feat: reptile review feedback

feat: added api document for project router get id from slug
Merge pull request #4338 from Infisical/secrets-mgmt-docs
2025-08-14 08:08:30 +00:00 · 2025-08-13 02:34:03 +05:30 · 2025-08-13 02:27:12 +05:30 · 2025-08-10 12:27:45 +07:00 · 2025-08-08 17:06:28 -07:00 · 2025-08-08 21:02:00 -03:00
421 changed files with 14428 additions and 9794 deletions
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@@ -1,123 +0,0 @@
-name: Release production images (frontend, backend)
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
-      - "!infisical/v*.*.*-postgres"
-
-jobs:
-  backend-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: backend
-          tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
-      - name: ⏻ Spawn backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      - name: 🧪 Test backend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-backend-test
-      - name: ⏻ Shut down backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-
-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
-          context: frontend
-          tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/nightly-tag-generation.yml
+++ b/.github/workflows/nightly-tag-generation.yml
@@ -0,0 +1,82 @@
+name: Generate Nightly Tag
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering for testing
+
+permissions:
+  contents: write
+
+jobs:
+  create-nightly-tag:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for tags
+          token: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+      
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      
+      - name: Generate nightly tag
+        run: |
+          # Get the latest infisical production tag
+          LATEST_STABLE_TAG=$(git tag --list | grep "^v[0-9].*$" | grep -v "nightly" | sort -V | tail -n1)
+          
+          if [ -z "$LATEST_STABLE_TAG" ]; then
+            echo "No infisical production tags found, using v0.1.0"
+            LATEST_STABLE_TAG="v0.1.0"
+          fi
+          
+          echo "Latest production tag: $LATEST_STABLE_TAG"
+          
+          # Get current date in YYYYMMDD format
+          DATE=$(date +%Y%m%d)
+          
+          # Base nightly tag name
+          BASE_TAG="${LATEST_STABLE_TAG}-nightly-${DATE}"
+          
+          # Check if this exact tag already exists
+          if git tag --list | grep -q "^${BASE_TAG}$"; then
+            echo "Base tag ${BASE_TAG} already exists, finding next increment"
+            
+            # Find existing tags for this date and get the highest increment
+            EXISTING_TAGS=$(git tag --list | grep "^${BASE_TAG}" | grep -E '\.[0-9]+$' || true)
+            
+            if [ -z "$EXISTING_TAGS" ]; then
+              # No incremental tags exist, create .1
+              NIGHTLY_TAG="${BASE_TAG}.1"
+            else
+              # Find the highest increment
+              HIGHEST_INCREMENT=$(echo "$EXISTING_TAGS" | sed "s|^${BASE_TAG}\.||" | sort -n | tail -n1)
+              NEXT_INCREMENT=$((HIGHEST_INCREMENT + 1))
+              NIGHTLY_TAG="${BASE_TAG}.${NEXT_INCREMENT}"
+            fi
+          else
+            # Base tag doesn't exist, use it
+            NIGHTLY_TAG="$BASE_TAG"
+          fi
+          
+          echo "Generated nightly tag: $NIGHTLY_TAG"
+          echo "NIGHTLY_TAG=$NIGHTLY_TAG" >> $GITHUB_ENV
+          echo "LATEST_PRODUCTION_TAG=$LATEST_STABLE_TAG" >> $GITHUB_ENV
+
+          git tag "$NIGHTLY_TAG"
+          git push origin "$NIGHTLY_TAG"
+          echo "✅ Created and pushed nightly tag: $NIGHTLY_TAG"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ env.NIGHTLY_TAG }}
+          name: ${{ env.NIGHTLY_TAG }}
+          draft: false
+          prerelease: true
+          generate_release_notes: true
+          make_latest: false
--- a/.github/workflows/release-standalone-docker-img-postgres-offical.yml
+++ b/.github/workflows/release-standalone-docker-img-postgres-offical.yml
@@ -2,7 +2,9 @@ name: Release standalone docker image
 on:
    push:
        tags:
-            - "infisical/v*.*.*-postgres"
+            - "v*.*.*"
+            - "v*.*.*-nightly-*"
+            - "v*.*.*-nightly-*.*"

 jobs:
    infisical-tests:
@@ -17,7 +19,7 @@ jobs:
        steps:
            - name: Extract version from tag
              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
@@ -53,7 +55,7 @@ jobs:
                  push: true
                  context: .
                  tags: |
-                      infisical/infisical:latest-postgres
+                      infisical/infisical:latest
                      infisical/infisical:${{ steps.commit.outputs.short }}
                      infisical/infisical:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
@@ -69,7 +71,7 @@ jobs:
        steps:
            - name: Extract version from tag
              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
@@ -105,7 +107,7 @@ jobs:
                  push: true
                  context: .
                  tags: |
-                      infisical/infisical-fips:latest-postgres
+                      infisical/infisical-fips:latest
                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@@ -44,10 +44,7 @@ jobs:

            - name: Generate Helm Chart
              working-directory: k8-operator
-              run: make helm
-
-            - name: Update Helm Chart Version
-              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
+              run: make helm VERSION=${{ steps.extract_version.outputs.version }}

            - name: Debug - Check file changes
              run: |
--- a/backend/scripts/generate-schema-types.ts
+++ b/backend/scripts/generate-schema-types.ts
@@ -99,6 +99,7 @@ const main = async () => {
    (el) =>
      !el.tableName.includes("_migrations") &&
      !el.tableName.includes("audit_logs_") &&
+      !el.tableName.includes("active_locks") &&
      el.tableName !== "intermediate_audit_logs"
  );

--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -18,6 +18,7 @@ import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/extern
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
+import { TIdentityAuthTemplateServiceFactory } from "@app/ee/services/identity-auth-template";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
@@ -300,6 +301,7 @@ declare module "fastify" {
      reminder: TReminderServiceFactory;
      bus: TEventBusService;
      sse: TServerSentEventsService;
+      identityAuthTemplate: TIdentityAuthTemplateServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -494,6 +494,11 @@ import {
  TAccessApprovalPoliciesEnvironmentsInsert,
  TAccessApprovalPoliciesEnvironmentsUpdate
 } from "@app/db/schemas/access-approval-policies-environments";
+import {
+  TIdentityAuthTemplates,
+  TIdentityAuthTemplatesInsert,
+  TIdentityAuthTemplatesUpdate
+} from "@app/db/schemas/identity-auth-templates";
 import {
  TIdentityLdapAuths,
  TIdentityLdapAuthsInsert,
@@ -878,6 +883,11 @@ declare module "knex/types/tables" {
      TIdentityProjectAdditionalPrivilegeInsert,
      TIdentityProjectAdditionalPrivilegeUpdate
    >;
+    [TableName.IdentityAuthTemplate]: KnexOriginal.CompositeTableType<
+      TIdentityAuthTemplates,
+      TIdentityAuthTemplatesInsert,
+      TIdentityAuthTemplatesUpdate
+    >;

    [TableName.AccessApprovalPolicy]: KnexOriginal.CompositeTableType<
      TAccessApprovalPolicies,
--- a/backend/src/db/migrations/20250723220500_remove-srp.ts
+++ b/backend/src/db/migrations/20250723220500_remove-srp.ts
@@ -0,0 +1,18 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.UserEncryptionKey, (table) => {
+    table.text("encryptedPrivateKey").nullable().alter();
+    table.text("publicKey").nullable().alter();
+    table.text("iv").nullable().alter();
+    table.text("tag").nullable().alter();
+    table.text("salt").nullable().alter();
+    table.text("verifier").nullable().alter();
+  });
+}
+
+export async function down(): Promise<void> {
+  // do nothing for now to avoid breaking down migrations
+}
--- a/backend/src/db/migrations/20250801170240_add-identity-auth-template.ts
+++ b/backend/src/db/migrations/20250801170240_add-identity-auth-template.ts
@@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAuthTemplate))) {
+    await knex.schema.createTable(TableName.IdentityAuthTemplate, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.binary("templateFields").notNullable();
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("name", 64).notNullable();
+      t.string("authMethod").notNullable();
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.IdentityAuthTemplate);
+  }
+  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "templateId"))) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.uuid("templateId").nullable();
+      t.foreign("templateId").references("id").inTable(TableName.IdentityAuthTemplate).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "templateId")) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.dropForeign(["templateId"]);
+      t.dropColumn("templateId");
+    });
+  }
+  await knex.schema.dropTableIfExists(TableName.IdentityAuthTemplate);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAuthTemplate);
+}
--- a/backend/src/db/migrations/20250805151349_last-logged-auth-method.ts
+++ b/backend/src/db/migrations/20250805151349_last-logged-auth-method.ts
@@ -0,0 +1,65 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
+  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
+    TableName.IdentityOrgMembership,
+    "lastLoginAuthMethod"
+  );
+  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
+  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
+  if (!lastUserLoggedInAuthMethod || !lastUserLoggedInTime) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      if (!lastUserLoggedInAuthMethod) {
+        t.string("lastLoginAuthMethod").nullable();
+      }
+      if (!lastUserLoggedInTime) {
+        t.datetime("lastLoginTime").nullable();
+      }
+    });
+  }
+
+  if (!lastIdentityLoggedInAuthMethod || !lastIdentityLoggedInTime) {
+    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
+      if (!lastIdentityLoggedInAuthMethod) {
+        t.string("lastLoginAuthMethod").nullable();
+      }
+      if (!lastIdentityLoggedInTime) {
+        t.datetime("lastLoginTime").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
+  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
+    TableName.IdentityOrgMembership,
+    "lastLoginAuthMethod"
+  );
+  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
+  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
+  if (lastUserLoggedInAuthMethod || lastUserLoggedInTime) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      if (lastUserLoggedInAuthMethod) {
+        t.dropColumn("lastLoginAuthMethod");
+      }
+      if (lastUserLoggedInTime) {
+        t.dropColumn("lastLoginTime");
+      }
+    });
+  }
+
+  if (lastIdentityLoggedInAuthMethod || lastIdentityLoggedInTime) {
+    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
+      if (lastIdentityLoggedInAuthMethod) {
+        t.dropColumn("lastLoginAuthMethod");
+      }
+      if (lastIdentityLoggedInTime) {
+        t.dropColumn("lastLoginTime");
+      }
+    });
+  }
+}
--- a/backend/src/db/schemas/identity-auth-templates.ts
+++ b/backend/src/db/schemas/identity-auth-templates.ts
@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAuthTemplatesSchema = z.object({
+  id: z.string().uuid(),
+  templateFields: zodBuffer,
+  orgId: z.string().uuid(),
+  name: z.string(),
+  authMethod: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityAuthTemplates = z.infer<typeof IdentityAuthTemplatesSchema>;
+export type TIdentityAuthTemplatesInsert = Omit<z.input<typeof IdentityAuthTemplatesSchema>, TImmutableDBKeys>;
+export type TIdentityAuthTemplatesUpdate = Partial<Omit<z.input<typeof IdentityAuthTemplatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-ldap-auths.ts
+++ b/backend/src/db/schemas/identity-ldap-auths.ts
@@ -25,7 +25,8 @@ export const IdentityLdapAuthsSchema = z.object({
  allowedFields: z.unknown().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  accessTokenPeriod: z.coerce.number().default(0),
+  templateId: z.string().uuid().nullable().optional()
 });

 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;
--- a/backend/src/db/schemas/identity-org-memberships.ts
+++ b/backend/src/db/schemas/identity-org-memberships.ts
@@ -14,7 +14,9 @@ export const IdentityOrgMembershipsSchema = z.object({
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  lastLoginAuthMethod: z.string().nullable().optional(),
+  lastLoginTime: z.date().nullable().optional()
 });

 export type TIdentityOrgMemberships = z.infer<typeof IdentityOrgMembershipsSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -91,6 +91,7 @@ export enum TableName {
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
+  IdentityAuthTemplate = "identity_auth_templates",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
  ResourceMetadata = "resource_metadata",
--- a/backend/src/db/schemas/org-memberships.ts
+++ b/backend/src/db/schemas/org-memberships.ts
@@ -19,7 +19,9 @@ export const OrgMembershipsSchema = z.object({
  roleId: z.string().uuid().nullable().optional(),
  projectFavorites: z.string().array().nullable().optional(),
  isActive: z.boolean().default(true),
-  lastInvitedAt: z.date().nullable().optional()
+  lastInvitedAt: z.date().nullable().optional(),
+  lastLoginAuthMethod: z.string().nullable().optional(),
+  lastLoginTime: z.date().nullable().optional()
 });

 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
--- a/backend/src/db/schemas/user-encryption-keys.ts
+++ b/backend/src/db/schemas/user-encryption-keys.ts
@@ -15,12 +15,12 @@ export const UserEncryptionKeysSchema = z.object({
  protectedKey: z.string().nullable().optional(),
  protectedKeyIV: z.string().nullable().optional(),
  protectedKeyTag: z.string().nullable().optional(),
-  publicKey: z.string(),
-  encryptedPrivateKey: z.string(),
-  iv: z.string(),
-  tag: z.string(),
-  salt: z.string(),
-  verifier: z.string(),
+  publicKey: z.string().nullable().optional(),
+  encryptedPrivateKey: z.string().nullable().optional(),
+  iv: z.string().nullable().optional(),
+  tag: z.string().nullable().optional(),
+  salt: z.string().nullable().optional(),
+  verifier: z.string().nullable().optional(),
  userId: z.string().uuid(),
  hashedPassword: z.string().nullable().optional(),
  serverEncryptedPrivateKey: z.string().nullable().optional(),
--- a/backend/src/db/seed-data.ts
+++ b/backend/src/db/seed-data.ts
@@ -115,6 +115,10 @@ export const generateUserSrpKeys = async (password: string) => {
 };

 export const getUserPrivateKey = async (password: string, user: TUserEncryptionKeys) => {
+  if (!user.encryptedPrivateKey || !user.iv || !user.tag || !user.salt) {
+    throw new Error("User encrypted private key not found");
+  }
+
  const derivedKey = await argon2.hash(password, {
    salt: Buffer.from(user.salt),
    memoryCost: 65536,
--- a/backend/src/db/seeds/1-user.ts
+++ b/backend/src/db/seeds/1-user.ts
@@ -1,7 +1,7 @@
 import { Knex } from "knex";

-import { crypto } from "@app/lib/crypto";
-import { initLogger } from "@app/lib/logger";
+import { initEnvConfig } from "@app/lib/config/env";
+import { initLogger, logger } from "@app/lib/logger";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { AuthMethod } from "../../services/auth/auth-type";
@@ -17,7 +17,7 @@ export async function seed(knex: Knex): Promise<void> {
  initLogger();

  const superAdminDAL = superAdminDALFactory(knex);
-  await crypto.initialize(superAdminDAL);
+  await initEnvConfig(superAdminDAL, logger);

  await knex(TableName.SuperAdmin).insert([
    // eslint-disable-next-line
@@ -25,6 +25,7 @@ export async function seed(knex: Knex): Promise<void> {
    { id: "00000000-0000-0000-0000-000000000000", initialized: true, allowSignUp: true }
  ]);
  // Inserts seed entries
+
  const [user] = await knex(TableName.Users)
    .insert([
      {
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@@ -1,9 +1,28 @@
 import { Knex } from "knex";

+import { initEnvConfig } from "@app/lib/config/env";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
+import { generateUserSrpKeys } from "@app/lib/crypto/srp";
+import { initLogger, logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { AuthMethod } from "@app/services/auth/auth-type";
+import { assignWorkspaceKeysToMembers, createProjectKey } from "@app/services/project/project-fns";
+import { projectKeyDALFactory } from "@app/services/project-key/project-key-dal";
+import { projectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+import { userDALFactory } from "@app/services/user/user-dal";

-import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
-import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
+import {
+  OrgMembershipRole,
+  OrgMembershipStatus,
+  ProjectMembershipRole,
+  ProjectType,
+  SecretEncryptionAlgo,
+  SecretKeyEncoding,
+  TableName
+} from "../schemas";
+import { seedData1 } from "../seed-data";

 export const DEFAULT_PROJECT_ENVS = [
  { name: "Development", slug: "dev" },
@@ -11,12 +30,159 @@ export const DEFAULT_PROJECT_ENVS = [
  { name: "Production", slug: "prod" }
 ];

+const createUserWithGhostUser = async (
+  orgId: string,
+  projectId: string,
+  userId: string,
+  userOrgMembershipId: string,
+  knex: Knex
+) => {
+  const projectKeyDAL = projectKeyDALFactory(knex);
+  const userDAL = userDALFactory(knex);
+  const projectMembershipDAL = projectMembershipDALFactory(knex);
+  const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(knex);
+
+  const email = `sudo-${alphaNumericNanoId(16)}-${orgId}@infisical.com`; // We add a nanoid because the email is unique. And we have to create a new ghost user each time, so we can have access to the private key.
+
+  const password = crypto.randomBytes(128).toString("hex");
+
+  const [ghostUser] = await knex(TableName.Users)
+    .insert({
+      isGhost: true,
+      authMethods: [AuthMethod.EMAIL],
+      username: email,
+      email,
+      isAccepted: true
+    })
+    .returning("*");
+
+  const encKeys = await generateUserSrpKeys(email, password);
+
+  await knex(TableName.UserEncryptionKey)
+    .insert({ userId: ghostUser.id, encryptionVersion: 2, publicKey: encKeys.publicKey })
+    .onConflict("userId")
+    .merge();
+
+  await knex(TableName.OrgMembership)
+    .insert({
+      orgId,
+      userId: ghostUser.id,
+      role: OrgMembershipRole.Admin,
+      status: OrgMembershipStatus.Accepted,
+      isActive: true
+    })
+    .returning("*");
+
+  const [projectMembership] = await knex(TableName.ProjectMembership)
+    .insert({
+      userId: ghostUser.id,
+      projectId
+    })
+    .returning("*");
+
+  await knex(TableName.ProjectUserMembershipRole).insert({
+    projectMembershipId: projectMembership.id,
+    role: ProjectMembershipRole.Admin
+  });
+
+  const { key: encryptedProjectKey, iv: encryptedProjectKeyIv } = createProjectKey({
+    publicKey: encKeys.publicKey,
+    privateKey: encKeys.plainPrivateKey
+  });
+
+  await knex(TableName.ProjectKeys).insert({
+    projectId,
+    receiverId: ghostUser.id,
+    encryptedKey: encryptedProjectKey,
+    nonce: encryptedProjectKeyIv,
+    senderId: ghostUser.id
+  });
+
+  const { iv, tag, ciphertext, encoding, algorithm } = crypto
+    .encryption()
+    .symmetric()
+    .encryptWithRootEncryptionKey(encKeys.plainPrivateKey);
+
+  await knex(TableName.ProjectBot).insert({
+    name: "Infisical Bot (Ghost)",
+    projectId,
+    tag,
+    iv,
+    encryptedProjectKey,
+    encryptedProjectKeyNonce: encryptedProjectKeyIv,
+    encryptedPrivateKey: ciphertext,
+    isActive: true,
+    publicKey: encKeys.publicKey,
+    senderId: ghostUser.id,
+    algorithm,
+    keyEncoding: encoding
+  });
+
+  const latestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, knex);
+
+  if (!latestKey) {
+    throw new Error("Latest key not found for user");
+  }
+
+  const user = await userDAL.findUserEncKeyByUserId(userId, knex);
+
+  if (!user || !user.publicKey) {
+    throw new Error("User not found");
+  }
+
+  const [projectAdmin] = assignWorkspaceKeysToMembers({
+    decryptKey: latestKey,
+    userPrivateKey: encKeys.plainPrivateKey,
+    members: [
+      {
+        userPublicKey: user.publicKey,
+        orgMembershipId: userOrgMembershipId
+      }
+    ]
+  });
+
+  // Create a membership for the user
+  const userProjectMembership = await projectMembershipDAL.create(
+    {
+      projectId,
+      userId: user.id
+    },
+    knex
+  );
+  await projectUserMembershipRoleDAL.create(
+    { projectMembershipId: userProjectMembership.id, role: ProjectMembershipRole.Admin },
+    knex
+  );
+
+  // Create a project key for the user
+  await projectKeyDAL.create(
+    {
+      encryptedKey: projectAdmin.workspaceEncryptedKey,
+      nonce: projectAdmin.workspaceEncryptedNonce,
+      senderId: ghostUser.id,
+      receiverId: user.id,
+      projectId
+    },
+    knex
+  );
+
+  return {
+    user: ghostUser,
+    keys: encKeys
+  };
+};
+
 export async function seed(knex: Knex): Promise<void> {
  // Deletes ALL existing entries
  await knex(TableName.Project).del();
  await knex(TableName.Environment).del();
  await knex(TableName.SecretFolder).del();

+  initLogger();
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  await initEnvConfig(superAdminDAL, logger);
+
  const [project] = await knex(TableName.Project)
    .insert({
      name: seedData1.project.name,
@@ -29,29 +195,24 @@ export async function seed(knex: Knex): Promise<void> {
    })
    .returning("*");

-  const projectMembership = await knex(TableName.ProjectMembership)
-    .insert({
-      projectId: project.id,
+  const userOrgMembership = await knex(TableName.OrgMembership)
+    .where({
+      orgId: seedData1.organization.id,
      userId: seedData1.id
    })
-    .returning("*");
-  await knex(TableName.ProjectUserMembershipRole).insert({
-    role: ProjectMembershipRole.Admin,
-    projectMembershipId: projectMembership[0].id
-  });
+    .first();

+  if (!userOrgMembership) {
+    throw new Error("User org membership not found");
+  }
  const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();
  if (!user) throw new Error("User not found");

-  const userPrivateKey = await getUserPrivateKey(seedData1.password, user);
-  const projectKey = buildUserProjectKey(userPrivateKey, user.publicKey);
-  await knex(TableName.ProjectKeys).insert({
-    projectId: project.id,
-    nonce: projectKey.nonce,
-    encryptedKey: projectKey.ciphertext,
-    receiverId: seedData1.id,
-    senderId: seedData1.id
-  });
+  if (!user.publicKey) {
+    throw new Error("User public key not found");
+  }
+
+  await createUserWithGhostUser(seedData1.organization.id, project.id, seedData1.id, userOrgMembership.id, knex);

  // create default environments and default folders
  const envs = await knex(TableName.Environment)
--- a/backend/src/db/seeds/5-machine-identity.ts
+++ b/backend/src/db/seeds/5-machine-identity.ts
@@ -1,6 +1,9 @@
 import { Knex } from "knex";

+import { initEnvConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";
@@ -10,6 +13,11 @@ export async function seed(knex: Knex): Promise<void> {
  await knex(TableName.Identity).del();
  await knex(TableName.IdentityOrgMembership).del();

+  initLogger();
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  await initEnvConfig(superAdminDAL, logger);
+
  // Inserts seed entries
  await knex(TableName.Identity).insert([
    {
--- a/backend/src/ee/routes/v1/identity-template-router.ts
+++ b/backend/src/ee/routes/v1/identity-template-router.ts
@@ -0,0 +1,391 @@
+import { z } from "zod";
+
+import { IdentityAuthTemplatesSchema } from "@app/db/schemas/identity-auth-templates";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import {
+  IdentityAuthTemplateMethod,
+  TEMPLATE_SUCCESS_MESSAGES,
+  TEMPLATE_VALIDATION_MESSAGES
+} from "@app/ee/services/identity-auth-template/identity-auth-template-enums";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const ldapTemplateFieldsSchema = z.object({
+  url: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.URL_REQUIRED),
+  bindDN: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.BIND_DN_REQUIRED),
+  bindPass: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.BIND_PASSWORD_REQUIRED),
+  searchBase: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.SEARCH_BASE_REQUIRED),
+  ldapCaCertificate: z.string().trim().optional()
+});
+
+export const registerIdentityTemplateRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Create identity auth template",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        name: z
+          .string()
+          .trim()
+          .min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_REQUIRED)
+          .max(64, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_MAX_LENGTH),
+        authMethod: z.nativeEnum(IdentityAuthTemplateMethod),
+        templateFields: ldapTemplateFieldsSchema
+      }),
+      response: {
+        200: IdentityAuthTemplatesSchema.extend({
+          templateFields: z.record(z.string(), z.unknown())
+        })
+      }
+    },
+    handler: async (req) => {
+      const template = await server.services.identityAuthTemplate.createTemplate({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.body.name,
+        authMethod: req.body.authMethod,
+        templateFields: req.body.templateFields
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_CREATE,
+          metadata: {
+            templateId: template.id,
+            name: template.name
+          }
+        }
+      });
+
+      return template;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:templateId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Update identity auth template",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        templateId: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_ID_REQUIRED)
+      }),
+      body: z.object({
+        name: z
+          .string()
+          .trim()
+          .min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_REQUIRED)
+          .max(64, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_MAX_LENGTH)
+          .optional(),
+        templateFields: ldapTemplateFieldsSchema.partial().optional()
+      }),
+      response: {
+        200: IdentityAuthTemplatesSchema.extend({
+          templateFields: z.record(z.string(), z.unknown())
+        })
+      }
+    },
+    handler: async (req) => {
+      const template = await server.services.identityAuthTemplate.updateTemplate({
+        templateId: req.params.templateId,
+        name: req.body.name,
+        templateFields: req.body.templateFields,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_UPDATE,
+          metadata: {
+            templateId: template.id,
+            name: template.name
+          }
+        }
+      });
+
+      return template;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:templateId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Delete identity auth template",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        templateId: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_ID_REQUIRED)
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      const template = await server.services.identityAuthTemplate.deleteTemplate({
+        templateId: req.params.templateId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_DELETE,
+          metadata: {
+            templateId: template.id,
+            name: template.name
+          }
+        }
+      });
+
+      return { message: TEMPLATE_SUCCESS_MESSAGES.DELETED };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:templateId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Get identity auth template by ID",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        templateId: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_ID_REQUIRED)
+      }),
+      response: {
+        200: IdentityAuthTemplatesSchema.extend({
+          templateFields: ldapTemplateFieldsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const template = await server.services.identityAuthTemplate.getTemplate({
+        templateId: req.params.templateId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return template;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/search",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "List identity auth templates",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        limit: z.coerce.number().positive().max(100).default(5).optional(),
+        offset: z.coerce.number().min(0).default(0).optional(),
+        search: z.string().optional()
+      }),
+      response: {
+        200: z.object({
+          templates: IdentityAuthTemplatesSchema.extend({
+            templateFields: ldapTemplateFieldsSchema
+          }).array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { templates, totalCount } = await server.services.identityAuthTemplate.listTemplates({
+        limit: req.query.limit,
+        offset: req.query.offset,
+        search: req.query.search,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return { templates, totalCount };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Get identity auth templates by authentication method",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        authMethod: z.nativeEnum(IdentityAuthTemplateMethod)
+      }),
+      response: {
+        200: IdentityAuthTemplatesSchema.extend({
+          templateFields: ldapTemplateFieldsSchema
+        }).array()
+      }
+    },
+    handler: async (req) => {
+      const templates = await server.services.identityAuthTemplate.getTemplatesByAuthMethod({
+        authMethod: req.query.authMethod,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return templates;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:templateId/usage",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Get template usage by template ID",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        templateId: z.string()
+      }),
+      response: {
+        200: z
+          .object({
+            identityId: z.string(),
+            identityName: z.string()
+          })
+          .array()
+      }
+    },
+    handler: async (req) => {
+      const templates = await server.services.identityAuthTemplate.findTemplateUsages({
+        templateId: req.params.templateId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return templates;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:templateId/delete-usage",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      description: "Unlink identity auth template usage",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        templateId: z.string()
+      }),
+      body: z.object({
+        identityIds: z.string().array()
+      }),
+      response: {
+        200: z
+          .object({
+            authId: z.string(),
+            identityId: z.string(),
+            identityName: z.string()
+          })
+          .array()
+      }
+    },
+    handler: async (req) => {
+      const templates = await server.services.identityAuthTemplate.unlinkTemplateUsage({
+        templateId: req.params.templateId,
+        identityIds: req.body.identityIds,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return templates;
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@@ -13,6 +13,7 @@ import { registerGatewayRouter } from "./gateway-router";
 import { registerGithubOrgSyncRouter } from "./github-org-sync-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerIdentityTemplateRouter } from "./identity-template-router";
 import { registerKmipRouter } from "./kmip-router";
 import { registerKmipSpecRouter } from "./kmip-spec-router";
 import { registerLdapRouter } from "./ldap-router";
@@ -125,6 +126,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerExternalKmsRouter, {
    prefix: "/external-kms"
  });
+  await server.register(registerIdentityTemplateRouter, { prefix: "/identity-templates" });

  await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });

--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -379,14 +379,17 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "POST",
-    url: "/config/:configId/test-connection",
+    url: "/config/test-connection",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
-      params: z.object({
-        configId: z.string().trim()
+      body: z.object({
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        caCert: z.string().trim()
      }),
      response: {
        200: z.boolean()
@@ -399,8 +402,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        orgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        ldapConfigId: req.params.configId
+        ...req.body
      });
+
      return result;
    }
  });
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -161,6 +161,9 @@ export enum EventType {
  CREATE_IDENTITY = "create-identity",
  UPDATE_IDENTITY = "update-identity",
  DELETE_IDENTITY = "delete-identity",
+  MACHINE_IDENTITY_AUTH_TEMPLATE_CREATE = "machine-identity-auth-template-create",
+  MACHINE_IDENTITY_AUTH_TEMPLATE_UPDATE = "machine-identity-auth-template-update",
+  MACHINE_IDENTITY_AUTH_TEMPLATE_DELETE = "machine-identity-auth-template-delete",
  LOGIN_IDENTITY_UNIVERSAL_AUTH = "login-identity-universal-auth",
  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
@@ -830,6 +833,30 @@ interface LoginIdentityUniversalAuthEvent {
  };
 }

+interface MachineIdentityAuthTemplateCreateEvent {
+  type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_CREATE;
+  metadata: {
+    templateId: string;
+    name: string;
+  };
+}
+
+interface MachineIdentityAuthTemplateUpdateEvent {
+  type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_UPDATE;
+  metadata: {
+    templateId: string;
+    name: string;
+  };
+}
+
+interface MachineIdentityAuthTemplateDeleteEvent {
+  type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_DELETE;
+  metadata: {
+    templateId: string;
+    name: string;
+  };
+}
+
 interface AddIdentityUniversalAuthEvent {
  type: EventType.ADD_IDENTITY_UNIVERSAL_AUTH;
  metadata: {
@@ -1325,6 +1352,7 @@ interface AddIdentityLdapAuthEvent {
    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
    allowedFields?: TAllowedFields[];
    url: string;
+    templateId?: string | null;
  };
 }

@@ -1338,6 +1366,7 @@ interface UpdateIdentityLdapAuthEvent {
    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
    allowedFields?: TAllowedFields[];
    url?: string;
+    templateId?: string | null;
  };
 }

@@ -3439,6 +3468,9 @@ export type Event =
  | UpdateIdentityEvent
  | DeleteIdentityEvent
  | LoginIdentityUniversalAuthEvent
+  | MachineIdentityAuthTemplateCreateEvent
+  | MachineIdentityAuthTemplateUpdateEvent
+  | MachineIdentityAuthTemplateDeleteEvent
  | AddIdentityUniversalAuthEvent
  | UpdateIdentityUniversalAuthEvent
  | DeleteIdentityUniversalAuthEvent
--- a/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
@@ -15,6 +15,7 @@ import { z } from "zod";
 import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
@@ -170,14 +171,29 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
  };
  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).verifyCredentials(providerInputs.clusterName);
-    return true;
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).verifyCredentials(providerInputs.clusterName);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.accessKeyId,
+          providerInputs.secretAccessKey,
+          providerInputs.clusterName,
+          providerInputs.region
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -206,21 +222,37 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {

    const parsedStatement = CreateElastiCacheUserSchema.parse(JSON.parse(creationStatement));

-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).createUser(parsedStatement, providerInputs.clusterName);
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).createUser(parsedStatement, providerInputs.clusterName);

-    return {
-      entityId: leaseUsername,
-      data: {
-        DB_USERNAME: leaseUsername,
-        DB_PASSWORD: leasePassword
-      }
-    };
+      return {
+        entityId: leaseUsername,
+        data: {
+          DB_USERNAME: leaseUsername,
+          DB_PASSWORD: leasePassword
+        }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          leaseUsername,
+          leasePassword,
+          providerInputs.accessKeyId,
+          providerInputs.secretAccessKey,
+          providerInputs.clusterName
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -229,15 +261,25 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username: entityId });
    const parsedStatement = DeleteElasticCacheUserSchema.parse(JSON.parse(revokeStatement));

-    await ElastiCacheUserManager(
-      {
-        accessKeyId: providerInputs.accessKeyId,
-        secretAccessKey: providerInputs.secretAccessKey
-      },
-      providerInputs.region
-    ).deleteUser(parsedStatement);
+    try {
+      await ElastiCacheUserManager(
+        {
+          accessKeyId: providerInputs.accessKeyId,
+          secretAccessKey: providerInputs.secretAccessKey
+        },
+        providerInputs.region
+      ).deleteUser(parsedStatement);

-    return { entityId };
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.accessKeyId, providerInputs.secretAccessKey, providerInputs.clusterName]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
@@ -23,6 +23,7 @@ import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -118,22 +119,39 @@ export const AwsIamProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown, { projectId }: { projectId: string }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs, projectId);
-    const isConnected = await client
-      .send(new GetUserCommand({}))
-      .then(() => true)
-      .catch((err) => {
-        const message = (err as Error)?.message;
-        if (
-          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
-          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
-          message.includes("Must specify userName when calling with non-User credentials")
-        ) {
-          return true;
-        }
-        throw err;
+    try {
+      const client = await $getClient(providerInputs, projectId);
+      const isConnected = await client
+        .send(new GetUserCommand({}))
+        .then(() => true)
+        .catch((err) => {
+          const message = (err as Error)?.message;
+          if (
+            (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
+            // assume role will throw an error asking to provider username, but if so this has access in aws correctly
+            message.includes("Must specify userName when calling with non-User credentials")
+          ) {
+            return true;
+          }
+          throw err;
+        });
+      return isConnected;
+    } catch (err) {
+      const sensitiveTokens = [];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
      });
-    return isConnected;
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -162,62 +180,81 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      awsTags.push(...additionalTags);
    }

-    const createUserRes = await client.send(
-      new CreateUserCommand({
-        Path: awsPath,
-        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-        Tags: awsTags,
-        UserName: username
-      })
-    );
-
-    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
-    if (userGroups) {
-      await Promise.all(
-        userGroups
-          .split(",")
-          .filter(Boolean)
-          .map((group) =>
-            client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
-          )
-      );
-    }
-    if (policyArns) {
-      await Promise.all(
-        policyArns
-          .split(",")
-          .filter(Boolean)
-          .map((policyArn) =>
-            client.send(new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn }))
-          )
-      );
-    }
-    if (policyDocument) {
-      await client.send(
-        new PutUserPolicyCommand({
-          UserName: createUserRes.User.UserName,
-          PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
-          PolicyDocument: policyDocument
+    try {
+      const createUserRes = await client.send(
+        new CreateUserCommand({
+          Path: awsPath,
+          PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
+          Tags: awsTags,
+          UserName: username
        })
      );
-    }

-    const createAccessKeyRes = await client.send(
-      new CreateAccessKeyCommand({
-        UserName: createUserRes.User.UserName
-      })
-    );
-    if (!createAccessKeyRes.AccessKey)
-      throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
-
-    return {
-      entityId: username,
-      data: {
-        ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
-        SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
-        USERNAME: username
+      if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
+      if (userGroups) {
+        await Promise.all(
+          userGroups
+            .split(",")
+            .filter(Boolean)
+            .map((group) =>
+              client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
+            )
+        );
      }
-    };
+      if (policyArns) {
+        await Promise.all(
+          policyArns
+            .split(",")
+            .filter(Boolean)
+            .map((policyArn) =>
+              client.send(
+                new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn })
+              )
+            )
+        );
+      }
+      if (policyDocument) {
+        await client.send(
+          new PutUserPolicyCommand({
+            UserName: createUserRes.User.UserName,
+            PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
+            PolicyDocument: policyDocument
+          })
+        );
+      }
+
+      const createAccessKeyRes = await client.send(
+        new CreateAccessKeyCommand({
+          UserName: createUserRes.User.UserName
+        })
+      );
+      if (!createAccessKeyRes.AccessKey)
+        throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
+
+      return {
+        entityId: username,
+        data: {
+          ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
+          SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
+          USERNAME: username
+        }
+      };
+    } catch (err) {
+      const sensitiveTokens = [username];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string, metadata: { projectId: string }) => {
@@ -278,8 +315,25 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      )
    );

-    await client.send(new DeleteUserCommand({ UserName: username }));
-    return { entityId: username };
+    try {
+      await client.send(new DeleteUserCommand({ UserName: username }));
+      return { entityId: username };
+    } catch (err) {
+      const sensitiveTokens = [username];
+      if (providerInputs.method === AwsIamAuthType.AccessKey) {
+        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
+      }
+      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+        sensitiveTokens.push(providerInputs.roleArn);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: sensitiveTokens
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@@ -2,6 +2,7 @@ import axios from "axios";
 import { customAlphabet } from "nanoid";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";

 import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";

@@ -51,45 +52,82 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-    return data.success;
+    try {
+      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+      return data.success;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.clientSecret, providerInputs.applicationId, providerInputs.tenantId]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async ({ inputs }: { inputs: unknown }) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-    if (!data.success) {
-      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
-    }

    const password = generatePassword();
-
-    const response = await axios.patch(
-      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
-      {
-        passwordProfile: {
-          forceChangePasswordNextSignIn: false,
-          password
-        }
-      },
-      {
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${data.token}`
-        }
+    try {
+      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+      if (!data.success) {
+        throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
      }
-    );
-    if (response.status !== 204) {
-      throw new BadRequestError({ message: "Failed to update password" });
-    }

-    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+      const response = await axios.patch(
+        `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+        {
+          passwordProfile: {
+            forceChangePasswordNextSignIn: false,
+            password
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${data.token}`
+          }
+        }
+      );
+      if (response.status !== 204) {
+        throw new BadRequestError({ message: "Failed to update password" });
+      }
+
+      return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.clientSecret,
+          providerInputs.applicationId,
+          providerInputs.userId,
+          providerInputs.email,
+          password
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
-    // Creates a new password
-    await create({ inputs });
-    return { entityId };
+    const providerInputs = await validateProviderInputs(inputs);
+    try {
+      // Creates a new password
+      await create({ inputs });
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.clientSecret, providerInputs.applicationId, entityId]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
@@ -3,6 +3,8 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -71,9 +73,24 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
-    await client.shutdown();
-    return isConnected;
+    try {
+      const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
+      await client.shutdown();
+      return isConnected;
+    } catch (err) {
+      const tokens = [providerInputs.password, providerInputs.username];
+      if (providerInputs.keyspace) {
+        tokens.push(providerInputs.keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -89,23 +106,39 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const { keyspace } = providerInputs;
-    const expiration = new Date(expireAt).toISOString();

-    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-      username,
-      password,
-      expiration,
-      keyspace
-    });
+    try {
+      const expiration = new Date(expireAt).toISOString();

-    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
+      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+        username,
+        password,
+        expiration,
+        keyspace
+      });
+
+      const queries = creationStatement.toString().split(";").filter(Boolean);
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await client.execute(query);
+      }
+      await client.shutdown();
+
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const tokens = [username, password];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -115,14 +148,29 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    const username = entityId;
    const { keyspace } = providerInputs;

-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
-    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
-      await client.execute(query);
+    try {
+      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
+      const queries = revokeStatement.toString().split(";").filter(Boolean);
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await client.execute(query);
+      }
+      await client.shutdown();
+      return { entityId: username };
+    } catch (err) {
+      const tokens = [username];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-    return { entityId: username };
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -130,21 +178,36 @@ export const CassandraProvider = (): TDynamicProviderFns => {
    if (!providerInputs.renewStatement) return { entityId };

    const client = await $getClient(providerInputs);
-
-    const expiration = new Date(expireAt).toISOString();
    const { keyspace } = providerInputs;

-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
-      username: entityId,
-      keyspace,
-      expiration
-    });
-    const queries = renewStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await client.execute(query);
+    try {
+      const expiration = new Date(expireAt).toISOString();
+
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+        username: entityId,
+        keyspace,
+        expiration
+      });
+      const queries = renewStatement.toString().split(";").filter(Boolean);
+      for await (const query of queries) {
+        await client.execute(query);
+      }
+      await client.shutdown();
+      return { entityId };
+    } catch (err) {
+      const tokens = [entityId];
+      if (keyspace) {
+        tokens.push(keyspace);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      await client.shutdown();
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-    await client.shutdown();
-    return { entityId };
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
@@ -2,6 +2,8 @@ import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -63,12 +65,24 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    const infoResponse = await connection
-      .info()
-      .then(() => true)
-      .catch(() => false);
-
-    return infoResponse;
+    try {
+      const infoResponse = await connection.info().then(() => true);
+      return infoResponse;
+    } catch (err) {
+      const tokens = [];
+      if (providerInputs.auth.type === ElasticSearchAuthTypes.ApiKey) {
+        tokens.push(providerInputs.auth.apiKey, providerInputs.auth.apiKeyId);
+      } else {
+        tokens.push(providerInputs.auth.username, providerInputs.auth.password);
+      }
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -79,27 +93,49 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    await connection.security.putUser({
-      username,
-      password,
-      full_name: "Managed by Infisical.com",
-      roles: providerInputs.roles
-    });
+    try {
+      await connection.security.putUser({
+        username,
+        password,
+        full_name: "Managed by Infisical.com",
+        roles: providerInputs.roles
+      });

-    await connection.close();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+      await connection.close();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password]
+      });
+      await connection.close();
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    await connection.security.deleteUser({
-      username: entityId
-    });
+    try {
+      await connection.security.deleteUser({
+        username: entityId
+      });

-    await connection.close();
-    return { entityId };
+      await connection.close();
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId]
+      });
+      await connection.close();
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts
@@ -3,6 +3,7 @@ import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretGcpIamSchema, TDynamicProviderFns } from "./models";
@@ -65,8 +66,18 @@ export const GcpIamProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await $getToken(providerInputs.serviceAccountEmail, 10);
-    return true;
+    try {
+      await $getToken(providerInputs.serviceAccountEmail, 10);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; expireAt: number }) => {
@@ -74,13 +85,23 @@ export const GcpIamProvider = (): TDynamicProviderFns => {

    const providerInputs = await validateProviderInputs(inputs);

-    const now = Math.floor(Date.now() / 1000);
-    const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
+    try {
+      const now = Math.floor(Date.now() / 1000);
+      const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);

-    const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
-    const entityId = alphaNumericNanoId(32);
+      const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
+      const entityId = alphaNumericNanoId(32);

-    return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+      return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (_inputs: unknown, entityId: string) => {
@@ -89,10 +110,21 @@ export const GcpIamProvider = (): TDynamicProviderFns => {
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    // To renew a token it must be re-created
-    const data = await create({ inputs, expireAt });
+    try {
+      // To renew a token it must be re-created
+      const data = await create({ inputs, expireAt });

-    return { ...data, entityId };
+      return { ...data, entityId };
+    } catch (err) {
+      const providerInputs = await validateProviderInputs(inputs);
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.serviceAccountEmail]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/github.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/github.ts
@@ -3,6 +3,7 @@ import jwt from "jsonwebtoken";

 import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";

@@ -89,26 +90,46 @@ export const GithubProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    await $generateGitHubInstallationAccessToken(providerInputs);
-    return true;
+    try {
+      await $generateGitHubInstallationAccessToken(providerInputs);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown }) => {
    const { inputs } = data;
    const providerInputs = await validateProviderInputs(inputs);

-    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
-    const entityId = alphaNumericNanoId(32);
+    try {
+      const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+      const entityId = alphaNumericNanoId(32);

-    return {
-      entityId,
-      data: {
-        TOKEN: ghTokenData.token,
-        EXPIRES_AT: ghTokenData.expires_at,
-        PERMISSIONS: ghTokenData.permissions,
-        REPOSITORY_SELECTION: ghTokenData.repository_selection
-      }
-    };
+      return {
+        entityId,
+        data: {
+          TOKEN: ghTokenData.token,
+          EXPIRES_AT: ghTokenData.expires_at,
+          PERMISSIONS: ghTokenData.permissions,
+          REPOSITORY_SELECTION: ghTokenData.repository_selection
+        }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async () => {
--- a/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
@@ -2,7 +2,8 @@ import axios, { AxiosError } from "axios";
 import handlebars from "handlebars";
 import https from "https";

-import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayHttpProxyActions, GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
@@ -356,8 +357,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        errorMessage = (error.response?.data as { message: string }).message;
      }

-      throw new InternalServerError({
-        message: `Failed to validate connection: ${errorMessage}`
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.clusterToken || ""]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
      });
    }
  };
@@ -602,8 +607,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
        errorMessage = (error.response?.data as { message: string }).message;
      }

-      throw new InternalServerError({
-        message: `Failed to create dynamic secret: ${errorMessage}`
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.clusterToken || ""]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
      });
    }
  };
@@ -683,50 +692,65 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    };

    if (providerInputs.credentialType === KubernetesCredentialType.Dynamic) {
-      const rawUrl =
-        providerInputs.authMethod === KubernetesAuthMethod.Gateway
-          ? GATEWAY_AUTH_DEFAULT_URL
-          : providerInputs.url || "";
+      try {
+        const rawUrl =
+          providerInputs.authMethod === KubernetesAuthMethod.Gateway
+            ? GATEWAY_AUTH_DEFAULT_URL
+            : providerInputs.url || "";

-      const url = new URL(rawUrl);
-      const k8sGatewayHost = url.hostname;
-      const k8sPort = url.port ? Number(url.port) : 443;
-      const k8sHost = `${url.protocol}//${url.hostname}`;
+        const url = new URL(rawUrl);
+        const k8sGatewayHost = url.hostname;
+        const k8sPort = url.port ? Number(url.port) : 443;
+        const k8sHost = `${url.protocol}//${url.hostname}`;

-      const httpsAgent =
-        providerInputs.ca && providerInputs.sslEnabled
-          ? new https.Agent({
-              ca: providerInputs.ca,
-              rejectUnauthorized: true
-            })
-          : undefined;
+        const httpsAgent =
+          providerInputs.ca && providerInputs.sslEnabled
+            ? new https.Agent({
+                ca: providerInputs.ca,
+                rejectUnauthorized: true
+              })
+            : undefined;

-      if (providerInputs.gatewayId) {
-        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
-          await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sHost,
-              targetPort: k8sPort,
-              httpsAgent,
-              reviewTokenThroughGateway: true
-            },
-            serviceAccountDynamicCallback
-          );
+        if (providerInputs.gatewayId) {
+          if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+            await $gatewayProxyWrapper(
+              {
+                gatewayId: providerInputs.gatewayId,
+                targetHost: k8sHost,
+                targetPort: k8sPort,
+                httpsAgent,
+                reviewTokenThroughGateway: true
+              },
+              serviceAccountDynamicCallback
+            );
+          } else {
+            await $gatewayProxyWrapper(
+              {
+                gatewayId: providerInputs.gatewayId,
+                targetHost: k8sGatewayHost,
+                targetPort: k8sPort,
+                httpsAgent,
+                reviewTokenThroughGateway: false
+              },
+              serviceAccountDynamicCallback
+            );
+          }
        } else {
-          await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sGatewayHost,
-              targetPort: k8sPort,
-              httpsAgent,
-              reviewTokenThroughGateway: false
-            },
-            serviceAccountDynamicCallback
-          );
+          await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
        }
-      } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
+      } catch (error) {
+        let errorMessage = error instanceof Error ? error.message : "Unknown error";
+        if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+          errorMessage = (error.response?.data as { message: string }).message;
+        }
+
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: errorMessage,
+          tokens: [entityId, providerInputs.clusterToken || ""]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      }
    }

--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@@ -6,6 +6,7 @@ import RE2 from "re2";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
@@ -91,8 +92,18 @@ export const LdapProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-    return client.connected;
+    try {
+      const client = await $getClient(providerInputs);
+      return client.connected;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.bindpass, providerInputs.binddn]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
@@ -205,11 +216,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
    if (providerInputs.credentialType === LdapCredentialType.Static) {
      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const username = dnMatch?.[1];
+      if (!username) throw new BadRequestError({ message: "Username not found from Ldif" });
+      const password = generatePassword();

      if (dnMatch) {
-        const username = dnMatch[1];
-        const password = generatePassword();
-
        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });

        try {
@@ -217,7 +228,11 @@ export const LdapProvider = (): TDynamicProviderFns => {

          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
+          const sanitizedErrorMessage = sanitizeString({
+            unsanitizedString: (err as Error)?.message,
+            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+          });
+          throw new BadRequestError({ message: sanitizedErrorMessage });
        }
      } else {
        throw new BadRequestError({
@@ -238,7 +253,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
          const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
          await executeLdif(client, rollbackLdif);
        }
-        throw new BadRequestError({ message: (err as Error).message });
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+        });
+        throw new BadRequestError({ message: sanitizedErrorMessage });
      }
    }
  };
@@ -262,7 +281,11 @@ export const LdapProvider = (): TDynamicProviderFns => {

          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
+          const sanitizedErrorMessage = sanitizeString({
+            unsanitizedString: (err as Error)?.message,
+            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
+          });
+          throw new BadRequestError({ message: sanitizedErrorMessage });
        }
      } else {
        throw new BadRequestError({
@@ -278,7 +301,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
    return { entityId };
  };

-  const renew = async (inputs: unknown, entityId: string) => {
+  const renew = async (_inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
@@ -3,6 +3,8 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { createDigestAuthRequestInterceptor } from "@app/lib/axios/digest-auth";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
@@ -49,19 +51,25 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client({
-      method: "GET",
-      url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
-      params: { itemsPerPage: 1 }
-    })
-      .then(() => true)
-      .catch((error) => {
-        if ((error as AxiosError).response) {
-          throw new Error(JSON.stringify((error as AxiosError).response?.data));
-        }
-        throw error;
+    try {
+      const isConnected = await client({
+        method: "GET",
+        url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
+        params: { itemsPerPage: 1 }
+      }).then(() => true);
+      return isConnected;
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
      });
-    return isConnected;
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -77,25 +85,39 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();
    const expiration = new Date(expireAt).toISOString();
-    await client({
-      method: "POST",
-      url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
-      data: {
-        roles: providerInputs.roles,
-        scopes: providerInputs.scopes,
-        deleteAfterDate: expiration,
-        username,
-        password,
-        databaseName: "admin",
-        groupId: providerInputs.groupId
-      }
-    }).catch((error) => {
-      if ((error as AxiosError).response) {
-        throw new Error(JSON.stringify((error as AxiosError).response?.data));
-      }
-      throw error;
-    });
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await client({
+        method: "POST",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
+        data: {
+          roles: providerInputs.roles,
+          scopes: providerInputs.scopes,
+          deleteAfterDate: expiration,
+          username,
+          password,
+          databaseName: "admin",
+          groupId: providerInputs.groupId
+        }
+      });
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [
+          username,
+          password,
+          providerInputs.adminPublicKey,
+          providerInputs.adminPrivateKey,
+          providerInputs.groupId
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -111,15 +133,23 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
      throw err;
    });
    if (isExisting) {
-      await client({
-        method: "DELETE",
-        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
-      }).catch((error) => {
-        if ((error as AxiosError).response) {
-          throw new Error(JSON.stringify((error as AxiosError).response?.data));
-        }
-        throw error;
-      });
+      try {
+        await client({
+          method: "DELETE",
+          url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
+        });
+      } catch (error) {
+        const errorMessage = (error as AxiosError).response
+          ? JSON.stringify((error as AxiosError).response?.data)
+          : (error as Error)?.message;
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: errorMessage,
+          tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
+      }
    }

    return { entityId: username };
@@ -132,21 +162,29 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
    const username = entityId;
    const expiration = new Date(expireAt).toISOString();

-    await client({
-      method: "PATCH",
-      url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
-      data: {
-        deleteAfterDate: expiration,
-        databaseName: "admin",
-        groupId: providerInputs.groupId
-      }
-    }).catch((error) => {
-      if ((error as AxiosError).response) {
-        throw new Error(JSON.stringify((error as AxiosError).response?.data));
-      }
-      throw error;
-    });
-    return { entityId: username };
+    try {
+      await client({
+        method: "PATCH",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
+        data: {
+          deleteAfterDate: expiration,
+          databaseName: "admin",
+          groupId: providerInputs.groupId
+        }
+      });
+      return { entityId: username };
+    } catch (error) {
+      const errorMessage = (error as AxiosError).response
+        ? JSON.stringify((error as AxiosError).response?.data)
+        : (error as Error)?.message;
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: errorMessage,
+        tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
@@ -2,6 +2,8 @@ import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -51,13 +53,24 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await $getClient(providerInputs);

-    const isConnected = await client
-      .db(providerInputs.database)
-      .command({ ping: 1 })
-      .then(() => true);
+    try {
+      const isConnected = await client
+        .db(providerInputs.database)
+        .command({ ping: 1 })
+        .then(() => true);

-    await client.close();
-    return isConnected;
+      await client.close();
+      return isConnected;
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.database, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -68,16 +81,27 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    const db = client.db(providerInputs.database);
+    try {
+      const db = client.db(providerInputs.database);

-    await db.command({
-      createUser: username,
-      pwd: password,
-      roles: providerInputs.roles
-    });
-    await client.close();
+      await db.command({
+        createUser: username,
+        pwd: password,
+        roles: providerInputs.roles
+      });
+      await client.close();

-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -86,13 +110,24 @@ export const MongoDBProvider = (): TDynamicProviderFns => {

    const username = entityId;

-    const db = client.db(providerInputs.database);
-    await db.command({
-      dropUser: username
-    });
-    await client.close();
+    try {
+      const db = client.db(providerInputs.database);
+      await db.command({
+        dropUser: username
+      });
+      await client.close();

-    return { entityId: username };
+      return { entityId: username };
+    } catch (err) {
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
@@ -3,6 +3,8 @@ import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

@@ -110,11 +112,19 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const connection = await $getClient(providerInputs);
-
-    const infoResponse = await connection.get("/whoami").then(() => true);
-
-    return infoResponse;
+    try {
+      const connection = await $getClient(providerInputs);
+      const infoResponse = await connection.get("/whoami").then(() => true);
+      return infoResponse;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -125,26 +135,44 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
    const username = generateUsername(usernameTemplate, identity);
    const password = generatePassword();

-    await createRabbitMqUser({
-      axiosInstance: connection,
-      virtualHost: providerInputs.virtualHost,
-      createUser: {
-        password,
-        username,
-        tags: [...(providerInputs.tags ?? []), "infisical-user"]
-      }
-    });
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await createRabbitMqUser({
+        axiosInstance: connection,
+        virtualHost: providerInputs.virtualHost,
+        createUser: {
+          password,
+          username,
+          tags: [...(providerInputs.tags ?? []), "infisical-user"]
+        }
+      });
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await $getClient(providerInputs);

-    await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
-
-    return { entityId };
+    try {
+      await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
+      return { entityId };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/redis.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/redis.ts
@@ -4,6 +4,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -112,14 +113,27 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const connection = await $getClient(providerInputs);
-
-    const pingResponse = await connection
-      .ping()
-      .then(() => true)
-      .catch(() => false);
-
-    return pingResponse;
+    let connection;
+    try {
+      connection = await $getClient(providerInputs);
+      const pingResponse = await connection.ping().then(() => true);
+      await connection.quit();
+      return pingResponse;
+    } catch (err) {
+      if (connection) await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [
+          providerInputs.password || "",
+          providerInputs.username,
+          providerInputs.host,
+          String(providerInputs.port)
+        ]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -144,10 +158,20 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

    const queries = creationStatement.toString().split(";").filter(Boolean);

-    await executeTransactions(connection, queries);
-
-    await connection.quit();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    try {
+      await executeTransactions(connection, queries);
+      await connection.quit();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const revoke = async (inputs: unknown, entityId: string) => {
@@ -159,10 +183,20 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
    const queries = revokeStatement.toString().split(";").filter(Boolean);

-    await executeTransactions(connection, queries);
-
-    await connection.quit();
-    return { entityId: username };
+    try {
+      await executeTransactions(connection, queries);
+      await connection.quit();
+      return { entityId: username };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -176,13 +210,23 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {

    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });

-    if (renewStatement) {
-      const queries = renewStatement.toString().split(";").filter(Boolean);
-      await executeTransactions(connection, queries);
+    try {
+      if (renewStatement) {
+        const queries = renewStatement.toString().split(";").filter(Boolean);
+        await executeTransactions(connection, queries);
+      }
+      await connection.quit();
+      return { entityId: username };
+    } catch (err) {
+      await connection.quit();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password || "", providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await connection.quit();
-    return { entityId: username };
  };

  return {
--- a/backend/src/ee/services/dynamic-secret/providers/sap-ase.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sap-ase.ts
@@ -4,6 +4,7 @@ import odbc from "odbc";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -67,25 +68,41 @@ export const SapAseProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const masterClient = await $getClient(providerInputs, true);
-    const client = await $getClient(providerInputs);
+    let masterClient;
+    let client;
+    try {
+      masterClient = await $getClient(providerInputs, true);
+      client = await $getClient(providerInputs);

-    const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
-    const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");
+      const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
+      const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");

-    if (!resultFromSelectedDatabase.version) {
+      if (!resultFromSelectedDatabase.version) {
+        throw new BadRequestError({
+          message: "Failed to validate SAP ASE connection, version query failed"
+        });
+      }
+
+      if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
+        throw new BadRequestError({
+          message: "Failed to validate SAP ASE connection (master), version mismatch"
+        });
+      }
+
+      await masterClient.close();
+      await client.close();
+      return true;
+    } catch (err) {
+      if (masterClient) await masterClient.close();
+      if (client) await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host, providerInputs.database]
+      });
      throw new BadRequestError({
-        message: "Failed to validate SAP ASE connection, version query failed"
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
      });
    }
-
-    if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
-      throw new BadRequestError({
-        message: "Failed to validate SAP ASE connection (master), version mismatch"
-      });
-    }
-
-    return true;
  };

  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -105,16 +122,26 @@ export const SapAseProvider = (): TDynamicProviderFns => {

    const queries = creationStatement.trim().replaceAll("\n", "").split(";").filter(Boolean);

-    for await (const query of queries) {
-      // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
-      // If not done, then the newly created user won't be able to authenticate.
-      await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+    try {
+      for await (const query of queries) {
+        // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
+        // If not done, then the newly created user won't be able to authenticate.
+        await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+      }
+      await masterClient.close();
+      await client.close();
+      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+    } catch (err) {
+      await masterClient.close();
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await masterClient.close();
-    await client.close();
-
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };

  const revoke = async (inputs: unknown, username: string) => {
@@ -140,14 +167,24 @@ export const SapAseProvider = (): TDynamicProviderFns => {
      }
    }

-    for await (const query of queries) {
-      await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+    try {
+      for await (const query of queries) {
+        await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+      }
+      await masterClient.close();
+      await client.close();
+      return { entityId: username };
+    } catch (err) {
+      await masterClient.close();
+      await client.close();
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username, providerInputs.database]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    await masterClient.close();
-    await client.close();
-
-    return { entityId: username };
  };

  const renew = async (_: unknown, username: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/sap-hana.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sap-hana.ts
@@ -10,6 +10,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -83,19 +84,26 @@ export const SapHanaProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    const testResult = await new Promise<boolean>((resolve, reject) => {
-      client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
-        if (err) {
-          reject();
-        }
-
-        resolve(true);
+    try {
+      const client = await $getClient(providerInputs);
+      const testResult = await new Promise<boolean>((resolve, reject) => {
+        client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
+          if (err) {
+            return reject(err);
+          }
+          resolve(true);
+        });
      });
-    });
-
-    return testResult;
+      return testResult;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.host]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

  const create = async (data: {
@@ -119,18 +127,22 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
    });

    const queries = creationStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await new Promise((resolve, reject) => {
-        client.exec(query, (err: any) => {
-          if (err) {
-            reject(
-              new BadRequestError({
-                message: err.message
-              })
-            );
-          }
-          resolve(true);
+    try {
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) return reject(err);
+            resolve(true);
+          });
        });
+      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
      });
    }

@@ -142,18 +154,24 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
    const client = await $getClient(providerInputs);
    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
    const queries = revokeStatement.toString().split(";").filter(Boolean);
-    for await (const query of queries) {
-      await new Promise((resolve, reject) => {
-        client.exec(query, (err: any) => {
-          if (err) {
-            reject(
-              new BadRequestError({
-                message: err.message
-              })
-            );
-          }
-          resolve(true);
+    try {
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) {
+              reject(err);
+            }
+            resolve(true);
+          });
        });
+      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [username, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
      });
    }

@@ -174,16 +192,20 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
        await new Promise((resolve, reject) => {
          client.exec(query, (err: any) => {
            if (err) {
-              reject(
-                new BadRequestError({
-                  message: err.message
-                })
-              );
+              reject(err);
            }
            resolve(true);
          });
        });
      }
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({
+        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+      });
    } finally {
      client.disconnect();
    }
--- a/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
@@ -4,6 +4,7 @@ import snowflake from "snowflake-sdk";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@@ -69,12 +70,10 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {

  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    let isValidConnection: boolean;
-
+    let client;
    try {
-      isValidConnection = await Promise.race([
+      client = await $getClient(providerInputs);
+      const isValidConnection = await Promise.race([
        client.isValidAsync(),
        new Promise((resolve) => {
          setTimeout(resolve, 10000);
@@ -82,11 +81,18 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          throw new BadRequestError({ message: "Unable to establish connection - verify credentials" });
        })
      ]);
+      return isValidConnection;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: [providerInputs.password, providerInputs.username, providerInputs.accountId, providerInputs.orgId]
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
    } finally {
-      client.destroy(noop);
+      if (client) client.destroy(noop);
    }
-
-    return isValidConnection;
  };

  const create = async (data: {
@@ -116,13 +122,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: creationStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "CreateLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [username, password, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to create lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
@@ -143,13 +155,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: revokeStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "RevokeLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [username, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
@@ -175,13 +193,19 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
          sqlText: renewStatement,
          complete(err) {
            if (err) {
-              return reject(new BadRequestError({ name: "RenewLease", message: err.message }));
+              return reject(err);
            }

            return resolve(true);
          }
        });
      });
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error).message,
+        tokens: [entityId, providerInputs.password, providerInputs.username]
+      });
+      throw new BadRequestError({ message: `Failed to renew lease from provider: ${sanitizedErrorMessage}` });
    } finally {
      client.destroy(noop);
    }
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -3,6 +3,8 @@ import knex from "knex";
 import { z } from "zod";

 import { crypto } from "@app/lib/crypto/cryptography";
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -212,8 +214,19 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
      // oracle needs from keyword
      const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";

-      isConnected = await db.raw(testStatement).then(() => true);
-      await db.destroy();
+      try {
+        isConnected = await db.raw(testStatement).then(() => true);
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [providerInputs.username]
+        });
+        throw new BadRequestError({
+          message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+        });
+      } finally {
+        await db.destroy();
+      }
    };

    if (providerInputs.gatewayId) {
@@ -233,13 +246,13 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
    const { inputs, expireAt, usernameTemplate, identity } = data;

    const providerInputs = await validateProviderInputs(inputs);
+    const { database } = providerInputs;
    const username = generateUsername(providerInputs.client, usernameTemplate, identity);

    const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
      const db = await $getClient({ ...providerInputs, port, host });
      try {
-        const { database } = providerInputs;
        const expiration = new Date(expireAt).toISOString();

        const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
@@ -256,6 +269,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            await tx.raw(query);
          }
        });
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, database]
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
@@ -283,6 +304,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            await tx.raw(query);
          }
        });
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, database]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
@@ -319,6 +348,14 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
            }
          });
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [database]
+        });
+        throw new BadRequestError({
+          message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        await db.destroy();
      }
--- a/backend/src/ee/services/dynamic-secret/providers/totp.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/totp.ts
@@ -1,6 +1,8 @@
 import { authenticator } from "otplib";
 import { HashAlgorithms } from "otplib/core";

+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { DynamicSecretTotpSchema, TDynamicProviderFns, TotpConfigType } from "./models";
@@ -12,62 +14,84 @@ export const TotpProvider = (): TDynamicProviderFns => {
    return providerInputs;
  };

-  const validateConnection = async () => {
-    return true;
+  const validateConnection = async (inputs: unknown) => {
+    try {
+      await validateProviderInputs(inputs);
+      return true;
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: []
+      });
+      throw new BadRequestError({
+        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      });
+    }
  };

-  const create = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
+  const create = async (data: { inputs: unknown }) => {
+    const { inputs } = data;
+    try {
+      const providerInputs = await validateProviderInputs(inputs);

-    const entityId = alphaNumericNanoId(32);
-    const authenticatorInstance = authenticator.clone();
+      const entityId = alphaNumericNanoId(32);
+      const authenticatorInstance = authenticator.clone();

-    let secret: string;
-    let period: number | null | undefined;
-    let digits: number | null | undefined;
-    let algorithm: HashAlgorithms | null | undefined;
+      let secret: string;
+      let period: number | null | undefined;
+      let digits: number | null | undefined;
+      let algorithm: HashAlgorithms | null | undefined;

-    if (providerInputs.configType === TotpConfigType.URL) {
-      const urlObj = new URL(providerInputs.url);
-      secret = urlObj.searchParams.get("secret") as string;
-      const periodFromUrl = urlObj.searchParams.get("period");
-      const digitsFromUrl = urlObj.searchParams.get("digits");
-      const algorithmFromUrl = urlObj.searchParams.get("algorithm");
+      if (providerInputs.configType === TotpConfigType.URL) {
+        const urlObj = new URL(providerInputs.url);
+        secret = urlObj.searchParams.get("secret") as string;
+        const periodFromUrl = urlObj.searchParams.get("period");
+        const digitsFromUrl = urlObj.searchParams.get("digits");
+        const algorithmFromUrl = urlObj.searchParams.get("algorithm");

-      if (periodFromUrl) {
-        period = +periodFromUrl;
+        if (periodFromUrl) {
+          period = +periodFromUrl;
+        }
+
+        if (digitsFromUrl) {
+          digits = +digitsFromUrl;
+        }
+
+        if (algorithmFromUrl) {
+          algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+        }
+      } else {
+        secret = providerInputs.secret;
+        period = providerInputs.period;
+        digits = providerInputs.digits;
+        algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
      }

-      if (digitsFromUrl) {
-        digits = +digitsFromUrl;
+      if (digits) {
+        authenticatorInstance.options = { digits };
      }

-      if (algorithmFromUrl) {
-        algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+      if (algorithm) {
+        authenticatorInstance.options = { algorithm };
      }
-    } else {
-      secret = providerInputs.secret;
-      period = providerInputs.period;
-      digits = providerInputs.digits;
-      algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
-    }

-    if (digits) {
-      authenticatorInstance.options = { digits };
-    }
+      if (period) {
+        authenticatorInstance.options = { step: period };
+      }

-    if (algorithm) {
-      authenticatorInstance.options = { algorithm };
+      return {
+        entityId,
+        data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
+      };
+    } catch (err) {
+      const sanitizedErrorMessage = sanitizeString({
+        unsanitizedString: (err as Error)?.message,
+        tokens: []
+      });
+      throw new BadRequestError({
+        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      });
    }
-
-    if (period) {
-      authenticatorInstance.options = { step: period };
-    }
-
-    return {
-      entityId,
-      data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
-    };
  };

  const revoke = async (_inputs: unknown, entityId: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/vertica.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/vertica.ts
@@ -4,6 +4,7 @@ import { z } from "zod";

 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -275,6 +276,14 @@ export const VerticaProvider = ({ gatewayService }: TVerticaProviderDTO): TDynam
            await client.raw(trimmedQuery);
          }
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, password, providerInputs.username, providerInputs.password]
+        });
+        throw new BadRequestError({
+          message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        if (client) await client.destroy();
      }
@@ -339,6 +348,14 @@ export const VerticaProvider = ({ gatewayService }: TVerticaProviderDTO): TDynam
            await client.raw(trimmedQuery);
          }
        }
+      } catch (err) {
+        const sanitizedErrorMessage = sanitizeString({
+          unsanitizedString: (err as Error)?.message,
+          tokens: [username, providerInputs.username, providerInputs.password]
+        });
+        throw new BadRequestError({
+          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
+        });
      } finally {
        if (client) await client.destroy();
      }
--- a/backend/src/ee/services/event/event-sse-service.ts
+++ b/backend/src/ee/services/event/event-sse-service.ts
@@ -13,11 +13,9 @@ const AUTH_REFRESH_INTERVAL = 60 * 1000;
 const HEART_BEAT_INTERVAL = 15 * 1000;

 export const sseServiceFactory = (bus: TEventBusService, redis: Redis) => {
-  let heartbeatInterval: NodeJS.Timeout | null = null;
-
  const clients = new Set<EventStreamClient>();

-  heartbeatInterval = setInterval(() => {
+  const heartbeatInterval = setInterval(() => {
    for (const client of clients) {
      if (client.stream.closed) continue;
      void client.ping();
--- a/backend/src/ee/services/event/event-sse-stream.ts
+++ b/backend/src/ee/services/event/event-sse-stream.ts
@@ -66,15 +66,24 @@ export type EventStreamClient = {
 };

 export function createEventStreamClient(redis: Redis, options: IEventStreamClientOpts): EventStreamClient {
-  const rules = options.registered.map((r) => ({
-    subject: options.type,
-    action: "subscribe",
-    conditions: {
-      eventType: r.event,
-      secretPath: r.conditions?.secretPath ?? "/",
-      environment: r.conditions?.environmentSlug
-    }
-  }));
+  const rules = options.registered.map((r) => {
+    const secretPath = r.conditions?.secretPath;
+    const hasConditions = r.conditions?.environmentSlug || r.conditions?.secretPath;
+
+    return {
+      subject: options.type,
+      action: "subscribe",
+      conditions: {
+        eventType: r.event,
+        ...(hasConditions
+          ? {
+              environment: r.conditions?.environmentSlug ?? "",
+              secretPath: { $glob: secretPath }
+            }
+          : {})
+      }
+    };
+  });

  const id = `sse-${nanoid()}`;
  const control = new AbortController();
--- a/backend/src/ee/services/group/group-fns.ts
+++ b/backend/src/ee/services/group/group-fns.ts
@@ -1,6 +1,6 @@
 import { Knex } from "knex";

-import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
+import { ProjectVersion, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";

@@ -65,6 +65,18 @@ const addAcceptedUsersToGroup = async ({
  const userKeysSet = new Set(keys.map((k) => `${k.projectId}-${k.receiverId}`));

  for await (const projectId of projectIds) {
+    const project = await projectDAL.findById(projectId, tx);
+    if (!project) {
+      throw new NotFoundError({
+        message: `Failed to find project with ID '${projectId}'`
+      });
+    }
+
+    if (project.version !== ProjectVersion.V1 && project.version !== ProjectVersion.V2) {
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
    const usersToAddProjectKeyFor = users.filter((u) => !userKeysSet.has(`${projectId}-${u.userId}`));

    if (usersToAddProjectKeyFor.length) {
@@ -86,6 +98,12 @@ const addAcceptedUsersToGroup = async ({
        });
      }

+      if (!ghostUserLatestKey.sender.publicKey) {
+        throw new NotFoundError({
+          message: `Failed to find project owner's public key in project with ID '${projectId}'`
+        });
+      }
+
      const bot = await projectBotDAL.findOne({ projectId }, tx);

      if (!bot) {
@@ -112,6 +130,12 @@ const addAcceptedUsersToGroup = async ({
      });

      const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => {
+        if (!user.publicKey) {
+          throw new NotFoundError({
+            message: `Failed to find user's public key in project with ID '${projectId}'`
+          });
+        }
+
        const { ciphertext: encryptedKey, nonce } = crypto
          .encryption()
          .asymmetric()
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -41,7 +41,7 @@ type TGroupServiceFactoryDep = {
    TUserGroupMembershipDALFactory,
    "findOne" | "delete" | "filterProjectsByUserMembership" | "transaction" | "insertMany" | "find"
  >;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@@ -65,7 +65,7 @@ export type TAddUsersToGroup = {
  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "find" | "transaction" | "insertMany">;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  tx: Knex;
 };
@@ -78,7 +78,7 @@ export type TAddUsersToGroupByUserIds = {
  orgDAL: Pick<TOrgDALFactory, "findMembership">;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  tx?: Knex;
 };
@@ -102,7 +102,7 @@ export type TConvertPendingGroupAdditionsToGroupMemberships = {
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  tx?: Knex;
 };
--- a/backend/src/ee/services/identity-auth-template/identity-auth-template-dal.ts
+++ b/backend/src/ee/services/identity-auth-template/identity-auth-template-dal.ts
@@ -0,0 +1,83 @@
+/* eslint-disable no-case-declarations */
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { buildFindFilter, ormify } from "@app/lib/knex";
+
+import { IdentityAuthTemplateMethod } from "./identity-auth-template-enums";
+
+export type TIdentityAuthTemplateDALFactory = ReturnType<typeof identityAuthTemplateDALFactory>;
+
+export const identityAuthTemplateDALFactory = (db: TDbClient) => {
+  const identityAuthTemplateOrm = ormify(db, TableName.IdentityAuthTemplate);
+
+  const findByOrgId = async (
+    orgId: string,
+    { limit, offset, search, tx }: { limit?: number; offset?: number; search?: string; tx?: Knex } = {}
+  ) => {
+    let query = (tx || db.replicaNode())(TableName.IdentityAuthTemplate).where({ orgId });
+    let countQuery = (tx || db.replicaNode())(TableName.IdentityAuthTemplate).where({ orgId });
+
+    if (search) {
+      const searchFilter = `%${search.toLowerCase()}%`;
+      query = query.whereRaw("LOWER(name) LIKE ?", [searchFilter]);
+      countQuery = countQuery.whereRaw("LOWER(name) LIKE ?", [searchFilter]);
+    }
+
+    query = query.orderBy("createdAt", "desc");
+
+    if (limit !== undefined) {
+      query = query.limit(limit);
+    }
+    if (offset !== undefined) {
+      query = query.offset(offset);
+    }
+
+    const docs = await query;
+
+    const [{ count }] = (await countQuery.count("* as count")) as [{ count: string | number }];
+
+    return { docs, totalCount: Number(count) };
+  };
+
+  const findByAuthMethod = async (authMethod: string, orgId: string, tx?: Knex) => {
+    const query = (tx || db.replicaNode())(TableName.IdentityAuthTemplate)
+      .where({ authMethod, orgId })
+      .orderBy("createdAt", "desc");
+    const docs = await query;
+    return docs;
+  };
+
+  const findTemplateUsages = async (templateId: string, authMethod: string, tx?: Knex) => {
+    switch (authMethod) {
+      case IdentityAuthTemplateMethod.LDAP:
+        const query = (tx || db.replicaNode())(TableName.IdentityLdapAuth)
+          .join(TableName.Identity, `${TableName.IdentityLdapAuth}.identityId`, `${TableName.Identity}.id`)
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          .where(buildFindFilter({ templateId }, TableName.IdentityLdapAuth))
+          .select(
+            db.ref("identityId").withSchema(TableName.IdentityLdapAuth),
+            db.ref("name").withSchema(TableName.Identity).as("identityName")
+          );
+        const docs = await query;
+        return docs;
+      default:
+        return [];
+    }
+  };
+
+  const findByIdAndOrgId = async (id: string, orgId: string, tx?: Knex) => {
+    const query = (tx || db.replicaNode())(TableName.IdentityAuthTemplate).where({ id, orgId });
+    const doc = await query;
+    return doc?.[0];
+  };
+
+  return {
+    ...identityAuthTemplateOrm,
+    findByOrgId,
+    findByAuthMethod,
+    findTemplateUsages,
+    findByIdAndOrgId
+  };
+};
--- a/backend/src/ee/services/identity-auth-template/identity-auth-template-enums.ts
+++ b/backend/src/ee/services/identity-auth-template/identity-auth-template-enums.ts
@@ -0,0 +1,22 @@
+export enum IdentityAuthTemplateMethod {
+  LDAP = "ldap"
+}
+
+export const TEMPLATE_VALIDATION_MESSAGES = {
+  TEMPLATE_NAME_REQUIRED: "Template name is required",
+  TEMPLATE_NAME_MAX_LENGTH: "Template name must be at most 64 characters long",
+  AUTH_METHOD_REQUIRED: "Auth method is required",
+  TEMPLATE_ID_REQUIRED: "Template ID is required",
+  LDAP: {
+    URL_REQUIRED: "LDAP URL is required",
+    BIND_DN_REQUIRED: "Bind DN is required",
+    BIND_PASSWORD_REQUIRED: "Bind password is required",
+    SEARCH_BASE_REQUIRED: "Search base is required"
+  }
+} as const;
+
+export const TEMPLATE_SUCCESS_MESSAGES = {
+  CREATED: "Template created successfully",
+  UPDATED: "Template updated successfully",
+  DELETED: "Template deleted successfully"
+} as const;
--- a/backend/src/ee/services/identity-auth-template/identity-auth-template-service.ts
+++ b/backend/src/ee/services/identity-auth-template/identity-auth-template-service.ts
@@ -0,0 +1,454 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import {
+  OrgPermissionMachineIdentityAuthTemplateActions,
+  OrgPermissionSubjects
+} from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { TOrgPermission } from "@app/lib/types";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TIdentityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TIdentityAuthTemplateDALFactory } from "./identity-auth-template-dal";
+import { IdentityAuthTemplateMethod } from "./identity-auth-template-enums";
+import {
+  TDeleteIdentityAuthTemplateDTO,
+  TFindTemplateUsagesDTO,
+  TGetIdentityAuthTemplateDTO,
+  TGetTemplatesByAuthMethodDTO,
+  TLdapTemplateFields,
+  TListIdentityAuthTemplatesDTO,
+  TUnlinkTemplateUsageDTO
+} from "./identity-auth-template-types";
+
+type TIdentityAuthTemplateServiceFactoryDep = {
+  identityAuthTemplateDAL: TIdentityAuthTemplateDALFactory;
+  identityLdapAuthDAL: TIdentityLdapAuthDALFactory;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
+};
+
+export type TIdentityAuthTemplateServiceFactory = ReturnType<typeof identityAuthTemplateServiceFactory>;
+
+export const identityAuthTemplateServiceFactory = ({
+  identityAuthTemplateDAL,
+  identityLdapAuthDAL,
+  permissionService,
+  kmsService,
+  licenseService,
+  auditLogService
+}: TIdentityAuthTemplateServiceFactoryDep) => {
+  // Plan check
+  const $checkPlan = async (orgId: string) => {
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.machineIdentityAuthTemplates)
+      throw new BadRequestError({
+        message:
+          "Failed to use identity auth template due to plan restriction. Upgrade plan to access machine identity auth templates."
+      });
+  };
+  const createTemplate = async ({
+    name,
+    authMethod,
+    templateFields,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: {
+    name: string;
+    authMethod: string;
+    templateFields: Record<string, unknown>;
+  } & Omit<TOrgPermission, "orgId">) => {
+    await $checkPlan(actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.CreateTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const { encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+    const template = await identityAuthTemplateDAL.create({
+      name,
+      authMethod,
+      templateFields: encryptor({ plainText: Buffer.from(JSON.stringify(templateFields)) }).cipherTextBlob,
+      orgId: actorOrgId
+    });
+
+    return { ...template, templateFields };
+  };
+
+  const updateTemplate = async ({
+    templateId,
+    name,
+    templateFields,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: {
+    templateId: string;
+    name?: string;
+    templateFields?: Record<string, unknown>;
+  } & Omit<TOrgPermission, "orgId">) => {
+    await $checkPlan(actorOrgId);
+    const template = await identityAuthTemplateDAL.findByIdAndOrgId(templateId, actorOrgId);
+    if (!template) {
+      throw new NotFoundError({ message: "Template not found" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      template.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.EditTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const { encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: template.orgId
+    });
+
+    let finalTemplateFields: Record<string, unknown> = {};
+
+    const updatedTemplate = await identityAuthTemplateDAL.transaction(async (tx) => {
+      const authTemplate = await identityAuthTemplateDAL.updateById(
+        templateId,
+        {
+          name,
+          ...(templateFields && {
+            templateFields: encryptor({ plainText: Buffer.from(JSON.stringify(templateFields)) }).cipherTextBlob
+          })
+        },
+        tx
+      );
+
+      if (templateFields && template.authMethod === IdentityAuthTemplateMethod.LDAP) {
+        const { decryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.Organization,
+          orgId: template.orgId
+        });
+
+        const currentTemplateFields = JSON.parse(
+          decryptor({ cipherTextBlob: template.templateFields }).toString()
+        ) as TLdapTemplateFields;
+
+        const mergedTemplateFields: TLdapTemplateFields = { ...currentTemplateFields, ...templateFields };
+        finalTemplateFields = mergedTemplateFields;
+        const ldapUpdateData: {
+          url?: string;
+          searchBase?: string;
+          encryptedBindDN?: Buffer;
+          encryptedBindPass?: Buffer;
+          encryptedLdapCaCertificate?: Buffer;
+        } = {};
+
+        if ("url" in templateFields) {
+          ldapUpdateData.url = mergedTemplateFields.url;
+        }
+        if ("searchBase" in templateFields) {
+          ldapUpdateData.searchBase = mergedTemplateFields.searchBase;
+        }
+        if ("bindDN" in templateFields) {
+          ldapUpdateData.encryptedBindDN = encryptor({
+            plainText: Buffer.from(mergedTemplateFields.bindDN)
+          }).cipherTextBlob;
+        }
+        if ("bindPass" in templateFields) {
+          ldapUpdateData.encryptedBindPass = encryptor({
+            plainText: Buffer.from(mergedTemplateFields.bindPass)
+          }).cipherTextBlob;
+        }
+        if ("ldapCaCertificate" in templateFields) {
+          ldapUpdateData.encryptedLdapCaCertificate = encryptor({
+            plainText: Buffer.from(mergedTemplateFields.ldapCaCertificate || "")
+          }).cipherTextBlob;
+        }
+
+        if (Object.keys(ldapUpdateData).length > 0) {
+          const updatedLdapAuths = await identityLdapAuthDAL.update({ templateId }, ldapUpdateData, tx);
+          await Promise.all(
+            updatedLdapAuths.map(async (updatedLdapAuth) => {
+              await auditLogService.createAuditLog({
+                actor: {
+                  type: ActorType.PLATFORM,
+                  metadata: {}
+                },
+                orgId: actorOrgId,
+                event: {
+                  type: EventType.UPDATE_IDENTITY_LDAP_AUTH,
+                  metadata: {
+                    identityId: updatedLdapAuth.identityId,
+                    templateId: template.id
+                  }
+                }
+              });
+            })
+          );
+        }
+      }
+      return authTemplate;
+    });
+
+    return { ...updatedTemplate, templateFields: finalTemplateFields };
+  };
+
+  const deleteTemplate = async ({
+    templateId,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TDeleteIdentityAuthTemplateDTO) => {
+    await $checkPlan(actorOrgId);
+    const template = await identityAuthTemplateDAL.findByIdAndOrgId(templateId, actorOrgId);
+    if (!template) {
+      throw new NotFoundError({ message: "Template not found" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      template.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.DeleteTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const deletedTemplate = await identityAuthTemplateDAL.transaction(async (tx) => {
+      // Remove template reference from identityLdapAuth records
+      const updatedLdapAuths = await identityLdapAuthDAL.update({ templateId }, { templateId: null }, tx);
+      await Promise.all(
+        updatedLdapAuths.map(async (updatedLdapAuth) => {
+          await auditLogService.createAuditLog({
+            actor: {
+              type: ActorType.PLATFORM,
+              metadata: {}
+            },
+            orgId: actorOrgId,
+            event: {
+              type: EventType.UPDATE_IDENTITY_LDAP_AUTH,
+              metadata: {
+                identityId: updatedLdapAuth.identityId,
+                templateId: template.id
+              }
+            }
+          });
+        })
+      );
+
+      // Delete the template
+      const [deletedTpl] = await identityAuthTemplateDAL.delete({ id: templateId }, tx);
+      return deletedTpl;
+    });
+
+    return deletedTemplate;
+  };
+
+  const getTemplate = async ({
+    templateId,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TGetIdentityAuthTemplateDTO) => {
+    await $checkPlan(actorOrgId);
+    const template = await identityAuthTemplateDAL.findByIdAndOrgId(templateId, actorOrgId);
+    if (!template) {
+      throw new NotFoundError({ message: "Template not found" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      template.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.ListTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: template.orgId
+    });
+    const decryptedTemplateFields = decryptor({ cipherTextBlob: template.templateFields }).toString();
+    return {
+      ...template,
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+      templateFields: JSON.parse(decryptedTemplateFields)
+    };
+  };
+
+  const listTemplates = async ({
+    limit,
+    offset,
+    search,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TListIdentityAuthTemplatesDTO) => {
+    await $checkPlan(actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.ListTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const { docs, totalCount } = await identityAuthTemplateDAL.findByOrgId(actorOrgId, { limit, offset, search });
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+    return {
+      totalCount,
+      templates: docs.map((doc) => ({
+        ...doc,
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        templateFields: JSON.parse(decryptor({ cipherTextBlob: doc.templateFields }).toString())
+      }))
+    };
+  };
+
+  const getTemplatesByAuthMethod = async ({
+    authMethod,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TGetTemplatesByAuthMethodDTO) => {
+    await $checkPlan(actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.AttachTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const docs = await identityAuthTemplateDAL.findByAuthMethod(authMethod, actorOrgId);
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: actorOrgId
+    });
+    return docs.map((doc) => ({
+      ...doc,
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+      templateFields: JSON.parse(decryptor({ cipherTextBlob: doc.templateFields }).toString())
+    }));
+  };
+
+  const findTemplateUsages = async ({
+    templateId,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TFindTemplateUsagesDTO) => {
+    await $checkPlan(actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.ListTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const template = await identityAuthTemplateDAL.findByIdAndOrgId(templateId, actorOrgId);
+    if (!template) {
+      throw new NotFoundError({ message: "Template not found" });
+    }
+
+    const docs = await identityAuthTemplateDAL.findTemplateUsages(templateId, template.authMethod);
+    return docs;
+  };
+
+  const unlinkTemplateUsage = async ({
+    templateId,
+    identityIds,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUnlinkTemplateUsageDTO) => {
+    await $checkPlan(actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionMachineIdentityAuthTemplateActions.UnlinkTemplates,
+      OrgPermissionSubjects.MachineIdentityAuthTemplate
+    );
+
+    const template = await identityAuthTemplateDAL.findByIdAndOrgId(templateId, actorOrgId);
+    if (!template) {
+      throw new NotFoundError({ message: "Template not found" });
+    }
+
+    switch (template.authMethod) {
+      case IdentityAuthTemplateMethod.LDAP:
+        await identityLdapAuthDAL.update({ $in: { identityId: identityIds }, templateId }, { templateId: null });
+        break;
+      default:
+        break;
+    }
+  };
+
+  return {
+    createTemplate,
+    updateTemplate,
+    deleteTemplate,
+    getTemplate,
+    listTemplates,
+    getTemplatesByAuthMethod,
+    findTemplateUsages,
+    unlinkTemplateUsage
+  };
+};
--- a/backend/src/ee/services/identity-auth-template/identity-auth-template-types.ts
+++ b/backend/src/ee/services/identity-auth-template/identity-auth-template-types.ts
@@ -0,0 +1,61 @@
+import { TProjectPermission } from "@app/lib/types";
+
+import { IdentityAuthTemplateMethod } from "./identity-auth-template-enums";
+
+// Method-specific template field types
+export type TLdapTemplateFields = {
+  url: string;
+  bindDN: string;
+  bindPass: string;
+  searchBase: string;
+  ldapCaCertificate?: string;
+};
+
+// Union type for all template field types
+export type TTemplateFieldsByMethod = {
+  [IdentityAuthTemplateMethod.LDAP]: TLdapTemplateFields;
+};
+
+// Generic base types that use conditional types for type safety
+export type TCreateIdentityAuthTemplateDTO = {
+  name: string;
+  authMethod: IdentityAuthTemplateMethod;
+  templateFields: TTemplateFieldsByMethod[IdentityAuthTemplateMethod];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateIdentityAuthTemplateDTO = {
+  templateId: string;
+  name?: string;
+  templateFields?: Partial<TTemplateFieldsByMethod[IdentityAuthTemplateMethod]>;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteIdentityAuthTemplateDTO = {
+  templateId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetIdentityAuthTemplateDTO = {
+  templateId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TListIdentityAuthTemplatesDTO = {
+  limit?: number;
+  offset?: number;
+  search?: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetTemplatesByAuthMethodDTO = {
+  authMethod: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TFindTemplateUsagesDTO = {
+  templateId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUnlinkTemplateUsageDTO = {
+  templateId: string;
+  identityIds: string[];
+} & Omit<TProjectPermission, "projectId">;
+
+// Specific LDAP types for convenience
+export type TCreateLdapTemplateDTO = TCreateIdentityAuthTemplateDTO;
+export type TUpdateLdapTemplateDTO = TUpdateIdentityAuthTemplateDTO;
--- a/backend/src/ee/services/identity-auth-template/index.ts
+++ b/backend/src/ee/services/identity-auth-template/index.ts
@@ -0,0 +1,6 @@
+export type { TIdentityAuthTemplateDALFactory } from "./identity-auth-template-dal";
+export { identityAuthTemplateDALFactory } from "./identity-auth-template-dal";
+export * from "./identity-auth-template-enums";
+export type { TIdentityAuthTemplateServiceFactory } from "./identity-auth-template-service";
+export { identityAuthTemplateServiceFactory } from "./identity-auth-template-service";
+export type * from "./identity-auth-template-types";
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -1,4 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
+import { Knex } from "knex";

 import { OrgMembershipStatus, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
@@ -45,7 +46,7 @@ import { searchGroups, testLDAPConfig } from "./ldap-fns";
 import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";

 type TLdapConfigServiceFactoryDep = {
-  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
+  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne" | "transaction">;
  ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
  orgDAL: Pick<
@@ -55,7 +56,7 @@ type TLdapConfigServiceFactoryDep = {
  groupDAL: Pick<TGroupDALFactory, "find" | "findOne">;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  userGroupMembershipDAL: Pick<
    TUserGroupMembershipDALFactory,
@@ -131,6 +132,19 @@ export const ldapConfigServiceFactory = ({
      orgId
    });

+    const isConnected = await testLDAPConfig({
+      bindDN,
+      bindPass,
+      caCert,
+      url
+    });
+
+    if (!isConnected) {
+      throw new BadRequestError({
+        message: "Failed to establish connection to LDAP directory. Please verify that your credentials are correct."
+      });
+    }
+
    const ldapConfig = await ldapConfigDAL.create({
      orgId,
      isActive,
@@ -148,6 +162,50 @@ export const ldapConfigServiceFactory = ({
    return ldapConfig;
  };

+  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }, tx?: Knex) => {
+    const ldapConfig = await ldapConfigDAL.findOne(filter, tx);
+    if (!ldapConfig) {
+      throw new NotFoundError({
+        message: `Failed to find organization LDAP data in organization with ID '${filter.orgId}'`
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: ldapConfig.orgId
+    });
+
+    let bindDN = "";
+    if (ldapConfig.encryptedLdapBindDN) {
+      bindDN = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindDN }).toString();
+    }
+
+    let bindPass = "";
+    if (ldapConfig.encryptedLdapBindPass) {
+      bindPass = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindPass }).toString();
+    }
+
+    let caCert = "";
+    if (ldapConfig.encryptedLdapCaCertificate) {
+      caCert = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapCaCertificate }).toString();
+    }
+
+    return {
+      id: ldapConfig.id,
+      organization: ldapConfig.orgId,
+      isActive: ldapConfig.isActive,
+      url: ldapConfig.url,
+      bindDN,
+      bindPass,
+      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
+      searchBase: ldapConfig.searchBase,
+      searchFilter: ldapConfig.searchFilter,
+      groupSearchBase: ldapConfig.groupSearchBase,
+      groupSearchFilter: ldapConfig.groupSearchFilter,
+      caCert
+    };
+  };
+
  const updateLdapCfg = async ({
    actor,
    actorId,
@@ -202,53 +260,25 @@ export const ldapConfigServiceFactory = ({
      updateQuery.encryptedLdapCaCertificate = encryptor({ plainText: Buffer.from(caCert) }).cipherTextBlob;
    }

-    const [ldapConfig] = await ldapConfigDAL.update({ orgId }, updateQuery);
+    const config = await ldapConfigDAL.transaction(async (tx) => {
+      const [updatedLdapCfg] = await ldapConfigDAL.update({ orgId }, updateQuery, tx);
+      const decryptedLdapCfg = await getLdapCfg({ orgId }, tx);

-    return ldapConfig;
-  };
+      const isSoftDeletion = !decryptedLdapCfg.url && !decryptedLdapCfg.bindDN && !decryptedLdapCfg.bindPass;
+      if (!isSoftDeletion) {
+        const isConnected = await testLDAPConfig(decryptedLdapCfg);
+        if (!isConnected) {
+          throw new BadRequestError({
+            message:
+              "Failed to establish connection to LDAP directory. Please verify that your credentials are correct."
+          });
+        }
+      }

-  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }) => {
-    const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) {
-      throw new NotFoundError({
-        message: `Failed to find organization LDAP data in organization with ID '${filter.orgId}'`
-      });
-    }
-
-    const { decryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: ldapConfig.orgId
+      return updatedLdapCfg;
    });

-    let bindDN = "";
-    if (ldapConfig.encryptedLdapBindDN) {
-      bindDN = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindDN }).toString();
-    }
-
-    let bindPass = "";
-    if (ldapConfig.encryptedLdapBindPass) {
-      bindPass = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindPass }).toString();
-    }
-
-    let caCert = "";
-    if (ldapConfig.encryptedLdapCaCertificate) {
-      caCert = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapCaCertificate }).toString();
-    }
-
-    return {
-      id: ldapConfig.id,
-      organization: ldapConfig.orgId,
-      isActive: ldapConfig.isActive,
-      url: ldapConfig.url,
-      bindDN,
-      bindPass,
-      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
-      searchBase: ldapConfig.searchBase,
-      searchFilter: ldapConfig.searchFilter,
-      groupSearchBase: ldapConfig.groupSearchBase,
-      groupSearchFilter: ldapConfig.groupSearchFilter,
-      caCert
-    };
+    return config;
  };

  const getLdapCfgWithPermissionCheck = async ({
@@ -527,14 +557,13 @@ export const ldapConfigServiceFactory = ({
    });

    const isUserCompleted = Boolean(user.isAccepted);
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);

    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
        firstName,
        lastName,
@@ -694,7 +723,17 @@ export const ldapConfigServiceFactory = ({
    return deletedGroupMap;
  };

-  const testLDAPConnection = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TTestLdapConnectionDTO) => {
+  const testLDAPConnection = async ({
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId,
+    bindDN,
+    bindPass,
+    caCert,
+    url
+  }: TTestLdapConnectionDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);

@@ -704,11 +743,12 @@ export const ldapConfigServiceFactory = ({
        message: "Failed to test LDAP connection due to plan restriction. Upgrade plan to test the LDAP connection."
      });

-    const ldapConfig = await getLdapCfg({
-      orgId
+    return testLDAPConfig({
+      bindDN,
+      bindPass,
+      caCert,
+      url
    });
-
-    return testLDAPConfig(ldapConfig);
  };

  return {
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@@ -83,6 +83,4 @@ export type TDeleteLdapGroupMapDTO = {
  ldapGroupMapId: string;
 } & TOrgPermission;

-export type TTestLdapConnectionDTO = {
-  ldapConfigId: string;
-} & TOrgPermission;
+export type TTestLdapConnectionDTO = TOrgPermission & TTestLDAPConfigDTO;
--- a/backend/src/ee/services/license/mocks/license-fns.ts
+++ b/backend/src/ee/services/license/mocks/license-fns.ts
@@ -31,7 +31,8 @@ export const getDefaultOnPremFeatures = () => {
    caCrl: false,
    sshHostGroups: false,
    enterpriseSecretSyncs: false,
-    enterpriseAppConnections: false
+    enterpriseAppConnections: false,
+    machineIdentityAuthTemplates: false
  };
 };

--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@@ -60,7 +60,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  enterpriseSecretSyncs: false,
  enterpriseAppConnections: false,
  fips: false,
-  eventSubscriptions: false
+  eventSubscriptions: false,
+  machineIdentityAuthTemplates: false
 });

 export const setupLicenseRequestWithStore = (
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@@ -75,6 +75,7 @@ export type TFeatureSet = {
  secretScanning: false;
  enterpriseSecretSyncs: false;
  enterpriseAppConnections: false;
+  machineIdentityAuthTemplates: false;
  fips: false;
  eventSubscriptions: false;
 };
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -79,7 +79,7 @@ type TOidcConfigServiceFactoryDep = {
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
@@ -404,7 +404,6 @@ export const oidcConfigServiceFactory = ({

    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
    const isUserCompleted = Boolean(user.isAccepted);
    const providerAuthToken = crypto.jwt().sign(
      {
@@ -417,7 +416,7 @@ export const oidcConfigServiceFactory = ({
        organizationName: organization.name,
        organizationId: organization.id,
        organizationSlug: organization.slug,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
        authMethod: AuthMethod.OIDC,
        authType: UserAliasType.OIDC,
        isUserCompleted,
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -28,6 +28,15 @@ export enum OrgPermissionKmipActions {
  Setup = "setup"
 }

+export enum OrgPermissionMachineIdentityAuthTemplateActions {
+  ListTemplates = "list-templates",
+  EditTemplates = "edit-templates",
+  CreateTemplates = "create-templates",
+  DeleteTemplates = "delete-templates",
+  UnlinkTemplates = "unlink-templates",
+  AttachTemplates = "attach-templates"
+}
+
 export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }
@@ -88,6 +97,7 @@ export enum OrgPermissionSubjects {
  Identity = "identity",
  Kms = "kms",
  AdminConsole = "organization-admin-console",
+  MachineIdentityAuthTemplate = "machine-identity-auth-template",
  AuditLogs = "audit-logs",
  ProjectTemplates = "project-templates",
  AppConnections = "app-connections",
@@ -126,6 +136,7 @@ export type OrgPermissionSet =
      )
    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
+  | [OrgPermissionMachineIdentityAuthTemplateActions, OrgPermissionSubjects.MachineIdentityAuthTemplate]
  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];

@@ -237,6 +248,14 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
      "Describe what action an entity can take."
    )
  }),
+  z.object({
+    subject: z
+      .literal(OrgPermissionSubjects.MachineIdentityAuthTemplate)
+      .describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionMachineIdentityAuthTemplateActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Gateway).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionGatewayActions).describe(
@@ -350,6 +369,25 @@ const buildAdminPermission = () => {
  // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
  can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);

+  can(OrgPermissionMachineIdentityAuthTemplateActions.ListTemplates, OrgPermissionSubjects.MachineIdentityAuthTemplate);
+  can(OrgPermissionMachineIdentityAuthTemplateActions.EditTemplates, OrgPermissionSubjects.MachineIdentityAuthTemplate);
+  can(
+    OrgPermissionMachineIdentityAuthTemplateActions.CreateTemplates,
+    OrgPermissionSubjects.MachineIdentityAuthTemplate
+  );
+  can(
+    OrgPermissionMachineIdentityAuthTemplateActions.DeleteTemplates,
+    OrgPermissionSubjects.MachineIdentityAuthTemplate
+  );
+  can(
+    OrgPermissionMachineIdentityAuthTemplateActions.UnlinkTemplates,
+    OrgPermissionSubjects.MachineIdentityAuthTemplate
+  );
+  can(
+    OrgPermissionMachineIdentityAuthTemplateActions.AttachTemplates,
+    OrgPermissionSubjects.MachineIdentityAuthTemplate
+  );
+
  can(OrgPermissionSecretShareAction.ManageSettings, OrgPermissionSubjects.SecretShare);

  return rules;
@@ -385,6 +423,16 @@ const buildMemberPermission = () => {
  can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);

+  can(OrgPermissionMachineIdentityAuthTemplateActions.ListTemplates, OrgPermissionSubjects.MachineIdentityAuthTemplate);
+  can(
+    OrgPermissionMachineIdentityAuthTemplateActions.UnlinkTemplates,
+    OrgPermissionSubjects.MachineIdentityAuthTemplate
+  );
+  can(
+    OrgPermissionMachineIdentityAuthTemplateActions.AttachTemplates,
+    OrgPermissionSubjects.MachineIdentityAuthTemplate
+  );
+
  return rules;
 };

--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -411,7 +411,6 @@ export const samlConfigServiceFactory = ({
    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified);
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
@@ -424,7 +423,7 @@ export const samlConfigServiceFactory = ({
        organizationId: organization.id,
        organizationSlug: organization.slug,
        authMethod: authProvider,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
        authType: UserAliasType.SAML,
        isUserCompleted,
        ...(relayState
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -59,7 +59,7 @@ type TScimServiceFactoryDep = {
    TOrgMembershipDALFactory,
    "find" | "findOne" | "create" | "updateById" | "findById" | "update"
  >;
-  projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser" | "findById">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
  groupDAL: Pick<
    TGroupDALFactory,
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -18,6 +18,7 @@ import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/

 export enum ApiDocsTags {
  Identities = "Identities",
+  IdentityTemplates = "Identity Templates",
  TokenAuth = "Token Auth",
  UniversalAuth = "Universal Auth",
  GcpAuth = "GCP Auth",
@@ -69,7 +70,8 @@ export enum ApiDocsTags {
  SecretScanning = "Secret Scanning",
  OidcSso = "OIDC SSO",
  SamlSso = "SAML SSO",
-  LdapSso = "LDAP SSO"
+  LdapSso = "LDAP SSO",
+  Events = "Event Subscriptions"
 }

 export const GROUPS = {
@@ -214,6 +216,7 @@ export const LDAP_AUTH = {
    password: "The password of the LDAP user to login."
  },
  ATTACH: {
+    templateId: "The ID of the identity auth template to attach the configuration onto.",
    identityId: "The ID of the identity to attach the configuration onto.",
    url: "The URL of the LDAP server.",
    allowedFields:
@@ -240,7 +243,8 @@ export const LDAP_AUTH = {
    accessTokenTTL: "The new lifetime for an access token in seconds.",
    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
-    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
+    templateId: "The ID of the identity auth template to update the configuration to."
  },
  RETRIEVE: {
    identityId: "The ID of the identity to retrieve the configuration for."
@@ -2869,3 +2873,10 @@ export const LdapSso = {
    caCert: "The CA certificate to use when verifying the LDAP server certificate."
  }
 };
+
+export const EventSubscriptions = {
+  SUBSCRIBE_PROJECT_EVENTS: {
+    projectId: "The ID of the project to subscribe to events for.",
+    register: "List of events you want to subscribe to"
+  }
+};
--- a/backend/src/lib/crypto/secret-encryption.ts
+++ b/backend/src/lib/crypto/secret-encryption.ts
@@ -53,7 +53,7 @@ type DecryptedIntegrationAuths = z.infer<typeof DecryptedIntegrationAuthsSchema>

 type TLatestKey = TProjectKeys & {
  sender: {
-    publicKey: string;
+    publicKey?: string;
  };
 };

@@ -91,6 +91,10 @@ const getDecryptedValues = (data: Array<{ ciphertext: string; iv: string; tag: s
  return results;
 };
 export const decryptSecrets = (encryptedSecrets: TSecrets[], privateKey: string, latestKey: TLatestKey) => {
+  if (!latestKey.sender.publicKey) {
+    throw new Error("Latest key sender public key not found");
+  }
+
  const key = crypto.encryption().asymmetric().decrypt({
    ciphertext: latestKey.encryptedKey,
    nonce: latestKey.nonce,
@@ -143,6 +147,10 @@ export const decryptSecretVersions = (
  privateKey: string,
  latestKey: TLatestKey
 ) => {
+  if (!latestKey.sender.publicKey) {
+    throw new Error("Latest key sender public key not found");
+  }
+
  const key = crypto.encryption().asymmetric().decrypt({
    ciphertext: latestKey.encryptedKey,
    nonce: latestKey.nonce,
@@ -195,6 +203,10 @@ export const decryptSecretApprovals = (
  privateKey: string,
  latestKey: TLatestKey
 ) => {
+  if (!latestKey.sender.publicKey) {
+    throw new Error("Latest key sender public key not found");
+  }
+
  const key = crypto.encryption().asymmetric().decrypt({
    ciphertext: latestKey.encryptedKey,
    nonce: latestKey.nonce,
@@ -247,6 +259,10 @@ export const decryptIntegrationAuths = (
  privateKey: string,
  latestKey: TLatestKey
 ) => {
+  if (!latestKey.sender.publicKey) {
+    throw new Error("Latest key sender public key not found");
+  }
+
  const key = crypto.encryption().asymmetric().decrypt({
    ciphertext: latestKey.encryptedKey,
    nonce: latestKey.nonce,
--- a/backend/src/lib/crypto/srp.ts
+++ b/backend/src/lib/crypto/srp.ts
@@ -4,6 +4,7 @@ import jsrp from "jsrp";
 import { TUserEncryptionKeys } from "@app/db/schemas";
 import { UserEncryption } from "@app/services/user/user-types";

+import { BadRequestError } from "../errors";
 import { crypto, SymmetricKeySize } from "./cryptography";

 export const generateSrpServerKey = async (salt: string, verifier: string) => {
@@ -127,6 +128,10 @@ export const getUserPrivateKey = async (
  >
 ) => {
  if (user.encryptionVersion === UserEncryption.V1) {
+    if (!user.encryptedPrivateKey || !user.iv || !user.tag || !user.salt) {
+      throw new BadRequestError({ message: "User encrypted private key not found" });
+    }
+
    return crypto
      .encryption()
      .symmetric()
@@ -138,12 +143,25 @@ export const getUserPrivateKey = async (
        keySize: SymmetricKeySize.Bits128
      });
  }
+  // still used for legacy things
  if (
    user.encryptionVersion === UserEncryption.V2 &&
    user.protectedKey &&
    user.protectedKeyIV &&
    user.protectedKeyTag
  ) {
+    if (
+      !user.salt ||
+      !user.protectedKey ||
+      !user.protectedKeyIV ||
+      !user.protectedKeyTag ||
+      !user.encryptedPrivateKey ||
+      !user.iv ||
+      !user.tag
+    ) {
+      throw new BadRequestError({ message: "User encrypted private key not found" });
+    }
+
    const derivedKey = await argon2.hash(password, {
      salt: Buffer.from(user.salt),
      memoryCost: 65536,
--- a/backend/src/lib/fn/string.ts
+++ b/backend/src/lib/fn/string.ts
@@ -19,3 +19,17 @@ export const prefixWithSlash = (str: string) => {
 const vowelRegex = new RE2(/^[aeiou]/i);

 export const startsWithVowel = (str: string) => vowelRegex.test(str);
+
+const pickWordsRegex = new RE2(/(\W+)/);
+export const sanitizeString = (dto: { unsanitizedString: string; tokens: string[] }) => {
+  const words = dto.unsanitizedString.split(pickWordsRegex);
+
+  const redactionSet = new Set(dto.tokens.filter(Boolean));
+  const sanitizedWords = words.map((el) => {
+    if (redactionSet.has(el)) {
+      return "[REDACTED]";
+    }
+    return el;
+  });
+  return sanitizedWords.join("");
+};
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -45,6 +45,8 @@ import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { HsmModule } from "@app/ee/services/hsm/hsm-types";
+import { identityAuthTemplateDALFactory } from "@app/ee/services/identity-auth-template/identity-auth-template-dal";
+import { identityAuthTemplateServiceFactory } from "@app/ee/services/identity-auth-template/identity-auth-template-service";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
@@ -394,6 +396,7 @@ export const registerRoutes = async (
  const identityProjectDAL = identityProjectDALFactory(db);
  const identityProjectMembershipRoleDAL = identityProjectMembershipRoleDALFactory(db);
  const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);
+  const identityAuthTemplateDAL = identityAuthTemplateDALFactory(db);

  const identityTokenAuthDAL = identityTokenAuthDALFactory(db);
  const identityUaDAL = identityUaDALFactory(db);
@@ -772,7 +775,6 @@ export const registerRoutes = async (
    orgRoleDAL,
    permissionService,
    orgDAL,
-    projectBotDAL,
    incidentContactDAL,
    tokenService,
    projectUserAdditionalPrivilegeDAL,
@@ -847,9 +849,6 @@ export const registerRoutes = async (
    projectDAL,
    permissionService,
    projectUserMembershipRoleDAL,
-    userDAL,
-    projectBotDAL,
-    projectKeyDAL,
    projectMembershipDAL
  });

@@ -1135,11 +1134,9 @@ export const registerRoutes = async (
    projectBotService,
    identityProjectDAL,
    identityOrgMembershipDAL,
-    projectKeyDAL,
    userDAL,
    projectEnvDAL,
    orgDAL,
-    orgService,
    projectMembershipDAL,
    projectRoleDAL,
    folderDAL,
@@ -1159,7 +1156,6 @@ export const registerRoutes = async (
    identityProjectMembershipRoleDAL,
    keyStore,
    kmsService,
-    projectBotDAL,
    certificateTemplateDAL,
    projectSlackConfigDAL,
    slackIntegrationDAL,
@@ -1461,6 +1457,15 @@ export const registerRoutes = async (
    identityMetadataDAL
  });

+  const identityAuthTemplateService = identityAuthTemplateServiceFactory({
+    identityAuthTemplateDAL,
+    identityLdapAuthDAL,
+    permissionService,
+    kmsService,
+    licenseService,
+    auditLogService
+  });
+
  const identityAccessTokenService = identityAccessTokenServiceFactory({
    identityAccessTokenDAL,
    identityOrgMembershipDAL,
@@ -1604,7 +1609,8 @@ export const registerRoutes = async (
    identityAccessTokenDAL,
    identityOrgMembershipDAL,
    licenseService,
-    identityDAL
+    identityDAL,
+    identityAuthTemplateDAL
  });

  const dynamicSecretProviders = buildDynamicSecretProviders({
@@ -2008,6 +2014,7 @@ export const registerRoutes = async (
    webhook: webhookService,
    serviceToken: serviceTokenService,
    identity: identityService,
+    identityAuthTemplate: identityAuthTemplateService,
    identityAccessToken: identityAccessTokenService,
    identityProject: identityProjectService,
    identityTokenAuth: identityTokenAuthService,
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import { z } from "zod";

 import { SecretFoldersSchema, SecretImportsSchema, UsersSchema } from "@app/db/schemas";
+import { RemindersSchema } from "@app/db/schemas/reminders";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionSecretActions } from "@app/ee/services/permission/project-permission";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -628,7 +629,10 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
              secretValueHidden: z.boolean(),
              secretPath: z.string().optional(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SanitizedTagSchema.array().optional(),
+              reminder: RemindersSchema.extend({
+                recipients: z.string().array().optional()
+              }).nullish()
            })
            .array()
            .optional(),
@@ -706,7 +710,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {

      let imports: Awaited<ReturnType<typeof server.services.secretImport.getImports>> | undefined;
      let folders: Awaited<ReturnType<typeof server.services.folder.getFolders>> | undefined;
-      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"] | undefined;
+      let secrets:
+        | (Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"][number] & {
+            reminder: Awaited<ReturnType<typeof server.services.reminder.getRemindersForDashboard>>[string] | null;
+          })[]
+        | undefined;
      let dynamicSecrets: Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByEnv>> | undefined;
      let secretRotations:
        | Awaited<ReturnType<typeof server.services.secretRotationV2.getDashboardSecretRotations>>
@@ -904,7 +912,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          });

          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
-            secrets = (
+            const rawSecrets = (
              await server.services.secret.getSecretsRaw({
                actorId: req.permission.id,
                actor: req.permission.type,
@@ -925,6 +933,15 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
                includeMetadataInSearch: true
              })
            ).secrets;
+
+            const reminders = await server.services.reminder.getRemindersForDashboard(
+              rawSecrets.map((secret) => secret.id)
+            );
+
+            secrets = rawSecrets.map((secret) => ({
+              ...secret,
+              reminder: reminders[secret.id] ?? null
+            }));
          }
        }
      } catch (error) {
--- a/backend/src/server/routes/v1/event-router.ts
+++ b/backend/src/server/routes/v1/event-router.ts
@@ -7,6 +7,7 @@ import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { getServerSentEventsHeaders } from "@app/ee/services/event/event-sse-stream";
 import { EventRegisterSchema } from "@app/ee/services/event/types";
 import { ProjectPermissionSecretActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ApiDocsTags, EventSubscriptions } from "@app/lib/api-docs";
 import { BadRequestError, ForbiddenRequestError, RateLimitError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -20,10 +21,14 @@ export const registerEventRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Events],
+      description: "Subscribe to project events",
      body: z.object({
-        projectId: z.string().trim(),
-        register: z.array(EventRegisterSchema).max(10)
-      })
+        projectId: z.string().trim().describe(EventSubscriptions.SUBSCRIBE_PROJECT_EVENTS.projectId),
+        register: z.array(EventRegisterSchema).min(1).max(10)
+      }),
+      produces: ["text/event-stream"]
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req, reply) => {
@@ -75,13 +80,15 @@ export const registerEventRouter = async (server: FastifyZodProvider) => {
            }

            req.body.register.forEach((r) => {
+              const fields = {
+                environment: r.conditions?.environmentSlug ?? "",
+                secretPath: r.conditions?.secretPath ?? "/",
+                eventType: r.event
+              };
+
              const allowed = info.permission.can(
                ProjectPermissionSecretActions.Subscribe,
-                subject(ProjectPermissionSub.Secrets, {
-                  environment: r.conditions?.environmentSlug ?? "",
-                  secretPath: r.conditions?.secretPath ?? "/",
-                  eventType: r.event
-                })
+                subject(ProjectPermissionSub.Secrets, fields)
              );

              if (!allowed) {
@@ -89,9 +96,9 @@ export const registerEventRouter = async (server: FastifyZodProvider) => {
                  name: "PermissionDenied",
                  message: `You are not allowed to subscribe on secrets`,
                  details: {
-                    event: r.event,
-                    environmentSlug: r.conditions?.environmentSlug,
-                    secretPath: r.conditions?.secretPath ?? "/"
+                    event: fields.eventType,
+                    environmentSlug: fields.environment,
+                    secretPath: fields.secretPath
                  }
                });
              }
--- a/backend/src/server/routes/v1/identity-ldap-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-ldap-auth-router.ts
@@ -200,49 +200,104 @@ export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider)
      params: z.object({
        identityId: z.string().trim().describe(LDAP_AUTH.ATTACH.identityId)
      }),
-      body: z
-        .object({
-          url: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.url),
-          bindDN: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.bindDN),
-          bindPass: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.bindPass),
-          searchBase: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.searchBase),
-          searchFilter: z
-            .string()
-            .trim()
-            .min(1)
-            .default("(uid={{username}})")
-            .refine(isValidLdapFilter, "Invalid LDAP search filter")
-            .describe(LDAP_AUTH.ATTACH.searchFilter),
-          allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.ATTACH.allowedFields),
-          ldapCaCertificate: z.string().trim().optional().describe(LDAP_AUTH.ATTACH.ldapCaCertificate),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-            .describe(LDAP_AUTH.ATTACH.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(LDAP_AUTH.ATTACH.accessTokenTTL),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(1)
-            .max(315360000)
-            .default(2592000)
-            .describe(LDAP_AUTH.ATTACH.accessTokenMaxTTL),
-          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(LDAP_AUTH.ATTACH.accessTokenNumUsesLimit)
-        })
-        .refine(
-          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.union([
+        // Template-based configuration
+        z
+          .object({
+            templateId: z.string().trim().describe(LDAP_AUTH.ATTACH.templateId),
+            searchFilter: z
+              .string()
+              .trim()
+              .min(1)
+              .default("(uid={{username}})")
+              .refine(isValidLdapFilter, "Invalid LDAP search filter")
+              .describe(LDAP_AUTH.ATTACH.searchFilter),
+            allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.ATTACH.allowedFields),
+            ldapCaCertificate: z.string().trim().optional().describe(LDAP_AUTH.ATTACH.ldapCaCertificate),
+            accessTokenTrustedIps: z
+              .object({
+                ipAddress: z.string().trim()
+              })
+              .array()
+              .min(1)
+              .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+              .describe(LDAP_AUTH.ATTACH.accessTokenTrustedIps),
+            accessTokenTTL: z
+              .number()
+              .int()
+              .min(0)
+              .max(315360000)
+              .default(2592000)
+              .describe(LDAP_AUTH.ATTACH.accessTokenTTL),
+            accessTokenMaxTTL: z
+              .number()
+              .int()
+              .min(1)
+              .max(315360000)
+              .default(2592000)
+              .describe(LDAP_AUTH.ATTACH.accessTokenMaxTTL),
+            accessTokenNumUsesLimit: z
+              .number()
+              .int()
+              .min(0)
+              .default(0)
+              .describe(LDAP_AUTH.ATTACH.accessTokenNumUsesLimit)
+          })
+          .refine(
+            (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+            "Access Token TTL cannot be greater than Access Token Max TTL."
+          ),
+
+        // Manual configuration
+        z
+          .object({
+            url: z.string().trim().describe(LDAP_AUTH.ATTACH.url),
+            bindDN: z.string().trim().describe(LDAP_AUTH.ATTACH.bindDN),
+            bindPass: z.string().trim().describe(LDAP_AUTH.ATTACH.bindPass),
+            searchBase: z.string().trim().describe(LDAP_AUTH.ATTACH.searchBase),
+            searchFilter: z
+              .string()
+              .trim()
+              .min(1)
+              .default("(uid={{username}})")
+              .refine(isValidLdapFilter, "Invalid LDAP search filter")
+              .describe(LDAP_AUTH.ATTACH.searchFilter),
+            allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.ATTACH.allowedFields),
+            ldapCaCertificate: z.string().trim().optional().describe(LDAP_AUTH.ATTACH.ldapCaCertificate),
+            accessTokenTrustedIps: z
+              .object({
+                ipAddress: z.string().trim()
+              })
+              .array()
+              .min(1)
+              .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+              .describe(LDAP_AUTH.ATTACH.accessTokenTrustedIps),
+            accessTokenTTL: z
+              .number()
+              .int()
+              .min(0)
+              .max(315360000)
+              .default(2592000)
+              .describe(LDAP_AUTH.ATTACH.accessTokenTTL),
+            accessTokenMaxTTL: z
+              .number()
+              .int()
+              .min(1)
+              .max(315360000)
+              .default(2592000)
+              .describe(LDAP_AUTH.ATTACH.accessTokenMaxTTL),
+            accessTokenNumUsesLimit: z
+              .number()
+              .int()
+              .min(0)
+              .default(0)
+              .describe(LDAP_AUTH.ATTACH.accessTokenNumUsesLimit)
+          })
+          .refine(
+            (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+            "Access Token TTL cannot be greater than Access Token Max TTL."
+          )
+      ]),
      response: {
        200: z.object({
          identityLdapAuth: IdentityLdapAuthsSchema.omit({
@@ -275,7 +330,8 @@ export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider)
            accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL,
            accessTokenTTL: identityLdapAuth.accessTokenTTL,
            accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
-            allowedFields: req.body.allowedFields
+            allowedFields: req.body.allowedFields,
+            templateId: identityLdapAuth.templateId
          }
        }
      });
@@ -309,6 +365,7 @@ export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider)
          bindDN: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.bindDN),
          bindPass: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.bindPass),
          searchBase: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.searchBase),
+          templateId: z.string().trim().optional().describe(LDAP_AUTH.UPDATE.templateId),
          searchFilter: z
            .string()
            .trim()
@@ -376,7 +433,8 @@ export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider)
            accessTokenTTL: identityLdapAuth.accessTokenTTL,
            accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
            accessTokenTrustedIps: identityLdapAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            allowedFields: req.body.allowedFields
+            allowedFields: req.body.allowedFields,
+            templateId: identityLdapAuth.templateId
          }
        }
      });
@@ -413,7 +471,8 @@ export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider)
          }).extend({
            bindDN: z.string(),
            bindPass: z.string(),
-            ldapCaCertificate: z.string().optional()
+            ldapCaCertificate: z.string().optional(),
+            templateId: z.string().optional().nullable()
          })
        })
      }
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -247,7 +247,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
                lastName: true,
                id: true,
                superAdmin: true
-              }).merge(z.object({ publicKey: z.string().nullable() }))
+              }).merge(z.object({ publicKey: z.string().nullable().optional() }))
            })
          )
            .omit({ createdAt: true, updatedAt: true })
--- a/backend/src/server/routes/v1/password-router.ts
+++ b/backend/src/server/routes/v1/password-router.ts
@@ -9,73 +9,6 @@ import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { UserEncryption } from "@app/services/user/user-types";

 export const registerPasswordRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/srp1",
-    config: {
-      rateLimit: authRateLimit
-    },
-    schema: {
-      body: z.object({
-        clientPublicKey: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          serverPublicKey: z.string(),
-          salt: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { salt, serverPublicKey } = await server.services.password.generateServerPubKey(
-        req.permission.id,
-        req.body.clientPublicKey
-      );
-      return { salt, serverPublicKey };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/change-password",
-    config: {
-      rateLimit: authRateLimit
-    },
-    schema: {
-      body: z.object({
-        clientProof: z.string().trim(),
-        protectedKey: z.string().trim(),
-        protectedKeyIV: z.string().trim(),
-        protectedKeyTag: z.string().trim(),
-        encryptedPrivateKey: z.string().trim(),
-        encryptedPrivateKeyIV: z.string().trim(),
-        encryptedPrivateKeyTag: z.string().trim(),
-        salt: z.string().trim(),
-        verifier: z.string().trim(),
-        password: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req, res) => {
-      const appCfg = getConfig();
-      await server.services.password.changePassword({ ...req.body, userId: req.permission.id });
-
-      void res.cookie("jid", "", {
-        httpOnly: true,
-        path: "/",
-        sameSite: "strict",
-        secure: appCfg.HTTPS_ENABLED
-      });
-      return { message: "Successfully changed password" };
-    }
-  });
-
  server.route({
    method: "POST",
    url: "/email/password-reset",
@@ -131,41 +64,6 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    }
  });

-  server.route({
-    method: "POST",
-    url: "/backup-private-key",
-    config: {
-      rateLimit: authRateLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      body: z.object({
-        clientProof: z.string().trim(),
-        encryptedPrivateKey: z.string().trim(),
-        iv: z.string().trim(),
-        tag: z.string().trim(),
-        salt: z.string().trim(),
-        verifier: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          message: z.string(),
-          backupPrivateKey: BackupPrivateKeySchema.omit({ verifier: true })
-        })
-      }
-    },
-    handler: async (req) => {
-      const token = validateSignUpAuthorization(req.headers.authorization as string, "", false)!;
-      const backupPrivateKey = await server.services.password.createBackupPrivateKey({
-        ...req.body,
-        userId: token.userId
-      });
-      if (!backupPrivateKey) throw new Error("Failed to create backup key");
-
-      return { message: "Successfully updated backup private key", backupPrivateKey };
-    }
-  });
-
  server.route({
    method: "GET",
    url: "/backup-private-key",
@@ -257,14 +155,6 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        protectedKey: z.string().trim(),
-        protectedKeyIV: z.string().trim(),
-        protectedKeyTag: z.string().trim(),
-        encryptedPrivateKey: z.string().trim(),
-        encryptedPrivateKeyIV: z.string().trim(),
-        encryptedPrivateKeyTag: z.string().trim(),
-        salt: z.string().trim(),
-        verifier: z.string().trim(),
        password: z.string().trim(),
        token: z.string().trim()
      }),
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -52,7 +52,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          publicKeys: z
            .object({
-              publicKey: z.string().optional(),
+              publicKey: z.string().nullable().optional(),
              userId: z.string()
            })
            .array()
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@@ -1,6 +1,6 @@
 import { z } from "zod";

-import { UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -19,23 +19,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    schema: {
      response: {
        200: z.object({
-          user: UsersSchema.merge(
-            UserEncryptionKeysSchema.pick({
-              clientPublicKey: true,
-              serverPrivateKey: true,
-              encryptionVersion: true,
-              protectedKey: true,
-              protectedKeyIV: true,
-              protectedKeyTag: true,
-              publicKey: true,
-              encryptedPrivateKey: true,
-              iv: true,
-              tag: true,
-              salt: true,
-              verifier: true,
-              userId: true
-            })
-          )
+          user: UsersSchema.extend({
+            encryptionVersion: z.number()
+          })
        })
      }
    },
@@ -94,26 +80,6 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    }
  });

-  server.route({
-    method: "GET",
-    url: "/private-key",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          privateKey: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
-    handler: async (req) => {
-      const privateKey = await server.services.user.getUserPrivateKey(req.permission.id);
-      return { privateKey };
-    }
-  });
-
  server.route({
    method: "GET",
    url: "/:userId/unlock",
--- a/backend/src/server/routes/v2/mfa-router.ts
+++ b/backend/src/server/routes/v2/mfa-router.ts
@@ -97,13 +97,13 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          encryptionVersion: z.number().default(1).nullable().optional(),
-          protectedKey: z.string().nullable(),
-          protectedKeyIV: z.string().nullable(),
-          protectedKeyTag: z.string().nullable(),
-          publicKey: z.string(),
-          encryptedPrivateKey: z.string(),
-          iv: z.string(),
-          tag: z.string(),
+          protectedKey: z.string().nullish(),
+          protectedKeyIV: z.string().nullish(),
+          protectedKeyTag: z.string().nullish(),
+          publicKey: z.string().nullish(),
+          encryptedPrivateKey: z.string().nullish(),
+          iv: z.string().nullish(),
+          tag: z.string().nullish(),
          token: z.string()
        })
      }
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -153,7 +153,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
              firstName: true,
              lastName: true,
              id: true
-            }).extend({ publicKey: z.string().nullable() })
+            }).extend({ publicKey: z.string().nullish() })
          }).omit({ createdAt: true, updatedAt: true })
        })
      }
--- a/backend/src/server/routes/v2/password-router.ts
+++ b/backend/src/server/routes/v2/password-router.ts
@@ -1,5 +1,6 @@
 import { z } from "zod";

+import { getConfig } from "@app/lib/config/env";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { validatePasswordResetAuthorization } from "@app/services/auth/auth-fns";
@@ -41,13 +42,38 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
      rateLimit: authRateLimit
    },
    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
-    handler: async (req) => {
+    handler: async (req, res) => {
+      const appCfg = getConfig();
+
      await server.services.password.resetPasswordV2({
        type: ResetPasswordV2Type.LoggedInReset,
        userId: req.permission.id,
        newPassword: req.body.newPassword,
        oldPassword: req.body.oldPassword
      });
+
+      void res.cookie("jid", "", {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED
+      });
+
+      void res.cookie("infisical-project-assume-privileges", "", {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED,
+        maxAge: 0
+      });
+
+      void res.cookie("aod", "", {
+        httpOnly: false,
+        path: "/",
+        sameSite: "lax",
+        secure: appCfg.HTTPS_ENABLED,
+        maxAge: 0
+      });
    }
  });
 };
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -52,7 +52,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: ProjectKeysSchema.merge(
          z.object({
            sender: z.object({
-              publicKey: z.string()
+              publicKey: z.string().optional()
            })
          })
        )
@@ -283,6 +283,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
+      description: "Get project details by slug",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
        slug: slugSchema({ max: 36 }).describe("The slug of the project to get.")
      }),
--- a/backend/src/server/routes/v3/external-migration-router.ts
+++ b/backend/src/server/routes/v3/external-migration-router.ts
@@ -19,7 +19,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const data = await req.file({
        limits: {
@@ -69,7 +69,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
        mappingType: z.nativeEnum(VaultMappingType)
      })
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      await server.services.migration.importVaultData({
        actorId: req.permission.id,
--- a/backend/src/server/routes/v3/login-router.ts
+++ b/backend/src/server/routes/v3/login-router.ts
@@ -20,8 +20,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          serverPublicKey: z.string(),
-          salt: z.string()
+          serverPublicKey: z.string().nullish(),
+          salt: z.string().nullish()
        })
      }
    },
@@ -124,14 +124,14 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          encryptionVersion: z.number().default(1).nullable().optional(),
-          protectedKey: z.string().nullable(),
-          protectedKeyIV: z.string().nullable(),
-          protectedKeyTag: z.string().nullable(),
-          publicKey: z.string(),
-          encryptedPrivateKey: z.string(),
-          iv: z.string(),
-          tag: z.string(),
+          encryptionVersion: z.number().default(1).nullish(),
+          protectedKey: z.string().nullish(),
+          protectedKeyIV: z.string().nullish(),
+          protectedKeyTag: z.string().nullish(),
+          publicKey: z.string().nullish(),
+          encryptedPrivateKey: z.string().nullish(),
+          iv: z.string().nullish(),
+          tag: z.string().nullish(),
          token: z.string()
        })
      }
@@ -181,4 +181,59 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
      } as const;
    }
  });
+
+  // New login route that doesn't use SRP
+  server.route({
+    method: "POST",
+    url: "/login",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        email: z.string().trim(),
+        password: z.string().trim(),
+        providerAuthToken: z.string().trim().optional(),
+        captchaToken: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string()
+        })
+      }
+    },
+    handler: async (req, res) => {
+      const userAgent = req.headers["user-agent"];
+      if (!userAgent) throw new Error("user agent header is required");
+
+      const { tokens } = await server.services.login.login({
+        email: req.body.email,
+        password: req.body.password,
+        ip: req.realIp,
+        userAgent,
+        providerAuthToken: req.body.providerAuthToken,
+        captchaToken: req.body.captchaToken
+      });
+      const appCfg = getConfig();
+
+      void res.setCookie("jid", tokens.refreshToken, {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED
+      });
+
+      addAuthOriginDomainCookie(res);
+
+      void res.cookie("infisical-project-assume-privileges", "", {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED,
+        maxAge: 0
+      });
+
+      return { accessToken: tokens.accessToken };
+    }
+  });
 };
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@@ -98,15 +98,6 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
          email: z.string().trim(),
          firstName: z.string().trim(),
          lastName: z.string().trim().optional(),
-          protectedKey: z.string().trim(),
-          protectedKeyIV: z.string().trim(),
-          protectedKeyTag: z.string().trim(),
-          publicKey: z.string().trim(),
-          encryptedPrivateKey: z.string().trim(),
-          encryptedPrivateKeyIV: z.string().trim(),
-          encryptedPrivateKeyTag: z.string().trim(),
-          salt: z.string().trim(),
-          verifier: z.string().trim(),
          providerAuthToken: z.string().trim().optional().nullish(),
          attributionSource: z.string().trim().optional(),
          password: z.string()
@@ -189,15 +180,6 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        password: z.string(),
        firstName: z.string().trim(),
        lastName: z.string().trim().optional(),
-        protectedKey: z.string().trim(),
-        protectedKeyIV: z.string().trim(),
-        protectedKeyTag: z.string().trim(),
-        publicKey: z.string().trim(),
-        encryptedPrivateKey: z.string().trim(),
-        encryptedPrivateKeyIV: z.string().trim(),
-        encryptedPrivateKeyTag: z.string().trim(),
-        salt: z.string().trim(),
-        verifier: z.string().trim(),
        tokenMetadata: z.string().optional()
      }),
      response: {
--- a/backend/src/services/app-connection/shared/sql/sql-connection-fns.ts
+++ b/backend/src/services/app-connection/shared/sql/sql-connection-fns.ts
@@ -44,7 +44,8 @@ const getConnectionConfig = ({
          ? {
              trustServerCertificate: !sslRejectUnauthorized,
              encrypt: true,
-              cryptoCredentialsDetails: sslCertificate ? { ca: sslCertificate } : {}
+              cryptoCredentialsDetails: sslCertificate ? { ca: sslCertificate } : {},
+              servername: host
            }
          : { encrypt: false }
      };
--- a/backend/src/services/auth/auth-fns.ts
+++ b/backend/src/services/auth/auth-fns.ts
@@ -1,8 +1,16 @@
+import { TUsers } from "@app/db/schemas";
+import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto";
-import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";

-import { AuthModeProviderJwtTokenPayload, AuthModeProviderSignUpTokenPayload, AuthTokenType } from "./auth-type";
+import {
+  AuthMethod,
+  AuthModeProviderJwtTokenPayload,
+  AuthModeProviderSignUpTokenPayload,
+  AuthTokenType
+} from "./auth-type";

 export const validateProviderAuthToken = (providerToken: string, username?: string) => {
  if (!providerToken) throw new UnauthorizedError();
@@ -97,3 +105,50 @@ export const enforceUserLockStatus = (isLocked: boolean, temporaryLockDateEnd?:
    }
  }
 };
+
+export const verifyCaptcha = async (user: TUsers, captchaToken?: string) => {
+  const appCfg = getConfig();
+  if (
+    user.consecutiveFailedPasswordAttempts &&
+    user.consecutiveFailedPasswordAttempts >= 10 &&
+    Boolean(appCfg.CAPTCHA_SECRET)
+  ) {
+    if (!captchaToken) {
+      throw new BadRequestError({
+        name: "Captcha Required",
+        message: "Accomplish the required captcha by logging in via Web"
+      });
+    }
+
+    // validate captcha token
+    const response = await request.postForm<{ success: boolean }>("https://api.hcaptcha.com/siteverify", {
+      response: captchaToken,
+      secret: appCfg.CAPTCHA_SECRET
+    });
+
+    if (!response.data.success) {
+      throw new BadRequestError({
+        name: "Invalid Captcha"
+      });
+    }
+  }
+};
+
+export const getAuthMethodAndOrgId = (email: string, providerAuthToken?: string) => {
+  let authMethod = AuthMethod.EMAIL;
+  let organizationId: string | undefined;
+
+  if (providerAuthToken) {
+    const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
+
+    authMethod = decodedProviderToken.authMethod;
+    if (
+      (isAuthMethodSaml(authMethod) || [AuthMethod.LDAP, AuthMethod.OIDC].includes(authMethod)) &&
+      decodedProviderToken.orgId
+    ) {
+      organizationId = decodedProviderToken.orgId;
+    }
+  }
+
+  return { authMethod, organizationId };
+};
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -4,7 +4,6 @@ import { OrgMembershipRole, OrgMembershipStatus, TableName, TUsers, UserDeviceSc
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
-import { request } from "@app/lib/config/request";
 import { crypto, generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
 import { getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, DatabaseError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
@@ -22,7 +21,8 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { LoginMethod } from "../super-admin/super-admin-types";
 import { TTotpServiceFactory } from "../totp/totp-service";
 import { TUserDALFactory } from "../user/user-dal";
-import { enforceUserLockStatus, validateProviderAuthToken } from "./auth-fns";
+import { UserEncryption } from "../user/user-types";
+import { enforceUserLockStatus, getAuthMethodAndOrgId, validateProviderAuthToken, verifyCaptcha } from "./auth-fns";
 import {
  TLoginClientProofDTO,
  TLoginGenServerPublicKeyDTO,
@@ -148,9 +148,15 @@ export const authLoginServiceFactory = ({

    if (organizationId) {
      const org = await orgDAL.findById(organizationId);
-      if (org && org.userTokenExpiration) {
-        tokenSessionExpiresIn = getMinExpiresIn(cfg.JWT_AUTH_LIFETIME, org.userTokenExpiration);
-        refreshTokenExpiresIn = org.userTokenExpiration;
+      if (org) {
+        await orgMembershipDAL.update(
+          { userId: user.id, orgId: org.id },
+          { lastLoginAuthMethod: authMethod, lastLoginTime: new Date() }
+        );
+        if (org.userTokenExpiration) {
+          tokenSessionExpiresIn = getMinExpiresIn(cfg.JWT_AUTH_LIFETIME, org.userTokenExpiration);
+          refreshTokenExpiresIn = org.userTokenExpiration;
+        }
      }
    }

@@ -208,6 +214,10 @@ export const authLoginServiceFactory = ({
      throw new Error("Failed to find user");
    }

+    if (!userEnc.salt || !userEnc.verifier) {
+      throw new BadRequestError({ message: "Salt or verifier not found" });
+    }
+
    if (
      serverCfg.enabledLoginMethods &&
      !serverCfg.enabledLoginMethods.includes(LoginMethod.EMAIL) &&
@@ -247,8 +257,6 @@ export const authLoginServiceFactory = ({
    captchaToken,
    password
  }: TLoginClientProofDTO) => {
-    const appCfg = getConfig();
-
    // akhilmhdh: case sensitive email resolution
    const usersByUsername = await userDAL.findUserEncKeyByUsername({
      username: email
@@ -259,44 +267,11 @@ export const authLoginServiceFactory = ({
    const user = await userDAL.findById(userEnc.userId);
    const cfg = getConfig();

-    let authMethod = AuthMethod.EMAIL;
-    let organizationId: string | undefined;
+    const { authMethod, organizationId } = getAuthMethodAndOrgId(email, providerAuthToken);
+    await verifyCaptcha(user, captchaToken);

-    if (providerAuthToken) {
-      const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
-
-      authMethod = decodedProviderToken.authMethod;
-      if (
-        (isAuthMethodSaml(authMethod) || [AuthMethod.LDAP, AuthMethod.OIDC].includes(authMethod)) &&
-        decodedProviderToken.orgId
-      ) {
-        organizationId = decodedProviderToken.orgId;
-      }
-    }
-
-    if (
-      user.consecutiveFailedPasswordAttempts &&
-      user.consecutiveFailedPasswordAttempts >= 10 &&
-      Boolean(appCfg.CAPTCHA_SECRET)
-    ) {
-      if (!captchaToken) {
-        throw new BadRequestError({
-          name: "Captcha Required",
-          message: "Accomplish the required captcha by logging in via Web"
-        });
-      }
-
-      // validate captcha token
-      const response = await request.postForm<{ success: boolean }>("https://api.hcaptcha.com/siteverify", {
-        response: captchaToken,
-        secret: appCfg.CAPTCHA_SECRET
-      });
-
-      if (!response.data.success) {
-        throw new BadRequestError({
-          name: "Invalid Captcha"
-        });
-      }
+    if (!userEnc.salt || !userEnc.verifier) {
+      throw new BadRequestError({ message: "Salt or verifier not found" });
    }

    if (!userEnc.serverPrivateKey || !userEnc.clientPublicKey) throw new Error("Failed to authenticate. Try again?");
@@ -371,6 +346,80 @@ export const authLoginServiceFactory = ({
    return { token, user: userEnc } as const;
  };

+  const login = async ({
+    email,
+    password,
+    ip,
+    userAgent,
+    providerAuthToken,
+    captchaToken
+  }: {
+    email: string;
+    password: string;
+    ip: string;
+    userAgent: string;
+    providerAuthToken?: string;
+    captchaToken?: string;
+  }) => {
+    const usersByUsername = await userDAL.findUserEncKeyByUsername({
+      username: email
+    });
+    const userEnc =
+      usersByUsername?.length > 1 ? usersByUsername.find((el) => el.username === email) : usersByUsername?.[0];
+
+    if (!userEnc) throw new BadRequestError({ message: "User not found" });
+
+    if (userEnc.encryptionVersion !== UserEncryption.V2) {
+      throw new BadRequestError({ message: "Legacy encryption scheme not supported", name: "LegacyEncryptionScheme" });
+    }
+
+    if (!userEnc.hashedPassword) {
+      if (userEnc.authMethods?.includes(AuthMethod.EMAIL)) {
+        throw new BadRequestError({
+          message: "Legacy encryption scheme not supported",
+          name: "LegacyEncryptionScheme"
+        });
+      }
+
+      throw new BadRequestError({ message: "No password found" });
+    }
+
+    const { authMethod, organizationId } = getAuthMethodAndOrgId(email, providerAuthToken);
+    await verifyCaptcha(userEnc, captchaToken);
+
+    if (!(await crypto.hashing().compareHash(password, userEnc.hashedPassword))) {
+      await userDAL.update(
+        { id: userEnc.userId },
+        {
+          $incr: {
+            consecutiveFailedPasswordAttempts: 1
+          }
+        }
+      );
+
+      throw new BadRequestError({ message: "Invalid username or email" });
+    }
+
+    const token = await generateUserTokens({
+      user: {
+        ...userEnc,
+        id: userEnc.userId
+      },
+      ip,
+      userAgent,
+      authMethod,
+      organizationId
+    });
+
+    return {
+      tokens: {
+        accessToken: token.access,
+        refreshToken: token.refresh
+      },
+      user: userEnc
+    } as const;
+  };
+
  const selectOrganization = async ({
    userAgent,
    authJwtToken,
@@ -775,7 +824,6 @@ export const authLoginServiceFactory = ({
      }
    }

-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
    const isUserCompleted = user.isAccepted;
    const providerAuthToken = crypto.jwt().sign(
      {
@@ -786,7 +834,7 @@ export const authLoginServiceFactory = ({
        isEmailVerified: user.isEmailVerified,
        firstName: user.firstName,
        lastName: user.lastName,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
        authMethod,
        isUserCompleted,
        ...(callbackPort
@@ -831,8 +879,7 @@ export const authLoginServiceFactory = ({
    const userEnc =
      usersByUsername?.length > 1 ? usersByUsername.find((el) => el.username === email) : usersByUsername?.[0];

-    if (!userEnc?.serverEncryptedPrivateKey)
-      throw new BadRequestError({ message: "Key handoff incomplete. Please try logging in again." });
+    if (!userEnc) throw new BadRequestError({ message: "User encryption not found" });

    const token = await generateUserTokens({
      user: { ...userEnc, id: userEnc.userId },
@@ -862,6 +909,7 @@ export const authLoginServiceFactory = ({
    resendMfaToken,
    verifyMfaToken,
    selectOrganization,
-    generateUserTokens
+    generateUserTokens,
+    login
  };
 };
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@@ -1,8 +1,5 @@
-import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { generateUserSrpKeys } from "@app/lib/crypto/srp";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
@@ -16,8 +13,6 @@ import { UserEncryption } from "../user/user-types";
 import { TAuthDALFactory } from "./auth-dal";
 import {
  ResetPasswordV2Type,
-  TChangePasswordDTO,
-  TCreateBackupPrivateKeyDTO,
  TResetPasswordV2DTO,
  TResetPasswordViaBackupKeyDTO,
  TSetupPasswordViaBackupKeyDTO
@@ -40,79 +35,6 @@ export const authPaswordServiceFactory = ({
  smtpService,
  totpConfigDAL
 }: TAuthPasswordServiceFactoryDep) => {
-  /*
-   * Pre setup for pass change with srp protocol
-   * Gets srp server user salt and server public key
-   */
-  const generateServerPubKey = async (userId: string, clientPublicKey: string) => {
-    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
-    if (!userEnc) throw new Error("Failed to find user");
-
-    const serverSrpKey = await generateSrpServerKey(userEnc.salt, userEnc.verifier);
-    const userEncKeys = await userDAL.updateUserEncryptionByUserId(userEnc.userId, {
-      clientPublicKey,
-      serverPrivateKey: serverSrpKey.privateKey
-    });
-    if (!userEncKeys) throw new Error("Failed  to update encryption key");
-    return { salt: userEncKeys.salt, serverPublicKey: serverSrpKey.pubKey };
-  };
-
-  /*
-   * Change password to new pass
-   * */
-  const changePassword = async ({
-    userId,
-    clientProof,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier,
-    tokenVersionId,
-    password
-  }: TChangePasswordDTO) => {
-    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
-    if (!userEnc) throw new Error("Failed to find user");
-
-    await userDAL.updateUserEncryptionByUserId(userEnc.userId, {
-      serverPrivateKey: null,
-      clientPublicKey: null
-    });
-    if (!userEnc.serverPrivateKey || !userEnc.clientPublicKey) throw new Error("Failed to authenticate. Try again?");
-    const isValidClientProof = await srpCheckClientProof(
-      userEnc.salt,
-      userEnc.verifier,
-      userEnc.serverPrivateKey,
-      userEnc.clientPublicKey,
-      clientProof
-    );
-    if (!isValidClientProof) throw new Error("Failed to authenticate. Try again?");
-
-    const appCfg = getConfig();
-    const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
-    await userDAL.updateUserEncryptionByUserId(userId, {
-      encryptionVersion: 2,
-      protectedKey,
-      protectedKeyIV,
-      protectedKeyTag,
-      encryptedPrivateKey,
-      iv: encryptedPrivateKeyIV,
-      tag: encryptedPrivateKeyTag,
-      salt,
-      verifier,
-      serverPrivateKey: null,
-      clientPublicKey: null,
-      hashedPassword
-    });
-
-    if (tokenVersionId) {
-      await tokenService.clearTokenSessionById(userEnc.userId, tokenVersionId);
-    }
-  };
-
  /*
   * Email password reset flow via email. Step 1 send email
   */
@@ -193,6 +115,10 @@ export const authPaswordServiceFactory = ({
    }

    if (!user.authMethods?.includes(AuthMethod.EMAIL)) {
+      logger.error(
+        { authMethods: user.authMethods },
+        "Unable to reset password, no email authentication method is configured"
+      );
      throw new BadRequestError({ message: "Unable to reset password, no email authentication method is configured" });
    }

@@ -211,58 +137,17 @@ export const authPaswordServiceFactory = ({
      }
    }

-    const newHashedPassword = await crypto.hashing().createHash(newPassword, cfg.SALT_ROUNDS);
-
-    // we need to get the original private key first for v2
-    let privateKey: string;
-    if (
-      user.serverEncryptedPrivateKey &&
-      user.serverEncryptedPrivateKeyTag &&
-      user.serverEncryptedPrivateKeyIV &&
-      user.serverEncryptedPrivateKeyEncoding &&
-      user.encryptionVersion === UserEncryption.V2
-    ) {
-      privateKey = crypto
-        .encryption()
-        .symmetric()
-        .decryptWithRootEncryptionKey({
-          iv: user.serverEncryptedPrivateKeyIV,
-          tag: user.serverEncryptedPrivateKeyTag,
-          ciphertext: user.serverEncryptedPrivateKey,
-          keyEncoding: user.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
-        });
-    } else {
+    if (user.encryptionVersion !== UserEncryption.V2) {
      throw new BadRequestError({
        message: "Cannot reset password without current credentials or recovery method",
        name: "Reset password"
      });
    }

-    const encKeys = await generateUserSrpKeys(user.username, newPassword, {
-      publicKey: user.publicKey,
-      privateKey
-    });
-
-    const { tag, iv, ciphertext, encoding } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
+    const newHashedPassword = await crypto.hashing().createHash(newPassword, cfg.SALT_ROUNDS);

    await userDAL.updateUserEncryptionByUserId(userId, {
-      hashedPassword: newHashedPassword,
-
-      // srp params
-      salt: encKeys.salt,
-      verifier: encKeys.verifier,
-
-      protectedKey: encKeys.protectedKey,
-      protectedKeyIV: encKeys.protectedKeyIV,
-      protectedKeyTag: encKeys.protectedKeyTag,
-      encryptedPrivateKey: encKeys.encryptedPrivateKey,
-      iv: encKeys.encryptedPrivateKeyIV,
-      tag: encKeys.encryptedPrivateKeyTag,
-
-      serverEncryptedPrivateKey: ciphertext,
-      serverEncryptedPrivateKeyIV: iv,
-      serverEncryptedPrivateKeyTag: tag,
-      serverEncryptedPrivateKeyEncoding: encoding
+      hashedPassword: newHashedPassword
    });

    await tokenService.revokeAllMySessions(userId);
@@ -313,66 +198,6 @@ export const authPaswordServiceFactory = ({
    });
  };

-  /*
-   * backup key creation to give user's their access back when lost their password
-   * this also needs to do the generateServerPubKey function to be executed first
-   * then only client proof can be verified
-   * */
-  const createBackupPrivateKey = async ({
-    clientProof,
-    encryptedPrivateKey,
-    salt,
-    verifier,
-    iv,
-    tag,
-    userId
-  }: TCreateBackupPrivateKeyDTO) => {
-    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
-    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
-      throw new Error("Failed to find user");
-    }
-
-    if (!userEnc.clientPublicKey || !userEnc.serverPrivateKey) throw new Error("failed to create backup key");
-    const isValidClientProff = await srpCheckClientProof(
-      userEnc.salt,
-      userEnc.verifier,
-      userEnc.serverPrivateKey,
-      userEnc.clientPublicKey,
-      clientProof
-    );
-    if (!isValidClientProff) throw new Error("failed to create backup key");
-    const backup = await authDAL.transaction(async (tx) => {
-      const backupKey = await authDAL.upsertBackupKey(
-        userEnc.userId,
-        {
-          encryptedPrivateKey,
-          iv,
-          tag,
-          salt,
-          verifier,
-          algorithm: SecretEncryptionAlgo.AES_256_GCM,
-          keyEncoding: SecretKeyEncoding.UTF8
-        },
-        tx
-      );
-
-      await userDAL.updateUserEncryptionByUserId(
-        userEnc.userId,
-        {
-          serverPrivateKey: null,
-          clientPublicKey: null
-        },
-        tx
-      );
-      return backupKey;
-    });
-
-    return backup;
-  };
-
-  /*
-   * Return user back up
-   * */
  const getBackupPrivateKeyOfUser = async (userId: string) => {
    const user = await userDAL.findUserEncKeyByUserId(userId);
    if (!user || (user && !user.isAccepted)) {
@@ -416,21 +241,7 @@ export const authPaswordServiceFactory = ({
    });
  };

-  const setupPassword = async (
-    {
-      encryptedPrivateKey,
-      protectedKeyTag,
-      protectedKey,
-      protectedKeyIV,
-      salt,
-      verifier,
-      encryptedPrivateKeyIV,
-      encryptedPrivateKeyTag,
-      password,
-      token
-    }: TSetupPasswordViaBackupKeyDTO,
-    actor: OrgServiceActor
-  ) => {
+  const setupPassword = async ({ password, token }: TSetupPasswordViaBackupKeyDTO, actor: OrgServiceActor) => {
    try {
      await tokenService.validateTokenForUser({
        type: TokenType.TOKEN_EMAIL_PASSWORD_SETUP,
@@ -466,15 +277,7 @@ export const authPaswordServiceFactory = ({
      await userDAL.updateUserEncryptionByUserId(
        actor.id,
        {
-          encryptionVersion: 2,
-          protectedKey,
-          protectedKeyIV,
-          protectedKeyTag,
-          encryptedPrivateKey,
-          iv: encryptedPrivateKeyIV,
-          tag: encryptedPrivateKeyTag,
-          salt,
-          verifier,
+          encryptionVersion: UserEncryption.V2,
          hashedPassword,
          serverPrivateKey: null,
          clientPublicKey: null
@@ -487,12 +290,9 @@ export const authPaswordServiceFactory = ({
  };

  return {
-    generateServerPubKey,
-    changePassword,
    resetPasswordByBackupKey,
    sendPasswordResetEmail,
    verifyPasswordResetEmail,
-    createBackupPrivateKey,
    getBackupPrivateKeyOfUser,
    sendPasswordSetupEmail,
    setupPassword,
--- a/backend/src/services/auth/auth-password-type.ts
+++ b/backend/src/services/auth/auth-password-type.ts
@@ -1,18 +1,3 @@
-export type TChangePasswordDTO = {
-  userId: string;
-  clientProof: string;
-  protectedKey: string;
-  protectedKeyIV: string;
-  protectedKeyTag: string;
-  encryptedPrivateKey: string;
-  encryptedPrivateKeyIV: string;
-  encryptedPrivateKeyTag: string;
-  salt: string;
-  verifier: string;
-  tokenVersionId?: string;
-  password: string;
-};
-
 export enum ResetPasswordV2Type {
  Recovery = "recovery",
  LoggedInReset = "logged-in-reset"
@@ -39,14 +24,6 @@ export type TResetPasswordViaBackupKeyDTO = {
 };

 export type TSetupPasswordViaBackupKeyDTO = {
-  protectedKey: string;
-  protectedKeyIV: string;
-  protectedKeyTag: string;
-  encryptedPrivateKey: string;
-  encryptedPrivateKeyIV: string;
-  encryptedPrivateKeyTag: string;
-  salt: string;
-  verifier: string;
  password: string;
  token: string;
 };
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@@ -1,11 +1,10 @@
-import { OrgMembershipStatus, SecretKeyEncoding, TableName } from "@app/db/schemas";
+import { OrgMembershipStatus, TableName } from "@app/db/schemas";
 import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { getMinExpiresIn } from "@app/lib/fn";
 import { isDisposableEmail } from "@app/lib/validator";
@@ -41,7 +40,7 @@ type TAuthSignupDep = {
    | "findUserGroupMembershipsInProject"
  >;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findProjectById">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findProjectById" | "findById">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgService: Pick<TOrgServiceFactory, "createOrganization" | "findOrganizationById">;
@@ -147,17 +146,8 @@ export const authSignupServiceFactory = ({
    firstName,
    lastName,
    providerAuthToken,
-    salt,
-    verifier,
-    publicKey,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
    organizationName,
    // attributionSource,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
    ip,
    userAgent,
    authorization,
@@ -191,98 +181,18 @@ export const authSignupServiceFactory = ({
    }

    const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
-    const privateKey = await getUserPrivateKey(password, {
-      salt,
-      protectedKey,
-      protectedKeyIV,
-      protectedKeyTag,
-      encryptedPrivateKey,
-      iv: encryptedPrivateKeyIV,
-      tag: encryptedPrivateKeyTag,
-      encryptionVersion: UserEncryption.V2
-    });
-    const { tag, encoding, ciphertext, iv } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
    const updateduser = await authDAL.transaction(async (tx) => {
      const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
      if (!us) throw new Error("User not found");
-      const systemGeneratedUserEncryptionKey = await userDAL.findUserEncKeyByUserId(us.id, tx);
-      let userEncKey;

-      // below condition is true means this is system generated credentials
-      // the private key is actually system generated password
-      // thus we will re-encrypt the system generated private key with the new password
-      // akhilmhdh: you may find this like why? The reason is simple we are moving away from e2ee and these are pieces of it
-      // without a dummy key in place some things will break and backward compatiability too. 2025 we will be removing all these things
-      if (
-        systemGeneratedUserEncryptionKey &&
-        !systemGeneratedUserEncryptionKey.hashedPassword &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding
-      ) {
-        // get server generated password
-        const serverGeneratedPassword = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            iv: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV,
-            tag: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag,
-            ciphertext: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey,
-            keyEncoding: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
-          });
-        const serverGeneratedPrivateKey = await getUserPrivateKey(serverGeneratedPassword, {
-          ...systemGeneratedUserEncryptionKey
-        });
-        const encKeys = await generateUserSrpKeys(email, password, {
-          publicKey: systemGeneratedUserEncryptionKey.publicKey,
-          privateKey: serverGeneratedPrivateKey
-        });
-        // now reencrypt server generated key with user provided password
-        userEncKey = await userDAL.upsertUserEncryptionKey(
-          us.id,
-          {
-            encryptionVersion: UserEncryption.V2,
-            protectedKey: encKeys.protectedKey,
-            protectedKeyIV: encKeys.protectedKeyIV,
-            protectedKeyTag: encKeys.protectedKeyTag,
-            publicKey: encKeys.publicKey,
-            encryptedPrivateKey: encKeys.encryptedPrivateKey,
-            iv: encKeys.encryptedPrivateKeyIV,
-            tag: encKeys.encryptedPrivateKeyTag,
-            salt: encKeys.salt,
-            verifier: encKeys.verifier,
-            hashedPassword,
-            serverEncryptedPrivateKeyEncoding: encoding,
-            serverEncryptedPrivateKeyTag: tag,
-            serverEncryptedPrivateKeyIV: iv,
-            serverEncryptedPrivateKey: ciphertext
-          },
-          tx
-        );
-      } else {
-        userEncKey = await userDAL.upsertUserEncryptionKey(
-          us.id,
-          {
-            encryptionVersion: UserEncryption.V2,
-            salt,
-            verifier,
-            publicKey,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-            encryptedPrivateKey,
-            iv: encryptedPrivateKeyIV,
-            tag: encryptedPrivateKeyTag,
-            hashedPassword,
-            serverEncryptedPrivateKeyEncoding: encoding,
-            serverEncryptedPrivateKeyTag: tag,
-            serverEncryptedPrivateKeyIV: iv,
-            serverEncryptedPrivateKey: ciphertext
-          },
-          tx
-        );
-      }
+      const userEncKey = await userDAL.upsertUserEncryptionKey(
+        us.id,
+        {
+          encryptionVersion: UserEncryption.V2,
+          hashedPassword
+        },
+        tx
+      );

      // If it's SAML Auth and the organization ID is present, we should check if the user has a pending invite for this org, and accept it
      if (
@@ -400,19 +310,10 @@ export const authSignupServiceFactory = ({
  const completeAccountInvite = async ({
    email,
    ip,
-    salt,
    password,
-    verifier,
    firstName,
-    publicKey,
    userAgent,
    lastName,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
    authorization
  }: TCompleteAccountInviteDTO) => {
    const sanitizedEmail = email.trim().toLowerCase();
@@ -437,94 +338,17 @@ export const authSignupServiceFactory = ({

    const appCfg = getConfig();
    const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
-    const privateKey = await getUserPrivateKey(password, {
-      salt,
-      protectedKey,
-      protectedKeyIV,
-      protectedKeyTag,
-      encryptedPrivateKey,
-      iv: encryptedPrivateKeyIV,
-      tag: encryptedPrivateKeyTag,
-      encryptionVersion: 2
-    });
-    const { tag, encoding, ciphertext, iv } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
    const updateduser = await authDAL.transaction(async (tx) => {
      const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
      if (!us) throw new Error("User not found");
-      const systemGeneratedUserEncryptionKey = await userDAL.findUserEncKeyByUserId(us.id, tx);
-      let userEncKey;
-      // this means this is system generated credentials
-      // now replace the private key
-      if (
-        systemGeneratedUserEncryptionKey &&
-        !systemGeneratedUserEncryptionKey.hashedPassword &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV &&
-        systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding
-      ) {
-        // get server generated password
-        const serverGeneratedPassword = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            iv: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV,
-            tag: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag,
-            ciphertext: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey,
-            keyEncoding: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
-          });
-        const serverGeneratedPrivateKey = await getUserPrivateKey(serverGeneratedPassword, {
-          ...systemGeneratedUserEncryptionKey
-        });
-        const encKeys = await generateUserSrpKeys(sanitizedEmail, password, {
-          publicKey: systemGeneratedUserEncryptionKey.publicKey,
-          privateKey: serverGeneratedPrivateKey
-        });
-        // now reencrypt server generated key with user provided password
-        userEncKey = await userDAL.upsertUserEncryptionKey(
-          us.id,
-          {
-            encryptionVersion: 2,
-            protectedKey: encKeys.protectedKey,
-            protectedKeyIV: encKeys.protectedKeyIV,
-            protectedKeyTag: encKeys.protectedKeyTag,
-            publicKey: encKeys.publicKey,
-            encryptedPrivateKey: encKeys.encryptedPrivateKey,
-            iv: encKeys.encryptedPrivateKeyIV,
-            tag: encKeys.encryptedPrivateKeyTag,
-            salt: encKeys.salt,
-            verifier: encKeys.verifier,
-            hashedPassword,
-            serverEncryptedPrivateKeyEncoding: encoding,
-            serverEncryptedPrivateKeyTag: tag,
-            serverEncryptedPrivateKeyIV: iv,
-            serverEncryptedPrivateKey: ciphertext
-          },
-          tx
-        );
-      } else {
-        userEncKey = await userDAL.upsertUserEncryptionKey(
-          us.id,
-          {
-            encryptionVersion: UserEncryption.V2,
-            salt,
-            verifier,
-            publicKey,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-            encryptedPrivateKey,
-            iv: encryptedPrivateKeyIV,
-            tag: encryptedPrivateKeyTag,
-            hashedPassword,
-            serverEncryptedPrivateKeyEncoding: encoding,
-            serverEncryptedPrivateKeyTag: tag,
-            serverEncryptedPrivateKeyIV: iv,
-            serverEncryptedPrivateKey: ciphertext
-          },
-          tx
-        );
-      }
+      const userEncKey = await userDAL.upsertUserEncryptionKey(
+        us.id,
+        {
+          encryptionVersion: 2,
+          hashedPassword
+        },
+        tx
+      );

      const updatedMembersips = await orgDAL.updateMembership(
        { inviteEmail: sanitizedEmail, status: OrgMembershipStatus.Invited },
--- a/backend/src/services/auth/auth-signup-type.ts
+++ b/backend/src/services/auth/auth-signup-type.ts
@@ -3,15 +3,6 @@ export type TCompleteAccountSignupDTO = {
  password: string;
  firstName: string;
  lastName?: string;
-  protectedKey: string;
-  protectedKeyIV: string;
-  protectedKeyTag: string;
-  publicKey: string;
-  encryptedPrivateKey: string;
-  encryptedPrivateKeyIV: string;
-  encryptedPrivateKeyTag: string;
-  salt: string;
-  verifier: string;
  organizationName?: string;
  providerAuthToken?: string | null;
  attributionSource?: string | undefined;
@@ -26,15 +17,6 @@ export type TCompleteAccountInviteDTO = {
  password: string;
  firstName: string;
  lastName?: string;
-  protectedKey: string;
-  protectedKeyIV: string;
-  protectedKeyTag: string;
-  publicKey: string;
-  encryptedPrivateKey: string;
-  encryptedPrivateKeyIV: string;
-  encryptedPrivateKeyTag: string;
-  salt: string;
-  verifier: string;
  ip: string;
  userAgent: string;
  authorization: string;
--- a/backend/src/services/certificate-authority/certificate-authority-validators.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-validators.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { isValidIp } from "@app/lib/ip";
 import { isFQDN } from "@app/lib/validator/validate-url";
+import { TAltNameMapping, TAltNameType } from "@app/services/certificate/certificate-types";

 const isValidDate = (dateString: string) => {
  const date = new Date(dateString);
@@ -56,3 +57,19 @@ export const validateAltNamesField = z
      message: "Each alt name must be a valid hostname, email address, IP address or URL"
    }
  );
+
+export const validateAndMapAltNameType = (name: string): TAltNameMapping | null => {
+  if (isFQDN(name, { allow_wildcard: true, require_tld: false })) {
+    return { type: TAltNameType.DNS, value: name };
+  }
+  if (z.string().url().safeParse(name).success) {
+    return { type: TAltNameType.URL, value: name };
+  }
+  if (z.string().email().safeParse(name).success) {
+    return { type: TAltNameType.EMAIL, value: name };
+  }
+  if (isValidIp(name)) {
+    return { type: TAltNameType.IP, value: name };
+  }
+  return null;
+};
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
@@ -1,7 +1,6 @@
 /* eslint-disable no-bitwise */
 import * as x509 from "@peculiar/x509";
 import RE2 from "re2";
-import { z } from "zod";

 import { TCertificateTemplates, TPkiSubscribers } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
@@ -9,7 +8,6 @@ import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TCertificateSecretDALFactory } from "@app/services/certificate/certificate-secret-dal";
@@ -17,7 +15,8 @@ import {
  CertExtendedKeyUsage,
  CertKeyAlgorithm,
  CertKeyUsage,
-  CertStatus
+  CertStatus,
+  TAltNameMapping
 } from "@app/services/certificate/certificate-types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -33,6 +32,7 @@ import {
  keyAlgorithmToAlgCfg
 } from "../certificate-authority-fns";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";
 import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";

 type TInternalCertificateAuthorityFnsDeps = {
@@ -152,27 +152,15 @@ export const InternalCertificateAuthorityFns = ({
      extensions.push(extendedKeyUsagesExtension);
    }

-    let altNamesArray: { type: "email" | "dns" | "ip" | "url"; value: string }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];

    if (subscriber.subjectAlternativeNames?.length) {
      altNamesArray = subscriber.subjectAlternativeNames.map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
+        const altNameType = validateAndMapAltNameType(altName);
+        if (!altNameType) {
+          throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
        }
-
-        if (isFQDN(altName, { allow_wildcard: true, require_tld: false })) {
-          return { type: "dns", value: altName };
-        }
-
-        if (z.string().url().safeParse(altName).success) {
-          return { type: "url", value: altName };
-        }
-
-        if (z.string().ip().safeParse(altName).success) {
-          return { type: "ip", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
+        return altNameType;
      });

      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
@@ -426,27 +414,15 @@ export const InternalCertificateAuthorityFns = ({
      );
    }

-    let altNamesArray: { type: "email" | "dns" | "ip" | "url"; value: string }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];

    if (altNames) {
      altNamesArray = altNames.split(",").map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
+        const altNameType = validateAndMapAltNameType(altName);
+        if (!altNameType) {
+          throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
        }
-
-        if (isFQDN(altName, { allow_wildcard: true, require_tld: false })) {
-          return { type: "dns", value: altName };
-        }
-
-        if (z.string().url().safeParse(altName).success) {
-          return { type: "url", value: altName };
-        }
-
-        if (z.string().ip().safeParse(altName).success) {
-          return { type: "ip", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
+        return altNameType;
      });

      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
@@ -2,7 +2,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
-import { z } from "zod";

 import { ActionProjectType, TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -18,7 +17,6 @@ import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -34,7 +32,8 @@ import {
  CertExtendedKeyUsageOIDToName,
  CertKeyAlgorithm,
  CertKeyUsage,
-  CertStatus
+  CertStatus,
+  TAltNameMapping
 } from "../../certificate/certificate-types";
 import { TCertificateTemplateDALFactory } from "../../certificate-template/certificate-template-dal";
 import { validateCertificateDetailsAgainstTemplate } from "../../certificate-template/certificate-template-fns";
@@ -53,6 +52,7 @@ import {
 } from "../certificate-authority-fns";
 import { TCertificateAuthorityQueueFactory } from "../certificate-authority-queue";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";
 import { TInternalCertificateAuthorityDALFactory } from "./internal-certificate-authority-dal";
 import {
  TCreateCaDTO,
@@ -1364,34 +1364,18 @@ export const internalCertificateAuthorityServiceFactory = ({
      );
    }

-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];

    if (altNames) {
      altNamesArray = altNames
        .split(",")
        .map((name) => name.trim())
-        .map((altName) => {
-          // check if the altName is a valid email
-          if (z.string().email().safeParse(altName).success) {
-            return {
-              type: "email",
-              value: altName
-            };
+        .map((altName): TAltNameMapping => {
+          const altNameType = validateAndMapAltNameType(altName);
+          if (!altNameType) {
+            throw new Error(`Invalid altName: ${altName}`);
          }
-
-          // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
-            return {
-              type: "dns",
-              value: altName
-            };
-          }
-
-          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
-          throw new Error(`Invalid altName: ${altName}`);
+          return altNameType;
        });

      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
@@ -1766,34 +1750,22 @@ export const internalCertificateAuthorityServiceFactory = ({
    }

    let altNamesFromCsr: string = "";
-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];
+
    if (altNames) {
      altNamesArray = altNames
        .split(",")
        .map((name) => name.trim())
-        .map((altName) => {
-          // check if the altName is a valid email
-          if (z.string().email().safeParse(altName).success) {
-            return {
-              type: "email",
-              value: altName
-            };
+        .map((altName): TAltNameMapping => {
+          const altNameType = validateAndMapAltNameType(altName);
+          if (!altNameType) {
+            throw new Error(`Invalid altName: ${altName}`);
          }
-
-          // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
-            return {
-              type: "dns",
-              value: altName
-            };
-          }
-
-          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
-          throw new Error(`Invalid altName: ${altName}`);
+          return altNameType;
        });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
    } else {
      // attempt to read from CSR if altNames is not explicitly provided
      const sanExtension = csrObj.extensions.find((ext) => ext.type === "2.5.29.17");
@@ -1801,11 +1773,16 @@ export const internalCertificateAuthorityServiceFactory = ({
        const sanNames = new x509.GeneralNames(sanExtension.value);

        altNamesArray = sanNames.items
-          .filter((value) => value.type === "email" || value.type === "dns")
-          .map((name) => ({
-            type: name.type as "email" | "dns",
-            value: name.value
-          }));
+          .filter(
+            (value) => value.type === "email" || value.type === "dns" || value.type === "url" || value.type === "ip"
+          )
+          .map((name): TAltNameMapping => {
+            const altNameType = validateAndMapAltNameType(name.value);
+            if (!altNameType) {
+              throw new Error(`Invalid altName from CSR: ${name.value}`);
+            }
+            return altNameType;
+          });

        altNamesFromCsr = sanNames.items.map((item) => item.value).join(",");
      }
--- a/backend/src/services/certificate/certificate-types.ts
+++ b/backend/src/services/certificate/certificate-types.ts
@@ -104,3 +104,14 @@ export type TGetCertificateCredentialsDTO = {
  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
+
+export enum TAltNameType {
+  EMAIL = "email",
+  DNS = "dns",
+  IP = "ip",
+  URL = "url"
+}
+export type TAltNameMapping = {
+  type: TAltNameType;
+  value: string;
+};
--- a/backend/src/services/external-migration/external-migration-fns/vault.ts
+++ b/backend/src/services/external-migration/external-migration-fns/vault.ts
@@ -254,29 +254,26 @@ export const transformToInfisicalFormatNamespaceToProjects = (
    let currentFolderId: string | undefined;
    let currentPath = "";

-    if (path.includes("/")) {
-      const pathParts = path.split("/").filter(Boolean);
+    const pathParts = path.split("/").filter(Boolean);
+    const folderParts = pathParts;

-      const folderParts = pathParts;
+    // create nested folder structure for the entire path
+    for (const folderName of folderParts) {
+      currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
+      const folderKey = `${namespace}:${mount}:${currentPath}`;

-      // create nested folder structure for the entire path
-      for (const folderName of folderParts) {
-        currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
-        const folderKey = `${namespace}:${mount}:${currentPath}`;
-
-        if (!folderMap.has(folderKey)) {
-          const folderId = uuidv4();
-          folderMap.set(folderKey, folderId);
-          folders.push({
-            id: folderId,
-            name: folderName,
-            environmentId,
-            parentFolderId: currentFolderId || environmentId
-          });
-          currentFolderId = folderId;
-        } else {
-          currentFolderId = folderMap.get(folderKey)!;
-        }
+      if (!folderMap.has(folderKey)) {
+        const folderId = uuidv4();
+        folderMap.set(folderKey, folderId);
+        folders.push({
+          id: folderId,
+          name: folderName,
+          environmentId,
+          parentFolderId: currentFolderId || environmentId
+        });
+        currentFolderId = folderId;
+      } else {
+        currentFolderId = folderMap.get(folderKey)!;
      }
    }

--- a/backend/src/services/group-project/group-project-service.ts
+++ b/backend/src/services/group-project/group-project-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, ProjectVersion, SecretKeyEncoding, TGroups } from "@app/db/schemas";
 import { TListProjectGroupUsersDTO } from "@app/ee/services/group/group-types";
 import {
  constructPermissionErrorMessage,
@@ -188,7 +188,7 @@ export const groupProjectServiceFactory = ({
      // other groups that are in the project
      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group!.id, project.id, tx);

-      if (groupMembers.length) {
+      if (groupMembers.length && (project.version === ProjectVersion.V1 || project.version === ProjectVersion.V2)) {
        const ghostUser = await projectDAL.findProjectGhostUser(project.id, tx);

        if (!ghostUser) {
@@ -205,6 +205,12 @@ export const groupProjectServiceFactory = ({
          });
        }

+        if (!ghostUserLatestKey.sender.publicKey) {
+          throw new NotFoundError({
+            message: `Failed to find project owner's latest key in project with name ${project.name}`
+          });
+        }
+
        const bot = await projectBotDAL.findOne({ projectId: project.id }, tx);

        if (!bot) {
@@ -231,6 +237,12 @@ export const groupProjectServiceFactory = ({
        });

        const projectKeyData = groupMembers.map(({ user: { publicKey, id } }) => {
+          if (!publicKey) {
+            throw new NotFoundError({
+              message: `Failed to find user's public key in project with name ${project.name}`
+            });
+          }
+
          const { ciphertext: encryptedKey, nonce } = crypto
            .encryption()
            .asymmetric()
--- a/backend/src/services/identity-alicloud-auth/identity-alicloud-auth-service.ts
+++ b/backend/src/services/identity-alicloud-auth/identity-alicloud-auth-service.ts
@@ -38,7 +38,7 @@ type TIdentityAliCloudAuthServiceFactoryDep = {
    TIdentityAliCloudAuthDALFactory,
    "findOne" | "transaction" | "create" | "updateById" | "delete"
  >;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
@@ -64,6 +64,8 @@ export const identityAliCloudAuthServiceFactory = ({
      identityId: identityAliCloudAuth.identityId
    });

+    if (!identityMembershipOrg) throw new UnauthorizedError({ message: "Identity not attached to a organization" });
+
    const requestUrl = new URL("https://sts.aliyuncs.com");

    for (const key of Object.keys(params)) {
@@ -87,6 +89,14 @@ export const identityAliCloudAuthServiceFactory = ({

    // Generate the token
    const identityAccessToken = await identityAliCloudAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.ALICLOUD_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityAliCloudAuth.identityId,
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -36,7 +36,7 @@ import {
 type TIdentityAwsAuthServiceFactoryDep = {
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
@@ -91,6 +91,7 @@ export const identityAwsAuthServiceFactory = ({
    }

    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError({ message: "Identity not attached to a organization" });

    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
    const body: string = Buffer.from(iamRequestBody, "base64").toString();
@@ -152,6 +153,14 @@ export const identityAwsAuthServiceFactory = ({
    }

    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.AWS_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityAwsAuth.identityId,
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -33,7 +33,7 @@ type TIdentityAzureAuthServiceFactoryDep = {
    TIdentityAzureAuthDALFactory,
    "findOne" | "transaction" | "create" | "updateById" | "delete"
  >;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -80,6 +80,14 @@ export const identityAzureAuthServiceFactory = ({
    }

    const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.AZURE_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityAzureAuth.identityId,
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -31,7 +31,7 @@ import {

 type TIdentityGcpAuthServiceFactoryDep = {
  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -119,6 +119,14 @@ export const identityGcpAuthServiceFactory = ({
    }

    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.GCP_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityGcpAuth.identityId,
--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
@@ -43,7 +43,7 @@ import {

 type TIdentityJwtAuthServiceFactoryDep = {
  identityJwtAuthDAL: TIdentityJwtAuthDALFactory;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -209,6 +209,14 @@ export const identityJwtAuthServiceFactory = ({
    }

    const identityAccessToken = await identityJwtAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.JWT_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityJwtAuth.identityId,
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -49,7 +49,7 @@ type TIdentityKubernetesAuthServiceFactoryDep = {
    "create" | "findOne" | "transaction" | "updateById" | "delete"
  >;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById" | "updateById">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
@@ -380,6 +380,14 @@ export const identityKubernetesAuthServiceFactory = ({
    }

    const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.KUBERNETES_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityKubernetesAuth.identityId,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
=	3cec1b4021	feat: reptile review feedback	2025-08-13 02:34:03 +05:30
=	97b2c534a7	feat: added api document for project router get id from slug	2025-08-13 02:27:12 +05:30
BlackMagiq	dbbd58ffb7	Merge pull request #4338 from Infisical/secrets-mgmt-docs Concepts Documentation for Secrets Management, Secret Scanning, and SSH	2025-08-10 12:27:45 +07:00
Maidul Islam	5d2beb3604	Merge pull request #4345 from Infisical/fix/migrationDoc Updated migration docs with latest image version changes	2025-08-08 17:06:28 -07:00
Carlos Monastyrski	ec65e0e29c	Updated migration docs with latest image version changes	2025-08-08 21:02:00 -03:00
Maidul Islam	b819848058	Delete .github/workflows/build-docker-image-to-prod.yml	2025-08-08 16:41:57 -07:00
Maidul Islam	1b0ef540fe	Update nightly-tag-generation.yml	2025-08-08 16:02:03 -07:00
Maidul Islam	4496241002	Update nightly-tag-generation.yml	2025-08-08 16:00:34 -07:00
Maidul Islam	52e32484ce	Update nightly-tag-generation.yml	2025-08-08 15:59:16 -07:00
Maidul Islam	8b497699d4	Update nightly-tag-generation.yml	2025-08-08 15:53:48 -07:00
Maidul Islam	be73f62226	Update nightly-tag-generation.yml	2025-08-08 15:50:08 -07:00
Maidul Islam	102620ff09	Update nightly-tag-generation.yml	2025-08-08 15:43:13 -07:00
Maidul Islam	994ee88852	add PAT to action	2025-08-08 15:38:08 -07:00
Maidul Islam	770e25b895	trigger on nightly release	2025-08-08 15:31:02 -07:00
Maidul Islam	fcf3bdb440	Merge pull request #4325 from Infisical/feat/releaseChannels Add Release Channels with nightly	2025-08-08 15:23:13 -07:00
Maidul Islam	89c11b5541	remove docker tag from having postgres attached	2025-08-08 15:21:24 -07:00
Maidul Islam	5f764904e2	Update release-standalone-docker-img-postgres-offical.yml	2025-08-08 15:12:30 -07:00
Maidul Islam	1a75384dba	Update release-standalone-docker-img-postgres-offical.yml	2025-08-08 15:10:32 -07:00
Maidul Islam	50f434cd80	Update build-docker-image-to-prod.yml	2025-08-08 15:09:46 -07:00
Maidul Islam	d879cfd90c	trigger on none prefix version	2025-08-08 15:01:19 -07:00
Maidul Islam	ca1f5eaca3	Merge pull request #4343 from Infisical/fix/oauth-issue feat: oauth error resolved due to srp removal	2025-08-08 12:48:08 -07:00
=	04086376ea	feat: oauth error resolved due to srp removal	2025-08-09 01:08:51 +05:30
Daniel Hougaard	364027a88a	Merge pull request #4341 from Infisical/helm-update-v0.10.0 Update Helm chart to version v0.10.0	2025-08-08 23:09:03 +04:00
DanielHougaard	ca110d11b0	Update Helm chart to version v0.10.0	2025-08-08 19:06:00 +00:00
Daniel Hougaard	4e8f404f16	Merge pull request #4234 from Infisical/feat/operatore-update feat: updated k8s operator to v4	2025-08-08 22:58:18 +04:00
Daniel Hougaard	22abb78f48	downgrade helm to fix tests	2025-08-08 22:46:43 +04:00
x032205	24f11406e1	Merge pull request #4333 from Infisical/ENG-3451 feat(org-admin): Remove organization admin console	2025-08-08 13:45:52 -04:00
x032205	d5d67c82b2	Make button always show and swap to "Join as Admin"	2025-08-08 13:38:15 -04:00
Akhil Mohan	35cfcf1f0f	Merge pull request #4328 from Infisical/feat/error-log feat: better error notification for dynamic secret	2025-08-08 22:59:12 +05:30
Maidul Islam	2c8cfeb826	Merge pull request #4339 from Infisical/fix/integration-audit-log feat: resolved audit log showing all the integration	2025-08-08 09:04:22 -07:00
=	70d22f90ec	feat: resolved audit log showing all the integration	2025-08-08 21:19:58 +05:30
Tuan Dang	d88a473b47	Add concept docs for secrets mgmt, secret scanning, ssh	2025-08-08 18:12:19 +07:00
=	4f52400887	feat: removed provider password from sql database	2025-08-08 12:35:33 +05:30
=	34eb9f475a	feat: fixed tokenization strategy	2025-08-08 12:29:19 +05:30
x032205	902a0b0c56	Improve style	2025-08-08 00:58:57 -04:00
Carlos Monastyrski	9e6294786f	Remove infisical/ from new tags	2025-08-07 22:42:14 -03:00
Daniel Hougaard	847c50d2d4	feat(k8s): upgrade to kubebuilder v4	2025-08-08 05:07:43 +04:00
Scott Wilson	efa043c3d2	Merge pull request #4312 from Infisical/secret-sidebar-details-refactor improvement(frontend): improve UX and design of secret sidebar/table row	2025-08-07 17:53:30 -07:00
Maidul Islam	7e94791635	update release channels	2025-08-07 16:46:41 -07:00
x032205	eedc5f533e	feat(org-admin): Remove organization admin console	2025-08-07 18:39:57 -04:00
Sheen	fc5d42baf0	Merge pull request #4329 from Infisical/misc/address-ldap-update-and-test-issues misc: address LDAP config update and test issues	2025-08-08 04:51:27 +08:00
Sheen Capadngan	b95c35620a	misc: addressed comments	2025-08-08 04:49:23 +08:00
Akhil Mohan	fa867e5068	Merge pull request #4319 from Infisical/feat/last-logged-auth feat: adds support for last logged in auth method field	2025-08-08 00:45:43 +05:30
x032205	8851faec65	Fix padding	2025-08-07 15:12:37 -04:00
Daniel Hougaard	47fb666dc7	Merge pull request #4320 from Infisical/daniel/vault-migration-path-fix fix: improve vault folders mapping	2025-08-07 22:33:58 +04:00
Sheen Capadngan	569edd2852	misc: addres LDAP config update and test issues	2025-08-07 23:56:52 +08:00
=	676ebaf3c2	feat: updated by reptile feedback	2025-08-07 20:55:41 +05:30
=	adb3185042	feat: better error notification for dynamic secret	2025-08-07 20:37:05 +05:30
=	8da0a4d846	feat: correction in sizing	2025-08-07 14:16:27 +05:30
=	eebf080e3c	feat: added last login time	2025-08-07 13:37:06 +05:30
Scott Wilson	97be31f11e	merge main and deconflict	2025-08-06 18:50:02 -07:00
Scott Wilson	667cceebc0	improvement: address feedback	2025-08-06 18:43:12 -07:00
x032205	1ad02e2da6	Merge pull request #4324 from Infisical/mssql-ssl-issue-fix servername host for mssql	2025-08-06 21:08:21 -04:00
Carlos Monastyrski	93445d96b3	Add Release Channels with nightly	2025-08-06 21:10:15 -03:00
x032205	e105a5f7da	servername host for mssql	2025-08-06 19:53:13 -04:00
Scott Wilson	72b80e1fd7	Merge pull request #4323 from Infisical/audit-log-error-message-parsing-fix fix(frontend): correctly parse fetch audit log error message	2025-08-06 15:47:25 -07:00
Scott Wilson	6429adfaf6	Merge pull request #4322 from Infisical/audit-log-dropdown-overflow improvement(frontend): update styling and overflow for audit log filter	2025-08-06 15:43:49 -07:00
Scott Wilson	fd89b3c702	fix: correctly parse audit log error message	2025-08-06 15:42:27 -07:00
Scott Wilson	50e40e8bcf	improvement: update styling and overflow for audit log filter	2025-08-06 15:17:55 -07:00
Daniel Hougaard	6100086338	fixed helm	2025-08-07 00:55:39 +04:00
Daniel Hougaard	000dd6c223	Update external-migration-router.ts	2025-08-07 00:43:07 +04:00
Daniel Hougaard	60dc1d1e00	fix: improve vault folders mapping	2025-08-06 19:58:35 +04:00
Daniel Hougaard	2d68f9aa16	fix: helm changes	2025-08-06 18:29:19 +04:00
Daniel Hougaard	e694293ebe	update deps	2025-08-06 18:17:28 +04:00
Daniel Hougaard	ef6f5ecc4b	test	2025-08-06 18:14:13 +04:00
Tuan Dang	56f5249925	Merge remote-tracking branch 'origin' into secrets-mgmt-docs	2025-08-06 19:26:59 +07:00
Tuan Dang	df5b3fa8dc	Add concepts section to secrets mgmt docs	2025-08-06 19:26:29 +07:00
=	035ac0fe8d	feat: resolved merge conflict	2025-08-06 16:37:55 +05:30
=	c12408eb81	feat: migrated the operator code to v4	2025-08-06 16:28:24 +05:30
=	13194296c6	feat: updated secret config	2025-08-06 16:21:26 +05:30
=	be20a507ac	feat: reptile feedback	2025-08-06 12:30:41 +05:30
=	63cf36c722	fix: updated the migration file issue	2025-08-06 11:59:37 +05:30
=	4dcd3ed06c	feat: adds support for last logged in auth method field	2025-08-06 11:57:43 +05:30
x032205	59cffe8cfb	Merge pull request #4313 from JuliusMieliauskas/fix-san-extension-contents FIX: SAN extension field in certificate issuance	2025-08-05 21:26:43 -04:00
Maidul Islam	fa61867a72	Merge pull request #4316 from Infisical/docs/update-self-hostable-ips Update prerequisites sections for secret syncs/rotations to include being able to accept requests…	2025-08-05 17:45:17 -07:00
Maidul Islam	f3694ca730	add more clarity to notice	2025-08-05 17:44:57 -07:00
Maidul Islam	8fcd6d9997	update phrase and placement	2025-08-05 17:39:02 -07:00
ArshBallagan	45ff9a50b6	update positioning for db related rotations	2025-08-05 15:08:08 -07:00
ArshBallagan	81cdfb9861	update to include secret rotations	2025-08-05 15:06:25 -07:00
ArshBallagan	e1e553ce23	Update prerequisites section to include being bale to accept requests from Infisical	2025-08-05 14:51:09 -07:00
Julius Mieliauskas	e7a6f46f56	refactored SAN validation logic	2025-08-06 00:26:27 +03:00
Daniel Hougaard	b51d997e26	Merge pull request #4270 from Infisical/daniel/srp-removal-round-2 feat: srp removal	2025-08-05 23:47:43 +04:00
Daniel Hougaard	23f6fbe9fc	fix: minor (and i mean minor) changes	2025-08-05 23:45:42 +04:00
Sid	c1fb5d8998	docs: add events system pages (#4294 ) * feat: events docs * fix: make the conditions optional in casl check * Update backend/src/lib/api-docs/constants.ts * Update backend/src/lib/api-docs/constants.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update docs/docs.json * docs: content * fix: pr changes * feat: improve docs * chore: remove recursive * fix: pr changes * fix: change * fix: pr changes * fix: pr changes * fix: change	2025-08-06 00:43:41 +05:30
Daniel Hougaard	0cb21082c7	requested changes	2025-08-05 22:35:32 +04:00
carlosmonastyrski	4e3613ac6e	Merge pull request #4314 from Infisical/fix/editButNotReadValuesFixForCommitRows Fix edge case where users with edit but not read permission on new commit row logic	2025-08-05 15:32:59 -03:00
carlosmonastyrski	6be65f7a56	Merge pull request #4315 from Infisical/fix/reminderEmptyRecipients Fix an issue on reminder recipients when all recipients are deleted on an update	2025-08-05 15:32:52 -03:00
Daniel Hougaard	63cb484313	Merge branch 'heads/main' into daniel/srp-removal-round-2	2025-08-05 22:17:01 +04:00
Daniel Hougaard	aa3af1672a	requested changes	2025-08-05 22:09:40 +04:00
Daniel Hougaard	33fe11e0fd	Update ChangePasswordSection.tsx	2025-08-05 22:05:31 +04:00
Daniel Hougaard	d924a4bccc	fix: seeding with a ghost user	2025-08-05 22:05:23 +04:00
Daniel Hougaard	3fc7a71bc7	Update user-service.ts	2025-08-05 22:05:02 +04:00
Daniel Hougaard	986fe2fe23	fix: password resets not working	2025-08-05 22:04:54 +04:00
Carlos Monastyrski	08f7e530b0	Fix edge case where users with edit but not read permission were having a strange behavior on the new commit row logic	2025-08-05 14:40:21 -03:00
Julius Mieliauskas	e9f5055481	fixed SAN extension field in certificate issuance	2025-08-05 20:19:17 +03:00
Scott Wilson	35055955e2	Merge pull request #4298 from Infisical/secret-overview-table-scroll improvement(frontend): make secret overview table header sticky, add underlines to env header links and limit table height for scroll	2025-08-05 09:04:33 -07:00
carlosmonastyrski	c188e7cd2b	Merge pull request #4311 from Infisical/fix/emptyStateIdentityAuthTemplate Add empty state and improve upgrade plan logic on Identity Auth Templates	2025-08-04 23:19:12 -03:00
carlosmonastyrski	7d2ded6235	Merge pull request #4310 from Infisical/fix/bulkCommitUpdateRowValues Allow users to type the same original value on bulk commits and remove them if no changes are left	2025-08-04 22:46:25 -03:00
Scott Wilson	c568f40954	improvement: remove button submit type	2025-08-04 17:09:03 -07:00
Scott Wilson	28f87b8b27	improvement: improve ux and design of secret sidebar/table row	2025-08-04 16:50:47 -07:00
Carlos Monastyrski	aab1a0297e	Add empty state and improve upgrade plan logic on Identity Auth Templates	2025-08-04 20:08:26 -03:00
Maidul Islam	dd0f5cebd2	Merge pull request #4301 from Infisical/docs-product-split Update docs to be multi-product	2025-08-04 14:54:16 -07:00
Maidul Islam	1b29a4564a	fix typos	2025-08-04 14:52:47 -07:00
Maidul Islam	9e3c0c8583	fix links	2025-08-04 14:51:02 -07:00
Carlos Monastyrski	3e803debb4	Allow users to type the same original value on bulk commits and remove them if no changes are left	2025-08-04 18:22:30 -03:00
Maidul Islam	16ebe0f8e7	small nits	2025-08-04 14:11:13 -07:00
carlosmonastyrski	e8eb1b5f8b	Merge pull request #4300 from Infisical/feat/machineAuthTemplates Add Machine Auth Templates	2025-08-04 17:24:10 -03:00
x032205	6e37b9f969	Merge pull request #4309 from Infisical/log-available-auth-methods-on-pass-reset Log available auth methods on password reset	2025-08-04 16:22:44 -04:00
x032205	899b7fe024	Log available auth methods on password reset	2025-08-04 16:16:52 -04:00
Carlos Monastyrski	098a8b81be	Final improvements on machine auth templates	2025-08-04 17:01:44 -03:00
Daniel Hougaard	e852cd8b4a	Merge pull request #4287 from cyrgim/add-support-image-pull-secret feat(helm): add support for imagePullSecrets	2025-08-04 23:36:23 +04:00
Carlos Monastyrski	830a2f9581	Renamed identity auth template permissions	2025-08-04 16:28:57 -03:00
Carlos Monastyrski	dc4db40936	Add space between identities tables	2025-08-04 16:14:24 -03:00
Carlos Monastyrski	0beff3cc1c	Fixed /ldap-auth/identities/:identityId response schema	2025-08-04 16:05:39 -03:00
x032205	5a3325fc53	Merge pull request #4308 from Infisical/fix-github-hostname-check fix github hostname check	2025-08-04 14:37:31 -04:00
Carlos Monastyrski	3dde786621	General improvements on auth templates	2025-08-04 15:29:07 -03:00
Akhil Mohan	da6b233db1	Merge pull request #4307 from Infisical/helm-update-v0.9.5 Update Helm chart to version v0.9.5	2025-08-04 23:57:23 +05:30
akhilmhdh	adf7a88d67	Update Helm chart to version v0.9.5	2025-08-04 18:22:44 +00:00
Tuan Dang	dc0cc4c29d	Update images for user + machine identities	2025-08-04 18:48:46 +07:00
Tuan Dang	6dd639be60	Update docs to be multi-product	2025-08-04 16:58:00 +07:00
Carlos Monastyrski	ebe05661d3	Addressed pr comments	2025-08-03 13:02:20 -03:00
Carlos Monastyrski	4f0007faa5	Add Machine Auth Templates	2025-08-03 12:19:57 -03:00
Scott Wilson	1898c16f1b	improvement: make secret overview table header sticky, add underlines to env header links and limit table height for scroll	2025-08-01 16:47:11 -07:00
Carlos Monastyrski	14ffa59530	Fix an issue on reminder recipients when all recipients are deleted on an update	2025-08-01 11:47:49 -03:00
cyrgim	4704774c63	feat(helm): add support for imagePullSecrets	2025-07-31 07:01:51 +02:00
Daniel Hougaard	0c98d9187d	Update 20250723220500_remove-srp.ts	2025-07-30 05:03:15 +04:00
Daniel Hougaard	e106a6dceb	Merge branch 'heads/main' into daniel/srp-removal-round-2	2025-07-30 04:44:57 +04:00
Daniel Hougaard	2d3b1b18d2	feat: srp removal, requested changes	2025-07-30 04:44:25 +04:00
Daniel Hougaard	d5dd2e8bfd	feat: srp removal	2025-07-30 04:25:27 +04:00