fix: resolved gitlab integration creation issue regarding groups

changed sidebar color
added time off page to company wiki
2025-08-31 15:32:32 +00:00 · 2024-05-28 19:43:00 +08:00 · 2024-05-27 22:32:54 -07:00 · 2024-05-27 22:26:21 -07:00 · 2024-05-27 16:03:42 -07:00 · 2024-05-27 16:00:39 -07:00
51 changed files with 2815 additions and 279 deletions
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -33,6 +33,7 @@ import { TGroupProjectServiceFactory } from "@app/services/group-project/group-p
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -121,6 +122,7 @@ declare module "fastify" {
      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
      identityGcpAuth: TIdentityGcpAuthServiceFactory;
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
+      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -62,6 +62,9 @@ import {
  TIdentityAwsAuths,
  TIdentityAwsAuthsInsert,
  TIdentityAwsAuthsUpdate,
+  TIdentityAzureAuths,
+  TIdentityAzureAuthsInsert,
+  TIdentityAzureAuthsUpdate,
  TIdentityGcpAuths,
  TIdentityGcpAuthsInsert,
  TIdentityGcpAuthsUpdate,
@@ -356,6 +359,11 @@ declare module "knex/types/tables" {
      TIdentityAwsAuthsInsert,
      TIdentityAwsAuthsUpdate
    >;
+    [TableName.IdentityAzureAuth]: Knex.CompositeTableType<
+      TIdentityAzureAuths,
+      TIdentityAzureAuthsInsert,
+      TIdentityAzureAuthsUpdate
+    >;
    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
--- a/backend/src/db/migrations/20240527073740_identity-azure-auth.ts
+++ b/backend/src/db/migrations/20240527073740_identity-azure-auth.ts
@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
+    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("tenantId").notNullable();
+      t.string("resource").notNullable();
+      t.string("allowedServicePrincipalIds").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
--- a/backend/src/db/schemas/identity-azure-auths.ts
+++ b/backend/src/db/schemas/identity-azure-auths.ts
@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAzureAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  tenantId: z.string(),
+  resource: z.string(),
+  allowedServicePrincipalIds: z.string()
+});
+
+export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;
+export type TIdentityAzureAuthsInsert = Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAzureAuthsUpdate = Partial<Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -18,6 +18,7 @@ export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-aws-auths";
+export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -47,6 +47,7 @@ export enum TableName {
  IdentityUniversalAuth = "identity_universal_auths",
  IdentityKubernetesAuth = "identity_kubernetes_auths",
  IdentityGcpAuth = "identity_gcp_auths",
+  IdentityAzureAuth = "identity_azure_auths",
  IdentityUaClientSecret = "identity_ua_client_secrets",
  IdentityAwsAuth = "identity_aws_auths",
  IdentityOrgMembership = "identity_org_memberships",
@@ -149,5 +150,6 @@ export enum IdentityAuthMethod {
  Univeral = "universal-auth",
  KUBERNETES_AUTH = "kubernetes-auth",
  GCP_AUTH = "gcp-auth",
-  AWS_AUTH = "aws-auth"
+  AWS_AUTH = "aws-auth",
+  AZURE_AUTH = "azure-auth"
 }
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -79,6 +79,10 @@ export enum EventType {
  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
+  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
+  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
+  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
+  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
@@ -572,6 +576,48 @@ interface GetIdentityAwsAuthEvent {
  };
 }

+interface LoginIdentityAzureAuthEvent {
+  type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+    identityAzureAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAzureAuthEvent {
+  type: EventType.ADD_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+    tenantId: string;
+    resource: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityAzureAuthEvent {
+  type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+    tenantId?: string;
+    resource?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityAzureAuthEvent {
+  type: EventType.GET_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface CreateEnvironmentEvent {
  type: EventType.CREATE_ENVIRONMENT;
  metadata: {
@@ -839,6 +885,10 @@ export type Event =
  | AddIdentityAwsAuthEvent
  | UpdateIdentityAwsAuthEvent
  | GetIdentityAwsAuthEvent
+  | LoginIdentityAzureAuthEvent
+  | AddIdentityAzureAuthEvent
+  | UpdateIdentityAzureAuthEvent
+  | GetIdentityAzureAuthEvent
  | CreateEnvironmentEvent
  | UpdateEnvironmentEvent
  | DeleteEnvironmentEvent
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -80,6 +80,8 @@ import { identityAccessTokenDALFactory } from "@app/services/identity-access-tok
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
 import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { identityAzureAuthDALFactory } from "@app/services/identity-azure-auth/identity-azure-auth-dal";
+import { identityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
 import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
@@ -213,8 +215,8 @@ export const registerRoutes = async (
  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
  const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
-
  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+  const identityAzureAuthDAL = identityAzureAuthDALFactory(db);

  const auditLogDAL = auditLogDALFactory(db);
  const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -743,6 +745,15 @@ export const registerRoutes = async (
    permissionService
  });

+  const identityAzureAuthService = identityAzureAuthServiceFactory({
+    identityAzureAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService
+  });
+
  const dynamicSecretProviders = buildDynamicSecretProviders();
  const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
    queueService,
@@ -819,6 +830,7 @@ export const registerRoutes = async (
    identityKubernetesAuth: identityKubernetesAuthService,
    identityGcpAuth: identityGcpAuthService,
    identityAwsAuth: identityAwsAuthService,
+    identityAzureAuth: identityAzureAuthService,
    secretApprovalPolicy: sapService,
    accessApprovalPolicy: accessApprovalPolicyService,
    accessApprovalRequest: accessApprovalRequestService,
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@@ -0,0 +1,262 @@
+import { z } from "zod";
+
+import { IdentityAzureAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
+
+export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/azure-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with Azure Auth",
+      body: z.object({
+        identityId: z.string(),
+        jwt: z.string()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityAzureAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAzureAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityAzureAuthId: identityAzureAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityAzureAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach Azure Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        tenantId: z.string().trim(),
+        resource: z.string().trim(),
+        allowedServicePrincipalIds: validateAzureAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.attachAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId,
+            tenantId: identityAzureAuth.tenantId,
+            resource: identityAzureAuth.resource,
+            accessTokenTTL: identityAzureAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        tenantId: z.string().trim().optional(),
+        resource: z.string().trim().optional(),
+        allowedServicePrincipalIds: validateAzureAuthField.optional(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.updateAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId,
+            tenantId: identityAzureAuth.tenantId,
+            resource: identityAzureAuth.resource,
+            accessTokenTTL: identityAzureAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.getAzureAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@@ -160,9 +160,9 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
      }),
      body: z.object({
        type: z.enum(["iam", "gce"]).optional(),
-        allowedServiceAccounts: validateGcpAuthField,
-        allowedProjects: validateGcpAuthField,
-        allowedZones: validateGcpAuthField,
+        allowedServiceAccounts: validateGcpAuthField.optional(),
+        allowedProjects: validateGcpAuthField.optional(),
+        allowedZones: validateGcpAuthField.optional(),
        accessTokenTrustedIps: z
          .object({
            ipAddress: z.string().trim()
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@@ -3,6 +3,7 @@ import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
 import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
@@ -34,6 +35,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
      await authRouter.register(registerIdentityGcpAuthRouter);
      await authRouter.register(registerIdentityAccessTokenRouter);
      await authRouter.register(registerIdentityAwsAuthRouter);
+      await authRouter.register(registerIdentityAzureAuthRouter);
    },
    { prefix: "/auth" }
  );
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@@ -330,7 +330,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
          teams: z
            .object({
              name: z.string(),
-              id: z.string().optional()
+              id: z.string()
            })
            .array()
        })
--- a/backend/src/services/identity-access-token/identity-access-token-dal.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-dal.ts
@@ -39,6 +39,12 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
            `${TableName.IdentityAwsAuth}.identityId`
          );
        })
+        .leftJoin(TableName.IdentityAzureAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AZURE_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityAzureAuth}.identityId`
+          );
+        })
        .leftJoin(TableName.IdentityKubernetesAuth, (qb) => {
          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.KUBERNETES_AUTH])).andOn(
            `${TableName.Identity}.id`,
@@ -50,6 +56,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityGcpAuth).as("accessTokenTrustedIpsGcp"),
          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAzureAuth).as("accessTokenTrustedIpsAzure"),
          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
          db.ref("name").withSchema(TableName.Identity)
        )
@@ -63,6 +70,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
          doc.accessTokenTrustedIpsUa ||
          doc.accessTokenTrustedIpsGcp ||
          doc.accessTokenTrustedIpsAws ||
+          doc.accessTokenTrustedIpsAzure ||
          doc.accessTokenTrustedIpsK8s
      };
    } catch (error) {
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-dal.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-dal.ts
@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAzureAuthDALFactory = ReturnType<typeof identityAzureAuthDALFactory>;
+
+export const identityAzureAuthDALFactory = (db: TDbClient) => {
+  const azureAuthOrm = ormify(db, TableName.IdentityAzureAuth);
+  return azureAuthOrm;
+};
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts
@@ -0,0 +1,34 @@
+import axios from "axios";
+import jwt from "jsonwebtoken";
+
+import { UnauthorizedError } from "@app/lib/errors";
+
+import { TAzureAuthJwtPayload, TAzureJwksUriResponse, TDecodedAzureAuthJwt } from "./identity-azure-auth-types";
+
+export const validateAzureIdentity = async ({
+  tenantId,
+  resource,
+  jwt: azureJwt
+}: {
+  tenantId: string;
+  resource: string;
+  jwt: string;
+}) => {
+  const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/keys`;
+
+  const decodedJwt = jwt.decode(azureJwt, { complete: true }) as TDecodedAzureAuthJwt;
+  const { kid } = decodedJwt.header;
+
+  const { data }: { data: TAzureJwksUriResponse } = await axios.get(jwksUri);
+  const signingKeys = data.keys;
+
+  const signingKey = signingKeys.find((key) => key.kid === kid);
+  if (!signingKey) throw new UnauthorizedError();
+
+  const publicKey = `-----BEGIN CERTIFICATE-----\n${signingKey.x5c[0]}\n-----END CERTIFICATE-----`;
+
+  return jwt.verify(azureJwt, publicKey, {
+    audience: resource,
+    issuer: `https://sts.windows.net/${tenantId}/`
+  }) as TAzureAuthJwtPayload;
+};
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -0,0 +1,286 @@
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityAzureAuthDALFactory } from "./identity-azure-auth-dal";
+import { validateAzureIdentity } from "./identity-azure-auth-fns";
+import {
+  TAttachAzureAuthDTO,
+  TGetAzureAuthDTO,
+  TLoginAzureAuthDTO,
+  TUpdateAzureAuthDTO
+} from "./identity-azure-auth-types";
+
+type TIdentityAzureAuthServiceFactoryDep = {
+  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityAzureAuthServiceFactory = ReturnType<typeof identityAzureAuthServiceFactory>;
+
+export const identityAzureAuthServiceFactory = ({
+  identityAzureAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  permissionService,
+  licenseService
+}: TIdentityAzureAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: azureJwt }: TLoginAzureAuthDTO) => {
+    const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
+    if (!identityAzureAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAzureAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError();
+
+    const azureIdentity = await validateAzureIdentity({
+      tenantId: identityAzureAuth.tenantId,
+      resource: identityAzureAuth.resource,
+      jwt: azureJwt
+    });
+
+    if (azureIdentity.tid !== identityAzureAuth.tenantId) throw new UnauthorizedError();
+
+    if (identityAzureAuth.allowedServicePrincipalIds) {
+      // validate if the service principal id is in the list of allowed service principal ids
+
+      const isServicePrincipalAllowed = identityAzureAuth.allowedServicePrincipalIds
+        .split(",")
+        .map((servicePrincipalId) => servicePrincipalId.trim())
+        .some((servicePrincipalId) => servicePrincipalId === azureIdentity.oid);
+
+      if (!isServicePrincipalAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityAzureAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityAzureAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityAzureAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityAzureAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachAzureAuth = async ({
+    identityId,
+    tenantId,
+    resource,
+    allowedServicePrincipalIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add Azure Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
+      const doc = await identityAzureAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          tenantId,
+          resource,
+          allowedServicePrincipalIds,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.AZURE_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateAzureAuth = async ({
+    identityId,
+    tenantId,
+    resource,
+    allowedServicePrincipalIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update Azure Auth"
+      });
+
+    const identityGcpAuth = await identityAzureAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedAzureAuth = await identityAzureAuthDAL.updateById(identityGcpAuth.id, {
+      tenantId,
+      resource,
+      allowedServicePrincipalIds,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return {
+      ...updatedAzureAuth,
+      orgId: identityMembershipOrg.orgId
+    };
+  };
+
+  const getAzureAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have Azure Auth attached"
+      });
+
+    const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachAzureAuth,
+    updateAzureAuth,
+    getAzureAuth
+  };
+};
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
@@ -0,0 +1,120 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginAzureAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachAzureAuthDTO = {
+  identityId: string;
+  tenantId: string;
+  resource: string;
+  allowedServicePrincipalIds: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateAzureAuthDTO = {
+  identityId: string;
+  tenantId?: string;
+  resource?: string;
+  allowedServicePrincipalIds?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetAzureAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TAzureJwksUriResponse = {
+  keys: {
+    kty: string;
+    use: string;
+    kid: string;
+    x5t: string;
+    n: string;
+    e: string;
+    x5c: string[];
+  }[];
+};
+
+type TUserPayload = {
+  aud: string;
+  iss: string;
+  iat: number;
+  nbf: number;
+  exp: number;
+  acr: string;
+  aio: string;
+  amr: string[];
+  appid: string;
+  appidacr: string;
+  family_name: string;
+  given_name: string;
+  groups: string[];
+  idtyp: string;
+  ipaddr: string;
+  name: string;
+  oid: string;
+  puid: string;
+  rh: string;
+  scp: string;
+  sub: string;
+  tid: string;
+  unique_name: string;
+  upn: string;
+  uti: string;
+  ver: string;
+  wids: string[];
+  xms_cae: string;
+  xms_cc: string[];
+  xms_filter_index: string[];
+  xms_rd: string;
+  xms_ssm: string;
+  xms_tcdt: number;
+};
+
+type TAppPayload = {
+  aud: string;
+  iss: string;
+  iat: number;
+  nbf: number;
+  exp: number;
+  aio: string;
+  appid: string;
+  appidacr: string;
+  idp: string;
+  idtyp: string;
+  oid: string; // service principal id
+  rh: string;
+  sub: string;
+  tid: string;
+  uti: string;
+  ver: string;
+  xms_cae: string;
+  xms_cc: string[];
+  xms_rd: string;
+  xms_ssm: string;
+  xms_tcdt: number;
+};
+
+export type TAzureAuthJwtPayload = TUserPayload | TAppPayload;
+
+export type TDecodedAzureAuthJwt = {
+  header: {
+    type: string;
+    alg: string;
+    x5t: string;
+    kid: string;
+  };
+  payload: TAzureAuthJwtPayload;
+  signature: string;
+  metadata: {
+    [key: string]: string;
+  };
+};
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-validators.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-validators.ts
@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+export const validateAzureAuthField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each ID and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });
--- a/backend/src/services/identity-project/identity-project-service.ts
+++ b/backend/src/services/identity-project/identity-project-service.ts
@@ -259,7 +259,7 @@ export const identityProjectServiceFactory = ({
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });

-    const [deletedIdentity] = await identityProjectDAL.delete({ identityId });
+    const [deletedIdentity] = await identityProjectDAL.delete({ identityId, projectId });
    return deletedIdentity;
  };

--- a/backend/src/services/integration-auth/integration-team.ts
+++ b/backend/src/services/integration-auth/integration-team.ts
@@ -5,7 +5,7 @@ import { Integrations, IntegrationUrls } from "./integration-list";

 type Team = {
  name: string;
-  teamId: string;
+  id: string;
 };
 const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken: string }) => {
  const gitLabApiUrl = url ? `${url}/api` : IntegrationUrls.GITLAB_API_URL;
@@ -22,7 +22,7 @@ const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken:

  teams = res.map((t) => ({
    name: t.name,
-    teamId: t.id
+    id: t.id.toString()
  }));

  return teams;
--- a/company/handbook/onboarding.mdx
+++ b/company/handbook/onboarding.mdx
@@ -1,7 +1,7 @@
 ---
 title: "Onboarding"
 sidebarTitle: "Onboarding"
-description: "This handbook explains how we work at Infisical."
+description: "This guide explains the onboarding process for new joiners at Infisical."
 ---

 Welcome to Infisical! 
@@ -17,9 +17,12 @@ Every new joiner has an onboarding buddy who should ideally be in the the same t
 ## Onboarding Checklist

 1. Join the weekly all-hands meeting. It typically happens on Monday's at 8:30am PT.
-3. Ship something together on day one – even if tiny! It feels great to hit the ground running, with a development environment all ready to go.
-4. Check out the [Areas of Responsibility (AoR) Table](https://docs.google.com/spreadsheets/d/1RnXlGFg83Sgu0dh7ycuydsSobmFfI3A0XkGw7vrVxEI/edit?usp=sharing). This is helpful to know who you can ask about particular areas of Infisical. Feel free to add yourself to the areas you'd be most interesting to dive into.
-5. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1oy_NP1Q_Zt1oqxLpyNkLIGmhAI3N28AmZq6dDIOONSQ/edit?usp=sharing).
-7. Update your LinkedIn profile with one of [Infisical's official banners](https://drive.google.com/drive/u/0/folders/1oSNWjbpRl9oNYwxM_98IqzKs9fAskrb2) (if you want to). You can also coordinate your social posts in the #marketing Slack channel, so that we can boost it from Infisical's official social media accounts.
-8. Over the first few weeks, feel free to schedule 1:1s with folks on the team to get to know them a bit better.
-2. Change your Slack username in the users channel to `[NAME] (Infisical)`.
+2. Ship something together on day one – even if tiny! It feels great to hit the ground running, with a development environment all ready to go.
+3. Check out the [Areas of Responsibility (AoR) Table](https://docs.google.com/spreadsheets/d/1RnXlGFg83Sgu0dh7ycuydsSobmFfI3A0XkGw7vrVxEI/edit?usp=sharing). This is helpful to know who you can ask about particular areas of Infisical. Feel free to add yourself to the areas you'd be most interesting to dive into.
+4. Read the [Infisical Strategy Doc](https://docs.google.com/document/d/1oy_NP1Q_Zt1oqxLpyNkLIGmhAI3N28AmZq6dDIOONSQ/edit?usp=sharing).
+5. Update your LinkedIn profile with one of [Infisical's official banners](https://drive.google.com/drive/u/0/folders/1oSNWjbpRl9oNYwxM_98IqzKs9fAskrb2) (if you want to). You can also coordinate your social posts in the #marketing Slack channel, so that we can boost it from Infisical's official social media accounts.
+6. Over the first few weeks, feel free to schedule 1:1s with folks on the team to get to know them a bit better.
+7. Change your Slack username in the users channel to `[NAME] (Infisical)`.
+8. Go through the [technical overview](https://infisical.com/docs/internals/overview) of Infisical. 
+
+
--- a/company/handbook/spending-money.mdx
+++ b/company/handbook/spending-money.mdx
@@ -0,0 +1,27 @@
+---
+title: "Spenging Money"
+sidebarTitle: "Spending Money"
+description: "The guide to spending money at Infisical."
+---
+
+Fairly frequently, you might run into situations when you need to spend company money. 
+
+**Please spend money in a way that you think is in the best interest of the company.**
+
+## Trivial expenses
+
+We don't want you to be slowed down because you're waiting for an approval to purchase some SaaS. For trivial expenses – **Just do it**.
+
+This means expenses that are: 
+1. Non-recurring AND less than $75/month in total.
+2. Recurring AND less than $20/month. 
+
+## Saving receipts
+
+Make sure you keep copies for all receipts. If you expense something on a company card and cannot provide a receipt, this may be deducted from your pay.
+
+You should default to using your company card in all cases - it has no transaction fees. If using your personal card is unavoidable, please reach out to Maidul to get it reimbursed manually.
+
+## Brex
+
+We use Brex as our primary credit card provider. Don't have a company card yet? Reach out to Maidul. 
--- a/company/handbook/time-off.mdx
+++ b/company/handbook/time-off.mdx
@@ -0,0 +1,13 @@
+---
+title: "Time Off"
+sidebarTitle: "Time Off"
+description: "The guide to taking time off at Infisical."
+---
+
+We offer eveyone at Infisical unlimited time off. We care about your results, not how long you work.
+
+To request time off, just submit a request in Rippling and let Maidul know at least a week in advance. 
+
+## National holidays
+
+Since Infisical's team is globally distributed, it is hard for us to keep track of all the various national holidays across many different countries. Whether you'd like to celebrate Christmas or National Brisket Day (which, by the way, is on May 28th), you are welcome to take PTO on those days – just let Maidul know at least a week ahead so that we can adjust our planning. 
--- a/company/mint.json
+++ b/company/mint.json
@@ -56,7 +56,9 @@
    {
      "group": "How we work",
      "pages": [
-        "handbook/onboarding"
+        "handbook/onboarding", 
+        "handbook/spending-money",
+        "handbook/time-off"
      ]
    }
  ],
--- a/company/style.css
+++ b/company/style.css
@@ -1,7 +1,7 @@
 #navbar .max-w-8xl {
  max-width: 100%;
  border-bottom: 1px solid #ebebeb;
-  background-color: #fcfcfc;
+  background-color: #F4F3EF;
 }

 .max-w-8xl {
@@ -14,7 +14,7 @@
  padding-right: 30px;
  border-right: 1px;
  border-color: #cdd64b;
-  background-color: #fcfcfc;
+  background-color: #F4F3EF;
  border-right: 1px solid #ebebeb;
 }

@@ -37,6 +37,13 @@
  padding: 0px;
 }

+#sidebar li > a.text-primary {
+  border-radius: 0;
+  background-color: #FBFFCC;
+  border-left: 4px solid #EFFF33;
+  padding: 5px;
+}
+
 /* #sidebar ul > div.mt-12 {
  padding-top: 30px;
  position: relative;
@@ -49,10 +56,10 @@
 } */

 #header {
-  border-left: 1px solid #26272b;
+  border-left: 4px solid #EFFF33;
  padding-left: 16px;
  padding-right: 16px;
-  background-color: #f5f5f5;
+  background-color: #FDFFE5;
  padding-bottom: 10px;
  padding-top: 10px;
 }
@@ -63,6 +70,13 @@
  border-color: #ebebeb;
 }

+#content-area:hover .mt-8 .block:hover{
+  border-radius: 0;
+  border-width: 1px;
+  background-color: #FDFFE5;
+  border-color: #EFFF33;
+}
+
 #content-area .mt-8 .rounded-xl{
  border-radius: 0;
 }
--- a/docs/documentation/guides/node.mdx
+++ b/docs/documentation/guides/node.mdx
@@ -36,7 +36,7 @@ Initialize a new Node.js project with a default `package.json` file.
 npm init -y
 ```

-Install `express` and [infisical-node](https://github.com/Infisical/infisical-node), the client Node SDK for Infisical.
+Install `express` and [@infisical/sdk](https://www.npmjs.com/package/@infisical/sdk), the client Node SDK for Infisical.

 ```console
 npm install express @infisical/sdk
@@ -46,16 +46,19 @@ Finally, create an index.js file containing the application code.

 ```js
 const express = require('express');
-const { InfisicalClient, LogLevel } = require("@infisical/sdk");
+const { InfisicalClient } = require("@infisical/sdk");

 const app = express();

 const PORT = 3000;

 const client = new InfisicalClient({
-    clientId: "YOUR_CLIENT_ID",
-    clientSecret: "YOUR_CLIENT_SECRET",
-    logLevel: LogLevel.Error
+    auth: {
+      universalAuth: {
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET",
+      }
+    }
 });

 app.get("/", async (req, res) => {
--- a/docs/documentation/guides/python.mdx
+++ b/docs/documentation/guides/python.mdx
@@ -5,7 +5,7 @@ title: "Python"
 This guide demonstrates how to use Infisical to manage secrets for your Python stack from local development to production. It uses:

 - Infisical (you can use [Infisical Cloud](https://app.infisical.com) or a [self-hosted instance of Infisical](https://infisical.com/docs/self-hosting/overview)) to store your secrets.
- The [infisical-python](https://github.com/Infisical/sdk/tree/main/crates/infisical-py) Python client SDK to fetch secrets back to your Python application on demand.
+- The [infisical-python](https://pypi.org/project/infisical-python/) Python client SDK to fetch secrets back to your Python application on demand.

 ## Project Setup

@@ -36,23 +36,27 @@ python3 -m venv env
 source env/bin/activate
 ```

-Install Flask and [infisical-python](https://github.com/Infisical/sdk/tree/main/crates/infisical-py), the client Python SDK for Infisical.
+Install Flask and [infisical-python](https://pypi.org/project/infisical-python/), the client Python SDK for Infisical.

 ```console
-pip install Flask infisical-python
+pip install flask infisical-python
 ```

 Finally, create an `app.py` file containing the application code.

 ```py
 from flask import Flask
-from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions
+from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions, AuthenticationOptions, UniversalAuthMethod

 app = Flask(__name__)

 client = InfisicalClient(ClientSettings(
-    client_id="MACHINE_IDENTITY_CLIENT_ID",
-    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
 ))

@app.route("/")
--- a/docs/documentation/platform/identities/aws-auth.mdx
+++ b/docs/documentation/platform/identities/aws-auth.mdx
@@ -280,6 +280,10 @@ access the Infisical API using the AWS Auth authentication method.
                    --data-urlencode 'iamRequestHeaders=...'
                ```

+                <Note>
+                    Note that you should replace `<identityId>` with the ID of the identity you created in step 1.
+                </Note>
+
                #### Sample response

                ```bash Response
--- a/docs/documentation/platform/identities/azure-auth.mdx
+++ b/docs/documentation/platform/identities/azure-auth.mdx
@@ -0,0 +1,176 @@
+---
+title: Azure Auth
+description: "Learn how to authenticate with Infisical for services on Azure"
+---
+
+**Azure Auth** is an Azure-native authentication method for Azure resources like Azure VMs, Azure App Services, Azure Functions, Azure Kubernetes Service, etc. to access Infisical.
+
+## Diagram
+
+The following sequence digram illustrates the Azure Auth workflow for authenticating Azure [service principals](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+  participant Azure as Azure AD OpenID
+
+  Note over Client,Azure: Step 1: Instance Identity Token Retrieval
+  Client->>Azure: Request managed identity access token
+  Azure-->>Client: Return managed identity access token
+
+  Note over Client,Infis: Step 2: Identity Token Login Operation
+  Client->>Infis: Send managed identity access token to /api/v1/auth/azure-auth/login
+  Infis->>Azure: Request public key
+  Azure-->>Infis: Return public key
+
+  Note over Infis: Step 3: Identity Token Verification
+  Note over Infis: Step 4: Identity Property Validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 4: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high-level, Infisical authenticates an Azure service by verifying its identity and checking that it meets specific requirements (e.g. it is bound to an allowed service principal) at the `/api/v1/auth/azure-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The client running on an Azure service obtains an [access token](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) that is a JWT token representing the managed identity for the Azure resource such as a Virtual Machine; the managed identity is associated with a service principal in Azure AD.
+2. The client sends the access token to Infisical.
+3. Infisical verifies the token against the corresponding public key at the [public Azure AD OpenID configuration endpoint](https://learn.microsoft.com/en-us/answers/questions/793793/azure-ad-validate-access-token).
+4. Infisical checks if the entity behind the access token is allowed to authenticate with Infisical based on set criteria such as **Allowed Service Principal IDs**.
+5. If all is well, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using Azure Auth as they handle the
+authentication process including generating the client access token for you.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the Azure Auth workflow.
+
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your applications in Azure to
+access the Infisical API using the Azure Auth authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **Azure Auth**.
+
+    ![identities create azure auth method](/images/platform/identities/identities-org-create-azure-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Tenant ID: The [tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) for the Azure AD organization.
+    - Resource / Audience: The resource URL for the application registered in Azure AD. The value is expected to match the `aud` claim of the access token JWT later used in the login operation against Infisical. See the [resource](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint. In most cases, this value should be `https://management.azure.com/` which is the default.
+    - Allowed Service Principal IDs: A comma-separated list of Azure AD service principal IDs that are allowed to authenticate with Infisical.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+        To access the Infisical API as the identity, you need to generate a managed identity [access token](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) that is a JWT token representing the managed identity for the Azure resource such as a Virtual Machine. The client token must be sent to the `/api/v1/auth/azure-auth/login` endpoint in exchange for a separate access token to access the Infisical API.
+
+        We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+        <AccordionGroup>
+            <Accordion
+                title="Sample code for generating the access token"
+            >
+                Start by making a request from your Azure client such as Virtual Machine to obtain a managed identity access token.
+
+                For more examples of how to obtain the managed identity access token, refer to the [official documentation](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http).
+
+                #### Sample request
+                ```bash curl
+                curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s
+                ```
+
+                #### Sample response
+                ```bash
+                {
+                    "access_token": "eyJ0eXAi...",
+                    "refresh_token": "",
+                    "expires_in": "3599",
+                    "expires_on": "1506484173",
+                    "not_before": "1506480273",
+                    "resource": "https://management.azure.com/",
+                    "token_type": "Bearer"
+                }
+                ```
+
+                Next use send the obtained managed identity access token (i.e. the token from the `access_token` field above) to authenticate with Infisical and obtain a separate access token.
+
+                #### Sample request
+
+                ```bash Request
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+                    --header 'Content-Type: application/x-www-form-urlencoded' \
+                    --data-urlencode 'identityId=...' \
+                    --data-urlencode 'jwt=...'
+                ```
+
+                <Note>
+                    Note that you should replace `<identityId>` with the ID of the identity you created in step 1.
+                </Note>
+
+                #### Sample response
+
+                ```bash Response
+                {
+                    "accessToken": "...",
+                    "expiresIn": 7200,
+                    "accessTokenMaxTTL": 43244
+                    "tokenType": "Bearer"
+                }
+                ```
+
+                Next, you can use this access token to access the [Infisical API](/api-reference/overview/introduction)
+            </Accordion>
+        </AccordionGroup>
+
+        <Tip>
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using Azure Auth as they handle the authentication process including retrieving the client access token.
+        </Tip>
+        <Note>
+        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+        </Note>
+    </Step>
+
+</Steps>
--- a/docs/documentation/platform/identities/machine-identities.mdx
+++ b/docs/documentation/platform/identities/machine-identities.mdx
@@ -7,9 +7,9 @@ description: "Learn how to use Machine Identities to programmatically interact w

 An Infisical machine identity is an entity that represents a workload or application that require access to various resources in Infisical. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).

-Each identity must authenticate with the Infisical API using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth), [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth), [AWS Auth](/documentation/platform/identities/aws-auth), or [GCP Auth](/documentation/platform/identities/gcp-auth) to get back a short-lived access token to be used in subsequent requests.
+Each identity must authenticate with the Infisical API using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth), [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth), [AWS Auth](/documentation/platform/identities/aws-auth), [Azure Auth](/documentation/platform/identities/azure-auth), or [GCP Auth](/documentation/platform/identities/gcp-auth) to get back a short-lived access token to be used in subsequent requests.

-![organization identities](/images/platform/organization/organization-machine-identities.png)
+![Organization Identities](/images/platform/organization/organization-machine-identities.png)

 Key Features:

@@ -39,11 +39,10 @@ To interact with various resources in Infisical, Machine Identities are able to

 - [Universal Auth](/documentation/platform/identities/universal-auth): A platform-agnostic authentication method that can be configured on an identity suitable to authenticate from any platform/environment.
 - [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth): A Kubernetes-native authentication method for applications (e.g. pods) to authenticate with Infisical.
- [AWS Auth](/documentation/platform/identities/aws-auth): An AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to authenticate with Infisical.
+- [AWS Auth](/documentation/platform/identities/aws-auth): An AWS-native authentication method for AWS services (e.g. EC2, Lambda functions, etc.) to authenticate with Infisical.
+- [Azure Auth](/documentation/platform/identities/azure-auth): An Azure-native authentication method for Azure resources (e.g. Azure VMs, Azure App Services, Azure Functions, Azure Kubernetes Service, etc.) to authenticate with Infisical.
 - [GCP Auth](/documentation/platform/identities/gcp-auth): A GCP-native authentication method for GCP resources (e.g. Compute Engine, App Engine, Cloud Run, Google Kubernetes Engine, IAM service accounts, etc.) to authenticate with Infisical.

-IAM service accounts and GCE instances to authenticate with Infisical.
-
 ## FAQ

 <AccordionGroup>
--- a/docs/images/platform/identities/identities-org-create-azure-auth-method.png
+++ b/docs/images/platform/identities/identities-org-create-azure-auth-method.png
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -160,6 +160,7 @@
        "documentation/platform/identities/universal-auth",
        "documentation/platform/identities/kubernetes-auth",
        "documentation/platform/identities/gcp-auth",
+        "documentation/platform/identities/azure-auth",
        "documentation/platform/identities/aws-auth",
        "documentation/platform/mfa",
        {
--- a/docs/sdks/languages/csharp.mdx
+++ b/docs/sdks/languages/csharp.mdx
@@ -21,21 +21,28 @@ namespace Example
        static void Main(string[] args)
        {

-            var settings = new ClientSettings
+          ClientSettings settings = new ClientSettings
+          {
+            Auth = new AuthenticationOptions
            {
-                ClientId = "CLIENT_ID",
-                ClientSecret = "CLIENT_SECRET",
-                // SiteUrl = "http://localhost:8080", <-- This line can be omitted if you're using Infisical Cloud.
-            };
-            var infisical = new InfisicalClient(settings);
+              UniversalAuth = new UniversalAuthMethod
+              {
+                ClientId = "your-client-id",
+                ClientSecret = "your-client-secret"
+              }
+            }
+          };

-            var options = new GetSecretOptions
+
+          var infisicalClient = new InfisicalClient(settings);
+
+            var getSecretOptions = new GetSecretOptions
            {
                SecretName = "TEST",
                ProjectId = "PROJECT_ID",
                Environment = "dev",
            };
-            var secret = infisical.GetSecret(options);
+            var secret = infisical.GetSecret(getSecretOptions);


            Console.WriteLine($"The value of secret '{secret.SecretKey}', is: {secret.SecretValue}");
@@ -52,8 +59,6 @@ This example demonstrates how to use the Infisical C# SDK in a C# application. T

 # Installation

-Run `npm` to add `@infisical/sdk` to your project.
-
 ```console
 $ dotnet add package Infisical.Sdk
 ```
@@ -70,14 +75,20 @@ namespace Example
    {
        static void Main(string[] args)
        {
-
-            var settings = new ClientSettings
+          ClientSettings settings = new ClientSettings
+          {
+            Auth = new AuthenticationOptions
            {
-                ClientId = "CLIENT_ID",
-                ClientSecret = "CLIENT_SECRET",
-            };
+              UniversalAuth = new UniversalAuthMethod
+              {
+                ClientId = "your-client-id",
+                ClientSecret = "your-client-secret"
+              }
+            }
+          };

-            var infisical = new InfisicalClient(settings); // <-- Your SDK instance!
+
+          var infisicalClient = new InfisicalClient(settings); // <-- Your SDK client is now ready to use
        }
    }
 }
@@ -87,14 +98,14 @@ namespace Example

 <ParamField query="options" type="object">
    <Expandable title="properties">
-        <ParamField query="ClientId" type="string" optional>
+        <ParamField query="ClientId" deprecated type="string" optional>
            Your machine identity client ID.
        </ParamField>
-          <ParamField query="ClientSecret" type="string" optional>
+          <ParamField query="ClientSecret" deprecated type="string" optional>
            Your machine identity client secret.
        </ParamField>

-         <ParamField query="AccessToken" type="string" optional>
+         <ParamField query="AccessToken" deprecated type="string" optional>
            An access token obtained from the machine identity login endpoint.
        </ParamField>

@@ -103,13 +114,175 @@ namespace Example
            If manually set to 0, caching will be disabled, this is not recommended.
        </ParamField>

-        <ParamField query="SiteUrl()" type="string" default="https://app.infisical.com" optional>
+        <ParamField query="SiteUrl" type="string" default="https://app.infisical.com" optional>
            Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
        </ParamField>
+
+        <ParamField query="Auth" type="AuthenticationOptions">
+          The authentication object to use for the client. This is required unless you're using environment variables.
+        </ParamField>
    </Expandable>

 </ParamField>

+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```csharp
+    ClientSettings settings = new ClientSettings
+    {
+      Auth = new AuthenticationOptions
+      {
+        UniversalAuth = new UniversalAuthMethod
+        {
+          ClientId = "your-client-id",
+          ClientSecret = "your-client-secret"
+        }
+      }
+    };
+
+    var infisicalClient = new InfisicalClient(settings);
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      GcpIdToken = new GcpIdTokenAuthMethod
+      {
+        IdentityId = "your-machine-identity-id",
+      }
+    }
+  };
+
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      GcpIam = new GcpIamAuthMethod
+      {
+        IdentityId = "your-machine-identity-id",
+        ServiceAccountKeyFilePath = "./path/to/your/service-account-key.json"
+      }
+    }
+  };
+
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      AwsIam = new AwsIamAuthMethod
+      {
+        IdentityId = "your-machine-identity-id",
+      }
+    }
+  };
+
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+
+#### Azure Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Azure.
+  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      Azure = new AzureAuthMethod
+      {
+        IdentityId = "YOUR_IDENTITY_ID",
+      }
+    }
+  };
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+#### Kubernetes Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Kubernetes.
+  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_KUBERNETES_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+
+**Using the SDK directly**
+```csharp
+  ClientSettings settings = new ClientSettings
+  {
+    Auth = new AuthenticationOptions
+    {
+      Kubernetes = new KubernetesAuthMethod
+      {
+        ServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token", // Optional
+        IdentityId = "YOUR_IDENTITY_ID",
+      }
+    }
+  };
+
+  var infisicalClient = new InfisicalClient(settings);
+```
+
+
+
 ### Caching

 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTTL" option when creating the client.
@@ -155,6 +328,14 @@ Retrieve all secrets within the Infisical project and environment that client is
        <ParamField query="IncludeImports" type="boolean" default="false" optional>
             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
        </ParamField>
+
+        <ParamField query="Recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="ExpandSecretReferences" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
    </Expandable>

 </ParamField>
--- a/docs/sdks/languages/java.mdx
+++ b/docs/sdks/languages/java.mdx
@@ -19,12 +19,19 @@ import com.infisical.sdk.schema.*;

 public class Example {
    public static void main(String[] args) {
-        // Create a new Infisical Client
+       
+        // Create the authentication settings for the client
        ClientSettings settings = new ClientSettings();
-        settings.setClientID("MACHINE_IDENTITY_CLIENT_ID");
-        settings.setClientSecret("MACHINE_IDENTITY_CLIENT_SECRET");
-        settings.setCacheTTL(Long.valueOf(300)); // 300 seconds, 5 minutes
+        AuthenticationOptions authOptions = new AuthenticationOptions();
+        UniversalAuthMethod authMethod = new UniversalAuthMethod();

+        authMethod.setClientID("YOUR_IDENTITY_ID");
+        authMethod.setClientSecret("YOUR_CLIENT_SECRET");
+
+        authOptions.setUniversalAuth(authMethod);
+        settings.setAuth(authOptions);
+
+        // Create a new Infisical Client
        InfisicalClient client = new InfisicalClient(settings);

        // Create the options for fetching the secret
@@ -68,11 +75,18 @@ import com.infisical.sdk.schema.*;

 public class App {
    public static void main(String[] args) {
-
+        // Create the authentication settings for the client
        ClientSettings settings = new ClientSettings();
-        settings.setClientID("MACHINE_IDENTITY_CLIENT_ID");
-        settings.setClientSecret("MACHINE_IDENTITY_CLIENT_SECRET");
+        AuthenticationOptions authOptions = new AuthenticationOptions();
+        UniversalAuthMethod authMethod = new UniversalAuthMethod();

+        authMethod.setClientID("YOUR_IDENTITY_ID");
+        authMethod.setClientSecret("YOUR_CLIENT_SECRET");
+
+        authOptions.setUniversalAuth(authMethod);
+        settings.setAuth(authOptions);
+
+        // Create a new Infisical Client
        InfisicalClient client = new InfisicalClient(settings); // Your client!
    }
 }
@@ -82,15 +96,21 @@ public class App {

 <ParamField query="options" type="object">
    <Expandable title="properties">
-        <ParamField query="setClientID()" type="string" optional>
+        <ParamField query="setClientID()" type="string" deprecated optional>
            Your machine identity client ID.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `setAuth()` method on the client settings instead.
        </ParamField>
-          <ParamField query="setClientSecret()" type="string" optional>
+          <ParamField query="setClientSecret()" deprecated type="string" optional>
            Your machine identity client secret.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `setAuth()` method on the client settings instead.
        </ParamField>

-         <ParamField query="setAccessToken()" type="string" optional>
+         <ParamField query="setAccessToken()" deprecatedtype="string" optional>
            An access token obtained from the machine identity login endpoint.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `setAuth()` method on the client settings instead.
        </ParamField>

        <ParamField query="setCacheTTL()" type="number" default="300" optional>
@@ -101,10 +121,155 @@ public class App {
        <ParamField query="setSiteURL()" type="string" default="https://app.infisical.com" optional>
            Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
        </ParamField>
+
+        <ParamField query="setAuth()" type="AuthenticationOptions">
+          The authentication object to use for the client. This is required unless you're using environment variables.
+      </ParamField>
    </Expandable>

 </ParamField>

+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  UniversalAuthMethod authMethod = new UniversalAuthMethod();
+
+  authMethod.setClientID("YOUR_IDENTITY_ID");
+  authMethod.setClientSecret("YOUR_CLIENT_SECRET");
+
+  authOptions.setUniversalAuth(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  GCPIDTokenAuthMethod authMethod = new GCPIDTokenAuthMethod();
+
+  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
+
+  authOptions.setGcpIDToken(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  GCPIamAuthMethod authMethod = new GCPIamAuthMethod();
+
+  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
+  authMethod.setServiceAccountKeyFilePath("./path/to/your/service-account-key.json");
+
+  authOptions.setGcpIam(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  AWSIamAuthMethod authMethod = new AWSIamAuthMethod();
+
+  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
+
+  authOptions.setAwsIam(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### Azure Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Azure.
+  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  AzureAuthMethod authMethod = new AzureAuthMethod();
+  
+  authMethod.setIdentityID("YOUR_IDENTITY_ID");
+
+  authOptions.setAzure(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+#### Kubernetes Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Kubernetes.
+  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_KUBERNETES_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+
+**Using the SDK directly**
+```java
+  ClientSettings settings = new ClientSettings();
+  AuthenticationOptions authOptions = new AuthenticationOptions();
+  KubernetesAuthMethod authMethod = new KubernetesAuthMethod();
+
+  authMethod.setIdentityID("YOUR_IDENTITY_ID");
+  authMethod.setServiceAccountTokenPath("/var/run/secrets/kubernetes.io/serviceaccount/token"); // Optional
+
+  authOptions.setKubernetes(authMethod);
+  settings.setAuth(authOptions);
+
+  InfisicalClient client = new InfisicalClient(settings);
+```
+
+
 ### Caching

 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTTL" option when creating the client.
@@ -119,6 +284,8 @@ options.setEnvironment("dev");
 options.setProjectID("PROJECT_ID");
 options.setPath("/foo/bar");
 options.setIncludeImports(false);
+options.setRecursive(false);
+options.setExpandSecretReferences(true);

 SecretElement[] secrets = client.listSecrets(options);
 ```
@@ -148,6 +315,14 @@ Retrieve all secrets within the Infisical project and environment that client is
        <ParamField query="setIncludeImports()" type="boolean" default="false" optional>
             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
        </ParamField>
+
+         <ParamField query="setRecursive()" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="setExpandSecretReferences()" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
    </Expandable>

 </ParamField>
--- a/docs/sdks/languages/node.mdx
+++ b/docs/sdks/languages/node.mdx
@@ -4,7 +4,7 @@ sidebarTitle: "Node.js"
 icon: "node"
 ---

-If you're working with Node.js, the official [infisical-node](https://github.com/Infisical/sdk/tree/main/languages/node) package is the easiest way to fetch and work with secrets for your application.
+If you're working with Node.js, the official [Infisical Node SDK](https://github.com/Infisical/sdk/tree/main/languages/node) package is the easiest way to fetch and work with secrets for your application.

 - [NPM Package](https://www.npmjs.com/package/@infisical/sdk)
 - [Github Repository](https://github.com/Infisical/sdk/tree/main/languages/node)
@@ -14,21 +14,25 @@ If you're working with Node.js, the official [infisical-node](https://github.com
 ```js
 import express from "express";

-import { InfisicalClient, LogLevel } from "@infisical/sdk";
+import { InfisicalClient } from "@infisical/sdk";

 const app = express();

 const PORT = 3000;

 const client = new InfisicalClient({
-    clientId: "YOUR_CLIENT_ID",
-    clientSecret: "YOUR_CLIENT_SECRET",
-    logLevel: LogLevel.Error
+    siteUrl: "https://app.infisical.com", // Optional, defaults to https://app.infisical.com
+    auth: {
+      universalAuth: {
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET"
+      }
+    }
 });

 app.get("/", async (req, res) => {
-    // access value
-
+  // Access the secret
+  
    const name = await client.getSecret({
        environment: "dev",
        projectId: "PROJECT_ID",
@@ -72,8 +76,12 @@ Import the SDK and create a client instance with your [Machine Identity](/docume
    import { InfisicalClient, LogLevel } from "@infisical/sdk";

    const client = new InfisicalClient({
-        clientId: "YOUR_CLIENT_ID",
-        clientSecret: "YOUR_CLIENT_SECRET",
+        auth: {
+          universalAuth: {
+            clientId: "YOUR_CLIENT_ID",
+            clientSecret: "YOUR_CLIENT_SECRET"
+          }
+        },
        logLevel: LogLevel.Error
    });
    ```
@@ -81,31 +89,40 @@ Import the SDK and create a client instance with your [Machine Identity](/docume
  </Tab>
  <Tab title="ES5">
    ```js
-    const { InfisicalClient, LogLevel } = require("@infisical/sdk");
+    const { InfisicalClient } = require("@infisical/sdk");

    const client = new InfisicalClient({
-        clientId: "YOUR_CLIENT_ID",
-        clientSecret: "YOUR_CLIENT_SECRET",
-        logLevel: LogLevel.Error
+        auth: {
+          universalAuth: {
+            clientId: "YOUR_CLIENT_ID",
+            clientSecret: "YOUR_CLIENT_SECRET"
+          }
+        },
    });
    ```

  </Tab>
 </Tabs>

-#### Parameters
+### Parameters

 <ParamField query="options" type="object">
    <Expandable title="properties">
-        <ParamField query="clientId" type="string" optional>
+        <ParamField query="clientId" deprecated type="string" optional>
            Your machine identity client ID.
+            
+            **This field is deprecated and will be removed in future versions.** Please use the `auth.universalAuth.clientId` field instead.
        </ParamField>
-          <ParamField query="clientSecret" type="string" optional>
+          <ParamField query="clientSecret" deprecated type="string" optional>
            Your machine identity client secret.
+            
+            **This field is deprecated and will be removed in future versions.** Please use the `auth.universalAuth.clientSecret` field instead.
        </ParamField>

-         <ParamField query="accessToken" type="string" optional>
+         <ParamField query="accessToken" deprecated type="string" optional>
            An access token obtained from the machine identity login endpoint.
+            
+            **This field is deprecated and will be removed in future versions.** Please use the `auth.accessToken` field instead.
        </ParamField>

        <ParamField query="cacheTtl" type="number" default="300" optional>
@@ -119,10 +136,138 @@ Import the SDK and create a client instance with your [Machine Identity](/docume
        <ParamField query="logLevel" type="enum" default="Error" optional>
            The level of logs you wish to log The logs are derived from Rust, as we have written our base SDK in Rust.
        </ParamField>
+
+        <ParamField query="auth" type="AuthenticationOptions">
+            The authentication object to use for the client. This is required unless you're using environment variables.
+        </ParamField>
    </Expandable>

 </ParamField>

+
+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      universalAuth: {
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET"
+      }
+    }
+});
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      gcpIdToken: {
+        identityId: "YOUR_IDENTITY_ID"
+      }
+    }
+});
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      gcpIam: {
+        identityId: "YOUR_IDENTITY_ID",
+        serviceAccountKeyFilePath: "./path/to/your/service-account-key.json"
+      }
+    }
+});
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+    auth: {
+      awsIam: {
+        identityId: "YOUR_IDENTITY_ID"
+      }
+    }
+});
+```
+
+#### Azure Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Azure.
+  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+  auth: {
+    azure: {
+      identityId: "YOUR_IDENTITY_ID"
+    }
+  }
+});
+```
+
+
+#### Kubernetes Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Kubernetes.
+  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_KUBERNETES_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+
+**Using the SDK directly**
+```js
+const client = new InfisicalClient({
+  auth: {
+    kubernetes: {
+      identityId: "YOUR_IDENTITY_ID",
+      serviceAccountTokenPathEnvName: "/var/run/secrets/kubernetes.io/serviceaccount/token" // Optional
+    }
+  }
+});
+```
+
 ### Caching

 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTtl" option when creating the client.
@@ -161,6 +306,14 @@ Retrieve all secrets within the Infisical project and environment that client is
            Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `process.env["SECRET_NAME"]`.
        </ParamField>

+        <ParamField query="recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="expandSecretReferences" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
+
        <ParamField query="includeImports" type="false" default="boolean" optional>
             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
        </ParamField>
--- a/docs/sdks/languages/python.mdx
+++ b/docs/sdks/languages/python.mdx
@@ -6,20 +6,24 @@ icon: "python"

 If you're working with Python, the official [infisical-python](https://github.com/Infisical/sdk/edit/main/crates/infisical-py) package is the easiest way to fetch and work with secrets for your application.

- [PyPi Package](https://pypi.org/project/infisical-python/)
- [Github Repository](https://github.com/Infisical/sdk/edit/main/crates/infisical-py)
+-   [PyPi Package](https://pypi.org/project/infisical-python/)
+-   [Github Repository](https://github.com/Infisical/sdk/edit/main/crates/infisical-py)

 ## Basic Usage

 ```py
 from flask import Flask
-from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions
+from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions, AuthenticationOptions, UniversalAuthMethod

 app = Flask(__name__)

 client = InfisicalClient(ClientSettings(
-    client_id="MACHINE_IDENTITY_CLIENT_ID",
-    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
 ))

@app.route("/")
@@ -38,7 +42,7 @@ def hello_world():
 This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.

 <Warning>
-    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+	We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
 </Warning>

 ## Installation
@@ -56,11 +60,15 @@ Note: You need Python 3.7+.
 Import the SDK and create a client instance with your [Machine Identity](/api-reference/overview/authentication).

 ```py
-from infisical_client import ClientSettings, InfisicalClient
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, UniversalAuthMethod

 client = InfisicalClient(ClientSettings(
-    client_id="MACHINE_IDENTITY_CLIENT_ID",
-    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
 ))
 ```

@@ -68,14 +76,20 @@ client = InfisicalClient(ClientSettings(

 <ParamField query="options" type="object">
    <Expandable title="properties">
-        <ParamField query="client_id" type="string" optional>
+        <ParamField query="client_id" type="string" deprecated optional>
            Your Infisical Client ID.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `auth` field instead.
        </ParamField>
-        <ParamField query="client_secret" type="string" optional>
+        <ParamField query="client_secret" type="string" deprecated optional>
            Your Infisical Client Secret.
+
+          **This field is deprecated and will be removed in future versions.** Please use the `auth` field instead.
        </ParamField>
-        <ParamField query="access_token" type="string" optional>
+        <ParamField query="access_token" type="string" deprecated optional>
            If you want to directly pass an access token obtained from the authentication endpoints, you can do so.
+
+            **This field is deprecated and will be removed in future versions.** Please use the `auth` field instead.
        </ParamField>

        <ParamField query="cache_ttl" type="number" default="300" optional>
@@ -85,18 +99,155 @@ client = InfisicalClient(ClientSettings(


        <ParamField
-        query="site_url"
-        type="string"
-        default="https://app.infisical.com"
-        optional
+          query="site_url"
+          type="string"
+          default="https://app.infisical.com"
+          optional
        >
-        Your self-hosted absolute site URL including the protocol (e.g.
-        `https://app.infisical.com`)
+          Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
        </ParamField>
+
+        <ParamField query="auth" type="AuthenticationOptions">
+          The authentication object to use for the client. This is required unless you're using environment variables.
+      </ParamField>
    </Expandable>

 </ParamField>

+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```python3
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, UniversalAuthMethod
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+      universal_auth=UniversalAuthMethod(
+        client_id="CLIENT_ID",
+        client_secret="CLIENT_SECRET",
+      )
+    )
+))
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```py
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, GCPIDTokenAuthMethod
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        gcp_id_token=GCPIDTokenAuthMethod(
+            identity_id="MACHINE_IDENTITY_ID",
+        )
+    )
+))
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```py
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, GCPIamAuthMethod
+
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        gcp_iam=GCPIamAuthMethod(
+            identity_id="MACHINE_IDENTITY_ID",
+            service_account_key_file_path="./path/to/service_account_key.json"
+        )
+    )
+))
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```py
+from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, AWSIamAuthMethod
+
+client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        aws_iam=AWSIamAuthMethod(identity_id="MACHINE_IDENTITY_ID")
+    )
+))
+```
+
+#### Azure Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Azure.
+  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```python
+from infisical_client import InfisicalClient, ClientSettings, AuthenticationOptions, AzureAuthMethod
+
+kubernetes_client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        azure=AzureAuthMethod(
+            identity_id="YOUR_IDENTITY_ID",
+        )
+    )
+))
+```
+
+
+#### Kubernetes Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Kubernetes.
+  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+- `INFISICAL_KUBERNETES_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+
+**Using the SDK directly**
+```python
+from infisical_client import InfisicalClient, ClientSettings, AuthenticationOptions, KubernetesAuthMethod
+
+kubernetes_client = InfisicalClient(ClientSettings(
+    auth=AuthenticationOptions(
+        kubernetes=KubernetesAuthMethod(
+            identity_id="YOUR_IDENTITY_ID",
+            service_account_token_path="/var/run/secrets/kubernetes.io/serviceaccount/token" # Optional
+        )
+    )
+))
+```
+
 ### Caching

 To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cache_ttl" option when creating the client.
@@ -133,6 +284,14 @@ Retrieve all secrets within the Infisical project and environment that client is
            Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `process.env["SECRET_NAME"]`.
        </ParamField>

+        <ParamField query="recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="expand_secret_references" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
+
        <ParamField query="include_imports" type="boolean" default="false" optional>
             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
        </ParamField>
@@ -156,26 +315,26 @@ By default, `getSecret()` fetches and returns a shared secret. If not found, it
 #### Parameters

 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string" required>
-            The key of the secret to retrieve
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be fetched from.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
-        </ParamField>
-        <ParamField query="include_imports" type="boolean" default="false" optional>
-            Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string" required>
+			The key of the secret to retrieve
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be fetched from.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
+		</ParamField>
+		<ParamField query="include_imports" type="boolean" default="false" optional>
+			Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+		</ParamField>
+	</Expandable>
 </ParamField>

 ### client.createSecret(options)
@@ -194,26 +353,26 @@ Create a new secret in Infisical.
 #### Parameters

 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string" required>
-            The key of the secret to create.
-        </ParamField>
-        <ParamField query="secret_value" type="string" required>
-            The value of the secret.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be created.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string" required>
+			The key of the secret to create.
+		</ParamField>
+		<ParamField query="secret_value" type="string" required>
+			The value of the secret.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be created.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+		</ParamField>
+	</Expandable>
 </ParamField>

 ### client.updateSecret(options)
@@ -232,26 +391,26 @@ Update an existing secret in Infisical.
 #### Parameters

 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string" required>
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="secret_value" type="string" required>
-            The new value of the secret.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be updated.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string" required>
+			The key of the secret to update.
+		</ParamField>
+		<ParamField query="secret_value" type="string" required>
+			The new value of the secret.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be updated.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+		</ParamField>
+	</Expandable>
 </ParamField>

 ### client.deleteSecret(options)
@@ -269,23 +428,23 @@ Delete a secret in Infisical.
 #### Parameters

 <ParamField query="Parameters" type="object" optional>
-    <Expandable title="properties">
-        <ParamField query="secret_name" type="string">
-            The key of the secret to update.
-        </ParamField>
-        <ParamField query="project_id" type="string" required>
-            The project ID where the secret lives in.
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
-        </ParamField>
-        <ParamField query="path" type="string" optional>
-            The path from where secret should be deleted.
-        </ParamField>
-        <ParamField query="type" type="string" optional>
-            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="secret_name" type="string">
+			The key of the secret to update.
+		</ParamField>
+		<ParamField query="project_id" type="string" required>
+			The project ID where the secret lives in.
+		</ParamField>
+		<ParamField query="environment" type="string" required>
+			The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+		</ParamField>
+		<ParamField query="path" type="string" optional>
+			The path from where secret should be deleted.
+		</ParamField>
+		<ParamField query="type" type="string" optional>
+			The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+		</ParamField>
+	</Expandable>
 </ParamField>

 ## Cryptography
@@ -299,9 +458,11 @@ key = client.createSymmetricKey()
 ```

 #### Returns (string)
+
 `key` (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.

 ### Encrypt symmetric
+
 ```py
 encryptOptions = EncryptSymmetricOptions(
    key=key,
@@ -314,22 +475,22 @@ encryptedData = client.encryptSymmetric(encryptOptions)
 #### Parameters

 <ParamField query="Parameters" type="object" required>
-    <Expandable title="properties">
-        <ParamField query="plaintext" type="string">
-            The plaintext you want to encrypt.
-        </ParamField>
-        <ParamField query="key" type="string" required>
-            The symmetric key to use for encryption.
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="plaintext" type="string">
+			The plaintext you want to encrypt.
+		</ParamField>
+		<ParamField query="key" type="string" required>
+			The symmetric key to use for encryption.
+		</ParamField>
+	</Expandable>
 </ParamField>

 #### Returns (object)
-`tag` (string): A base64-encoded, 128-bit authentication tag.
-`iv` (string): A base64-encoded, 96-bit initialization vector.
-`ciphertext` (string): A base64-encoded, encrypted ciphertext.
+
+`tag` (string): A base64-encoded, 128-bit authentication tag. `iv` (string): A base64-encoded, 96-bit initialization vector. `ciphertext` (string): A base64-encoded, encrypted ciphertext.

 ### Decrypt symmetric
+
 ```py
 decryptOptions = DecryptSymmetricOptions(
    ciphertext=encryptedData.ciphertext,
@@ -344,22 +505,24 @@ decryptedString = client.decryptSymmetric(decryptOptions)
 ```

 #### Parameters
+
 <ParamField query="Parameters" type="object" required>
-    <Expandable title="properties">
-        <ParamField query="ciphertext" type="string">
-            The ciphertext you want to decrypt.
-        </ParamField>
-        <ParamField query="key" type="string" required>
-            The symmetric key to use for encryption.
-        </ParamField>
-        <ParamField query="iv" type="string" required>
-            The initialization vector to use for decryption.
-        </ParamField>
-        <ParamField query="tag" type="string" required>
-            The authentication tag to use for decryption.
-        </ParamField>
-    </Expandable>
+	<Expandable title="properties">
+		<ParamField query="ciphertext" type="string">
+			The ciphertext you want to decrypt.
+		</ParamField>
+		<ParamField query="key" type="string" required>
+			The symmetric key to use for encryption.
+		</ParamField>
+		<ParamField query="iv" type="string" required>
+			The initialization vector to use for decryption.
+		</ParamField>
+		<ParamField query="tag" type="string" required>
+			The authentication tag to use for decryption.
+		</ParamField>
+	</Expandable>
 </ParamField>

 #### Returns (string)
+
 `plaintext` (string): The decrypted plaintext.
--- a/docs/style.css
+++ b/docs/style.css
@@ -1,7 +1,7 @@
 #navbar .max-w-8xl {
  max-width: 100%;
  border-bottom: 1px solid #ebebeb;
-  background-color: #fcfcfc;
+  background-color: #F4F3EF;
 }

 .max-w-8xl {
@@ -14,7 +14,7 @@
  padding-right: 30px;
  border-right: 1px;
  border-color: #cdd64b;
-  background-color: #fcfcfc;
+  background-color: #F4F3EF;
  border-right: 1px solid #ebebeb;
 }

@@ -27,6 +27,13 @@
  padding: 5px;
 }

+#sidebar li > a.text-primary {
+  border-radius: 0;
+  background-color: #FBFFCC;
+  border-left: 4px solid #EFFF33;
+  padding: 5px;
+}
+
 #sidebar li > a.mt-2 {
  border-radius: 0;
  padding: 5px;
@@ -49,10 +56,10 @@
 } */

 #header {
-  border-left: 1px solid #26272b;
+  border-left: 4px solid #EFFF33;
  padding-left: 16px;
  padding-right: 16px;
-  background-color: #f5f5f5;
+  background-color: #FDFFE5;
  padding-bottom: 10px;
  padding-top: 10px;
 }
@@ -60,9 +67,17 @@
 #content-area .mt-8 .block{
  border-radius: 0;
  border-width: 1px;
+  background-color: #FCFBFA;
  border-color: #ebebeb;
 }

+/* #content-area:hover .mt-8 .block:hover{
+  border-radius: 0;
+  border-width: 1px;
+  background-color: #FDFFE5;
+  border-color: #EFFF33;
+} */
+
 #content-area .mt-8 .rounded-xl{
  border-radius: 0;
 }
--- a/frontend/src/helpers/secret.ts
+++ b/frontend/src/helpers/secret.ts
@@ -0,0 +1,175 @@
+import path from "path";
+
+import { decryptSymmetric } from "@app/components/utilities/cryptography/crypto";
+import { fetchProjectEncryptedSecrets } from "@app/hooks/api/secrets/queries";
+
+const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
+export const interpolateSecrets = ({
+  projectId,
+  secretEncKey
+}: {
+  projectId: string;
+  secretEncKey: string;
+}) => {
+  const fetchSecretsCrossEnv = () => {
+    const fetchCache: Record<string, Record<string, string>> = {};
+
+    return async (secRefEnv: string, secRefPath: string[], secRefKey: string) => {
+      const secRefPathUrl = path.join("/", ...secRefPath);
+      const uniqKey = `${secRefEnv}-${secRefPathUrl}`;
+
+      if (fetchCache?.[uniqKey]) {
+        return fetchCache[uniqKey][secRefKey];
+      }
+
+      // get secrets by projectId, env, path
+      const encryptedSecrets = await fetchProjectEncryptedSecrets({
+        workspaceId: projectId,
+        environment: secRefEnv,
+        secretPath: secRefPathUrl
+      });
+
+      const decryptedSec = encryptedSecrets.reduce<Record<string, string>>((prev, secret) => {
+        const secretKey = decryptSymmetric({
+          ciphertext: secret.secretKeyCiphertext,
+          iv: secret.secretKeyIV,
+          tag: secret.secretKeyTag,
+          key: secretEncKey
+        });
+        const secretValue = decryptSymmetric({
+          ciphertext: secret.secretValueCiphertext,
+          iv: secret.secretValueIV,
+          tag: secret.secretValueTag,
+          key: secretEncKey
+        });
+
+        // eslint-disable-next-line
+        prev[secretKey] = secretValue;
+        return prev;
+      }, {});
+
+      fetchCache[uniqKey] = decryptedSec;
+
+      return fetchCache[uniqKey][secRefKey];
+    };
+  };
+
+  const recursivelyExpandSecret = async (
+    expandedSec: Record<string, string>,
+    interpolatedSec: Record<string, string>,
+    fetchCrossEnv: (env: string, secPath: string[], secKey: string) => Promise<string>,
+    recursionChainBreaker: Record<string, boolean>,
+    key: string
+  ) => {
+    if (expandedSec?.[key] !== undefined) {
+      return expandedSec[key];
+    }
+    if (recursionChainBreaker?.[key]) {
+      return "";
+    }
+    // eslint-disable-next-line
+    recursionChainBreaker[key] = true;
+
+    let interpolatedValue = interpolatedSec[key];
+    if (!interpolatedValue) {
+      // eslint-disable-next-line no-console
+      console.error(`Couldn't find referenced value - ${key}`);
+      return "";
+    }
+
+    const refs = interpolatedValue.match(INTERPOLATION_SYNTAX_REG);
+    if (refs) {
+      await Promise.all(
+        refs.map(async (interpolationSyntax) => {
+          const interpolationKey = interpolationSyntax.slice(2, interpolationSyntax.length - 1);
+          const entities = interpolationKey.trim().split(".");
+
+          if (entities.length === 1) {
+            const val = await recursivelyExpandSecret(
+              expandedSec,
+              interpolatedSec,
+              fetchCrossEnv,
+              recursionChainBreaker,
+              interpolationKey
+            );
+            if (val) {
+              interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
+            }
+            return;
+          }
+
+          if (entities.length > 1) {
+            const secRefEnv = entities[0];
+            const secRefPath = entities.slice(1, entities.length - 1);
+            const secRefKey = entities[entities.length - 1];
+
+            const val = await fetchCrossEnv(secRefEnv, secRefPath, secRefKey);
+            if (val) {
+              interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
+            }
+          }
+        })
+      );
+    }
+
+    // eslint-disable-next-line
+    expandedSec[key] = interpolatedValue;
+    return interpolatedValue;
+  };
+
+  // used to convert multi line ones to quotes ones with \n
+  const formatMultiValueEnv = (val?: string) => {
+    if (!val) return "";
+    if (!val.match("\n")) return val;
+    return `"${val.replace(/\n/g, "\\n")}"`;
+  };
+
+  const expandSecrets = async (
+    secrets: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>
+  ) => {
+    const expandedSec: Record<string, string> = {};
+    const interpolatedSec: Record<string, string> = {};
+
+    const crossSecEnvFetch = fetchSecretsCrossEnv();
+
+    Object.keys(secrets).forEach((key) => {
+      if (secrets[key].value.match(INTERPOLATION_SYNTAX_REG)) {
+        interpolatedSec[key] = secrets[key].value;
+      } else {
+        expandedSec[key] = secrets[key].value;
+      }
+    });
+
+    await Promise.all(
+      Object.keys(secrets).map(async (key) => {
+        if (expandedSec?.[key]) {
+          // should not do multi line encoding if user has set it to skip
+          // eslint-disable-next-line
+          secrets[key].value = secrets[key].skipMultilineEncoding
+            ? expandedSec[key]
+            : formatMultiValueEnv(expandedSec[key]);
+          return;
+        }
+
+        // this is to avoid recursion loop. So the graph should be direct graph rather than cyclic
+        // so for any recursion building if there is an entity two times same key meaning it will be looped
+        const recursionChainBreaker: Record<string, boolean> = {};
+        const expandedVal = await recursivelyExpandSecret(
+          expandedSec,
+          interpolatedSec,
+          crossSecEnvFetch,
+          recursionChainBreaker,
+          key
+        );
+
+        // eslint-disable-next-line
+        secrets[key].value = secrets[key].skipMultilineEncoding
+          ? expandedVal
+          : formatMultiValueEnv(expandedVal);
+      })
+    );
+
+    return secrets;
+  };
+  return expandSecrets;
+};
--- a/frontend/src/hooks/api/identities/constants.tsx
+++ b/frontend/src/hooks/api/identities/constants.tsx
@@ -4,5 +4,6 @@ export const identityAuthToNameMap: { [I in IdentityAuthMethod]: string } = {
  [IdentityAuthMethod.UNIVERSAL_AUTH]: "Universal Auth",
  [IdentityAuthMethod.KUBERNETES_AUTH]: "Kubernetes Auth",
  [IdentityAuthMethod.GCP_AUTH]: "GCP Auth",
-  [IdentityAuthMethod.AWS_AUTH]: "AWS Auth"
+  [IdentityAuthMethod.AWS_AUTH]: "AWS Auth",
+  [IdentityAuthMethod.AZURE_AUTH]: "Azure Auth"
 };
--- a/frontend/src/hooks/api/identities/enums.tsx
+++ b/frontend/src/hooks/api/identities/enums.tsx
@@ -2,5 +2,6 @@ export enum IdentityAuthMethod {
  UNIVERSAL_AUTH = "universal-auth",
  KUBERNETES_AUTH = "kubernetes-auth",
  GCP_AUTH = "gcp-auth",
-  AWS_AUTH = "aws-auth"
+  AWS_AUTH = "aws-auth",
+  AZURE_AUTH = "azure-auth"
 }
--- a/frontend/src/hooks/api/identities/index.tsx
+++ b/frontend/src/hooks/api/identities/index.tsx
@@ -2,6 +2,7 @@ export { identityAuthToNameMap } from "./constants";
 export { IdentityAuthMethod } from "./enums";
 export {
  useAddIdentityAwsAuth,
+  useAddIdentityAzureAuth,
  useAddIdentityGcpAuth,
  useAddIdentityKubernetesAuth,
  useAddIdentityUniversalAuth,
@@ -11,11 +12,14 @@ export {
  useRevokeIdentityUniversalAuthClientSecret,
  useUpdateIdentity,
  useUpdateIdentityAwsAuth,
+  useUpdateIdentityAzureAuth,
  useUpdateIdentityGcpAuth,
  useUpdateIdentityKubernetesAuth,
-  useUpdateIdentityUniversalAuth} from "./mutations";
+  useUpdateIdentityUniversalAuth
+} from "./mutations";
 export {
  useGetIdentityAwsAuth,
+  useGetIdentityAzureAuth,
  useGetIdentityGcpAuth,
  useGetIdentityKubernetesAuth,
  useGetIdentityUniversalAuth,
--- a/frontend/src/hooks/api/identities/mutations.tsx
+++ b/frontend/src/hooks/api/identities/mutations.tsx
@@ -6,6 +6,7 @@ import { organizationKeys } from "../organization/queries";
 import { identitiesKeys } from "./queries";
 import {
  AddIdentityAwsAuthDTO,
+  AddIdentityAzureAuthDTO,
  AddIdentityGcpAuthDTO,
  AddIdentityKubernetesAuthDTO,
  AddIdentityUniversalAuthDTO,
@@ -17,14 +18,17 @@ import {
  DeleteIdentityUniversalAuthClientSecretDTO,
  Identity,
  IdentityAwsAuth,
+  IdentityAzureAuth,
  IdentityGcpAuth,
  IdentityKubernetesAuth,
  IdentityUniversalAuth,
  UpdateIdentityAwsAuthDTO,
+  UpdateIdentityAzureAuthDTO,
  UpdateIdentityDTO,
  UpdateIdentityGcpAuthDTO,
  UpdateIdentityKubernetesAuthDTO,
-  UpdateIdentityUniversalAuthDTO} from "./types";
+  UpdateIdentityUniversalAuthDTO
+} from "./types";

 export const useCreateIdentity = () => {
  const queryClient = useQueryClient();
@@ -326,7 +330,41 @@ export const useUpdateIdentityAwsAuth = () => {
  });
 };

-// --- K8s auth (TODO: add cert and token reviewer JWT fields)
+export const useAddIdentityAzureAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityAzureAuth, {}, AddIdentityAzureAuthDTO>({
+    mutationFn: async ({
+      identityId,
+      tenantId,
+      resource,
+      allowedServicePrincipalIds,
+      accessTokenTTL,
+      accessTokenMaxTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps
+    }) => {
+      const {
+        data: { identityAzureAuth }
+      } = await apiRequest.post<{ identityAzureAuth: IdentityAzureAuth }>(
+        `/api/v1/auth/azure-auth/identities/${identityId}`,
+        {
+          tenantId,
+          resource,
+          allowedServicePrincipalIds,
+          accessTokenTTL,
+          accessTokenMaxTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps
+        }
+      );
+
+      return identityAzureAuth;
+    },
+    onSuccess: (_, { organizationId }) => {
+      queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+    }
+  });
+};

 export const useAddIdentityKubernetesAuth = () => {
  const queryClient = useQueryClient();
@@ -370,6 +408,42 @@ export const useAddIdentityKubernetesAuth = () => {
  });
 };

+export const useUpdateIdentityAzureAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityAzureAuth, {}, UpdateIdentityAzureAuthDTO>({
+    mutationFn: async ({
+      identityId,
+      tenantId,
+      resource,
+      allowedServicePrincipalIds,
+      accessTokenTTL,
+      accessTokenMaxTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps
+    }) => {
+      const {
+        data: { identityAzureAuth }
+      } = await apiRequest.patch<{ identityAzureAuth: IdentityAzureAuth }>(
+        `/api/v1/auth/azure-auth/identities/${identityId}`,
+        {
+          tenantId,
+          resource,
+          allowedServicePrincipalIds,
+          accessTokenTTL,
+          accessTokenMaxTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps
+        }
+      );
+
+      return identityAzureAuth;
+    },
+    onSuccess: (_, { organizationId }) => {
+      queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+    }
+  });
+};
+
 export const useUpdateIdentityKubernetesAuth = () => {
  const queryClient = useQueryClient();
  return useMutation<IdentityKubernetesAuth, {}, UpdateIdentityKubernetesAuthDTO>({
@@ -403,6 +477,7 @@ export const useUpdateIdentityKubernetesAuth = () => {
          accessTokenTrustedIps
        }
      );
+
      return identityKubernetesAuth;
    },
    onSuccess: (_, { organizationId }) => {
--- a/frontend/src/hooks/api/identities/queries.tsx
+++ b/frontend/src/hooks/api/identities/queries.tsx
@@ -5,10 +5,10 @@ import { apiRequest } from "@app/config/request";
 import {
  ClientSecretData,
  IdentityAwsAuth,
+  IdentityAzureAuth,
  IdentityGcpAuth,
  IdentityKubernetesAuth,
-  IdentityUniversalAuth
-} from "./types";
+  IdentityUniversalAuth} from "./types";

 export const identitiesKeys = {
  getIdentityUniversalAuth: (identityId: string) =>
@@ -18,7 +18,8 @@ export const identitiesKeys = {
  getIdentityKubernetesAuth: (identityId: string) =>
    [{ identityId }, "identity-kubernetes-auth"] as const,
  getIdentityGcpAuth: (identityId: string) => [{ identityId }, "identity-gcp-auth"] as const,
-  getIdentityAwsAuth: (identityId: string) => [{ identityId }, "identity-aws-auth"] as const
+  getIdentityAwsAuth: (identityId: string) => [{ identityId }, "identity-aws-auth"] as const,
+  getIdentityAzureAuth: (identityId: string) => [{ identityId }, "identity-azure-auth"] as const
 };

 export const useGetIdentityUniversalAuth = (identityId: string) => {
@@ -81,6 +82,21 @@ export const useGetIdentityAwsAuth = (identityId: string) => {
  });
 };

+export const useGetIdentityAzureAuth = (identityId: string) => {
+  return useQuery({
+    enabled: Boolean(identityId),
+    queryKey: identitiesKeys.getIdentityAzureAuth(identityId),
+    queryFn: async () => {
+      const {
+        data: { identityAzureAuth }
+      } = await apiRequest.get<{ identityAzureAuth: IdentityAzureAuth }>(
+        `/api/v1/auth/azure-auth/identities/${identityId}`
+      );
+      return identityAzureAuth;
+    }
+  });
+};
+
 export const useGetIdentityKubernetesAuth = (identityId: string) => {
  return useQuery({
    enabled: Boolean(identityId),
--- a/frontend/src/hooks/api/identities/types.ts
+++ b/frontend/src/hooks/api/identities/types.ts
@@ -195,6 +195,45 @@ export type UpdateIdentityAwsAuthDTO = {
  }[];
 };

+export type IdentityAzureAuth = {
+  identityId: string;
+  tenantId: string;
+  resource: string;
+  allowedServicePrincipalIds: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: IdentityTrustedIp[];
+};
+
+export type AddIdentityAzureAuthDTO = {
+  organizationId: string;
+  identityId: string;
+  tenantId: string;
+  resource: string;
+  allowedServicePrincipalIds: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: {
+    ipAddress: string;
+  }[];
+};
+
+export type UpdateIdentityAzureAuthDTO = {
+  organizationId: string;
+  identityId: string;
+  tenantId?: string;
+  resource?: string;
+  allowedServicePrincipalIds?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: {
+    ipAddress: string;
+  }[];
+};
+
 export type IdentityKubernetesAuth = {
  identityId: string;
  kubernetesHost: string;
--- a/frontend/src/hooks/api/integrationAuth/types.ts
+++ b/frontend/src/hooks/api/integrationAuth/types.ts
@@ -30,7 +30,7 @@ export type HerokuPipelineCoupling = {

 export type Team = {
  name: string;
-  teamId: string;
+  id: string;
 };

 export type Environment = {
--- a/frontend/src/hooks/api/secrets/queries.tsx
+++ b/frontend/src/hooks/api/secrets/queries.tsx
@@ -98,7 +98,7 @@ export const decryptSecrets = (
  return secrets;
 };

-const fetchProjectEncryptedSecrets = async ({
+export const fetchProjectEncryptedSecrets = async ({
  workspaceId,
  environment,
  secretPath
--- a/frontend/src/pages/integrations/gitlab/create.tsx
+++ b/frontend/src/pages/integrations/gitlab/create.tsx
@@ -121,7 +121,7 @@ export default function GitLabCreateIntegrationPage() {
      if (integrationAuthTeams) {
        if (integrationAuthTeams.length > 0) {
          // case: user is part of at least 1 group in GitLab
-          setValue("targetTeamId", String(integrationAuthTeams[0].teamId));
+          setValue("targetTeamId", String(integrationAuthTeams[0].id));
        } else {
          // case: user is not part of any groups in GitLab
          setValue("targetTeamId", "none");
@@ -312,8 +312,8 @@ export default function GitLabCreateIntegrationPage() {
                        {integrationAuthTeams.length > 0 ? (
                          integrationAuthTeams.map((integrationAuthTeam) => (
                            <SelectItem
-                              value={String(integrationAuthTeam.teamId as string)}
-                              key={`target-team-${String(integrationAuthTeam.teamId)}`}
+                              value={String(integrationAuthTeam.id as string)}
+                              key={`target-team-${String(integrationAuthTeam.id)}`}
                            >
                              {integrationAuthTeam.name}
                            </SelectItem>
--- a/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAuthMethodModal.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAuthMethodModal.tsx
@@ -15,6 +15,7 @@ import { IdentityAuthMethod } from "@app/hooks/api/identities";
 import { UsePopUpState } from "@app/hooks/usePopUp";

 import { IdentityAwsAuthForm } from "./IdentityAwsAuthForm";
+import { IdentityAzureAuthForm } from "./IdentityAzureAuthForm";
 import { IdentityGcpAuthForm } from "./IdentityGcpAuthForm";
 import { IdentityKubernetesAuthForm } from "./IdentityKubernetesAuthForm";
 import { IdentityUniversalAuthForm } from "./IdentityUniversalAuthForm";
@@ -32,7 +33,8 @@ const identityAuthMethods = [
  { label: "Universal Auth", value: IdentityAuthMethod.UNIVERSAL_AUTH },
  { label: "Kubernetes Auth", value: IdentityAuthMethod.KUBERNETES_AUTH },
  { label: "GCP Auth", value: IdentityAuthMethod.GCP_AUTH },
-  { label: "AWS Auth", value: IdentityAuthMethod.AWS_AUTH }
+  { label: "AWS Auth", value: IdentityAuthMethod.AWS_AUTH },
+  { label: "Azure Auth", value: IdentityAuthMethod.AZURE_AUTH }
 ];

 const schema = yup
@@ -97,6 +99,15 @@ export const IdentityAuthMethodModal = ({ popUp, handlePopUpOpen, handlePopUpTog
          />
        );
      }
+      case IdentityAuthMethod.AZURE_AUTH: {
+        return (
+          <IdentityAzureAuthForm
+            handlePopUpOpen={handlePopUpOpen}
+            handlePopUpToggle={handlePopUpToggle}
+            identityAuthMethodData={identityAuthMethodData}
+          />
+        );
+      }
      case IdentityAuthMethod.UNIVERSAL_AUTH: {
        return (
          <IdentityUniversalAuthForm
--- a/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAzureAuthForm.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAzureAuthForm.tsx
@@ -0,0 +1,350 @@
+import { useEffect } from "react";
+import { Controller, useFieldArray, useForm } from "react-hook-form";
+import { faPlus, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, IconButton, Input } from "@app/components/v2";
+import { useOrganization, useSubscription } from "@app/context";
+import {
+  useAddIdentityAzureAuth,
+  useGetIdentityAzureAuth,
+  useUpdateIdentityAzureAuth
+} from "@app/hooks/api";
+import { IdentityAuthMethod } from "@app/hooks/api/identities";
+import { IdentityTrustedIp } from "@app/hooks/api/identities/types";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+const schema = z
+  .object({
+    tenantId: z.string(),
+    resource: z.string(),
+    allowedServicePrincipalIds: z.string(),
+    accessTokenTTL: z.string(),
+    accessTokenMaxTTL: z.string(),
+    accessTokenNumUsesLimit: z.string(),
+    accessTokenTrustedIps: z
+      .array(
+        z.object({
+          ipAddress: z.string().max(50)
+        })
+      )
+      .min(1)
+  })
+  .required();
+
+export type FormData = z.infer<typeof schema>;
+
+type Props = {
+  handlePopUpOpen: (popUpName: keyof UsePopUpState<["upgradePlan"]>) => void;
+  handlePopUpToggle: (
+    popUpName: keyof UsePopUpState<["identityAuthMethod"]>,
+    state?: boolean
+  ) => void;
+  identityAuthMethodData: {
+    identityId: string;
+    name: string;
+    authMethod?: IdentityAuthMethod;
+  };
+};
+
+export const IdentityAzureAuthForm = ({
+  handlePopUpOpen,
+  handlePopUpToggle,
+  identityAuthMethodData
+}: Props) => {
+  const { currentOrg } = useOrganization();
+  const orgId = currentOrg?.id || "";
+  const { subscription } = useSubscription();
+
+  const { mutateAsync: addMutateAsync } = useAddIdentityAzureAuth();
+  const { mutateAsync: updateMutateAsync } = useUpdateIdentityAzureAuth();
+
+  const { data } = useGetIdentityAzureAuth(identityAuthMethodData?.identityId ?? "");
+
+  const {
+    control,
+    handleSubmit,
+    reset,
+    formState: { isSubmitting }
+  } = useForm<FormData>({
+    resolver: zodResolver(schema),
+    defaultValues: {
+      tenantId: "",
+      resource: "https://management.azure.com/",
+      allowedServicePrincipalIds: "",
+      accessTokenTTL: "2592000",
+      accessTokenMaxTTL: "2592000",
+      accessTokenNumUsesLimit: "0",
+      accessTokenTrustedIps: [{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]
+    }
+  });
+
+  const {
+    fields: accessTokenTrustedIpsFields,
+    append: appendAccessTokenTrustedIp,
+    remove: removeAccessTokenTrustedIp
+  } = useFieldArray({ control, name: "accessTokenTrustedIps" });
+
+  useEffect(() => {
+    if (data) {
+      reset({
+        tenantId: data.tenantId,
+        resource: data.resource,
+        allowedServicePrincipalIds: data.allowedServicePrincipalIds,
+        accessTokenTTL: String(data.accessTokenTTL),
+        accessTokenMaxTTL: String(data.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: String(data.accessTokenNumUsesLimit),
+        accessTokenTrustedIps: data.accessTokenTrustedIps.map(
+          ({ ipAddress, prefix }: IdentityTrustedIp) => {
+            return {
+              ipAddress: `${ipAddress}${prefix !== undefined ? `/${prefix}` : ""}`
+            };
+          }
+        )
+      });
+    } else {
+      reset({
+        tenantId: "",
+        resource: "https://management.azure.com/",
+        allowedServicePrincipalIds: "",
+        accessTokenTTL: "2592000",
+        accessTokenMaxTTL: "2592000",
+        accessTokenNumUsesLimit: "0",
+        accessTokenTrustedIps: [{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]
+      });
+    }
+  }, [data]);
+
+  const onFormSubmit = async ({
+    tenantId,
+    resource,
+    allowedServicePrincipalIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps
+  }: FormData) => {
+    try {
+      if (!identityAuthMethodData) return;
+
+      if (data) {
+        await updateMutateAsync({
+          organizationId: orgId,
+          identityId: identityAuthMethodData.identityId,
+          tenantId,
+          resource,
+          allowedServicePrincipalIds,
+          accessTokenTTL: Number(accessTokenTTL),
+          accessTokenMaxTTL: Number(accessTokenMaxTTL),
+          accessTokenNumUsesLimit: Number(accessTokenNumUsesLimit),
+          accessTokenTrustedIps
+        });
+      } else {
+        await addMutateAsync({
+          organizationId: orgId,
+          identityId: identityAuthMethodData.identityId,
+          tenantId: tenantId || "",
+          resource: resource || "",
+          allowedServicePrincipalIds: allowedServicePrincipalIds || "",
+          accessTokenTTL: Number(accessTokenTTL),
+          accessTokenMaxTTL: Number(accessTokenMaxTTL),
+          accessTokenNumUsesLimit: Number(accessTokenNumUsesLimit),
+          accessTokenTrustedIps
+        });
+      }
+
+      handlePopUpToggle("identityAuthMethod", false);
+
+      createNotification({
+        text: `Successfully ${
+          identityAuthMethodData?.authMethod ? "updated" : "configured"
+        } auth method`,
+        type: "success"
+      });
+
+      reset();
+    } catch (err) {
+      createNotification({
+        text: `Failed to ${identityAuthMethodData?.authMethod ? "update" : "configure"} identity`,
+        type: "error"
+      });
+    }
+  };
+
+  return (
+    <form onSubmit={handleSubmit(onFormSubmit)}>
+      <Controller
+        control={control}
+        defaultValue="2592000"
+        name="tenantId"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Tenant ID"
+            isError={Boolean(error)}
+            errorText={error?.message}
+            isRequired
+          >
+            <Input {...field} placeholder="00000000-0000-0000-0000-000000000000" type="text" />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        name="resource"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Resource / Audience"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="https://management.azure.com/" />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        name="allowedServicePrincipalIds"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Allowed Service Principal IDs"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="00000000-0000-0000-0000-000000000000, ..." />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        defaultValue="2592000"
+        name="accessTokenTTL"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Access Token TTL (seconds)"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="2592000" type="number" min="1" step="1" />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        defaultValue="2592000"
+        name="accessTokenMaxTTL"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Access Token Max TTL (seconds)"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="2592000" type="number" min="1" step="1" />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        defaultValue="0"
+        name="accessTokenNumUsesLimit"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Access Token Max Number of Uses"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="0" type="number" min="0" step="1" />
+          </FormControl>
+        )}
+      />
+      {accessTokenTrustedIpsFields.map(({ id }, index) => (
+        <div className="mb-3 flex items-end space-x-2" key={id}>
+          <Controller
+            control={control}
+            name={`accessTokenTrustedIps.${index}.ipAddress`}
+            defaultValue="0.0.0.0/0"
+            render={({ field, fieldState: { error } }) => {
+              return (
+                <FormControl
+                  className="mb-0 flex-grow"
+                  label={index === 0 ? "Access Token Trusted IPs" : undefined}
+                  isError={Boolean(error)}
+                  errorText={error?.message}
+                >
+                  <Input
+                    value={field.value}
+                    onChange={(e) => {
+                      if (subscription?.ipAllowlisting) {
+                        field.onChange(e);
+                        return;
+                      }
+
+                      handlePopUpOpen("upgradePlan");
+                    }}
+                    placeholder="123.456.789.0"
+                  />
+                </FormControl>
+              );
+            }}
+          />
+          <IconButton
+            onClick={() => {
+              if (subscription?.ipAllowlisting) {
+                removeAccessTokenTrustedIp(index);
+                return;
+              }
+
+              handlePopUpOpen("upgradePlan");
+            }}
+            size="lg"
+            colorSchema="danger"
+            variant="plain"
+            ariaLabel="update"
+            className="p-3"
+          >
+            <FontAwesomeIcon icon={faXmark} />
+          </IconButton>
+        </div>
+      ))}
+      <div className="my-4 ml-1">
+        <Button
+          variant="outline_bg"
+          onClick={() => {
+            if (subscription?.ipAllowlisting) {
+              appendAccessTokenTrustedIp({
+                ipAddress: "0.0.0.0/0"
+              });
+              return;
+            }
+
+            handlePopUpOpen("upgradePlan");
+          }}
+          leftIcon={<FontAwesomeIcon icon={faPlus} />}
+          size="xs"
+        >
+          Add IP Address
+        </Button>
+      </div>
+      <div className="flex items-center">
+        <Button
+          className="mr-4"
+          size="sm"
+          type="submit"
+          isLoading={isSubmitting}
+          isDisabled={isSubmitting}
+        >
+          {identityAuthMethodData?.authMethod ? "Update" : "Configure"}
+        </Button>
+        <Button
+          colorSchema="secondary"
+          variant="plain"
+          onClick={() => handlePopUpToggle("identityAuthMethod", false)}
+        >
+          {identityAuthMethodData?.authMethod ? "Cancel" : "Skip"}
+        </Button>
+      </div>
+    </form>
+  );
+};
--- a/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityTable.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityTable.tsx
@@ -1,9 +1,22 @@
-import { faKey, faLock, faPencil, faServer, faXmark } from "@fortawesome/free-solid-svg-icons";
+import {
+  faCopy,
+  faEllipsis,
+  faKey,
+  faLock,
+  faPencil,
+  faServer,
+  faXmark
+} from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";

 import { createNotification } from "@app/components/notifications";
 import { OrgPermissionCan } from "@app/components/permissions";
 import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
  EmptyState,
  IconButton,
  Select,
@@ -80,7 +93,6 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
        <THead>
          <Tr>
            <Th>Name</Th>
-            <Th>ID</Th>
            <Th>Role</Th>
            <Th>Auth Method</Th>
            <Th className="w-5" />
@@ -95,7 +107,6 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
              return (
                <Tr className="h-10" key={`identity-${id}`}>
                  <Td>{name}</Td>
-                  <Td>{id}</Td>
                  <Td>
                    <OrgPermissionCan
                      I={OrgPermissionActions.Edit}
@@ -127,7 +138,7 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
                  </Td>
                  <Td>{authMethod ? identityAuthToNameMap[authMethod] : "Not configured"}</Td>
                  <Td>
-                    <div className="flex items-center justify-end">
+                    <div className="flex items-center justify-end space-x-4">
                      {authMethod === IdentityAuthMethod.UNIVERSAL_AUTH && (
                        <Tooltip content="Manage client ID/secrets">
                          <IconButton
@@ -141,7 +152,6 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
                            colorSchema="primary"
                            variant="plain"
                            ariaLabel="update"
-                            // isDisabled={!isAllowed}
                          >
                            <FontAwesomeIcon icon={faKey} />
                          </IconButton>
@@ -165,7 +175,6 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
                              colorSchema="primary"
                              variant="plain"
                              ariaLabel="update"
-                              className="ml-4"
                              isDisabled={!isAllowed}
                            >
                              <FontAwesomeIcon icon={faLock} />
@@ -173,54 +182,78 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
                          </Tooltip>
                        )}
                      </OrgPermissionCan>
-                      <OrgPermissionCan
-                        I={OrgPermissionActions.Edit}
-                        a={OrgPermissionSubjects.Identity}
-                      >
-                        {(isAllowed) => (
-                          <IconButton
-                            onClick={async () => {
-                              handlePopUpOpen("identity", {
-                                identityId: id,
-                                name,
-                                role,
-                                customRole
-                              });
-                            }}
-                            size="lg"
-                            colorSchema="primary"
-                            variant="plain"
-                            ariaLabel="update"
-                            className="ml-4"
-                            isDisabled={!isAllowed}
+                      <DropdownMenu>
+                        <DropdownMenuTrigger asChild className="rounded-lg">
+                          <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
+                            <Tooltip content="More options">
+                              <FontAwesomeIcon size="lg" icon={faEllipsis} />
+                            </Tooltip>
+                          </div>
+                        </DropdownMenuTrigger>
+                        <DropdownMenuContent align="start" className="p-1">
+                          <OrgPermissionCan
+                            I={OrgPermissionActions.Edit}
+                            a={OrgPermissionSubjects.Identity}
                          >
-                            <FontAwesomeIcon icon={faPencil} />
-                          </IconButton>
-                        )}
-                      </OrgPermissionCan>
-                      <OrgPermissionCan
-                        I={OrgPermissionActions.Delete}
-                        a={OrgPermissionSubjects.Identity}
-                      >
-                        {(isAllowed) => (
-                          <IconButton
+                            {(isAllowed) => (
+                              <DropdownMenuItem
+                                className={twMerge(
+                                  !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
+                                )}
+                                onClick={async () => {
+                                  if (!isAllowed) return;
+                                  handlePopUpOpen("identity", {
+                                    identityId: id,
+                                    name,
+                                    role,
+                                    customRole
+                                  });
+                                }}
+                                disabled={!isAllowed}
+                                icon={<FontAwesomeIcon icon={faPencil} />}
+                              >
+                                Update identity
+                              </DropdownMenuItem>
+                            )}
+                          </OrgPermissionCan>
+                          <OrgPermissionCan
+                            I={OrgPermissionActions.Delete}
+                            a={OrgPermissionSubjects.Identity}
+                          >
+                            {(isAllowed) => (
+                              <DropdownMenuItem
+                                className={twMerge(
+                                  isAllowed
+                                    ? "hover:!bg-red-500 hover:!text-white"
+                                    : "pointer-events-none cursor-not-allowed opacity-50"
+                                )}
+                                onClick={() => {
+                                  if (!isAllowed) return;
+                                  handlePopUpOpen("deleteIdentity", {
+                                    identityId: id,
+                                    name
+                                  });
+                                }}
+                                icon={<FontAwesomeIcon icon={faXmark} />}
+                              >
+                                Delete identity
+                              </DropdownMenuItem>
+                            )}
+                          </OrgPermissionCan>
+                          <DropdownMenuItem
                            onClick={() => {
-                              handlePopUpOpen("deleteIdentity", {
-                                identityId: id,
-                                name
+                              navigator.clipboard.writeText(id);
+                              createNotification({
+                                text: "Copied identity internal ID to clipboard",
+                                type: "success"
                              });
                            }}
-                            size="lg"
-                            colorSchema="danger"
-                            variant="plain"
-                            ariaLabel="update"
-                            className="ml-4"
-                            isDisabled={!isAllowed}
+                            icon={<FontAwesomeIcon icon={faCopy} />}
                          >
-                            <FontAwesomeIcon icon={faXmark} />
-                          </IconButton>
-                        )}
-                      </OrgPermissionCan>
+                            Copy Identity ID
+                          </DropdownMenuItem>
+                        </DropdownMenuContent>
+                      </DropdownMenu>
                    </div>
                  </Td>
                </Tr>
--- a/frontend/src/views/SecretMainPage/components/ActionBar/ActionBar.tsx
+++ b/frontend/src/views/SecretMainPage/components/ActionBar/ActionBar.tsx
@@ -23,6 +23,7 @@ import { twMerge } from "tailwind-merge";

 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
+import { decryptAssymmetric } from "@app/components/utilities/cryptography/crypto";
 import {
  Button,
  DeleteActionModal,
@@ -43,8 +44,9 @@ import {
  UpgradePlanModal
 } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub, useSubscription } from "@app/context";
+import { interpolateSecrets } from "@app/helpers/secret";
 import { usePopUp } from "@app/hooks";
-import { useCreateFolder, useDeleteSecretBatch } from "@app/hooks/api";
+import { useCreateFolder, useDeleteSecretBatch, useGetUserWsKey } from "@app/hooks/api";
 import { DecryptedSecret, TImportedSecrets, WsTag } from "@app/hooks/api/types";
 import { debounce } from "@app/lib/fn/debounce";

@@ -112,6 +114,7 @@ export const ActionBar = ({

  const { mutateAsync: createFolder } = useCreateFolder();
  const { mutateAsync: deleteBatchSecretV3 } = useDeleteSecretBatch();
+  const { data: decryptFileKey } = useGetUserWsKey(workspaceId);

  const selectedSecrets = useSelectedSecrets();
  const { reset: resetSelectedSecret } = useSelectedSecretActions();
@@ -144,30 +147,59 @@ export const ActionBar = ({
  const handleSecretDownload = async () => {
    const secPriority: Record<string, boolean> = {};
    const downloadedSecrets: Array<{ key: string; value: string; comment?: string }> = [];
+
+    const PRIVATE_KEY = localStorage.getItem("PRIVATE_KEY") as string;
+    const workspaceKey = decryptAssymmetric({
+      ciphertext: decryptFileKey!.encryptedKey,
+      nonce: decryptFileKey!.nonce,
+      publicKey: decryptFileKey!.sender.publicKey,
+      privateKey: PRIVATE_KEY
+    });
+
+    const expandSecrets = interpolateSecrets({
+      projectId: workspaceId,
+      secretEncKey: workspaceKey
+    });
+
+    const secretRecord: Record<
+      string,
+      { value: string; comment?: string; skipMultilineEncoding?: boolean }
+    > = {};
+
    // load up secrets in dashboard
-    secrets?.forEach(({ key, value, comment }) => {
+    secrets?.forEach(({ key, value, valueOverride, comment }) => {
      secPriority[key] = true;
-      downloadedSecrets.push({ key, value, comment });
+      downloadedSecrets.push({ key, value: valueOverride || value, comment });
    });
    // now load imported secrets with secPriority
    for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
-      importedSecrets[i].secrets.forEach(({ key, value, comment }) => {
+      importedSecrets[i].secrets.forEach(({ key, value, valueOverride, comment }) => {
        if (secPriority?.[key]) return;
-        downloadedSecrets.unshift({ key, value, comment });
+        downloadedSecrets.unshift({ key, value: valueOverride || value, comment });
        secPriority[key] = true;
      });
    }

+    downloadedSecrets.forEach((secret) => {
+      secretRecord[secret.key] = {
+        value: secret.value,
+        comment: secret.comment
+      };
+    });
+
+    await expandSecrets(secretRecord);
+
    const file = downloadedSecrets
      .sort((a, b) => a.key.toLowerCase().localeCompare(b.key.toLowerCase()))
      .reduce(
-        (prev, { key, value, comment }, index) =>
+        (prev, { key, comment }, index) =>
          prev +
          (comment
-            ? `${index === 0 ? "#" : "\n#"} ${comment}\n${key}=${value}\n`
-            : `${key}=${value}\n`),
+            ? `${index === 0 ? "#" : "\n#"} ${comment}\n${key}=${secretRecord[key].value}\n`
+            : `${key}=${secretRecord[key].value}\n`),
        ""
      );
+
    const blob = new Blob([file], { type: "text/plain;charset=utf-8" });
    FileSaver.saveAs(blob, `${environment}.env`);
  };
Author	SHA1	Message	Date
Sheen Capadngan	a618e0ebf2	fix: resolved gitlab integration creation issue regarding groups	2024-05-28 19:43:00 +08:00
Vladyslav Matsiiako	c638caede5	changed sidebar color	2024-05-27 22:32:54 -07:00
Vladyslav Matsiiako	300deb5607	added time off page to company wiki	2024-05-27 22:26:21 -07:00
Vladyslav Matsiiako	1e63604f1e	added more styling to docs	2024-05-27 16:03:42 -07:00
Vladyslav Matsiiako	6ce86c4240	added more styling to docs	2024-05-27 16:00:39 -07:00
Vladyslav Matsiiako	fd65936ae7	Merge branch 'main' of https://github.com/Infisical/infisical	2024-05-27 15:59:14 -07:00
Daniel Hougaard	c894a18797	Merge pull request #1718 from Infisical/daniel/mi-ux-fix-2 Fix: Machine Identities user experience improvement	2024-05-28 00:34:17 +02:00
Vladyslav Matsiiako	c170ba6249	changed docs design	2024-05-27 15:32:56 -07:00
Daniel Hougaard	c344330c93	Merge pull request #1882 from Infisical/daniel/azure-auth-sdk-docs Docs: Azure & Kubernetes auth SDK documentation	2024-05-28 00:18:16 +02:00
Daniel Hougaard	a6dd36f684	Docs: Azure documentation	2024-05-28 00:11:57 +02:00
Daniel Hougaard	eb8acba037	Docs: Azure documentation	2024-05-28 00:11:55 +02:00
Daniel Hougaard	c7a8e1102e	Docs: Azure documentation	2024-05-28 00:11:52 +02:00
Daniel Hougaard	aca71a7b6f	Docs: Azure documentation	2024-05-28 00:11:49 +02:00
Daniel Hougaard	ae075df0ec	Fix: Old docs	2024-05-28 00:11:33 +02:00
Daniel Hougaard	75927f711c	Merge pull request #1863 from Infisical/daniel/auth-sdk-docs Docs: Updated docs to reflect new SDK structure	2024-05-27 23:29:03 +02:00
BlackMagiq	b1b1ce07a3	Merge pull request #1878 from Infisical/create-pull-request/patch-1716795461 GH Action: rename new migration file timestamp	2024-05-27 11:10:48 -07:00
Sheen Capadngan	81f7884d03	Merge pull request #1881 from Infisical/fix/resolved-identity-deletion-issue-across-projects fix: resolved identity deletion issue across projects	2024-05-28 00:28:18 +08:00
Sheen Capadngan	b8c35fbf15	fix: resolved identity deletion issue across projects	2024-05-28 00:13:47 +08:00
Sheen Capadngan	42e73d66fc	Merge pull request #1873 from Infisical/feat/add-personal-overrides-and-secret-reference-to-download-envs feat: added personal overrides and support for secret ref during download	2024-05-27 23:09:59 +08:00
github-actions	fe40e4f475	chore: renamed new migration files to latest timestamp (gh-action)	2024-05-27 07:37:39 +00:00
BlackMagiq	b9782c1a85	Merge pull request #1833 from Infisical/azure-auth Azure Native Authentication Method	2024-05-27 00:37:09 -07:00
Vladyslav Matsiiako	a0be2985dd	Added money page	2024-05-26 22:19:42 -07:00
vmatsiiako	86d16c5b9f	Merge pull request #1877 from Infisical/sheensantoscapadngan-patch-1 Update onboarding.mdx	2024-05-26 22:05:12 -07:00
Sheen Capadngan	c1c1471439	Update onboarding.mdx	2024-05-27 12:28:14 +08:00
Sheen Capadngan	efe10e361f	feat: added personal overrides and support for secret ref to download envs	2024-05-24 22:14:32 +08:00
Daniel Hougaard	3d65d121c0	docs: updated docs to reflect new SDK structure	2024-05-23 04:45:33 +02:00
Tuan Dang	4e06fa3a0c	Move azure auth migration file to front	2024-05-20 21:15:42 -07:00
Tuan Dang	0f827fc31a	Merge remote-tracking branch 'origin' into azure-auth	2024-05-20 21:14:30 -07:00
Tuan Dang	7189544705	Merge branch 'azure-auth' of https://github.com/Infisical/infisical into azure-auth	2024-05-20 08:41:19 -07:00
Tuan Dang	a724ab101c	Fix identities docs markings	2024-05-20 08:39:10 -07:00
Tuan Dang	dea67e3cb0	Update azure auth based on review	2024-05-19 22:24:26 -07:00
Tuan Dang	ce66cccd8b	Fix merge conflicts	2024-05-19 22:19:49 -07:00
Daniel Hougaard	91eda2419a	Update machine-identities.mdx	2024-05-20 00:32:10 +02:00
Tuan Dang	b350eef2b9	Add access token trusted ip support for azure auth	2024-05-17 15:43:12 -07:00
Tuan Dang	85725215f2	Merge remote-tracking branch 'origin' into azure-auth	2024-05-17 15:41:58 -07:00
Tuan Dang	9c0a1b7089	Merge remote-tracking branch 'origin' into azure-auth	2024-05-15 23:23:50 -07:00
Tuan Dang	9352e8bca0	Add docs for Azure auth	2024-05-15 23:13:19 -07:00
Tuan Dang	265932df20	Finish preliminary azure auth method	2024-05-15 16:30:42 -07:00
vmatsiiako	f23056bcbc	Update IdentityTable.tsx	2024-05-08 09:20:30 -07:00
Daniel Hougaard	fdf5fcad0a	Update IdentityTable.tsx	2024-04-22 23:09:46 +02:00
Daniel Hougaard	a85c59e3e2	Fix: Improve user experience for machine identities	2024-04-22 22:00:37 +02:00