Add new rate limits

Merge pull request #1655 from Infisical/project-limit
Remove plan cache upon create/delete project
2025-03-21 09:13:44 +00:00 · 2024-04-04 18:12:23 -07:00 · 2024-04-04 13:21:32 -07:00 · 2024-04-04 13:17:46 -07:00 · 2024-04-04 12:22:31 -07:00 · 2024-04-04 12:18:10 -07:00
729 changed files with 17966 additions and 6667 deletions
--- a/.env.example
+++ b/.env.example
@ -3,9 +3,6 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

-# Required
-DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
-
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
@ -16,6 +13,9 @@ POSTGRES_PASSWORD=infisical
 POSTGRES_USER=infisical
 POSTGRES_DB=infisical

+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
 # Redis
 REDIS_URL=redis://redis:6379

--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@ -41,6 +41,7 @@ jobs:
          load: true
          context: backend
          tags: infisical/infisical:test
+          platforms: linux/amd64,linux/arm64
      - name: ⏻ Spawn backend container and dependencies
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@ -92,6 +93,7 @@ jobs:
          project: 64mmf0n610
          context: frontend
          tags: infisical/frontend:test
+          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -0,0 +1,140 @@
+name: Deployment pipeline
+on: [workflow_dispatch]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  infisical-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
+    
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    environment:
+      name: Gamma
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-prod-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
+          wait-for-service-stability: true
+
+  production-postgres-deployment:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    needs: [gamma-deployment]
+    environment:
+      name: Production
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-prod-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
+          wait-for-service-stability: true
--- a/.github/workflows/build-staging-and-deploy.yml
+++ b/.github/workflows/build-staging-and-deploy.yml
@ -1,120 +0,0 @@
-name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
-
-jobs:
-  infisical-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: infisical/infisical:test
-      # - name: ⏻ Spawn backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      # - name: 🧪 Test backend image
-      #   run: |
-      #     ./.github/resources/healthcheck.sh infisical-backend-test
-      # - name: ⏻ Shut down backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-  postgres-migration:
-    name: Run latest migration files
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      # - name: Run postgres DB migration files
-      #   env:
-      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-      #   run: npm run migration:latest
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [postgres-migration]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install infisical helm chart
-        run: |
-          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
-          helm repo update
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v3
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-      - name: Save DigitalOcean kubeconfig with short-lived credentials
-        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
-      - name: switch to gamma namespace
-        run: kubectl config set-context --current --namespace=gamma
-      - name: test kubectl
-        run: kubectl get ingress
-      - name: Download helm values to file and upgrade gamma deploy
-        run: |
-          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
-          if [[ $(helm status infisical) == *"FAILED"* ]]; then
-            echo "Helm upgrade failed"
-            exit 1
-          else
-            echo "Helm upgrade was successful"
-          fi
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -118,9 +118,6 @@ WORKDIR /backend

 ENV TELEMETRY_ENABLED true

-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
-  CMD node healthcheck.js
-
 EXPOSE 8080
 EXPOSE 443

--- a/README.md
+++ b/README.md
@ -10,7 +10,8 @@
  <a href="https://infisical.com/">Infisical Cloud</a> |
  <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
  <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a>
+  <a href="https://www.infisical.com">Website</a> |
+  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>

 <p align="center">
--- a/backend/scripts/create-backend-file.ts
+++ b/backend/scripts/create-backend-file.ts
@ -103,11 +103,15 @@ export const ${dalName} = (db: TDbClient) => {
    `import { z } from "zod";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { readLimit } from "@app/server/config/rateLimiter";

 export const register${pascalCase}Router = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({}),
      response: {
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -3,9 +3,13 @@ import "fastify";
 import { TUsers } from "@app/db/schemas";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
+import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
+import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@ -62,7 +66,7 @@ declare module "fastify" {
      authMethod: ActorAuthMethod;
      type: ActorType;
      id: string;
-      orgId?: string;
+      orgId: string;
    };
    // passport data
    passportUser: {
@ -117,6 +121,10 @@ declare module "fastify" {
      trustedIp: TTrustedIpServiceFactory;
      secretBlindIndex: TSecretBlindIndexServiceFactory;
      telemetry: TTelemetryServiceFactory;
+      dynamicSecret: TDynamicSecretServiceFactory;
+      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
+      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
+      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -17,6 +17,12 @@ import {
  TBackupPrivateKey,
  TBackupPrivateKeyInsert,
  TBackupPrivateKeyUpdate,
+  TDynamicSecretLeases,
+  TDynamicSecretLeasesInsert,
+  TDynamicSecretLeasesUpdate,
+  TDynamicSecrets,
+  TDynamicSecretsInsert,
+  TDynamicSecretsUpdate,
  TGitAppInstallSessions,
  TGitAppInstallSessionsInsert,
  TGitAppInstallSessionsUpdate,
@ -32,6 +38,9 @@ import {
  TIdentityOrgMemberships,
  TIdentityOrgMembershipsInsert,
  TIdentityOrgMembershipsUpdate,
+  TIdentityProjectAdditionalPrivilege,
+  TIdentityProjectAdditionalPrivilegeInsert,
+  TIdentityProjectAdditionalPrivilegeUpdate,
  TIdentityProjectMembershipRole,
  TIdentityProjectMembershipRoleInsert,
  TIdentityProjectMembershipRoleUpdate,
@ -86,6 +95,9 @@ import {
  TProjects,
  TProjectsInsert,
  TProjectsUpdate,
+  TProjectUserAdditionalPrivilege,
+  TProjectUserAdditionalPrivilegeInsert,
+  TProjectUserAdditionalPrivilegeUpdate,
  TProjectUserMembershipRoles,
  TProjectUserMembershipRolesInsert,
  TProjectUserMembershipRolesUpdate,
@ -233,6 +245,11 @@ declare module "knex/types/tables" {
      TProjectUserMembershipRolesUpdate
    >;
    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
+    [TableName.ProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
+      TProjectUserAdditionalPrivilege,
+      TProjectUserAdditionalPrivilegeInsert,
+      TProjectUserAdditionalPrivilegeUpdate
+    >;
    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
@ -288,6 +305,11 @@ declare module "knex/types/tables" {
      TIdentityProjectMembershipRoleInsert,
      TIdentityProjectMembershipRoleUpdate
    >;
+    [TableName.IdentityProjectAdditionalPrivilege]: Knex.CompositeTableType<
+      TIdentityProjectAdditionalPrivilege,
+      TIdentityProjectAdditionalPrivilegeInsert,
+      TIdentityProjectAdditionalPrivilegeUpdate
+    >;
    [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
      TSecretApprovalPolicies,
@ -340,6 +362,12 @@ declare module "knex/types/tables" {
      TSecretSnapshotFoldersInsert,
      TSecretSnapshotFoldersUpdate
    >;
+    [TableName.DynamicSecret]: Knex.CompositeTableType<TDynamicSecrets, TDynamicSecretsInsert, TDynamicSecretsUpdate>;
+    [TableName.DynamicSecretLease]: Knex.CompositeTableType<
+      TDynamicSecretLeases,
+      TDynamicSecretLeasesInsert,
+      TDynamicSecretLeasesUpdate
+    >;
    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
--- a/backend/src/db/migrations/20240318164718_dynamic-secret.ts
+++ b/backend/src/db/migrations/20240318164718_dynamic-secret.ts
@ -0,0 +1,58 @@
+import { Knex } from "knex";
+
+import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.DynamicSecret);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.DynamicSecret, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.integer("version").notNullable();
+      t.string("type").notNullable();
+      t.string("defaultTTL").notNullable();
+      t.string("maxTTL");
+      t.string("inputIV").notNullable();
+      t.text("inputCiphertext").notNullable();
+      t.string("inputTag").notNullable();
+      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
+      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
+      t.uuid("folderId").notNullable();
+      // for background process communication
+      t.string("status");
+      t.string("statusDetails");
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.unique(["name", "folderId"]);
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.DynamicSecret);
+
+  const doesTableDynamicSecretLease = await knex.schema.hasTable(TableName.DynamicSecretLease);
+  if (!doesTableDynamicSecretLease) {
+    await knex.schema.createTable(TableName.DynamicSecretLease, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("version").notNullable();
+      t.string("externalEntityId").notNullable();
+      t.datetime("expireAt").notNullable();
+      // for background process communication
+      t.string("status");
+      t.string("statusDetails");
+      t.uuid("dynamicSecretId").notNullable();
+      t.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.DynamicSecretLease);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.DynamicSecretLease);
+  await knex.schema.dropTableIfExists(TableName.DynamicSecretLease);
+
+  await dropOnUpdateTrigger(knex, TableName.DynamicSecret);
+  await knex.schema.dropTableIfExists(TableName.DynamicSecret);
+}
--- a/backend/src/db/migrations/20240326172010_project-user-additional-privilege.ts
+++ b/backend/src/db/migrations/20240326172010_project-user-additional-privilege.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ProjectUserAdditionalPrivilege))) {
+    await knex.schema.createTable(TableName.ProjectUserAdditionalPrivilege, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("slug", 60).notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.jsonb("permissions").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.ProjectUserAdditionalPrivilege);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.ProjectUserAdditionalPrivilege);
+  await knex.schema.dropTableIfExists(TableName.ProjectUserAdditionalPrivilege);
+}
--- a/backend/src/db/migrations/20240326172011_machine-identity-additional-privilege.ts
+++ b/backend/src/db/migrations/20240326172011_machine-identity-additional-privilege.ts
@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityProjectAdditionalPrivilege))) {
+    await knex.schema.createTable(TableName.IdentityProjectAdditionalPrivilege, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("slug", 60).notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId")
+        .references("id")
+        .inTable(TableName.IdentityProjectMembership)
+        .onDelete("CASCADE");
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.jsonb("permissions").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityProjectAdditionalPrivilege);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.IdentityProjectAdditionalPrivilege);
+  await knex.schema.dropTableIfExists(TableName.IdentityProjectAdditionalPrivilege);
+}
--- a/backend/src/db/schemas/dynamic-secret-leases.ts
+++ b/backend/src/db/schemas/dynamic-secret-leases.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const DynamicSecretLeasesSchema = z.object({
+  id: z.string().uuid(),
+  version: z.number(),
+  externalEntityId: z.string(),
+  expireAt: z.date(),
+  status: z.string().nullable().optional(),
+  statusDetails: z.string().nullable().optional(),
+  dynamicSecretId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
+export type TDynamicSecretLeasesInsert = Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>;
+export type TDynamicSecretLeasesUpdate = Partial<Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/dynamic-secrets.ts
+++ b/backend/src/db/schemas/dynamic-secrets.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const DynamicSecretsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  version: z.number(),
+  type: z.string(),
+  defaultTTL: z.string(),
+  maxTTL: z.string().nullable().optional(),
+  inputIV: z.string(),
+  inputCiphertext: z.string(),
+  inputTag: z.string(),
+  algorithm: z.string().default("aes-256-gcm"),
+  keyEncoding: z.string().default("utf8"),
+  folderId: z.string().uuid(),
+  status: z.string().nullable().optional(),
+  statusDetails: z.string().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
+export type TDynamicSecretsInsert = Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>;
+export type TDynamicSecretsUpdate = Partial<Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-project-additional-privilege.ts
+++ b/backend/src/db/schemas/identity-project-additional-privilege.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityProjectAdditionalPrivilegeSchema = z.object({
+  id: z.string().uuid(),
+  slug: z.string(),
+  projectMembershipId: z.string().uuid(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityProjectAdditionalPrivilege = z.infer<typeof IdentityProjectAdditionalPrivilegeSchema>;
+export type TIdentityProjectAdditionalPrivilegeInsert = Omit<
+  z.input<typeof IdentityProjectAdditionalPrivilegeSchema>,
+  TImmutableDBKeys
+>;
+export type TIdentityProjectAdditionalPrivilegeUpdate = Partial<
+  Omit<z.input<typeof IdentityProjectAdditionalPrivilegeSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -3,11 +3,14 @@ export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
 export * from "./backup-private-key";
+export * from "./dynamic-secret-leases";
+export * from "./dynamic-secrets";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-org-memberships";
+export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
 export * from "./identity-ua-client-secrets";
@ -26,6 +29,7 @@ export * from "./project-environments";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
+export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./saml-configs";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -20,6 +20,7 @@ export enum TableName {
  Environment = "project_environments",
  ProjectMembership = "project_memberships",
  ProjectRoles = "project_roles",
+  ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
  ProjectUserMembershipRole = "project_user_membership_roles",
  ProjectKeys = "project_keys",
  Secret = "secrets",
@ -43,6 +44,7 @@ export enum TableName {
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
+  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  ScimToken = "scim_tokens",
  SecretApprovalPolicy = "secret_approval_policies",
  SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
@ -59,6 +61,8 @@ export enum TableName {
  GitAppOrg = "git_app_org",
  SecretScanningGitRisk = "secret_scanning_git_risks",
  TrustedIps = "trusted_ips",
+  DynamicSecret = "dynamic_secrets",
+  DynamicSecretLease = "dynamic_secret_leases",
  // junction tables with tags
  JnSecretTag = "secret_tag_junction",
  SecretVersionTag = "secret_version_tag_junction"
--- a/backend/src/db/schemas/project-user-additional-privilege.ts
+++ b/backend/src/db/schemas/project-user-additional-privilege.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectUserAdditionalPrivilegeSchema = z.object({
+  id: z.string().uuid(),
+  slug: z.string(),
+  projectMembershipId: z.string().uuid(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectUserAdditionalPrivilege = z.infer<typeof ProjectUserAdditionalPrivilegeSchema>;
+export type TProjectUserAdditionalPrivilegeInsert = Omit<
+  z.input<typeof ProjectUserAdditionalPrivilegeSchema>,
+  TImmutableDBKeys
+>;
+export type TProjectUserAdditionalPrivilegeUpdate = Partial<
+  Omit<z.input<typeof ProjectUserAdditionalPrivilegeSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@ -0,0 +1,197 @@
+import ms from "ms";
+import { z } from "zod";
+
+import { DynamicSecretLeasesSchema } from "@app/db/schemas";
+import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { daysToMillisecond } from "@app/lib/dates";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
+        ttl: z
+          .string()
+          .optional()
+          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema,
+          dynamicSecret: SanitizedDynamicSecretSchema,
+          data: z.unknown()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.body.dynamicSecretName,
+        ...req.body
+      });
+      return { lease, data, dynamicSecret };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:leaseId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
+      }),
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.projectSlug),
+        path: z
+          .string()
+          .min(1)
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRET_LEASES.DELETE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.environmentSlug),
+        isForced: z.boolean().default(false).describe(DYNAMIC_SECRET_LEASES.DELETE.isForced)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const lease = await server.services.dynamicSecretLease.revokeLease({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        leaseId: req.params.leaseId,
+        ...req.body
+      });
+      return { lease };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:leaseId/renew",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
+      }),
+      body: z.object({
+        ttl: z
+          .string()
+          .describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
+          .optional()
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.projectSlug),
+        path: z
+          .string()
+          .min(1)
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRET_LEASES.RENEW.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const lease = await server.services.dynamicSecretLease.renewLease({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        leaseId: req.params.leaseId,
+        ...req.body
+      });
+      return { lease };
+    }
+  });
+
+  server.route({
+    url: "/:leaseId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
+      }),
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.projectSlug),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema.extend({
+            dynamicSecret: SanitizedDynamicSecretSchema
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const lease = await server.services.dynamicSecretLease.getLeaseDetails({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        leaseId: req.params.leaseId,
+        ...req.query
+      });
+      return { lease };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -0,0 +1,290 @@
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+import { z } from "zod";
+
+import { DynamicSecretLeasesSchema } from "@app/db/schemas";
+import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
+import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
+import { daysToMillisecond } from "@app/lib/dates";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
+        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
+        defaultTTL: z
+          .string()
+          .describe(DYNAMIC_SECRETS.CREATE.defaultTTL)
+          .superRefine((val, ctx) => {
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        maxTTL: z
+          .string()
+          .describe(DYNAMIC_SECRETS.CREATE.maxTTL)
+          .optional()
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          })
+          .nullable(),
+        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
+        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
+        name: z
+          .string()
+          .describe(DYNAMIC_SECRETS.CREATE.name)
+          .min(1)
+          .toLowerCase()
+          .max(64)
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid"
+          })
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:name",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
+      }),
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.UPDATE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.environmentSlug),
+        data: z.object({
+          inputs: z.any().optional().describe(DYNAMIC_SECRETS.UPDATE.inputs),
+          defaultTTL: z
+            .string()
+            .describe(DYNAMIC_SECRETS.UPDATE.defaultTTL)
+            .optional()
+            .superRefine((val, ctx) => {
+              if (!val) return;
+              const valMs = ms(val);
+              if (valMs < 60 * 1000)
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+              if (valMs > daysToMillisecond(1))
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+            }),
+          maxTTL: z
+            .string()
+            .describe(DYNAMIC_SECRETS.UPDATE.maxTTL)
+            .optional()
+            .superRefine((val, ctx) => {
+              if (!val) return;
+              const valMs = ms(val);
+              if (valMs < 60 * 1000)
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+              if (valMs > daysToMillisecond(1))
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+            })
+            .nullable(),
+          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
+        })
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.updateByName({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        path: req.body.path,
+        projectSlug: req.body.projectSlug,
+        environmentSlug: req.body.environmentSlug,
+        ...req.body.data
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:name",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
+      }),
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.DELETE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.environmentSlug),
+        isForced: z.boolean().default(false).describe(DYNAMIC_SECRETS.DELETE.isForced)
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.deleteByName({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        ...req.body
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    url: "/:name",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
+      }),
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.GET_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema.extend({
+            inputs: z.unknown()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.getDetails({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        ...req.query
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          dynamicSecrets: SanitizedDynamicSecretSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      return { dynamicSecrets: dynamicSecretCfgs };
+    }
+  });
+
+  server.route({
+    url: "/:name/leases",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
+      }),
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          leases: DynamicSecretLeasesSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const leases = await server.services.dynamicSecretLease.listLeases({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        ...req.query
+      });
+      return { leases };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -0,0 +1,329 @@
+import { MongoAbility, RawRuleOf } from "@casl/ability";
+import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+import { z } from "zod";
+
+import { IdentityProjectAdditionalPrivilegeSchema } from "@app/db/schemas";
+import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
+import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
+import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/permanent",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create a permanent or a non expiry specific privilege for identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+      }),
+      response: {
+        200: z.object({
+          privilege: IdentityProjectAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        isTemporary: false,
+        permissions: JSON.stringify(packRules(req.body.permissions))
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/temporary",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create a temporary or a expiring specific privilege for identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        temporaryMode: z
+          .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
+        temporaryRange: z
+          .string()
+          .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
+        temporaryAccessStartTime: z
+          .string()
+          .datetime()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
+      }),
+      response: {
+        200: z.object({
+          privilege: IdentityProjectAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        isTemporary: true,
+        permissions: JSON.stringify(packRules(req.body.permissions))
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update a specific privilege of an identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        // disallow empty string
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.slug),
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.projectSlug),
+        privilegeDetails: z
+          .object({
+            slug: z
+              .string()
+              .min(1)
+              .max(60)
+              .trim()
+              .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+              .refine((v) => slugify(v) === v, {
+                message: "Slug must be a valid slug"
+              })
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
+            permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
+            temporaryMode: z
+              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
+            temporaryRange: z
+              .string()
+              .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
+            temporaryAccessStartTime: z
+              .string()
+              .datetime()
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
+          })
+          .partial()
+      }),
+      response: {
+        200: z.object({
+          privilege: IdentityProjectAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const updatedInfo = req.body.privilegeDetails;
+      const privilege = await server.services.identityProjectAdditionalPrivilege.updateBySlug({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        slug: req.body.privilegeSlug,
+        identityId: req.body.identityId,
+        projectSlug: req.body.projectSlug,
+        data: {
+          ...updatedInfo,
+          permissions: updatedInfo?.permissions ? JSON.stringify(packRules(updatedInfo.permissions)) : undefined
+        }
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete a specific privilege of an identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.DELETE.slug),
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.DELETE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.DELETE.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          privilege: IdentityProjectAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.deleteBySlug({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.body.privilegeSlug,
+        identityId: req.body.identityId,
+        projectSlug: req.body.projectSlug
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:privilegeSlug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Retrieve details of a specific privilege by privilege slug.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.GET_BY_SLUG.slug)
+      }),
+      querystring: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.GET_BY_SLUG.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.GET_BY_SLUG.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          privilege: IdentityProjectAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.getPrivilegeDetailsBySlug({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        slug: req.params.privilegeSlug,
+        ...req.query
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List of a specific privilege of an identity in a project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug),
+        unpacked: z
+          .enum(["false", "true"])
+          .transform((el) => el === "true")
+          .default("true")
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.unpacked)
+      }),
+      response: {
+        200: z.object({
+          privileges: IdentityProjectAdditionalPrivilegeSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privileges = await server.services.identityProjectAdditionalPrivilege.listIdentityProjectPrivileges({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      if (req.query.unpacked) {
+        return {
+          privileges: privileges.map(({ permissions, ...el }) => ({
+            ...el,
+            permissions: unpackRules(permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
+          }))
+        };
+      }
+      return { privileges };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,3 +1,6 @@
+import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
+import { registerDynamicSecretRouter } from "./dynamic-secret-router";
+import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOrgRoleRouter } from "./org-role-router";
@ -13,6 +16,7 @@ import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
+import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";

 export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  // org role starts with organization
@ -34,10 +38,26 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerSecretRotationProviderRouter, {
    prefix: "/secret-rotation-providers"
  });
+
+  await server.register(
+    async (dynamicSecretRouter) => {
+      await dynamicSecretRouter.register(registerDynamicSecretRouter);
+      await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
+    },
+    { prefix: "/dynamic-secrets" }
+  );
+
  await server.register(registerSamlRouter, { prefix: "/sso" });
  await server.register(registerScimRouter, { prefix: "/scim" });
  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
+  await server.register(
+    async (privilegeRouter) => {
+      await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });
+      await privilegeRouter.register(registerIdentityProjectAdditionalPrivilegeRouter, { prefix: "/identity" });
+    },
+    { prefix: "/additional-privilege" }
+  );
 };
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -17,6 +17,7 @@ import { z } from "zod";
 import { LdapConfigsSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -97,8 +98,11 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
@ -130,8 +134,11 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "POST",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@ -164,6 +171,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/config",
    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@ -3,13 +3,17 @@
 // TODO(akhilmhdh): Fix this when licence service gets it type
 import { z } from "zod";

+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:organizationId/plans/table",
    method: "GET",
+    url: "/:organizationId/plans/table",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({ billingCycle: z.enum(["monthly", "yearly"]) }),
      params: z.object({ organizationId: z.string().trim() }),
@ -32,8 +36,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan",
    method: "GET",
+    url: "/:organizationId/plan",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -54,8 +61,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plans",
    method: "GET",
+    url: "/:organizationId/plans",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({ workspaceId: z.string().trim().optional() }),
@ -77,8 +87,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/session/trial",
    method: "POST",
+    url: "/:organizationId/session/trial",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({ success_url: z.string().trim() }),
@ -103,6 +116,9 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:organizationId/customer-portal-session",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -123,8 +139,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan/billing",
    method: "GET",
+    url: "/:organizationId/plan/billing",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -145,8 +164,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan/table",
    method: "GET",
+    url: "/:organizationId/plan/table",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -167,8 +189,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details",
    method: "GET",
+    url: "/:organizationId/billing-details",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -189,8 +214,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details",
    method: "PATCH",
+    url: "/:organizationId/billing-details",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@ -217,8 +245,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods",
    method: "GET",
+    url: "/:organizationId/billing-details/payment-methods",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -239,8 +270,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods",
    method: "POST",
+    url: "/:organizationId/billing-details/payment-methods",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@ -267,8 +301,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods/:pmtMethodId",
    method: "DELETE",
+    url: "/:organizationId/billing-details/payment-methods/:pmtMethodId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -293,8 +330,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids",
    method: "GET",
+    url: "/:organizationId/billing-details/tax-ids",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -317,8 +357,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids",
    method: "POST",
+    url: "/:organizationId/billing-details/tax-ids",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -347,8 +390,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids/:taxId",
    method: "DELETE",
+    url: "/:organizationId/billing-details/tax-ids/:taxId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -373,8 +419,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/invoices",
    method: "GET",
+    url: "/:organizationId/invoices",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -397,8 +446,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/licenses",
    method: "GET",
+    url: "/:organizationId/licenses",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -2,6 +2,7 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -9,6 +10,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:organizationId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -19,7 +23,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          .min(1)
          .trim()
          .refine(
-            (val) => Object.keys(OrgMembershipRole).includes(val),
+            (val) => !Object.keys(OrgMembershipRole).includes(val),
            "Please choose a different slug, the slug you have entered is reserved"
          )
          .refine((v) => slugify(v) === v, {
@ -51,6 +55,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -95,6 +102,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -122,6 +132,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/roles",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -151,6 +164,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/permissions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,6 +9,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:projectId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@ -41,6 +45,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim(),
@ -76,6 +83,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim(),
@ -104,6 +114,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:projectId/roles",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@ -134,6 +147,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:projectId/permissions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -4,6 +4,7 @@ import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -11,6 +12,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/secret-snapshots",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return project secret snapshots ids",
      security: [
@ -51,6 +55,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/secret-snapshots/count",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -83,6 +90,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return audit logs",
      security: [
@ -145,6 +155,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs/filters/actors",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -17,6 +17,7 @@ import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -203,8 +204,11 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
@ -240,8 +244,11 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "POST",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@ -270,8 +277,11 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "PATCH",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { ScimTokensSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -20,6 +21,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/scim-tokens",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@ -51,6 +55,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/scim-tokens",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
@ -78,6 +85,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/scim-tokens/:scimTokenId",
    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -146,7 +156,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        offset: req.query.startIndex,
        limit: req.query.count,
        filter: req.query.filter,
-        orgId: req.permission.orgId as string
+        orgId: req.permission.orgId
      });
      return users;
    }
@ -184,7 +194,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const user = await req.server.services.scim.getScimUser({
        userId: req.params.userId,
-        orgId: req.permission.orgId as string
+        orgId: req.permission.orgId
      });
      return user;
    }
@ -243,7 +253,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        email: primaryEmail,
        firstName: req.body.name.givenName,
        lastName: req.body.name.familyName,
-        orgId: req.permission.orgId as string
+        orgId: req.permission.orgId
      });

      return user;
@ -280,7 +290,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const user = await req.server.services.scim.updateScimUser({
        userId: req.params.userId,
-        orgId: req.permission.orgId as string,
+        orgId: req.permission.orgId,
        operations: req.body.Operations
      });
      return user;
@ -330,7 +340,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const user = await req.server.services.scim.replaceScimUser({
        userId: req.params.userId,
-        orgId: req.permission.orgId as string,
+        orgId: req.permission.orgId,
        active: req.body.active
      });
      return user;
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -9,6 +10,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z
        .object({
@ -47,6 +51,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:sapId",
    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        sapId: z.string()
@ -85,6 +92,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:sapId",
    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        sapId: z.string()
@ -111,6 +121,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim()
@ -137,6 +150,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/board",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -10,13 +10,17 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApprovalStatus, RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretApprovalRequestRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
@ -62,8 +66,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  });

  server.route({
-    url: "/count",
    method: "GET",
+    url: "/count",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim()
@ -93,6 +100,9 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  server.route({
    url: "/:id/merge",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
@ -117,8 +127,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  });

  server.route({
-    url: "/:id/review",
    method: "POST",
+    url: "/:id/review",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
@ -147,8 +160,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  });

  server.route({
-    url: "/:id/status",
    method: "POST",
+    url: "/:id/status",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
@ -203,8 +219,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
    .array()
    .optional();
  server.route({
-    url: "/:id",
    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
--- a/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
@ -1,12 +1,16 @@
 import { z } from "zod";

+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretRotationProviderRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId",
    method: "GET",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/ee/routes/v1/secret-rotation-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-router.ts
@ -2,13 +2,17 @@ import { z } from "zod";

 import { SecretRotationOutputsSchema, SecretRotationsSchema, SecretsSchema } from "@app/db/schemas";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretRotationRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        workspaceId: z.string().trim(),
@ -52,6 +56,9 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
  server.route({
    url: "/restart",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        id: z.string().trim()
@ -86,6 +93,9 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim()
@ -136,8 +146,11 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/:id",
    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string().trim()
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -2,13 +2,17 @@ import { z } from "zod";

 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
 import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretScanningRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/create-installation-session/organization",
    method: "POST",
+    url: "/create-installation-session/organization",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({ organizationId: z.string().trim() }),
      response: {
@ -31,8 +35,11 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/link-installation",
    method: "POST",
+    url: "/link-installation",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        installationId: z.string(),
@ -56,8 +63,11 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/installation-status/organization/:organizationId",
    method: "GET",
+    url: "/installation-status/organization/:organizationId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -80,6 +90,9 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -100,8 +113,11 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/organization/:organizationId/risks/:riskId/status",
    method: "POST",
+    url: "/organization/:organizationId/risks/:riskId/status",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim(), riskId: z.string().trim() }),
      body: z.object({ status: z.nativeEnum(SecretScanningRiskStatus) }),
--- a/backend/src/ee/routes/v1/secret-version-router.ts
+++ b/backend/src/ee/routes/v1/secret-version-router.ts
@ -1,13 +1,17 @@
 import { z } from "zod";

 import { SecretVersionsSchema } from "@app/db/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretVersionRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:secretId/secret-versions",
    method: "GET",
+    url: "/:secretId/secret-versions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        secretId: z.string()
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -9,6 +10,9 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:secretSnapshotId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        secretSnapshotId: z.string().trim()
@ -58,6 +62,9 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:secretSnapshotId/rollback",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Roll back project secrets to those captured in a secret snapshot version.",
      security: [
--- a/backend/src/ee/routes/v1/trusted-ip-router.ts
+++ b/backend/src/ee/routes/v1/trusted-ip-router.ts
@ -2,13 +2,17 @@ import { z } from "zod";

 import { TrustedIpsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/trusted-ips",
    method: "GET",
+    url: "/:workspaceId/trusted-ips",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -33,8 +37,11 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/trusted-ips",
    method: "POST",
+    url: "/:workspaceId/trusted-ips",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -78,8 +85,11 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/trusted-ips/:trustedIpId",
    method: "PATCH",
+    url: "/:workspaceId/trusted-ips/:trustedIpId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim(),
@ -124,8 +134,11 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/trusted-ips/:trustedIpId",
    method: "DELETE",
+    url: "/:workspaceId/trusted-ips/:trustedIpId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/ee/routes/v1/user-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/user-additional-privilege-router.ts
@ -0,0 +1,256 @@
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+import { z } from "zod";
+
+import { ProjectUserAdditionalPrivilegeSchema } from "@app/db/schemas";
+import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
+import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/permanent",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+      }),
+      response: {
+        200: z.object({
+          privilege: ProjectUserAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privilege = await server.services.projectUserAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        isTemporary: false,
+        permissions: JSON.stringify(req.body.permissions)
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/temporary",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        temporaryMode: z
+          .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
+        temporaryRange: z
+          .string()
+          .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
+        temporaryAccessStartTime: z
+          .string()
+          .datetime()
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
+      }),
+      response: {
+        200: z.object({
+          privilege: ProjectUserAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privilege = await server.services.projectUserAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : `privilege-${slugify(alphaNumericNanoId(12))}`,
+        isTemporary: true,
+        permissions: JSON.stringify(req.body.permissions)
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:privilegeId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        privilegeId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.privilegeId)
+      }),
+      body: z
+        .object({
+          slug: z
+            .string()
+            .max(60)
+            .trim()
+            .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
+            .refine((v) => slugify(v) === v, {
+              message: "Slug must be a valid slug"
+            })
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
+          permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+          isTemporary: z.boolean().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
+          temporaryMode: z
+            .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
+          temporaryRange: z
+            .string()
+            .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
+          temporaryAccessStartTime: z
+            .string()
+            .datetime()
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
+        })
+        .partial(),
+      response: {
+        200: z.object({
+          privilege: ProjectUserAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privilege = await server.services.projectUserAdditionalPrivilege.updateById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        permissions: req.body.permissions ? JSON.stringify(req.body.permissions) : undefined,
+        privilegeId: req.params.privilegeId
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:privilegeId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.DELETE.privilegeId)
+      }),
+      response: {
+        200: z.object({
+          privilege: ProjectUserAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privilege = await server.services.projectUserAdditionalPrivilege.deleteById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        privilegeId: req.params.privilegeId
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        projectMembershipId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.LIST.projectMembershipId)
+      }),
+      response: {
+        200: z.object({
+          privileges: ProjectUserAdditionalPrivilegeSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privileges = await server.services.projectUserAdditionalPrivilege.listPrivileges({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        projectMembershipId: req.query.projectMembershipId
+      });
+      return { privileges };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:privilegeId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.GET_BY_PRIVILEGEID.privilegeId)
+      }),
+      response: {
+        200: z.object({
+          privilege: ProjectUserAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privilege = await server.services.projectUserAdditionalPrivilege.getPrivilegeDetailsById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        privilegeId: req.params.privilegeId
+      });
+      return { privilege };
+    }
+  });
+};
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts
@ -0,0 +1,80 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { DynamicSecretLeasesSchema, TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TDynamicSecretLeaseDALFactory = ReturnType<typeof dynamicSecretLeaseDALFactory>;
+
+export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.DynamicSecretLease);
+
+  const countLeasesForDynamicSecret = async (dynamicSecretId: string, tx?: Knex) => {
+    try {
+      const doc = await (tx || db)(TableName.DynamicSecretLease).count("*").where({ dynamicSecretId }).first();
+      return parseInt(doc || "0", 10);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "DynamicSecretCountLeases" });
+    }
+  };
+
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const doc = await (tx || db)(TableName.DynamicSecretLease)
+        .where({ [`${TableName.DynamicSecretLease}.id` as "id"]: id })
+        .first()
+        .join(
+          TableName.DynamicSecret,
+          `${TableName.DynamicSecretLease}.dynamicSecretId`,
+          `${TableName.DynamicSecret}.id`
+        )
+        .select(selectAllTableCols(TableName.DynamicSecretLease))
+        .select(
+          db.ref("id").withSchema(TableName.DynamicSecret).as("dynId"),
+          db.ref("name").withSchema(TableName.DynamicSecret).as("dynName"),
+          db.ref("version").withSchema(TableName.DynamicSecret).as("dynVersion"),
+          db.ref("type").withSchema(TableName.DynamicSecret).as("dynType"),
+          db.ref("defaultTTL").withSchema(TableName.DynamicSecret).as("dynDefaultTTL"),
+          db.ref("maxTTL").withSchema(TableName.DynamicSecret).as("dynMaxTTL"),
+          db.ref("inputIV").withSchema(TableName.DynamicSecret).as("dynInputIV"),
+          db.ref("inputTag").withSchema(TableName.DynamicSecret).as("dynInputTag"),
+          db.ref("inputCiphertext").withSchema(TableName.DynamicSecret).as("dynInputCiphertext"),
+          db.ref("algorithm").withSchema(TableName.DynamicSecret).as("dynAlgorithm"),
+          db.ref("keyEncoding").withSchema(TableName.DynamicSecret).as("dynKeyEncoding"),
+          db.ref("folderId").withSchema(TableName.DynamicSecret).as("dynFolderId"),
+          db.ref("status").withSchema(TableName.DynamicSecret).as("dynStatus"),
+          db.ref("statusDetails").withSchema(TableName.DynamicSecret).as("dynStatusDetails"),
+          db.ref("createdAt").withSchema(TableName.DynamicSecret).as("dynCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.DynamicSecret).as("dynUpdatedAt")
+        );
+      if (!doc) return;
+
+      return {
+        ...DynamicSecretLeasesSchema.parse(doc),
+        dynamicSecret: {
+          id: doc.dynId,
+          name: doc.dynName,
+          version: doc.dynVersion,
+          type: doc.dynType,
+          defaultTTL: doc.dynDefaultTTL,
+          maxTTL: doc.dynMaxTTL,
+          inputIV: doc.dynInputIV,
+          inputTag: doc.dynInputTag,
+          inputCiphertext: doc.dynInputCiphertext,
+          algorithm: doc.dynAlgorithm,
+          keyEncoding: doc.dynKeyEncoding,
+          folderId: doc.dynFolderId,
+          status: doc.dynStatus,
+          statusDetails: doc.dynStatusDetails,
+          createdAt: doc.dynCreatedAt,
+          updatedAt: doc.dynUpdatedAt
+        }
+      };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "DynamicSecretLeaseFindById" });
+    }
+  };
+
+  return { ...orm, findById, countLeasesForDynamicSecret };
+};
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts
@ -0,0 +1,159 @@
+import { SecretKeyEncoding } from "@app/db/schemas";
+import { DisableRotationErrors } from "@app/ee/services/secret-rotation/secret-rotation-queue";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+
+import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
+import { DynamicSecretStatus } from "../dynamic-secret/dynamic-secret-types";
+import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
+import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
+
+type TDynamicSecretLeaseQueueServiceFactoryDep = {
+  queueService: TQueueServiceFactory;
+  dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "findById" | "deleteById" | "find" | "updateById">;
+  dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findById" | "deleteById" | "updateById">;
+  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
+};
+
+export type TDynamicSecretLeaseQueueServiceFactory = ReturnType<typeof dynamicSecretLeaseQueueServiceFactory>;
+
+export const dynamicSecretLeaseQueueServiceFactory = ({
+  queueService,
+  dynamicSecretDAL,
+  dynamicSecretProviders,
+  dynamicSecretLeaseDAL
+}: TDynamicSecretLeaseQueueServiceFactoryDep) => {
+  const pruneDynamicSecret = async (dynamicSecretCfgId: string) => {
+    await queueService.queue(
+      QueueName.DynamicSecretRevocation,
+      QueueJobs.DynamicSecretPruning,
+      { dynamicSecretCfgId },
+      {
+        jobId: dynamicSecretCfgId,
+        backoff: {
+          type: "exponential",
+          delay: 3000
+        },
+        removeOnFail: {
+          count: 3
+        },
+        removeOnComplete: true
+      }
+    );
+  };
+
+  const setLeaseRevocation = async (leaseId: string, expiry: number) => {
+    await queueService.queue(
+      QueueName.DynamicSecretRevocation,
+      QueueJobs.DynamicSecretRevocation,
+      { leaseId },
+      {
+        jobId: leaseId,
+        backoff: {
+          type: "exponential",
+          delay: 3000
+        },
+        delay: expiry,
+        removeOnFail: {
+          count: 3
+        },
+        removeOnComplete: true
+      }
+    );
+  };
+
+  const unsetLeaseRevocation = async (leaseId: string) => {
+    await queueService.stopJobById(QueueName.DynamicSecretRevocation, leaseId);
+  };
+
+  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
+    try {
+      if (job.name === QueueJobs.DynamicSecretRevocation) {
+        const { leaseId } = job.data as { leaseId: string };
+        logger.info("Dynamic secret lease revocation started: ", leaseId, job.id);
+
+        const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
+        if (!dynamicSecretLease) throw new DisableRotationErrors({ message: "Dynamic secret lease not found" });
+
+        const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
+        const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+        const decryptedStoredInput = JSON.parse(
+          infisicalSymmetricDecrypt({
+            keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+            ciphertext: dynamicSecretCfg.inputCiphertext,
+            tag: dynamicSecretCfg.inputTag,
+            iv: dynamicSecretCfg.inputIV
+          })
+        ) as object;
+
+        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId);
+        await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
+        return;
+      }
+
+      if (job.name === QueueJobs.DynamicSecretPruning) {
+        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
+        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, job.id);
+        const dynamicSecretCfg = await dynamicSecretDAL.findById(dynamicSecretCfgId);
+        if (!dynamicSecretCfg) throw new DisableRotationErrors({ message: "Dynamic secret not found" });
+        if ((dynamicSecretCfg.status as DynamicSecretStatus) !== DynamicSecretStatus.Deleting)
+          throw new DisableRotationErrors({ message: "Document not deleted" });
+
+        const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfgId });
+        if (dynamicSecretLeases.length) {
+          const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+          const decryptedStoredInput = JSON.parse(
+            infisicalSymmetricDecrypt({
+              keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+              ciphertext: dynamicSecretCfg.inputCiphertext,
+              tag: dynamicSecretCfg.inputTag,
+              iv: dynamicSecretCfg.inputIV
+            })
+          ) as object;
+
+          await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));
+          await Promise.all(
+            dynamicSecretLeases.map(({ externalEntityId }) =>
+              selectedProvider.revoke(decryptedStoredInput, externalEntityId)
+            )
+          );
+        }
+
+        await dynamicSecretDAL.deleteById(dynamicSecretCfgId);
+      }
+      logger.info("Finished dynamic secret job", job.id);
+    } catch (error) {
+      logger.error(error);
+
+      if (job?.name === QueueJobs.DynamicSecretPruning) {
+        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
+        await dynamicSecretDAL.updateById(dynamicSecretCfgId, {
+          status: DynamicSecretStatus.FailedDeletion,
+          statusDetails: (error as Error)?.message?.slice(0, 255)
+        });
+      }
+
+      if (job?.name === QueueJobs.DynamicSecretRevocation) {
+        const { leaseId } = job.data as { leaseId: string };
+        await dynamicSecretLeaseDAL.updateById(leaseId, {
+          status: DynamicSecretStatus.FailedDeletion,
+          statusDetails: (error as Error)?.message?.slice(0, 255)
+        });
+      }
+      if (error instanceof DisableRotationErrors) {
+        if (job.id) {
+          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, job.id);
+        }
+      }
+      // propogate to next part
+      throw error;
+    }
+  });
+
+  return {
+    pruneDynamicSecret,
+    setLeaseRevocation,
+    unsetLeaseRevocation
+  };
+};
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -0,0 +1,343 @@
+import { ForbiddenError, subject } from "@casl/ability";
+import ms from "ms";
+
+import { SecretKeyEncoding } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { getConfig } from "@app/lib/config/env";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+
+import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
+import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
+import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
+import { TDynamicSecretLeaseQueueServiceFactory } from "./dynamic-secret-lease-queue";
+import {
+  DynamicSecretLeaseStatus,
+  TCreateDynamicSecretLeaseDTO,
+  TDeleteDynamicSecretLeaseDTO,
+  TDetailsDynamicSecretLeaseDTO,
+  TListDynamicSecretLeasesDTO,
+  TRenewDynamicSecretLeaseDTO
+} from "./dynamic-secret-lease-types";
+
+type TDynamicSecretLeaseServiceFactoryDep = {
+  dynamicSecretLeaseDAL: TDynamicSecretLeaseDALFactory;
+  dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findOne">;
+  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
+  dynamicSecretQueueService: TDynamicSecretLeaseQueueServiceFactory;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
+};
+
+export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
+
+export const dynamicSecretLeaseServiceFactory = ({
+  dynamicSecretLeaseDAL,
+  dynamicSecretProviders,
+  dynamicSecretDAL,
+  folderDAL,
+  permissionService,
+  dynamicSecretQueueService,
+  projectDAL,
+  licenseService
+}: TDynamicSecretLeaseServiceFactoryDep) => {
+  const create = async ({
+    environmentSlug,
+    path,
+    name,
+    projectSlug,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    ttl
+  }: TCreateDynamicSecretLeaseDTO) => {
+    const appCfg = getConfig();
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan?.dynamicSecret) {
+      throw new BadRequestError({
+        message: "Failed to create lease due to plan restriction. Upgrade plan to create dynamic secret."
+      });
+    }
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
+    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+
+    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
+    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
+      throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
+
+    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+    const decryptedStoredInput = JSON.parse(
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
+    ) as object;
+
+    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
+    const { maxTTL } = dynamicSecretCfg;
+    const expireAt = new Date(new Date().getTime() + ms(selectedTTL));
+    if (maxTTL) {
+      const maxExpiryDate = new Date(new Date().getTime() + ms(maxTTL));
+      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max TTL" });
+    }
+
+    const { entityId, data } = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
+    const dynamicSecretLease = await dynamicSecretLeaseDAL.create({
+      expireAt,
+      version: 1,
+      dynamicSecretId: dynamicSecretCfg.id,
+      externalEntityId: entityId
+    });
+    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
+    return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
+  };
+
+  const renewLease = async ({
+    ttl,
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    path,
+    environmentSlug,
+    leaseId
+  }: TRenewDynamicSecretLeaseDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan?.dynamicSecret) {
+      throw new BadRequestError({
+        message: "Failed to renew lease due to plan restriction. Upgrade plan to create dynamic secret."
+      });
+    }
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
+    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+
+    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
+    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+    const decryptedStoredInput = JSON.parse(
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
+    ) as object;
+
+    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
+    const { maxTTL } = dynamicSecretCfg;
+    const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
+    if (maxTTL) {
+      const maxExpiryDate = new Date(dynamicSecretLease.createdAt.getTime() + ms(maxTTL));
+      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max ttl" });
+    }
+
+    const { entityId } = await selectedProvider.renew(
+      decryptedStoredInput,
+      dynamicSecretLease.externalEntityId,
+      expireAt.getTime()
+    );
+
+    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
+    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
+    const updatedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
+      expireAt,
+      externalEntityId: entityId
+    });
+    return updatedDynamicSecretLease;
+  };
+
+  const revokeLease = async ({
+    leaseId,
+    environmentSlug,
+    path,
+    projectSlug,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    isForced
+  }: TDeleteDynamicSecretLeaseDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Delete,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
+    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+
+    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
+    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+    const decryptedStoredInput = JSON.parse(
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
+    ) as object;
+
+    const revokeResponse = await selectedProvider
+      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId)
+      .catch(async (err) => {
+        // only propogate this error if forced is false
+        if (!isForced) return { error: err as Error };
+      });
+
+    if ((revokeResponse as { error?: Error })?.error) {
+      const { error } = revokeResponse as { error?: Error };
+      logger.error("Failed to revoke lease", { error: error?.message });
+      const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
+        status: DynamicSecretLeaseStatus.FailedDeletion,
+        statusDetails: error?.message?.slice(0, 255)
+      });
+      return deletedDynamicSecretLease;
+    }
+
+    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
+    const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
+    return deletedDynamicSecretLease;
+  };
+
+  const listLeases = async ({
+    path,
+    name,
+    actor,
+    actorId,
+    projectSlug,
+    actorOrgId,
+    environmentSlug,
+    actorAuthMethod
+  }: TListDynamicSecretLeasesDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
+    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+
+    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
+    return dynamicSecretLeases;
+  };
+
+  const getLeaseDetails = async ({
+    projectSlug,
+    actorOrgId,
+    path,
+    environmentSlug,
+    actor,
+    actorId,
+    leaseId,
+    actorAuthMethod
+  }: TDetailsDynamicSecretLeaseDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
+    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+
+    return dynamicSecretLease;
+  };
+
+  return {
+    create,
+    listLeases,
+    revokeLease,
+    renewLease,
+    getLeaseDetails
+  };
+};
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts
@ -0,0 +1,43 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export enum DynamicSecretLeaseStatus {
+  FailedDeletion = "Failed to delete"
+}
+
+export type TCreateDynamicSecretLeaseDTO = {
+  name: string;
+  path: string;
+  environmentSlug: string;
+  ttl?: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDetailsDynamicSecretLeaseDTO = {
+  leaseId: string;
+  path: string;
+  environmentSlug: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretLeasesDTO = {
+  name: string;
+  path: string;
+  environmentSlug: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteDynamicSecretLeaseDTO = {
+  leaseId: string;
+  path: string;
+  environmentSlug: string;
+  projectSlug: string;
+  isForced?: boolean;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TRenewDynamicSecretLeaseDTO = {
+  leaseId: string;
+  path: string;
+  environmentSlug: string;
+  ttl?: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;
+
+export const dynamicSecretDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.DynamicSecret);
+  return orm;
+};
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -0,0 +1,341 @@
+import { ForbiddenError, subject } from "@casl/ability";
+
+import { SecretKeyEncoding } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { BadRequestError } from "@app/lib/errors";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+
+import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
+import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
+import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
+import {
+  DynamicSecretStatus,
+  TCreateDynamicSecretDTO,
+  TDeleteDynamicSecretDTO,
+  TDetailsDynamicSecretDTO,
+  TListDynamicSecretsDTO,
+  TUpdateDynamicSecretDTO
+} from "./dynamic-secret-types";
+import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";
+
+type TDynamicSecretServiceFactoryDep = {
+  dynamicSecretDAL: TDynamicSecretDALFactory;
+  dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "find">;
+  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
+  dynamicSecretQueueService: Pick<
+    TDynamicSecretLeaseQueueServiceFactory,
+    "pruneDynamicSecret" | "unsetLeaseRevocation"
+  >;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+};
+
+export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
+
+export const dynamicSecretServiceFactory = ({
+  dynamicSecretDAL,
+  dynamicSecretLeaseDAL,
+  licenseService,
+  folderDAL,
+  dynamicSecretProviders,
+  permissionService,
+  dynamicSecretQueueService,
+  projectDAL
+}: TDynamicSecretServiceFactoryDep) => {
+  const create = async ({
+    path,
+    actor,
+    name,
+    actorId,
+    maxTTL,
+    provider,
+    environmentSlug,
+    projectSlug,
+    actorOrgId,
+    defaultTTL,
+    actorAuthMethod
+  }: TCreateDynamicSecretDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan?.dynamicSecret) {
+      throw new BadRequestError({
+        message: "Failed to create dynamic secret due to plan restriction. Upgrade plan to create dynamic secret."
+      });
+    }
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
+    if (existingDynamicSecret)
+      throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
+
+    const selectedProvider = dynamicSecretProviders[provider.type];
+    const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
+
+    const isConnected = await selectedProvider.validateConnection(provider.inputs);
+    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
+
+    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(inputs));
+    const dynamicSecretCfg = await dynamicSecretDAL.create({
+      type: provider.type,
+      version: 1,
+      inputIV: encryptedInput.iv,
+      inputTag: encryptedInput.tag,
+      inputCiphertext: encryptedInput.ciphertext,
+      algorithm: encryptedInput.algorithm,
+      keyEncoding: encryptedInput.encoding,
+      maxTTL,
+      defaultTTL,
+      folderId: folder.id,
+      name
+    });
+    return dynamicSecretCfg;
+  };
+
+  const updateByName = async ({
+    name,
+    maxTTL,
+    defaultTTL,
+    inputs,
+    environmentSlug,
+    projectSlug,
+    path,
+    actor,
+    actorId,
+    newName,
+    actorOrgId,
+    actorAuthMethod
+  }: TUpdateDynamicSecretDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan?.dynamicSecret) {
+      throw new BadRequestError({
+        message: "Failed to update dynamic secret due to plan restriction. Upgrade plan to create dynamic secret."
+      });
+    }
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
+    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+
+    if (newName) {
+      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
+      if (existingDynamicSecret)
+        throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
+    }
+
+    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+    const decryptedStoredInput = JSON.parse(
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
+    ) as object;
+    const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
+    const updatedInput = await selectedProvider.validateProviderInputs(newInput);
+
+    const isConnected = await selectedProvider.validateConnection(newInput);
+    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
+
+    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(updatedInput));
+    const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
+      inputIV: encryptedInput.iv,
+      inputTag: encryptedInput.tag,
+      inputCiphertext: encryptedInput.ciphertext,
+      algorithm: encryptedInput.algorithm,
+      keyEncoding: encryptedInput.encoding,
+      maxTTL,
+      defaultTTL,
+      name: newName ?? name,
+      status: null,
+      statusDetails: null
+    });
+
+    return updatedDynamicCfg;
+  };
+
+  const deleteByName = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    name,
+    path,
+    environmentSlug,
+    isForced
+  }: TDeleteDynamicSecretDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
+    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+
+    const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
+    // when not forced we check with the external system to first remove the things
+    // we introduce a forced concept because consider the external lease got deleted by some other external like a human or another system
+    // this allows user to clean up it from infisical
+    if (isForced) {
+      // clear all queues for lease revocations
+      await Promise.all(leases.map(({ id: leaseId }) => dynamicSecretQueueService.unsetLeaseRevocation(leaseId)));
+
+      const deletedDynamicSecretCfg = await dynamicSecretDAL.deleteById(dynamicSecretCfg.id);
+      return deletedDynamicSecretCfg;
+    }
+    // if leases exist we should flag it as deleting and then remove leases in background
+    // then delete the main one
+    if (leases.length) {
+      const updatedDynamicSecretCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
+        status: DynamicSecretStatus.Deleting
+      });
+      await dynamicSecretQueueService.pruneDynamicSecret(updatedDynamicSecretCfg.id);
+      return updatedDynamicSecretCfg;
+    }
+    // if no leases just delete the config
+    const deletedDynamicSecretCfg = await dynamicSecretDAL.deleteById(dynamicSecretCfg.id);
+    return deletedDynamicSecretCfg;
+  };
+
+  const getDetails = async ({
+    name,
+    projectSlug,
+    path,
+    environmentSlug,
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor
+  }: TDetailsDynamicSecretDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
+    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    const decryptedStoredInput = JSON.parse(
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
+    ) as object;
+    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
+    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
+    return { ...dynamicSecretCfg, inputs: providerInputs };
+  };
+
+  const list = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    path,
+    environmentSlug
+  }: TListDynamicSecretsDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const projectId = project.id;
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
+    return dynamicSecretCfg;
+  };
+
+  return {
+    create,
+    updateByName,
+    deleteByName,
+    getDetails,
+    list
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
@ -0,0 +1,54 @@
+import { z } from "zod";
+
+import { TProjectPermission } from "@app/lib/types";
+
+import { DynamicSecretProviderSchema } from "./providers/models";
+
+// various status for dynamic secret that happens in background
+export enum DynamicSecretStatus {
+  Deleting = "Revocation in process",
+  FailedDeletion = "Failed to delete"
+}
+
+type TProvider = z.infer<typeof DynamicSecretProviderSchema>;
+export type TCreateDynamicSecretDTO = {
+  provider: TProvider;
+  defaultTTL: string;
+  maxTTL?: string | null;
+  path: string;
+  environmentSlug: string;
+  name: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateDynamicSecretDTO = {
+  name: string;
+  newName?: string;
+  defaultTTL?: string;
+  maxTTL?: string | null;
+  path: string;
+  environmentSlug: string;
+  inputs?: TProvider["inputs"];
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteDynamicSecretDTO = {
+  name: string;
+  path: string;
+  environmentSlug: string;
+  projectSlug: string;
+  isForced?: boolean;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDetailsDynamicSecretDTO = {
+  name: string;
+  path: string;
+  environmentSlug: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsDTO = {
+  path: string;
+  environmentSlug: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@ -0,0 +1,6 @@
+import { DynamicSecretProviders } from "./models";
+import { SqlDatabaseProvider } from "./sql-database";
+
+export const buildDynamicSecretProviders = () => ({
+  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider()
+});
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@ -0,0 +1,34 @@
+import { z } from "zod";
+
+export enum SqlProviders {
+  Postgres = "postgres"
+}
+
+export const DynamicSecretSqlDBSchema = z.object({
+  client: z.nativeEnum(SqlProviders),
+  host: z.string().toLowerCase(),
+  port: z.number(),
+  database: z.string(),
+  username: z.string(),
+  password: z.string(),
+  creationStatement: z.string(),
+  revocationStatement: z.string(),
+  renewStatement: z.string(),
+  ca: z.string().optional()
+});
+
+export enum DynamicSecretProviders {
+  SqlDatabase = "sql-database"
+}
+
+export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
+  z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema })
+]);
+
+export type TDynamicProviderFns = {
+  create: (inputs: unknown, expireAt: number) => Promise<{ entityId: string; data: unknown }>;
+  validateConnection: (inputs: unknown) => Promise<boolean>;
+  validateProviderInputs: (inputs: object) => Promise<unknown>;
+  revoke: (inputs: unknown, entityId: string) => Promise<{ entityId: string }>;
+  renew: (inputs: unknown, entityId: string, expireAt: number) => Promise<{ entityId: string }>;
+};
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@ -0,0 +1,123 @@
+import handlebars from "handlebars";
+import knex from "knex";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { getDbConnectionHost } from "@app/lib/knex";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretSqlDBSchema, TDynamicProviderFns } from "./models";
+
+const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
+
+const generatePassword = (size?: number) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 48)(size);
+};
+
+export const SqlDatabaseProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const appCfg = getConfig();
+    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
+
+    const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
+    if (
+      // localhost
+      providerInputs.host === "localhost" ||
+      providerInputs.host === "127.0.0.1" ||
+      // database infisical uses
+      dbHost === providerInputs.host ||
+      // internal ips
+      providerInputs.host === "host.docker.internal" ||
+      providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
+      providerInputs.host.match(/^192\.168\.\d+\.\d+/)
+    )
+      throw new BadRequestError({ message: "Invalid db host" });
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
+    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
+    const db = knex({
+      client: providerInputs.client,
+      connection: {
+        database: providerInputs.database,
+        port: providerInputs.port,
+        host: providerInputs.host,
+        user: providerInputs.username,
+        password: providerInputs.password,
+        connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
+        ssl,
+        pool: { min: 0, max: 1 }
+      }
+    });
+    return db;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const db = await getClient(providerInputs);
+    const isConnected = await db
+      .raw("SELECT NOW()")
+      .then(() => true)
+      .catch(() => false);
+    await db.destroy();
+    return isConnected;
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const db = await getClient(providerInputs);
+
+    const username = alphaNumericNanoId(32);
+    const password = generatePassword();
+    const expiration = new Date(expireAt).toISOString();
+
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password,
+      expiration
+    });
+
+    await db.raw(creationStatement.toString());
+    await db.destroy();
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const db = await getClient(providerInputs);
+
+    const username = entityId;
+
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
+    await db.raw(revokeStatement);
+
+    await db.destroy();
+    return { entityId: username };
+  };
+
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const db = await getClient(providerInputs);
+
+    const username = entityId;
+    const expiration = new Date(expireAt).toISOString();
+
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
+    await db.raw(renewStatement);
+
+    await db.destroy();
+    return { entityId: username };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal.ts
@ -0,0 +1,12 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityProjectAdditionalPrivilegeDALFactory = ReturnType<
+  typeof identityProjectAdditionalPrivilegeDALFactory
+>;
+
+export const identityProjectAdditionalPrivilegeDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.IdentityProjectAdditionalPrivilege);
+  return orm;
+};
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -0,0 +1,297 @@
+import { ForbiddenError } from "@casl/ability";
+import ms from "ms";
+
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
+import {
+  IdentityProjectAdditionalPrivilegeTemporaryMode,
+  TCreateIdentityPrivilegeDTO,
+  TDeleteIdentityPrivilegeDTO,
+  TGetIdentityPrivilegeDetailsDTO,
+  TListIdentityPrivilegesDTO,
+  TUpdateIdentityPrivilegeDTO
+} from "./identity-project-additional-privilege-types";
+
+type TIdentityProjectAdditionalPrivilegeServiceFactoryDep = {
+  identityProjectAdditionalPrivilegeDAL: TIdentityProjectAdditionalPrivilegeDALFactory;
+  identityProjectDAL: Pick<TIdentityProjectDALFactory, "findOne" | "findById">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+};
+
+export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
+  typeof identityProjectAdditionalPrivilegeServiceFactory
+>;
+
+export const identityProjectAdditionalPrivilegeServiceFactory = ({
+  identityProjectAdditionalPrivilegeDAL,
+  identityProjectDAL,
+  permissionService,
+  projectDAL
+}: TIdentityProjectAdditionalPrivilegeServiceFactoryDep) => {
+  const create = async ({
+    slug,
+    actor,
+    actorId,
+    identityId,
+    projectSlug,
+    permissions: customPermission,
+    actorOrgId,
+    actorAuthMethod,
+    ...dto
+  }: TCreateIdentityPrivilegeDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+    const projectId = project.id;
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+
+    const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
+      slug,
+      projectMembershipId: identityProjectMembership.id
+    });
+    if (existingSlug) throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
+
+    if (!dto.isTemporary) {
+      const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
+        projectMembershipId: identityProjectMembership.id,
+        slug,
+        permissions: customPermission
+      });
+      return additionalPrivilege;
+    }
+
+    const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
+    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
+      projectMembershipId: identityProjectMembership.id,
+      slug,
+      permissions: customPermission,
+      isTemporary: true,
+      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative,
+      temporaryRange: dto.temporaryRange,
+      temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
+      temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
+    });
+    return additionalPrivilege;
+  };
+
+  const updateBySlug = async ({
+    projectSlug,
+    slug,
+    identityId,
+    data,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TUpdateIdentityPrivilegeDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+    const projectId = project.id;
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
+      slug,
+      projectMembershipId: identityProjectMembership.id
+    });
+    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (data?.slug) {
+      const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
+        slug: data.slug,
+        projectMembershipId: identityProjectMembership.id
+      });
+      if (existingSlug && existingSlug.id !== identityPrivilege.id)
+        throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
+    }
+
+    const isTemporary = typeof data?.isTemporary !== "undefined" ? data.isTemporary : identityPrivilege.isTemporary;
+    if (isTemporary) {
+      const temporaryAccessStartTime = data?.temporaryAccessStartTime || identityPrivilege?.temporaryAccessStartTime;
+      const temporaryRange = data?.temporaryRange || identityPrivilege?.temporaryRange;
+      const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
+        ...data,
+        temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
+        temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
+      });
+      return additionalPrivilege;
+    }
+
+    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
+      ...data,
+      isTemporary: false,
+      temporaryAccessStartTime: null,
+      temporaryAccessEndTime: null,
+      temporaryRange: null,
+      temporaryMode: null
+    });
+    return additionalPrivilege;
+  };
+
+  const deleteBySlug = async ({
+    actorId,
+    slug,
+    identityId,
+    projectSlug,
+    actor,
+    actorOrgId,
+    actorAuthMethod
+  }: TDeleteIdentityPrivilegeDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+    const projectId = project.id;
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
+
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
+      slug,
+      projectMembershipId: identityProjectMembership.id
+    });
+    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+
+    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
+    return deletedPrivilege;
+  };
+
+  const getPrivilegeDetailsBySlug = async ({
+    projectSlug,
+    identityId,
+    slug,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TGetIdentityPrivilegeDetailsDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+    const projectId = project.id;
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
+      slug,
+      projectMembershipId: identityProjectMembership.id
+    });
+    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+
+    return identityPrivilege;
+  };
+
+  const listIdentityProjectPrivileges = async ({
+    identityId,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    projectSlug
+  }: TListIdentityPrivilegesDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+    const projectId = project.id;
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+
+    const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find({
+      projectMembershipId: identityProjectMembership.id
+    });
+    return identityPrivileges;
+  };
+
+  return {
+    create,
+    updateBySlug,
+    deleteBySlug,
+    getPrivilegeDetailsBySlug,
+    listIdentityProjectPrivileges
+  };
+};
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types.ts
@ -0,0 +1,54 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export enum IdentityProjectAdditionalPrivilegeTemporaryMode {
+  Relative = "relative"
+}
+
+export type TCreateIdentityPrivilegeDTO = {
+  permissions: unknown;
+  identityId: string;
+  projectSlug: string;
+  slug: string;
+} & (
+  | {
+      isTemporary: false;
+    }
+  | {
+      isTemporary: true;
+      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }
+) &
+  Omit<TProjectPermission, "projectId">;
+
+export type TUpdateIdentityPrivilegeDTO = { slug: string; identityId: string; projectSlug: string } & Omit<
+  TProjectPermission,
+  "projectId"
+> & {
+    data: Partial<{
+      permissions: unknown;
+      slug: string;
+      isTemporary: boolean;
+      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }>;
+  };
+
+export type TDeleteIdentityPrivilegeDTO = Omit<TProjectPermission, "projectId"> & {
+  slug: string;
+  identityId: string;
+  projectSlug: string;
+};
+
+export type TGetIdentityPrivilegeDetailsDTO = Omit<TProjectPermission, "projectId"> & {
+  slug: string;
+  identityId: string;
+  projectSlug: string;
+};
+
+export type TListIdentityPrivilegesDTO = Omit<TProjectPermission, "projectId"> & {
+  identityId: string;
+  projectSlug: string;
+};
--- a/backend/src/ee/services/license/licence-fns.ts
+++ b/backend/src/ee/services/license/licence-fns.ts
@ -15,6 +15,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  membersUsed: 0,
  environmentLimit: null,
  environmentsUsed: 0,
+  dynamicSecret: false,
  secretVersioning: true,
  pitRecovery: false,
  ipAllowlisting: false,
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -27,6 +27,7 @@ export type TFeatureSet = {
  tier: -1;
  workspaceLimit: null;
  workspacesUsed: 0;
+  dynamicSecret: false;
  memberLimit: null;
  membersUsed: 0;
  environmentLimit: null;
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -56,6 +56,11 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.ProjectUserMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
+        .leftJoin(
+          TableName.ProjectUserAdditionalPrivilege,
+          `${TableName.ProjectUserAdditionalPrivilege}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
        .where("userId", userId)
@ -69,9 +74,22 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
-        )
-        .select("permissions");
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles),
+          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApId"),
+          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApPermissions"),
+          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
+          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApIsTemporary"),
+          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userApTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userApTemporaryAccessEndTime")
+        );

      const permission = sqlNestRelationships({
        data: docs,
@ -102,15 +120,44 @@ export const permissionDALFactory = (db: TDbClient) => {
                permissions: z.unknown(),
                customRoleSlug: z.string().optional().nullable()
              }).parse(data)
+          },
+          {
+            key: "userApId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              userApId,
+              userApPermissions,
+              userApIsTemporary,
+              userApTemporaryMode,
+              userApTemporaryRange,
+              userApTemporaryAccessEndTime,
+              userApTemporaryAccessStartTime
+            }) => ({
+              id: userApId,
+              permissions: userApPermissions,
+              temporaryRange: userApTemporaryRange,
+              temporaryMode: userApTemporaryMode,
+              temporaryAccessEndTime: userApTemporaryAccessEndTime,
+              temporaryAccessStartTime: userApTemporaryAccessStartTime,
+              isTemporary: userApIsTemporary
+            })
          }
        ]
      });
+
+      if (!permission?.[0]) return undefined;
      // when introducting cron mode change it here
-      const activeRoles = permission?.[0]?.roles.filter(
+      const activeRoles = permission?.[0]?.roles?.filter(
        ({ isTemporary, temporaryAccessEndTime }) =>
          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
      );
-      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
+
+      const activeAdditionalPrivileges = permission?.[0]?.additionalPrivileges?.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
+
+      return { ...permission[0], roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectPermission" });
    }
@ -129,6 +176,11 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
+        .leftJoin(
+          TableName.IdentityProjectAdditionalPrivilege,
+          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
        .join(
          // Join the Project table to later select orgId
          TableName.Project,
@ -144,9 +196,28 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
-        )
-        .select("permissions");
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles),
+          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
+          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryMode"),
+          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessEndTime")
+        );

      const permission = sqlNestRelationships({
        data: docs,
@ -171,16 +242,44 @@ export const permissionDALFactory = (db: TDbClient) => {
                permissions: z.unknown(),
                customRoleSlug: z.string().optional().nullable()
              }).parse(data)
+          },
+          {
+            key: "identityApId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              identityApId,
+              identityApPermissions,
+              identityApIsTemporary,
+              identityApTemporaryMode,
+              identityApTemporaryRange,
+              identityApTemporaryAccessEndTime,
+              identityApTemporaryAccessStartTime
+            }) => ({
+              id: identityApId,
+              permissions: identityApPermissions,
+              temporaryRange: identityApTemporaryRange,
+              temporaryMode: identityApTemporaryMode,
+              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
+              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
+              isTemporary: identityApIsTemporary
+            })
          }
        ]
      });

+      if (!permission?.[0]) return undefined;
+
      // when introducting cron mode change it here
      const activeRoles = permission?.[0]?.roles.filter(
        ({ isTemporary, temporaryAccessEndTime }) =>
          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
      );
-      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
+      const activeAdditionalPrivileges = permission?.[0]?.additionalPrivileges?.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
+
+      return { ...permission[0], roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectIdentityPermission" });
    }
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@ -5,9 +5,13 @@ import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
  if (!actorAuthMethod) return false;

-  return [AuthMethod.AZURE_SAML, AuthMethod.OKTA_SAML, AuthMethod.JUMPCLOUD_SAML, AuthMethod.GOOGLE_SAML].includes(
-    actorAuthMethod
-  );
+  return [
+    AuthMethod.AZURE_SAML,
+    AuthMethod.OKTA_SAML,
+    AuthMethod.JUMPCLOUD_SAML,
+    AuthMethod.GOOGLE_SAML,
+    AuthMethod.KEYCLOAK_SAML
+  ].includes(actorAuthMethod);
 }

 function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrganizations["authEnforced"]) {
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -180,10 +180,12 @@ export const permissionServiceFactory = ({
    authMethod: ActorAuthMethod,
    userOrgId?: string
  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
-    const membership = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!membership) throw new UnauthorizedError({ name: "User not in project" });
+    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
+    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });

-    if (membership.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)) {
+    if (
+      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
+    ) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }

@ -192,17 +194,27 @@ export const permissionServiceFactory = ({

    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
-    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
+    if (userOrgId !== "API_KEY" && userProjectPermission.orgId !== userOrgId) {
      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }

-    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+    validateOrgSAML(authMethod, userProjectPermission.orgAuthEnforced);
+
+    // join two permissions and pass to build the final permission set
+    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+    const additionalPrivileges =
+      userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+        role: ProjectMembershipRole.Custom,
+        permissions
+      })) || [];

    return {
-      permission: buildProjectPermission(membership.roles),
-      membership,
+      permission: buildProjectPermission(rolePermissions.concat(additionalPrivileges)),
+      membership: userProjectPermission,
      hasRole: (role: string) =>
-        membership.roles.findIndex(({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug) !== -1
+        userProjectPermission.roles.findIndex(
+          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
+        ) !== -1
    };
  };

@ -226,8 +238,16 @@ export const permissionServiceFactory = ({
      throw new UnauthorizedError({ name: "You are not a member of this organization" });
    }

+    const rolePermissions =
+      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+    const additionalPrivileges =
+      identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+        role: ProjectMembershipRole.Custom,
+        permissions
+      })) || [];
+
    return {
-      permission: buildProjectPermission(identityProjectPermission.roles),
+      permission: buildProjectPermission(rolePermissions.concat(additionalPrivileges)),
      membership: identityProjectPermission,
      hasRole: (role: string) =>
        identityProjectPermission.roles.findIndex(
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal.ts
@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TProjectUserAdditionalPrivilegeDALFactory = ReturnType<typeof projectUserAdditionalPrivilegeDALFactory>;
+
+export const projectUserAdditionalPrivilegeDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.ProjectUserAdditionalPrivilege);
+  return orm;
+};
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@ -0,0 +1,212 @@
+import { ForbiddenError } from "@casl/ability";
+import ms from "ms";
+
+import { BadRequestError } from "@app/lib/errors";
+import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
+import {
+  ProjectUserAdditionalPrivilegeTemporaryMode,
+  TCreateUserPrivilegeDTO,
+  TDeleteUserPrivilegeDTO,
+  TGetUserPrivilegeDetailsDTO,
+  TListUserPrivilegesDTO,
+  TUpdateUserPrivilegeDTO
+} from "./project-user-additional-privilege-types";
+
+type TProjectUserAdditionalPrivilegeServiceFactoryDep = {
+  projectUserAdditionalPrivilegeDAL: TProjectUserAdditionalPrivilegeDALFactory;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+};
+
+export type TProjectUserAdditionalPrivilegeServiceFactory = ReturnType<
+  typeof projectUserAdditionalPrivilegeServiceFactory
+>;
+
+export const projectUserAdditionalPrivilegeServiceFactory = ({
+  projectUserAdditionalPrivilegeDAL,
+  projectMembershipDAL,
+  permissionService
+}: TProjectUserAdditionalPrivilegeServiceFactoryDep) => {
+  const create = async ({
+    slug,
+    actor,
+    actorId,
+    permissions: customPermission,
+    actorOrgId,
+    actorAuthMethod,
+    projectMembershipId,
+    ...dto
+  }: TCreateUserPrivilegeDTO) => {
+    const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
+    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
+
+    const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({ slug, projectMembershipId });
+    if (existingSlug) throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
+
+    if (!dto.isTemporary) {
+      const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.create({
+        projectMembershipId,
+        slug,
+        permissions: customPermission
+      });
+      return additionalPrivilege;
+    }
+
+    const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
+    const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.create({
+      projectMembershipId,
+      slug,
+      permissions: customPermission,
+      isTemporary: true,
+      temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
+      temporaryRange: dto.temporaryRange,
+      temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
+      temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
+    });
+    return additionalPrivilege;
+  };
+
+  const updateById = async ({
+    privilegeId,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    ...dto
+  }: TUpdateUserPrivilegeDTO) => {
+    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
+    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+
+    const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
+    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
+
+    if (dto?.slug) {
+      const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
+        slug: dto.slug,
+        projectMembershipId: projectMembership.id
+      });
+      if (existingSlug && existingSlug.id !== userPrivilege.id)
+        throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
+    }
+
+    const isTemporary = typeof dto?.isTemporary !== "undefined" ? dto.isTemporary : userPrivilege.isTemporary;
+    if (isTemporary) {
+      const temporaryAccessStartTime = dto?.temporaryAccessStartTime || userPrivilege?.temporaryAccessStartTime;
+      const temporaryRange = dto?.temporaryRange || userPrivilege?.temporaryRange;
+      const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.updateById(userPrivilege.id, {
+        ...dto,
+        temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
+        temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
+      });
+      return additionalPrivilege;
+    }
+
+    const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.updateById(userPrivilege.id, {
+      ...dto,
+      isTemporary: false,
+      temporaryAccessStartTime: null,
+      temporaryAccessEndTime: null,
+      temporaryRange: null,
+      temporaryMode: null
+    });
+    return additionalPrivilege;
+  };
+
+  const deleteById = async ({ actorId, actor, actorOrgId, actorAuthMethod, privilegeId }: TDeleteUserPrivilegeDTO) => {
+    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
+    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+
+    const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
+    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
+
+    const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
+    return deletedPrivilege;
+  };
+
+  const getPrivilegeDetailsById = async ({
+    privilegeId,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TGetUserPrivilegeDetailsDTO) => {
+    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
+    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+
+    const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
+    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+
+    return userPrivilege;
+  };
+
+  const listPrivileges = async ({
+    projectMembershipId,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TListUserPrivilegesDTO) => {
+    const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
+    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+
+    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find({ projectMembershipId });
+    return userPrivileges;
+  };
+
+  return {
+    create,
+    updateById,
+    deleteById,
+    getPrivilegeDetailsById,
+    listPrivileges
+  };
+};
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-types.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-types.ts
@ -0,0 +1,40 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export enum ProjectUserAdditionalPrivilegeTemporaryMode {
+  Relative = "relative"
+}
+
+export type TCreateUserPrivilegeDTO = (
+  | {
+      permissions: unknown;
+      projectMembershipId: string;
+      slug: string;
+      isTemporary: false;
+    }
+  | {
+      permissions: unknown;
+      projectMembershipId: string;
+      slug: string;
+      isTemporary: true;
+      temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }
+) &
+  Omit<TProjectPermission, "projectId">;
+
+export type TUpdateUserPrivilegeDTO = { privilegeId: string } & Omit<TProjectPermission, "projectId"> &
+  Partial<{
+    permissions: unknown;
+    slug: string;
+    isTemporary: boolean;
+    temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative;
+    temporaryRange: string;
+    temporaryAccessStartTime: string;
+  }>;
+
+export type TDeleteUserPrivilegeDTO = Omit<TProjectPermission, "projectId"> & { privilegeId: string };
+
+export type TGetUserPrivilegeDetailsDTO = Omit<TProjectPermission, "projectId"> & { privilegeId: string };
+
+export type TListUserPrivilegesDTO = Omit<TProjectPermission, "projectId"> & { projectMembershipId: string };
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -319,6 +319,11 @@ export const samlConfigServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) throw new BadRequestError({ message: "Org not found" });

+    // TODO(dangtony98): remove this after aliases update
+    if (authProvider === AuthMethod.KEYCLOAK_SAML && appCfg.LICENSE_SERVER_KEY) {
+      throw new BadRequestError({ message: "Keycloak SAML is not yet available on Infisical Cloud" });
+    }
+
    if (user) {
      await userDAL.transaction(async (tx) => {
        const [orgMembership] = await orgDAL.findMembership(
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -5,7 +5,8 @@ export enum SamlProviders {
  OKTA_SAML = "okta-saml",
  AZURE_SAML = "azure-saml",
  JUMPCLOUD_SAML = "jumpcloud-saml",
-  GOOGLE_SAML = "google-saml"
+  GOOGLE_SAML = "google-saml",
+  KEYCLOAK_SAML = "keycloak-saml"
 }

 export type TCreateSamlCfgDTO = {
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
@ -9,6 +9,7 @@ import jmespath from "jmespath";
 import knex from "knex";

 import { getConfig } from "@app/lib/config/env";
+import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
@ -89,7 +90,17 @@ export const secretRotationDbFn = async ({
  const appCfg = getConfig();

  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  if (host === "localhost" || host === "127.0.0.1" || appCfg.DB_CONNECTION_URI.includes(host))
+  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
+  if (
+    host === "localhost" ||
+    host === "127.0.0.1" ||
+    // database infisical uses
+    dbHost === host ||
+    // internal ips
+    host === "host.docker.internal" ||
+    host.match(/^10\.\d+\.\d+\.\d+/) ||
+    host.match(/^192\.168\.\d+\.\d+/)
+  )
    throw new Error("Invalid db host");

  const db = knex({
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -194,8 +194,28 @@ export const FOLDERS = {
  }
 } as const;

+export const SECRETS = {
+  ATTACH_TAGS: {
+    secretName: "The name of the secret to attach tags to.",
+    secretPath: "The path of the secret to attach tags to.",
+    type: "The type of the secret to attach tags to. (shared/personal)",
+    environment: "The slug of the environment where the secret is located",
+    projectSlug: "The slug of the project where the secret is located",
+    tagSlugs: "An array of existing tag slugs to attach to the secret."
+  },
+  DETACH_TAGS: {
+    secretName: "The name of the secret to detach tags from.",
+    secretPath: "The path of the secret to detach tags from.",
+    type: "The type of the secret to attach tags to. (shared/personal)",
+    environment: "The slug of the environment where the secret is located",
+    projectSlug: "The slug of the project where the secret is located",
+    tagSlugs: "An array of existing tag slugs to detach from the secret."
+  }
+} as const;
+
 export const RAW_SECRETS = {
  LIST: {
+    recursive: "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories.",
    workspaceId: "The ID of the project to list secrets from.",
    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
    environment: "The slug of the environment to list secrets from.",
@ -285,3 +305,251 @@ export const AUDIT_LOGS = {
    actor: "The actor to filter the audit logs by."
  }
 } as const;
+
+export const DYNAMIC_SECRETS = {
+  LIST: {
+    projectSlug: "The slug of the project to create dynamic secret in.",
+    environmentSlug: "The slug of the environment to list folders from.",
+    path: "The path to list folders from."
+  },
+  LIST_LEAES_BY_NAME: {
+    projectSlug: "The slug of the project to create dynamic secret in.",
+    environmentSlug: "The slug of the environment to list folders from.",
+    path: "The path to list folders from.",
+    name: "The name of the dynamic secret."
+  },
+  GET_BY_NAME: {
+    projectSlug: "The slug of the project to create dynamic secret in.",
+    environmentSlug: "The slug of the environment to list folders from.",
+    path: "The path to list folders from.",
+    name: "The name of the dynamic secret."
+  },
+  CREATE: {
+    projectSlug: "The slug of the project to create dynamic secret in.",
+    environmentSlug: "The slug of the environment to create the dynamic secret in.",
+    path: "The path to create the dynamic secret in.",
+    name: "The name of the dynamic secret.",
+    provider: "The type of dynamic secret.",
+    defaultTTL: "The default TTL that will be applied for all the leases.",
+    maxTTL: "The maximum limit a TTL can be leases or renewed."
+  },
+  UPDATE: {
+    projectSlug: "The slug of the project to update dynamic secret in.",
+    environmentSlug: "The slug of the environment to update the dynamic secret in.",
+    path: "The path to update the dynamic secret in.",
+    name: "The name of the dynamic secret.",
+    inputs: "The new partial values for the configurated provider of the dynamic secret",
+    defaultTTL: "The default TTL that will be applied for all the leases.",
+    maxTTL: "The maximum limit a TTL can be leases or renewed.",
+    newName: "The new name for the dynamic secret."
+  },
+  DELETE: {
+    projectSlug: "The slug of the project to delete dynamic secret in.",
+    environmentSlug: "The slug of the environment to delete the dynamic secret in.",
+    path: "The path to delete the dynamic secret in.",
+    name: "The name of the dynamic secret.",
+    isForced:
+      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
+  }
+} as const;
+
+export const DYNAMIC_SECRET_LEASES = {
+  GET_BY_LEASEID: {
+    projectSlug: "The slug of the project to create dynamic secret in.",
+    environmentSlug: "The slug of the environment to list folders from.",
+    path: "The path to list folders from.",
+    leaseId: "The ID of the dynamic secret lease."
+  },
+  CREATE: {
+    projectSlug: "The slug of the project of the dynamic secret in.",
+    environmentSlug: "The slug of the environment of the dynamic secret in.",
+    path: "The path of the dynamic secret in.",
+    dynamicSecretName: "The name of the dynamic secret.",
+    ttl: "The lease lifetime ttl. If not provided the default TTL of dynamic secret will be used."
+  },
+  RENEW: {
+    projectSlug: "The slug of the project of the dynamic secret in.",
+    environmentSlug: "The slug of the environment of the dynamic secret in.",
+    path: "The path of the dynamic secret in.",
+    leaseId: "The ID of the dynamic secret lease.",
+    ttl: "The renew TTL that gets added with current expiry (ensure it's below max TTL) for a total less than creation time + max TTL."
+  },
+  DELETE: {
+    projectSlug: "The slug of the project of the dynamic secret in.",
+    environmentSlug: "The slug of the environment of the dynamic secret in.",
+    path: "The path of the dynamic secret in.",
+    leaseId: "The ID of the dynamic secret lease.",
+    isForced:
+      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
+  }
+} as const;
+export const SECRET_TAGS = {
+  LIST: {
+    projectId: "The ID of the project to list tags from."
+  },
+  CREATE: {
+    projectId: "The ID of the project to create the tag in.",
+    name: "The name of the tag to create.",
+    slug: "The slug of the tag to create.",
+    color: "The color of the tag to create."
+  },
+  DELETE: {
+    tagId: "The ID of the tag to delete.",
+    projectId: "The ID of the project to delete the tag from."
+  }
+} as const;
+
+export const IDENTITY_ADDITIONAL_PRIVILEGE = {
+  CREATE: {
+    projectSlug: "The slug of the project of the identity in.",
+    identityId: "The ID of the identity to delete.",
+    slug: "The slug of the privilege to create.",
+    permissions: `The permission object for the privilege.
+1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
+2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
+2. [["read", "secrets", {environment: "dev"}]]
+`,
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
+    isTemporary: "Whether the privilege is temporary.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
+    temporaryAccessStartTime: "ISO time for which temporary access should begin."
+  },
+  UPDATE: {
+    projectSlug: "The slug of the project of the identity in.",
+    identityId: "The ID of the identity to update.",
+    slug: "The slug of the privilege to update.",
+    newSlug: "The new slug of the privilege to update.",
+    permissions: `The permission object for the privilege.
+1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
+2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
+2. [["read", "secrets", {environment: "dev"}]]
+`,
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
+    isTemporary: "Whether the privilege is temporary.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
+    temporaryAccessStartTime: "ISO time for which temporary access should begin."
+  },
+  DELETE: {
+    projectSlug: "The slug of the project of the identity in.",
+    identityId: "The ID of the identity to delete.",
+    slug: "The slug of the privilege to delete."
+  },
+  GET_BY_SLUG: {
+    projectSlug: "The slug of the project of the identity in.",
+    identityId: "The ID of the identity to list.",
+    slug: "The slug of the privilege."
+  },
+  LIST: {
+    projectSlug: "The slug of the project of the identity in.",
+    identityId: "The ID of the identity to list.",
+    unpacked: "Whether the system should send the permissions as unpacked"
+  }
+};
+
+export const PROJECT_USER_ADDITIONAL_PRIVILEGE = {
+  CREATE: {
+    projectMembershipId: "Project membership id of user",
+    slug: "The slug of the privilege to create.",
+    permissions:
+      "The permission object for the privilege. Refer https://casl.js.org/v6/en/guide/define-rules#the-shape-of-raw-rule to understand the shape",
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
+    isTemporary: "Whether the privilege is temporary.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
+    temporaryAccessStartTime: "ISO time for which temporary access should begin."
+  },
+  UPDATE: {
+    privilegeId: "The id of privilege object",
+    slug: "The slug of the privilege to create.",
+    newSlug: "The new slug of the privilege to create.",
+    permissions:
+      "The permission object for the privilege. Refer https://casl.js.org/v6/en/guide/define-rules#the-shape-of-raw-rule to understand the shape",
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
+    isTemporary: "Whether the privilege is temporary.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
+    temporaryAccessStartTime: "ISO time for which temporary access should begin."
+  },
+  DELETE: {
+    privilegeId: "The id of privilege object"
+  },
+  GET_BY_PRIVILEGEID: {
+    privilegeId: "The id of privilege object"
+  },
+  LIST: {
+    projectMembershipId: "Project membership id of user"
+  }
+};
+
+export const INTEGRATION_AUTH = {
+  GET: {
+    integrationAuthId: "The id of integration authentication object."
+  },
+  DELETE: {
+    integration: "The slug of the integration to be unauthorized.",
+    projectId: "The ID of the project to delete the integration auth from."
+  },
+  DELETE_BY_ID: {
+    integrationAuthId: "The id of integration authentication object to delete."
+  },
+  CREATE_ACCESS_TOKEN: {
+    workspaceId: "The ID of the project to create the integration auth for.",
+    integration: "The slug of integration for the auth object.",
+    accessId: "The unique authorized access id of the external integration provider.",
+    accessToken: "The unique authorized access token of the external integration provider.",
+    url: "",
+    namespace: "",
+    refreshToken: "The refresh token for integration authorization."
+  },
+  LIST_AUTHORIZATION: {
+    workspaceId: "The ID of the project to list integration auths for."
+  }
+};
+
+export const INTEGRATION = {
+  CREATE: {
+    integrationAuthId: "The ID of the integration auth object to link with integration.",
+    app: "The name of the external integration providers app entity that you want to sync secrets with. Used in Netlify, GitHub, Vercel integrations.",
+    isActive: "Whether the integration should be active or disabled.",
+    appId:
+      "The ID of the external integration providers app entity that you want to sync secrets with. Used in Netlify, GitHub, Vercel integrations.",
+    secretPath: "The path of the secrets to sync secrets from.",
+    sourceEnvironment: "The environment to sync secret from.",
+    targetEnvironment:
+      "The target environment of the integration provider. Used in cloudflare pages, TeamCity, Gitlab integrations.",
+    targetEnvironmentId:
+      "The target environment id of the integration provider. Used in cloudflare pages, teamcity, gitlab integrations.",
+    targetService:
+      "The service based grouping identifier of the external provider. Used in Terraform cloud, Checkly, Railway and NorthFlank",
+    targetServiceId:
+      "The service based grouping identifier ID of the external provider. Used in Terraform cloud, Checkly, Railway and NorthFlank",
+    owner: "External integration providers service entity owner. Used in Github.",
+    path: "Path to save the synced secrets. Used by Gitlab, AWS Parameter Store, Vault",
+    region: "AWS region to sync secrets to.",
+    scope: "Scope of the provider. Used by Github, Qovery",
+    metadata: {
+      secretPrefix: "The prefix for the saved secret. Used by GCP",
+      secretSuffix: "The suffix for the saved secret. Used by GCP",
+      initialSyncBehavoir: "Type of syncing behavoir with the integration",
+      shouldAutoRedeploy: "Used by Render to trigger auto deploy",
+      secretGCPLabel: "The label for the GCP secrets"
+    }
+  },
+  UPDATE: {
+    integrationId: "The ID of the integration object.",
+    app: "The name of the external integration providers app entity that you want to sync secrets with. Used in Netlify, GitHub, Vercel integrations.",
+    appId:
+      "The ID of the external integration providers app entity that you want to sync secrets with. Used in Netlify, GitHub, Vercel integrations.",
+    isActive: "Whether the integration should be active or disabled.",
+    secretPath: "The path of the secrets to sync secrets from.",
+    owner: "External integration providers service entity owner. Used in Github.",
+    targetEnvironment:
+      "The target environment of the integration provider. Used in cloudflare pages, TeamCity, Gitlab integrations.",
+    environment: "The environment to sync secrets from."
+  },
+  DELETE: {
+    integrationId: "The ID of the integration object."
+  }
+};
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@ -18,6 +18,7 @@ const envSchema = z
    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
    ),
+    MAX_LEASE_LIMIT: z.coerce.number().default(10000),
    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
@ -113,7 +114,8 @@ const envSchema = z
      .enum(["true", "false"])
      .transform((val) => val === "true")
      .optional(),
-    INFISICAL_CLOUD: zodStrBool.default("false")
+    INFISICAL_CLOUD: zodStrBool.default("false"),
+    MAINTENANCE_MODE: zodStrBool.default("false")
  })
  .transform((data) => ({
    ...data,
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@ -59,6 +59,18 @@ export class BadRequestError extends Error {
  }
 }

+export class DisableRotationErrors extends Error {
+  name: string;
+
+  error: unknown;
+
+  constructor({ name, error, message }: { message: string; name?: string; error?: unknown }) {
+    super(message);
+    this.name = name || "DisableRotationErrors";
+    this.error = error;
+  }
+}
+
 export class ScimRequestError extends Error {
  name: string;

--- a/backend/src/lib/knex/connection.ts
+++ b/backend/src/lib/knex/connection.ts
@ -0,0 +1,11 @@
+import { URL } from "url"; // Import the URL class
+
+export const getDbConnectionHost = (urlString: string) => {
+  try {
+    const url = new URL(urlString);
+    // Split hostname and port (if provided)
+    return url.hostname.split(":")[0];
+  } catch (error) {
+    return null;
+  }
+};
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@ -4,6 +4,7 @@ import { Tables } from "knex/types/tables";

 import { DatabaseError } from "../errors";

+export * from "./connection";
 export * from "./join";
 export * from "./select";

--- a/backend/src/lib/types/index.ts
+++ b/backend/src/lib/types/index.ts
@ -13,7 +13,7 @@ export type TProjectPermission = {
  actorId: string;
  projectId: string;
  actorAuthMethod: ActorAuthMethod;
-  actorOrgId: string | undefined;
+  actorOrgId: string;
 };

 export type RequiredKeys<T> = {
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@ -18,7 +18,8 @@ export enum QueueName {
  SecretWebhook = "secret-webhook",
  SecretFullRepoScan = "secret-full-repo-scan",
  SecretPushEventScan = "secret-push-event-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost",
+  DynamicSecretRevocation = "dynamic-secret-revocation"
 }

 export enum QueueJobs {
@ -30,7 +31,9 @@ export enum QueueJobs {
  TelemetryInstanceStats = "telemetry-self-hosted-stats",
  IntegrationSync = "secret-integration-pull",
  SecretScan = "secret-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost-job"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
+  DynamicSecretRevocation = "dynamic-secret-revocation",
+  DynamicSecretPruning = "dynamic-secret-pruning"
 }

 export type TQueueJobTypes = {
@ -86,6 +89,19 @@ export type TQueueJobTypes = {
    name: QueueJobs.TelemetryInstanceStats;
    payload: undefined;
  };
+  [QueueName.DynamicSecretRevocation]:
+    | {
+        name: QueueJobs.DynamicSecretRevocation;
+        payload: {
+          leaseId: string;
+        };
+      }
+    | {
+        name: QueueJobs.DynamicSecretPruning;
+        payload: {
+          dynamicSecretCfgId: string;
+        };
+      };
 };

 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@ -24,6 +24,7 @@ import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
 import { fastifyIp } from "./plugins/ip";
+import { maintenanceMode } from "./plugins/maintenanceMode";
 import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";

@ -72,6 +73,8 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
    }
    await server.register(helmet, { contentSecurityPolicy: false });

+    await server.register(maintenanceMode);
+
    await server.register(registerRoutes, { smtp, queue, db, keyStore });

    if (appCfg.isProductionMode) {
--- a/backend/src/server/config/rateLimiter.ts
+++ b/backend/src/server/config/rateLimiter.ts
@ -18,14 +18,43 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
  };
 };

-export const authRateLimit: RateLimitOptions = {
+// GET endpoints
+export const readLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  max: 600,
  keyGenerator: (req) => req.realIp
 };

-export const passwordRateLimit: RateLimitOptions = {
+// POST, PATCH, PUT, DELETE endpoints
+export const writeLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  max: 50,
+  keyGenerator: (req) => req.realIp
+};
+
+// special endpoints
+export const secretsLimit: RateLimitOptions = {
+  // secrets, folders, secret imports
  timeWindow: 60 * 1000,
  max: 600,
  keyGenerator: (req) => req.realIp
 };
+
+export const authRateLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  max: 60,
+  keyGenerator: (req) => req.realIp
+};
+
+export const inviteUserRateLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  max: 30,
+  keyGenerator: (req) => req.realIp
+};
+
+export const creationLimit: RateLimitOptions = {
+  // identity, project, org
+  timeWindow: 60 * 1000,
+  max: 30,
+  keyGenerator: (req) => req.realIp
+};
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@ -16,7 +16,7 @@ export type TAuthMode =
      userId: string;
      tokenVersionId: string; // the session id of token used
      user: TUsers;
-      orgId?: string;
+      orgId: string;
      authMethod: AuthMethod;
    }
  | {
@ -119,7 +119,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
          userId: user.id,
          tokenVersionId,
          actor,
-          orgId,
+          orgId: orgId as string,
          authMethod: token.authMethod
        };
        break;
--- a/backend/src/server/plugins/maintenanceMode.ts
+++ b/backend/src/server/plugins/maintenanceMode.ts
@ -0,0 +1,12 @@
+import fp from "fastify-plugin";
+
+import { getConfig } from "@app/lib/config/env";
+
+export const maintenanceMode = fp(async (fastify) => {
+  fastify.addHook("onRequest", async (req) => {
+    const serverEnvs = getConfig();
+    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
+      throw new Error("Infisical is in maintenance mode. Please try again later.");
+    }
+  });
+});
--- a/backend/src/server/plugins/secret-scanner.ts
+++ b/backend/src/server/plugins/secret-scanner.ts
@ -4,6 +4,7 @@ import SmeeClient from "smee-client";

 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
+import { writeLimit } from "@app/server/config/rateLimiter";

 export const registerSecretScannerGhApp = async (server: FastifyZodProvider) => {
  const probotApp = (app: Probot) => {
@ -49,6 +50,9 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
    server.route({
      method: "POST",
      url: "/",
+      config: {
+        rateLimit: writeLimit
+      },
      handler: async (req, res) => {
        const eventName = req.headers["x-github-event"];
        const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
--- a/backend/src/server/plugins/swagger.ts
+++ b/backend/src/server/plugins/swagger.ts
@ -14,13 +14,13 @@ export const fastifySwagger = fp(async (fastify) => {
        version: "0.0.1"
      },
      servers: [
-        {
-          url: "http://localhost:8080",
-          description: "Local server"
-        },
        {
          url: "https://app.infisical.com",
          description: "Production server"
+        },
+        {
+          url: "http://localhost:8080",
+          description: "Local server"
        }
      ],
      components: {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -5,12 +5,22 @@ import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
+import { dynamicSecretDALFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-dal";
+import { dynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
+import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/providers";
+import { dynamicSecretLeaseDALFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal";
+import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue";
+import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
+import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
 import { licenseServiceFactory } from "@app/ee/services/license/license-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
 import { permissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { projectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
+import { projectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { samlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-dal";
 import { samlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { scimDALFactory } from "@app/ee/services/scim/scim-dal";
@ -39,6 +49,7 @@ import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { apiKeyDALFactory } from "@app/services/api-key/api-key-dal";
 import { apiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { authDALFactory } from "@app/services/auth/auth-dal";
@ -143,6 +154,7 @@ export const registerRoutes = async (

  const projectDAL = projectDALFactory(db);
  const projectMembershipDAL = projectMembershipDALFactory(db);
+  const projectUserAdditionalPrivilegeDAL = projectUserAdditionalPrivilegeDALFactory(db);
  const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(db);
  const projectRoleDAL = projectRoleDALFactory(db);
  const projectEnvDAL = projectEnvDALFactory(db);
@ -168,6 +180,7 @@ export const registerRoutes = async (
  const identityOrgMembershipDAL = identityOrgDALFactory(db);
  const identityProjectDAL = identityProjectDALFactory(db);
  const identityProjectMembershipRoleDAL = identityProjectMembershipRoleDALFactory(db);
+  const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);

  const identityUaDAL = identityUaDALFactory(db);
  const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
@ -196,6 +209,8 @@ export const registerRoutes = async (
  const gitAppOrgDAL = gitAppDALFactory(db);
  const secretScanningDAL = secretScanningDALFactory(db);
  const licenseDAL = licenseDALFactory(db);
+  const dynamicSecretDAL = dynamicSecretDALFactory(db);
+  const dynamicSecretLeaseDAL = dynamicSecretLeaseDALFactory(db);

  const permissionService = permissionServiceFactory({
    permissionDAL,
@ -337,6 +352,11 @@ export const registerRoutes = async (
    projectRoleDAL,
    licenseService
  });
+  const projectUserAdditionalPrivilegeService = projectUserAdditionalPrivilegeServiceFactory({
+    permissionService,
+    projectMembershipDAL,
+    projectUserAdditionalPrivilegeDAL
+  });
  const projectKeyService = projectKeyServiceFactory({
    permissionService,
    projectKeyDAL,
@ -379,7 +399,8 @@ export const registerRoutes = async (
    folderDAL,
    licenseService,
    projectUserMembershipRoleDAL,
-    identityProjectMembershipRoleDAL
+    identityProjectMembershipRoleDAL,
+    keyStore
  });

  const projectEnvService = projectEnvServiceFactory({
@ -471,6 +492,7 @@ export const registerRoutes = async (
    snapshotService,
    secretQueueService,
    secretImportDAL,
+    projectEnvDAL,
    projectBotService
  });
  const sarService = secretApprovalRequestServiceFactory({
@ -540,6 +562,12 @@ export const registerRoutes = async (
    identityProjectMembershipRoleDAL,
    projectRoleDAL
  });
+  const identityProjectAdditionalPrivilegeService = identityProjectAdditionalPrivilegeServiceFactory({
+    projectDAL,
+    identityProjectAdditionalPrivilegeDAL,
+    permissionService,
+    identityProjectDAL
+  });
  const identityUaService = identityUaServiceFactory({
    identityOrgMembershipDAL,
    permissionService,
@ -550,6 +578,34 @@ export const registerRoutes = async (
    licenseService
  });

+  const dynamicSecretProviders = buildDynamicSecretProviders();
+  const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
+    queueService,
+    dynamicSecretLeaseDAL,
+    dynamicSecretProviders,
+    dynamicSecretDAL
+  });
+  const dynamicSecretService = dynamicSecretServiceFactory({
+    projectDAL,
+    dynamicSecretQueueService,
+    dynamicSecretDAL,
+    dynamicSecretLeaseDAL,
+    dynamicSecretProviders,
+    folderDAL,
+    permissionService,
+    licenseService
+  });
+  const dynamicSecretLeaseService = dynamicSecretLeaseServiceFactory({
+    projectDAL,
+    permissionService,
+    dynamicSecretQueueService,
+    dynamicSecretDAL,
+    dynamicSecretLeaseDAL,
+    dynamicSecretProviders,
+    folderDAL,
+    licenseService
+  });
+
  await superAdminService.initServerCfg();
  //
  // setup the communication with license key server
@ -591,6 +647,8 @@ export const registerRoutes = async (
    secretApprovalPolicy: sapService,
    secretApprovalRequest: sarService,
    secretRotation: secretRotationService,
+    dynamicSecret: dynamicSecretService,
+    dynamicSecretLease: dynamicSecretLeaseService,
    snapshot: snapshotService,
    saml: samlService,
    ldap: ldapService,
@ -600,7 +658,9 @@ export const registerRoutes = async (
    trustedIp: trustedIpService,
    scim: scimService,
    secretBlindIndex: secretBlindIndexService,
-    telemetry: telemetryService
+    telemetry: telemetryService,
+    projectUserAdditionalPrivilege: projectUserAdditionalPrivilegeService,
+    identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService
  });

  server.decorate<FastifyZodProvider["store"]>("store", {
@ -612,8 +672,11 @@ export const registerRoutes = async (
  await server.register(injectAuditLogInfo);

  server.route({
-    url: "/api/status",
    method: "GET",
+    url: "/api/status",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@ -1,6 +1,11 @@
 import { z } from "zod";

-import { IntegrationAuthsSchema, SecretApprovalPoliciesSchema, UsersSchema } from "@app/db/schemas";
+import {
+  DynamicSecretsSchema,
+  IntegrationAuthsSchema,
+  SecretApprovalPoliciesSchema,
+  UsersSchema
+} from "@app/db/schemas";

 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@ -56,3 +61,11 @@ export const secretRawSchema = z.object({
  secretValue: z.string(),
  secretComment: z.string().optional()
 });
+
+export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
+  inputIV: true,
+  inputTag: true,
+  inputCiphertext: true,
+  keyEncoding: true,
+  algorithm: true
+});
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -3,6 +3,7 @@ import { z } from "zod";
 import { OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -11,24 +12,33 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 export const registerAdminRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/config",
    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true })
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
+            z.object({ isMigrationModeOn: z.boolean() })
+          )
        })
      }
    },
    handler: async () => {
      const config = await getServerCfg();
-      return { config };
+      const serverEnvs = getConfig();
+      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
    }
  });

  server.route({
-    url: "/config",
    method: "PATCH",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        allowSignUp: z.boolean().optional(),
@ -52,8 +62,11 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/signup",
    method: "POST",
+    url: "/signup",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        email: z.string().email().trim(),
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@ -3,7 +3,7 @@ import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { authRateLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode, AuthModeRefreshJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";

@ -38,8 +38,11 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/checkAuth",
    method: "POST",
+    url: "/checkAuth",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
@ -52,8 +55,11 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/token",
    method: "POST",
+    url: "/token",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/bot-router.ts
+++ b/backend/src/server/routes/v1/bot-router.ts
@ -1,13 +1,17 @@
 import { z } from "zod";

 import { ProjectBotsSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:projectId",
    method: "GET",
+    url: "/:projectId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@ -38,8 +42,11 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:botId/active",
    method: "PATCH",
+    url: "/:botId/active",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        isActive: z.boolean(),
--- a/backend/src/server/routes/v1/identity-access-token-router.ts
+++ b/backend/src/server/routes/v1/identity-access-token-router.ts
@ -1,11 +1,15 @@
 import { z } from "zod";

 import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+import { writeLimit } from "@app/server/config/rateLimiter";

 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/token/renew",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Renew access token",
      body: z.object({
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@ -3,6 +3,7 @@ import { z } from "zod";
 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
+import { creationLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -12,6 +13,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
+    config: {
+      rateLimit: creationLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Create identity",
@ -71,6 +75,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update identity",
@ -121,6 +128,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Delete identity",
--- a/backend/src/server/routes/v1/identity-ua.ts
+++ b/backend/src/server/routes/v1/identity-ua.ts
@ -3,6 +3,7 @@ import { z } from "zod";
 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@ -22,8 +23,11 @@ export const sanitizedClientSecretSchema = IdentityUaClientSecretsSchema.pick({

 export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/universal-auth/login",
    method: "POST",
+    url: "/universal-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Login with Universal Auth",
      body: z.object({
@ -66,8 +70,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId",
    method: "POST",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Attach Universal Auth configuration onto identity",
@ -156,8 +163,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId",
    method: "PATCH",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update Universal Auth configuration on identity",
@ -239,8 +249,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId",
    method: "GET",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Retrieve Universal Auth configuration on identity",
@ -283,8 +296,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId/client-secrets",
    method: "POST",
+    url: "/universal-auth/identities/:identityId/client-secrets",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Create Universal Auth Client Secret for identity",
@ -335,8 +351,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId/client-secrets",
    method: "GET",
+    url: "/universal-auth/identities/:identityId/client-secrets",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "List Universal Auth Client Secrets for identity",
@ -378,8 +397,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
    method: "POST",
+    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Revoke Universal Auth Client Secrets for identity",
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@ -1,6 +1,8 @@
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { INTEGRATION_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,10 +10,19 @@ import { integrationAuthPubSchema } from "../sanitizedSchemas";

 export const registerIntegrationAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/integration-options",
    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/integration-options",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      description: "List of integrations available.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      response: {
        200: z.object({
          integrationOptions: z
@ -36,12 +47,21 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId",
    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:integrationAuthId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      description: "Get details of an integration authorization by auth object id.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        integrationAuthId: z.string().trim()
+        integrationAuthId: z.string().trim().describe(INTEGRATION_AUTH.GET.integrationAuthId)
      }),
      response: {
        200: z.object({
@ -62,13 +82,22 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/",
    method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      description: "Remove all integration's auth object from the project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      querystring: z.object({
-        integration: z.string().trim(),
-        projectId: z.string().trim()
+        integration: z.string().trim().describe(INTEGRATION_AUTH.DELETE.integration),
+        projectId: z.string().trim().describe(INTEGRATION_AUTH.DELETE.projectId)
      }),
      response: {
        200: z.object({
@ -102,12 +131,21 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId",
    method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:integrationAuthId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      description: "Remove an integration auth object by object id.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        integrationAuthId: z.string().trim()
+        integrationAuthId: z.string().trim().describe(INTEGRATION_AUTH.DELETE_BY_ID.integrationAuthId)
      }),
      response: {
        200: z.object({
@ -140,8 +178,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/oauth-token",
    method: "POST",
+    url: "/oauth-token",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@ -181,18 +222,27 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/access-token",
    method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/access-token",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      description: "Create the integration authentication object required for syncing secrets.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z.object({
-        workspaceId: z.string().trim(),
-        integration: z.string().trim(),
-        accessId: z.string().trim().optional(),
-        accessToken: z.string().trim().optional(),
-        url: z.string().url().trim().optional(),
-        namespace: z.string().trim().optional(),
-        refreshToken: z.string().trim().optional()
+        workspaceId: z.string().trim().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.workspaceId),
+        integration: z.string().trim().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.integration),
+        accessId: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.accessId),
+        accessToken: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.accessToken),
+        url: z.string().url().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.url),
+        namespace: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.namespace),
+        refreshToken: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.refreshToken)
      }),
      response: {
        200: z.object({
@ -225,8 +275,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/apps",
    method: "GET",
+    url: "/:integrationAuthId/apps",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -262,8 +315,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/teams",
    method: "GET",
+    url: "/:integrationAuthId/teams",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -293,8 +349,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/vercel/branches",
    method: "GET",
+    url: "/:integrationAuthId/vercel/branches",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -323,8 +382,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/checkly/groups",
    method: "GET",
+    url: "/:integrationAuthId/checkly/groups",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -353,8 +415,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/github/orgs",
    method: "GET",
+    url: "/:integrationAuthId/github/orgs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -381,8 +446,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/github/envs",
    method: "GET",
+    url: "/:integrationAuthId/github/envs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -415,8 +483,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/orgs",
    method: "GET",
+    url: "/:integrationAuthId/qovery/orgs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -441,8 +512,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/projects",
    method: "GET",
+    url: "/:integrationAuthId/qovery/projects",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -471,8 +545,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/environments",
    method: "GET",
+    url: "/:integrationAuthId/qovery/environments",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -501,8 +578,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/apps",
    method: "GET",
+    url: "/:integrationAuthId/qovery/apps",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -531,8 +611,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/containers",
    method: "GET",
+    url: "/:integrationAuthId/qovery/containers",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -561,8 +644,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/jobs",
    method: "GET",
+    url: "/:integrationAuthId/qovery/jobs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -591,8 +677,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/heroku/pipelines",
    method: "GET",
+    url: "/:integrationAuthId/heroku/pipelines",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -623,8 +712,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/railway/environments",
    method: "GET",
+    url: "/:integrationAuthId/railway/environments",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -653,8 +745,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/railway/services",
    method: "GET",
+    url: "/:integrationAuthId/railway/services",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -683,8 +778,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/bitbucket/workspaces",
    method: "GET",
+    url: "/:integrationAuthId/bitbucket/workspaces",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -719,8 +817,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/northflank/secret-groups",
    method: "GET",
+    url: "/:integrationAuthId/northflank/secret-groups",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -754,8 +855,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/teamcity/build-configs",
    method: "GET",
+    url: "/:integrationAuthId/teamcity/build-configs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -2,7 +2,9 @@ import { z } from "zod";

 import { IntegrationsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { INTEGRATION } from "@app/lib/api-docs";
 import { removeTrailingSlash, shake } from "@app/lib/fn";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -10,36 +12,51 @@ import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telem

 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
+      description: "Create an integration to sync secrets.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z.object({
-        integrationAuthId: z.string().trim(),
-        app: z.string().trim().optional(),
-        isActive: z.boolean(),
-        appId: z.string().trim().optional(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        sourceEnvironment: z.string().trim(),
-        targetEnvironment: z.string().trim().optional(),
-        targetEnvironmentId: z.string().trim().optional(),
-        targetService: z.string().trim().optional(),
-        targetServiceId: z.string().trim().optional(),
-        owner: z.string().trim().optional(),
-        path: z.string().trim().optional(),
-        region: z.string().trim().optional(),
-        scope: z.string().trim().optional(),
+        integrationAuthId: z.string().trim().describe(INTEGRATION.CREATE.integrationAuthId),
+        app: z.string().trim().optional().describe(INTEGRATION.CREATE.app),
+        isActive: z.boolean().describe(INTEGRATION.CREATE.isActive).default(true),
+        appId: z.string().trim().optional().describe(INTEGRATION.CREATE.appId),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(INTEGRATION.CREATE.secretPath),
+        sourceEnvironment: z.string().trim().describe(INTEGRATION.CREATE.sourceEnvironment),
+        targetEnvironment: z.string().trim().optional().describe(INTEGRATION.CREATE.targetEnvironment),
+        targetEnvironmentId: z.string().trim().optional().describe(INTEGRATION.CREATE.targetEnvironmentId),
+        targetService: z.string().trim().optional().describe(INTEGRATION.CREATE.targetService),
+        targetServiceId: z.string().trim().optional().describe(INTEGRATION.CREATE.targetServiceId),
+        owner: z.string().trim().optional().describe(INTEGRATION.CREATE.owner),
+        path: z.string().trim().optional().describe(INTEGRATION.CREATE.path),
+        region: z.string().trim().optional().describe(INTEGRATION.CREATE.region),
+        scope: z.string().trim().optional().describe(INTEGRATION.CREATE.scope),
        metadata: z
          .object({
-            secretPrefix: z.string().optional(),
-            secretSuffix: z.string().optional(),
-            initialSyncBehavior: z.string().optional(),
-            shouldAutoRedeploy: z.boolean().optional(),
+            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
+            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
+            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
            secretGCPLabel: z
              .object({
                labelName: z.string(),
                labelValue: z.string()
              })
              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel)
          })
          .optional()
      }),
@ -49,7 +66,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { integration, integrationAuth } = await server.services.integration.createIntegration({
        actorId: req.permission.id,
@ -99,20 +116,34 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:integrationId",
    method: "PATCH",
+    url: "/:integrationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
+      description: "Update an integration by integration id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        integrationId: z.string().trim()
+        integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
      }),
      body: z.object({
-        app: z.string().trim(),
-        appId: z.string().trim(),
-        isActive: z.boolean(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        targetEnvironment: z.string().trim(),
-        owner: z.string().trim(),
-        environment: z.string().trim()
+        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
+        isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(INTEGRATION.UPDATE.secretPath),
+        targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
+        owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
      }),
      response: {
        200: z.object({
@ -120,7 +151,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const integration = await server.services.integration.updateIntegration({
        actorId: req.permission.id,
@ -135,11 +166,20 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:integrationId",
    method: "DELETE",
+    url: "/:integrationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
+      description: "Remove an integration using the integration object ID",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        integrationId: z.string().trim()
+        integrationId: z.string().trim().describe(INTEGRATION.DELETE.integrationId)
      }),
      response: {
        200: z.object({
@ -147,7 +187,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const integration = await server.services.integration.deleteIntegration({
        actorId: req.permission.id,
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { UsersSchema } from "@app/db/schemas";
+import { inviteUserRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@ -9,6 +10,9 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/signup",
+    config: {
+      rateLimit: inviteUserRateLimit
+    },
    method: "POST",
    schema: {
      body: z.object({
@ -52,6 +56,9 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/verify",
    method: "POST",
+    config: {
+      rateLimit: inviteUserRateLimit
+    },
    schema: {
      body: z.object({
        email: z.string().trim().email(),
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { IncidentContactsSchema, OrganizationsSchema, OrgMembershipsSchema, UsersSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,6 +9,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
@ -25,6 +29,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -50,6 +57,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/users",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -87,6 +97,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:organizationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@ -128,6 +141,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/incidentContactOrg",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -151,6 +167,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:organizationId/incidentContactOrg",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({ email: z.string().email().trim() }),
@ -176,6 +195,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId/incidentContactOrg/:incidentContactId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim(), incidentContactId: z.string().trim() }),
      response: {
--- a/backend/src/server/routes/v1/password-router.ts
+++ b/backend/src/server/routes/v1/password-router.ts
@ -2,7 +2,7 @@ import { z } from "zod";

 import { BackupPrivateKeySchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { passwordRateLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { validateSignUpAuthorization } from "@app/services/auth/auth-fns";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -12,7 +12,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/srp1",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@ -39,7 +39,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/change-password",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@ -78,7 +78,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/email/password-reset",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@ -103,7 +103,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/email/password-reset-verify",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@ -133,7 +133,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/backup-private-key",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
@ -168,7 +168,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    url: "/backup-private-key",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      response: {
@ -190,6 +190,9 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/password-reset",
+    config: {
+      rateLimit: authRateLimit
+    },
    schema: {
      body: z.object({
        protectedKey: z.string().trim(),
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@ -3,13 +3,17 @@ import { z } from "zod";
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ENVIRONMENTS } from "@app/lib/api-docs";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/environments",
    method: "POST",
+    url: "/:workspaceId/environments",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Create environment",
      security: [
@ -64,8 +68,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/environments/:id",
    method: "PATCH",
+    url: "/:workspaceId/environments/:id",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update environment",
      security: [
@ -128,8 +135,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/environments/:id",
    method: "DELETE",
+    url: "/:workspaceId/environments/:id",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Delete environment",
      security: [
--- a/backend/src/server/routes/v1/project-key-router.ts
+++ b/backend/src/server/routes/v1/project-key-router.ts
@ -1,5 +1,6 @@
 import { z } from "zod";

+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -7,6 +8,9 @@ export const registerProjectKeyRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:workspaceId/key",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@ -10,14 +10,18 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";

 export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/memberships",
    method: "GET",
+    url: "/:workspaceId/memberships",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return project user memberships",
      security: [
@ -75,8 +79,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  });

  server.route({
-    url: "/:workspaceId/memberships",
    method: "POST",
+    url: "/:workspaceId/memberships",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -126,8 +133,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  });

  server.route({
-    url: "/:workspaceId/memberships/:membershipId",
    method: "PATCH",
+    url: "/:workspaceId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update project user membership",
      security: [
@ -158,7 +168,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
            ])
          )
          .min(1)
-          .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
+          .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least one long lived role is required")
          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
      }),
      response: {
@ -197,8 +207,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  });

  server.route({
-    url: "/:workspaceId/memberships/:membershipId",
    method: "DELETE",
+    url: "/:workspaceId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Delete project user membership",
      security: [
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@ -7,7 +7,8 @@ import {
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
+import { INTEGRATION_AUTH, PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
@ -24,8 +25,11 @@ const projectWithEnv = ProjectsSchema.merge(

 export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/keys",
    method: "GET",
+    url: "/:workspaceId/keys",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -55,8 +59,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/users",
    method: "GET",
+    url: "/:workspaceId/users",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -108,8 +115,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
@ -125,8 +135,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId",
    method: "GET",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
@ -154,8 +167,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId",
    method: "DELETE",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
@ -185,6 +201,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:workspaceId/name",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -217,8 +236,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId",
    method: "PATCH",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
@ -261,8 +283,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/auto-capitalization",
    method: "POST",
+    url: "/:workspaceId/auto-capitalization",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -295,8 +320,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/integrations",
    method: "GET",
+    url: "/:workspaceId/integrations",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@ -329,11 +357,20 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/authorizations",
    method: "GET",
+    url: "/:workspaceId/authorizations",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
+      description: "List integration auth objects for a workspace.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(INTEGRATION_AUTH.LIST_AUTHORIZATION.workspaceId)
      }),
      response: {
        200: z.object({
@ -341,7 +378,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const authorizations = await server.services.integrationAuth.listIntegrationAuthByProjectId({
        actorId: req.permission.id,
@ -355,8 +392,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/service-token-data",
    method: "GET",
+    url: "/:workspaceId/service-token-data",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@ -4,6 +4,7 @@ import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -11,6 +12,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Create folders",
      security: [
@ -65,6 +69,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/:folderId",
    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Update folder",
      security: [
@ -124,8 +131,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>

  // TODO(daniel): Expose this route in api reference and write docs for it.
  server.route({
-    url: "/:folderIdOrName",
    method: "DELETE",
+    url: "/:folderIdOrName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Delete a folder",
      security: [
@ -181,8 +191,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Get folders",
      security: [
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@ -4,13 +4,17 @@ import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretImportRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Create secret imports",
      security: [
@ -71,8 +75,11 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:secretImportId",
    method: "PATCH",
+    url: "/:secretImportId",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Update secret imports",
      security: [
@ -143,8 +150,11 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:secretImportId",
    method: "DELETE",
+    url: "/:secretImportId",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Delete secret imports",
      security: [
@ -204,8 +214,11 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Get secret imports",
      security: [
@ -262,6 +275,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/secrets",
    method: "GET",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/server/routes/v1/secret-tag-router.ts
+++ b/backend/src/server/routes/v1/secret-tag-router.ts
@ -1,16 +1,21 @@
 import { z } from "zod";

 import { SecretTagsSchema } from "@app/db/schemas";
+import { SECRET_TAGS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:projectId/tags",
    method: "GET",
+    url: "/:projectId/tags",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
-        projectId: z.string().trim()
+        projectId: z.string().trim().describe(SECRET_TAGS.LIST.projectId)
      }),
      response: {
        200: z.object({
@ -32,16 +37,19 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:projectId/tags",
    method: "POST",
+    url: "/:projectId/tags",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
-        projectId: z.string().trim()
+        projectId: z.string().trim().describe(SECRET_TAGS.CREATE.projectId)
      }),
      body: z.object({
-        name: z.string().trim(),
-        slug: z.string().trim(),
-        color: z.string()
+        name: z.string().trim().describe(SECRET_TAGS.CREATE.name),
+        slug: z.string().trim().describe(SECRET_TAGS.CREATE.slug),
+        color: z.string().trim().describe(SECRET_TAGS.CREATE.color)
      }),
      response: {
        200: z.object({
@ -64,12 +72,15 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:projectId/tags/:tagId",
    method: "DELETE",
+    url: "/:projectId/tags/:tagId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
-        projectId: z.string().trim(),
-        tagId: z.string().trim()
+        projectId: z.string().trim().describe(SECRET_TAGS.DELETE.projectId),
+        tagId: z.string().trim().describe(SECRET_TAGS.DELETE.tagId)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/user-action-router.ts
+++ b/backend/src/server/routes/v1/user-action-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { UserActionsSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,6 +9,9 @@ export const registerUserActionRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        action: z.string().trim()
@ -29,6 +33,9 @@ export const registerUserActionRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        action: z.string().trim()
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,6 +9,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/webhook-router.ts
+++ b/backend/src/server/routes/v1/webhook-router.ts
@ -3,6 +3,7 @@ import { z } from "zod";
 import { WebhooksSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -27,6 +28,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@ -75,6 +79,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:webhookId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -122,6 +129,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:webhookId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -159,6 +169,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:webhookId/test",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@ -186,6 +199,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -9,6 +10,9 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:orgId/identity-memberships",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Return organization identity memberships",
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@ -8,6 +8,7 @@ import {
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@ -16,6 +17,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "POST",
    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
@ -48,6 +52,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "PATCH",
    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update project identity memberships",
@ -103,6 +110,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "DELETE",
    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Delete project identity memberships",
@ -137,6 +147,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "GET",
    url: "/:projectId/identity-memberships",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Return project identity memberships",
--- a/Show More
+++ b/Show More