Add environment name as an option to .infisical.json

2025-03-23 03:03:05 +00:00 · 2023-02-14 15:55:13 -08:00
2632 changed files with 95454 additions and 166555 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,10 +0,0 @@
-backend/node_modules
-frontend/node_modules
-backend/frontend-build
-**/node_modules
-**/.next
-.dockerignore
-.git
-README.md
-.dockerignore
-**/Dockerfile
--- a/.env.example
+++ b/.env.example
@ -1,12 +1,23 @@
 # Keys
 # Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

 # JWT
 # Required secrets to sign JWT tokens
-# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
+JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
+JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
+JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
+JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+
+# JWT lifetime
+# Optional lifetimes for JWT tokens expressed in seconds or a string 
+# describing a time span (e.g. 60, "2 days", "10h", "7d")
+JWT_AUTH_LIFETIME=
+JWT_REFRESH_LIFETIME=
+JWT_SIGNUP_LIFETIME=
+
+# Optional lifetimes for OTP expressed in seconds
+EMAIL_TOKEN_LIFETIME=

 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@ -14,9 +25,6 @@ AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
 # Required
 MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin

-# Redis
-REDIS_URL=redis://redis:6379
-
 # Optional credentials for MongoDB container instance and Mongo-Express
 MONGO_USERNAME=root
 MONGO_PASSWORD=example
@ -25,12 +33,14 @@ MONGO_PASSWORD=example
 # Required
 SITE_URL=http://localhost:8080

-# Mail/SMTP 
-SMTP_HOST=
-SMTP_PORT=
-SMTP_NAME=
-SMTP_USERNAME=
-SMTP_PASSWORD=
+# Mail/SMTP
+SMTP_HOST= # required
+SMTP_USERNAME= # required
+SMTP_PASSWORD= # required
+SMTP_PORT=587
+SMTP_SECURE=false
+SMTP_FROM_ADDRESS= # required
+SMTP_FROM_NAME=Infisical

 # Integration
 # Optional only if integration is used
@ -38,14 +48,10 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
-CLIENT_ID_GITLAB=
-CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
-CLIENT_SECRET_GITLAB=
-CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=

 # Sentry (optional) for monitoring errors
@ -55,13 +61,10 @@ SENTRY_DSN=
 # Ignore - Not applicable for self-hosted version
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
-
-# SSO-specific variables
-CLIENT_ID_GOOGLE_LOGIN=
-CLIENT_SECRET_GOOGLE_LOGIN=
-
-CLIENT_ID_GITHUB_LOGIN=
-CLIENT_SECRET_GITHUB_LOGIN=
-
-CLIENT_ID_GITLAB_LOGIN=
-CLIENT_SECRET_GITLAB_LOGIN=
+STRIPE_SECRET_KEY=
+STRIPE_PUBLISHABLE_KEY=
+STRIPE_WEBHOOK_SECRET=
+STRIPE_PRODUCT_STARTER=
+STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_PRO=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -8,7 +8,7 @@ assignees: ''
 ---

 ### Feature description
-A clear and concise description of what the feature should be.
+A clear and concise description of what the the feature should be.

 ### Why would it be useful?
 Why would this feature be useful for Infisical users? 
--- a/.github/images/Deploy
+++ b/.github/images/Deploy
--- a/.github/images/deploy-aws-button.png
+++ b/.github/images/deploy-aws-button.png
--- a/.github/images/deploy-to-aws.png
+++ b/.github/images/deploy-to-aws.png
--- a/.github/images/do-k8-install-btn.png
+++ b/.github/images/do-k8-install-btn.png
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,22 +0,0 @@
-# Description 📣
-
-<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
-
-## Type ✨
-
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation
-
-# Tests 🛠️
-
-<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
-
-```sh
-# Here's some code block to paste some code snippets
-```
-
---
-
- [ ] I have read the [contributing guide](https://infisical.com/docs/contributing/overview), agreed and acknowledged the [code of conduct](https://infisical.com/docs/contributing/code-of-conduct). 📝
--- a/.github/resources/docker-compose.be-test.yml
+++ b/.github/resources/docker-compose.be-test.yml
@ -6,14 +6,13 @@ services:
    restart: unless-stopped
    depends_on:
      - mongo
-    image: infisical/infisical:test
+    image: infisical/backend:test
    command: npm run start
    environment:
      - NODE_ENV=production
      - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
      - MONGO_USERNAME=test
      - MONGO_PASSWORD=example
-      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
    networks:
      - infisical-test

--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,52 +1,93 @@
-## @section Common parameters
-##
+#####
+# INFISICAL K8 DEFAULT VALUES FILE
+# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
+#####

-## @param nameOverride Override release name
-##
 nameOverride: ""
-## @param fullnameOverride Override release fullname
-##
-fullnameOverride: ""
-
-## @section Infisical backend parameters
-## Documentation : https://infisical.com/docs/self-hosting/deployments/kubernetes
-##
-
-infisical:
-  ## @param backend.enabled Enable backend
-  ##
-  enabled: false
-  ## @param backend.name Backend name
-  ##
-  name: infisical
-  replicaCount: 2
-  image:
-    repository: infisical/infisical
-    tag: "latest-postgres"
-    pullPolicy: IfNotPresent

+frontend:
+  name: frontend
+  podAnnotations: {}
  deploymentAnnotations:
    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
+  image:
+    repository: infisical/frontend
+    pullPolicy: Always 
+    tag: "latest"
+  kubeSecretRef: managed-secret-frontend
+  service:
+    # type of the frontend service
+    type: ClusterIP
+    # define the nodePort if service type is NodePort
+    # nodePort: 
+    annotations: {}

-  kubeSecretRef: "infisical-gamma-secrets"
+backend:
+  name: backend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
+  image:
+    repository: infisical/backend
+    pullPolicy: Always
+    tag: "latest"
+  kubeSecretRef: managed-backend-secret
+  service:
+    annotations: {}
+
+mongodb:
+  name: mongodb
+  podAnnotations: {}
+  image:
+    repository: mongo
+    pullPolicy: IfNotPresent
+    tag: "latest"
+  service:
+    annotations: {}
+
+# By default the backend will be connected to a Mongo instance in the cluster.
+# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
+# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
+mongodbConnection: {}
+  # externalMongoDBConnectionString: <>

 ingress:
-  ## @param ingress.enabled Enable ingress
-  ##
  enabled: true
-  ## @param ingress.ingressClassName Ingress class name
-  ##
-  ingressClassName: nginx
-  ## @param ingress.nginx.enabled Ingress controller
-  ##
-  # nginx:
-  #   enabled: true
-  ## @param ingress.annotations Ingress annotations
-  ##
  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  hostName: "gamma.infisical.com"
-  tls:
-    - secretName: letsencrypt-prod
-      hosts:
-        - gamma.infisical.com
+    kubernetes.io/ingress.class: "nginx"
+  hostName: gamma.infisical.com # replace with your domain 
+  frontend: 
+    path: /
+    pathType: Prefix
+  backend:
+    path: /api
+    pathType: Prefix
+  tls: []
+
+
+## Complete Ingress example 
+# ingress:
+#   enabled: true
+#   annotations:
+#     kubernetes.io/ingress.class: "nginx"
+#     cert-manager.io/issuer: letsencrypt-nginx
+#   hostName: k8.infisical.com
+#   frontend: 
+#     path: /
+#     pathType: Prefix
+#   backend:
+#     path: /api
+#     pathType: Prefix
+#   tls:
+#     - secretName: letsencrypt-nginx
+#       hosts:
+#         - k8.infisical.com
+
+###
+### YOU MUST FILL IN ALL SECRETS BELOW
+### 
+backendEnvironmentVariables: {}
+
+frontendEnvironmentVariables: {}
--- a/.github/workflows/build-staging-and-deploy.yml
+++ b/.github/workflows/build-staging-and-deploy.yml
@ -1,120 +0,0 @@
-name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
-
-jobs:
-  infisical-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: infisical/infisical:test
-      # - name: ⏻ Spawn backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      # - name: 🧪 Test backend image
-      #   run: |
-      #     ./.github/resources/healthcheck.sh infisical-backend-test
-      # - name: ⏻ Shut down backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-  postgres-migration:
-    name: Run latest migration files
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      # - name: Run postgres DB migration files
-      #   env:
-      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-      #   run: npm run migration:latest
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [postgres-migration]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install infisical helm chart
-        run: |
-          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
-          helm repo update
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v3
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-      - name: Save DigitalOcean kubeconfig with short-lived credentials
-        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
-      - name: switch to gamma namespace
-        run: kubectl config set-context --current --namespace=gamma
-      - name: test kubectl
-        run: kubectl get ingress
-      - name: Download helm values to file and upgrade gamma deploy
-        run: |
-          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
-          if [[ $(helm status infisical) == *"FAILED"* ]]; then
-            echo "Helm upgrade failed"
-            exit 1
-          else
-            echo "Helm upgrade was successful"
-          fi
--- a/.github/workflows/check-be-pull-request.yml
+++ b/.github/workflows/check-be-pull-request.yml
@ -13,7 +13,6 @@ jobs:
  check-be-pr:
    name: Check
    runs-on: ubuntu-latest
-    timeout-minutes: 15

    steps:
      - name: ☁️ Checkout source
@ -27,17 +26,17 @@ jobs:
      - name: 📦 Install dependencies
        run: npm ci --only-production
        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      # - name: 📁 Upload test results
-      #   uses: actions/upload-artifact@v3
-      #   if: always()
-      #   with:
-      #     name: be-test-results
-      #     path: |
-      #       ./backend/reports
-      #       ./backend/coverage
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: 📁 Upload test results
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: be-test-results
+          path: |
+            ./backend/reports
+            ./backend/coverage
      - name: 🏗️ Run build
        run: npm run build
        working-directory: backend
--- a/.github/workflows/check-fe-pull-request.yml
+++ b/.github/workflows/check-fe-pull-request.yml
@ -2,35 +2,40 @@ name: Check Frontend Pull Request

 on:
  pull_request:
-    types: [opened, synchronize]
+    types: [ opened, synchronize ]
    paths:
-      - "frontend/**"
-      - "!frontend/README.md"
-      - "!frontend/.*"
-      - "frontend/.eslintrc.js"
+      - 'frontend/**'
+      - '!frontend/README.md'
+      - '!frontend/.*'
+      - 'frontend/.eslintrc.js'
+

 jobs:
+
  check-fe-pr:
    name: Check
    runs-on: ubuntu-latest
-    timeout-minutes: 15

    steps:
-      - name: ☁️ Checkout source
+      -
+        name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      -
+        name: 🔧 Setup Node 16
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
-          cache: "npm"
+          node-version: '16'
+          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json
-      - name: 📦 Install dependencies
+      -
+        name: 📦 Install dependencies
        run: npm ci --only-production --ignore-scripts
        working-directory: frontend
      # -
      #   name: 🧪 Run tests
      #   run: npm run test:ci
      #   working-directory: frontend
-      - name: 🏗️ Run build
+      -
+        name: 🏗️ Run build
        run: npm run build
        working-directory: frontend
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@ -1,26 +1,14 @@
-name: Release production images (frontend, backend)
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
-      - "!infisical/v*.*.*-postgres"
+name: Build, Publish and Deploy to Gamma
+on: [workflow_dispatch]

 jobs:
  backend-image:
    name: Build backend image
    runs-on: ubuntu-latest
+
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
      - name: Save commit hashes for tag
        id: commit
        uses: pr-mpt/actions-commit-hash@v2
@ -40,7 +28,7 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          load: true
          context: backend
-          tags: infisical/infisical:test
+          tags: infisical/backend:test
      - name: ⏻ Spawn backend container and dependencies
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@ -57,19 +45,15 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
+          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
+                infisical/backend:latest
          platforms: linux/amd64,linux/arm64

  frontend-image:
    name: Build frontend image
    runs-on: ubuntu-latest
+
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: Save commit hashes for tag
@ -94,7 +78,6 @@ jobs:
          tags: infisical/frontend:test
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
      - name: ⏻ Spawn frontend container
        run: |
          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
@ -111,11 +94,45 @@ jobs:
          push: true
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
+                infisical/frontend:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [frontend-image, backend-image]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install infisical helm chart
+        run: |
+          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+          helm repo update
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Save DigitalOcean kubeconfig with short-lived credentials
+        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
+      - name: switch to gamma namespace 
+        run: kubectl config set-context --current --namespace=gamma
+      - name: test kubectl
+        run: kubectl get ingress
+      - name: Download helm values to file and upgrade gamma deploy
+        run: |
+          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          if [[ $(helm status infisical) == *"FAILED"* ]]; then
+            echo "Helm upgrade failed"
+            exit 1
+          else
+            echo "Helm upgrade was successful"
+          fi
--- a/.github/workflows/release-standalone-docker-img-postgres-offical.yml
+++ b/.github/workflows/release-standalone-docker-img-postgres-offical.yml
@ -1,57 +0,0 @@
-name: Release standalone docker image
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*-postgres"
-
-jobs:
-  infisical-standalone:
-    name: Build infisical standalone image postgres
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: version output
-        run: |
-          echo "Output Value: ${{ steps.version.outputs.major }}"
-          echo "Output Value: ${{ steps.version.outputs.minor }}"
-          echo "Output Value: ${{ steps.version.outputs.patch }}"
-          echo "Output Value: ${{ steps.version.outputs.version }}"
-          echo "Output Value: ${{ steps.version.outputs.version_type }}"
-          echo "Output Value: ${{ steps.version.outputs.increment }}"
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          tags: |
-            infisical/infisical:latest-postgres
-            infisical/infisical:${{ steps.commit.outputs.short }}
-            infisical/infisical:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          file: Dockerfile.standalone-infisical
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -4,7 +4,7 @@ on:
  push:
    # run only against tags
    tags:
-      - "infisical-cli/v*.*.*"
+      - "v*"

 permissions:
  contents: write
@ -41,15 +41,13 @@ jobs:
          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
      - uses: goreleaser/goreleaser-action@v4
        with:
-          distribution: goreleaser-pro
+          distribution: goreleaser
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
      - uses: actions/setup-python@v4
      - run: pip install --upgrade cloudsmith-cli
      - name: Publish to CloudSmith
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@ -1,16 +1,10 @@
-name: Release Docker image for K8 operator
-on:
-  push:
-    tags:
-      - "infisical-k8-operator/v*.*.*"
+name: Release Docker image for K8 operator 
+on: [workflow_dispatch]

 jobs:
  release:
    runs-on: ubuntu-latest
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
      - uses: actions/checkout@v2

      - name: 🔧 Set up QEMU
@ -32,6 +26,4 @@ jobs:
          context: k8-operator
          push: true
          platforms: linux/amd64,linux/arm64
-          tags: |
-            infisical/kubernetes-operator:latest
-            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+          tags: infisical/kubernetes-operator:latest
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1,7 @@
 # backend
 node_modules
 .env
-.env.test
 .env.dev
-.env.gamma
 .env.prod
 .env.infisical

@ -34,7 +32,7 @@ reports
 junit.xml

 # next.js
-.next/
+/.next/
 /out/

 # production
@ -58,8 +56,3 @@ yarn-error.log*

 # Infisical init
 .infisical.json
-
-# Editor specific
-.vscode/*
-
-frontend-build
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -11,16 +11,10 @@ before:
    - ./cli/scripts/completions.sh
    - ./cli/scripts/manpages.sh

-monorepo:
-  tag_prefix: infisical-cli/
-  dir: cli
-
 builds:
  - id: darwin-build
    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
    flags:
      - -trimpath
    env:
@ -38,9 +32,7 @@ builds:
    env:
      - CGO_ENABLED=0
    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
    flags:
      - -trimpath
    goos:
@ -69,10 +61,10 @@ archives:
      - goos: windows
        format: zip
    files:
-      - ../README*
-      - ../LICENSE*
-      - ../manpages/*
-      - ../completions/*
+      - README*
+      - LICENSE*
+      - manpages/*
+      - completions/*

 release:
  replace_existing_draft: true
@ -82,7 +74,14 @@ checksum:
  name_template: "checksums.txt"

 snapshot:
-  name_template: "{{ .Version }}-devel"
+  name_template: "{{ incpatch .Version }}-devel"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

 # publishers:
 #   - name: fury.io
@ -108,22 +107,6 @@ brews:
      zsh_completion.install "completions/infisical.zsh" => "_infisical"
      fish_completion.install "completions/infisical.fish"
      man1.install "manpages/infisical.1.gz"
-  - name: "infisical@{{.Version}}"
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"

 nfpms:
  - id: infisical
@ -181,19 +164,17 @@ aurs:
      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

-dockers:
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Version }}"
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}"
-      - "infisical/cli:{{ .Major }}"
-      - "infisical/cli:latest"
+# dockers:
+#   - dockerfile: cli/docker/Dockerfile
+#     goos: linux
+#     goarch: amd64
+#     ids:
+#       - infisical
+#     image_templates:
+#       - "infisical/cli:{{ .Version }}"
+#       - "infisical/cli:latest"
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -1,6 +1,5 @@
+
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

 npx lint-staged
-
-infisical scan git-changes --staged -v
--- a/.infisicalignore
+++ b/.infisicalignore
@ -1 +0,0 @@
-.github/resources/docker-compose.be-test.yml:generic-api-key:16
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -1,130 +0,0 @@
-ARG POSTHOG_HOST=https://app.posthog.com
-ARG POSTHOG_API_KEY=posthog-api-key
-ARG INTERCOM_ID=intercom-id
-
-FROM  node:20-alpine AS base
-
-FROM base AS frontend-dependencies
-
-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
-
-WORKDIR /app
-
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
-
-# Install dependencies
-RUN npm ci --only-production --ignore-scripts
-
-# Rebuild the source code only when needed
-FROM base AS frontend-builder
-WORKDIR /app
-
-# Copy dependencies
-COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files 
-COPY /frontend .
-
-ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
-ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
-ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
-ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
-
-# Build
-RUN npm run build
-
-# Production image
-FROM base AS frontend-runner
-WORKDIR /app
-
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 non-root-user
-
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
-
-USER non-root-user
-
-ENV NEXT_TELEMETRY_DISABLED 1
-
-##
-## BACKEND
-##
-FROM base AS backend-build
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
-
-WORKDIR /app
-
-COPY backend/package*.json ./
-RUN npm ci --only-production
-
-COPY /backend .
-COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
-RUN npm i -D tsconfig-paths
-RUN npm run build
-
-# Production stage
-FROM base AS backend-runner
-
-WORKDIR /app
-
-COPY backend/package*.json ./
-RUN npm ci --only-production
-
-COPY --from=backend-build /app .
-
-RUN mkdir frontend-build
-
-# Production stage
-FROM base AS production
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
-
-## set pre baked keys
-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
-ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
-
-WORKDIR / 
-
-COPY --from=backend-runner /app /backend
-COPY --from=backend-runner /app/dist/services/smtp/templates /backend/dist/templates
-
-COPY --from=frontend-runner /app ./backend/frontend-build
-
-
-ENV PORT 8080
-ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false 
-ENV NODE_ENV production
-ENV STANDALONE_BUILD true 
-ENV STANDALONE_MODE true
-WORKDIR /backend
-
-ENV TELEMETRY_ENABLED true
-
-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
-  CMD node healthcheck.js
-
-EXPOSE 8080
-EXPOSE 443
-
-USER non-root-user
-
-CMD ["./standalone-entrypoint.sh"]
--- a/3
+++ b/3
@ -7,9 +7,6 @@ push:
 up-dev:
 	docker-compose -f docker-compose.dev.yml up --build

-up-pg-dev:
-	docker compose -f docker-compose.pg.yml up --build
-
 i-dev:
 	infisical run -- docker-compose -f docker-compose.dev.yml up --build

--- a/README.md
+++ b/README.md
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,13 +1,9 @@
 # Security Policy

-## Supported versions
+## Supported Versions

 We always recommend using the latest version of Infisical to ensure you get all security updates.

-## Reporting vulnerabilities
+## Reporting a Vulnerability

-Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
-
-Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
-
-Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.
+Please report security vulnerabilities or concerns to team@infisical.com.
--- a/backend/.eslintignore
+++ b/backend/.eslintignore
@ -1,2 +1,2 @@
-vitest-environment-infisical.ts
-vitest.config.ts
+node_modules
+built
--- a/backend/.eslintrc
+++ b/backend/.eslintrc
@ -0,0 +1,12 @@
+{
+  "parser": "@typescript-eslint/parser",
+  "plugins": ["@typescript-eslint"],
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
+    "plugin:@typescript-eslint/recommended"
+  ],
+  "rules": {
+    "no-console": 2
+  }
+}
--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@ -1,61 +0,0 @@
-/* eslint-env node */
-module.exports = {
-  env: {
-    es6: true,
-    node: true
-  },
-  extends: [
-    "eslint:recommended",
-    "plugin:@typescript-eslint/recommended",
-    "plugin:@typescript-eslint/recommended-type-checked",
-    "airbnb-base",
-    "airbnb-typescript/base",
-    "plugin:prettier/recommended",
-    "prettier"
-  ],
-  plugins: ["@typescript-eslint", "simple-import-sort", "import"],
-  parser: "@typescript-eslint/parser",
-  parserOptions: {
-    project: true,
-    sourceType: "module",
-    tsconfigRootDir: __dirname
-  },
-  root: true,
-  rules: {
-    "@typescript-eslint/no-empty-function": "off",
-    "@typescript-eslint/no-unsafe-enum-comparison": "off",
-    "no-void": "off",
-    "consistent-return": "off", // my style
-    "import/order": "off", // for simple-import-order
-    "import/prefer-default-export": "off", // why
-    "no-restricted-syntax": "off",
-    // importing rules
-    "simple-import-sort/exports": "error",
-    "import/first": "error",
-    "import/newline-after-import": "error",
-    "import/no-duplicates": "error",
-    "simple-import-sort/imports": [
-      "warn",
-      {
-        groups: [
-          // Side effect imports.
-          ["^\\u0000"],
-          // Node.js builtins prefixed with `node:`.
-          ["^node:"],
-          // Packages.
-          // Things that start with a letter (or digit or underscore), or `@` followed by a letter.
-          ["^@?\\w"],
-          ["^@app"],
-          ["@lib"],
-          ["@server"],
-          // Absolute imports and other imports such as Vue-style `@/foo`.
-          // Anything not matched in another group.
-          ["^"],
-          // Relative imports.
-          // Anything that starts with a dot.
-          ["^\\."]
-        ]
-      }
-    ]
-  }
-};
--- a/backend/.gitignore
+++ b/backend/.gitignore
@ -1 +0,0 @@
-dist
--- a/backend/.prettierrc.json
+++ b/backend/.prettierrc.json
@ -1,7 +0,0 @@
-{
-  "singleQuote": false,
-  "printWidth": 120,
-  "trailingComma": "none",
-  "tabWidth": 2,
-  "semi": true
-}
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -1,35 +1,18 @@
-# Build stage
-FROM node:20-alpine AS build
+FROM node:16-bullseye-slim

 WORKDIR /app

-COPY package*.json ./
+COPY package.json package-lock.json ./
+
+# RUN npm ci --only-production --ignore-scripts
+# "prepare": "cd .. && npm install"
+
 RUN npm ci --only-production

 COPY . .
-RUN npm run build
-
-# Production stage
-FROM node:20-alpine
-
-WORKDIR /app
-
-ENV npm_config_cache /home/node/.npm
-
-COPY package*.json ./
-RUN npm ci --only-production && npm cache clean --force
-
-COPY --from=build /app .
-
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git

 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js

-ENV HOST=0.0.0.0

-EXPOSE 4000
-
-CMD ["npm", "start"]
+CMD ["npm", "run", "start"]
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -1,18 +0,0 @@
-FROM node:20-alpine
-
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
-
-WORKDIR /app
-
-COPY package.json package.json
-COPY package-lock.json package-lock.json
-
-RUN npm install
-
-COPY . .
-
-ENV HOST=0.0.0.0
-
-CMD ["npm", "run", "dev:docker"]
--- a/backend/tests/healthcheck.test.ts
+++ b/backend/tests/healthcheck.test.ts
@ -0,0 +1,19 @@
+import { server } from '../src/app';
+import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
+import supertest from 'supertest';
+import { setUpHealthEndpoint } from '../src/services/health';
+
+const requestWithSupertest = supertest(server);
+describe('Healthcheck endpoint', () => {
+  beforeAll(async () => {
+    setUpHealthEndpoint(server);
+  });
+  afterAll(async () => {
+    server.close();
+  });
+
+  it('GET /healthcheck should return OK', async () => {
+    const res = await requestWithSupertest.get('/healthcheck');
+    expect(res.status).toEqual(200);
+  });
+});
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -1,26 +0,0 @@
-import { TQueueServiceFactory } from "@app/queue";
-
-export const mockQueue = (): TQueueServiceFactory => {
-  const queues: Record<string, unknown> = {};
-  const workers: Record<string, unknown> = {};
-  const job: Record<string, unknown> = {};
-  const events: Record<string, unknown> = {};
-
-  return {
-    queue: async (name, jobData) => {
-      job[name] = jobData;
-    },
-    shutdown: async () => undefined,
-    stopRepeatableJob: async () => true,
-    start: (name, jobFn) => {
-      queues[name] = jobFn;
-      workers[name] = jobFn;
-    },
-    listen: (name, event) => {
-      events[name] = event;
-    },
-    clearQueue: async () => {},
-    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true
-  };
-};
--- a/backend/e2e-test/mocks/smtp.ts
+++ b/backend/e2e-test/mocks/smtp.ts
@ -1,10 +0,0 @@
-import { TSmtpSendMail, TSmtpService } from "@app/services/smtp/smtp-service";
-
-export const mockSmtpServer = (): TSmtpService => {
-  const storage: TSmtpSendMail[] = [];
-  return {
-    sendMail: async (data) => {
-      storage.push(data);
-    }
-  };
-};
--- a/backend/e2e-test/routes/v1/login.spec.ts
+++ b/backend/e2e-test/routes/v1/login.spec.ts
@ -1,45 +0,0 @@
-import { seedData1 } from "@app/db/seed-data";
-import jsrp from "jsrp";
-
-describe("Login V1 Router", async () => {
-  // eslint-disable-next-line
-  const client = new jsrp.client();
-  await new Promise((resolve) => {
-    client.init({ username: seedData1.email, password: seedData1.password }, () => resolve(null));
-  });
-  let clientProof: string;
-
-  test("Login first phase", async () => {
-    const res = await testServer.inject({
-      method: "POST",
-      url: "/api/v3/auth/login1",
-      body: {
-        email: "test@localhost.local",
-        clientPublicKey: client.getPublicKey()
-      }
-    });
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("serverPublicKey");
-    expect(payload).toHaveProperty("salt");
-    client.setSalt(payload.salt);
-    client.setServerPublicKey(payload.serverPublicKey);
-    clientProof = client.getProof(); // called M1
-  });
-
-  test("Login second phase", async () => {
-    const res = await testServer.inject({
-      method: "POST",
-      url: "/api/v3/auth/login2",
-      body: {
-        email: seedData1.email,
-        clientProof
-      }
-    });
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("mfaEnabled");
-    expect(payload).toHaveProperty("token");
-    expect(payload.mfaEnabled).toBeFalsy();
-  });
-});
--- a/backend/e2e-test/routes/v1/org.spec.ts
+++ b/backend/e2e-test/routes/v1/org.spec.ts
@ -1,19 +0,0 @@
-import { seedData1 } from "@app/db/seed-data";
-
-describe("Org V1 Router", async () => {
-  test("GET Org list", async () => {
-    const res = await testServer.inject({
-      method: "GET",
-      url: "/api/v1/organization",
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      }
-    });
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("organizations");
-    expect(payload).toEqual({
-      organizations: [expect.objectContaining({ name: seedData1.organization.name })]
-    });
-  });
-});
--- a/backend/e2e-test/routes/v1/project-env.spec.ts
+++ b/backend/e2e-test/routes/v1/project-env.spec.ts
@ -1,151 +0,0 @@
-import { seedData1 } from "@app/db/seed-data";
-import { DEFAULT_PROJECT_ENVS } from "@app/db/seeds/3-project";
-
-describe("Project Environment Router", async () => {
-  test("Get default environments", async () => {
-    const res = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/workspace/${seedData1.project.id}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("workspace");
-    // check for default environments
-    expect(payload).toEqual({
-      workspace: expect.objectContaining({
-        name: seedData1.project.name,
-        id: seedData1.project.id,
-        slug: seedData1.project.slug,
-        environments: expect.arrayContaining([
-          expect.objectContaining(DEFAULT_PROJECT_ENVS[0]),
-          expect.objectContaining(DEFAULT_PROJECT_ENVS[1]),
-          expect.objectContaining(DEFAULT_PROJECT_ENVS[2])
-        ])
-      })
-    });
-    // ensure only two default environments exist
-    expect(payload.workspace.environments.length).toBe(3);
-  });
-
-  const mockProjectEnv = { name: "temp", slug: "temp", id: "" }; // id will be filled in create op
-  test("Create environment", async () => {
-    const res = await testServer.inject({
-      method: "POST",
-      url: `/api/v1/workspace/${seedData1.project.id}/environments`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        name: mockProjectEnv.name,
-        slug: mockProjectEnv.slug
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("environment");
-    expect(payload.environment).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        name: mockProjectEnv.name,
-        slug: mockProjectEnv.slug,
-        projectId: seedData1.project.id,
-        position: DEFAULT_PROJECT_ENVS.length + 1,
-        createdAt: expect.any(String),
-        updatedAt: expect.any(String)
-      })
-    );
-    mockProjectEnv.id = payload.environment.id;
-  });
-
-  test("Update environment", async () => {
-    const updatedName = { name: "temp#2", slug: "temp2" };
-    const res = await testServer.inject({
-      method: "PATCH",
-      url: `/api/v1/workspace/${seedData1.project.id}/environments/${mockProjectEnv.id}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        name: updatedName.name,
-        slug: updatedName.slug,
-        position: 1
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("environment");
-    expect(payload.environment).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        name: updatedName.name,
-        slug: updatedName.slug,
-        projectId: seedData1.project.id,
-        position: 1,
-        createdAt: expect.any(String),
-        updatedAt: expect.any(String)
-      })
-    );
-    mockProjectEnv.name = updatedName.name;
-    mockProjectEnv.slug = updatedName.slug;
-  });
-
-  test("Delete environment", async () => {
-    const res = await testServer.inject({
-      method: "DELETE",
-      url: `/api/v1/workspace/${seedData1.project.id}/environments/${mockProjectEnv.id}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("environment");
-    expect(payload.environment).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        name: mockProjectEnv.name,
-        slug: mockProjectEnv.slug,
-        position: 1,
-        createdAt: expect.any(String),
-        updatedAt: expect.any(String)
-      })
-    );
-  });
-
-  // after all these opreations the list of environment should be still same
-  test("Default list of environment", async () => {
-    const res = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/workspace/${seedData1.project.id}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("workspace");
-    // check for default environments
-    expect(payload).toEqual({
-      workspace: expect.objectContaining({
-        name: seedData1.project.name,
-        id: seedData1.project.id,
-        slug: seedData1.project.slug,
-        environments: expect.arrayContaining([
-          expect.objectContaining(DEFAULT_PROJECT_ENVS[0]),
-          expect.objectContaining(DEFAULT_PROJECT_ENVS[1]),
-          expect.objectContaining(DEFAULT_PROJECT_ENVS[2])
-        ])
-      })
-    });
-    // ensure only two default environments exist
-    expect(payload.workspace.environments.length).toBe(3);
-  });
-});
--- a/backend/e2e-test/routes/v1/secret-folder.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-folder.spec.ts
@ -1,155 +0,0 @@
-import { seedData1 } from "@app/db/seed-data";
-
-describe("Secret Folder Router", async () => {
-  test.each([
-    { name: "folder1", path: "/" }, // one in root
-    { name: "folder1", path: "/level1/level2" }, // then create a deep one creating intermediate ones
-    { name: "folder2", path: "/" },
-    { name: "folder1", path: "/level1/level2" } // this should not create folder return same thing
-  ])("Create folder $name in $path", async ({ name, path }) => {
-    const res = await testServer.inject({
-      method: "POST",
-      url: `/api/v1/folders`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        name,
-        path
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("folder");
-    // check for default environments
-    expect(payload).toEqual({
-      folder: expect.objectContaining({
-        name,
-        id: expect.any(String)
-      })
-    });
-  });
-
-  test.each([
-    {
-      path: "/",
-      expected: {
-        folders: [{ name: "folder1" }, { name: "level1" }, { name: "folder2" }],
-        length: 3
-      }
-    },
-    { path: "/level1/level2", expected: { folders: [{ name: "folder1" }], length: 1 } }
-  ])("Get folders $path", async ({ path, expected }) => {
-    const res = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/folders`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      query: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("folders");
-    expect(payload.folders.length).toBe(expected.length);
-    expect(payload).toEqual({ folders: expected.folders.map((el) => expect.objectContaining(el)) });
-  });
-
-  let toBeDeleteFolderId = "";
-  test("Update a deep folder", async () => {
-    const res = await testServer.inject({
-      method: "PATCH",
-      url: `/api/v1/folders/folder1`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        name: "folder-updated",
-        path: "/level1/level2"
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("folder");
-    expect(payload.folder).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        name: "folder-updated"
-      })
-    );
-    toBeDeleteFolderId = payload.folder.id;
-
-    const resUpdatedFolders = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/folders`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      query: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/level1/level2"
-      }
-    });
-
-    expect(resUpdatedFolders.statusCode).toBe(200);
-    const updatedFolderList = JSON.parse(resUpdatedFolders.payload);
-    expect(updatedFolderList).toHaveProperty("folders");
-    expect(updatedFolderList.folders.length).toEqual(1);
-    expect(updatedFolderList.folders[0].name).toEqual("folder-updated");
-  });
-
-  test("Delete a deep folder", async () => {
-    const res = await testServer.inject({
-      method: "DELETE",
-      url: `/api/v1/folders/${toBeDeleteFolderId}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/level1/level2"
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("folder");
-    expect(payload.folder).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        name: "folder-updated"
-      })
-    );
-
-    const resUpdatedFolders = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/folders`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      query: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/level1/level2"
-      }
-    });
-
-    expect(resUpdatedFolders.statusCode).toBe(200);
-    const updatedFolderList = JSON.parse(resUpdatedFolders.payload);
-    expect(updatedFolderList).toHaveProperty("folders");
-    expect(updatedFolderList.folders.length).toEqual(0);
-  });
-});
--- a/backend/e2e-test/routes/v1/secret-import.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-import.spec.ts
@ -1,179 +0,0 @@
-import { seedData1 } from "@app/db/seed-data";
-
-describe("Secret Folder Router", async () => {
-  test.each([
-    { importEnv: "dev", importPath: "/" }, // one in root
-    { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
-  ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
-    const res = await testServer.inject({
-      method: "POST",
-      url: `/api/v1/secret-imports`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/",
-        import: {
-          environment: importEnv,
-          path: importPath
-        }
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("secretImport");
-    // check for default environments
-    expect(payload.secretImport).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        importPath: expect.any(String),
-        importEnv: expect.objectContaining({
-          name: expect.any(String),
-          slug: expect.any(String),
-          id: expect.any(String)
-        })
-      })
-    );
-  });
-
-  let testSecretImportId = "";
-  test("Get secret imports", async () => {
-    const res = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/secret-imports`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      query: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/"
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("secretImports");
-    expect(payload.secretImports.length).toBe(2);
-    testSecretImportId = payload.secretImports[0].id;
-    expect(payload.secretImports).toEqual(
-      expect.arrayContaining([
-        expect.objectContaining({
-          id: expect.any(String),
-          importPath: expect.any(String),
-          importEnv: expect.objectContaining({
-            name: expect.any(String),
-            slug: expect.any(String),
-            id: expect.any(String)
-          })
-        })
-      ])
-    );
-  });
-
-  test("Update secret import position", async () => {
-    const res = await testServer.inject({
-      method: "PATCH",
-      url: `/api/v1/secret-imports/${testSecretImportId}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/",
-        import: {
-          position: 2
-        }
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("secretImport");
-    // check for default environments
-    expect(payload.secretImport).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        importPath: expect.any(String),
-        position: 2,
-        importEnv: expect.objectContaining({
-          name: expect.any(String),
-          slug: expect.any(String),
-          id: expect.any(String)
-        })
-      })
-    );
-
-    const secretImportsListRes = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/secret-imports`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      query: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/"
-      }
-    });
-
-    expect(secretImportsListRes.statusCode).toBe(200);
-    const secretImportList = JSON.parse(secretImportsListRes.payload);
-    expect(secretImportList).toHaveProperty("secretImports");
-    expect(secretImportList.secretImports[1].id).toEqual(testSecretImportId);
-  });
-
-  test("Delete secret import position", async () => {
-    const res = await testServer.inject({
-      method: "DELETE",
-      url: `/api/v1/secret-imports/${testSecretImportId}`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      body: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/"
-      }
-    });
-
-    expect(res.statusCode).toBe(200);
-    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("secretImport");
-    // check for default environments
-    expect(payload.secretImport).toEqual(
-      expect.objectContaining({
-        id: expect.any(String),
-        importPath: expect.any(String),
-        importEnv: expect.objectContaining({
-          name: expect.any(String),
-          slug: expect.any(String),
-          id: expect.any(String)
-        })
-      })
-    );
-
-    const secretImportsListRes = await testServer.inject({
-      method: "GET",
-      url: `/api/v1/secret-imports`,
-      headers: {
-        authorization: `Bearer ${jwtAuthToken}`
-      },
-      query: {
-        workspaceId: seedData1.project.id,
-        environment: seedData1.environment.slug,
-        path: "/"
-      }
-    });
-
-    expect(secretImportsListRes.statusCode).toBe(200);
-    const secretImportList = JSON.parse(secretImportsListRes.payload);
-    expect(secretImportList).toHaveProperty("secretImports");
-    expect(secretImportList.secretImports.length).toEqual(1);
-    expect(secretImportList.secretImports[0].position).toEqual(1);
-  });
-});
--- a/backend/e2e-test/routes/v1/status.spec.ts
+++ b/backend/e2e-test/routes/v1/status.spec.ts
@ -1,9 +0,0 @@
-describe("Status V1 Router", async () => {
-  test("Simple check", async () => {
-    const res = await testServer.inject({
-      method: "GET",
-      url: "/api/status"
-    });
-    expect(res.statusCode).toBe(200);
-  });
-});
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -1,75 +0,0 @@
-// import { main } from "@app/server/app";
-import { initEnvConfig } from "@app/lib/config/env";
-import dotenv from "dotenv";
-import knex from "knex";
-import path from "path";
-import { mockSmtpServer } from "./mocks/smtp";
-import { initLogger } from "@app/lib/logger";
-import jwt from "jsonwebtoken";
-
-import "ts-node/register";
-import { main } from "@app/server/app";
-import { mockQueue } from "./mocks/queue";
-import { AuthTokenType } from "@app/services/auth/auth-type";
-import { seedData1 } from "@app/db/seed-data";
-
-dotenv.config({ path: path.join(__dirname, "../.env.test") });
-export default {
-  name: "knex-env",
-  transformMode: "ssr",
-  async setup() {
-    const db = knex({
-      client: "pg",
-      connection: process.env.DB_CONNECTION_URI,
-      migrations: {
-        directory: path.join(__dirname, "../src/db/migrations"),
-        extension: "ts",
-        tableName: "infisical_migrations"
-      },
-      seeds: {
-        directory: path.join(__dirname, "../src/db/seeds"),
-        extension: "ts"
-      }
-    });
-
-    try {
-      await db.migrate.latest();
-      await db.seed.run();
-      const smtp = mockSmtpServer();
-      const queue = mockQueue();
-      const logger = await initLogger();
-      const cfg = initEnvConfig(logger);
-      const server = await main({ db, smtp, logger, queue });
-      // @ts-expect-error type
-      globalThis.testServer = server;
-      // @ts-expect-error type
-      globalThis.jwtAuthToken = jwt.sign(
-        {
-          authTokenType: AuthTokenType.ACCESS_TOKEN,
-          userId: seedData1.id,
-          tokenVersionId: seedData1.token.id,
-          accessVersion: 1
-        },
-        cfg.AUTH_SECRET,
-        { expiresIn: cfg.JWT_AUTH_LIFETIME }
-      );
-    } catch (error) {
-      await db.destroy();
-      throw error;
-    }
-    // custom setup
-    return {
-      async teardown() {
-        // @ts-expect-error type
-        await globalThis.testServer.close();
-        // @ts-expect-error type
-        delete globalThis.testServer;
-        // @ts-expect-error type
-        delete globalThis.jwtToken;
-        // called after all tests with this env have been run
-        await db.migrate.rollback({}, true);
-        await db.destroy();
-      }
-    };
-  }
-};
--- a/backend/environment.d.ts
+++ b/backend/environment.d.ts
@ -0,0 +1,51 @@
+export {};
+
+declare global {
+  namespace NodeJS {
+    interface ProcessEnv {
+      PORT: string;
+      EMAIL_TOKEN_LIFETIME: string;
+      ENCRYPTION_KEY: string;
+      SALT_ROUNDS: string;
+      JWT_AUTH_LIFETIME: string;
+      JWT_AUTH_SECRET: string;
+      JWT_REFRESH_LIFETIME: string;
+      JWT_REFRESH_SECRET: string;
+			JWT_SERVICE_SECRET: string;
+			JWT_SIGNUP_LIFETIME: string;
+			JWT_SIGNUP_SECRET: string;
+      MONGO_URL: string;
+      NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
+      VERBOSE_ERROR_OUTPUT: string;
+      LOKI_HOST: string;
+      CLIENT_ID_HEROKU: string;
+      CLIENT_ID_VERCEL: string;
+      CLIENT_ID_NETLIFY: string;
+      CLIENT_ID_GITHUB: string;
+      CLIENT_SECRET_HEROKU: string;
+      CLIENT_SECRET_VERCEL: string;
+      CLIENT_SECRET_NETLIFY: string;
+      CLIENT_SECRET_GITHUB: string;
+      CLIENT_SLUG_VERCEL: string;
+			POSTHOG_HOST: string;
+			POSTHOG_PROJECT_API_KEY: string;
+      SENTRY_DSN: string;
+      SITE_URL: string;
+      SMTP_HOST: string;
+      SMTP_SECURE: string;
+      SMTP_PORT: string;
+      SMTP_USERNAME: string;
+      SMTP_PASSWORD: string;
+      SMTP_FROM_ADDRESS: string;
+      SMTP_FROM_NAME: string;
+      STRIPE_PRODUCT_STARTER: string;
+      STRIPE_PRODUCT_TEAM: string;
+      STRIPE_PRODUCT_PRO: string;
+      STRIPE_PUBLISHABLE_KEY: string;
+      STRIPE_SECRET_KEY: string;
+      STRIPE_WEBHOOK_SECRET: string;
+      TELEMETRY_ENABLED: string;
+      LICENSE_KEY: string;
+    }
+  }
+}
--- a/backend/healthcheck.js
+++ b/backend/healthcheck.js
@ -0,0 +1,24 @@
+const http = require('http');
+const PORT = process.env.PORT || 4000;
+const options = {
+  host: 'localhost',
+  port: PORT,
+  timeout: 2000,
+  path: '/healthcheck'
+};
+
+const healthCheck = http.request(options, (res) => {
+  console.log(`HEALTHCHECK STATUS: ${res.statusCode}`);
+  if (res.statusCode == 200) {
+    process.exit(0);
+  } else {
+    process.exit(1);
+  }
+});
+
+healthCheck.on('error', function (err) {
+  console.error(`HEALTH CHECK ERROR: ${err}`);
+  process.exit(1);
+});
+
+healthCheck.end();
--- a/backend/img/dashboard.png
+++ b/backend/img/dashboard.png
--- a/backend/nodemon.json
+++ b/backend/nodemon.json
@ -1,6 +1,6 @@
 {
-  "watch": ["src"],
-  "ext": ".ts,.js",
-  "ignore": [],
-  "exec": "tsx ./src/main.ts | pino-pretty --colorize --colorizeObjects --singleLine"
-}
+    "watch": ["src"],
+    "ext": ".ts,.js",
+    "ignore": [],
+    "exec": "ts-node ./src/index.ts"
+}
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,126 +1,122 @@
 {
-  "name": "backend",
-  "version": "1.0.0",
-  "description": "",
-  "main": "index.js",
-  "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1",
-    "dev": "tsx watch --clear-screen=false ./src/main.ts  | pino-pretty --colorize --colorizeObjects --singleLine",
-    "dev:docker": "nodemon",
-    "build": "rimraf dist && tsup && cp -R ./src/lib/validator/disposable_emails.txt ./dist && cp -R ./src/services/smtp/templates ./dist",
-    "start": "node dist/main.mjs",
-    "type:check": "tsc --noEmit",
-    "lint:fix": "eslint --fix --ext js,ts ./src",
-    "lint": "eslint 'src/**/*.ts'",
-    "test:e2e": "vitest run -c vitest.e2e.config.ts",
-    "test:e2e-watch": "vitest -c vitest.e2e.config.ts",
-    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
-    "generate:component": "tsx ./scripts/create-backend-file.ts",
-    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
-    "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:rollback": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
-    "seed:new": "tsx ./scripts/create-seed-file.ts",
-    "seed:run": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
-    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest && npm run seed:run"
-  },
-  "keywords": [],
-  "author": "",
-  "license": "ISC",
-  "devDependencies": {
-    "@types/bcrypt": "^5.0.2",
-    "@types/jmespath": "^0.15.2",
-    "@types/jsonwebtoken": "^9.0.5",
-    "@types/jsrp": "^0.2.6",
-    "@types/libsodium-wrappers": "^0.7.13",
-    "@types/lodash.isequal": "^4.5.8",
-    "@types/node": "^20.9.5",
-    "@types/nodemailer": "^6.4.14",
-    "@types/passport-github": "^1.1.12",
-    "@types/passport-google-oauth20": "^2.0.14",
-    "@types/pg": "^8.10.9",
-    "@types/picomatch": "^2.3.3",
-    "@types/prompt-sync": "^4.2.3",
-    "@types/uuid": "^9.0.7",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-import-resolver-typescript": "^3.6.1",
-    "eslint-plugin-import": "^2.29.1",
-    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-simple-import-sort": "^10.0.0",
-    "nodemon": "^3.0.2",
-    "pino-pretty": "^10.2.3",
-    "prompt-sync": "^4.2.0",
-    "rimraf": "^5.0.5",
-    "ts-node": "^10.9.1",
-    "tsconfig-paths": "^4.2.0",
-    "tsup": "^8.0.1",
-    "tsx": "^4.4.0",
-    "typescript": "^5.3.2",
-    "vite-tsconfig-paths": "^4.2.2",
-    "vitest": "^1.0.4"
-  },
  "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.485.0",
-    "@casl/ability": "^6.5.0",
-    "@fastify/cookie": "^9.2.0",
-    "@fastify/cors": "^8.4.1",
-    "@fastify/formbody": "^7.4.0",
-    "@fastify/helmet": "^11.1.1",
-    "@fastify/passport": "^2.4.0",
-    "@fastify/rate-limit": "^9.0.0",
-    "@fastify/session": "^10.7.0",
-    "@fastify/swagger": "^8.12.0",
-    "@fastify/swagger-ui": "^1.10.1",
-    "@node-saml/passport-saml": "^4.0.4",
-    "@octokit/rest": "^20.0.2",
-    "@octokit/webhooks-types": "^7.3.1",
-    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
-    "@sindresorhus/slugify": "^2.2.1",
-    "@typescript-eslint/eslint-plugin": "^6.20.0",
-    "@typescript-eslint/parser": "^6.20.0",
-    "@ucast/mongo2js": "^1.3.4",
-    "ajv": "^8.12.0",
-    "argon2": "^0.31.2",
-    "aws-sdk": "^2.1532.0",
-    "axios": "^1.6.2",
-    "axios-retry": "^4.0.0",
-    "bcrypt": "^5.1.1",
-    "bullmq": "^5.1.1",
-    "dotenv": "^16.3.1",
-    "eslint": "^8.56.0",
-    "eslint-config-airbnb-base": "^15.0.0",
-    "eslint-config-airbnb-typescript": "^17.1.0",
-    "fastify": "^4.24.3",
-    "fastify-plugin": "^4.5.1",
-    "handlebars": "^4.7.8",
-    "ioredis": "^5.3.2",
-    "jmespath": "^0.16.0",
-    "jsonwebtoken": "^9.0.2",
+    "@aws-sdk/client-secrets-manager": "^3.267.0",
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "aws-sdk": "^2.1311.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
    "jsrp": "^0.2.4",
-    "knex": "^3.0.1",
-    "libsodium-wrappers": "^0.7.13",
-    "lodash.isequal": "^4.5.0",
-    "mysql2": "^3.6.5",
-    "nanoid": "^5.0.4",
-    "node-cache": "^5.1.2",
-    "nodemailer": "^6.9.7",
-    "ora": "^7.0.1",
-    "passport-github": "^1.1.0",
-    "passport-gitlab2": "^5.0.0",
-    "passport-google-oauth20": "^2.0.0",
-    "pg": "^8.11.3",
-    "picomatch": "^3.0.1",
-    "pino": "^8.16.2",
-    "posthog-node": "^3.6.0",
-    "probot": "^12.3.3",
-    "smee-client": "^2.0.0",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "request-ip": "^3.3.0",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
    "tweetnacl": "^1.0.3",
    "tweetnacl-util": "^0.15.1",
-    "uuid": "^9.0.1",
-    "zod": "^3.22.4",
-    "zod-to-json-schema": "^3.22.0"
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
+  },
+  "name": "infisical-api",
+  "version": "1.0.0",
+  "main": "src/index.js",
+  "scripts": {
+    "start": "npm run build && node build/index.js",
+    "dev": "nodemon",
+    "swagger-autogen": "node ./swagger/index.ts",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
+    "lint": "eslint . --ext .ts",
+    "lint-and-fix": "eslint . --ext .ts --fix",
+    "lint-staged": "lint-staged",
+    "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
+    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
+    "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
+    "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Infisical/infisical-api.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/Infisical/infisical-api/issues"
+  },
+  "homepage": "https://github.com/Infisical/infisical-api#readme",
+  "description": "",
+  "devDependencies": {
+    "@jest/globals": "^29.3.1",
+    "@posthog/plugin-scaffold": "^1.3.4",
+    "@types/bcrypt": "^5.0.0",
+    "@types/bcryptjs": "^2.4.2",
+    "@types/cookie-parser": "^1.4.3",
+    "@types/cors": "^2.8.12",
+    "@types/express": "^4.17.14",
+    "@types/jest": "^29.2.4",
+    "@types/jsonwebtoken": "^8.5.9",
+    "@types/lodash": "^4.14.191",
+    "@types/node": "^18.11.3",
+    "@types/nodemailer": "^6.4.6",
+    "@types/supertest": "^2.0.12",
+    "@types/swagger-jsdoc": "^6.0.1",
+    "@types/swagger-ui-express": "^4.1.3",
+    "@typescript-eslint/eslint-plugin": "^5.40.1",
+    "@typescript-eslint/parser": "^5.40.1",
+    "cross-env": "^7.0.3",
+    "eslint": "^8.26.0",
+    "install": "^0.13.0",
+    "jest": "^29.3.1",
+    "jest-junit": "^15.0.0",
+    "nodemon": "^2.0.19",
+    "npm": "^8.19.3",
+    "supertest": "^6.3.3",
+    "ts-jest": "^29.0.3",
+    "ts-node": "^10.9.1"
+  },
+  "jest": {
+    "preset": "ts-jest",
+    "testEnvironment": "node",
+    "collectCoverageFrom": [
+      "src/*.{js,ts}",
+      "!**/node_modules/**"
+    ],
+    "setupFiles": [
+      "<rootDir>/test-resources/env-vars.js"
+    ]
+  },
+  "jest-junit": {
+    "outputDirectory": "reports",
+    "outputName": "jest-junit.xml",
+    "ancestorSeparator": " › ",
+    "uniqueOutputName": "false",
+    "suiteNameTemplate": "{filepath}",
+    "classNameTemplate": "{classname}",
+    "titleTemplate": "{title}"
  }
 }
--- a/backend/scripts/create-backend-file.ts
+++ b/backend/scripts/create-backend-file.ts
@ -1,123 +0,0 @@
-/* eslint-disable */
-import { mkdirSync, writeFileSync } from "fs";
-import path from "path";
-import promptSync from "prompt-sync";
-
-const prompt = promptSync({
-  sigint: true
-});
-
-console.log(`
-Component List
--------------
-1. Service component
-2. DAL component
-3. Router component
-`);
-const componentType = parseInt(prompt("Select a component: "), 10);
-
-if (componentType === 1) {
-  const componentName = prompt("Enter service name: ");
-  const dir = path.join(__dirname, `../src/services/${componentName}`);
-  const pascalCase = componentName
-    .split("-")
-    .map((el) => `${el[0].toUpperCase()}${el.slice(1)}`)
-    .join("");
-  const camelCase = componentName
-    .split("-")
-    .map((el, index) => (index === 0 ? el : `${el[0].toUpperCase()}${el.slice(1)}`))
-    .join("");
-  const dalTypeName = `T${pascalCase}DALFactory`;
-  const dalName = `${camelCase}DALFactory`;
-  const serviceTypeName = `T${pascalCase}ServiceFactory`;
-  const serviceName = `${camelCase}ServiceFactory`;
-
-  mkdirSync(dir);
-
-  writeFileSync(
-    path.join(dir, `${componentName}-dal.ts`),
-    `import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-
-export type ${dalTypeName} = ReturnType<typeof ${dalName}>;
-
-export const ${dalName} = (db: TDbClient) => {
-
-  return {  };
-};
-`
-  );
-
-  writeFileSync(
-    path.join(dir, `${componentName}-service.ts`),
-    `import { ${dalTypeName} } from "./${componentName}-dal";
-
-type ${serviceTypeName}Dep = {
-  ${camelCase}DAL: ${dalTypeName};
-};
-
-export type ${serviceTypeName} = ReturnType<typeof ${serviceName}>;
-
-export const ${serviceName} = ({ ${camelCase}DAL }: ${serviceTypeName}Dep) => {
-  return {};
-};
-`
-  );
-  writeFileSync(path.join(dir, `${componentName}-types.ts`), "");
-} else if (componentType === 2) {
-  const componentName = prompt("Enter service name: ");
-  const componentPath = prompt("Path wrt service folder: ");
-  const pascalCase = componentName
-    .split("-")
-    .map((el) => `${el[0].toUpperCase()}${el.slice(1)}`)
-    .join("");
-  const camelCase = componentName
-    .split("-")
-    .map((el, index) => (index === 0 ? el : `${el[0].toUpperCase()}${el.slice(1)}`))
-    .join("");
-  const dalTypeName = `T${pascalCase}DALFactory`;
-  const dalName = `${camelCase}DALFactory`;
-
-  writeFileSync(
-    path.join(__dirname, "../src/services", componentPath, `${componentName}-dal.ts`),
-    `import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-
-export type ${dalTypeName} = ReturnType<typeof ${dalName}>;
-
-export const ${dalName} = (db: TDbClient) => {
-
-  return {  };
-};
-`
-  );
-} else if (componentType === 3) {
-  const name = prompt("Enter router name: ");
-  const version = prompt("Version number: ");
-  const pascalCase = name
-    .split("-")
-    .map((el) => `${el[0].toUpperCase()}${el.slice(1)}`)
-    .join("");
-  writeFileSync(
-    path.join(__dirname, `../src/server/routes/v${Number(version)}/${name}-router.ts`),
-    `import { z } from "zod";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const register${pascalCase}Router = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      params: z.object({}),
-      response: {
-        200: z.object({})
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {}
-  });
-};
-`
-  );
-}
--- a/backend/scripts/create-migration.ts
+++ b/backend/scripts/create-migration.ts
@ -1,16 +0,0 @@
-/* eslint-disable */
-import { execSync } from "child_process";
-import path from "path";
-import promptSync from "prompt-sync";
-
-const prompt = promptSync({ sigint: true });
-
-const migrationName = prompt("Enter name for migration: ");
-
-execSync(
-  `npx knex migrate:make --knexfile ${path.join(
-    __dirname,
-    "../src/db/knexfile.ts"
-  )} -x ts ${migrationName}`,
-  { stdio: "inherit" }
-);
--- a/backend/scripts/create-seed-file.ts
+++ b/backend/scripts/create-seed-file.ts
@ -1,17 +0,0 @@
-/* eslint-disable */
-import { execSync } from "child_process";
-import { readdirSync } from "fs";
-import path from "path";
-import promptSync from "prompt-sync";
-
-const prompt = promptSync({ sigint: true });
-
-const migrationName = prompt("Enter name for seedfile: ");
-const fileCounter = readdirSync(path.join(__dirname, "../src/db/seed")).length || 1;
-execSync(
-  `npx knex seed:make --knexfile ${path.join(
-    __dirname,
-    "../src/db/knexfile.ts"
-  )} -x ts ${fileCounter}-${migrationName}`,
-  { stdio: "inherit" }
-);
--- a/backend/scripts/generate-schema-types.ts
+++ b/backend/scripts/generate-schema-types.ts
@ -1,169 +0,0 @@
-/* eslint-disable */
-import dotenv from "dotenv";
-import path from "path";
-import knex from "knex";
-import { writeFileSync } from "fs";
-import promptSync from "prompt-sync";
-
-const prompt = promptSync({ sigint: true });
-
-dotenv.config({
-  path: path.join(__dirname, "../.env"),
-  debug: true
-});
-
-const db = knex({
-  client: "pg",
-  connection: process.env.DB_CONNECTION_URI
-});
-
-const getZodPrimitiveType = (type: string) => {
-  switch (type) {
-    case "uuid":
-      return "z.string().uuid()";
-    case "character varying":
-      return "z.string()";
-    case "ARRAY":
-      return "z.string().array()";
-    case "boolean":
-      return "z.boolean()";
-    case "jsonb":
-      return "z.unknown()";
-    case "json":
-      return "z.unknown()";
-    case "timestamp with time zone":
-      return "z.date()";
-    case "integer":
-      return "z.number()";
-    case "bigint":
-      return "z.coerce.number()";
-    case "text":
-      return "z.string()";
-    default:
-      throw new Error(`Invalid type: ${type}`);
-  }
-};
-
-const getZodDefaultValue = (type: unknown, value: string | number | boolean | Object) => {
-  if (!value || value === "null") return;
-  switch (type) {
-    case "uuid":
-      return;
-    case "character varying": {
-      if (value === "gen_random_uuid()") return;
-      if (typeof value === "string" && value.includes("::")) {
-        return `.default(${value.split("::")[0]})`;
-      }
-      return `.default(${value})`;
-    }
-    case "ARRAY":
-      return `.default(${value})`;
-    case "boolean":
-      return `.default(${value})`;
-    case "jsonb":
-      return "z.string()";
-    case "json":
-      return "z.string()";
-    case "timestamp with time zone": {
-      if (value === "CURRENT_TIMESTAMP") return;
-      return "z.string().datetime()";
-    }
-    case "integer": {
-      if ((value as string).includes("nextval")) return;
-      return `.default(${value})`;
-    }
-    case "bigint": {
-      if ((value as string).includes("nextval")) return;
-      return `.default(${parseInt((value as string).split("::")[0].slice(1, -1), 10)})`;
-    }
-    case "text":
-      if (typeof value === "string" && value.includes("::")) {
-        return `.default(${value.split("::")[0]})`;
-      }
-      return `.default(${value})`;
-    default:
-      throw new Error(`Invalid type: ${type}`);
-  }
-};
-
-const main = async () => {
-  const tables = (
-    await db("information_schema.tables")
-      .whereRaw("table_schema =  current_schema()")
-      .select<{ tableName: string }[]>("table_name as tableName")
-      .orderBy("table_name")
-  ).filter((el) => !el.tableName.includes("_migrations"));
-
-  console.log("Select a table to generate schema");
-  console.table(tables);
-  console.log("all: all tables");
-  const selectedTables = prompt("Type table numbers comma seperated: ");
-  const tableNumbers =
-    selectedTables !== "all" ? selectedTables.split(",").map((el) => Number(el)) : [];
-
-  for (let i = 0; i < tables.length; i += 1) {
-    // skip if not desired table
-    if (selectedTables !== "all" && !tableNumbers.includes(i)) continue;
-
-    const { tableName } = tables[i];
-    const columns = await db(tableName).columnInfo();
-    const columnNames = Object.keys(columns);
-
-    let schema = "";
-    for (let colNum = 0; colNum < columnNames.length; colNum++) {
-      const columnName = columnNames[colNum];
-      const colInfo = columns[columnName];
-      let ztype = getZodPrimitiveType(colInfo.type);
-      if (colInfo.defaultValue) {
-        const { defaultValue } = colInfo;
-        const zSchema = getZodDefaultValue(colInfo.type, defaultValue);
-        if (zSchema) {
-          ztype = ztype.concat(zSchema);
-        }
-      }
-      if (colInfo.nullable) {
-        ztype = ztype.concat(".nullable().optional()");
-      }
-      schema = schema.concat(`${!schema ? "\n" : ""}  ${columnName}: ${ztype},\n`);
-    }
-
-    const dashcase = tableName.split("_").join("-");
-    const pascalCase = tableName
-      .split("_")
-      .reduce(
-        (prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`,
-        ""
-      );
-    writeFileSync(
-      path.join(__dirname, "../src/db/schemas", `${dashcase}.ts`),
-      `// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ${pascalCase}Schema = z.object({${schema}});
-
-export type T${pascalCase} = z.infer<typeof ${pascalCase}Schema>;
-export type T${pascalCase}Insert = Omit<T${pascalCase}, TImmutableDBKeys>;
-export type T${pascalCase}Update = Partial<Omit<T${pascalCase}, TImmutableDBKeys>>;
-`
-    );
-
-    // const file = readFileSync(path.join(__dirname, "../src/db/schemas/index.ts"), "utf8");
-    // if (!file.includes(`export * from "./${dashcase};"`)) {
-    //   appendFileSync(
-    //     path.join(__dirname, "../src/db/schemas/index.ts"),
-    //     `\nexport * from "./${dashcase}";`,
-    //     "utf8"
-    //   );
-    // }
-  }
-
-  process.exit(0);
-};
-
-main();
--- a/backend/spec.json
+++ b/backend/spec.json
--- a/backend/src/@types/fastify-zod.d.ts
+++ b/backend/src/@types/fastify-zod.d.ts
@ -1,18 +0,0 @@
-import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression, RawServerDefault } from "fastify";
-import { Logger } from "pino";
-
-import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
-
-declare global {
-  type FastifyZodProvider = FastifyInstance<
-    RawServerDefault,
-    RawRequestDefaultExpression<RawServerDefault>,
-    RawReplyDefaultExpression<RawServerDefault>,
-    Readonly<Logger>,
-    ZodTypeProvider
-  >;
-
-  // used only for testing
-  const testServer: FastifyZodProvider;
-  const jwtAuthToken: string;
-}
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -1,119 +0,0 @@
-import "fastify";
-
-import { TUsers } from "@app/db/schemas";
-import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
-import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
-import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
-import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
-import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
-import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
-import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
-import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
-import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
-import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
-import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
-import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
-import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
-import { ActorType } from "@app/services/auth/auth-type";
-import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
-import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
-import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
-import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
-import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
-import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
-import { TOrgServiceFactory } from "@app/services/org/org-service";
-import { TProjectServiceFactory } from "@app/services/project/project-service";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
-import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
-import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
-import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
-import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { TSecretServiceFactory } from "@app/services/secret/secret-service";
-import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
-import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
-import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
-import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
-import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
-import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
-import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
-import { TUserDALFactory } from "@app/services/user/user-dal";
-import { TUserServiceFactory } from "@app/services/user/user-service";
-import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
-
-declare module "fastify" {
-  interface FastifyRequest {
-    realIp: string;
-    // used for mfa session authentication
-    mfa: {
-      userId: string;
-      user: TUsers;
-    };
-    // identity injection. depending on which kinda of token the information is filled in auth
-    auth: TAuthMode;
-    permission: {
-      type: ActorType;
-      id: string;
-    };
-    // passport data
-    passportUser: {
-      isUserCompleted: string;
-      providerAuthToken: string;
-    };
-    auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
-    ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
-  }
-
-  interface FastifyInstance {
-    services: {
-      login: TAuthLoginFactory;
-      password: TAuthPasswordFactory;
-      signup: TAuthSignupFactory;
-      authToken: TAuthTokenServiceFactory;
-      permission: TPermissionServiceFactory;
-      org: TOrgServiceFactory;
-      orgRole: TOrgRoleServiceFactory;
-      superAdmin: TSuperAdminServiceFactory;
-      user: TUserServiceFactory;
-      apiKey: TApiKeyServiceFactory;
-      project: TProjectServiceFactory;
-      projectMembership: TProjectMembershipServiceFactory;
-      projectEnv: TProjectEnvServiceFactory;
-      projectKey: TProjectKeyServiceFactory;
-      projectRole: TProjectRoleServiceFactory;
-      secret: TSecretServiceFactory;
-      secretTag: TSecretTagServiceFactory;
-      secretImport: TSecretImportServiceFactory;
-      projectBot: TProjectBotServiceFactory;
-      folder: TSecretFolderServiceFactory;
-      integration: TIntegrationServiceFactory;
-      integrationAuth: TIntegrationAuthServiceFactory;
-      webhook: TWebhookServiceFactory;
-      serviceToken: TServiceTokenServiceFactory;
-      identity: TIdentityServiceFactory;
-      identityAccessToken: TIdentityAccessTokenServiceFactory;
-      identityProject: TIdentityProjectServiceFactory;
-      identityUa: TIdentityUaServiceFactory;
-      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
-      secretApprovalRequest: TSecretApprovalRequestServiceFactory;
-      secretRotation: TSecretRotationServiceFactory;
-      snapshot: TSecretSnapshotServiceFactory;
-      saml: TSamlConfigServiceFactory;
-      auditLog: TAuditLogServiceFactory;
-      secretScanning: TSecretScanningServiceFactory;
-      license: TLicenseServiceFactory;
-      trustedIp: TTrustedIpServiceFactory;
-      secretBlindIndex: TSecretBlindIndexServiceFactory;
-      telemetry: TTelemetryServiceFactory;
-    };
-    // this is exclusive use for middlewares in which we need to inject data
-    // everywhere else access using service layer
-    store: {
-      user: Pick<TUserDALFactory, "findById">;
-    };
-  }
-}
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -1,343 +0,0 @@
-import { Knex } from "knex";
-
-import {
-  TableName,
-  TApiKeys,
-  TApiKeysInsert,
-  TApiKeysUpdate,
-  TAuditLogs,
-  TAuditLogsInsert,
-  TAuditLogsUpdate,
-  TAuthTokens,
-  TAuthTokenSessions,
-  TAuthTokenSessionsInsert,
-  TAuthTokenSessionsUpdate,
-  TAuthTokensInsert,
-  TAuthTokensUpdate,
-  TBackupPrivateKey,
-  TBackupPrivateKeyInsert,
-  TBackupPrivateKeyUpdate,
-  TGitAppInstallSessions,
-  TGitAppInstallSessionsInsert,
-  TGitAppInstallSessionsUpdate,
-  TGitAppOrg,
-  TGitAppOrgInsert,
-  TGitAppOrgUpdate,
-  TIdentities,
-  TIdentitiesInsert,
-  TIdentitiesUpdate,
-  TIdentityAccessTokens,
-  TIdentityAccessTokensInsert,
-  TIdentityAccessTokensUpdate,
-  TIdentityOrgMemberships,
-  TIdentityOrgMembershipsInsert,
-  TIdentityOrgMembershipsUpdate,
-  TIdentityProjectMemberships,
-  TIdentityProjectMembershipsInsert,
-  TIdentityProjectMembershipsUpdate,
-  TIdentityUaClientSecrets,
-  TIdentityUaClientSecretsInsert,
-  TIdentityUaClientSecretsUpdate,
-  TIdentityUniversalAuths,
-  TIdentityUniversalAuthsInsert,
-  TIdentityUniversalAuthsUpdate,
-  TIncidentContacts,
-  TIncidentContactsInsert,
-  TIncidentContactsUpdate,
-  TIntegrationAuths,
-  TIntegrationAuthsInsert,
-  TIntegrationAuthsUpdate,
-  TIntegrations,
-  TIntegrationsInsert,
-  TIntegrationsUpdate,
-  TOrganizations,
-  TOrganizationsInsert,
-  TOrganizationsUpdate,
-  TOrgBots,
-  TOrgBotsInsert,
-  TOrgBotsUpdate,
-  TOrgMemberships,
-  TOrgMembershipsInsert,
-  TOrgMembershipsUpdate,
-  TOrgRoles,
-  TOrgRolesInsert,
-  TOrgRolesUpdate,
-  TProjectBots,
-  TProjectBotsInsert,
-  TProjectBotsUpdate,
-  TProjectEnvironments,
-  TProjectEnvironmentsInsert,
-  TProjectEnvironmentsUpdate,
-  TProjectKeys,
-  TProjectKeysInsert,
-  TProjectKeysUpdate,
-  TProjectMemberships,
-  TProjectMembershipsInsert,
-  TProjectMembershipsUpdate,
-  TProjectRoles,
-  TProjectRolesInsert,
-  TProjectRolesUpdate,
-  TProjects,
-  TProjectsInsert,
-  TProjectsUpdate,
-  TSamlConfigs,
-  TSamlConfigsInsert,
-  TSamlConfigsUpdate,
-  TSecretApprovalPolicies,
-  TSecretApprovalPoliciesApprovers,
-  TSecretApprovalPoliciesApproversInsert,
-  TSecretApprovalPoliciesApproversUpdate,
-  TSecretApprovalPoliciesInsert,
-  TSecretApprovalPoliciesUpdate,
-  TSecretApprovalRequests,
-  TSecretApprovalRequestSecretTags,
-  TSecretApprovalRequestSecretTagsInsert,
-  TSecretApprovalRequestSecretTagsUpdate,
-  TSecretApprovalRequestsInsert,
-  TSecretApprovalRequestsReviewers,
-  TSecretApprovalRequestsReviewersInsert,
-  TSecretApprovalRequestsReviewersUpdate,
-  TSecretApprovalRequestsSecrets,
-  TSecretApprovalRequestsSecretsInsert,
-  TSecretApprovalRequestsSecretsUpdate,
-  TSecretApprovalRequestsUpdate,
-  TSecretBlindIndexes,
-  TSecretBlindIndexesInsert,
-  TSecretBlindIndexesUpdate,
-  TSecretFolders,
-  TSecretFoldersInsert,
-  TSecretFoldersUpdate,
-  TSecretFolderVersions,
-  TSecretFolderVersionsInsert,
-  TSecretFolderVersionsUpdate,
-  TSecretImports,
-  TSecretImportsInsert,
-  TSecretImportsUpdate,
-  TSecretRotationOutputs,
-  TSecretRotationOutputsInsert,
-  TSecretRotationOutputsUpdate,
-  TSecretRotations,
-  TSecretRotationsInsert,
-  TSecretRotationsUpdate,
-  TSecrets,
-  TSecretScanningGitRisks,
-  TSecretScanningGitRisksInsert,
-  TSecretScanningGitRisksUpdate,
-  TSecretsInsert,
-  TSecretSnapshotFolders,
-  TSecretSnapshotFoldersInsert,
-  TSecretSnapshotFoldersUpdate,
-  TSecretSnapshots,
-  TSecretSnapshotSecrets,
-  TSecretSnapshotSecretsInsert,
-  TSecretSnapshotSecretsUpdate,
-  TSecretSnapshotsInsert,
-  TSecretSnapshotsUpdate,
-  TSecretsUpdate,
-  TSecretTagJunction,
-  TSecretTagJunctionInsert,
-  TSecretTagJunctionUpdate,
-  TSecretTags,
-  TSecretTagsInsert,
-  TSecretTagsUpdate,
-  TSecretVersions,
-  TSecretVersionsInsert,
-  TSecretVersionsUpdate,
-  TSecretVersionTagJunction,
-  TSecretVersionTagJunctionInsert,
-  TSecretVersionTagJunctionUpdate,
-  TServiceTokens,
-  TServiceTokensInsert,
-  TServiceTokensUpdate,
-  TSuperAdmin,
-  TSuperAdminInsert,
-  TSuperAdminUpdate,
-  TTrustedIps,
-  TTrustedIpsInsert,
-  TTrustedIpsUpdate,
-  TUserActions,
-  TUserActionsInsert,
-  TUserActionsUpdate,
-  TUserEncryptionKeys,
-  TUserEncryptionKeysInsert,
-  TUserEncryptionKeysUpdate,
-  TUsers,
-  TUsersInsert,
-  TUsersUpdate,
-  TWebhooks,
-  TWebhooksInsert,
-  TWebhooksUpdate
-} from "@app/db/schemas";
-
-declare module "knex/types/tables" {
-  interface Tables {
-    [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
-    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
-      TUserEncryptionKeys,
-      TUserEncryptionKeysInsert,
-      TUserEncryptionKeysUpdate
-    >;
-    [TableName.AuthTokens]: Knex.CompositeTableType<TAuthTokens, TAuthTokensInsert, TAuthTokensUpdate>;
-    [TableName.AuthTokenSession]: Knex.CompositeTableType<
-      TAuthTokenSessions,
-      TAuthTokenSessionsInsert,
-      TAuthTokenSessionsUpdate
-    >;
-    [TableName.BackupPrivateKey]: Knex.CompositeTableType<
-      TBackupPrivateKey,
-      TBackupPrivateKeyInsert,
-      TBackupPrivateKeyUpdate
-    >;
-    [TableName.Organization]: Knex.CompositeTableType<TOrganizations, TOrganizationsInsert, TOrganizationsUpdate>;
-    [TableName.OrgMembership]: Knex.CompositeTableType<TOrgMemberships, TOrgMembershipsInsert, TOrgMembershipsUpdate>;
-    [TableName.OrgRoles]: Knex.CompositeTableType<TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate>;
-    [TableName.IncidentContact]: Knex.CompositeTableType<
-      TIncidentContacts,
-      TIncidentContactsInsert,
-      TIncidentContactsUpdate
-    >;
-    [TableName.UserAction]: Knex.CompositeTableType<TUserActions, TUserActionsInsert, TUserActionsUpdate>;
-    [TableName.SuperAdmin]: Knex.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
-    [TableName.ApiKey]: Knex.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
-    [TableName.Project]: Knex.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
-    [TableName.ProjectMembership]: Knex.CompositeTableType<
-      TProjectMemberships,
-      TProjectMembershipsInsert,
-      TProjectMembershipsUpdate
-    >;
-    [TableName.Environment]: Knex.CompositeTableType<
-      TProjectEnvironments,
-      TProjectEnvironmentsInsert,
-      TProjectEnvironmentsUpdate
-    >;
-    [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
-    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
-    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
-    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
-    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
-      TSecretBlindIndexes,
-      TSecretBlindIndexesInsert,
-      TSecretBlindIndexesUpdate
-    >;
-    [TableName.SecretVersion]: Knex.CompositeTableType<TSecretVersions, TSecretVersionsInsert, TSecretVersionsUpdate>;
-    [TableName.SecretFolder]: Knex.CompositeTableType<TSecretFolders, TSecretFoldersInsert, TSecretFoldersUpdate>;
-    [TableName.SecretFolderVersion]: Knex.CompositeTableType<
-      TSecretFolderVersions,
-      TSecretFolderVersionsInsert,
-      TSecretFolderVersionsUpdate
-    >;
-    [TableName.SecretTag]: Knex.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
-    [TableName.SecretImport]: Knex.CompositeTableType<TSecretImports, TSecretImportsInsert, TSecretImportsUpdate>;
-    [TableName.Integration]: Knex.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
-    [TableName.Webhook]: Knex.CompositeTableType<TWebhooks, TWebhooksInsert, TWebhooksUpdate>;
-    [TableName.ServiceToken]: Knex.CompositeTableType<TServiceTokens, TServiceTokensInsert, TServiceTokensUpdate>;
-    [TableName.IntegrationAuth]: Knex.CompositeTableType<
-      TIntegrationAuths,
-      TIntegrationAuthsInsert,
-      TIntegrationAuthsUpdate
-    >;
-    [TableName.Identity]: Knex.CompositeTableType<TIdentities, TIdentitiesInsert, TIdentitiesUpdate>;
-    [TableName.IdentityUniversalAuth]: Knex.CompositeTableType<
-      TIdentityUniversalAuths,
-      TIdentityUniversalAuthsInsert,
-      TIdentityUniversalAuthsUpdate
-    >;
-    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
-      TIdentityUaClientSecrets,
-      TIdentityUaClientSecretsInsert,
-      TIdentityUaClientSecretsUpdate
-    >;
-    [TableName.IdentityAccessToken]: Knex.CompositeTableType<
-      TIdentityAccessTokens,
-      TIdentityAccessTokensInsert,
-      TIdentityAccessTokensUpdate
-    >;
-    [TableName.IdentityOrgMembership]: Knex.CompositeTableType<
-      TIdentityOrgMemberships,
-      TIdentityOrgMembershipsInsert,
-      TIdentityOrgMembershipsUpdate
-    >;
-    [TableName.IdentityProjectMembership]: Knex.CompositeTableType<
-      TIdentityProjectMemberships,
-      TIdentityProjectMembershipsInsert,
-      TIdentityProjectMembershipsUpdate
-    >;
-    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
-      TSecretApprovalPolicies,
-      TSecretApprovalPoliciesInsert,
-      TSecretApprovalPoliciesUpdate
-    >;
-    [TableName.SecretApprovalPolicyApprover]: Knex.CompositeTableType<
-      TSecretApprovalPoliciesApprovers,
-      TSecretApprovalPoliciesApproversInsert,
-      TSecretApprovalPoliciesApproversUpdate
-    >;
-    [TableName.SecretApprovalRequest]: Knex.CompositeTableType<
-      TSecretApprovalRequests,
-      TSecretApprovalRequestsInsert,
-      TSecretApprovalRequestsUpdate
-    >;
-    [TableName.SecretApprovalRequestReviewer]: Knex.CompositeTableType<
-      TSecretApprovalRequestsReviewers,
-      TSecretApprovalRequestsReviewersInsert,
-      TSecretApprovalRequestsReviewersUpdate
-    >;
-    [TableName.SecretApprovalRequestSecret]: Knex.CompositeTableType<
-      TSecretApprovalRequestsSecrets,
-      TSecretApprovalRequestsSecretsInsert,
-      TSecretApprovalRequestsSecretsUpdate
-    >;
-    [TableName.SecretApprovalRequestSecretTag]: Knex.CompositeTableType<
-      TSecretApprovalRequestSecretTags,
-      TSecretApprovalRequestSecretTagsInsert,
-      TSecretApprovalRequestSecretTagsUpdate
-    >;
-    [TableName.SecretRotation]: Knex.CompositeTableType<
-      TSecretRotations,
-      TSecretRotationsInsert,
-      TSecretRotationsUpdate
-    >;
-    [TableName.SecretRotationOutput]: Knex.CompositeTableType<
-      TSecretRotationOutputs,
-      TSecretRotationOutputsInsert,
-      TSecretRotationOutputsUpdate
-    >;
-    [TableName.Snapshot]: Knex.CompositeTableType<TSecretSnapshots, TSecretSnapshotsInsert, TSecretSnapshotsUpdate>;
-    [TableName.SnapshotSecret]: Knex.CompositeTableType<
-      TSecretSnapshotSecrets,
-      TSecretSnapshotSecretsInsert,
-      TSecretSnapshotSecretsUpdate
-    >;
-    [TableName.SnapshotFolder]: Knex.CompositeTableType<
-      TSecretSnapshotFolders,
-      TSecretSnapshotFoldersInsert,
-      TSecretSnapshotFoldersUpdate
-    >;
-    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
-    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
-    [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
-    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
-      TGitAppInstallSessions,
-      TGitAppInstallSessionsInsert,
-      TGitAppInstallSessionsUpdate
-    >;
-    [TableName.GitAppOrg]: Knex.CompositeTableType<TGitAppOrg, TGitAppOrgInsert, TGitAppOrgUpdate>;
-    [TableName.SecretScanningGitRisk]: Knex.CompositeTableType<
-      TSecretScanningGitRisks,
-      TSecretScanningGitRisksInsert,
-      TSecretScanningGitRisksUpdate
-    >;
-    [TableName.TrustedIps]: Knex.CompositeTableType<TTrustedIps, TTrustedIpsInsert, TTrustedIpsUpdate>;
-    // Junction tables
-    [TableName.JnSecretTag]: Knex.CompositeTableType<
-      TSecretTagJunction,
-      TSecretTagJunctionInsert,
-      TSecretTagJunctionUpdate
-    >;
-    [TableName.SecretVersionTag]: Knex.CompositeTableType<
-      TSecretVersionTagJunction,
-      TSecretVersionTagJunctionInsert,
-      TSecretVersionTagJunctionUpdate
-    >;
-  }
-}
--- a/backend/src/@types/passport-gitlab2.d.ts
+++ b/backend/src/@types/passport-gitlab2.d.ts
@ -1 +0,0 @@
-declare module "passport-gitlab2";
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@ -0,0 +1,140 @@
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { patchRouterParam } = require('./utils/patchAsyncRoutes');
+
+import express, { Request, Response } from 'express';
+import helmet from 'helmet';
+import cors from 'cors';
+import cookieParser from 'cookie-parser';
+import dotenv from 'dotenv';
+import swaggerUi = require('swagger-ui-express');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const swaggerFile = require('../spec.json');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const requestIp = require('request-ip');
+
+dotenv.config();
+import { PORT, NODE_ENV, SITE_URL } from './config';
+import { apiLimiter } from './helpers/rateLimiter';
+
+import {
+  workspace as eeWorkspaceRouter,
+  secret as eeSecretRouter,
+  secretSnapshot as eeSecretSnapshotRouter,
+  action as eeActionRouter
+} from './ee/routes/v1';
+import {
+  signup as v1SignupRouter,
+  auth as v1AuthRouter,
+  bot as v1BotRouter,
+  organization as v1OrganizationRouter,
+  workspace as v1WorkspaceRouter,
+  membershipOrg as v1MembershipOrgRouter,
+  membership as v1MembershipRouter,
+  key as v1KeyRouter,
+  inviteOrg as v1InviteOrgRouter,
+  user as v1UserRouter,
+  userAction as v1UserActionRouter,
+  secret as v1SecretRouter,
+  serviceToken as v1ServiceTokenRouter,
+  password as v1PasswordRouter,
+  stripe as v1StripeRouter,
+  integration as v1IntegrationRouter,
+  integrationAuth as v1IntegrationAuthRouter
+} from './routes/v1';
+import {
+  users as v2UsersRouter,
+  organizations as v2OrganizationsRouter,
+  workspace as v2WorkspaceRouter,
+  secret as v2SecretRouter, // begin to phase out
+  secrets as v2SecretsRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  apiKeyData as v2APIKeyDataRouter,
+  environment as v2EnvironmentRouter,
+  tags as v2TagsRouter,
+} from './routes/v2';
+
+import { healthCheck } from './routes/status';
+
+import { getLogger } from './utils/logger';
+import { RouteNotFoundError } from './utils/errors';
+import { requestErrorHandler } from './middleware/requestErrorHandler';
+
+// patch async route params to handle Promise Rejections
+patchRouterParam();
+
+export const app = express();
+
+app.enable('trust proxy');
+app.use(express.json());
+app.use(cookieParser());
+app.use(
+  cors({
+    credentials: true,
+    origin: SITE_URL
+  })
+);
+
+app.use(requestIp.mw())
+
+if (NODE_ENV === 'production') {
+  // enable app-wide rate-limiting + helmet security
+  // in production
+  app.disable('x-powered-by');
+  app.use(apiLimiter);
+  app.use(helmet());
+}
+
+// (EE) routes
+app.use('/api/v1/secret', eeSecretRouter);
+app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
+app.use('/api/v1/workspace', eeWorkspaceRouter);
+app.use('/api/v1/action', eeActionRouter);
+
+// v1 routes
+app.use('/api/v1/signup', v1SignupRouter);
+app.use('/api/v1/auth', v1AuthRouter);
+app.use('/api/v1/bot', v1BotRouter);
+app.use('/api/v1/user', v1UserRouter);
+app.use('/api/v1/user-action', v1UserActionRouter);
+app.use('/api/v1/organization', v1OrganizationRouter);
+app.use('/api/v1/workspace', v1WorkspaceRouter);
+app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+app.use('/api/v1/membership', v1MembershipRouter);
+app.use('/api/v1/key', v1KeyRouter);
+app.use('/api/v1/invite-org', v1InviteOrgRouter);
+app.use('/api/v1/secret', v1SecretRouter);
+app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
+app.use('/api/v1/password', v1PasswordRouter);
+app.use('/api/v1/stripe', v1StripeRouter);
+app.use('/api/v1/integration', v1IntegrationRouter);
+app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+
+// v2 routes
+app.use('/api/v2/users', v2UsersRouter);
+app.use('/api/v2/organizations', v2OrganizationsRouter);
+app.use('/api/v2/workspace', v2EnvironmentRouter);
+app.use('/api/v2/workspace', v2TagsRouter);
+app.use('/api/v2/workspace', v2WorkspaceRouter);
+app.use('/api/v2/secret', v2SecretRouter); // deprecated
+app.use('/api/v2/secrets', v2SecretsRouter);
+app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+app.use('/api/v2/api-key', v2APIKeyDataRouter);
+
+// api docs 
+app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+// Server status
+app.use('/api', healthCheck)
+
+//* Handle unrouted requests and respond with proper error message as well as status code
+app.use((req, res, next) => {
+  if (res.headersSent) return next();
+  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
+})
+
+//* Error Handling Middleware (must be after all routing logic)
+app.use(requestErrorHandler)
+
+export const server = app.listen(PORT, () => {
+  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
+});
--- a/backend/src/cache/redis.ts
+++ b/backend/src/cache/redis.ts
@ -1,6 +0,0 @@
-import Redis from "ioredis";
-
-export const initRedisConnection = (redisUrl: string) => {
-  const redis = new Redis(redisUrl);
-  return redis;
-};
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -0,0 +1,99 @@
+const PORT = process.env.PORT || 4000;
+const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
+const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
+const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
+const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
+const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
+const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
+const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
+const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
+const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
+const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
+const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
+const MONGO_URL = process.env.MONGO_URL!;
+const NODE_ENV = process.env.NODE_ENV! || 'production';
+const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
+const LOKI_HOST = process.env.LOKI_HOST || undefined;
+const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
+const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
+const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
+const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
+const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
+const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
+const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
+const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
+const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
+const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
+const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
+const POSTHOG_PROJECT_API_KEY =
+  process.env.POSTHOG_PROJECT_API_KEY! ||
+  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+const SENTRY_DSN = process.env.SENTRY_DSN!;
+const SITE_URL = process.env.SITE_URL!;
+const SMTP_HOST = process.env.SMTP_HOST!;
+const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
+const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
+const SMTP_USERNAME = process.env.SMTP_USERNAME!;
+const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
+const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
+const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
+const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
+const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
+const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
+const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
+const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
+const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
+const LICENSE_KEY = process.env.LICENSE_KEY!;
+
+export {
+  PORT,
+  EMAIL_TOKEN_LIFETIME,
+  INVITE_ONLY_SIGNUP,
+  ENCRYPTION_KEY,
+  SALT_ROUNDS,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_LIFETIME,
+  JWT_REFRESH_SECRET,
+  JWT_SERVICE_SECRET,
+  JWT_SIGNUP_LIFETIME,
+  JWT_SIGNUP_SECRET,
+  MONGO_URL,
+  NODE_ENV,
+  VERBOSE_ERROR_OUTPUT,
+  LOKI_HOST,
+  CLIENT_ID_AZURE,
+  TENANT_ID_AZURE,
+  CLIENT_ID_HEROKU,
+  CLIENT_ID_VERCEL,
+  CLIENT_ID_NETLIFY,
+  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
+  CLIENT_SECRET_HEROKU,
+  CLIENT_SECRET_VERCEL,
+  CLIENT_SECRET_NETLIFY,
+  CLIENT_SECRET_GITHUB,
+  CLIENT_SLUG_VERCEL,
+  POSTHOG_HOST,
+  POSTHOG_PROJECT_API_KEY,
+  SENTRY_DSN,
+  SITE_URL,
+  SMTP_HOST,
+  SMTP_PORT,
+  SMTP_SECURE,
+  SMTP_USERNAME,
+  SMTP_PASSWORD,
+  SMTP_FROM_ADDRESS,
+  SMTP_FROM_NAME,
+  STRIPE_PRODUCT_STARTER,
+  STRIPE_PRODUCT_TEAM,
+  STRIPE_PRODUCT_PRO,
+  STRIPE_PUBLISHABLE_KEY,
+  STRIPE_SECRET_KEY,
+  STRIPE_WEBHOOK_SECRET,
+  TELEMETRY_ENABLED,
+  LICENSE_KEY
+};
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -0,0 +1,261 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
+import {
+  ACTION_LOGIN,
+  ACTION_LOGOUT
+} from '../../variables';
+import {
+  NODE_ENV,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_SECRET
+} from '../../config';
+import { BadRequestError } from '../../utils/errors';
+import { EELogService } from '../../ee/services';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+
+declare module 'jsonwebtoken' {
+  export interface UserIDJwtPayload extends jwt.JwtPayload {
+    userId: string;
+  }
+}
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+  try {
+    const {
+      email,
+      clientPublicKey
+    }: { email: string; clientPublicKey: string } = req.body;
+
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier');
+
+    if (!user) throw new Error('Failed to find user');
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier
+      },
+      async () => {
+        // generate server-side public key
+        const serverPublicKey = server.getPublicKey();
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false })
+
+        return res.status(200).send({
+          serverPublicKey,
+          salt: user.salt
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to start authentication process'
+    });
+  }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+  try {
+    const { email, clientProof } = req.body;
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+
+    if (!user) throw new Error('Failed to find user');
+
+    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+    if (!loginSRPDetailFromDB) {
+      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    }
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier,
+        b: loginSRPDetailFromDB.serverBInt
+      },
+      async () => {
+        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+
+        // compare server and client shared keys
+        if (server.checkClientProof(clientProof)) {
+          // issue tokens
+          const tokens = await issueTokens({ userId: user._id.toString() });
+
+          // store (refresh) token in httpOnly cookie
+          res.cookie('jid', tokens.refreshToken, {
+            httpOnly: true,
+            path: '/',
+            sameSite: 'strict',
+            secure: NODE_ENV === 'production' ? true : false
+          });
+
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+          
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+          
+          // return (access) token in response
+          return res.status(200).send({
+            token: tokens.token,
+            publicKey: user.publicKey,
+            encryptedPrivateKey: user.encryptedPrivateKey,
+            iv: user.iv,
+            tag: user.tag
+          });
+        }
+
+        return res.status(400).send({
+          message: 'Failed to authenticate. Try again?'
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to authenticate. Try again?'
+    });
+  }
+};
+
+/**
+ * Log out user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const logout = async (req: Request, res: Response) => {
+  try {
+    await clearTokens({
+      userId: req.user._id.toString()
+    });
+
+    // clear httpOnly cookie
+    res.cookie('jid', '', {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'strict',
+      secure: NODE_ENV === 'production' ? true : false
+    });
+
+    const logoutAction = await EELogService.createAction({
+      name: ACTION_LOGOUT,
+      userId: req.user._id
+    });
+    
+    logoutAction && await EELogService.createLog({
+      userId: req.user._id,
+      actions: [logoutAction],
+      channel: getChannelFromUserAgent(req.headers['user-agent']),
+      ipAddress: req.ip
+    });
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to logout'
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully logged out.'
+  });
+};
+
+/**
+ * Return user is authenticated
+ * @param req
+ * @param res
+ * @returns
+ */
+export const checkAuth = async (req: Request, res: Response) => {
+  return res.status(200).send({
+    message: 'Authenticated'
+  });
+}
+
+/**
+ * Return new token by redeeming refresh token
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getNewToken = async (req: Request, res: Response) => {
+  try {
+    const refreshToken = req.cookies.jid;
+
+    if (!refreshToken) {
+      throw new Error('Failed to find token in request cookies');
+    }
+
+    const decodedToken = <jwt.UserIDJwtPayload>(
+      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
+    );
+
+    const user = await User.findOne({
+      _id: decodedToken.userId
+    }).select('+publicKey');
+
+    if (!user) throw new Error('Failed to authenticate unfound user');
+    if (!user?.publicKey)
+      throw new Error('Failed to authenticate not fully set up account');
+
+    const token = createToken({
+      payload: {
+        userId: decodedToken.userId
+      },
+      expiresIn: JWT_AUTH_LIFETIME,
+      secret: JWT_AUTH_SECRET
+    });
+
+    return res.status(200).send({
+      token
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Invalid request'
+    });
+  }
+};
--- a/backend/src/controllers/v1/botController.ts
+++ b/backend/src/controllers/v1/botController.ts
@ -0,0 +1,107 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Bot, BotKey } from '../../models';
+import { createBot } from '../../helpers/bot';
+
+interface BotKey {
+    encryptedKey: string;
+    nonce: string;
+}
+
+/**
+ * Return bot for workspace with id [workspaceId]. If a workspace bot doesn't exist,
+ * then create and return a new bot.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getBotByWorkspaceId = async (req: Request, res: Response) => {
+    let bot;
+	try {
+        const { workspaceId } = req.params;
+
+        bot = await Bot.findOne({
+            workspace: workspaceId
+        });
+        
+        if (!bot) {
+            // case: bot doesn't exist for workspace with id [workspaceId]
+            // -> create a new bot and return it
+            bot = await createBot({
+                name: 'Infisical Bot',
+                workspaceId
+            });
+        }
+	} catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+        return res.status(400).send({
+			message: 'Failed to get bot for workspace'
+		});
+	}
+    
+    return res.status(200).send({
+        bot
+    });
+};
+
+/**
+ * Return bot with id [req.bot._id] with active state set to [isActive].
+ * @param req
+ * @param res
+ * @returns
+ */
+export const setBotActiveState = async (req: Request, res: Response) => {
+    let bot;
+	try {
+        const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
+        
+        if (isActive) {
+            // bot state set to active -> share workspace key with bot
+            if (!botKey?.encryptedKey || !botKey?.nonce) {
+                return res.status(400).send({
+                    message: 'Failed to set bot state to active - missing bot key'
+                });
+            }
+            
+            await BotKey.findOneAndUpdate({
+                workspace: req.bot.workspace
+            }, {
+                encryptedKey: botKey.encryptedKey,
+                nonce: botKey.nonce,
+                sender: req.user._id,
+                bot: req.bot._id,
+                workspace: req.bot.workspace
+            }, {
+                upsert: true,
+                new: true
+            });
+        } else {
+            // case: bot state set to inactive -> delete bot's workspace key
+            await BotKey.deleteOne({
+                bot: req.bot._id
+            });
+        }
+
+        bot = await Bot.findOneAndUpdate({
+            _id: req.bot._id
+        }, {
+            isActive
+        }, {
+            new: true
+        });
+        
+        if (!bot) throw new Error('Failed to update bot active state');
+        
+	} catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+        return res.status(400).send({
+			message: 'Failed to update bot active state'
+		});
+	}
+    
+    return res.status(200).send({
+        bot
+    });
+};
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
@ -0,0 +1,35 @@
+import * as authController from './authController';
+import * as botController from './botController';
+import * as integrationAuthController from './integrationAuthController';
+import * as integrationController from './integrationController';
+import * as keyController from './keyController';
+import * as membershipController from './membershipController';
+import * as membershipOrgController from './membershipOrgController';
+import * as organizationController from './organizationController';
+import * as passwordController from './passwordController';
+import * as secretController from './secretController';
+import * as serviceTokenController from './serviceTokenController';
+import * as signupController from './signupController';
+import * as stripeController from './stripeController';
+import * as userActionController from './userActionController';
+import * as userController from './userController';
+import * as workspaceController from './workspaceController';
+
+export {
+	authController,
+	botController,
+	integrationAuthController,
+	integrationController,
+	keyController,
+	membershipController,
+	membershipOrgController,
+	organizationController,
+	passwordController,
+	secretController,
+	serviceTokenController,
+	signupController,
+	stripeController,
+	userActionController,
+	userController,
+	workspaceController
+};
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -0,0 +1,200 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
+import {
+	Integration, 
+	IntegrationAuth,
+	Bot 
+} from '../../models';
+import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
+import { IntegrationService } from '../../services';
+import { getApps, revokeAccess } from '../../integrations';
+
+/***
+ * Return integration authorization with id [integrationAuthId]
+ */
+export const getIntegrationAuth = async (req: Request, res: Response) => {
+	let integrationAuth;
+	try {
+		const { integrationAuthId } = req.params;
+		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+		
+		if (!integrationAuth) return res.status(400).send({
+			message: 'Failed to find integration authorization'
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get integration authorization'
+		});	
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
+
+export const getIntegrationOptions = async (req: Request, res: Response) => {
+  return res.status(200).send({
+    integrationOptions: INTEGRATION_OPTIONS,
+  });
+};
+
+/**
+ * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const oAuthExchange = async (
+	req: Request,
+	res: Response
+) => {
+	try {
+		const { workspaceId, code, integration } = req.body;
+		if (!INTEGRATION_SET.has(integration))
+			throw new Error('Failed to validate integration');
+		
+		const environments = req.membership.workspace?.environments || [];
+		if(environments.length === 0){
+			throw new Error("Failed to get environments")
+		}
+	
+		const integrationAuth = await IntegrationService.handleOAuthExchange({
+			workspaceId,
+			integration,
+			code,
+			environment: environments[0].slug,
+		});
+		
+		return res.status(200).send({
+			integrationAuth
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get OAuth2 code-token exchange'
+		});
+	}
+};
+
+/**
+ * Save integration access token and (optionally) access id as part of integration
+ * [integration] for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const saveIntegrationAccessToken = async (
+  req: Request,
+  res: Response
+) => {
+	// TODO: refactor
+	// TODO: check if access token is valid for each integration
+
+	let integrationAuth;
+	try {
+		const {
+			workspaceId,
+			accessId,
+			accessToken,
+			integration
+		}: {
+			workspaceId: string;
+			accessId: string | null;
+			accessToken: string;
+			integration: string;
+		} = req.body;
+
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+
+		integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+        }, {
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+		}, {
+            new: true,
+            upsert: true
+        });
+		
+		// encrypt and save integration access details
+		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString(),
+			accessId,
+			accessToken,
+			accessExpiresAt: undefined
+		});
+		
+		if (!integrationAuth) throw new Error('Failed to save integration access token');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to save access token for integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
+
+/**
+ * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthApps = async (req: Request, res: Response) => {
+  let apps;
+  try {
+    apps = await getApps({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get integration authorization applications",
+    });
+  }
+
+  return res.status(200).send({
+    apps,
+  });
+};
+
+/**
+ * Delete integration authorization with id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+  let integrationAuth;
+  try {
+    integrationAuth = await revokeAccess({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration authorization",
+    });
+  }
+
+  return res.status(200).send({
+    integrationAuth,
+  });
+};
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -0,0 +1,161 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
+import { 
+	Integration, 
+	Workspace,
+	Bot, 
+	BotKey 
+} from '../../models';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+
+/**
+ * Create/initialize an (empty) integration for integration authorization
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createIntegration = async (req: Request, res: Response) => {
+	let integration;
+	try {
+		const {
+			integrationAuthId,
+			app,
+			appId,
+			isActive,
+			sourceEnvironment,
+			targetEnvironment,
+			owner,
+			path,
+			region
+		} = req.body;
+		
+		// TODO: validate [sourceEnvironment] and [targetEnvironment]
+
+		// initialize new integration after saving integration access token
+        integration = await new Integration({
+            workspace: req.integrationAuth.workspace._id,
+            environment: sourceEnvironment,
+            isActive,
+            app,
+			appId,
+			targetEnvironment,
+			owner,
+			path,
+			region,
+            integration: req.integrationAuth.integration,
+            integrationAuth: new Types.ObjectId(integrationAuthId)
+        }).save();
+		
+		if (integration) {
+			// trigger event - push secrets
+			EventService.handleEvent({
+				event: eventPushSecrets({
+					workspaceId: integration.workspace.toString()
+				})
+			});
+		}
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create integration'
+		});
+	}
+
+  return res.status(200).send({
+    integration,
+  });
+};
+
+/**
+ * Change environment or name of integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const updateIntegration = async (req: Request, res: Response) => {
+  let integration;
+
+  // TODO: add integration-specific validation to ensure that each
+  // integration has the correct fields populated in [Integration]
+
+  try {
+    const {
+      environment,
+      isActive,
+      app,
+      appId,
+      targetEnvironment,
+      owner, // github-specific integration param
+    } = req.body;
+
+    integration = await Integration.findOneAndUpdate(
+      {
+        _id: req.integration._id,
+      },
+      {
+        environment,
+        isActive,
+        app,
+        appId,
+        targetEnvironment,
+        owner,
+      },
+      {
+        new: true,
+      }
+    );
+
+    if (integration) {
+      // trigger event - push secrets
+      EventService.handleEvent({
+        event: eventPushSecrets({
+          workspaceId: integration.workspace.toString(),
+        }),
+      });
+    }
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to update integration",
+    });
+  }
+
+  return res.status(200).send({
+    integration,
+  });
+};
+
+/**
+ * Delete integration with id [integrationId] and deactivate bot if there are
+ * no integrations left
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegration = async (req: Request, res: Response) => {
+  let integration;
+  try {
+    const { integrationId } = req.params;
+
+    integration = await Integration.findOneAndDelete({
+      _id: integrationId,
+    });
+
+    if (!integration) throw new Error("Failed to find integration");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration",
+    });
+  }
+
+  return res.status(200).send({
+    integration,
+  });
+};
--- a/backend/src/controllers/v1/keyController.ts
+++ b/backend/src/controllers/v1/keyController.ts
@ -0,0 +1,82 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Key } from '../../models';
+import { findMembership } from '../../helpers/membership';
+
+/**
+ * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
+ * id [key.userId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const uploadKey = async (req: Request, res: Response) => {
+	try {
+		const { workspaceId } = req.params;
+		const { key } = req.body;
+
+		// validate membership of receiver
+		const receiverMembership = await findMembership({
+			user: key.userId,
+			workspace: workspaceId
+		});
+
+		if (!receiverMembership) {
+			throw new Error('Failed receiver membership validation for workspace');
+		}
+
+		await new Key({
+			encryptedKey: key.encryptedKey,
+			nonce: key.nonce,
+			sender: req.user._id,
+			receiver: key.userId,
+			workspace: workspaceId
+		}).save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload key to workspace'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully uploaded key to workspace'
+	});
+};
+
+/**
+ * Return latest (encrypted) copy of workspace key for user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getLatestKey = async (req: Request, res: Response) => {
+	let latestKey;
+	try {
+		const { workspaceId } = req.params;
+
+		// get latest key
+		latestKey = await Key.find({
+			workspace: workspaceId,
+			receiver: req.user._id
+		})
+			.sort({ createdAt: -1 })
+			.limit(1)
+			.populate('sender', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get latest key'
+		});
+	}
+
+	const resObj: any = {};
+
+	if (latestKey.length > 0) {
+		resObj['latestKey'] = latestKey[0];
+	}
+
+	return res.status(200).send(resObj);
+};
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -0,0 +1,233 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
+import {
+	findMembership,
+	deleteMembership as deleteMember
+} from '../../helpers/membership';
+import { sendMail } from '../../helpers/nodemailer';
+import { SITE_URL } from '../../config';
+import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
+
+/**
+ * Check that user is a member of workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const validateMembership = async (req: Request, res: Response) => {
+	try {
+		const { workspaceId } = req.params;
+
+		// validate membership
+		const membership = await findMembership({
+			user: req.user._id,
+			workspace: workspaceId
+		});
+
+		if (!membership) {
+			throw new Error('Failed to validate membership');
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed workspace connection check'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Workspace membership confirmed'
+	});
+};
+
+/**
+ * Delete membership with id [membershipId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteMembership = async (req: Request, res: Response) => {
+	let deletedMembership;
+	try {
+		const { membershipId } = req.params;
+
+		// check if membership to delete exists
+		const membershipToDelete = await Membership.findOne({
+			_id: membershipId
+		}).populate('user');
+
+		if (!membershipToDelete) {
+			throw new Error(
+				"Failed to delete workspace membership that doesn't exist"
+			);
+		}
+
+		// check if user is a member and admin of the workspace
+		// whose membership we wish to delete
+		const membership = await Membership.findOne({
+			user: req.user._id,
+			workspace: membershipToDelete.workspace
+		});
+
+		if (!membership) {
+			throw new Error('Failed to validate workspace membership');
+		}
+
+		if (membership.role !== ADMIN) {
+			// user is not an admin member of the workspace
+			throw new Error('Insufficient role for deleting workspace membership');
+		}
+
+		// delete workspace membership
+		deletedMembership = await deleteMember({
+			membershipId: membershipToDelete._id.toString()
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete membership'
+		});
+	}
+
+	return res.status(200).send({
+		deletedMembership
+	});
+};
+
+/**
+ * Change and return workspace membership role
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changeMembershipRole = async (req: Request, res: Response) => {
+	let membershipToChangeRole;
+	try {
+		const { membershipId } = req.params;
+		const { role } = req.body;
+
+		if (![ADMIN, MEMBER].includes(role)) {
+			throw new Error('Failed to validate role');
+		}
+
+		// validate target membership
+		membershipToChangeRole = await findMembership({
+			_id: membershipId
+		});
+
+		if (!membershipToChangeRole) {
+			throw new Error('Failed to find membership to change role');
+		}
+
+		// check if user is a member and admin of target membership's
+		// workspace
+		const membership = await findMembership({
+			user: req.user._id,
+			workspace: membershipToChangeRole.workspace
+		});
+
+		if (!membership) {
+			throw new Error('Failed to validate membership');
+		}
+
+		if (membership.role !== ADMIN) {
+			// user is not an admin member of the workspace
+			throw new Error('Insufficient role for changing member roles');
+		}
+
+		membershipToChangeRole.role = role;
+		await membershipToChangeRole.save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change membership role'
+		});
+	}
+
+	return res.status(200).send({
+		membership: membershipToChangeRole
+	});
+};
+
+/**
+ * Add user with email [email] to workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const inviteUserToWorkspace = async (req: Request, res: Response) => {
+	let invitee, latestKey;
+	try {
+		const { workspaceId } = req.params;
+		const { email }: { email: string } = req.body;
+
+		invitee = await User.findOne({
+			email
+		}).select('+publicKey');
+
+		if (!invitee || !invitee?.publicKey)
+			throw new Error('Failed to validate invitee');
+
+		// validate invitee's workspace membership - ensure member isn't
+		// already a member of the workspace
+		const inviteeMembership = await Membership.findOne({
+			user: invitee._id,
+			workspace: workspaceId
+		});
+
+		if (inviteeMembership)
+			throw new Error('Failed to add existing member of workspace');
+
+		// validate invitee's organization membership - ensure that only
+		// (accepted) organization members can be added to the workspace
+		const membershipOrg = await MembershipOrg.findOne({
+			user: invitee._id,
+			organization: req.membership.workspace.organization,
+			status: ACCEPTED
+		});
+
+		if (!membershipOrg)
+			throw new Error("Failed to validate invitee's organization membership");
+
+		// get latest key
+		latestKey = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		})
+			.sort({ createdAt: -1 })
+			.populate('sender', '+publicKey');
+
+		// create new workspace membership
+		const m = await new Membership({
+			user: invitee._id,
+			workspace: workspaceId,
+			role: MEMBER
+		}).save();
+
+		await sendMail({
+			template: 'workspaceInvitation.handlebars',
+			subjectLine: 'Infisical workspace invitation',
+			recipients: [invitee.email],
+			substitutions: {
+				inviterFirstName: req.user.firstName,
+				inviterEmail: req.user.email,
+				workspaceName: req.membership.workspace.name,
+				callback_url: SITE_URL + '/login'
+			}
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to invite user to workspace'
+		});
+	}
+
+	return res.status(200).send({
+		invitee,
+		latestKey
+	});
+};
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -0,0 +1,275 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, EMAIL_TOKEN_LIFETIME } from '../../config';
+import { MembershipOrg, Organization, User, Token } from '../../models';
+import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
+import { checkEmailVerification } from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+import { sendMail } from '../../helpers/nodemailer';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';
+
+/**
+ * Delete organization membership with id [membershipOrgId] from organization
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteMembershipOrg = async (req: Request, res: Response) => {
+	let membershipOrgToDelete;
+	try {
+		const { membershipOrgId } = req.params;
+
+		// check if organization membership to delete exists
+		membershipOrgToDelete = await MembershipOrg.findOne({
+			_id: membershipOrgId
+		}).populate('user');
+
+		if (!membershipOrgToDelete) {
+			throw new Error(
+				"Failed to delete organization membership that doesn't exist"
+			);
+		}
+
+		// check if user is a member and admin of the organization
+		// whose membership we wish to delete
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: membershipOrgToDelete.organization
+		});
+
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}
+
+		if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
+			// user is not an admin member of the organization
+			throw new Error('Insufficient role for deleting organization membership');
+		}
+
+		// delete organization membership
+		const deletedMembershipOrg = await deleteMemberFromOrg({
+			membershipOrgId: membershipOrgToDelete._id.toString()
+		});
+
+		await updateSubscriptionOrgQuantity({
+			organizationId: membershipOrg.organization.toString()
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization membership'
+		});
+	}
+
+	return membershipOrgToDelete;
+};
+
+/**
+ * Change and return organization membership role
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changeMembershipOrgRole = async (req: Request, res: Response) => {
+	// change role for (target) organization membership with id
+	// [membershipOrgId]
+
+	let membershipToChangeRole;
+	// try {
+	// } catch (err) {
+	// 	Sentry.setUser({ email: req.user.email });
+	// 	Sentry.captureException(err);
+	// 	return res.status(400).send({
+	// 		message: 'Failed to change organization membership role'
+	// 	});
+	// }
+
+	return res.status(200).send({
+		membershipOrg: membershipToChangeRole
+	});
+};
+
+/**
+ * Organization invitation step 1: Send email invitation to user with email [email]
+ * for organization with id [organizationId] containing magic link
+ * @param req
+ * @param res
+ * @returns
+ */
+export const inviteUserToOrganization = async (req: Request, res: Response) => {
+	let invitee, inviteeMembershipOrg;
+	try {
+		const { organizationId, inviteeEmail } = req.body;
+
+		// validate membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: organizationId
+		});
+
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}
+
+		invitee = await User.findOne({
+			email: inviteeEmail
+		}).select('+publicKey');
+
+		if (invitee) {
+			// case: invitee is an existing user
+
+			inviteeMembershipOrg = await MembershipOrg.findOne({
+				user: invitee._id,
+				organization: organizationId
+			});
+
+			if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
+				throw new Error(
+					'Failed to invite an existing member of the organization'
+				);
+			}
+
+			if (!inviteeMembershipOrg) {
+				await new MembershipOrg({
+					user: invitee,
+					inviteEmail: inviteeEmail,
+					organization: organizationId,
+					role: MEMBER,
+					status: invitee?.publicKey ? ACCEPTED : INVITED
+				}).save();
+			}
+		} else {
+			// check if invitee has been invited before
+			inviteeMembershipOrg = await MembershipOrg.findOne({
+				inviteEmail: inviteeEmail,
+				organization: organizationId
+			});
+
+			if (!inviteeMembershipOrg) {
+				// case: invitee has never been invited before
+
+				await new MembershipOrg({
+					inviteEmail: inviteeEmail,
+					organization: organizationId,
+					role: MEMBER,
+					status: INVITED
+				}).save();
+			}
+		}
+
+		const organization = await Organization.findOne({ _id: organizationId });
+
+		if (organization) {
+			const token = crypto.randomBytes(16).toString('hex');
+
+			await Token.findOneAndUpdate(
+				{ email: inviteeEmail },
+				{
+					email: inviteeEmail,
+					token,
+					createdAt: new Date(),
+					ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
+				},
+				{ upsert: true, new: true }
+			);
+
+			await sendMail({
+				template: 'organizationInvitation.handlebars',
+				subjectLine: 'Infisical organization invitation',
+				recipients: [inviteeEmail],
+				substitutions: {
+					inviterFirstName: req.user.firstName,
+					inviterEmail: req.user.email,
+					organizationName: organization.name,
+					email: inviteeEmail,
+					token,
+					callback_url: SITE_URL + '/signupinvite'
+				}
+			});
+		}
+
+		await updateSubscriptionOrgQuantity({ organizationId });
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to send organization invite'
+		});
+	}
+
+	return res.status(200).send({
+		message: `Sent an invite link to ${req.body.inviteeEmail}`
+	});
+};
+
+/**
+ * Organization invitation step 2: Verify that code [code] was sent to email [email] as part of
+ * magic link and issue a temporary signup token for user to complete setting up their account
+ * @param req
+ * @param res
+ * @returns
+ */
+export const verifyUserToOrganization = async (req: Request, res: Response) => {
+	let user, token;
+	try {
+		const { email, code } = req.body;
+
+		user = await User.findOne({ email }).select('+publicKey');
+
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
+
+		if (!membershipOrg)
+			throw new Error('Failed to find any invitations for email');
+
+		await checkEmailVerification({
+			email,
+			code
+		});
+
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			// membership can be approved and redirected to login/dashboard
+			membershipOrg.status = ACCEPTED;
+			await membershipOrg.save();
+
+			return res.status(200).send({
+				message: 'Successfully verified email',
+				user,
+			});
+		}
+
+		if (!user) {
+			// initialize user account
+			user = await new User({
+				email
+			}).save();
+		}
+
+		// generate temporary signup token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed email magic link verification for organization invitation'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully verified email',
+		user,
+		token
+	});
+};
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -0,0 +1,427 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+	SITE_URL,
+	STRIPE_SECRET_KEY
+} from '../../config';
+import Stripe from 'stripe';
+
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});
+import {
+	Membership,
+	MembershipOrg,
+	Organization,
+	Workspace,
+	IncidentContactOrg,
+	IMembershipOrg
+} from '../../models';
+import { createOrganization as create } from '../../helpers/organization';
+import { addMembershipsOrg } from '../../helpers/membershipOrg';
+import { OWNER, ACCEPTED } from '../../variables';
+import _ from 'lodash';
+
+export const getOrganizations = async (req: Request, res: Response) => {
+	let organizations;
+	try {
+		organizations = (
+			await MembershipOrg.find({
+				user: req.user._id
+			}).populate('organization')
+		).map((m) => m.organization);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organizations'
+		});
+	}
+
+	return res.status(200).send({
+		organizations
+	});
+};
+
+/**
+ * Create new organization named [organizationName]
+ * and add user as owner
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createOrganization = async (req: Request, res: Response) => {
+	let organization;
+	try {
+		const { organizationName } = req.body;
+
+		if (organizationName.length < 1) {
+			throw new Error('Organization names must be at least 1-character long');
+		}
+
+		// create organization and add user as member
+		organization = await create({
+			email: req.user.email,
+			name: organizationName
+		});
+
+		await addMembershipsOrg({
+			userIds: [req.user._id.toString()],
+			organizationId: organization._id.toString(),
+			roles: [OWNER],
+			statuses: [ACCEPTED]
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create organization'
+		});
+	}
+
+	return res.status(200).send({
+		organization
+	});
+};
+
+/**
+ * Return organization with id [organizationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganization = async (req: Request, res: Response) => {
+	let organization;
+	try {
+		organization = req.membershipOrg.organization;
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to find organization'
+		});
+	}
+
+	return res.status(200).send({
+		organization
+	});
+};
+
+/**
+ * Return organization memberships for organization with id [organizationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationMembers = async (req: Request, res: Response) => {
+	let users;
+	try {
+		const { organizationId } = req.params;
+
+		users = await MembershipOrg.find({
+			organization: organizationId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization members'
+		});
+	}
+
+	return res.status(200).send({
+		users
+	});
+};
+
+/**
+ * Return workspaces that user is part of in organization with id [organizationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationWorkspaces = async (
+	req: Request,
+	res: Response
+) => {
+	let workspaces;
+	try {
+		const { organizationId } = req.params;
+
+		const workspacesSet = new Set(
+			(
+				await Workspace.find(
+					{
+						organization: organizationId
+					},
+					'_id'
+				)
+			).map((w) => w._id.toString())
+		);
+
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		)
+			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
+			.map((m) => m.workspace);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get my workspaces'
+		});
+	}
+
+	return res.status(200).send({
+		workspaces
+	});
+};
+
+/**
+ * Change name of organization with id [organizationId] to [name]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changeOrganizationName = async (req: Request, res: Response) => {
+	let organization;
+	try {
+		const { organizationId } = req.params;
+		const { name } = req.body;
+
+		organization = await Organization.findOneAndUpdate(
+			{
+				_id: organizationId
+			},
+			{
+				name
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change organization name'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully changed organization name',
+		organization
+	});
+};
+
+/**
+ * Return incident contacts of organization with id [organizationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationIncidentContacts = async (
+	req: Request,
+	res: Response
+) => {
+	let incidentContactsOrg;
+	try {
+		const { organizationId } = req.params;
+
+		incidentContactsOrg = await IncidentContactOrg.find({
+			organization: organizationId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization incident contacts'
+		});
+	}
+
+	return res.status(200).send({
+		incidentContactsOrg
+	});
+};
+
+/**
+ * Add and return new incident contact with email [email] for organization with id [organizationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const addOrganizationIncidentContact = async (
+	req: Request,
+	res: Response
+) => {
+	let incidentContactOrg;
+	try {
+		const { organizationId } = req.params;
+		const { email } = req.body;
+
+		incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
+			{ email, organization: organizationId },
+			{ email, organization: organizationId },
+			{ upsert: true, new: true }
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to add incident contact for organization'
+		});
+	}
+
+	return res.status(200).send({
+		incidentContactOrg
+	});
+};
+
+/**
+ * Delete incident contact with email [email] for organization with id [organizationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteOrganizationIncidentContact = async (
+	req: Request,
+	res: Response
+) => {
+	let incidentContactOrg;
+	try {
+		const { organizationId } = req.params;
+		const { email } = req.body;
+
+		incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
+			email,
+			organization: organizationId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization incident contact'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully deleted organization incident contact',
+		incidentContactOrg
+	});
+};
+
+/**
+ * Redirect user to (stripe) billing portal or add card page depending on
+ * if there is a card on file
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createOrganizationPortalSession = async (
+	req: Request,
+	res: Response
+) => {
+	let session;
+	try {
+		// check if there is a payment method on file
+		const paymentMethods = await stripe.paymentMethods.list({
+			customer: req.membershipOrg.organization.customerId,
+			type: 'card'
+		});
+
+		if (paymentMethods.data.length < 1) {
+			// case: no payment method on file
+			session = await stripe.checkout.sessions.create({
+				customer: req.membershipOrg.organization.customerId,
+				mode: 'setup',
+				payment_method_types: ['card'],
+				success_url: SITE_URL + '/dashboard',
+				cancel_url: SITE_URL + '/dashboard'
+			});
+		} else {
+			session = await stripe.billingPortal.sessions.create({
+				customer: req.membershipOrg.organization.customerId,
+				return_url: SITE_URL + '/dashboard'
+			});
+		}
+
+		return res.status(200).send({ url: session.url });
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to redirect to organization billing portal'
+		});
+	}
+};
+
+/**
+ * Return organization subscriptions
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationSubscriptions = async (
+	req: Request,
+	res: Response
+) => {
+	let subscriptions;
+	try {
+		subscriptions = await stripe.subscriptions.list({
+			customer: req.membershipOrg.organization.customerId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization subscriptions'
+		});
+	}
+
+	return res.status(200).send({
+		subscriptions
+	});
+};
+
+
+/**
+ * Given a org id, return the projects each member of the org belongs to
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationMembersAndTheirWorkspaces = async (
+	req: Request,
+	res: Response
+) => {
+	const { organizationId } = req.params;
+
+	const workspacesSet = (
+			await Workspace.find(
+				{
+					organization: organizationId
+				},
+				'_id'
+			)
+		).map((w) => w._id.toString());
+
+	const memberships = (
+		await Membership.find({
+			workspace: { $in: workspacesSet }
+		}).populate('workspace')
+	);
+	const userToWorkspaceIds: any = {};
+
+	memberships.forEach(membership => {
+		const user = membership.user.toString();
+		if (userToWorkspaceIds[user]) {
+			userToWorkspaceIds[user].push(membership.workspace);
+		} else {
+			userToWorkspaceIds[user] = [membership.workspace];
+		}
+	});
+
+	return res.json(userToWorkspaceIds);
+};
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -0,0 +1,375 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const jsrp = require('jsrp');
+import * as bigintConversion from 'bigint-conversion';
+import { User, Token, BackupPrivateKey, LoginSRPDetail } from '../../models';
+import { checkEmailVerification } from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { sendMail } from '../../helpers/nodemailer';
+import { EMAIL_TOKEN_LIFETIME, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Password reset step 1: Send email verification link to email [email] 
+ * for account recovery.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const emailPasswordReset = async (req: Request, res: Response) => {
+	let email: string;
+	try {
+		email = req.body.email;
+
+		const user = await User.findOne({ email }).select('+publicKey');
+		if (!user || !user?.publicKey) {
+			// case: user has already completed account
+
+			return res.status(403).send({
+				error: 'Failed to send email verification for password reset'
+			});
+		}
+
+		const token = crypto.randomBytes(16).toString('hex');
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date(),
+				ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
+			},
+			{ upsert: true, new: true }
+		);
+
+		await sendMail({
+			template: 'passwordReset.handlebars',
+			subjectLine: 'Infisical password reset',
+			recipients: [email],
+			substitutions: {
+				email,
+				token,
+				callback_url: SITE_URL + '/password-reset'
+			}
+		});
+
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to send email for account recovery'
+		});
+	}
+
+	return res.status(200).send({
+		message: `Sent an email for account recovery to ${email}`
+	});
+}
+
+/**
+ * Password reset step 2: Verify email verification link sent to email [email]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const emailPasswordResetVerify = async (req: Request, res: Response) => {
+	let user, token;
+	try {
+		const { email, code } = req.body;
+
+		user = await User.findOne({ email }).select('+publicKey');
+		if (!user || !user?.publicKey) {
+			// case: user doesn't exist with email [email] or 
+			// hasn't even completed their account
+			return res.status(403).send({
+				error: 'Failed email verification for password reset'
+			});
+		}
+
+		await checkEmailVerification({
+			email,
+			code
+		});
+
+		// generate temporary password-reset token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed email verification for password reset'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully verified email',
+		user,
+		token
+	});
+}
+
+/**
+ * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const srp1 = async (req: Request, res: Response) => {
+	// return salt, serverPublicKey as part of first step of SRP protocol
+	try {
+		const { clientPublicKey } = req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
+
+		if (!user) throw new Error('Failed to find user');
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier
+			},
+			async () => {
+				// generate server-side public key
+				const serverPublicKey = server.getPublicKey();
+
+				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+					email: req.user.email,
+					clientPublicKey: clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt),
+				}, { upsert: true, returnNewDocument: false })
+
+				return res.status(200).send({
+					serverPublicKey,
+					salt: user.salt
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to start change password process'
+		});
+	}
+};
+
+/**
+ * Change account SRP authentication information for user
+ * Requires verifying [clientProof] as part of step 2 of SRP protocol
+ * as initiated in POST /srp1
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changePassword = async (req: Request, res: Response) => {
+	try {
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
+
+		if (!user) throw new Error('Failed to find user');
+
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: loginSRPDetailFromDB.serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// change password
+
+					await User.findByIdAndUpdate(
+						req.user._id.toString(),
+						{
+							encryptedPrivateKey,
+							iv,
+							tag,
+							salt,
+							verifier
+						},
+						{
+							new: true
+						}
+					);
+
+					return res.status(200).send({
+						message: 'Successfully changed password'
+					});
+				}
+
+				return res.status(400).send({
+					error: 'Failed to change password. Try again?'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to change password. Try again?'
+		});
+	}
+};
+
+/**
+ * Create or change backup private key for user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createBackupPrivateKey = async (req: Request, res: Response) => {
+	// create/change backup private key
+	// requires verifying [clientProof] as part of second step of SRP protocol
+	// as initiated in /srp1
+
+	try {
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
+
+		if (!user) throw new Error('Failed to find user');
+
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: loginSRPDetailFromDB.serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(
+					loginSRPDetailFromDB.clientPublicKey
+				);
+
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// create new or replace backup private key
+
+					const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
+						{ user: req.user._id },
+						{
+							user: req.user._id,
+							encryptedPrivateKey,
+							iv,
+							tag,
+							salt,
+							verifier
+						},
+						{ upsert: true, new: true }
+					).select('+user, encryptedPrivateKey');
+
+					// issue tokens
+					return res.status(200).send({
+						message: 'Successfully updated backup private key',
+						backupPrivateKey
+					});
+				}
+
+				return res.status(400).send({
+					message: 'Failed to update backup private key'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update backup private key'
+		});
+	}
+};
+
+/**
+ * Return backup private key for user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getBackupPrivateKey = async (req: Request, res: Response) => {
+	let backupPrivateKey;
+	try {
+		backupPrivateKey = await BackupPrivateKey.findOne({
+			user: req.user._id
+		}).select('+encryptedPrivateKey +iv +tag');
+
+		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get backup private key'
+		});
+	}
+
+	return res.status(200).send({
+		backupPrivateKey
+	});
+}
+
+export const resetPassword = async (req: Request, res: Response) => {
+	try {
+		const {
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier,
+		} = req.body;
+
+		await User.findByIdAndUpdate(
+			req.user._id.toString(),
+			{
+				encryptedPrivateKey,
+				iv,
+				tag,
+				salt,
+				verifier
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get backup private key'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully reset password'
+	});
+}
--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -0,0 +1,235 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Key, Secret } from '../../models';
+import {
+	v1PushSecrets as push,
+	pullSecrets as pull,
+	reformatPullSecrets
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { eventPushSecrets } from '../../events';
+import { EventService } from '../../services';
+import { postHogClient } from '../../services';
+
+interface PushSecret {
+	ciphertextKey: string;
+	ivKey: string;
+	tagKey: string;
+	hashKey: string;
+	ciphertextValue: string;
+	ivValue: string;
+	tagValue: string;
+	hashValue: string;
+	ciphertextComment: string;
+	ivComment: string;
+	tagComment: string;
+	hashComment: string;
+	type: 'shared' | 'personal';
+}
+
+/**
+ * Upload (encrypted) secrets to workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pushSecrets = async (req: Request, res: Response) => {
+	// upload (encrypted) secrets to workspace with id [workspaceId]
+
+	try {
+		let { secrets }: { secrets: PushSecret[] } = req.body;
+		const { keys, environment, channel } = req.body;
+		const { workspaceId } = req.params;
+
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		// sanitize secrets
+		secrets = secrets.filter(
+			(s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
+		);
+
+		await push({
+			userId: req.user._id,
+			workspaceId,
+			environment,
+			secrets
+		});
+
+		await pushKeys({
+			userId: req.user._id,
+			workspaceId,
+			keys
+		});
+		
+		
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'secrets pushed',
+				distinctId: req.user.email,
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId
+			})
+		});
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully uploaded workspace secrets'
+	});
+};
+
+/**
+ * Return (encrypted) secrets for workspace with id [workspaceId]
+ * for environment [environment] and (encrypted) workspace key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pullSecrets = async (req: Request, res: Response) => {
+	let secrets;
+	let key;
+	try {
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
+
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		secrets = await pull({
+			userId: req.user._id.toString(),
+			workspaceId,
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		key = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		})
+			.sort({ createdAt: -1 })
+			.populate('sender', '+publicKey');
+		
+		if (channel !== 'cli') {
+			secrets = reformatPullSecrets({ secrets });
+		}
+
+		if (postHogClient) {
+			// capture secrets pushed event in production
+			postHogClient.capture({
+				distinctId: req.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		secrets,
+		key
+	});
+};
+
+/**
+ * Return (encrypted) secrets for workspace with id [workspaceId]
+ * for environment [environment] and (encrypted) workspace key
+ * via service token
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pullSecretsServiceToken = async (req: Request, res: Response) => {
+	let secrets;
+	let key;
+	try {
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
+
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		secrets = await pull({
+			userId: req.serviceToken.user._id.toString(),
+			workspaceId,
+			environment,
+			channel: 'cli',
+			ipAddress: req.ip
+		});
+
+		key = {
+			encryptedKey: req.serviceToken.encryptedKey,
+			nonce: req.serviceToken.nonce,
+			sender: {
+				publicKey: req.serviceToken.publicKey
+			},
+			receiver: req.serviceToken.user,
+			workspace: req.serviceToken.workspace
+		};
+
+		if (postHogClient) {
+			// capture secrets pulled event in production
+			postHogClient.capture({
+				distinctId: req.serviceToken.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.serviceToken.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		secrets: reformatPullSecrets({ secrets }),
+		key
+	});
+};
--- a/backend/src/controllers/v1/serviceTokenController.ts
+++ b/backend/src/controllers/v1/serviceTokenController.ts
@ -0,0 +1,75 @@
+import { Request, Response } from 'express';
+import { ServiceToken } from '../../models';
+import { createToken } from '../../helpers/auth';
+import { JWT_SERVICE_SECRET } from '../../config';
+
+/**
+ * Return service token on request
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getServiceToken = async (req: Request, res: Response) => {
+	return res.status(200).send({
+		serviceToken: req.serviceToken
+	});
+};
+
+/**
+ * Create and return a new service token
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createServiceToken = async (req: Request, res: Response) => {
+	let token;
+	try {
+		const {
+			name,
+			workspaceId,
+			environment,
+			expiresIn,
+			publicKey,
+			encryptedKey,
+			nonce
+		} = req.body;
+
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		// compute access token expiration date
+		const expiresAt = new Date();
+		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+		const serviceToken = await new ServiceToken({
+			name,
+			user: req.user._id,
+			workspace: workspaceId,
+			environment,
+			expiresAt,
+			publicKey,
+			encryptedKey,
+			nonce
+		}).save();
+
+		token = createToken({
+			payload: {
+				serviceTokenId: serviceToken._id.toString(),
+				workspaceId
+			},
+			expiresIn: expiresIn,
+			secret: JWT_SERVICE_SECRET
+		});
+	} catch (err) {
+		return res.status(400).send({
+			message: 'Failed to create service token'
+		});
+	}
+
+	return res.status(200).send({
+		token
+	});
+};
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -0,0 +1,312 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
+import {
+	sendEmailVerification,
+	checkEmailVerification,
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueTokens, createToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import axios from 'axios';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Signup step 1: Initialize account for user under email [email] and send a verification code
+ * to that email
+ * @param req
+ * @param res
+ * @returns
+ */
+export const beginEmailSignup = async (req: Request, res: Response) => {
+	let email: string;
+	try {
+		email = req.body.email;
+
+		if (INVITE_ONLY_SIGNUP) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
+		const user = await User.findOne({ email }).select('+publicKey');
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+
+			return res.status(403).send({
+				error: 'Failed to send email verification code for complete account'
+			});
+		}
+
+		// send send verification email
+		await sendEmailVerification({ email });
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to send email verification code'
+		});
+	}
+
+	return res.status(200).send({
+		message: `Sent an email verification code to ${email}`
+	});
+};
+
+/**
+ * Signup step 2: Verify that code [code] was sent to email [email] and issue
+ * a temporary signup token for user to complete setting up their account
+ * @param req
+ * @param res
+ * @returns
+ */
+export const verifyEmailSignup = async (req: Request, res: Response) => {
+	let user, token;
+	try {
+		const { email, code } = req.body;
+
+		// initialize user account
+		user = await User.findOne({ email });
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			return res.status(403).send({
+				error: 'Failed email verification for complete user'
+			});
+		}
+
+		// verify email
+		await checkEmailVerification({
+			email,
+			code
+		});
+
+		if (!user) {
+			user = await new User({
+				email
+			}).save();
+		}
+
+		// generate temporary signup token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed email verification'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfuly verified email',
+		user,
+		token
+	});
+};
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier,
+			organizationName
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+		refreshToken = tokens.refreshToken;
+
+		// sending a welcome email to new users
+		if (process.env.LOOPS_API_KEY) {
+			await axios.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+				},
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token,
+		refreshToken
+	});
+};
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * invite flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountInvite = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
+
+		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user');
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+		refreshToken = tokens.refreshToken;
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token,
+		refreshToken
+	});
+};
--- a/backend/src/controllers/v1/stripeController.ts
+++ b/backend/src/controllers/v1/stripeController.ts
@ -0,0 +1,40 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import Stripe from 'stripe';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../config';
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});
+
+/**
+ * Handle service provisioning/un-provisioning via Stripe
+ * @param req
+ * @param res
+ * @returns
+ */
+export const handleWebhook = async (req: Request, res: Response) => {
+	let event;
+	try {
+		// check request for valid stripe signature
+		const sig = req.headers['stripe-signature'] as string;
+		event = stripe.webhooks.constructEvent(
+			req.body,
+			sig,
+			STRIPE_WEBHOOK_SECRET // ?
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to process webhook'
+		});
+	}
+
+	switch (event.type) {
+		case '':
+			break;
+		default:
+	}
+
+	return res.json({ received: true });
+};
--- a/backend/src/controllers/v1/userActionController.ts
+++ b/backend/src/controllers/v1/userActionController.ts
@ -0,0 +1,70 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { UserAction } from '../../models';
+
+/**
+ * Add user action [action]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const addUserAction = async (req: Request, res: Response) => {
+	// add/record new action [action] for user with id [req.user._id]
+
+	let userAction;
+	try {
+		const { action } = req.body;
+
+		userAction = await UserAction.findOneAndUpdate(
+			{
+				user: req.user._id,
+				action
+			},
+			{ user: req.user._id, action },
+			{
+				new: true,
+				upsert: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to record user action'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully recorded user action',
+		userAction
+	});
+};
+
+/**
+ * Return user action [action] for user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getUserAction = async (req: Request, res: Response) => {
+	// get user action [action] for user with id [req.user._id]
+	let userAction;
+	try {
+		const action: string = req.query.action as string;
+
+		userAction = await UserAction.findOne({
+			user: req.user._id,
+			action
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get user action'
+		});
+	}
+
+	return res.status(200).send({
+		userAction
+	});
+};
--- a/backend/src/controllers/v1/userController.ts
+++ b/backend/src/controllers/v1/userController.ts
@ -0,0 +1,13 @@
+import { Request, Response } from 'express';
+
+/**
+ * Return user on request
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getUser = async (req: Request, res: Response) => {
+	return res.status(200).send({
+		user: req.user
+	});
+};
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -0,0 +1,335 @@
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import {
+  Workspace,
+  Membership,
+  MembershipOrg,
+  Integration,
+  IntegrationAuth,
+  IUser,
+  ServiceToken,
+  ServiceTokenData,
+} from "../../models";
+import {
+  createWorkspace as create,
+  deleteWorkspace as deleteWork,
+} from "../../helpers/workspace";
+import { addMemberships } from "../../helpers/membership";
+import { ADMIN } from "../../variables";
+
+/**
+ * Return public keys of members of workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
+  let publicKeys;
+  try {
+    const { workspaceId } = req.params;
+
+    publicKeys = (
+      await Membership.find({
+        workspace: workspaceId,
+      }).populate<{ user: IUser }>("user", "publicKey")
+    ).map((member) => {
+      return {
+        publicKey: member.user.publicKey,
+        userId: member.user._id,
+      };
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace member public keys",
+    });
+  }
+
+  return res.status(200).send({
+    publicKeys,
+  });
+};
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+  let users;
+  try {
+    const { workspaceId } = req.params;
+
+    users = await Membership.find({
+      workspace: workspaceId,
+    }).populate("user", "+publicKey");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace members",
+    });
+  }
+
+  return res.status(200).send({
+    users,
+  });
+};
+
+/**
+ * Return workspaces that user is part of
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaces = async (req: Request, res: Response) => {
+  let workspaces;
+  try {
+    workspaces = (
+      await Membership.find({
+        user: req.user._id,
+      }).populate("workspace")
+    ).map((m) => m.workspace);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspaces",
+    });
+  }
+
+  return res.status(200).send({
+    workspaces,
+  });
+};
+
+/**
+ * Return workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspace = async (req: Request, res: Response) => {
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
+
+    workspace = await Workspace.findOne({
+      _id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace",
+    });
+  }
+
+  return res.status(200).send({
+    workspace,
+  });
+};
+
+/**
+ * Create new workspace named [workspaceName] under organization with id
+ * [organizationId] and add user as admin
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createWorkspace = async (req: Request, res: Response) => {
+  let workspace;
+  try {
+    const { workspaceName, organizationId } = req.body;
+
+    // validate organization membership
+    const membershipOrg = await MembershipOrg.findOne({
+      user: req.user._id,
+      organization: organizationId,
+    });
+
+    if (!membershipOrg) {
+      throw new Error("Failed to validate organization membership");
+    }
+
+    if (workspaceName.length < 1) {
+      throw new Error("Workspace names must be at least 1-character long");
+    }
+
+    // create workspace and add user as member
+    workspace = await create({
+      name: workspaceName,
+      organizationId,
+    });
+
+    await addMemberships({
+      userIds: [req.user._id],
+      workspaceId: workspace._id.toString(),
+      roles: [ADMIN],
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to create workspace",
+    });
+  }
+
+  return res.status(200).send({
+    workspace,
+  });
+};
+
+/**
+ * Delete workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteWorkspace = async (req: Request, res: Response) => {
+  try {
+    const { workspaceId } = req.params;
+
+    // delete workspace
+    await deleteWork({
+      id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete workspace",
+    });
+  }
+
+  return res.status(200).send({
+    message: "Successfully deleted workspace",
+  });
+};
+
+/**
+ * Change name of workspace with id [workspaceId] to [name]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changeWorkspaceName = async (req: Request, res: Response) => {
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
+    const { name } = req.body;
+
+    workspace = await Workspace.findOneAndUpdate(
+      {
+        _id: workspaceId,
+      },
+      {
+        name,
+      },
+      {
+        new: true,
+      }
+    );
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to change workspace name",
+    });
+  }
+
+  return res.status(200).send({
+    message: "Successfully changed workspace name",
+    workspace,
+  });
+};
+
+/**
+ * Return integrations for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
+  let integrations;
+  try {
+    const { workspaceId } = req.params;
+
+    integrations = await Integration.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integrations",
+    });
+  }
+
+  return res.status(200).send({
+    integrations,
+  });
+};
+
+/**
+ * Return (integration) authorizations for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceIntegrationAuthorizations = async (
+  req: Request,
+  res: Response
+) => {
+  let authorizations;
+  try {
+    const { workspaceId } = req.params;
+
+    authorizations = await IntegrationAuth.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integration authorizations",
+    });
+  }
+
+  return res.status(200).send({
+    authorizations,
+  });
+};
+
+/**
+ * Return service service tokens for workspace [workspaceId] belonging to user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceServiceTokens = async (
+  req: Request,
+  res: Response
+) => {
+  let serviceTokens;
+  try {
+    const { workspaceId } = req.params;
+    // ?? FIX.
+    serviceTokens = await ServiceToken.find({
+      user: req.user._id,
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace service tokens",
+    });
+  }
+
+  return res.status(200).send({
+    serviceTokens,
+  });
+};
--- a/backend/src/controllers/v2/apiKeyDataController.ts
+++ b/backend/src/controllers/v2/apiKeyDataController.ts
@ -0,0 +1,105 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    APIKeyData
+} from '../../models';
+import {
+    SALT_ROUNDS
+} from '../../config';
+
+/**
+ * Return API key data for user with id [req.user_id]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+export const getAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        apiKeyData = await APIKeyData.find({
+            user: req.user._id
+        });
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to get API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Create new API key data for user with id [req.user._id]
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    let apiKey, apiKeyData;
+    try {
+        const { name, expiresIn } = req.body;
+        
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        
+		const expiresAt = new Date();
+		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+        
+        apiKeyData = await new APIKeyData({
+            name,
+            expiresAt,
+            user: req.user._id,
+            secretHash
+        }).save();
+        
+        // return api key data without sensitive data
+        apiKeyData = await APIKeyData.findById(apiKeyData._id);
+        
+        if (!apiKeyData) throw new Error('Failed to find API key data');
+        
+        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+            
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKey,
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data with id [apiKeyDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        const { apiKeyDataId } = req.params;
+
+        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
+        
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -0,0 +1,262 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+  Secret,
+  ServiceToken,
+  Workspace,
+  Integration,
+  ServiceTokenData,
+  Membership,
+} from '../../models';
+import { SecretVersion } from '../../ee/models';
+import { BadRequestError } from '../../utils/errors';
+import _ from 'lodash';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+
+/**
+ * Create new workspace environment named [environmentName] under workspace with id
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createWorkspaceEnvironment = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentName, environmentSlug } = req.body;
+  try {
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (
+      !workspace ||
+      workspace?.environments.find(
+        ({ name, slug }) => slug === environmentSlug || environmentName === name
+      )
+    ) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    workspace?.environments.push({
+      name: environmentName,
+      slug: environmentSlug.toLowerCase(),
+    });
+    await workspace.save();
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to create new workspace environment',
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully created new environment',
+    workspace: workspaceId,
+    environment: {
+      name: environmentName,
+      slug: environmentSlug,
+    },
+  });
+};
+
+/**
+ * Rename workspace environment with new name and slug of a workspace with [workspaceId]
+ * Old slug [oldEnvironmentSlug] must be provided
+ * @param req
+ * @param res
+ * @returns
+ */
+export const renameWorkspaceEnvironment = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
+  try {
+    // user should pass both new slug and env name
+    if (!environmentSlug || !environmentName) {
+      throw new Error('Invalid environment given.');
+    }
+
+    // atomic update the env to avoid conflict
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (!workspace) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    const isEnvExist = workspace.environments.some(
+      ({ name, slug }) =>
+        slug !== oldEnvironmentSlug &&
+        (name === environmentName || slug === environmentSlug)
+    );
+    if (isEnvExist) {
+      throw new Error('Invalid environment given');
+    }
+
+    const envIndex = workspace?.environments.findIndex(
+      ({ slug }) => slug === oldEnvironmentSlug
+    );
+    if (envIndex === -1) {
+      throw new Error('Invalid environment given');
+    }
+
+    workspace.environments[envIndex].name = environmentName;
+    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
+
+    await workspace.save();
+    await Secret.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await SecretVersion.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await ServiceToken.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await ServiceTokenData.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await Integration.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await Membership.updateMany(
+      {
+        workspace: workspaceId,
+        "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      },
+      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+    )
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to update workspace environment',
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully update environment',
+    workspace: workspaceId,
+    environment: {
+      name: environmentName,
+      slug: environmentSlug,
+    },
+  });
+};
+
+/**
+ * Delete workspace environment by [environmentSlug] of workspace [workspaceId] and do the clean up
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteWorkspaceEnvironment = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentSlug } = req.body;
+  try {
+    // atomic update the env to avoid conflict
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (!workspace) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    const envIndex = workspace?.environments.findIndex(
+      ({ slug }) => slug === environmentSlug
+    );
+    if (envIndex === -1) {
+      throw new Error('Invalid environment given');
+    }
+
+    workspace.environments.splice(envIndex, 1);
+    await workspace.save();
+
+    // clean up
+    await Secret.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await SecretVersion.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await ServiceToken.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await ServiceTokenData.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await Integration.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await Membership.updateMany(
+      { workspace: workspaceId },
+      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+    )
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to delete workspace environment',
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully deleted environment',
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+};
+
+
+export const getAllAccessibleEnvironmentsOfWorkspace = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const workspacesUserIsMemberOf = await Membership.findOne({
+    workspace: workspaceId,
+    user: req.user
+  })
+
+  if (!workspacesUserIsMemberOf) {
+    throw BadRequestError()
+  }
+
+  const accessibleEnvironments: any = []
+  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions
+
+  const relatedWorkspace = await Workspace.findById(workspaceId)
+  if (!relatedWorkspace) {
+    throw BadRequestError()
+  }
+  relatedWorkspace.environments.forEach(environment => {
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    if (isReadBlocked && isWriteBlocked) {
+      return
+    } else {
+      accessibleEnvironments.push({
+        name: environment.name,
+        slug: environment.slug,
+        isWriteDenied: isWriteBlocked,
+        isReadDenied: isReadBlocked
+      })
+    }
+  })
+
+  res.json({ accessibleEnvironments })
+};
--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -0,0 +1,21 @@
+import * as usersController from './usersController';
+import * as organizationsController from './organizationsController';
+import * as workspaceController from './workspaceController';
+import * as serviceTokenDataController from './serviceTokenDataController';
+import * as apiKeyDataController from './apiKeyDataController';
+import * as secretController from './secretController';
+import * as secretsController from './secretsController';
+import * as environmentController from './environmentController';
+import * as tagController from './tagController';
+
+export {
+    usersController,
+    organizationsController,
+    workspaceController,
+    serviceTokenDataController,
+    apiKeyDataController,
+    secretController,
+    secretsController,
+    environmentController,
+    tagController
+}
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -0,0 +1,296 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { 
+    MembershipOrg,
+    Membership,
+    Workspace
+} from '../../models';
+import { deleteMembershipOrg } from '../../helpers/membershipOrg';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+
+/**
+ * Return memberships for organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationMemberships = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return organization memberships'
+    #swagger.description = 'Return organization memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"memberships": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/MembershipOrg" 
+							},
+							"description": "Memberships of organization"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let memberships;
+    try {
+        const { organizationId } = req.params;
+
+		memberships = await MembershipOrg.find({
+			organization: organizationId
+		}).populate('user', '+publicKey');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization memberships'
+		});
+    }
+    
+    return res.status(200).send({
+        memberships
+    });
+}
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req 
+ * @param res 
+ */
+export const updateOrganizationMembership = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Update organization membership'
+    #swagger.description = 'Update organization membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of organization membership to update",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role of organization membership - either owner, admin, or member",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/MembershipOrg",
+							"description": "Updated organization membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        const { role } = req.body;
+        
+        membership = await MembershipOrg.findByIdAndUpdate(
+            membershipId,
+            {
+                role
+            }, {
+                new: true
+            }
+        );
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update organization membership'
+		});
+    }
+    
+    return res.status(200).send({
+        membership
+    });
+}
+
+/**
+ * Delete organization membership with id [membershipId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteOrganizationMembership = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Delete organization membership'
+    #swagger.description = 'Delete organization membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of organization membership to delete",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/MembershipOrg",
+							"description": "Deleted organization membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        
+        // delete organization membership
+        membership = await deleteMembershipOrg({
+            membershipOrgId: membershipId
+        });
+
+        await updateSubscriptionOrgQuantity({
+			organizationId: membership.organization.toString()
+		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization membership'
+		});	
+    }
+
+    return res.status(200).send({
+        membership
+    });
+}
+
+/**
+ * Return workspaces for organization with id [organizationId] that user has
+ * access to
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationWorkspaces = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return projects in organization that user is part of'
+    #swagger.description = 'Return projects in organization that user is part of'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"workspaces": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Project" 
+							},
+							"description": "Projects of organization"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let workspaces;
+    try {
+        const { organizationId } = req.params;
+
+		const workspacesSet = new Set(
+			(
+				await Workspace.find(
+					{
+						organization: organizationId
+					},
+					'_id'
+				)
+			).map((w) => w._id.toString())
+		);
+
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		)
+			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
+			.map((m) => m.workspace);
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization workspaces'
+		});	
+    }
+    
+    return res.status(200).send({
+        workspaces
+    });
+}
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -0,0 +1,401 @@
+import to from "await-to-js";
+import { Request, Response } from "express";
+import mongoose, { Types } from "mongoose";
+import Secret, { ISecret } from "../../models/secret";
+import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
+const { ValidationError } = mongoose.Error;
+import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
+import { AnyBulkWriteOperation } from 'mongodb';
+import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { postHogClient } from '../../services';
+
+/**
+ * Create secret for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const secretToCreate: CreateSecretRequestBody = req.body.secret;
+  const { workspaceId, environment } = req.params
+  const sanitizedSecret: SanitizedSecretForCreate = {
+    secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
+    secretKeyIV: secretToCreate.secretKeyIV,
+    secretKeyTag: secretToCreate.secretKeyTag,
+    secretKeyHash: secretToCreate.secretKeyHash,
+    secretValueCiphertext: secretToCreate.secretValueCiphertext,
+    secretValueIV: secretToCreate.secretValueIV,
+    secretValueTag: secretToCreate.secretValueTag,
+    secretValueHash: secretToCreate.secretValueHash,
+    secretCommentCiphertext: secretToCreate.secretCommentCiphertext,
+    secretCommentIV: secretToCreate.secretCommentIV,
+    secretCommentTag: secretToCreate.secretCommentTag,
+    secretCommentHash: secretToCreate.secretCommentHash,
+    workspace: new Types.ObjectId(workspaceId),
+    environment,
+    type: secretToCreate.type,
+    user: new Types.ObjectId(req.user._id)
+  }
+
+
+  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: error.message, stack: error.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets added',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        workspaceId,
+        environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secret
+  })
+}
+
+/**
+ * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecrets = async (req: Request, res: Response) => {
+  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
+  const { workspaceId, environment } = req.params
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+
+  secretsToCreate.forEach(rawSecret => {
+    const safeUpdateFields: SanitizedSecretForCreate = {
+      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
+      secretKeyIV: rawSecret.secretKeyIV,
+      secretKeyTag: rawSecret.secretKeyTag,
+      secretKeyHash: rawSecret.secretKeyHash,
+      secretValueCiphertext: rawSecret.secretValueCiphertext,
+      secretValueIV: rawSecret.secretValueIV,
+      secretValueTag: rawSecret.secretValueTag,
+      secretValueHash: rawSecret.secretValueHash,
+      secretCommentCiphertext: rawSecret.secretCommentCiphertext,
+      secretCommentIV: rawSecret.secretCommentIV,
+      secretCommentTag: rawSecret.secretCommentTag,
+      secretCommentHash: rawSecret.secretCommentHash,
+      workspace: new Types.ObjectId(workspaceId),
+      environment,
+      type: rawSecret.type,
+      user: new Types.ObjectId(req.user._id)
+    }
+
+    sanitizedSecretesToCreate.push(safeUpdateFields)
+  })
+
+  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
+  if (bulkCreateError) {
+    if (bulkCreateError instanceof ValidationError) {
+      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
+    }
+
+    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets added',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: (secretsToCreate ?? []).length,
+        workspaceId,
+        environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secrets
+  })
+}
+
+/**
+ * Delete secrets in workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretIdsToDelete: string[] = req.body.secretIds
+
+  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanDeleteError) {
+    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
+  }
+
+  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+
+  let numSecretsDeleted = 0;
+  secretIdsToDelete.forEach(secretIdToDelete => {
+    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
+      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
+      deleteOperationsToPerform.push(deleteOperation)
+      numSecretsDeleted++;
+    } else {
+      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+    }
+  })
+
+  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
+  if (bulkDeleteError) {
+    if (bulkDeleteError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
+    }
+    throw InternalServerError()
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets deleted',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: numSecretsDeleted,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send()
+}
+
+/**
+ * Delete secret with id [secretId]
+ * @param req 
+ * @param res
+ */
+export const deleteSecret = async (req: Request, res: Response) => {
+  await Secret.findByIdAndDelete(req._secret._id)
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets deleted',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        workspaceId: req._secret.workspace.toString(),
+        environment: req._secret.environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secret: req._secret
+  })
+}
+
+/**
+ * Update secrets for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
+  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanModifyError) {
+    throw InternalServerError({ message: "Unable to fetch secrets you own" })
+  }
+
+  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
+  const updateOperationsToPerform: any = []
+
+  secretsModificationsRequested.forEach(userModifiedSecret => {
+    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
+      const sanitizedSecret: SanitizedSecretModify = {
+        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
+        secretKeyIV: userModifiedSecret.secretKeyIV,
+        secretKeyTag: userModifiedSecret.secretKeyTag,
+        secretKeyHash: userModifiedSecret.secretKeyHash,
+        secretValueCiphertext: userModifiedSecret.secretValueCiphertext,
+        secretValueIV: userModifiedSecret.secretValueIV,
+        secretValueTag: userModifiedSecret.secretValueTag,
+        secretValueHash: userModifiedSecret.secretValueHash,
+        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
+        secretCommentIV: userModifiedSecret.secretCommentIV,
+        secretCommentTag: userModifiedSecret.secretCommentTag,
+        secretCommentHash: userModifiedSecret.secretCommentHash,
+      }
+
+      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
+      updateOperationsToPerform.push(updateOperation)
+    } else {
+      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+    }
+  })
+
+  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
+  if (bulkModificationInfoError) {
+    if (bulkModificationInfoError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
+    }
+
+    throw InternalServerError()
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets modified',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: (secretsModificationsRequested ?? []).length,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.status(200).send()
+}
+
+/**
+ * Update a secret within workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSecret = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
+
+  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
+    throw BadRequestError()
+  }
+
+  const sanitizedSecret: SanitizedSecretModify = {
+    secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
+    secretKeyIV: secretModificationsRequested.secretKeyIV,
+    secretKeyTag: secretModificationsRequested.secretKeyTag,
+    secretKeyHash: secretModificationsRequested.secretKeyHash,
+    secretValueCiphertext: secretModificationsRequested.secretValueCiphertext,
+    secretValueIV: secretModificationsRequested.secretValueIV,
+    secretValueTag: secretModificationsRequested.secretValueTag,
+    secretValueHash: secretModificationsRequested.secretValueHash,
+    secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
+    secretCommentIV: secretModificationsRequested.secretCommentIV,
+    secretCommentTag: secretModificationsRequested.secretCommentTag,
+    secretCommentHash: secretModificationsRequested.secretCommentHash,
+  }
+
+  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets modified',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.status(200).send(singleModificationUpdate)
+}
+
+/**
+ * Return secrets for workspace with id [workspaceId], environment [environment] and user
+ * with id [req.user._id]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const { environment } = req.query;
+  const { workspaceId } = req.params;
+
+  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
+  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  if (req.user) {
+    userId = req.user._id;
+    userEmail = req.user.email;
+  }
+
+  if (req.serviceTokenData) {
+    userId = req.serviceTokenData.user._id
+    userEmail = req.serviceTokenData.user.email;
+  }
+
+  const [err, secrets] = await to(Secret.find(
+    {
+      workspace: workspaceId,
+      environment,
+      $or: [{ user: userId }, { user: { $exists: false } }],
+      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+    }
+  ).then())
+
+  if (err) {
+    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets pulled',
+      distinctId: userEmail,
+      properties: {
+        numberOfSecrets: (secrets ?? []).length,
+        environment,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.json(secrets)
+}
+
+/**
+ * Return secret with id [secretId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecret = async (req: Request, res: Response) => {
+  // if (postHogClient) {
+  //   postHogClient.capture({
+  //     event: 'secrets pulled',
+  //     distinctId: req.user.email,
+  //     properties: {
+  //       numberOfSecrets: 1,
+  //       workspaceId: req._secret.workspace.toString(),
+  //       environment: req._secret.environment,
+  //       channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+  //       userAgent: req.headers?.['user-agent']
+  //     }
+  //   });
+  // }
+
+  return res.status(200).send({
+    secret: req._secret
+  });
+}
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -0,0 +1,783 @@
+import to from 'await-to-js';
+import { Types } from 'mongoose';
+import { Request, Response } from 'express';
+import { ISecret, Membership, Secret, Workspace } from '../../models';
+import {
+    SECRET_PERSONAL,
+    SECRET_SHARED,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
+import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+import { EESecretService, EELogService } from '../../ee/services';
+import { postHogClient } from '../../services';
+import { getChannelFromUserAgent } from '../../utils/posthog';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
+import Tag from '../../models/tag';
+import _ from 'lodash';
+
+/**
+ * Create secret(s) for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Create new secret(s)'
+    #swagger.description = 'Create one or many secrets for a given project and environment.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "workspaceId": {
+                    "type": "string",
+                    "description": "ID of project",
+                },
+                "environment": {
+                    "type": "string",
+                    "description": "Environment within project"
+                },
+                "secrets": {
+                    $ref: "#/components/schemas/CreateSecret",
+                    "description": "Secret(s) to create - object or array of objects"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Newly-created secrets for the given project and environment"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
+
+    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
+    if (!hasAccess) {
+        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+    }
+
+    let listOfSecretsToCreate;
+    if (Array.isArray(req.body.secrets)) {
+        // case: create multiple secrets
+        listOfSecretsToCreate = req.body.secrets;
+    } else if (typeof req.body.secrets === 'object') {
+        // case: create 1 secret
+        listOfSecretsToCreate = [req.body.secrets];
+    }
+
+    type secretsToCreateType = {
+        type: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+        tags: string[]
+    }
+
+    const newlyCreatedSecrets = await Secret.insertMany(
+        listOfSecretsToCreate.map(({
+            type,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        }: secretsToCreateType) => {
+            return ({
+                version: 1,
+                workspace: new Types.ObjectId(workspaceId),
+                type,
+                user: type === SECRET_PERSONAL ? req.user : undefined,
+                environment,
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                tags
+            });
+        })
+    );
+
+    setTimeout(async () => {
+        // trigger event - push secrets
+        await EventService.handleEvent({
+            event: eventPushSecrets({
+                workspaceId
+            })
+        });
+    }, 5000);
+
+    // (EE) add secret versions for new secrets
+    await EESecretService.addSecretVersions({
+        secretVersions: newlyCreatedSecrets.map(({
+            _id,
+            version,
+            workspace,
+            type,
+            user,
+            environment,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretKeyHash,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretValueHash,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        }) => ({
+            _id: new Types.ObjectId(),
+            secret: _id,
+            version,
+            workspace,
+            type,
+            user,
+            environment,
+            isDeleted: false,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretKeyHash,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretValueHash,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        }))
+    });
+
+    const addAction = await EELogService.createAction({
+        name: ACTION_ADD_SECRETS,
+        userId: req.user._id,
+        workspaceId: new Types.ObjectId(workspaceId),
+        secretIds: newlyCreatedSecrets.map((n) => n._id)
+    });
+
+    // (EE) create (audit) log
+    addAction && await EELogService.createLog({
+        userId: req.user._id.toString(),
+        workspaceId: new Types.ObjectId(workspaceId),
+        actions: [addAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: req.user.email,
+            properties: {
+                numberOfSecrets: listOfSecretsToCreate.length,
+                environment,
+                workspaceId,
+                channel: channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets: newlyCreatedSecrets
+    });
+}
+
+/**
+ * Return secret(s) for workspace with id [workspaceId], environment [environment] and user
+ * with id [req.user._id]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Read secrets'
+    #swagger.description = 'Read secrets from a project and environment'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.parameters['workspaceId'] = {
+        "description": "ID of project",
+        "required": true,
+        "type": "string"
+    }
+
+    #swagger.parameters['environment'] = {
+        "description": "Environment within project",
+        "required": true,
+        "type": "string"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Secrets for the given project and environment"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+
+
+    const { workspaceId, environment, tagSlugs } = req.query;
+    const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped to env and project
+    let hasWriteOnlyAccess
+    if (!req.serviceTokenData) {
+        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
+        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
+        if (hasNoAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+    let secrets: any
+    let secretQuery: any
+
+    if (tagNamesList != undefined && tagNamesList.length != 0) {
+        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
+
+        const tagIds = _.map(tagNamesList, (tagName) => {
+            const tag = _.find(workspaceFromDB, { slug: tagName });
+            return tag ? tag.id : null;
+        });
+
+        secretQuery = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            tags: { $in: tagIds },
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    } else {
+        secretQuery = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    }
+
+    if (hasWriteOnlyAccess) {
+        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
+    } else {
+        secrets = await Secret.find(secretQuery).populate("tags")
+    }
+
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+
+    const readAction = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
+        secretIds: secrets.map((n: any) => n._id)
+    });
+
+    readAction && await EELogService.createLog({
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
+        actions: [readAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: userEmail,
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+
+export const getOnlySecretKeys = async (req: Request, res: Response) => {
+    const { workspaceId, environment } = req.query;
+
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped
+    if (!req.serviceTokenData) {
+        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+
+    const [err, secretKeys] = await to(Secret.find(
+        {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    )
+        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
+        .then())
+
+    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+
+    // readAction && await EELogService.createLog({
+    //     userId: new Types.ObjectId(userId),
+    //     workspaceId: new Types.ObjectId(workspaceId as string),
+    //     actions: [readAction],
+    //     channel,
+    //     ipAddress: req.ip
+    // });
+
+    return res.status(200).send({
+        secretKeys
+    });
+}
+
+/**
+ * Update secret(s)
+ * @param req 
+ * @param res 
+ */
+export const updateSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Update secret(s)'
+    #swagger.description = 'Update secret(s)'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "secrets": {
+                    $ref: "#/components/schemas/UpdateSecret",
+                    "description": "Secret(s) to update - object or array of objects"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Updated secrets"
+                        }
+                    }
+                }
+            }           
+        }
+    }
+    */
+    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+
+    // TODO: move type
+    interface PatchSecret {
+        id: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+        tags: string[]
+    }
+
+    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
+        const {
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        } = secret;
+
+        return ({
+            updateOne: {
+                filter: { _id: new Types.ObjectId(secret.id) },
+                update: {
+                    $inc: {
+                        version: 1
+                    },
+                    secretKeyCiphertext,
+                    secretKeyIV,
+                    secretKeyTag,
+                    secretValueCiphertext,
+                    secretValueIV,
+                    secretValueTag,
+                    tags,
+                    ...((
+                        secretCommentCiphertext !== undefined &&
+                        secretCommentIV &&
+                        secretCommentTag
+                    ) ? {
+                        secretCommentCiphertext,
+                        secretCommentIV,
+                        secretCommentTag
+                    } : {}),
+                }
+            }
+        });
+    });
+
+    await Secret.bulkWrite(updateOperationsToPerform);
+
+    const secretModificationsBySecretId: { [key: string]: PatchSecret } = {};
+    req.body.secrets.forEach((secret: PatchSecret) => {
+        secretModificationsBySecretId[secret.id] = secret;
+    });
+
+    const ListOfSecretsBeforeModifications = req.secrets
+    const secretVersions = {
+        secretVersions: ListOfSecretsBeforeModifications.map((secret: ISecret) => {
+            const {
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                tags
+            } = secretModificationsBySecretId[secret._id.toString()]
+
+            return ({
+                secret: secret._id,
+                version: secret.version + 1,
+                workspace: secret.workspace,
+                type: secret.type,
+                environment: secret.environment,
+                secretKeyCiphertext: secretKeyCiphertext ? secretKeyCiphertext : secret.secretKeyCiphertext,
+                secretKeyIV: secretKeyIV ? secretKeyIV : secret.secretKeyIV,
+                secretKeyTag: secretKeyTag ? secretKeyTag : secret.secretKeyTag,
+                secretValueCiphertext: secretValueCiphertext ? secretValueCiphertext : secret.secretValueCiphertext,
+                secretValueIV: secretValueIV ? secretValueIV : secret.secretValueIV,
+                secretValueTag: secretValueTag ? secretValueTag : secret.secretValueTag,
+                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
+                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
+                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+                tags: tags ? tags : secret.tags
+            });
+        })
+    }
+
+    await EESecretService.addSecretVersions(secretVersions);
+
+
+    // group secrets into workspaces so updated secrets can
+    // be logged and snapshotted separately for each workspace
+    const workspaceSecretObj: any = {};
+    req.secrets.forEach((s: any) => {
+        if (s.workspace.toString() in workspaceSecretObj) {
+            workspaceSecretObj[s.workspace.toString()].push(s);
+        } else {
+            workspaceSecretObj[s.workspace.toString()] = [s]
+        }
+    });
+
+    Object.keys(workspaceSecretObj).forEach(async (key) => {
+        // trigger event - push secrets
+        setTimeout(async () => {
+            await EventService.handleEvent({
+                event: eventPushSecrets({
+                    workspaceId: key
+                })
+            });
+        }, 10000);
+
+        const updateAction = await EELogService.createAction({
+            name: ACTION_UPDATE_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
+            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
+        });
+
+        // (EE) create (audit) log
+        updateAction && await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: new Types.ObjectId(key),
+            actions: [updateAction],
+            channel,
+            ipAddress: req.ip
+        });
+
+        // (EE) take a secret snapshot
+        await EESecretService.takeSecretSnapshot({
+            workspaceId: key
+        })
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets modified',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: workspaceSecretObj[key].length,
+                    environment: workspaceSecretObj[key][0].environment,
+                    workspaceId: key,
+                    channel: channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    });
+
+    return res.status(200).send({
+        secrets: await Secret.find({
+            _id: {
+                $in: req.secrets.map((secret: ISecret) => secret._id)
+            }
+        })
+    });
+}
+
+/**
+ * Delete secret(s) with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Delete secret(s)'
+    #swagger.description = 'Delete one or many secrets by their ID(s)'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "secretIds": {
+                    "type": "string",
+                    "description": "ID(s) of secrets - string or array of strings"
+                },
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Deleted secrets"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+    const toDelete = req.secrets.map((s: any) => s._id);
+
+    await Secret.deleteMany({
+        _id: {
+            $in: toDelete
+        }
+    });
+
+    await EESecretService.markDeletedSecretVersions({
+        secretIds: toDelete
+    });
+
+    // group secrets into workspaces so deleted secrets can
+    // be logged and snapshotted separately for each workspace
+    const workspaceSecretObj: any = {};
+    req.secrets.forEach((s: any) => {
+        if (s.workspace.toString() in workspaceSecretObj) {
+            workspaceSecretObj[s.workspace.toString()].push(s);
+        } else {
+            workspaceSecretObj[s.workspace.toString()] = [s]
+        }
+    });
+
+    Object.keys(workspaceSecretObj).forEach(async (key) => {
+        // trigger event - push secrets
+        await EventService.handleEvent({
+            event: eventPushSecrets({
+                workspaceId: key
+            })
+        });
+        const deleteAction = await EELogService.createAction({
+            name: ACTION_DELETE_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
+            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
+        });
+
+        // (EE) create (audit) log
+        deleteAction && await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: new Types.ObjectId(key),
+            actions: [deleteAction],
+            channel,
+            ipAddress: req.ip
+        });
+
+        // (EE) take a secret snapshot
+        await EESecretService.takeSecretSnapshot({
+            workspaceId: key
+        })
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets deleted',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: workspaceSecretObj[key].length,
+                    environment: workspaceSecretObj[key][0].environment,
+                    workspaceId: key,
+                    channel: channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    });
+
+    return res.status(200).send({
+        secrets: req.secrets
+    });
+}
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -0,0 +1,114 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    ServiceTokenData
+} from '../../models';
+import {
+    SALT_ROUNDS
+} from '../../config';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { ABILITY_READ } from '../../variables/organization';
+
+/**
+ * Return service token data associated with service token on request
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
+
+/**
+ * Create new service token data for workspace with id [workspaceId] and
+ * environment [environment].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createServiceTokenData = async (req: Request, res: Response) => {
+    let serviceToken, serviceTokenData;
+    try {
+        const {
+            name,
+            workspaceId,
+            environment,
+            encryptedKey,
+            iv,
+            tag,
+            expiresIn
+        } = req.body;
+
+        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+
+        const expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+        serviceTokenData = await new ServiceTokenData({
+            name,
+            workspace: workspaceId,
+            environment,
+            user: req.user._id,
+            expiresAt,
+            secretHash,
+            encryptedKey,
+            iv,
+            tag
+        }).save();
+
+        // return service token data without sensitive data
+        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+        if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to create service token data'
+        });
+    }
+
+    return res.status(200).send({
+        serviceToken,
+        serviceTokenData
+    });
+}
+
+/**
+ * Delete service token data with id [serviceTokenDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceTokenData = async (req: Request, res: Response) => {
+    let serviceTokenData;
+    try {
+        const { serviceTokenDataId } = req.params;
+
+        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete service token data'
+        });
+    }
+
+    return res.status(200).send({
+        serviceTokenData
+    });
+}
+
+function UnauthorizedRequestError(arg0: { message: string; }) {
+    throw new Error('Function not implemented.');
+}
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -0,0 +1,72 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Membership, Secret,
+} from '../../models';
+import Tag, { ITag } from '../../models/tag';
+import { Builder } from "builder-pattern"
+import to from 'await-to-js';
+import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
+import { MongoError } from 'mongodb';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+
+export const createWorkspaceTag = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const { name, slug } = req.body
+	const sanitizedTagToCreate = Builder<ITag>()
+		.name(name)
+		.workspace(new Types.ObjectId(workspaceId))
+		.slug(slug)
+		.user(new Types.ObjectId(req.user._id))
+		.build();
+
+	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
+
+	if (err) {
+		if ((err as MongoError).code === 11000) {
+			throw BadRequestError({ message: "Tags must be unique in a workspace" })
+		}
+
+		throw err
+	}
+
+	res.json(createdTag)
+}
+
+export const deleteWorkspaceTag = async (req: Request, res: Response) => {
+	const { tagId } = req.params
+
+	const tagFromDB = await Tag.findById(tagId)
+	if (!tagFromDB) {
+		throw BadRequestError()
+	}
+
+	// can only delete if the request user is one that belongs to the same workspace as the tag
+	const membership = await Membership.findOne({
+		user: req.user,
+		workspace: tagFromDB.workspace
+	});
+
+	if (!membership) {
+		UnauthorizedRequestError({ message: 'Failed to validate membership' });
+	}
+
+	const result = await Tag.findByIdAndDelete(tagId);
+
+	// remove the tag from secrets
+	await Secret.updateMany(
+		{ tags: { $in: [tagId] } },
+		{ $pull: { tags: tagId } }
+	);
+
+	res.json(result);
+}
+
+export const getWorkspaceTags = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const workspaceTags = await Tag.find({ workspace: workspaceId })
+	return res.json({
+		workspaceTags
+	})
+}
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -0,0 +1,109 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+    User,
+    MembershipOrg
+} from '../../models';
+
+/**
+ * Return the current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMe = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = "Retrieve the current user on the request"
+    #swagger.description = "Retrieve the current user on the request"
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "user": {
+                            "type": "object",
+                            $ref: "#/components/schemas/CurrentUser",
+                            "description": "Current user on request"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    let user;
+    try {
+        user = await User
+            .findById(req.user._id)
+            .select('+publicKey +encryptedPrivateKey +iv +tag');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get current user'
+		});
+    }
+    
+    return res.status(200).send({
+        user
+    });
+}
+
+/**
+ * Return organizations that the current user is part of.
+ * @param req 
+ * @param res 
+ */
+export const getMyOrganizations = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return organizations that current user is part of'
+    #swagger.description = 'Return organizations that current user is part of'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"organizations": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Organization" 
+							},
+							"description": "Organizations that user is part of"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let organizations;
+	try {
+		organizations = (
+			await MembershipOrg.find({
+				user: req.user._id
+			}).populate('organization')
+		).map((m) => m.organization);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get current user's organizations"
+		});
+	}
+
+	return res.status(200).send({
+		organizations
+	});
+}
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -0,0 +1,508 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Workspace,
+	Secret,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	Key,
+	IUser,
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
+import {
+	v2PushSecrets as push,
+	pullSecrets as pull,
+	reformatPullSecrets
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { postHogClient, EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+
+interface V2PushSecret {
+	type: string; // personal or shared
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+	secretCommentCiphertext?: string;
+	secretCommentIV?: string;
+	secretCommentTag?: string;
+	secretCommentHash?: string;
+}
+
+/**
+ * Upload (encrypted) secrets to workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
+	// upload (encrypted) secrets to workspace with id [workspaceId]
+	try {
+		let { secrets }: { secrets: V2PushSecret[] } = req.body;
+		const { keys, environment, channel } = req.body;
+		const { workspaceId } = req.params;
+
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		// sanitize secrets
+		secrets = secrets.filter(
+			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+		);
+
+		await push({
+			userId: req.user._id,
+			workspaceId,
+			environment,
+			secrets,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		await pushKeys({
+			userId: req.user._id,
+			workspaceId,
+			keys
+		});
+
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'secrets pushed',
+				distinctId: req.user.email,
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId
+			})
+		});
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully uploaded workspace secrets'
+	});
+};
+
+/**
+ * Return (encrypted) secrets for workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pullSecrets = async (req: Request, res: Response) => {
+	let secrets;
+	try {
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
+
+		let userId;
+		if (req.user) {
+			userId = req.user._id.toString();
+		} else if (req.serviceTokenData) {
+			userId = req.serviceTokenData.user._id
+		}
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		secrets = await pull({
+			userId,
+			workspaceId,
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		if (channel !== 'cli') {
+			secrets = reformatPullSecrets({ secrets });
+		}
+
+		if (postHogClient) {
+			// capture secrets pushed event in production
+			postHogClient.capture({
+				distinctId: req.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		secrets
+	});
+};
+
+export const getWorkspaceKey = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return encrypted project key'
+    #swagger.description = 'Return encrypted project key'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "array",
+                    "items": {
+                        $ref: "#/components/schemas/ProjectKey" 
+                    },
+                    "description": "Encrypted project key for the given project"
+                }
+            }           
+        }
+    }   
+    */
+	let key;
+	try {
+		const { workspaceId } = req.params;
+
+		key = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		}).populate('sender', '+publicKey');
+
+		if (!key) throw new Error('Failed to find workspace key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace key'
+		});
+	}
+
+	return res.status(200).json(key);
+}
+export const getWorkspaceServiceTokenData = async (
+	req: Request,
+	res: Response
+) => {
+	let serviceTokenData;
+	try {
+		const { workspaceId } = req.params;
+
+		serviceTokenData = await ServiceTokenData
+			.find({
+				workspace: workspaceId
+			})
+			.select('+encryptedKey +iv +tag');
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service token data'
+		});
+	}
+
+	return res.status(200).send({
+		serviceTokenData
+	});
+}
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project memberships'
+    #swagger.description = 'Return project memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"memberships": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Membership" 
+							},
+							"description": "Memberships of project"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let memberships;
+	try {
+		const { workspaceId } = req.params;
+
+		memberships = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace memberships'
+		});
+	}
+
+	return res.status(200).send({
+		memberships
+	});
+}
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateWorkspaceMembership = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Update project membership'
+    #swagger.description = 'Update project membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of project membership to update",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role of membership - either admin or member",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/Membership",
+							"description": "Updated membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let membership;
+	try {
+		const {
+			membershipId
+		} = req.params;
+		const { role } = req.body;
+		
+		membership = await Membership.findByIdAndUpdate(
+			membershipId,
+			{
+				role
+			}, {
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update workspace membership'
+		});
+	}
+	
+	return res.status(200).send({
+		membership
+	}); 
+}
+
+/**
+ * Delete workspace membership with id [membershipId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Delete project membership'
+    #swagger.description = 'Delete project membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of project membership to delete",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/Membership",
+							"description": "Deleted membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let membership;
+	try {
+		const { 
+			membershipId
+		} = req.params;
+		
+		membership = await Membership.findByIdAndDelete(membershipId);
+		
+		if (!membership) throw new Error('Failed to delete workspace membership');
+		
+		await Key.deleteMany({
+			receiver: membership.user,
+			workspace: membership.workspace
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace membership'
+		});	
+	}
+	
+	return res.status(200).send({
+		membership
+	});
+}
+
+/**
+ * Change autoCapitilzation Rule of workspace
+ * @param req
+ * @param res
+ * @returns
+ */
+export const toggleAutoCapitalization = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { autoCapitalization } = req.body;
+
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				autoCapitalization
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change autoCapitalization setting'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully changed autoCapitalization setting',
+		workspace
+	});
+};
+
--- a/backend/src/db/index.ts
+++ b/backend/src/db/index.ts
@ -1,2 +0,0 @@
-export type { TDbClient } from "./instance";
-export { initDbConnection } from "./instance";
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -1,11 +0,0 @@
-import knex from "knex";
-
-export type TDbClient = ReturnType<typeof initDbConnection>;
-export const initDbConnection = (dbConnectionUri: string) => {
-  const db = knex({
-    client: "pg",
-    connection: dbConnectionUri
-  });
-
-  return db;
-};
--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@ -1,39 +0,0 @@
-// eslint-disable-next-line
-import "ts-node/register";
-
-import dotenv from "dotenv";
-import type { Knex } from "knex";
-import path from "path";
-
-// Update with your config settings.
-dotenv.config({
-  path: path.join(__dirname, "../../.env"),
-  debug: true
-});
-export default {
-  development: {
-    client: "postgres",
-    connection: process.env.DB_CONNECTION_URI,
-    pool: {
-      min: 2,
-      max: 10
-    },
-    seeds: {
-      directory: "./seeds"
-    },
-    migrations: {
-      tableName: "infisical_migrations"
-    }
-  },
-  production: {
-    client: "postgres",
-    connection: process.env.DB_CONNECTION_URI,
-    pool: {
-      min: 2,
-      max: 10
-    },
-    migrations: {
-      tableName: "infisical_migrations"
-    }
-  }
-} as Knex.Config;
--- a/backend/src/db/migrations/20231128072457_user.ts
+++ b/backend/src/db/migrations/20231128072457_user.ts
@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import {
-  createOnUpdateTrigger,
-  createUpdateAtTriggerFunction,
-  dropOnUpdateTrigger,
-  dropUpdatedAtTriggerFunction
-} from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.Users);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.Users, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("email").unique().notNullable();
-      t.specificType("authMethods", "text[]");
-      t.boolean("superAdmin").defaultTo(false);
-      t.string("firstName");
-      t.string("lastName");
-      t.boolean("isAccepted").defaultTo(false);
-      t.boolean("isMfaEnabled").defaultTo(false);
-      t.specificType("mfaMethods", "text[]");
-      t.jsonb("devices");
-      t.timestamps(true, true, true);
-    });
-  }
-  // this is a one time function
-  await createUpdateAtTriggerFunction(knex);
-  await createOnUpdateTrigger(knex, TableName.Users);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Users);
-  await dropOnUpdateTrigger(knex, TableName.Users);
-  await dropUpdatedAtTriggerFunction(knex);
-}
--- a/backend/src/db/migrations/20231128092347_user-encryption-key.ts
+++ b/backend/src/db/migrations/20231128092347_user-encryption-key.ts
@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.UserEncryptionKey);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.UserEncryptionKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("clientPublicKey");
-      t.text("serverPrivateKey");
-      t.integer("encryptionVersion").defaultTo(2);
-      t.text("protectedKey");
-      t.text("protectedKeyIV");
-      t.text("protectedKeyTag");
-      t.text("publicKey").notNullable();
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.text("salt").notNullable();
-      t.text("verifier").notNullable();
-      // one to one relationship
-      t.uuid("userId").notNullable().unique();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.UserEncryptionKey);
-}
--- a/backend/src/db/migrations/20231129072939_auth-token.ts
+++ b/backend/src/db/migrations/20231129072939_auth-token.ts
@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.AuthTokens);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.AuthTokens, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("type").notNullable();
-      t.string("phoneNumber");
-      t.string("tokenHash").notNullable();
-      t.integer("triesLeft");
-      t.datetime("expiresAt").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuthTokens);
-}
--- a/backend/src/db/migrations/20231130072734_auth-token-session.ts
+++ b/backend/src/db/migrations/20231130072734_auth-token-session.ts
@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.AuthTokenSession);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.AuthTokenSession, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("ip").notNullable();
-      t.string("userAgent");
-      t.integer("refreshVersion").notNullable().defaultTo(1);
-      t.integer("accessVersion").notNullable().defaultTo(1);
-      t.datetime("lastUsed").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.AuthTokenSession);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuthTokenSession);
-  await dropOnUpdateTrigger(knex, TableName.AuthTokenSession);
-}
--- a/backend/src/db/migrations/20231201151432_backup-key.ts
+++ b/backend/src/db/migrations/20231201151432_backup-key.ts
@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.BackupPrivateKey);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.BackupPrivateKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.string("algorithm").notNullable();
-      t.string("keyEncoding").notNullable();
-      t.text("salt").notNullable();
-      t.text("verifier").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable().unique();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.BackupPrivateKey);
-}
--- a/backend/src/db/migrations/20231204092737_organization.ts
+++ b/backend/src/db/migrations/20231204092737_organization.ts
@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.Organization);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.Organization, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("customerId");
-      t.string("slug").notNullable();
-      // does not need update trigger we will do it manually
-      t.unique("slug");
-      t.timestamps(true, true, true);
-    });
-    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
-      t.uuid("orgId");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.Organization);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AuthTokens, "orgId")) {
-    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
-      t.dropColumn("orgId");
-    });
-  }
-  await knex.schema.dropTableIfExists(TableName.Organization);
-  await dropOnUpdateTrigger(knex, TableName.Organization);
-}
--- a/backend/src/db/migrations/20231204092747_org-membership.ts
+++ b/backend/src/db/migrations/20231204092747_org-membership.ts
@ -1,48 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { OrgMembershipStatus } from "../schemas/models";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isOrgRolePresent = await knex.schema.hasTable(TableName.OrgRoles);
-  if (!isOrgRolePresent) {
-    await knex.schema.createTable(TableName.OrgRoles, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("description");
-      t.string("slug").notNullable();
-      t.jsonb("permissions").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-
-  const isOrgTablePresent = await knex.schema.hasTable(TableName.OrgMembership);
-  if (!isOrgTablePresent) {
-    await knex.schema.createTable(TableName.OrgMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.string("status").notNullable().defaultTo(OrgMembershipStatus.Invited);
-      t.string("inviteEmail");
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.OrgMembership);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.OrgMembership);
-  await knex.schema.dropTableIfExists(TableName.OrgRoles);
-  await dropOnUpdateTrigger(knex, TableName.OrgMembership);
-}
--- a/backend/src/db/migrations/20231205151331_incident-contact.ts
+++ b/backend/src/db/migrations/20231205151331_incident-contact.ts
@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.IncidentContact);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.IncidentContact, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("email").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.IncidentContact);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IncidentContact);
-  await dropOnUpdateTrigger(knex, TableName.IncidentContact);
-}
--- a/backend/src/db/migrations/20231207055643_user-action.ts
+++ b/backend/src/db/migrations/20231207055643_user-action.ts
@ -1,20 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.UserAction);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.UserAction, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("action").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.UserAction);
-}
--- a/backend/src/db/migrations/20231207055701_super-admin.ts
+++ b/backend/src/db/migrations/20231207055701_super-admin.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.SuperAdmin, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.boolean("initialized").defaultTo(false);
-      t.boolean("allowSignUp").defaultTo(true);
-      t.timestamps(true, true, true);
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.SuperAdmin);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SuperAdmin);
-  await dropOnUpdateTrigger(knex, TableName.SuperAdmin);
-}
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				`.github/resources/docker-compose.be-test.yml:generic-api-key:16`