docs: updated docs to reflect new SDK structure

backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts

@@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.index("projectId");
+      if (doesOrgIdExist) t.index("orgId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.dropIndex("projectId");
+      if (doesOrgIdExist) t.dropIndex("orgId");
+    });
+  }
+}

backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}

backend/src/db/migrations/20240522204414_index-secret-version-envId.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}

backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}

backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}

backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
+    });
+  }
+}

backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.index("expiresAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.dropIndex("expiresAt");
+    });
+  }
+}

backend/src/lib/api-docs/constants.ts

@@ -225,8 +225,7 @@ export const PROJECT_IDENTITIES = {
     roles: {
       description: "A list of role slugs to assign to the identity project membership.",
       role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary:
-        "Whether the assigned role is temporary. If isTemporary is set true, must provide temporaryMode, temporaryRange and temporaryAccessStartTime.",
+      isTemporary: "Whether the assigned role is temporary.",
       temporaryMode: "Type of temporary expiry.",
       temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
       temporaryAccessStartTime: "Time to which the temporary access starts"
@@ -243,8 +242,7 @@ export const PROJECT_IDENTITIES = {
     roles: {
       description: "A list of role slugs to assign to the newly created identity project membership.",
       role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary:
-        "Whether the assigned role is temporary. If isTemporary is set true, must provide temporaryMode, temporaryRange and temporaryAccessStartTime.",
+      isTemporary: "Whether the assigned role is temporary.",
       temporaryMode: "Type of temporary expiry.",
       temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
       temporaryAccessStartTime: "Time to which the temporary access starts"

backend/src/server/app.ts

@@ -8,6 +8,8 @@ import cors from "@fastify/cors";
 import fastifyEtag from "@fastify/etag";
 import fastifyFormBody from "@fastify/formbody";
 import helmet from "@fastify/helmet";
+import type { FastifyRateLimitOptions } from "@fastify/rate-limit";
+import ratelimiter from "@fastify/rate-limit";
 import fasitfy from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
@@ -17,6 +19,7 @@ import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 
+import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
@@ -64,6 +67,10 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
     await server.register(fastifyFormBody);
     await server.register(fastifyErrHandler);
 
+    // Rate limiters and security headers
+    if (appCfg.isProductionMode) {
+      await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
+    }
     await server.register(helmet, { contentSecurityPolicy: false });
 
     await server.register(maintenanceMode);

backend/src/server/config/rateLimiter.ts

@@ -1,34 +1,20 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
-import { FastifyRequest } from "fastify";
 import { Redis } from "ioredis";
 
 import { getConfig } from "@app/lib/config/env";
-import { ActorType } from "@app/services/auth/auth-type";
-
-const getDistinctRequestActorId = (req: FastifyRequest) => {
-  if (req?.auth?.actor === ActorType.USER) {
-    return req.auth.user.username;
-  }
-  if (req?.auth?.actor === ActorType.IDENTITY) {
-    return `${req.auth.identityId}-machine-identity-`;
-  }
-  if (req?.auth?.actor === ActorType.SERVICE) {
-    return `${req.auth.serviceToken.id}-service-token`; // when user gets removed from system
-  }
-  return req.realIp;
-};
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   const appCfg = getConfig();
   const redis = appCfg.isRedisConfigured
     ? new Redis(appCfg.REDIS_URL, { connectTimeout: 500, maxRetriesPerRequest: 1 })
     : null;
+
   return {
     timeWindow: 60 * 1000,
     max: 600,
     redis,
     allowList: (req) => req.url === "/healthcheck" || req.url === "/api/status",
-    keyGenerator: (req) => getDistinctRequestActorId(req)
+    keyGenerator: (req) => req.realIp
   };
 };
 
@@ -36,39 +22,39 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 export const readLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 600,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };
 
 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 50,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };
 
 // special endpoints
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: 1000,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  max: 60,
+  keyGenerator: (req) => req.realIp
 };
 
 export const authRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 60,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };
 
 export const inviteUserRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 30,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };
 
 export const creationLimit: RateLimitOptions = {
   // identity, project, org
   timeWindow: 60 * 1000,
   max: 30,
-  keyGenerator: (req) => getDistinctRequestActorId(req)
+  keyGenerator: (req) => req.realIp
 };

backend/src/server/plugins/auth/inject-permission.ts

@@ -1,5 +1,6 @@
 import fp from "fastify-plugin";
 
+import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";
 
 // inject permission type needed based on auth extracted
@@ -15,6 +16,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
         authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.userId}] [type=${ActorType.USER}]`
+      );
     } else if (req.auth.actor === ActorType.IDENTITY) {
       req.permission = {
         type: ActorType.IDENTITY,
@@ -22,6 +27,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.identityId}] [type=${ActorType.IDENTITY}]`
+      );
     } else if (req.auth.actor === ActorType.SERVICE) {
       req.permission = {
         type: ActorType.SERVICE,
@@ -29,6 +38,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.serviceTokenId}] [type=${ActorType.SERVICE}]`
+      );
     } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
       req.permission = {
         type: ActorType.SCIM_CLIENT,
@@ -36,6 +49,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.scimTokenId}] [type=${ActorType.SCIM_CLIENT}]`
+      );
     }
   });
 });

backend/src/server/routes/index.ts

@@ -1,4 +1,3 @@
-import ratelimiter, { FastifyRateLimitOptions } from "@fastify/rate-limit";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -62,7 +61,7 @@ import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
-import { globalRateLimiterCfg, readLimit } from "@app/server/config/rateLimiter";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { apiKeyDALFactory } from "@app/services/api-key/api-key-dal";
 import { apiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { authDALFactory } from "@app/services/auth/auth-dal";
@@ -840,11 +839,6 @@ export const registerRoutes = async (
     user: userDAL
   });
 
-  // Rate limiters and security headers
-  if (appCfg.isProductionMode) {
-    await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
-  }
-
   await server.register(injectIdentity, { userDAL, serviceTokenDAL });
   await server.register(injectPermission);
   await server.register(injectAuditLogInfo);

backend/src/services/project-membership/project-membership-dal.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -104,9 +106,9 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectGhostUser = async (projectId: string) => {
+  const findProjectGhostUser = async (projectId: string, tx?: Knex) => {
     try {
-      const ghostUser = await db(TableName.ProjectMembership)
+      const ghostUser = await (tx || db)(TableName.ProjectMembership)
         .where({ projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .select(selectAllTableCols(TableName.Users))

backend/src/services/project/project-service.ts

@@ -340,7 +340,7 @@ export const projectServiceFactory = ({
 
     const deletedProject = await projectDAL.transaction(async (tx) => {
       const delProject = await projectDAL.deleteById(project.id, tx);
-      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id).catch(() => null);
+      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id, tx).catch(() => null);
 
       // Delete the org membership for the ghost user if it's found.
       if (projectGhostUser) {

docs/documentation/guides/node.mdx

@@ -36,7 +36,7 @@ Initialize a new Node.js project with a default `package.json` file.
 npm init -y
 ```
 
-Install `express` and [infisical-node](https://github.com/Infisical/infisical-node), the client Node SDK for Infisical.
+Install `express` and [@infisical/sdk](https://www.npmjs.com/package/@infisical/sdk), the client Node SDK for Infisical.
 
 ```console
 npm install express @infisical/sdk

docs/documentation/guides/python.mdx

@@ -5,7 +5,7 @@ title: "Python"
 This guide demonstrates how to use Infisical to manage secrets for your Python stack from local development to production. It uses:
 
 - Infisical (you can use [Infisical Cloud](https://app.infisical.com) or a [self-hosted instance of Infisical](https://infisical.com/docs/self-hosting/overview)) to store your secrets.
-- The [infisical-python](https://github.com/Infisical/sdk/tree/main/crates/infisical-py) Python client SDK to fetch secrets back to your Python application on demand.
+- The [infisical-python](https://pypi.org/project/infisical-python/) Python client SDK to fetch secrets back to your Python application on demand.
 
 ## Project Setup
 
@@ -36,23 +36,27 @@ python3 -m venv env
 source env/bin/activate
 ```
 
-Install Flask and [infisical-python](https://github.com/Infisical/sdk/tree/main/crates/infisical-py), the client Python SDK for Infisical.
+Install Flask and [infisical-python](https://pypi.org/project/infisical-python/), the client Python SDK for Infisical.
 
 ```console
-pip install Flask infisical-python
+pip install flask infisical-python
 ```
 
 Finally, create an `app.py` file containing the application code.
 
 ```py
 from flask import Flask
-from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions
+from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions, AuthenticationOptions, UniversalAuthMethod
 
 app = Flask(__name__)
 
 client = InfisicalClient(ClientSettings(
-    client_id="MACHINE_IDENTITY_CLIENT_ID",
-    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
 ))
 
 @app.route("/")

docs/sdks/languages/csharp.mdx

@@ -21,21 +21,28 @@ namespace Example
         static void Main(string[] args)
         {
 
-            var settings = new ClientSettings
+          ClientSettings settings = new ClientSettings
+          {
+            Auth = new AuthenticationOptions
             {
-                ClientId = "CLIENT_ID",
-                ClientSecret = "CLIENT_SECRET",
-                // SiteUrl = "http://localhost:8080", <-- This line can be omitted if you're using Infisical Cloud.
-            };
-            var infisical = new InfisicalClient(settings);
+              UniversalAuth = new UniversalAuthMethod
+              {
+                ClientId = "your-client-id",
+                ClientSecret = "your-client-secret"
+              }
+            }
+          };
 
-            var options = new GetSecretOptions
+
+          var infisicalClient = new InfisicalClient(settings);
+
+            var getSecretOptions = new GetSecretOptions
             {
                 SecretName = "TEST",
                 ProjectId = "PROJECT_ID",
                 Environment = "dev",
             };
-            var secret = infisical.GetSecret(options);
+            var secret = infisical.GetSecret(getSecretOptions);
 
 
             Console.WriteLine($"The value of secret '{secret.SecretKey}', is: {secret.SecretValue}");
@@ -52,8 +59,6 @@ This example demonstrates how to use the Infisical C# SDK in a C# application. T
 
 # Installation
 
-Run `npm` to add `@infisical/sdk` to your project.
-
 ```console
 $ dotnet add package Infisical.Sdk
 ```
@@ -70,14 +75,20 @@ namespace Example
     {
         static void Main(string[] args)
         {
-
-            var settings = new ClientSettings
+          ClientSettings settings = new ClientSettings
+          {
+            Auth = new AuthenticationOptions
             {
-                ClientId = "CLIENT_ID",
-                ClientSecret = "CLIENT_SECRET",
-            };
+              UniversalAuth = new UniversalAuthMethod
+              {
+                ClientId = "your-client-id",
+                ClientSecret = "your-client-secret"
+              }
+            }
+          };
 
-            var infisical = new InfisicalClient(settings); // <-- Your SDK instance!
+
+          var infisicalClient = new InfisicalClient(settings); // <-- Your SDK client is now ready to use
         }
     }
 }
@@ -87,14 +98,14 @@ namespace Example
 
 <ParamField query="options" type="object">
     <Expandable title="properties">
-        <ParamField query="ClientId" type="string" optional>
+        <ParamField query="ClientId" deprecated type="string" optional>
             Your machine identity client ID.
         </ParamField>
-          <ParamField query="ClientSecret" type="string" optional>
+          <ParamField query="ClientSecret" deprecated type="string" optional>
             Your machine identity client secret.
         </ParamField>
 
-         <ParamField query="AccessToken" type="string" optional>
+         <ParamField query="AccessToken" deprecated type="string" optional>
             An access token obtained from the machine identity login endpoint.
         </ParamField>
 
@@ -103,13 +114,120 @@ namespace Example
             If manually set to 0, caching will be disabled, this is not recommended.
         </ParamField>
 
-        <ParamField query="SiteUrl()" type="string" default="https://app.infisical.com" optional>
+        <ParamField query="SiteUrl" type="string" default="https://app.infisical.com" optional>
             Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
         </ParamField>
+
+        <ParamField query="Auth" type="AuthenticationOptions">
+          The authentication object to use for the client. This is required unless you're using environment variables.
+        </ParamField>
     </Expandable>
 
 </ParamField>
 
+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```csharp
+    ClientSettings settings = new ClientSettings
+    {
+      Auth = new AuthenticationOptions
+      {
+        UniversalAuth = new UniversalAuthMethod
+        {
+          ClientId = "your-client-id",
+          ClientSecret = "your-client-secret"
+        }
+      }
+    };
+
+    var infisicalClient = new InfisicalClient(settings);
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      GcpIdToken = new GcpIdTokenAuthMethod
+      {
+        IdentityId = "your-machine-identity-id",
+      }
+    }
+  };
+
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      GcpIam = new GcpIamAuthMethod
+      {
+        IdentityId = "your-machine-identity-id",
+        ServiceAccountKeyFilePath = "./path/to/your/service-account-key.json"
+      }
+    }
+  };
+
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      AwsIam = new AwsIamAuthMethod
+      {
+        IdentityId = "your-machine-identity-id",
+      }
+    }
+  };
+
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
 ### Caching
 
 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTTL" option when creating the client.
@@ -155,6 +273,14 @@ Retrieve all secrets within the Infisical project and environment that client is
         <ParamField query="IncludeImports" type="boolean" default="false" optional>
              Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
         </ParamField>
+
+        <ParamField query="Recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="ExpandSecretReferences" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
     </Expandable>
 
 </ParamField>

docs/sdks/languages/java.mdx

@@ -19,12 +19,19 @@ import com.infisical.sdk.schema.*;
 
 public class Example {
     public static void main(String[] args) {
-        // Create a new Infisical Client
+       
+        // Create the authentication settings for the client
         ClientSettings settings = new ClientSettings();
-        settings.setClientID("MACHINE_IDENTITY_CLIENT_ID");
-        settings.setClientSecret("MACHINE_IDENTITY_CLIENT_SECRET");
-        settings.setCacheTTL(Long.valueOf(300)); // 300 seconds, 5 minutes
+        AuthenticationOptions authOptions = new AuthenticationOptions();
+        UniversalAuthMethod authMethod = new UniversalAuthMethod();
 
+        authMethod.setClientID("YOUR_IDENTITY_ID");
+        authMethod.setClientSecret("YOUR_CLIENT_SECRET");
+
+        authOptions.setUniversalAuth(authMethod);
+        settings.setAuth(authOptions);
+
+        // Create a new Infisical Client
         InfisicalClient client = new InfisicalClient(settings);
 
         // Create the options for fetching the secret
@@ -68,11 +75,18 @@ import com.infisical.sdk.schema.*;
 
 public class App {
     public static void main(String[] args) {
-
+        // Create the authentication settings for the client
         ClientSettings settings = new ClientSettings();
-        settings.setClientID("MACHINE_IDENTITY_CLIENT_ID");
-        settings.setClientSecret("MACHINE_IDENTITY_CLIENT_SECRET");
+        AuthenticationOptions authOptions = new AuthenticationOptions();
+        UniversalAuthMethod authMethod = new UniversalAuthMethod();
 
+        authMethod.setClientID("YOUR_IDENTITY_ID");
+        authMethod.setClientSecret("YOUR_CLIENT_SECRET");
+
+        authOptions.setUniversalAuth(authMethod);
+        settings.setAuth(authOptions);
+
+        // Create a new Infisical Client
         InfisicalClient client = new InfisicalClient(settings); // Your client!
     }
 }
@@ -82,15 +96,21 @@ public class App {
 
 <ParamField query="options" type="object">
     <Expandable title="properties">
-        <ParamField query="setClientID()" type="string" optional>
+        <ParamField query="setClientID()" type="string" deprecated optional>
             Your machine identity client ID.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `setAuth()` method on the client settings instead.
         </ParamField>
-          <ParamField query="setClientSecret()" type="string" optional>
+          <ParamField query="setClientSecret()" deprecated type="string" optional>
             Your machine identity client secret.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `setAuth()` method on the client settings instead.
         </ParamField>
 
-         <ParamField query="setAccessToken()" type="string" optional>
+         <ParamField query="setAccessToken()" deprecatedtype="string" optional>
             An access token obtained from the machine identity login endpoint.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `setAuth()` method on the client settings instead.
         </ParamField>
 
         <ParamField query="setCacheTTL()" type="number" default="300" optional>
@@ -101,10 +121,106 @@ public class App {
         <ParamField query="setSiteURL()" type="string" default="https://app.infisical.com" optional>
             Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
         </ParamField>
+
+        <ParamField query="setAuth()" type="AuthenticationOptions">
+          The authentication object to use for the client. This is required unless you're using environment variables.
+      </ParamField>
     </Expandable>
 
 </ParamField>
 
+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  UniversalAuthMethod authMethod = new UniversalAuthMethod();
+
+  authMethod.setClientID("YOUR_IDENTITY_ID");
+  authMethod.setClientSecret("YOUR_CLIENT_SECRET");
+
+  authOptions.setUniversalAuth(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  GCPIDTokenAuthMethod authMethod = new GCPIDTokenAuthMethod();
+
+  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
+
+  authOptions.setGcpIDToken(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  GCPIamAuthMethod authMethod = new GCPIamAuthMethod();
+
+  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
+  authMethod.setServiceAccountKeyFilePath("./path/to/your/service-account-key.json");
+
+  authOptions.setGcpIam(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  AWSIamAuthMethod authMethod = new AWSIamAuthMethod();
+
+  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
+
+  authOptions.setAwsIam(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
 ### Caching
 
 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTTL" option when creating the client.
@@ -119,6 +235,8 @@ options.setEnvironment("dev");
 options.setProjectID("PROJECT_ID");
 options.setPath("/foo/bar");
 options.setIncludeImports(false);
+options.setRecursive(false);
+options.setExpandSecretReferences(true);
 
 SecretElement[] secrets = client.listSecrets(options);
 ```
@@ -148,6 +266,14 @@ Retrieve all secrets within the Infisical project and environment that client is
         <ParamField query="setIncludeImports()" type="boolean" default="false" optional>
              Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
         </ParamField>
+
+         <ParamField query="setRecursive()" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="setExpandSecretReferences()" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
     </Expandable>
 
 </ParamField>

docs/sdks/languages/node.mdx

@@ -4,7 +4,7 @@ sidebarTitle: "Node.js"
 icon: "node"
 ---
 
-If you're working with Node.js, the official [infisical-node](https://github.com/Infisical/sdk/tree/main/languages/node) package is the easiest way to fetch and work with secrets for your application.
+If you're working with Node.js, the official [Infisical Node SDK](https://github.com/Infisical/sdk/tree/main/languages/node) package is the easiest way to fetch and work with secrets for your application.
 
 - [NPM Package](https://www.npmjs.com/package/@infisical/sdk)
 - [Github Repository](https://github.com/Infisical/sdk/tree/main/languages/node)
@@ -21,14 +21,19 @@ const app = express();
 const PORT = 3000;
 
 const client = new InfisicalClient({
-    clientId: "YOUR_CLIENT_ID",
-    clientSecret: "YOUR_CLIENT_SECRET",
+    siteUrl: "https://app.infisical.com", // Optional, defaults to https://app.infisical.com
+    auth: {
+      universalAuth: {
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET"
+      }
+    },
     logLevel: LogLevel.Error
 });
 
 app.get("/", async (req, res) => {
-    // access value
-
+  // Access the secret
+  
     const name = await client.getSecret({
         environment: "dev",
         projectId: "PROJECT_ID",
@@ -72,8 +77,12 @@ Import the SDK and create a client instance with your [Machine Identity](/docume
     import { InfisicalClient, LogLevel } from "@infisical/sdk";
 
     const client = new InfisicalClient({
-        clientId: "YOUR_CLIENT_ID",
-        clientSecret: "YOUR_CLIENT_SECRET",
+        auth: {
+          universalAuth: {
+            clientId: "YOUR_CLIENT_ID",
+            clientSecret: "YOUR_CLIENT_SECRET"
+          }
+        },
         logLevel: LogLevel.Error
     });
     ```
@@ -81,31 +90,40 @@ Import the SDK and create a client instance with your [Machine Identity](/docume
   </Tab>
   <Tab title="ES5">
     ```js
-    const { InfisicalClient, LogLevel } = require("@infisical/sdk");
+    const { InfisicalClient } = require("@infisical/sdk");
 
     const client = new InfisicalClient({
-        clientId: "YOUR_CLIENT_ID",
-        clientSecret: "YOUR_CLIENT_SECRET",
-        logLevel: LogLevel.Error
+        auth: {
+          universalAuth: {
+            clientId: "YOUR_CLIENT_ID",
+            clientSecret: "YOUR_CLIENT_SECRET"
+          }
+        },
     });
     ```
 
   </Tab>
 </Tabs>
 
-#### Parameters
+### Parameters
 
 <ParamField query="options" type="object">
     <Expandable title="properties">
-        <ParamField query="clientId" type="string" optional>
+        <ParamField query="clientId" deprecated type="string" optional>
             Your machine identity client ID.
+            
+            **This field is deprecated and will be removed in future versions.** Please use the `auth.universalAuth.clientId` field instead.
         </ParamField>
-          <ParamField query="clientSecret" type="string" optional>
+          <ParamField query="clientSecret" deprecated type="string" optional>
             Your machine identity client secret.
+            
+            **This field is deprecated and will be removed in future versions.** Please use the `auth.universalAuth.clientSecret` field instead.
         </ParamField>
 
-         <ParamField query="accessToken" type="string" optional>
+         <ParamField query="accessToken" deprecated type="string" optional>
             An access token obtained from the machine identity login endpoint.
+            
+            **This field is deprecated and will be removed in future versions.** Please use the `auth.accessToken` field instead.
         </ParamField>
 
         <ParamField query="cacheTtl" type="number" default="300" optional>
@@ -119,10 +137,97 @@ Import the SDK and create a client instance with your [Machine Identity](/docume
         <ParamField query="logLevel" type="enum" default="Error" optional>
             The level of logs you wish to log The logs are derived from Rust, as we have written our base SDK in Rust.
         </ParamField>
+
+        <ParamField query="auth" type="AuthenticationOptions">
+            The authentication object to use for the client. This is required unless you're using environment variables.
+        </ParamField>
     </Expandable>
 
 </ParamField>
 
+
+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      universalAuth: {
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET"
+      }
+    }
+});
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      gcpIdToken: {
+        identityId: "YOUR_IDENTITY_ID"
+      }
+    }
+});
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      gcpIam: {
+        identityId: "YOUR_IDENTITY_ID",
+        serviceAccountKeyFilePath: "./path/to/your/service-account-key.json"
+      }
+    }
+});
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      awsIam: {
+        identityId: "YOUR_IDENTITY_ID"
+      }
+    }
+});
+```
+
+
+
 ### Caching
 
 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTtl" option when creating the client.
@@ -161,6 +266,14 @@ Retrieve all secrets within the Infisical project and environment that client is
             Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `process.env["SECRET_NAME"]`.
         </ParamField>
 
+        <ParamField query="recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="expandSecretReferences" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
+
         <ParamField query="includeImports" type="false" default="boolean" optional>
              Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
         </ParamField>

docs/sdks/languages/python.mdx

@@ -6,20 +6,24 @@ icon: "python"
 
 If you're working with Python, the official [infisical-python](https://github.com/Infisical/sdk/edit/main/crates/infisical-py) package is the easiest way to fetch and work with secrets for your application.
 
-- [PyPi Package](https://pypi.org/project/infisical-python/)
-- [Github Repository](https://github.com/Infisical/sdk/edit/main/crates/infisical-py)
+-   [PyPi Package](https://pypi.org/project/infisical-python/)
+-   [Github Repository](https://github.com/Infisical/sdk/edit/main/crates/infisical-py)
 
 ## Basic Usage
 
 ```py
 from flask import Flask
-from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions
+from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions, AuthenticationOptions, UniversalAuthMethod
 
 app = Flask(__name__)
 
 client = InfisicalClient(ClientSettings(
-    client_id="MACHINE_IDENTITY_CLIENT_ID",
-    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
 ))
 
 @app.route("/")
@@ -38,7 +42,7 @@ def hello_world():
 This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.
 
 <Warning>
-    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+	We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
 </Warning>
 
 ## Installation
@@ -56,11 +60,15 @@ Note: You need Python 3.7+.
 Import the SDK and create a client instance with your [Machine Identity](/api-reference/overview/authentication).
 
 ```py
-from infisical_client import ClientSettings, InfisicalClient
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, UniversalAuthMethod
 
 client = InfisicalClient(ClientSettings(
-    client_id="MACHINE_IDENTITY_CLIENT_ID",
-    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
 ))
 ```
 
@@ -68,14 +76,20 @@ client = InfisicalClient(ClientSettings(
 
 <ParamField query="options" type="object">
     <Expandable title="properties">
-        <ParamField query="client_id" type="string" optional>
+        <ParamField query="client_id" type="string" deprecated optional>
             Your Infisical Client ID.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `auth` field instead.
         </ParamField>
-        <ParamField query="client_secret" type="string" optional>
+        <ParamField query="client_secret" type="string" deprecated optional>
             Your Infisical Client Secret.
+
+          **This field is deprecated and will be removed in future versions.** Please use the `auth` field instead.
         </ParamField>
-        <ParamField query="access_token" type="string" optional>
+        <ParamField query="access_token" type="string" deprecated optional>
             If you want to directly pass an access token obtained from the authentication endpoints, you can do so.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `auth` field instead.
         </ParamField>
 
         <ParamField query="cache_ttl" type="number" default="300" optional>
@@ -85,18 +99,108 @@ client = InfisicalClient(ClientSettings(
 
 
         <ParamField
-        query="site_url"
-        type="string"
-        default="https://app.infisical.com"
-        optional
+          query="site_url"
+          type="string"
+          default="https://app.infisical.com"
+          optional
         >
-        Your self-hosted absolute site URL including the protocol (e.g.
-        `https://app.infisical.com`)
+          Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
         </ParamField>
+
+        <ParamField query="auth" type="AuthenticationOptions">
+          The authentication object to use for the client. This is required unless you're using environment variables.
+      </ParamField>
     </Expandable>
 
 </ParamField>
 
+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```python3
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, UniversalAuthMethod
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
+))
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```py
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, GCPIDTokenAuthMethod
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        gcp_id_token=GCPIDTokenAuthMethod(
+            identity_id="MACHINE_IDENTITY_ID",
+        )
+    )
+))
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```py
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, GCPIamAuthMethod
+
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        gcp_iam=GCPIamAuthMethod(
+            identity_id="MACHINE_IDENTITY_ID",
+            service_account_key_file_path="./path/to/service_account_key.json"
+        )
+    )
+))
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```py
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, AWSIamAuthMethod
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        aws_iam=AWSIamAuthMethod(identity_id="MACHINE_IDENTITY_ID")
+    )
+))
+```
+
 ### Caching
 
 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cache_ttl" option when creating the client.
@@ -133,6 +237,14 @@ Retrieve all secrets within the Infisical project and environment that client is
             Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `process.env["SECRET_NAME"]`.
         </ParamField>
 
+        <ParamField query="recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="expand_secret_references" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
+
         <ParamField query="include_imports" type="boolean" default="false" optional>
              Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
         </ParamField>
@@ -156,26 +268,26 @@ By default, `getSecret()` fetches and returns a shared secret. If not found, it
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string" required>
-            The key of the secret to retrieve
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be fetched from.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
-        </ParamField>
-        <ParamField query="include_imports" type="boolean" default="false" optional>
-            Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string" required>
+			The key of the secret to retrieve
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be fetched from.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
+		</ParamField>
+		<ParamField query="include_imports" type="boolean" default="false" optional>
+			Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+		</ParamField>
+	</Expandable>
 </ParamField>
 
 ### client.createSecret(options)
@@ -194,26 +306,26 @@ Create a new secret in Infisical.
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string" required>
-            The key of the secret to create.
-        </ParamField>
-        <ParamField query="secret_value" type="string" required>
-            The value of the secret.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be created.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string" required>
+			The key of the secret to create.
+		</ParamField>
+		<ParamField query="secret_value" type="string" required>
+			The value of the secret.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be created.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+		</ParamField>
+	</Expandable>
 </ParamField>
 
 ### client.updateSecret(options)
@@ -232,26 +344,26 @@ Update an existing secret in Infisical.
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string" required>
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="secret_value" type="string" required>
-            The new value of the secret.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be updated.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string" required>
+			The key of the secret to update.
+		</ParamField>
+		<ParamField query="secret_value" type="string" required>
+			The new value of the secret.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be updated.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+		</ParamField>
+	</Expandable>
 </ParamField>
 
 ### client.deleteSecret(options)
@@ -269,23 +381,23 @@ Delete a secret in Infisical.
 #### Parameters
 
 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string">
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be deleted.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string">
+			The key of the secret to update.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be deleted.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+		</ParamField>
+	</Expandable>
 </ParamField>
 
 ## Cryptography
@@ -299,9 +411,11 @@ key = client.createSymmetricKey()
 ```
 
 #### Returns (string)
+
 `key` (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.
 
 ### Encrypt symmetric
+
 ```py
 encryptOptions = EncryptSymmetricOptions(
     key=key,
@@ -314,22 +428,22 @@ encryptedData = client.encryptSymmetric(encryptOptions)
 #### Parameters
 
 <ParamField query="Parameters" type="object" required>
-    <Expandable title="properties">
-        <ParamField query="plaintext" type="string">
-            The plaintext you want to encrypt.
-        </ParamField>
-        <ParamField query="key" type="string" required>
-            The symmetric key to use for encryption.
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="plaintext" type="string">
+			The plaintext you want to encrypt.
+		</ParamField>
+		<ParamField query="key" type="string" required>
+			The symmetric key to use for encryption.
+		</ParamField>
+	</Expandable>
 </ParamField>
 
 #### Returns (object)
-`tag` (string): A base64-encoded, 128-bit authentication tag.
-`iv` (string): A base64-encoded, 96-bit initialization vector.
-`ciphertext` (string): A base64-encoded, encrypted ciphertext.
+
+`tag` (string): A base64-encoded, 128-bit authentication tag. `iv` (string): A base64-encoded, 96-bit initialization vector. `ciphertext` (string): A base64-encoded, encrypted ciphertext.
 
 ### Decrypt symmetric
+
 ```py
 decryptOptions = DecryptSymmetricOptions(
     ciphertext=encryptedData.ciphertext,
@@ -344,22 +458,24 @@ decryptedString = client.decryptSymmetric(decryptOptions)
 ```
 
 #### Parameters
+
 <ParamField query="Parameters" type="object" required>
-    <Expandable title="properties">
-        <ParamField query="ciphertext" type="string">
-            The ciphertext you want to decrypt.
-        </ParamField>
-        <ParamField query="key" type="string" required>
-            The symmetric key to use for encryption.
-        </ParamField>
-        <ParamField query="iv" type="string" required>
-            The initialization vector to use for decryption.
-        </ParamField>
-        <ParamField query="tag" type="string" required>
-            The authentication tag to use for decryption.
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="ciphertext" type="string">
+			The ciphertext you want to decrypt.
+		</ParamField>
+		<ParamField query="key" type="string" required>
+			The symmetric key to use for encryption.
+		</ParamField>
+		<ParamField query="iv" type="string" required>
+			The initialization vector to use for decryption.
+		</ParamField>
+		<ParamField query="tag" type="string" required>
+			The authentication tag to use for decryption.
+		</ParamField>
+	</Expandable>
 </ParamField>
 
 #### Returns (string)
+
 `plaintext` (string): The decrypted plaintext.