrg = async ({ actor, orgId, actorId, actorOrgId }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
    return { risks };
  };
-  const updateRiskStatus = async ({ actorId, orgId, actor, actorOrgId, riskId, status }: TUpdateRiskStatusDTO) => {
+  const updateRiskStatus = async ({
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    actorId,
    orgId,
    actor,
    actorOrgId,
    actorAuthMethod,
    riskId,
    status
  }: TUpdateRiskStatusDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.SecretScanning);
    const isRiskResolved = Boolean(
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -59,9 +59,16 @@ export const secretSnapshotServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    path
  }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
@@ -77,11 +84,18 @@ export const secretSnapshotServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    path,
    limit = 20,
    offset = 0
  }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
@@ -91,10 +105,16 @@ export const secretSnapshotServiceFactory = ({
    return snapshots;
  };
-  const getSnapshotData = async ({ actorId, actor, actorOrgId, id }: TGetSnapshotDataDTO) => {
+  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findSecretSnapshotDataById(id);
    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, snapshot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      snapshot.projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    return snapshot;
  };
@@ -145,11 +165,23 @@ export const secretSnapshotServiceFactory = ({
    }
  };
-  const rollbackSnapshot = async ({ id: snapshotId, actor, actorId, actorOrgId }: TRollbackSnapshotDTO) => {
+  const rollbackSnapshot = async ({
    id: snapshotId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TRollbackSnapshotDTO) => {
    const snapshot = await snapshotDAL.findById(snapshotId);
    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, snapshot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      snapshot.projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRollback
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@@ -26,8 +26,14 @@ export const trustedIpServiceFactory = ({
  licenseService,
  projectDAL
 }: TTrustedIpServiceFactoryDep) => {
-  const listIpsByProjectId = async ({ projectId, actor, actorId, actorOrgId }: TProjectPermission) => {
+  const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
      projectId
@@ -38,13 +44,20 @@ export const trustedIpServiceFactory = ({
  const addProjectIp = async ({
    projectId,
    actorId,
    actorAuthMethod,
    actor,
    actorOrgId,
    ipAddress: ip,
    comment,
    isActive
  }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
@@ -78,11 +91,18 @@ export const trustedIpServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    ipAddress: ip,
    comment,
    trustedIpId
  }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
@@ -113,8 +133,21 @@ export const trustedIpServiceFactory = ({
    return { trustedIp, project }; // for audit log
  };
-  const deleteProjectIp = async ({ projectId, actorId, actor, actorOrgId, trustedIpId }: TDeleteIpDTO) => {
+  const deleteProjectIp = async ({
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    projectId,
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod,
    trustedIpId
  }: TDeleteIpDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -84,7 +84,7 @@ export const ORGANIZATIONS = {
 export const PROJECTS = {
  CREATE: {
-    organizationId: "The ID of the organization to create the project in.",
+    organizationSlug: "The slug of the organization to create the project in.",
    projectName: "The name of the project to create.",
    slug: "An optional slug for the project."
  },
@@ -194,9 +194,29 @@ export const FOLDERS = {
  }
 } as const;
 export const SECRETS = {
  ATTACH_TAGS: {
    secretName: "The name of the secret to attach tags to.",
    secretPath: "The path of the secret to attach tags to.",
    type: "The type of the secret to attach tags to. (shared/personal)",
    environment: "The slug of the environment where the secret is located",
    projectSlug: "The slug of the project where the secret is located",
    tagSlugs: "An array of existing tag slugs to attach to the secret."
  },
  DETACH_TAGS: {
    secretName: "The name of the secret to detach tags from.",
    secretPath: "The path of the secret to detach tags from.",
    type: "The type of the secret to attach tags to. (shared/personal)",
    environment: "The slug of the environment where the secret is located",
    projectSlug: "The slug of the project where the secret is located",
    tagSlugs: "An array of existing tag slugs to detach from the secret."
  }
 } as const;
 export const RAW_SECRETS = {
  LIST: {
    workspaceId: "The ID of the project to list secrets from.",
    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
    environment: "The slug of the environment to list secrets from.",
    secretPath: "The secret path to list secrets from.",
    includeImports: "Weather to include imported secrets or not."
@@ -284,3 +304,96 @@ export const AUDIT_LOGS = {
    actor: "The actor to filter the audit logs by."
  }
 } as const;
 export const DYNAMIC_SECRETS = {
  LIST: {
    projectSlug: "The slug of the project to create dynamic secret in.",
    environmentSlug: "The slug of the environment to list folders from.",
    path: "The path to list folders from."
  },
  LIST_LEAES_BY_NAME: {
    projectSlug: "The slug of the project to create dynamic secret in.",
    environmentSlug: "The slug of the environment to list folders from.",
    path: "The path to list folders from.",
    name: "The name of the dynamic secret."
  },
  GET_BY_NAME: {
    projectSlug: "The slug of the project to create dynamic secret in.",
    environmentSlug: "The slug of the environment to list folders from.",
    path: "The path to list folders from.",
    name: "The name of the dynamic secret."
  },
  CREATE: {
    projectSlug: "The slug of the project to create dynamic secret in.",
    environmentSlug: "The slug of the environment to create the dynamic secret in.",
    path: "The path to create the dynamic secret in.",
    name: "The name of the dynamic secret.",
    provider: "The type of dynamic secret.",
    defaultTTL: "The default TTL that will be applied for all the leases.",
    maxTTL: "The maximum limit a TTL can be leases or renewed."
  },
  UPDATE: {
    projectSlug: "The slug of the project to update dynamic secret in.",
    environmentSlug: "The slug of the environment to update the dynamic secret in.",
    path: "The path to update the dynamic secret in.",
    name: "The name of the dynamic secret.",
    inputs: "The new partial values for the configurated provider of the dynamic secret",
    defaultTTL: "The default TTL that will be applied for all the leases.",
    maxTTL: "The maximum limit a TTL can be leases or renewed.",
    newName: "The new name for the dynamic secret."
  },
  DELETE: {
    projectSlug: "The slug of the project to delete dynamic secret in.",
    environmentSlug: "The slug of the environment to delete the dynamic secret in.",
    path: "The path to delete the dynamic secret in.",
    name: "The name of the dynamic secret.",
    isForced:
      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
  }
 } as const;
 export const DYNAMIC_SECRET_LEASES = {
  GET_BY_LEASEID: {
    projectSlug: "The slug of the project to create dynamic secret in.",
    environmentSlug: "The slug of the environment to list folders from.",
    path: "The path to list folders from.",
    leaseId: "The ID of the dynamic secret lease."
  },
  CREATE: {
    projectSlug: "The slug of the project of the dynamic secret in.",
    environmentSlug: "The slug of the environment of the dynamic secret in.",
    path: "The path of the dynamic secret in.",
    dynamicSecretName: "The name of the dynamic secret.",
    ttl: "The lease lifetime ttl. If not provided the default TTL of dynamic secret will be used."
  },
  RENEW: {
    projectSlug: "The slug of the project of the dynamic secret in.",
    environmentSlug: "The slug of the environment of the dynamic secret in.",
    path: "The path of the dynamic secret in.",
    leaseId: "The ID of the dynamic secret lease.",
    ttl: "The renew TTL that gets added with current expiry (ensure it's below max TTL) for a total less than creation time + max TTL."
  },
  DELETE: {
    projectSlug: "The slug of the project of the dynamic secret in.",
    environmentSlug: "The slug of the environment of the dynamic secret in.",
    path: "The path of the dynamic secret in.",
    leaseId: "The ID of the dynamic secret lease.",
    isForced:
      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
  }
 } as const;
 export const SECRET_TAGS = {
  LIST: {
    projectId: "The ID of the project to list tags from."
  },
  CREATE: {
    projectId: "The ID of the project to create the tag in.",
    name: "The name of the tag to create.",
    slug: "The slug of the tag to create.",
    color: "The color of the tag to create."
  },
  DELETE: {
    tagId: "The ID of the tag to delete.",
    projectId: "The ID of the project to delete the tag from."
  }
 } as const;
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -18,6 +18,7 @@ const envSchema = z
    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
    ),
    MAX_LEASE_LIMIT: z.coerce.number().default(10000),
    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
@@ -106,6 +107,7 @@ const envSchema = z
    LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
    LICENSE_SERVER_KEY: zpStr(z.string().optional()),
    LICENSE_KEY: zpStr(z.string().optional()),
    LICENSE_KEY_OFFLINE: zpStr(z.string().optional()),
    // GENERIC
    STANDALONE_MODE: z
--- a/backend/src/lib/crypto/index.ts
+++ b/backend/src/lib/crypto/index.ts
@@ -17,4 +17,5 @@ export {
  decryptSecrets,
  decryptSecretVersions
 } from "./secret-encryption";
 export { verifyOfflineLicense } from "./signing";
 export { generateSrpServerKey, srpCheckClientProof } from "./srp";
--- a/backend/src/lib/crypto/license_public_key.pem
+++ b/backend/src/lib/crypto/license_public_key.pem
@@ -0,0 +1,8 @@
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEApchBY3BXTu4zWGBguB7nM/pjpVLY3V7VGZOAxmR5ueQTJOwiGM13
 5HN3EM9fDlQnZu9VSc0OFqRM/bUeUaI1oLPE6WzTHjdHyKjDI/S+TLx3VGEsvhM1
 uukZpYX+3KX2w4wzRHBaBWyglFy0CVNth9UJhhpD+KKfv7dzcRmsbyoUWi9wGfJu
 wLYCwaCwZRXIt1sLGmMncPz14vfwdnm2a5Tj1Jbt0GTyBl+1/ZqLbO6SsslLg2G+
 o7FfGS9z8OUTkvDdu16qxL+p2wCEFZMnOz5BB4oakuT2gS9iOO2l5AOPcT4WzPzy
 PYbX3d7cN9BkOY9I5z0cX4wzqHjQTvGNLQIDAQAB
 -----END RSA PUBLIC KEY-----
--- a/backend/src/lib/crypto/signing.ts
+++ b/backend/src/lib/crypto/signing.ts
@@ -0,0 +1,22 @@
 import crypto, { KeyObject } from "crypto";
 import fs from "fs/promises";
 import path from "path";
 export const verifySignature = (data: string, signature: Buffer, publicKey: KeyObject) => {
  const verify = crypto.createVerify("SHA256");
  verify.update(data);
  verify.end();
  return verify.verify(publicKey, signature);
 };
 export const verifyOfflineLicense = async (licenseContents: string, signature: string) => {
  const publicKeyPem = await fs.readFile(path.join(__dirname, "license_public_key.pem"), "utf8");
  const publicKey = crypto.createPublicKey({
    key: publicKeyPem,
    format: "pem",
    type: "pkcs1"
  });
  return verifySignature(licenseContents, Buffer.from(signature, "base64"), publicKey);
 };
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@@ -59,6 +59,18 @@ export class BadRequestError extends Error {
  }
 }
 export class DisableRotationErrors extends Error {
  name: string;
  error: unknown;
  constructor({ name, error, message }: { message: string; name?: string; error?: unknown }) {
    super(message);
    this.name = name || "DisableRotationErrors";
    this.error = error;
  }
 }
 export class ScimRequestError extends Error {
  name: string;
--- a/backend/src/lib/knex/connection.ts
+++ b/backend/src/lib/knex/connection.ts
@@ -0,0 +1,11 @@
 import { URL } from "url"; // Import the URL class
 export const getDbConnectionHost = (urlString: string) => {
  try {
    const url = new URL(urlString);
    // Split hostname and port (if provided)
    return url.hostname.split(":")[0];
  } catch (error) {
    return null;
  }
 };
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@@ -4,6 +4,7 @@ import { Tables } from "knex/types/tables";
 import { DatabaseError } from "../errors";
 export * from "./connection";
 export * from "./join";
 export * from "./select";
--- a/backend/src/lib/types/index.ts
+++ b/backend/src/lib/types/index.ts
@@ -1,17 +1,19 @@
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 export type TOrgPermission = {
  actor: ActorType;
  actorId: string;
  orgId: string;
-  actorOrgId?: string;
+  actorAuthMethod: ActorAuthMethod;
  actorOrgId: string | undefined;
 };
 export type TProjectPermission = {
  actor: ActorType;
  actorId: string;
  projectId: string;
-  actorOrgId?: string;
+  actorAuthMethod: ActorAuthMethod;
  actorOrgId: string;
 };
 export type RequiredKeys<T> = {
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -18,7 +18,8 @@ export enum QueueName {
  SecretWebhook = "secret-webhook",
  SecretFullRepoScan = "secret-full-repo-scan",
  SecretPushEventScan = "secret-push-event-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost",
  DynamicSecretRevocation = "dynamic-secret-revocation"
 }
 export enum QueueJobs {
@@ -30,7 +31,9 @@ export enum QueueJobs {
  TelemetryInstanceStats = "telemetry-self-hosted-stats",
  IntegrationSync = "secret-integration-pull",
  SecretScan = "secret-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost-job"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
  DynamicSecretRevocation = "dynamic-secret-revocation",
  DynamicSecretPruning = "dynamic-secret-pruning"
 }
 export type TQueueJobTypes = {
@@ -86,6 +89,19 @@ export type TQueueJobTypes = {
    name: QueueJobs.TelemetryInstanceStats;
    payload: undefined;
  };
  [QueueName.DynamicSecretRevocation]:
    | {
        name: QueueJobs.DynamicSecretRevocation;
        payload: {
          leaseId: string;
        };
      }
    | {
        name: QueueJobs.DynamicSecretPruning;
        payload: {
          dynamicSecretCfgId: string;
        };
      };
 };
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@@ -6,42 +6,49 @@ import { TServiceTokens, TUsers } from "@app/db/schemas";
 import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
 import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";
-import { ActorType, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
+import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";
 export type TAuthMode =
  | {
      orgId?: string;
      authMode: AuthMode.JWT;
      actor: ActorType.USER;
      userId: string;
      tokenVersionId: string; // the session id of token used
      user: TUsers;
      orgId: string;
      authMethod: AuthMethod;
    }
  | {
      authMode: AuthMode.API_KEY;
      authMethod: null;
      actor: ActorType.USER;
      userId: string;
      user: TUsers;
-      orgId?: string;
+      orgId: string;
    }
  | {
      authMode: AuthMode.SERVICE_TOKEN;
      serviceToken: TServiceTokens & { createdByEmail: string };
      actor: ActorType.SERVICE;
      serviceTokenId: string;
      orgId: string;
      authMethod: null;
    }
  | {
      authMode: AuthMode.IDENTITY_ACCESS_TOKEN;
      actor: ActorType.IDENTITY;
      identityId: string;
      identityName: string;
      orgId: string;
      authMethod: null;
    }
  | {
      authMode: AuthMode.SCIM_TOKEN;
      actor: ActorType.SCIM_CLIENT;
      scimTokenId: string;
      orgId: string;
      authMethod: null;
    };
 const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
@@ -50,6 +57,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
    return { authMode: AuthMode.API_KEY, token: apiKey, actor: ActorType.USER } as const;
  }
  const authHeader = req.headers?.authorization;
  if (!authHeader) return { authMode: null, token: null };
  const authTokenValue = authHeader.slice(7); // slice of after Bearer
@@ -71,6 +79,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
        actor: ActorType.USER
      } as const;
    case AuthTokenType.API_KEY:
      // throw new Error("API Key auth is no longer supported.");
      return { authMode: AuthMode.API_KEY, token: decodedToken, actor: ActorType.USER } as const;
    case AuthTokenType.IDENTITY_ACCESS_TOKEN:
      return {
@@ -89,17 +98,30 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
  }
 };
 // ! Important: You can only 100% count on the `req.permission.orgId` field being present when the auth method is Identity Access Token (Machine Identity).
 export const injectIdentity = fp(async (server: FastifyZodProvider) => {
  server.decorateRequest("auth", null);
  server.addHook("onRequest", async (req) => {
    const appCfg = getConfig();
    const { authMode, token, actor } = await extractAuth(req, appCfg.AUTH_SECRET);
    if (req.url.includes("/api/v3/auth/")) {
      return;
    }
    if (!authMode) return;
    switch (authMode) {
      case AuthMode.JWT: {
        const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
-        req.auth = { authMode: AuthMode.JWT, user, userId: user.id, tokenVersionId, actor, orgId };
+        req.auth = {
          authMode: AuthMode.JWT,
          user,
          userId: user.id,
          tokenVersionId,
          actor,
          orgId: orgId as string,
          authMethod: token.authMethod
        };
        break;
      }
      case AuthMode.IDENTITY_ACCESS_TOKEN: {
@@ -107,29 +129,40 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
        req.auth = {
          authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
          actor,
          orgId: identity.orgId,
          identityId: identity.identityId,
-          identityName: identity.name
+          identityName: identity.name,
          authMethod: null
        };
        break;
      }
      case AuthMode.SERVICE_TOKEN: {
        const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
        req.auth = {
          orgId: serviceToken.orgId,
          authMode: AuthMode.SERVICE_TOKEN as const,
          serviceToken,
          serviceTokenId: serviceToken.id,
-          actor
+          actor,
          authMethod: null
        };
        break;
      }
      case AuthMode.API_KEY: {
        const user = await server.services.apiKey.fnValidateApiKey(token as string);
-        req.auth = { authMode: AuthMode.API_KEY as const, userId: user.id, actor, user };
+        req.auth = {
          authMode: AuthMode.API_KEY as const,
          userId: user.id,
          actor,
          user,
          orgId: "API_KEY", // We set the orgId to an arbitrary value, since we can't link an API key to a specific org. We have to deprecate API keys soon!
          authMethod: null
        };
        break;
      }
      case AuthMode.SCIM_TOKEN: {
        const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
-        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId };
+        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
        break;
      }
      default:
--- a/backend/src/server/plugins/auth/inject-permission.ts
+++ b/backend/src/server/plugins/auth/inject-permission.ts
@@ -9,13 +9,33 @@ export const injectPermission = fp(async (server) => {
    if (!req.auth) return;
    if (req.auth.actor === ActorType.USER) {
-      req.permission = { type: ActorType.USER, id: req.auth.userId, orgId: req.auth?.orgId };
+      req.permission = {
        type: ActorType.USER,
        id: req.auth.userId,
        orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
        authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
      };
    } else if (req.auth.actor === ActorType.IDENTITY) {
-      req.permission = { type: ActorType.IDENTITY, id: req.auth.identityId };
+      req.permission = {
        type: ActorType.IDENTITY,
        id: req.auth.identityId,
        orgId: req.auth.orgId,
        authMethod: null
      };
    } else if (req.auth.actor === ActorType.SERVICE) {
-      req.permission = { type: ActorType.SERVICE, id: req.auth.serviceTokenId };
+      req.permission = {
        type: ActorType.SERVICE,
        id: req.auth.serviceTokenId,
        orgId: req.auth.orgId,
        authMethod: null
      };
    } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
-      req.permission = { type: ActorType.SCIM_CLIENT, id: req.auth.scimTokenId, orgId: req.auth.orgId };
+      req.permission = {
        type: ActorType.SCIM_CLIENT,
        id: req.auth.scimTokenId,
        orgId: req.auth.orgId,
        authMethod: null
      };
    }
  });
 });
--- a/backend/src/server/plugins/auth/verify-auth.ts
+++ b/backend/src/server/plugins/auth/verify-auth.ts
@@ -3,15 +3,26 @@ import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 import { UnauthorizedError } from "@app/lib/errors";
 import { AuthMode } from "@app/services/auth/auth-type";
 interface TAuthOptions {
  requireOrg: boolean;
 }
 export const verifyAuth =
-  <T extends FastifyRequest>(authStrats: AuthMode[]) =>
+  <T extends FastifyRequest>(authStrategies: AuthMode[], options: TAuthOptions = { requireOrg: true }) =>
  (req: T, _res: FastifyReply, done: HookHandlerDoneFunction) => {
-    if (!Array.isArray(authStrats)) throw new Error("Auth strategy must be array");
+    if (!Array.isArray(authStrategies)) throw new Error("Auth strategy must be array");
    if (!req.auth) throw new UnauthorizedError({ name: "Unauthorized access", message: "Token missing" });
-    const isAccessAllowed = authStrats.some((strat) => strat === req.auth.authMode);
+    const isAccessAllowed = authStrategies.some((strategy) => strategy === req.auth.authMode);
    if (!isAccessAllowed) {
      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access` });
    }
    // New optional option. There are some routes which do not require an organization ID to be present on the request.
    // An example of this is the /v1 auth routes.
    if (req.auth.authMode === AuthMode.JWT && options.requireOrg === true && !req.permission.orgId) {
      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access, no organization found in request` });
    }
    done();
  };
--- a/backend/src/server/plugins/swagger.ts
+++ b/backend/src/server/plugins/swagger.ts
@@ -14,13 +14,13 @@ export const fastifySwagger = fp(async (fastify) => {
        version: "0.0.1"
      },
      servers: [
        {
          url: "http://localhost:8080",
          description: "Local server"
        },
        {
          url: "https://app.infisical.com",
          description: "Production server"
        },
        {
          url: "http://localhost:8080",
          description: "Local server"
        }
      ],
      components: {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -47,6 +47,12 @@ import { authPaswordServiceFactory } from "@app/services/auth/auth-password-serv
 import { authSignupServiceFactory } from "@app/services/auth/auth-signup-service";
 import { tokenDALFactory } from "@app/services/auth-token/auth-token-dal";
 import { tokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { dynamicSecretDALFactory } from "@app/services/dynamic-secret/dynamic-secret-dal";
 import { dynamicSecretServiceFactory } from "@app/services/dynamic-secret/dynamic-secret-service";
 import { buildDynamicSecretProviders } from "@app/services/dynamic-secret/providers";
 import { dynamicSecretLeaseDALFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-dal";
 import { dynamicSecretLeaseQueueServiceFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-queue";
 import { dynamicSecretLeaseServiceFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
@@ -196,12 +202,15 @@ export const registerRoutes = async (
  const gitAppOrgDAL = gitAppDALFactory(db);
  const secretScanningDAL = secretScanningDALFactory(db);
  const licenseDAL = licenseDALFactory(db);
  const dynamicSecretDAL = dynamicSecretDALFactory(db);
  const dynamicSecretLeaseDAL = dynamicSecretLeaseDALFactory(db);
  const permissionService = permissionServiceFactory({
    permissionDAL,
    orgRoleDAL,
    projectRoleDAL,
-    serviceTokenDAL
+    serviceTokenDAL,
    projectDAL
  });
  const licenseService = licenseServiceFactory({ permissionService, orgDAL, licenseDAL, keyStore });
  const trustedIpService = trustedIpServiceFactory({
@@ -266,7 +275,7 @@ export const registerRoutes = async (
  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
  const userService = userServiceFactory({ userDAL });
-  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService });
+  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
  const passwordService = authPaswordServiceFactory({
    tokenService,
    smtpService,
@@ -372,6 +381,7 @@ export const registerRoutes = async (
    projectKeyDAL,
    userDAL,
    projectEnvDAL,
    orgDAL,
    orgService,
    projectMembershipDAL,
    folderDAL,
@@ -517,7 +527,8 @@ export const registerRoutes = async (
    projectEnvDAL,
    serviceTokenDAL,
    userDAL,
-    permissionService
+    permissionService,
    projectDAL
  });
  const identityService = identityServiceFactory({
@@ -525,7 +536,10 @@ export const registerRoutes = async (
    identityDAL,
    identityOrgMembershipDAL
  });
-  const identityAccessTokenService = identityAccessTokenServiceFactory({ identityAccessTokenDAL });
+  const identityAccessTokenService = identityAccessTokenServiceFactory({
    identityAccessTokenDAL,
    identityOrgMembershipDAL
  });
  const identityProjectService = identityProjectServiceFactory({
    permissionService,
    projectDAL,
@@ -544,6 +558,34 @@ export const registerRoutes = async (
    licenseService
  });
  const dynamicSecretProviders = buildDynamicSecretProviders();
  const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
    queueService,
    dynamicSecretLeaseDAL,
    dynamicSecretProviders,
    dynamicSecretDAL
  });
  const dynamicSecretService = dynamicSecretServiceFactory({
    projectDAL,
    dynamicSecretQueueService,
    dynamicSecretDAL,
    dynamicSecretLeaseDAL,
    dynamicSecretProviders,
    folderDAL,
    permissionService,
    licenseService
  });
  const dynamicSecretLeaseService = dynamicSecretLeaseServiceFactory({
    projectDAL,
    permissionService,
    dynamicSecretQueueService,
    dynamicSecretDAL,
    dynamicSecretLeaseDAL,
    dynamicSecretProviders,
    folderDAL,
    licenseService
  });
  await superAdminService.initServerCfg();
  //
  // setup the communication with license key server
@@ -585,6 +627,8 @@ export const registerRoutes = async (
    secretApprovalPolicy: sapService,
    secretApprovalRequest: sarService,
    secretRotation: secretRotationService,
    dynamicSecret: dynamicSecretService,
    dynamicSecretLease: dynamicSecretLeaseService,
    snapshot: snapshotService,
    saml: samlService,
    ldap: ldapService,
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@@ -1,6 +1,11 @@
 import { z } from "zod";
-import { IntegrationAuthsSchema, SecretApprovalPoliciesSchema, UsersSchema } from "@app/db/schemas";
+import {
  DynamicSecretsSchema,
  IntegrationAuthsSchema,
  SecretApprovalPoliciesSchema,
  UsersSchema
 } from "@app/db/schemas";
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -56,3 +61,11 @@ export const secretRawSchema = z.object({
  secretValue: z.string(),
  secretComment: z.string().optional()
 });
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
  inputIV: true,
  inputTag: true,
  inputCiphertext: true,
  keyEncoding: true,
  algorithm: true
 });
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@@ -21,7 +21,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req, res) => {
      const appCfg = getConfig();
      if (req.auth.authMode === AuthMode.JWT) {
@@ -85,6 +85,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
      const token = jwt.sign(
        {
          authMethod: decodedToken.authMethod,
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: decodedToken.userId,
          tokenVersionId: tokenVersion.id,
--- a/backend/src/server/routes/v1/bot-router.ts
+++ b/backend/src/server/routes/v1/bot-router.ts
@@ -30,6 +30,7 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.projectId
      });
      return { bot };
@@ -70,6 +71,7 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        botId: req.params.botId,
        botKey: req.body.botKey,
        isActive: req.body.isActive
--- a/backend/src/server/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/server/routes/v1/dynamic-secret-lease-router.ts
@@ -0,0 +1,185 @@
 import ms from "ms";
 import { z } from "zod";
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { SanitizedDynamicSecretSchema } from "../sanitizedSchemas";
 export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
    schema: {
      body: z.object({
        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
        ttl: z
          .string()
          .optional()
          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
          .superRefine((val, ctx) => {
            if (!val) return;
            const valMs = ms(val);
            if (valMs < 60 * 1000)
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
            if (valMs > daysToMillisecond(1))
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
          }),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
      }),
      response: {
        200: z.object({
          lease: DynamicSecretLeasesSchema,
          dynamicSecret: SanitizedDynamicSecretSchema,
          data: z.unknown()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        name: req.body.dynamicSecretName,
        ...req.body
      });
      return { lease, data, dynamicSecret };
    }
  });
  server.route({
    url: "/:leaseId",
    method: "DELETE",
    schema: {
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
      }),
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.projectSlug),
        path: z
          .string()
          .min(1)
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(DYNAMIC_SECRET_LEASES.DELETE.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.environmentSlug),
        isForced: z.boolean().default(false).describe(DYNAMIC_SECRET_LEASES.DELETE.isForced)
      }),
      response: {
        200: z.object({
          lease: DynamicSecretLeasesSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const lease = await server.services.dynamicSecretLease.revokeLease({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        leaseId: req.params.leaseId,
        ...req.body
      });
      return { lease };
    }
  });
  server.route({
    url: "/:leaseId/renew",
    method: "POST",
    schema: {
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
      }),
      body: z.object({
        ttl: z
          .string()
          .describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
          .optional()
          .superRefine((val, ctx) => {
            if (!val) return;
            const valMs = ms(val);
            if (valMs < 60 * 1000)
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
            if (valMs > daysToMillisecond(1))
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
          }),
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.projectSlug),
        path: z
          .string()
          .min(1)
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(DYNAMIC_SECRET_LEASES.RENEW.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
      }),
      response: {
        200: z.object({
          lease: DynamicSecretLeasesSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const lease = await server.services.dynamicSecretLease.renewLease({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        leaseId: req.params.leaseId,
        ...req.body
      });
      return { lease };
    }
  });
  server.route({
    url: "/:leaseId",
    method: "GET",
    schema: {
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
      }),
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.projectSlug),
        path: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.environmentSlug)
      }),
      response: {
        200: z.object({
          lease: DynamicSecretLeasesSchema.extend({
            dynamicSecret: SanitizedDynamicSecretSchema
          })
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const lease = await server.services.dynamicSecretLease.getLeaseDetails({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        leaseId: req.params.leaseId,
        ...req.query
      });
      return { lease };
    }
  });
 };
--- a/backend/src/server/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/server/routes/v1/dynamic-secret-router.ts
@@ -0,0 +1,272 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { DynamicSecretProviderSchema } from "@app/services/dynamic-secret/providers/models";
 import { SanitizedDynamicSecretSchema } from "../sanitizedSchemas";
 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
    schema: {
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
        defaultTTL: z
          .string()
          .describe(DYNAMIC_SECRETS.CREATE.defaultTTL)
          .superRefine((val, ctx) => {
            const valMs = ms(val);
            if (valMs < 60 * 1000)
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
            if (valMs > daysToMillisecond(1))
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
          }),
        maxTTL: z
          .string()
          .describe(DYNAMIC_SECRETS.CREATE.maxTTL)
          .optional()
          .superRefine((val, ctx) => {
            if (!val) return;
            const valMs = ms(val);
            if (valMs < 60 * 1000)
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
            if (valMs > daysToMillisecond(1))
              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
          })
          .nullable(),
        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
        name: z
          .string()
          .describe(DYNAMIC_SECRETS.CREATE.name)
          .min(1)
          .toLowerCase()
          .max(64)
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid"
          })
      }),
      response: {
        200: z.object({
          dynamicSecret: SanitizedDynamicSecretSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const dynamicSecretCfg = await server.services.dynamicSecret.create({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
      return { dynamicSecret: dynamicSecretCfg };
    }
  });
  server.route({
    url: "/:name",
    method: "PATCH",
    schema: {
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
      }),
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.projectSlug),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.UPDATE.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.environmentSlug),
        data: z.object({
          inputs: z.any().optional().describe(DYNAMIC_SECRETS.UPDATE.inputs),
          defaultTTL: z
            .string()
            .describe(DYNAMIC_SECRETS.UPDATE.defaultTTL)
            .optional()
            .superRefine((val, ctx) => {
              if (!val) return;
              const valMs = ms(val);
              if (valMs < 60 * 1000)
                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
              if (valMs > daysToMillisecond(1))
                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
            }),
          maxTTL: z
            .string()
            .describe(DYNAMIC_SECRETS.UPDATE.maxTTL)
            .optional()
            .superRefine((val, ctx) => {
              if (!val) return;
              const valMs = ms(val);
              if (valMs < 60 * 1000)
                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
              if (valMs > daysToMillisecond(1))
                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
            })
            .nullable(),
          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
        })
      }),
      response: {
        200: z.object({
          dynamicSecret: SanitizedDynamicSecretSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const dynamicSecretCfg = await server.services.dynamicSecret.updateByName({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        name: req.params.name,
        path: req.body.path,
        projectSlug: req.body.projectSlug,
        environmentSlug: req.body.environmentSlug,
        ...req.body.data
      });
      return { dynamicSecret: dynamicSecretCfg };
    }
  });
  server.route({
    url: "/:name",
    method: "DELETE",
    schema: {
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
      }),
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.projectSlug),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.DELETE.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.environmentSlug),
        isForced: z.boolean().default(false).describe(DYNAMIC_SECRETS.DELETE.isForced)
      }),
      response: {
        200: z.object({
          dynamicSecret: SanitizedDynamicSecretSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const dynamicSecretCfg = await server.services.dynamicSecret.deleteByName({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        name: req.params.name,
        ...req.body
      });
      return { dynamicSecret: dynamicSecretCfg };
    }
  });
  server.route({
    url: "/:name",
    method: "GET",
    schema: {
      params: z.object({
        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
      }),
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.projectSlug),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.GET_BY_NAME.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.environmentSlug)
      }),
      response: {
        200: z.object({
          dynamicSecret: SanitizedDynamicSecretSchema.extend({
            inputs: z.unknown()
          })
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const dynamicSecretCfg = await server.services.dynamicSecret.getDetails({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        name: req.params.name,
        ...req.query
      });
      return { dynamicSecret: dynamicSecretCfg };
    }
  });
  server.route({
    url: "/",
    method: "GET",
    schema: {
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.environmentSlug)
      }),
      response: {
        200: z.object({
          dynamicSecrets: SanitizedDynamicSecretSchema.array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query
      });
      return { dynamicSecrets: dynamicSecretCfgs };
    }
  });
  server.route({
    url: "/:name/leases",
    method: "GET",
    schema: {
      params: z.object({
        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
      }),
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
        path: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
      }),
      response: {
        200: z.object({
          leases: DynamicSecretLeasesSchema.array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const leases = await server.services.dynamicSecretLease.listLeases({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        name: req.params.name,
        ...req.query
      });
      return { leases };
    }
  });
 };
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -35,6 +35,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.createIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        orgId: req.body.organizationId
@@ -95,6 +96,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.updateIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId,
        ...req.body
@@ -140,6 +142,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.deleteIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId
      });
--- a/backend/src/server/routes/v1/identity-ua.ts
+++ b/backend/src/server/routes/v1/identity-ua.ts
@@ -131,6 +131,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
        identityId: req.params.identityId
      });
@@ -212,6 +213,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
        identityId: req.params.identityId
      });
@@ -260,6 +262,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
@@ -309,6 +312,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        ...req.body
@@ -354,6 +358,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
@@ -397,6 +402,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        clientSecretId: req.params.clientSecretId
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@@ -1,6 +1,8 @@
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
@@ -52,6 +54,14 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
    { prefix: "/workspace" }
  );
  await server.register(
    async (dynamicSecretRouter) => {
      await dynamicSecretRouter.register(registerDynamicSecretRouter);
      await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
    },
    { prefix: "/dynamic-secrets" }
  );
  await server.register(registerProjectBotRouter, { prefix: "/bot" });
  await server.register(registerIntegrationRouter, { prefix: "/integration" });
  await server.register(registerIntegrationAuthRouter, { prefix: "/integration-auth" });
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@@ -53,6 +53,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.getIntegrationAuth({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@@ -80,6 +81,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        integration: req.query.integration,
        projectId: req.query.projectId
      });
@@ -117,6 +119,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.deleteIntegrationAuthById({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@@ -157,6 +160,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.oauthExchange({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@@ -200,6 +204,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.saveIntegrationToken({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@@ -247,6 +252,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const apps = await server.services.integrationAuth.getIntegrationApps({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        ...req.query
@@ -278,6 +284,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const teams = await server.services.integrationAuth.getIntegrationAuthTeams({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@@ -306,6 +313,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const branches = await server.services.integrationAuth.getVercelBranches({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@@ -335,6 +343,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const groups = await server.services.integrationAuth.getChecklyGroups({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        accountId: req.query.accountId
@@ -343,6 +352,68 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    }
  });
  server.route({
    url: "/:integrationAuthId/github/orgs",
    method: "GET",
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
        integrationAuthId: z.string().trim()
      }),
      response: {
        200: z.object({
          orgs: z.object({ name: z.string(), orgId: z.string() }).array()
        })
      }
    },
    handler: async (req) => {
      const orgs = await server.services.integrationAuth.getGithubOrgs({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        id: req.params.integrationAuthId
      });
      if (!orgs) throw new Error("No organization found.");
      return { orgs };
    }
  });
  server.route({
    url: "/:integrationAuthId/github/envs",
    method: "GET",
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
        integrationAuthId: z.string().trim()
      }),
      querystring: z.object({
        repoOwner: z.string().trim(),
        repoName: z.string().trim()
      }),
      response: {
        200: z.object({
          envs: z.object({ name: z.string(), envId: z.string() }).array()
        })
      }
    },
    handler: async (req) => {
      const envs = await server.services.integrationAuth.getGithubEnvs({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        actorAuthMethod: req.permission.authMethod,
        repoName: req.query.repoName,
        repoOwner: req.query.repoOwner
      });
      if (!envs) throw new Error("No organization found.");
      return { envs };
    }
  });
  server.route({
    url: "/:integrationAuthId/qovery/orgs",
    method: "GET",
@@ -361,6 +432,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const orgs = await server.services.integrationAuth.getQoveryOrgs({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@@ -389,6 +461,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const projects = await server.services.integrationAuth.getQoveryProjects({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        orgId: req.query.orgId
@@ -418,6 +491,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const environments = await server.services.integrationAuth.getQoveryEnvs({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        projectId: req.query.projectId
@@ -447,6 +521,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const apps = await server.services.integrationAuth.getQoveryApps({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@@ -476,6 +551,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const containers = await server.services.integrationAuth.getQoveryContainers({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@@ -505,6 +581,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const jobs = await server.services.integrationAuth.getQoveryJobs({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@@ -537,6 +614,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const pipelines = await server.services.integrationAuth.getHerokuPipelines({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@@ -565,6 +643,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const environments = await server.services.integrationAuth.getRailwayEnvironments({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@@ -594,6 +673,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const services = await server.services.integrationAuth.getRailwayServices({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@@ -630,6 +710,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const workspaces = await server.services.integrationAuth.getBitbucketWorkspaces({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@@ -663,6 +744,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const secretGroups = await server.services.integrationAuth.getNorthFlankSecretGroups({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@@ -697,6 +779,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const buildConfigs = await server.services.integrationAuth.getTeamcityBuildConfigs({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@@ -33,6 +33,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
            secretPrefix: z.string().optional(),
            secretSuffix: z.string().optional(),
            initialSyncBehavior: z.string().optional(),
            shouldAutoRedeploy: z.boolean().optional(),
            secretGCPLabel: z
              .object({
                labelName: z.string(),
@@ -53,6 +54,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      const { integration, integrationAuth } = await server.services.integration.createIntegration({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@@ -123,6 +125,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      const integration = await server.services.integration.updateIntegration({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationId,
        ...req.body
@@ -148,6 +151,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const integration = await server.services.integration.deleteIntegration({
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationId
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@@ -29,6 +29,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
        orgId: req.body.organizationId,
        userId: req.permission.id,
        inviteeEmail: req.body.inviteeEmail,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -15,7 +15,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req) => {
      const organizations = await server.services.org.findAllOrganizationOfUser(req.permission.id);
      return { organizations };
@@ -40,6 +40,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const organization = await server.services.org.findOrganizationById(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { organization };
@@ -76,6 +77,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.org.findAllOrgMembers(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { users };
@@ -111,6 +113,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        data: req.body
      });
@@ -138,6 +141,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const incidentContactsOrg = await req.server.services.org.findIncidentContacts(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
@@ -162,6 +166,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body.email,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
@@ -185,6 +190,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.incidentContactId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@@ -39,6 +39,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.body
      });
@@ -95,6 +96,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      const { environment, old } = await server.services.projectEnv.updateEnvironment({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        id: req.params.id,
@@ -153,6 +155,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      const environment = await server.services.projectEnv.deleteEnvironment({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        id: req.params.id
--- a/backend/src/server/routes/v1/project-key-router.ts
+++ b/backend/src/server/routes/v1/project-key-router.ts
@@ -30,6 +30,7 @@ export const registerProjectKeyRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        nonce: req.body.key.nonce,
        receiverId: req.body.key.userId,
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@@ -66,6 +66,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const memberships = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@@ -102,6 +103,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const data = await server.services.projectMembership.addUsersToProject({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        members: req.body.members
@@ -170,6 +172,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const roles = await server.services.projectMembership.updateProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId,
@@ -219,6 +222,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const membership = await server.services.projectMembership.deleteProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -10,6 +10,7 @@ import {
 import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
 import { integrationAuthPubSchema } from "../sanitizedSchemas";
 import { sanitizedServiceTokenSchema } from "../v2/service-token-router";
@@ -45,6 +46,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const publicKeys = await server.services.projectKey.getProjectPublicKeys({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@@ -97,6 +99,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actorOrgId: req.permission.orgId
      });
@@ -137,37 +140,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.getAProject({
-        actorId: req.permission.id,
+        filter: {
-        actor: req.permission.type,
+          type: ProjectFilterType.ID,
        actorOrgId: req.permission.orgId,
          projectId: req.params.workspaceId
      });
      return { workspace };
    }
  });
  server.route({
    url: "/",
    method: "POST",
    schema: {
      body: z.object({
        workspaceName: z.string().trim(),
        organizationId: z.string().trim()
      }),
      response: {
        200: z.object({
          workspace: projectWithEnv
        })
      }
        },
-    onRequest: verifyAuth([AuthMode.JWT]),
+        actorAuthMethod: req.permission.authMethod,
    handler: async (req) => {
      const workspace = await server.services.project.createProject({
        actorId: req.permission.id,
        actor: req.permission.type,
-        orgId: req.body.organizationId,
+        actorOrgId: req.permission.orgId
        actorOrgId: req.permission.orgId,
        workspaceName: req.body.workspaceName
      });
      return { workspace };
    }
@@ -189,10 +169,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.deleteProject({
-        actorId: req.permission.id,
+        filter: {
-        actor: req.permission.type,
+          type: ProjectFilterType.ID,
        actorOrgId: req.permission.orgId,
          projectId: req.params.workspaceId
        },
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
      });
      return { workspace };
    }
@@ -220,6 +204,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const workspace = await server.services.project.updateName({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        name: req.body.name
@@ -253,17 +238,21 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.updateProject({
-        actorId: req.permission.id,
+        filter: {
-        actor: req.permission.type,
+          type: ProjectFilterType.ID,
-        actorOrgId: req.permission.orgId,
+          projectId: req.params.workspaceId
-        projectId: req.params.workspaceId,
+        },
        update: {
          name: req.body.name,
          autoCapitalization: req.body.autoCapitalization
-        }
+        },
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
      });
      return {
        workspace
@@ -293,6 +282,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const workspace = await server.services.project.toggleAutoCapitalization({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        autoCapitalization: req.body.autoCapitalization
@@ -329,6 +319,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const integrations = await server.services.integration.listIntegrationByProject({
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
@@ -354,6 +345,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const authorizations = await server.services.integrationAuth.listIntegrationAuthByProjectId({
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
@@ -379,6 +371,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const serviceTokenData = await server.services.serviceToken.getProjectServiceTokens({
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -39,6 +39,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folder = await server.services.folder.createFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@@ -96,6 +97,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const { folder, old } = await server.services.folder.updateFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@@ -154,6 +156,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folder = await server.services.folder.deleteFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@@ -207,6 +210,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folders = await server.services.folder.getFolders({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId,
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@@ -44,6 +44,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.createImport({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@@ -114,6 +115,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.updateImport({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretImportId,
        ...req.body,
@@ -175,6 +177,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.deleteImport({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretImportId,
        ...req.body,
@@ -234,6 +237,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImports = await server.services.secretImport.getImports({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
@@ -287,6 +291,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const importedSecrets = await server.services.secretImport.getSecretsFromImports({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
--- a/backend/src/server/routes/v1/secret-tag-router.ts
+++ b/backend/src/server/routes/v1/secret-tag-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { SecretTagsSchema } from "@app/db/schemas";
 import { SECRET_TAGS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -10,7 +11,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    schema: {
      params: z.object({
-        projectId: z.string().trim()
+        projectId: z.string().trim().describe(SECRET_TAGS.LIST.projectId)
      }),
      response: {
        200: z.object({
@@ -23,6 +24,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      const workspaceTags = await server.services.secretTag.getProjectTags({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId
      });
@@ -35,12 +37,12 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    schema: {
      params: z.object({
-        projectId: z.string().trim()
+        projectId: z.string().trim().describe(SECRET_TAGS.CREATE.projectId)
      }),
      body: z.object({
-        name: z.string().trim(),
+        name: z.string().trim().describe(SECRET_TAGS.CREATE.name),
-        slug: z.string().trim(),
+        slug: z.string().trim().describe(SECRET_TAGS.CREATE.slug),
-        color: z.string()
+        color: z.string().trim().describe(SECRET_TAGS.CREATE.color)
      }),
      response: {
        200: z.object({
@@ -53,6 +55,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      const workspaceTag = await server.services.secretTag.createTag({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId,
        ...req.body
@@ -66,8 +69,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
    method: "DELETE",
    schema: {
      params: z.object({
-        projectId: z.string().trim(),
+        projectId: z.string().trim().describe(SECRET_TAGS.DELETE.projectId),
-        tagId: z.string().trim()
+        tagId: z.string().trim().describe(SECRET_TAGS.DELETE.tagId)
      }),
      response: {
        200: z.object({
@@ -80,6 +83,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      const workspaceTag = await server.services.secretTag.deleteTag({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.tagId
      });
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@@ -15,7 +15,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req) => {
      const user = await server.services.user.getMe(req.permission.id);
      return { user };
--- a/backend/src/server/routes/v1/webhook-router.ts
+++ b/backend/src/server/routes/v1/webhook-router.ts
@@ -47,6 +47,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.createWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@@ -93,6 +94,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.updateWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.webhookId,
        isDisabled: req.body.isDisabled
@@ -130,6 +132,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.deleteWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.webhookId
      });
@@ -172,6 +175,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.testWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.webhookId
      });
@@ -204,6 +208,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhooks = await server.services.webhook.listWebhooks({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@@ -42,6 +42,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
      const identityMemberships = await server.services.identity.listOrgIdentities({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.orgId
      });
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@@ -35,6 +35,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const identityMembership = await server.services.identityProject.createProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId,
@@ -89,6 +90,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const roles = await server.services.identityProject.updateProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId,
@@ -123,6 +125,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const identityMembership = await server.services.identityProject.deleteProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId
@@ -177,6 +180,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const identityMemberships = await server.services.identityProject.listProjectIdentities({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId
      });
--- a/backend/src/server/routes/v2/mfa-router.ts
+++ b/backend/src/server/routes/v2/mfa-router.ts
@@ -68,11 +68,14 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req, res) => {
      const userAgent = req.headers["user-agent"];
      const mfaJwtToken = req.headers.authorization?.replace("Bearer ", "");
      if (!userAgent) throw new Error("user agent header is required");
      if (!mfaJwtToken) throw new Error("authorization header is required");
      const appCfg = getConfig();
      const { user, token } = await server.services.login.verifyMfaToken({
        userAgent,
        mfaJwtToken,
        ip: req.realIp,
        userId: req.mfa.userId,
        orgId: req.mfa.orgId,
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -45,6 +45,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.org.findAllOrgMembers(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { users };
@@ -89,6 +90,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
@@ -127,6 +129,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const membership = await server.services.org.updateOrgMembership({
        userId: req.permission.id,
        role: req.body.role,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        membershipId: req.params.membershipId,
        actorOrgId: req.permission.orgId
@@ -162,6 +165,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const membership = await server.services.org.deleteOrgMembership({
        userId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        membershipId: req.params.membershipId,
        actorOrgId: req.permission.orgId
@@ -183,7 +187,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY], { requireOrg: false }),
    handler: async (req) => {
      if (req.auth.actor !== ActorType.USER) return;
@@ -217,6 +221,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const organization = await server.services.org.deleteOrganizationById(
        req.permission.id,
        req.params.organizationId,
        req.permission.authMethod,
        req.permission.orgId
      );
      return { organization };
--- a/backend/src/server/routes/v2/project-membership-router.ts
+++ b/backend/src/server/routes/v2/project-membership-router.ts
@@ -28,7 +28,9 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
    handler: async (req) => {
      const memberships = await server.services.projectMembership.addUsersToProjectNonE2EE({
        projectId: req.params.projectId,
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
        emails: req.body.emails,
        usernames: req.body.usernames
@@ -74,6 +76,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const memberships = await server.services.projectMembership.deleteProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId,
        emails: req.body.emails,
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -8,6 +8,7 @@ import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 const projectWithEnv = ProjectsSchema.merge(
@@ -17,6 +18,14 @@ const projectWithEnv = ProjectsSchema.merge(
  })
 );
 const slugSchema = z
  .string()
  .min(5)
  .max(36)
  .refine((v) => slugify(v) === v, {
    message: "Slug must be at least 5 character but no more than 36"
  });
 export const registerProjectRouter = async (server: FastifyZodProvider) => {
  /* Get project key */
  server.route({
@@ -47,6 +56,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const key = await server.services.projectKey.getLatestProjectKey({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@@ -74,7 +84,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        projectId: z.string().trim()
      }),
      body: z.object({
        userPrivateKey: z.string().trim()
      }),
@@ -82,11 +91,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.void()
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      await server.services.project.upgradeProject({
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.projectId,
        userPrivateKey: req.body.userPrivateKey
      });
@@ -107,9 +118,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const status = await server.services.project.getProjectUpgradeStatus({
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId,
        actor: req.permission.type,
        actorId: req.permission.id
@@ -137,8 +150,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
            message: "Slug must be a valid slug"
          })
          .optional()
-          .describe(PROJECTS.CREATE.slug),
+          .describe(PROJECTS.CREATE.slug)
        organizationId: z.string().trim().describe(PROJECTS.CREATE.organizationId)
      }),
      response: {
        200: z.object({
@@ -146,12 +158,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const project = await server.services.project.createProject({
        actorId: req.permission.id,
        actor: req.permission.type,
-        orgId: req.body.organizationId,
+        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        workspaceName: req.body.projectName,
        slug: req.body.slug
      });
@@ -160,7 +173,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        event: PostHogEventTypes.ProjectCreated,
        distinctId: getTelemetryDistinctId(req),
        properties: {
-          orgId: req.body.organizationId,
+          orgId: project.orgId,
          name: project.name,
          ...req.auditLogInfo
        }
@@ -169,4 +182,104 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      return { project };
    }
  });
  /* Delete a project by slug */
  server.route({
    method: "DELETE",
    url: "/:slug",
    schema: {
      params: z.object({
        slug: slugSchema.describe("The slug of the project to delete.")
      }),
      response: {
        200: ProjectsSchema
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const project = await server.services.project.deleteProject({
        filter: {
          type: ProjectFilterType.SLUG,
          slug: req.params.slug,
          orgId: req.permission.orgId
        },
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type
      });
      return project;
    }
  });
  /* Get a project by slug */
  server.route({
    method: "GET",
    url: "/:slug",
    schema: {
      params: z.object({
        slug: slugSchema.describe("The slug of the project to get.")
      }),
      response: {
        200: projectWithEnv
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const project = await server.services.project.getAProject({
        filter: {
          slug: req.params.slug,
          orgId: req.permission.orgId,
          type: ProjectFilterType.SLUG
        },
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type
      });
      return project;
    }
  });
  /* Update a project by slug */
  server.route({
    method: "PATCH",
    url: "/:slug",
    schema: {
      params: z.object({
        slug: slugSchema.describe("The slug of the project to update.")
      }),
      body: z.object({
        name: z.string().trim().optional().describe("The new name of the project."),
        autoCapitalization: z.boolean().optional().describe("The new auto-capitalization setting.")
      }),
      response: {
        200: ProjectsSchema
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const project = await server.services.project.updateProject({
        filter: {
          type: ProjectFilterType.SLUG,
          slug: req.params.slug,
          orgId: req.permission.orgId
        },
        update: {
          name: req.body.name,
          autoCapitalization: req.body.autoCapitalization
        },
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
      });
      return project;
    }
  });
 };
--- a/backend/src/server/routes/v2/service-token-router.ts
+++ b/backend/src/server/routes/v2/service-token-router.ts
@@ -46,6 +46,8 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
    handler: async (req) => {
      const { serviceToken, user } = await server.services.serviceToken.getServiceToken({
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type
      });
@@ -98,6 +100,7 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
      const { serviceToken, token } = await server.services.serviceToken.createServiceToken({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId
@@ -136,6 +139,7 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
      const serviceTokenData = await server.services.serviceToken.deleteServiceToken({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.serviceTokenId
      });
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -60,7 +60,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    preHandler: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    preHandler: verifyAuth([AuthMode.JWT, AuthMode.API_KEY], { requireOrg: false }),
    handler: async (req) => {
      const user = await server.services.user.updateAuthMethods(req.permission.id, req.body.authMethods);
      return { user };
--- a/backend/src/server/routes/v3/login-router.ts
+++ b/backend/src/server/routes/v3/login-router.ts
@@ -34,6 +34,42 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
    }
  });
  server.route({
    method: "POST",
    url: "/select-organization",
    config: {
      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
        organizationId: z.string().trim()
      }),
      response: {
        200: z.object({
          token: z.string()
        })
      }
    },
    handler: async (req, res) => {
      const cfg = getConfig();
      const tokens = await server.services.login.selectOrganization({
        userAgent: req.headers["user-agent"],
        authJwtToken: req.headers.authorization,
        organizationId: req.body.organizationId,
        ipAddress: req.realIp
      });
      void res.setCookie("jid", tokens.refresh, {
        httpOnly: true,
        path: "/",
        sameSite: "strict",
        secure: cfg.HTTPS_ENABLED
      });
      return { token: tokens.access };
    }
  });
  server.route({
    method: "POST",
    url: "/login2",
--- a/backend/src/server/routes/v3/secret-blind-index-router.ts
+++ b/backend/src/server/routes/v3/secret-blind-index-router.ts
@@ -20,6 +20,7 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
    handler: async (req) => {
      const count = await server.services.secretBlindIndex.getSecretBlindIndexStatus({
        projectId: req.params.projectId,
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
@@ -52,6 +53,7 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
    handler: async (req) => {
      const secrets = await server.services.secretBlindIndex.getProjectSecrets({
        projectId: req.params.projectId,
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
@@ -86,6 +88,7 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
      await server.services.secretBlindIndex.updateProjectSecretName({
        projectId: req.params.projectId,
        secretsToUpdate: req.body.secretsToUpdate,
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -10,18 +10,137 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-import { RAW_SECRETS } from "@app/lib/api-docs";
+import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 import { secretRawSchema } from "../sanitizedSchemas";
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/tags/:secretName",
    method: "POST",
    schema: {
      description: "Attach tags to a secret",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
      }),
      body: z.object({
        projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
        environment: z.string().trim().describe(SECRETS.ATTACH_TAGS.environment),
        secretPath: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(SECRETS.ATTACH_TAGS.secretPath),
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(SECRETS.ATTACH_TAGS.type),
        tagSlugs: z.string().array().min(1).describe(SECRETS.ATTACH_TAGS.tagSlugs)
      }),
      response: {
        200: z.object({
          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
            z.object({
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
                name: true,
                color: true
              }).array()
            })
          )
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const secret = await server.services.secret.attachTags({
        secretName: req.params.secretName,
        tagSlugs: req.body.tagSlugs,
        path: req.body.secretPath,
        environment: req.body.environment,
        type: req.body.type,
        projectSlug: req.body.projectSlug,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      return { secret };
    }
  });
  server.route({
    url: "/tags/:secretName",
    method: "DELETE",
    schema: {
      description: "Detach tags from a secret",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
      }),
      body: z.object({
        projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
        environment: z.string().trim().describe(SECRETS.DETACH_TAGS.environment),
        secretPath: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(SECRETS.DETACH_TAGS.secretPath),
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(SECRETS.DETACH_TAGS.type),
        tagSlugs: z.string().array().min(1).describe(SECRETS.DETACH_TAGS.tagSlugs)
      }),
      response: {
        200: z.object({
          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
            z.object({
              tags: SecretTagsSchema.pick({
                id: true,
                slug: true,
                name: true,
                color: true
              }).array()
            })
          )
        })
      }
    },
    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const secret = await server.services.secret.detachTags({
        secretName: req.params.secretName,
        tagSlugs: req.body.tagSlugs,
        path: req.body.secretPath,
        environment: req.body.environment,
        type: req.body.type,
        projectSlug: req.body.projectSlug,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      return { secret };
    }
  });
  server.route({
    url: "/raw",
    method: "GET",
@@ -35,6 +154,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      ],
      querystring: z.object({
        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceId),
        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceSlug),
        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
        include_imports: z
@@ -70,6 +190,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          environment = scope[0].environment;
          workspaceId = req.auth.serviceToken.projectId;
        }
      } else if (req.permission.type === ActorType.IDENTITY && req.query.workspaceSlug && !workspaceId) {
        const workspace = await server.services.project.getAProject({
          filter: {
            type: ProjectFilterType.SLUG,
            orgId: req.permission.orgId,
            slug: req.query.workspaceSlug
          },
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actor: req.permission.type,
          actorOrgId: req.permission.orgId
        });
        if (!workspace) throw new BadRequestError({ message: `No project found with slug ${req.query.workspaceSlug}` });
        workspaceId = workspace.id;
      }
      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
@@ -79,13 +215,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        environment,
        actorAuthMethod: req.permission.authMethod,
        projectId: workspaceId,
        path: secretPath,
        includeImports: req.query.include_imports
      });
      await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: workspaceId,
        ...req.auditLogInfo,
        event: {
          type: EventType.GET_SECRETS,
@@ -163,6 +300,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.getSecretByNameRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment,
        projectId: workspaceId,
@@ -248,6 +386,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        environment: req.body.environment,
        actorAuthMethod: req.permission.authMethod,
        projectId: req.body.workspaceId,
        secretPath: req.body.secretPath,
        secretName: req.params.secretName,
@@ -331,6 +470,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        environment: req.body.environment,
        projectId: req.body.workspaceId,
        secretPath: req.body.secretPath,
@@ -407,6 +547,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.deleteSecretRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.body.environment,
        projectId: req.body.workspaceId,
@@ -502,6 +643,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const { secrets, imports } = await server.services.secret.getSecrets({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.query.environment,
        projectId: req.query.workspaceId,
@@ -588,6 +730,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.getSecretByName({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.query.environment,
        projectId: req.query.workspaceId,
@@ -690,6 +833,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      if (req.body.type !== SecretType.Personal && req.permission.type === ActorType.USER) {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actorOrgId: req.permission.orgId,
          actorAuthMethod: req.permission.authMethod,
          actor: req.permission.type,
          secretPath,
          environment,
@@ -699,6 +844,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@@ -742,6 +888,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.createSecret({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        type,
@@ -866,6 +1013,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@@ -875,6 +1023,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@@ -920,6 +1069,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.updateSecret({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        type,
@@ -1010,6 +1160,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@@ -1019,6 +1170,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@@ -1052,6 +1204,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.deleteSecret({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        type,
@@ -1134,6 +1287,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@@ -1143,6 +1297,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@@ -1172,6 +1327,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secrets = await server.services.secret.createManySecret({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        environment,
@@ -1255,6 +1411,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@@ -1264,6 +1421,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@@ -1292,6 +1450,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secrets = await server.services.secret.updateManySecret({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        environment,
@@ -1364,6 +1523,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@@ -1373,6 +1533,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@@ -1400,6 +1561,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secrets = await server.services.secret.deleteManySecret({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: req.body.secretPath,
        environment,
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@@ -108,7 +108,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          message: z.string(),
          user: UsersSchema,
-          token: z.string()
+          token: z.string(),
          organizationId: z.string().nullish()
        })
      }
    },
@@ -124,7 +125,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        });
      }
-      const { user, accessToken, refreshToken } = await server.services.signup.completeEmailAccountSignup({
+      const { user, accessToken, refreshToken, organizationId } =
        await server.services.signup.completeEmailAccountSignup({
          ...req.body,
          ip: req.realIp,
          userAgent,
@@ -152,7 +154,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        secure: appCfg.HTTPS_ENABLED
      });
-      return { message: "Successfully set up account", user, token: accessToken };
+      return { message: "Successfully set up account", user, token: accessToken, organizationId };
    }
  });
--- a/backend/src/services/auth/auth-fns.ts
+++ b/backend/src/services/auth/auth-fns.ts
@@ -15,10 +15,10 @@ export const validateProviderAuthToken = (providerToken: string, username?: stri
  if (decodedToken.username !== username) throw new Error("Invalid auth credentials");
  if (decodedToken.organizationId) {
-    return { orgId: decodedToken.organizationId };
+    return { orgId: decodedToken.organizationId, authMethod: decodedToken.authMethod };
  }
-  return {};
+  return { authMethod: decodedToken.authMethod, orgId: null };
 };
 export const validateSignUpAuthorization = (token: string, userId: string, validate = true) => {
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -1,13 +1,16 @@
 import jwt from "jsonwebtoken";
 import { TUsers, UserDeviceSchema } from "@app/db/schemas";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TTokenDALFactory } from "../auth-token/auth-token-dal";
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
 import { TOrgDALFactory } from "../org/org-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { validateProviderAuthToken } from "./auth-fns";
@@ -17,16 +20,24 @@ import {
  TOauthLoginDTO,
  TVerifyMfaTokenDTO
 } from "./auth-login-type";
-import { AuthMethod, AuthTokenType } from "./auth-type";
+import { AuthMethod, AuthModeJwtTokenPayload, AuthModeMfaJwtTokenPayload, AuthTokenType } from "./auth-type";
 type TAuthLoginServiceFactoryDep = {
  userDAL: TUserDALFactory;
  orgDAL: TOrgDALFactory;
  tokenService: TAuthTokenServiceFactory;
  smtpService: TSmtpService;
  tokenDAL: TTokenDALFactory;
 };
 export type TAuthLoginFactory = ReturnType<typeof authLoginServiceFactory>;
-export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }: TAuthLoginServiceFactoryDep) => {
+export const authLoginServiceFactory = ({
  userDAL,
  tokenService,
  smtpService,
  orgDAL,
  tokenDAL
 }: TAuthLoginServiceFactoryDep) => {
  /*
   * Private
   * Not exported. This is to update user device list
@@ -83,12 +94,14 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    user,
    ip,
    userAgent,
-    organizationId
+    organizationId,
    authMethod
  }: {
    user: TUsers;
    ip: string;
    userAgent: string;
-    organizationId?: string;
+    organizationId: string | undefined;
    authMethod: AuthMethod;
  }) => {
    const cfg = getConfig();
    await updateUserDeviceSession(user, ip, userAgent);
@@ -98,8 +111,10 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
      userId: user.id
    });
    if (!tokenSession) throw new Error("Failed to create token");
    const accessToken = jwt.sign(
      {
        authMethod,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: user.id,
        tokenVersionId: tokenSession.id,
@@ -112,6 +127,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    const refreshToken = jwt.sign(
      {
        authMethod,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: user.id,
        tokenVersionId: tokenSession.id,
@@ -158,9 +174,9 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
  const loginExchangeClientProof = async ({
    email,
    clientProof,
    providerAuthToken,
    ip,
-    userAgent
+    userAgent,
    providerAuthToken
  }: TLoginClientProofDTO) => {
    const userEnc = await userDAL.findUserEncKeyByUsername({
      username: email
@@ -168,14 +184,16 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    if (!userEnc) throw new Error("Failed to find user");
    const cfg = getConfig();
-    let organizationId;
+    let authMethod = AuthMethod.EMAIL;
-    if (!userEnc.authMethods?.includes(AuthMethod.EMAIL)) {
+    let organizationId: string | undefined;
-      const { orgId } = validateProviderAuthToken(providerAuthToken as string, email);
+
-      organizationId = orgId;
+    if (providerAuthToken) {
-    } else if (providerAuthToken) {
+      const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
-      // SAML SSO
+
-      const { orgId } = validateProviderAuthToken(providerAuthToken, email);
+      authMethod = decodedProviderToken.authMethod;
-      organizationId = orgId;
+      if (isAuthMethodSaml(authMethod) && decodedProviderToken.orgId) {
        organizationId = decodedProviderToken.orgId;
      }
    }
    if (!userEnc.serverPrivateKey || !userEnc.clientPublicKey) throw new Error("Failed to authenticate. Try again?");
@@ -196,9 +214,9 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    if (userEnc.isMfaEnabled && userEnc.email) {
      const mfaToken = jwt.sign(
        {
          authMethod,
          authTokenType: AuthTokenType.MFA_TOKEN,
-          userId: userEnc.userId,
+          userId: userEnc.userId
          organizationId
        },
        cfg.AUTH_SECRET,
        {
@@ -221,12 +239,60 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
      },
      ip,
      userAgent,
      authMethod,
      organizationId
    });
    return { token, isMfaEnabled: false, user: userEnc } as const;
  };
  const selectOrganization = async ({
    userAgent,
    authJwtToken,
    ipAddress,
    organizationId
  }: {
    userAgent: string | undefined;
    authJwtToken: string | undefined;
    ipAddress: string;
    organizationId: string;
  }) => {
    const cfg = getConfig();
    if (!authJwtToken) throw new UnauthorizedError({ name: "Authorization header is required" });
    if (!userAgent) throw new UnauthorizedError({ name: "user agent header is required" });
    // eslint-disable-next-line no-param-reassign
    authJwtToken = authJwtToken.replace("Bearer ", ""); // remove bearer from token
    // The decoded JWT token, which contains the auth method.
    const decodedToken = jwt.verify(authJwtToken, cfg.AUTH_SECRET) as AuthModeJwtTokenPayload;
    if (!decodedToken.authMethod) throw new UnauthorizedError({ name: "Auth method not found on existing token" });
    const user = await userDAL.findUserEncKeyByUserId(decodedToken.userId);
    if (!user) throw new BadRequestError({ message: "User not found", name: "Find user from token" });
    // Check if the user actually has access to the specified organization.
    const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId);
    if (!hasOrganizationMembership) {
      throw new UnauthorizedError({ message: "User does not have access to the organization" });
    }
    await tokenDAL.incrementTokenSessionVersion(user.id, decodedToken.tokenVersionId);
    const tokens = await generateUserTokens({
      authMethod: decodedToken.authMethod,
      user,
      userAgent,
      ip: ipAddress,
      organizationId
    });
    return tokens;
  };
  /*
   * Multi factor authentication re-send code, Get user id from token
   * saved in frontend
@@ -244,12 +310,15 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
   * Multi factor authentication verification of code
   * Third step of login in which user completes with mfa
   * */
-  const verifyMfaToken = async ({ userId, mfaToken, ip, userAgent, orgId }: TVerifyMfaTokenDTO) => {
+  const verifyMfaToken = async ({ userId, mfaToken, mfaJwtToken, ip, userAgent, orgId }: TVerifyMfaTokenDTO) => {
    await tokenService.validateTokenForUser({
      type: TokenType.TOKEN_EMAIL_MFA,
      userId,
      code: mfaToken
    });
    const decodedToken = jwt.verify(mfaJwtToken, getConfig().AUTH_SECRET) as AuthModeMfaJwtTokenPayload;
    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
    if (!userEnc) throw new Error("Failed to authenticate user");
@@ -260,7 +329,8 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
      },
      ip,
      userAgent,
-      organizationId: orgId
+      organizationId: orgId,
      authMethod: decodedToken.authMethod
    });
    return { token, user: userEnc };
@@ -339,6 +409,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    oauth2Login,
    resendMfaToken,
    verifyMfaToken,
    selectOrganization,
    generateUserTokens
  };
 };
--- a/backend/src/services/auth/auth-login-type.ts
+++ b/backend/src/services/auth/auth-login-type.ts
@@ -17,6 +17,7 @@ export type TLoginClientProofDTO = {
 export type TVerifyMfaTokenDTO = {
  userId: string;
  mfaToken: string;
  mfaJwtToken: string;
  ip: string;
  userAgent: string;
  orgId?: string;
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@@ -150,11 +150,15 @@ export const authSignupServiceFactory = ({
    });
    if (!organizationId) {
-      await orgService.createOrganization({
+      const newOrganization = await orgService.createOrganization({
        userId: user.id,
        userEmail: user.email ?? user.username,
        orgName: organizationName
      });
      if (!newOrganization) throw new Error("Failed to create organization");
      organizationId = newOrganization.id;
    }
    const updatedMembersips = await orgDAL.updateMembership(
@@ -174,6 +178,7 @@ export const authSignupServiceFactory = ({
    const accessToken = jwt.sign(
      {
        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@@ -186,6 +191,7 @@ export const authSignupServiceFactory = ({
    const refreshToken = jwt.sign(
      {
        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@@ -196,7 +202,7 @@ export const authSignupServiceFactory = ({
      { expiresIn: appCfg.JWT_REFRESH_LIFETIME }
    );
-    return { user: updateduser.info, accessToken, refreshToken };
+    return { user: updateduser.info, accessToken, refreshToken, organizationId };
  };
  /*
@@ -277,6 +283,7 @@ export const authSignupServiceFactory = ({
    const accessToken = jwt.sign(
      {
        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@@ -288,6 +295,7 @@ export const authSignupServiceFactory = ({
    const refreshToken = jwt.sign(
      {
        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
--- a/backend/src/services/auth/auth-type.ts
+++ b/backend/src/services/auth/auth-type.ts
@@ -6,6 +6,7 @@ export enum AuthMethod {
  OKTA_SAML = "okta-saml",
  AZURE_SAML = "azure-saml",
  JUMPCLOUD_SAML = "jumpcloud-saml",
  GOOGLE_SAML = "google-saml",
  LDAP = "ldap"
 }
@@ -38,8 +39,12 @@ export enum ActorType { // would extend to AWS, Azure, ...
  SCIM_CLIENT = "scimClient"
 }
 // This will be null unless the token-type is JWT
 export type ActorAuthMethod = AuthMethod | null;
 export type AuthModeJwtTokenPayload = {
  authTokenType: AuthTokenType.ACCESS_TOKEN;
  authMethod: AuthMethod;
  userId: string;
  tokenVersionId: string;
  accessVersion: number;
@@ -48,12 +53,15 @@ export type AuthModeJwtTokenPayload = {
 export type AuthModeMfaJwtTokenPayload = {
  authTokenType: AuthTokenType.MFA_TOKEN;
  authMethod: AuthMethod;
  userId: string;
  organizationId?: string;
 };
 export type AuthModeRefreshJwtTokenPayload = {
  // authMode
  authTokenType: AuthTokenType.REFRESH_TOKEN;
  authMethod: AuthMethod;
  userId: string;
  tokenVersionId: string;
  refreshVersion: number;
@@ -63,6 +71,8 @@ export type AuthModeRefreshJwtTokenPayload = {
 export type AuthModeProviderJwtTokenPayload = {
  authTokenType: AuthTokenType.PROVIDER_TOKEN;
  username: string;
  authMethod: AuthMethod;
  email: string;
  organizationId?: string;
 };
--- a/Show More
+++ b/Show More