Revert "Revert "GH Action: rename new migration file timestamp""

Merge pull request #1969 from Infisical/revert-1967-create-pull-request/patch-1718327327
Revert "GH Action: rename new migration file timestamp"
2025-08-02 08:27:38 +00:00 · 2024-06-14 09:13:29 -04:00 · 2024-06-14 09:10:43 -04:00 · 2024-06-14 09:10:29 -04:00 · 2024-06-13 23:33:36 -04:00 · 2024-06-13 23:09:28 -04:00
107 changed files with 3245 additions and 722 deletions
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@@ -47,7 +47,7 @@ jobs:
      - name: Wait for container to be stable and check logs
        run: |
          SECONDS=0
- r        HEALTHY=0
+          HEALTHY=0
          while [ $SECONDS -lt 60 ]; do
            if docker ps | grep infisical-api | grep -q healthy; then
              echo "Container is healthy."
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@@ -22,6 +22,9 @@ jobs:
            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

    goreleaser:
        runs-on: ubuntu-20.04
@@ -56,7 +59,7 @@ jobs:
            - uses: goreleaser/goreleaser-action@v4
              with:
                  distribution: goreleaser-pro
-                  version: latest
+                  version: v1.26.2-pro
                  args: release --clean
              env:
                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
--- a/.github/workflows/run-cli-tests.yml
+++ b/.github/workflows/run-cli-tests.yml
@@ -20,7 +20,12 @@ on:
                required: true
            CLI_TESTS_ENV_SLUG:
                required: true
-
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
 jobs:
    test:
        defaults:
@@ -43,5 +48,8 @@ jobs:
                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                  INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

              run: go test -v -count=1 ./test
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -36,6 +36,7 @@
        "bcrypt": "^5.1.1",
        "bullmq": "^5.4.2",
        "cassandra-driver": "^4.7.2",
+        "cron": "^3.1.7",
        "dotenv": "^16.4.1",
        "fastify": "^4.26.0",
        "fastify-plugin": "^4.5.1",
@@ -4806,6 +4807,11 @@
        "long": "*"
      }
    },
+    "node_modules/@types/luxon": {
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/@types/luxon/-/luxon-3.4.2.tgz",
+      "integrity": "sha512-TifLZlFudklWlMBfhubvgqTXRzLDI5pCbGa4P8a3wPyUQSW+1xQ5eDsreP9DWHX3tjq1ke96uYG/nwundroWcA=="
+    },
    "node_modules/@types/mime": {
      "version": "1.3.5",
      "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz",
@@ -6689,6 +6695,15 @@
      "integrity": "sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ==",
      "dev": true
    },
+    "node_modules/cron": {
+      "version": "3.1.7",
+      "resolved": "https://registry.npmjs.org/cron/-/cron-3.1.7.tgz",
+      "integrity": "sha512-tlBg7ARsAMQLzgwqVxy8AZl/qlTc5nibqYwtNGoCrd+cV+ugI+tvZC1oT/8dFH8W455YrywGykx/KMmAqOr7Jw==",
+      "dependencies": {
+        "@types/luxon": "~3.4.0",
+        "luxon": "~3.4.0"
+      }
+    },
    "node_modules/cron-parser": {
      "version": "4.9.0",
      "resolved": "https://registry.npmjs.org/cron-parser/-/cron-parser-4.9.0.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -97,6 +97,7 @@
    "bcrypt": "^5.1.1",
    "bullmq": "^5.4.2",
    "cassandra-driver": "^4.7.2",
+    "cron": "^3.1.7",
    "dotenv": "^16.4.1",
    "fastify": "^4.26.0",
    "fastify-plugin": "^4.5.1",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -48,6 +48,7 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { TRateLimitServiceFactory } from "@app/services/rate-limit/rate-limit-service";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -147,6 +148,7 @@ declare module "fastify" {
      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
      secretSharing: TSecretSharingServiceFactory;
+      rateLimit: TRateLimitServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -149,6 +149,9 @@ import {
  TProjectUserMembershipRoles,
  TProjectUserMembershipRolesInsert,
  TProjectUserMembershipRolesUpdate,
+  TRateLimit,
+  TRateLimitInsert,
+  TRateLimitUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@@ -343,6 +346,7 @@ declare module "knex/types/tables" {
      TSecretFolderVersionsUpdate
    >;
    [TableName.SecretSharing]: Knex.CompositeTableType<TSecretSharing, TSecretSharingInsert, TSecretSharingUpdate>;
+    [TableName.RateLimit]: Knex.CompositeTableType<TRateLimit, TRateLimitInsert, TRateLimitUpdate>;
    [TableName.SecretTag]: Knex.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
    [TableName.SecretImport]: Knex.CompositeTableType<TSecretImports, TSecretImportsInsert, TSecretImportsUpdate>;
    [TableName.Integration]: Knex.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
--- a/backend/src/db/migrations/20240612200518_add-pit-version-limit.ts
+++ b/backend/src/db/migrations/20240612200518_add-pit-version-limit.ts
@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasPitVersionLimitColumn = await knex.schema.hasColumn(TableName.Project, "pitVersionLimit");
+  await knex.schema.alterTable(TableName.Project, (tb) => {
+    if (!hasPitVersionLimitColumn) {
+      tb.integer("pitVersionLimit").notNullable().defaultTo(10);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasPitVersionLimitColumn = await knex.schema.hasColumn(TableName.Project, "pitVersionLimit");
+  await knex.schema.alterTable(TableName.Project, (tb) => {
+    if (hasPitVersionLimitColumn) {
+      tb.dropColumn("pitVersionLimit");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240614010847_custom-rate-limits-for-self-hosting.ts
+++ b/backend/src/db/migrations/20240614010847_custom-rate-limits-for-self-hosting.ts
@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.RateLimit))) {
+    await knex.schema.createTable(TableName.RateLimit, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("readRateLimit").defaultTo(600).notNullable();
+      t.integer("writeRateLimit").defaultTo(200).notNullable();
+      t.integer("secretsRateLimit").defaultTo(60).notNullable();
+      t.integer("authRateLimit").defaultTo(60).notNullable();
+      t.integer("inviteUserRateLimit").defaultTo(30).notNullable();
+      t.integer("mfaRateLimit").defaultTo(20).notNullable();
+      t.integer("creationLimit").defaultTo(30).notNullable();
+      t.integer("publicEndpointLimit").defaultTo(30).notNullable();
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.RateLimit);
+
+    // create init rate limit entry with defaults
+    await knex(TableName.RateLimit).insert({});
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.RateLimit);
+  await dropOnUpdateTrigger(knex, TableName.RateLimit);
+}
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -48,6 +48,7 @@ export * from "./project-roles";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
+export * from "./rate-limit";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -18,6 +18,7 @@ export enum TableName {
  IncidentContact = "incident_contacts",
  UserAction = "user_actions",
  SuperAdmin = "super_admin",
+  RateLimit = "rate_limit",
  ApiKey = "api_keys",
  Project = "projects",
  ProjectBot = "project_bots",
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -16,7 +16,8 @@ export const ProjectsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  version: z.number().default(1),
-  upgradeStatus: z.string().nullable().optional()
+  upgradeStatus: z.string().nullable().optional(),
+  pitVersionLimit: z.number().default(10)
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/rate-limit.ts
+++ b/backend/src/db/schemas/rate-limit.ts
@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RateLimitSchema = z.object({
+  id: z.string().uuid(),
+  readRateLimit: z.number().default(600),
+  writeRateLimit: z.number().default(200),
+  secretsRateLimit: z.number().default(60),
+  authRateLimit: z.number().default(60),
+  inviteUserRateLimit: z.number().default(30),
+  mfaRateLimit: z.number().default(20),
+  creationLimit: z.number().default(30),
+  publicEndpointLimit: z.number().default(30),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TRateLimit = z.infer<typeof RateLimitSchema>;
+export type TRateLimitInsert = Omit<z.input<typeof RateLimitSchema>, TImmutableDBKeys>;
+export type TRateLimitUpdate = Partial<Omit<z.input<typeof RateLimitSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -362,6 +362,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      const groups = await req.server.services.scim.listScimGroups({
        orgId: req.permission.orgId,
        startIndex: req.query.startIndex,
+        filter: req.query.filter,
        limit: req.query.count
      });

--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@@ -19,7 +20,11 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
          workspaceId: z.string(),
          name: z.string().optional(),
          environment: z.string(),
-          secretPath: z.string().optional().nullable(),
+          secretPath: z
+            .string()
+            .optional()
+            .nullable()
+            .transform((val) => (val ? removeTrailingSlash(val) : val)),
          approvers: z.string().array().min(1),
          approvals: z.number().min(1).default(1)
        })
@@ -63,7 +68,11 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
          name: z.string().optional(),
          approvers: z.string().array().min(1),
          approvals: z.number().min(1).default(1),
-          secretPath: z.string().optional().nullable()
+          secretPath: z
+            .string()
+            .optional()
+            .nullable()
+            .transform((val) => (val ? removeTrailingSlash(val) : val))
        })
        .refine((data) => data.approvals <= data.approvers.length, {
          path: ["approvals"],
@@ -157,7 +166,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      querystring: z.object({
        workspaceId: z.string().trim(),
        environment: z.string().trim(),
-        secretPath: z.string().trim()
+        secretPath: z.string().trim().transform(removeTrailingSlash)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/services/scim/scim-fns.ts
+++ b/backend/src/ee/services/scim/scim-fns.ts
@@ -18,6 +18,20 @@ export const buildScimUserList = ({
  };
 };

+export const parseScimFilter = (filterToParse: string | undefined) => {
+  if (!filterToParse) return {};
+  const [parsedName, parsedValue] = filterToParse.split("eq").map((s) => s.trim());
+
+  let attributeName = parsedName;
+  if (parsedName === "userName") {
+    attributeName = "email";
+  } else if (parsedName === "displayName") {
+    attributeName = "name";
+  }
+
+  return { [attributeName]: parsedValue.replace(/"/g, "") };
+};
+
 export const buildScimUser = ({
  orgMembershipId,
  username,
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -30,7 +30,7 @@ import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList } from "./scim-fns";
+import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList, parseScimFilter } from "./scim-fns";
 import {
  TCreateScimGroupDTO,
  TCreateScimTokenDTO,
@@ -184,18 +184,6 @@ export const scimServiceFactory = ({
        status: 403
      });

-    const parseFilter = (filterToParse: string | undefined) => {
-      if (!filterToParse) return {};
-      const [parsedName, parsedValue] = filterToParse.split("eq").map((s) => s.trim());
-
-      let attributeName = parsedName;
-      if (parsedName === "userName") {
-        attributeName = "email";
-      }
-
-      return { [attributeName]: parsedValue.replace(/"/g, "") };
-    };
-
    const findOpts = {
      ...(startIndex && { offset: startIndex - 1 }),
      ...(limit && { limit })
@@ -204,7 +192,7 @@ export const scimServiceFactory = ({
    const users = await orgDAL.findMembership(
      {
        [`${TableName.OrgMembership}.orgId` as "id"]: orgId,
-        ...parseFilter(filter)
+        ...parseScimFilter(filter)
      },
      findOpts
    );
@@ -557,7 +545,7 @@ export const scimServiceFactory = ({
    return {}; // intentionally return empty object upon success
  };

-  const listScimGroups = async ({ orgId, startIndex, limit }: TListScimGroupsDTO) => {
+  const listScimGroups = async ({ orgId, startIndex, limit, filter }: TListScimGroupsDTO) => {
    const plan = await licenseService.getPlan(orgId);
    if (!plan.groups)
      throw new BadRequestError({
@@ -580,7 +568,8 @@ export const scimServiceFactory = ({

    const groups = await groupDAL.findGroups(
      {
-        orgId
+        orgId,
+        ...(filter && parseScimFilter(filter))
      },
      {
        offset: startIndex - 1,
--- a/backend/src/ee/services/scim/scim-types.ts
+++ b/backend/src/ee/services/scim/scim-types.ts
@@ -66,6 +66,7 @@ export type TDeleteScimUserDTO = {

 export type TListScimGroupsDTO = {
  startIndex: number;
+  filter?: string;
  limit: number;
  orgId: string;
 };
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -4,6 +4,7 @@ import picomatch from "picomatch";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -207,7 +208,8 @@ export const secretApprovalPolicyServiceFactory = ({
    return sapPolicies;
  };

-  const getSecretApprovalPolicy = async (projectId: string, environment: string, secretPath: string) => {
+  const getSecretApprovalPolicy = async (projectId: string, environment: string, path: string) => {
+    const secretPath = removeTrailingSlash(path);
    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
    if (!env) throw new BadRequestError({ message: "Environment not found" });

--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -81,8 +81,7 @@ export const secretSnapshotServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
    if (!folder) throw new BadRequestError({ message: "Folder not found" });

-    const count = await snapshotDAL.countOfSnapshotsByFolderId(folder.id);
-    return count;
+    return snapshotDAL.countOfSnapshotsByFolderId(folder.id);
  };

  const listSnapshots = async ({
--- a/backend/src/ee/services/secret-snapshot/snapshot-dal.ts
+++ b/backend/src/ee/services/secret-snapshot/snapshot-dal.ts
@@ -1,3 +1,4 @@
+/* eslint-disable no-await-in-loop */
 import { Knex } from "knex";

 import { TDbClient } from "@app/db";
@@ -11,6 +12,7 @@ import {
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
+import { logger } from "@app/lib/logger";

 export type TSnapshotDALFactory = ReturnType<typeof snapshotDALFactory>;

@@ -325,12 +327,152 @@ export const snapshotDALFactory = (db: TDbClient) => {
    }
  };

+  /**
+   * Prunes excess snapshots from the database to ensure only a specified number of recent snapshots are retained for each folder.
+   *
+   * This function operates in three main steps:
+   * 1. Pruning snapshots from root/non-versioned folders.
+   * 2. Pruning snapshots from versioned folders.
+   * 3. Removing orphaned snapshots that do not belong to any existing folder or folder version.
+   *
+   * The function processes snapshots in batches, determined by the `PRUNE_FOLDER_BATCH_SIZE` constant,
+   * to manage the large datasets without overwhelming the DB.
+   *
+   * Steps:
+   * - Fetch a batch of folder IDs.
+   * - For each batch, use a Common Table Expression (CTE) to rank snapshots within each folder by their creation date.
+   * - Identify and delete snapshots that exceed the project's point-in-time version limit (`pitVersionLimit`).
+   * - Repeat the process for versioned folders.
+   * - Finally, delete orphaned snapshots that do not have an associated folder.
+   */
+  const pruneExcessSnapshots = async () => {
+    const PRUNE_FOLDER_BATCH_SIZE = 10000;
+
+    try {
+      let uuidOffset = "00000000-0000-0000-0000-000000000000";
+      // cleanup snapshots from root/non-versioned folders
+      // eslint-disable-next-line no-constant-condition, no-unreachable-loop
+      while (true) {
+        const folderBatch = await db(TableName.SecretFolder)
+          .where("id", ">", uuidOffset)
+          .where("isReserved", false)
+          .orderBy("id", "asc")
+          .limit(PRUNE_FOLDER_BATCH_SIZE)
+          .select("id");
+
+        const batchEntries = folderBatch.map((folder) => folder.id);
+
+        if (folderBatch.length) {
+          try {
+            logger.info(`Pruning snapshots in [range=${batchEntries[0]}:${batchEntries[batchEntries.length - 1]}]`);
+            await db(TableName.Snapshot)
+              .with("snapshot_cte", (qb) => {
+                void qb
+                  .from(TableName.Snapshot)
+                  .whereIn(`${TableName.Snapshot}.folderId`, batchEntries)
+                  .select(
+                    "folderId",
+                    `${TableName.Snapshot}.id as id`,
+                    db.raw(
+                      `ROW_NUMBER() OVER (PARTITION BY ${TableName.Snapshot}."folderId" ORDER BY ${TableName.Snapshot}."createdAt" DESC) AS row_num`
+                    )
+                  );
+              })
+              .join(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.Snapshot}.folderId`)
+              .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
+              .join(TableName.Project, `${TableName.Project}.id`, `${TableName.Environment}.projectId`)
+              .join("snapshot_cte", "snapshot_cte.id", `${TableName.Snapshot}.id`)
+              .whereNull(`${TableName.SecretFolder}.parentId`)
+              .whereRaw(`snapshot_cte.row_num > ${TableName.Project}."pitVersionLimit"`)
+              .delete();
+          } catch (err) {
+            logger.error(
+              `Failed to prune snapshots from root/non-versioned folders in range ${batchEntries[0]}:${
+                batchEntries[batchEntries.length - 1]
+              }`
+            );
+          } finally {
+            uuidOffset = batchEntries[batchEntries.length - 1];
+          }
+        } else {
+          break;
+        }
+      }
+
+      // cleanup snapshots from versioned folders
+      uuidOffset = "00000000-0000-0000-0000-000000000000";
+      // eslint-disable-next-line no-constant-condition
+      while (true) {
+        const folderBatch = await db(TableName.SecretFolderVersion)
+          .select("folderId")
+          .distinct("folderId")
+          .where("folderId", ">", uuidOffset)
+          .orderBy("folderId", "asc")
+          .limit(PRUNE_FOLDER_BATCH_SIZE);
+
+        const batchEntries = folderBatch.map((folder) => folder.folderId);
+
+        if (folderBatch.length) {
+          try {
+            logger.info(`Pruning snapshots in range ${batchEntries[0]}:${batchEntries[batchEntries.length - 1]}`);
+            await db(TableName.Snapshot)
+              .with("snapshot_cte", (qb) => {
+                void qb
+                  .from(TableName.Snapshot)
+                  .whereIn(`${TableName.Snapshot}.folderId`, batchEntries)
+                  .select(
+                    "folderId",
+                    `${TableName.Snapshot}.id as id`,
+                    db.raw(
+                      `ROW_NUMBER() OVER (PARTITION BY ${TableName.Snapshot}."folderId" ORDER BY ${TableName.Snapshot}."createdAt" DESC) AS row_num`
+                    )
+                  );
+              })
+              .join(
+                TableName.SecretFolderVersion,
+                `${TableName.SecretFolderVersion}.folderId`,
+                `${TableName.Snapshot}.folderId`
+              )
+              .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolderVersion}.envId`)
+              .join(TableName.Project, `${TableName.Project}.id`, `${TableName.Environment}.projectId`)
+              .join("snapshot_cte", "snapshot_cte.id", `${TableName.Snapshot}.id`)
+              .whereRaw(`snapshot_cte.row_num > ${TableName.Project}."pitVersionLimit"`)
+              .delete();
+          } catch (err) {
+            logger.error(
+              `Failed to prune snapshots from versioned folders in range ${batchEntries[0]}:${
+                batchEntries[batchEntries.length - 1]
+              }`
+            );
+          } finally {
+            uuidOffset = batchEntries[batchEntries.length - 1];
+          }
+        } else {
+          break;
+        }
+      }
+
+      // cleanup orphaned snapshots (those that don't belong to an existing folder and folder version)
+      await db(TableName.Snapshot)
+        .whereNotIn("folderId", (qb) => {
+          void qb
+            .select("folderId")
+            .from(TableName.SecretFolderVersion)
+            .union((qb1) => void qb1.select("id").from(TableName.SecretFolder));
+        })
+        .delete();
+    } catch (error) {
+      throw new DatabaseError({ error, name: "SnapshotPrune" });
+    }
+  };
+
  return {
    ...secretSnapshotOrm,
    findById,
    findLatestSnapshotByFolderId,
    findRecursivelySnapshots,
    countOfSnapshotsByFolderId,
-    findSecretSnapshotDataById
+    findSecretSnapshotDataById,
+    pruneExcessSnapshots
  };
 };
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -39,7 +39,9 @@ const envSchema = z
    HTTPS_ENABLED: zodStrBool,
    // smtp options
    SMTP_HOST: zpStr(z.string().optional()),
-    SMTP_SECURE: zodStrBool,
+    SMTP_IGNORE_TLS: zodStrBool.default("false"),
+    SMTP_REQUIRE_TLS: zodStrBool.default("true"),
+    SMTP_TLS_REJECT_UNAUTHORIZED: zodStrBool.default("true"),
    SMTP_PORT: z.coerce.number().default(587),
    SMTP_USERNAME: zpStr(z.string().optional()),
    SMTP_PASSWORD: zpStr(z.string().optional()),
@@ -153,13 +155,20 @@ export const initEnvConfig = (logger: Logger) => {
  return envCfg;
 };

-export const formatSmtpConfig = () => ({
-  host: envCfg.SMTP_HOST,
-  port: envCfg.SMTP_PORT,
-  auth:
-    envCfg.SMTP_USERNAME && envCfg.SMTP_PASSWORD
-      ? { user: envCfg.SMTP_USERNAME, pass: envCfg.SMTP_PASSWORD }
-      : undefined,
-  secure: envCfg.SMTP_SECURE,
-  from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`
-});
+export const formatSmtpConfig = () => {
+  return {
+    host: envCfg.SMTP_HOST,
+    port: envCfg.SMTP_PORT,
+    auth:
+      envCfg.SMTP_USERNAME && envCfg.SMTP_PASSWORD
+        ? { user: envCfg.SMTP_USERNAME, pass: envCfg.SMTP_PASSWORD }
+        : undefined,
+    secure: envCfg.SMTP_PORT === 465,
+    from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`,
+    ignoreTLS: envCfg.SMTP_IGNORE_TLS,
+    requireTLS: envCfg.SMTP_REQUIRE_TLS,
+    tls: {
+      rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
+    }
+  };
+};
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@@ -17,6 +17,8 @@ import { Logger } from "pino";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
+import { rateLimitDALFactory } from "@app/services/rate-limit/rate-limit-dal";
+import { rateLimitServiceFactory } from "@app/services/rate-limit/rate-limit-service";
 import { TSmtpService } from "@app/services/smtp/smtp-service";

 import { globalRateLimiterCfg } from "./config/rateLimiter";
@@ -69,8 +71,12 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {

    // Rate limiters and security headers
    if (appCfg.isProductionMode) {
+      const rateLimitDAL = rateLimitDALFactory(db);
+      const rateLimitService = rateLimitServiceFactory({ rateLimitDAL });
+      await rateLimitService.syncRateLimitConfiguration();
      await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
    }
+
    await server.register(helmet, { contentSecurityPolicy: false });

    await server.register(maintenanceMode);
--- a/backend/src/server/boot-strap-check.ts
+++ b/backend/src/server/boot-strap-check.ts
@@ -5,7 +5,6 @@ import { createTransport } from "nodemailer";

 import { formatSmtpConfig, getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
-import { getTlsOption } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";

 type BootstrapOpt = {
@@ -44,7 +43,7 @@ export const bootstrapCheck = async ({ db }: BootstrapOpt) => {
  console.info("Testing smtp connection");

  const smtpCfg = formatSmtpConfig();
-  await createTransport({ ...smtpCfg, ...getTlsOption(smtpCfg.host, smtpCfg.secure) })
+  await createTransport(smtpCfg)
    .verify()
    .then(async () => {
      console.info("SMTP successfully connected");
--- a/backend/src/server/config/rateLimiter.ts
+++ b/backend/src/server/config/rateLimiter.ts
@@ -2,6 +2,7 @@ import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-lim
 import { Redis } from "ioredis";

 import { getConfig } from "@app/lib/config/env";
+import { getRateLimiterConfig } from "@app/services/rate-limit/rate-limit-service";

 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
  const appCfg = getConfig();
@@ -21,14 +22,14 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 // GET endpoints
 export const readLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
-  max: 600,
+  max: () => getRateLimiterConfig().readLimit,
  keyGenerator: (req) => req.realIp
 };

 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
-  max: 200, // (too low, FA having issues so increasing it - maidul)
+  max: () => getRateLimiterConfig().writeLimit,
  keyGenerator: (req) => req.realIp
 };

@@ -36,25 +37,25 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
  // secrets, folders, secret imports
  timeWindow: 60 * 1000,
-  max: 60,
+  max: () => getRateLimiterConfig().secretsLimit,
  keyGenerator: (req) => req.realIp
 };

 export const authRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
-  max: 60,
+  max: () => getRateLimiterConfig().authRateLimit,
  keyGenerator: (req) => req.realIp
 };

 export const inviteUserRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
-  max: 30,
+  max: () => getRateLimiterConfig().inviteUserRateLimit,
  keyGenerator: (req) => req.realIp
 };

 export const mfaRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
-  max: 20,
+  max: () => getRateLimiterConfig().mfaRateLimit,
  keyGenerator: (req) => {
    return req.headers.authorization?.split(" ")[1] || req.realIp;
  }
@@ -63,7 +64,7 @@ export const mfaRateLimit: RateLimitOptions = {
 export const creationLimit: RateLimitOptions = {
  // identity, project, org
  timeWindow: 60 * 1000,
-  max: 30,
+  max: () => getRateLimiterConfig().creationLimit,
  keyGenerator: (req) => req.realIp
 };

@@ -71,6 +72,6 @@ export const creationLimit: RateLimitOptions = {
 export const publicEndpointLimit: RateLimitOptions = {
  // Shared Secrets
  timeWindow: 60 * 1000,
-  max: 30,
+  max: () => getRateLimiterConfig().publicEndpointLimit,
  keyGenerator: (req) => req.realIp
 };
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -1,3 +1,4 @@
+import { CronJob } from "cron";
 import { Knex } from "knex";
 import { z } from "zod";

@@ -121,6 +122,8 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { rateLimitDALFactory } from "@app/services/rate-limit/rate-limit-dal";
+import { rateLimitServiceFactory } from "@app/services/rate-limit/rate-limit-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
@@ -185,6 +188,7 @@ export const registerRoutes = async (
  const incidentContactDAL = incidentContactDALFactory(db);
  const orgRoleDAL = orgRoleDALFactory(db);
  const superAdminDAL = superAdminDALFactory(db);
+  const rateLimitDAL = rateLimitDALFactory(db);
  const apiKeyDAL = apiKeyDALFactory(db);

  const projectDAL = projectDALFactory(db);
@@ -444,6 +448,9 @@ export const registerRoutes = async (
    orgService,
    keyStore
  });
+  const rateLimitService = rateLimitServiceFactory({
+    rateLimitDAL
+  });
  const apiKeyService = apiKeyServiceFactory({ apiKeyDAL, userDAL });

  const secretScanningQueue = secretScanningQueueFactory({
@@ -824,6 +831,9 @@ export const registerRoutes = async (
  const dailyResourceCleanUp = dailyResourceCleanUpQueueServiceFactory({
    auditLogDAL,
    queueService,
+    secretVersionDAL,
+    secretFolderVersionDAL: folderVersionDAL,
+    snapshotDAL,
    identityAccessTokenDAL,
    secretSharingDAL
  });
@@ -859,6 +869,7 @@ export const registerRoutes = async (
    secret: secretService,
    secretReplication: secretReplicationService,
    secretTag: secretTagService,
+    rateLimit: rateLimitService,
    folder: folderService,
    secretImport: secretImportService,
    projectBot: projectBotService,
@@ -897,6 +908,11 @@ export const registerRoutes = async (
    secretSharing: secretSharingService
  });

+  const cronJobs: CronJob[] = [];
+  if (appCfg.isProductionMode) {
+    cronJobs.push(rateLimitService.initializeBackgroundSync());
+  }
+
  server.decorate<FastifyZodProvider["store"]>("store", {
    user: userDAL
  });
@@ -951,6 +967,7 @@ export const registerRoutes = async (
  await server.register(registerV3Routes, { prefix: "/api/v3" });

  server.addHook("onClose", async () => {
+    cronJobs.forEach((job) => job.stop());
    await telemetryService.flushAll();
  });
 };
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@@ -17,6 +17,7 @@ import { registerProjectEnvRouter } from "./project-env-router";
 import { registerProjectKeyRouter } from "./project-key-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
+import { registerRateLimitRouter } from "./rate-limit-router";
 import { registerSecretFolderRouter } from "./secret-folder-router";
 import { registerSecretImportRouter } from "./secret-import-router";
 import { registerSecretSharingRouter } from "./secret-sharing-router";
@@ -43,6 +44,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
  await server.register(registerPasswordRouter, { prefix: "/password" });
  await server.register(registerOrgRouter, { prefix: "/organization" });
  await server.register(registerAdminRouter, { prefix: "/admin" });
+  await server.register(registerRateLimitRouter, { prefix: "/rate-limit" });
  await server.register(registerUserRouter, { prefix: "/user" });
  await server.register(registerInviteOrgRouter, { prefix: "/invite-org" });
  await server.register(registerUserActionRouter, { prefix: "/user-action" });
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -334,6 +334,44 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "PUT",
+    url: "/:workspaceSlug/version-limit",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceSlug: z.string().trim()
+      }),
+      body: z.object({
+        pitVersionLimit: z.number().min(1).max(100)
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          workspace: ProjectsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const workspace = await server.services.project.updateVersionLimit({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        pitVersionLimit: req.body.pitVersionLimit,
+        workspaceSlug: req.params.workspaceSlug
+      });
+
+      return {
+        message: "Successfully changed workspace version limit",
+        workspace
+      };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/:workspaceId/integrations",
--- a/backend/src/server/routes/v1/rate-limit-router.ts
+++ b/backend/src/server/routes/v1/rate-limit-router.ts
@@ -0,0 +1,75 @@
+import { z } from "zod";
+
+import { RateLimitSchema } from "@app/db/schemas";
+import { BadRequestError } from "@app/lib/errors";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          rateLimit: RateLimitSchema
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async () => {
+      const rateLimit = await server.services.rateLimit.getRateLimits();
+      if (!rateLimit) {
+        throw new BadRequestError({
+          name: "Get Rate Limit Error",
+          message: "Rate limit configuration does not exist."
+        });
+      }
+      return { rateLimit };
+    }
+  });
+
+  server.route({
+    method: "PUT",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+
+    schema: {
+      body: z.object({
+        readRateLimit: z.number(),
+        writeRateLimit: z.number(),
+        secretsRateLimit: z.number(),
+        authRateLimit: z.number(),
+        inviteUserRateLimit: z.number(),
+        mfaRateLimit: z.number(),
+        creationLimit: z.number(),
+        publicEndpointLimit: z.number()
+      }),
+      response: {
+        200: z.object({
+          rateLimit: RateLimitSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const rateLimit = await server.services.rateLimit.updateRateLimit(req.body);
+      return { rateLimit };
+    }
+  });
+};
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@@ -231,7 +231,7 @@ export const authSignupServiceFactory = ({

    const accessToken = jwt.sign(
      {
-        authMethod: AuthMethod.EMAIL,
+        authMethod: authMethod || AuthMethod.EMAIL,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@@ -244,7 +244,7 @@ export const authSignupServiceFactory = ({

    const refreshToken = jwt.sign(
      {
-        authMethod: AuthMethod.EMAIL,
+        authMethod: authMethod || AuthMethod.EMAIL,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -315,7 +315,6 @@ export const orgServiceFactory = ({
        },
        tx
      );
-      await licenseService.updateSubscriptionOrgMemberCount(org.id);
      await orgBotDAL.create(
        {
          name: org.name,
@@ -337,6 +336,7 @@ export const orgServiceFactory = ({
      return org;
    });

+    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
    return organization;
  };

--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -39,6 +39,7 @@ import {
  TToggleProjectAutoCapitalizationDTO,
  TUpdateProjectDTO,
  TUpdateProjectNameDTO,
+  TUpdateProjectVersionLimitDTO,
  TUpgradeProjectDTO
 } from "./project-types";

@@ -133,7 +134,8 @@ export const projectServiceFactory = ({
          name: workspaceName,
          orgId: organization.id,
          slug: projectSlug || slugify(`${workspaceName}-${alphaNumericNanoId(4)}`),
-          version: ProjectVersion.V2
+          version: ProjectVersion.V2,
+          pitVersionLimit: 10
        },
        tx
      );
@@ -406,6 +408,35 @@ export const projectServiceFactory = ({
    return updatedProject;
  };

+  const updateVersionLimit = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    pitVersionLimit,
+    workspaceSlug
+  }: TUpdateProjectVersionLimitDTO) => {
+    const project = await projectDAL.findProjectBySlug(workspaceSlug, actorOrgId);
+    if (!project) {
+      throw new BadRequestError({
+        message: "Project not found"
+      });
+    }
+
+    const { hasRole } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (!hasRole(ProjectMembershipRole.Admin))
+      throw new BadRequestError({ message: "Only admins are allowed to take this action" });
+
+    return projectDAL.updateById(project.id, { pitVersionLimit });
+  };
+
  const updateName = async ({
    projectId,
    actor,
@@ -501,6 +532,7 @@ export const projectServiceFactory = ({
    getAProject,
    toggleAutoCapitalization,
    updateName,
-    upgradeProject
+    upgradeProject,
+    updateVersionLimit
  };
 };
--- a/backend/src/services/project/project-types.ts
+++ b/backend/src/services/project/project-types.ts
@@ -43,6 +43,11 @@ export type TToggleProjectAutoCapitalizationDTO = {
  autoCapitalization: boolean;
 } & TProjectPermission;

+export type TUpdateProjectVersionLimitDTO = {
+  pitVersionLimit: number;
+  workspaceSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TUpdateProjectNameDTO = {
  name: string;
 } & TProjectPermission;
--- a/backend/src/services/rate-limit/rate-limit-dal.ts
+++ b/backend/src/services/rate-limit/rate-limit-dal.ts
@@ -0,0 +1,7 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TRateLimitDALFactory = ReturnType<typeof rateLimitDALFactory>;
+
+export const rateLimitDALFactory = (db: TDbClient) => ormify(db, TableName.RateLimit, {});
--- a/backend/src/services/rate-limit/rate-limit-service.ts
+++ b/backend/src/services/rate-limit/rate-limit-service.ts
@@ -0,0 +1,95 @@
+import { CronJob } from "cron";
+
+import { logger } from "@app/lib/logger";
+
+import { TRateLimitDALFactory } from "./rate-limit-dal";
+import { TRateLimit, TRateLimitUpdateDTO } from "./rate-limit-types";
+
+let rateLimitMaxConfiguration = {
+  readLimit: 60,
+  publicEndpointLimit: 30,
+  writeLimit: 200,
+  secretsLimit: 60,
+  authRateLimit: 60,
+  inviteUserRateLimit: 30,
+  mfaRateLimit: 20,
+  creationLimit: 30
+};
+
+Object.freeze(rateLimitMaxConfiguration);
+
+export const getRateLimiterConfig = () => {
+  return rateLimitMaxConfiguration;
+};
+
+type TRateLimitServiceFactoryDep = {
+  rateLimitDAL: TRateLimitDALFactory;
+};
+
+export type TRateLimitServiceFactory = ReturnType<typeof rateLimitServiceFactory>;
+
+export const rateLimitServiceFactory = ({ rateLimitDAL }: TRateLimitServiceFactoryDep) => {
+  const DEFAULT_RATE_LIMIT_CONFIG_ID = "00000000-0000-0000-0000-000000000000";
+
+  const getRateLimits = async (): Promise<TRateLimit | undefined> => {
+    let rateLimit: TRateLimit;
+
+    try {
+      rateLimit = await rateLimitDAL.findOne({ id: DEFAULT_RATE_LIMIT_CONFIG_ID });
+      if (!rateLimit) {
+        // rate limit might not exist
+        rateLimit = await rateLimitDAL.create({
+          // @ts-expect-error id is kept as fixed because there should only be one rate limit config per instance
+          id: DEFAULT_RATE_LIMIT_CONFIG_ID
+        });
+      }
+      return rateLimit;
+    } catch (err) {
+      logger.error("Error fetching rate limits %o", err);
+      return undefined;
+    }
+  };
+
+  const updateRateLimit = async (updates: TRateLimitUpdateDTO): Promise<TRateLimit> => {
+    return rateLimitDAL.updateById(DEFAULT_RATE_LIMIT_CONFIG_ID, updates);
+  };
+
+  const syncRateLimitConfiguration = async () => {
+    try {
+      const rateLimit = await getRateLimits();
+      if (rateLimit) {
+        const newRateLimitMaxConfiguration: typeof rateLimitMaxConfiguration = {
+          readLimit: rateLimit.readRateLimit,
+          publicEndpointLimit: rateLimit.publicEndpointLimit,
+          writeLimit: rateLimit.writeRateLimit,
+          secretsLimit: rateLimit.secretsRateLimit,
+          authRateLimit: rateLimit.authRateLimit,
+          inviteUserRateLimit: rateLimit.inviteUserRateLimit,
+          mfaRateLimit: rateLimit.mfaRateLimit,
+          creationLimit: rateLimit.creationLimit
+        };
+
+        logger.info(`syncRateLimitConfiguration: rate limit configuration: %o`, newRateLimitMaxConfiguration);
+        Object.freeze(newRateLimitMaxConfiguration);
+        rateLimitMaxConfiguration = newRateLimitMaxConfiguration;
+      }
+    } catch (error) {
+      logger.error(`Error syncing rate limit configurations: %o`, error);
+    }
+  };
+
+  const initializeBackgroundSync = () => {
+    // sync rate limits configuration every 10 minutes
+    const job = new CronJob("*/10 * * * *", syncRateLimitConfiguration);
+    job.start();
+
+    return job;
+  };
+
+  return {
+    getRateLimits,
+    updateRateLimit,
+    initializeBackgroundSync,
+    syncRateLimitConfiguration
+  };
+};
--- a/backend/src/services/rate-limit/rate-limit-types.ts
+++ b/backend/src/services/rate-limit/rate-limit-types.ts
@@ -0,0 +1,16 @@
+export type TRateLimitUpdateDTO = {
+  readRateLimit: number;
+  writeRateLimit: number;
+  secretsRateLimit: number;
+  authRateLimit: number;
+  inviteUserRateLimit: number;
+  mfaRateLimit: number;
+  creationLimit: number;
+  publicEndpointLimit: number;
+};
+
+export type TRateLimit = {
+  id: string;
+  createdAt: Date;
+  updatedAt: Date;
+} & TRateLimitUpdateDTO;
--- a/backend/src/services/resource-cleanup/resource-cleanup-queue.ts
+++ b/backend/src/services/resource-cleanup/resource-cleanup-queue.ts
@@ -1,13 +1,19 @@
 import { TAuditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
+import { TSnapshotDALFactory } from "@app/ee/services/secret-snapshot/snapshot-dal";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";

 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
+import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
 import { TSecretSharingDALFactory } from "../secret-sharing/secret-sharing-dal";

 type TDailyResourceCleanUpQueueServiceFactoryDep = {
  auditLogDAL: Pick<TAuditLogDALFactory, "pruneAuditLog">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "removeExpiredTokens">;
+  secretVersionDAL: Pick<TSecretVersionDALFactory, "pruneExcessVersions">;
+  secretFolderVersionDAL: Pick<TSecretFolderVersionDALFactory, "pruneExcessVersions">;
+  snapshotDAL: Pick<TSnapshotDALFactory, "pruneExcessSnapshots">;
  secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets">;
  queueService: TQueueServiceFactory;
 };
@@ -17,6 +23,9 @@ export type TDailyResourceCleanUpQueueServiceFactory = ReturnType<typeof dailyRe
 export const dailyResourceCleanUpQueueServiceFactory = ({
  auditLogDAL,
  queueService,
+  snapshotDAL,
+  secretVersionDAL,
+  secretFolderVersionDAL,
  identityAccessTokenDAL,
  secretSharingDAL
 }: TDailyResourceCleanUpQueueServiceFactoryDep) => {
@@ -25,6 +34,9 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
    await auditLogDAL.pruneAuditLog();
    await identityAccessTokenDAL.removeExpiredTokens();
    await secretSharingDAL.pruneExpiredSharedSecrets();
+    await snapshotDAL.pruneExcessSnapshots();
+    await secretVersionDAL.pruneExcessVersions();
+    await secretFolderVersionDAL.pruneExcessVersions();
    logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
  });

--- a/backend/src/services/secret-folder/secret-folder-version-dal.ts
+++ b/backend/src/services/secret-folder/secret-folder-version-dal.ts
@@ -62,5 +62,32 @@ export const secretFolderVersionDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...secretFolderVerOrm, findLatestFolderVersions, findLatestVersionByFolderId };
+  const pruneExcessVersions = async () => {
+    try {
+      await db(TableName.SecretFolderVersion)
+        .with("folder_cte", (qb) => {
+          void qb
+            .from(TableName.SecretFolderVersion)
+            .select(
+              "id",
+              "folderId",
+              db.raw(
+                `ROW_NUMBER() OVER (PARTITION BY ${TableName.SecretFolderVersion}."folderId" ORDER BY ${TableName.SecretFolderVersion}."createdAt" DESC) AS row_num`
+              )
+            );
+        })
+        .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolderVersion}.envId`)
+        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.Environment}.projectId`)
+        .join("folder_cte", "folder_cte.id", `${TableName.SecretFolderVersion}.id`)
+        .whereRaw(`folder_cte.row_num > ${TableName.Project}."pitVersionLimit"`)
+        .delete();
+    } catch (error) {
+      throw new DatabaseError({
+        error,
+        name: "Secret Folder Version Prune"
+      });
+    }
+  };
+
+  return { ...secretFolderVerOrm, findLatestFolderVersions, findLatestVersionByFolderId, pruneExcessVersions };
 };
--- a/backend/src/services/secret/secret-fns.ts
+++ b/backend/src/services/secret/secret-fns.ts
@@ -309,7 +309,7 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
  };

  const expandSecrets = async (
-    secrets: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>
+    secrets: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean | null }>
  ) => {
    const expandedSec: Record<string, string> = {};
    const interpolatedSec: Record<string, string> = {};
@@ -329,8 +329,8 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
        // should not do multi line encoding if user has set it to skip
        // eslint-disable-next-line
        secrets[key].value = secrets[key].skipMultilineEncoding
-          ? expandedSec[key]
-          : formatMultiValueEnv(expandedSec[key]);
+          ? formatMultiValueEnv(expandedSec[key])
+          : expandedSec[key];
        // eslint-disable-next-line
        continue;
      }
@@ -347,7 +347,7 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
      );

      // eslint-disable-next-line
-      secrets[key].value = secrets[key].skipMultilineEncoding ? expandedVal : formatMultiValueEnv(expandedVal);
+      secrets[key].value = secrets[key].skipMultilineEncoding ? formatMultiValueEnv(expandedVal) : expandedVal;
    }

    return secrets;
@@ -395,7 +395,8 @@ export const decryptSecretRaw = (
    type: secret.type,
    _id: secret.id,
    id: secret.id,
-    user: secret.userId
+    user: secret.userId,
+    skipMultilineEncoding: secret.skipMultilineEncoding
  };
 };

--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@@ -69,7 +69,10 @@ const MAX_SYNC_SECRET_DEPTH = 5;
 export const uniqueSecretQueueKey = (environment: string, secretPath: string) =>
  `secret-queue-dedupe-${environment}-${secretPath}`;

-type TIntegrationSecret = Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>;
+type TIntegrationSecret = Record<
+  string,
+  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
+>;
 export const secretQueueFactory = ({
  queueService,
  integrationDAL,
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@@ -952,15 +952,49 @@ export const secretServiceFactory = ({
    });

    const decryptedSecrets = secrets.map((el) => decryptSecretRaw(el, botKey));
-    const decryptedImports = (imports || [])?.map(({ secrets: importedSecrets, ...el }) => ({
-      ...el,
-      secrets: importedSecrets.map((sec) =>
+    const processedImports = (imports || [])?.map(({ secrets: importedSecrets, ...el }) => {
+      const decryptedImportSecrets = importedSecrets.map((sec) =>
        decryptSecretRaw(
          { ...sec, environment: el.environment, workspace: projectId, secretPath: el.secretPath },
          botKey
        )
-      )
-    }));
+      );
+
+      // secret-override to handle duplicate keys from different import levels
+      // this prioritizes secret values from direct imports
+      const importedKeys = new Set<string>();
+      const importedEntries = decryptedImportSecrets.reduce(
+        (
+          accum: {
+            secretKey: string;
+            secretPath: string;
+            workspace: string;
+            environment: string;
+            secretValue: string;
+            secretComment: string;
+            version: number;
+            type: string;
+            _id: string;
+            id: string;
+            user: string | null | undefined;
+            skipMultilineEncoding: boolean | null | undefined;
+          }[],
+          sec
+        ) => {
+          if (!importedKeys.has(sec.secretKey)) {
+            importedKeys.add(sec.secretKey);
+            return [...accum, sec];
+          }
+          return accum;
+        },
+        []
+      );
+
+      return {
+        ...el,
+        secrets: importedEntries
+      };
+    });

    if (expandSecretReferences) {
      const expandSecrets = interpolateSecrets({
@@ -971,10 +1005,24 @@ export const secretServiceFactory = ({
      });

      const batchSecretsExpand = async (
-        secretBatch: { secretKey: string; secretValue: string; secretComment?: string; secretPath: string }[]
+        secretBatch: {
+          secretKey: string;
+          secretValue: string;
+          secretComment?: string;
+          secretPath: string;
+          skipMultilineEncoding: boolean | null | undefined;
+        }[]
      ) => {
        // Group secrets by secretPath
-        const secretsByPath: Record<string, { secretKey: string; secretValue: string; secretComment?: string }[]> = {};
+        const secretsByPath: Record<
+          string,
+          {
+            secretKey: string;
+            secretValue: string;
+            secretComment?: string;
+            skipMultilineEncoding: boolean | null | undefined;
+          }[]
+        > = {};

        secretBatch.forEach((secret) => {
          if (!secretsByPath[secret.secretPath]) {
@@ -990,11 +1038,15 @@ export const secretServiceFactory = ({
            continue;
          }

-          const secretRecord: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
+          const secretRecord: Record<
+            string,
+            { value: string; comment?: string; skipMultilineEncoding: boolean | null | undefined }
+          > = {};
          secretsByPath[secPath].forEach((decryptedSecret) => {
            secretRecord[decryptedSecret.secretKey] = {
              value: decryptedSecret.secretValue,
-              comment: decryptedSecret.secretComment
+              comment: decryptedSecret.secretComment,
+              skipMultilineEncoding: decryptedSecret.skipMultilineEncoding
            };
          });

@@ -1011,12 +1063,12 @@ export const secretServiceFactory = ({
      await batchSecretsExpand(decryptedSecrets);

      // expand imports by batch
-      await Promise.all(decryptedImports.map((decryptedImport) => batchSecretsExpand(decryptedImport.secrets)));
+      await Promise.all(processedImports.map((processedImport) => batchSecretsExpand(processedImport.secrets)));
    }

    return {
      secrets: decryptedSecrets,
-      imports: decryptedImports
+      imports: processedImports
    };
  };

--- a/backend/src/services/secret/secret-version-dal.ts
+++ b/backend/src/services/secret/secret-version-dal.ts
@@ -111,8 +111,37 @@ export const secretVersionDALFactory = (db: TDbClient) => {
    }
  };

+  const pruneExcessVersions = async () => {
+    try {
+      await db(TableName.SecretVersion)
+        .with("version_cte", (qb) => {
+          void qb
+            .from(TableName.SecretVersion)
+            .select(
+              "id",
+              "folderId",
+              db.raw(
+                `ROW_NUMBER() OVER (PARTITION BY ${TableName.SecretVersion}."secretId" ORDER BY ${TableName.SecretVersion}."createdAt" DESC) AS row_num`
+              )
+            );
+        })
+        .join(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.SecretVersion}.folderId`)
+        .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
+        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.Environment}.projectId`)
+        .join("version_cte", "version_cte.id", `${TableName.SecretVersion}.id`)
+        .whereRaw(`version_cte.row_num > ${TableName.Project}."pitVersionLimit"`)
+        .delete();
+    } catch (error) {
+      throw new DatabaseError({
+        error,
+        name: "Secret Version Prune"
+      });
+    }
+  };
+
  return {
    ...secretVersionOrm,
+    pruneExcessVersions,
    findLatestVersionMany,
    bulkUpdate,
    findLatestVersionByFolderId,
--- a/backend/src/services/smtp/smtp-service.ts
+++ b/backend/src/services/smtp/smtp-service.ts
@@ -41,21 +41,8 @@ export enum SmtpHost {
  Office365 = "smtp.office365.com"
 }

-export const getTlsOption = (host?: SmtpHost | string, secure?: boolean) => {
-  if (!secure) return { secure: false };
-  if (!host) return { secure: true };
-
-  if ((host as SmtpHost) === SmtpHost.Sendgrid) {
-    return { secure: true, port: 465 }; // more details here https://nodemailer.com/smtp/
-  }
-  if (host.includes("amazonaws.com")) {
-    return { tls: { ciphers: "TLSv1.2" } };
-  }
-  return { requireTLS: true, tls: { ciphers: "TLSv1.2" } };
-};
-
 export const smtpServiceFactory = (cfg: TSmtpConfig) => {
-  const smtp = createTransport({ ...cfg, ...getTlsOption(cfg.host, cfg.secure) });
+  const smtp = createTransport(cfg);
  const isSmtpOn = Boolean(cfg.host);

  const sendMail = async ({ substitutions, recipients, template, subjectLine }: TSmtpSendMail) => {
--- a/backend/src/services/user/user-service.ts
+++ b/backend/src/services/user/user-service.ts
@@ -21,6 +21,7 @@ type TUserServiceFactoryDep = {
    | "findOneUserAction"
    | "createUserAction"
    | "findUserEncKeyByUserId"
+    | "delete"
  >;
  userAliasDAL: Pick<TUserAliasDALFactory, "find" | "insertMany">;
  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "insertMany">;
@@ -85,7 +86,7 @@ export const userServiceFactory = ({
        tx
      );

-      // check if there are users with the same email.
+      // check if there are verified users with the same email.
      const users = await userDAL.find(
        {
          email,
@@ -134,6 +135,15 @@ export const userServiceFactory = ({
          );
        }
      } else {
+        await userDAL.delete(
+          {
+            email,
+            isAccepted: false,
+            isEmailVerified: false
+          },
+          tx
+        );
+
        // update current user's username to [email]
        await userDAL.updateById(
          user.id,
--- a/cli/.gitignore
+++ b/cli/.gitignore
@@ -1,3 +1,4 @@
 .infisical.json
 dist/
 agent-config.test.yaml
+.test.env
--- a/cli/go.mod
+++ b/cli/go.mod
@@ -3,7 +3,9 @@ module github.com/Infisical/infisical-merge
 go 1.21

 require (
+	github.com/bradleyjkemp/cupaloy/v2 v2.8.0
 	github.com/charmbracelet/lipgloss v0.5.0
+	github.com/creack/pty v1.1.21
 	github.com/denisbrodbeck/machineid v1.0.1
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
@@ -29,7 +31,6 @@ require (
 require (
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
-	github.com/bradleyjkemp/cupaloy/v2 v2.8.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
--- a/cli/go.sum
+++ b/cli/go.sum
@@ -74,6 +74,8 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
+github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE=
 github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
--- a/cli/packages/util/common.go
+++ b/cli/packages/util/common.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+
+	"github.com/Infisical/infisical-merge/packages/config"
 )

 func GetHomeDir() (string, error) {
@@ -21,7 +23,7 @@ func WriteToFile(fileName string, dataToWrite []byte, filePerm os.FileMode) erro
 	return nil
 }

-func CheckIsConnectedToInternet() (ok bool) {
-	_, err := http.Get("http://clients3.google.com/generate_204")
+func ValidateInfisicalAPIConnection() (ok bool) {
+	_, err := http.Get(fmt.Sprintf("%v/status", config.INFISICAL_URL))
 	return err == nil
 }
--- a/cli/packages/util/secrets.go
+++ b/cli/packages/util/secrets.go
@@ -307,32 +307,33 @@ func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tag
 }

 func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
-	isConnected := CheckIsConnectedToInternet()
 	var secretsToReturn []models.SingleEnvironmentVariable
 	// var serviceTokenDetails api.GetServiceTokenDetailsResponse
 	var errorToReturn error

 	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {
-		if isConnected {
-			log.Debug().Msg("GetAllEnvironmentVariables: Connected to internet, checking logged in creds")
-
-			if projectConfigFilePath == "" {
-				RequireLocalWorkspaceFile()
-			} else {
-				ValidateWorkspaceFile(projectConfigFilePath)
-			}
-
-			RequireLogin()
+		if projectConfigFilePath == "" {
+			RequireLocalWorkspaceFile()
+		} else {
+			ValidateWorkspaceFile(projectConfigFilePath)
 		}

+		RequireLogin()
+
 		log.Debug().Msg("GetAllEnvironmentVariables: Trying to fetch secrets using logged in details")

 		loggedInUserDetails, err := GetCurrentLoggedInUserDetails()
+		isConnected := ValidateInfisicalAPIConnection()
+
+		if isConnected {
+			log.Debug().Msg("GetAllEnvironmentVariables: Connected to Infisical instance, checking logged in creds")
+		}
+
 		if err != nil {
 			return nil, err
 		}

-		if loggedInUserDetails.LoginExpired {
+		if isConnected && loggedInUserDetails.LoginExpired {
 			PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
 		}

@@ -364,12 +365,12 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo

 		backupSecretsEncryptionKey := []byte(loggedInUserDetails.UserCredentials.PrivateKey)[0:32]
 		if errorToReturn == nil {
-			WriteBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, backupSecretsEncryptionKey, secretsToReturn)
+			WriteBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, params.SecretsPath, backupSecretsEncryptionKey, secretsToReturn)
 		}

 		// only attempt to serve cached secrets if no internet connection and if at least one secret cached
 		if !isConnected {
-			backedSecrets, err := ReadBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, backupSecretsEncryptionKey)
+			backedSecrets, err := ReadBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, params.SecretsPath, backupSecretsEncryptionKey)
 			if len(backedSecrets) > 0 {
 				PrintWarning("Unable to fetch latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug")
 				secretsToReturn = backedSecrets
@@ -634,8 +635,9 @@ func GetPlainTextSecrets(key []byte, encryptedSecrets []api.EncryptedSecretV3) (
 	return plainTextSecrets, nil
 }

-func WriteBackupSecrets(workspace string, environment string, encryptionKey []byte, secrets []models.SingleEnvironmentVariable) error {
-	fileName := fmt.Sprintf("secrets_%s_%s", workspace, environment)
+func WriteBackupSecrets(workspace string, environment string, secretsPath string, encryptionKey []byte, secrets []models.SingleEnvironmentVariable) error {
+	formattedPath := strings.ReplaceAll(secretsPath, "/", "-")
+	fileName := fmt.Sprintf("secrets_%s_%s_%s", workspace, environment, formattedPath)
 	secrets_backup_folder_name := "secrets-backup"

 	_, fullConfigFileDirPath, err := GetFullConfigFilePath()
@@ -672,8 +674,9 @@ func WriteBackupSecrets(workspace string, environment string, encryptionKey []by
 	return nil
 }

-func ReadBackupSecrets(workspace string, environment string, encryptionKey []byte) ([]models.SingleEnvironmentVariable, error) {
-	fileName := fmt.Sprintf("secrets_%s_%s", workspace, environment)
+func ReadBackupSecrets(workspace string, environment string, secretsPath string, encryptionKey []byte) ([]models.SingleEnvironmentVariable, error) {
+	formattedPath := strings.ReplaceAll(secretsPath, "/", "-")
+	fileName := fmt.Sprintf("secrets_%s_%s_%s", workspace, environment, formattedPath)
 	secrets_backup_folder_name := "secrets-backup"

 	_, fullConfigFileDirPath, err := GetFullConfigFilePath()
--- a/cli/scripts/export_test_env.sh
+++ b/cli/scripts/export_test_env.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+TEST_ENV_FILE=".test.env"
+
+# Check if the .env file exists
+if [ ! -f "$TEST_ENV_FILE" ]; then
+    echo "$TEST_ENV_FILE does not exist."
+    exit 1
+fi
+
+# Export the variables
+while IFS= read -r line
+do
+    # Skip empty lines and lines starting with #
+    if [[ -z "$line" || "$line" =~ ^\# ]]; then
+        continue
+    fi
+    # Read the key-value pair
+    IFS='=' read -r key value <<< "$line"
+    eval export $key=\$value
+done < "$TEST_ENV_FILE"
+
+echo "Test environment variables set."
--- a/cli/test/.snapshots/test-TestUserAuth_SecretsGetAll
+++ b/cli/test/.snapshots/test-TestUserAuth_SecretsGetAll
@@ -0,0 +1,7 @@
+┌───────────────┬──────────────┬─────────────┐
+│ SECRET NAME   │ SECRET VALUE │ SECRET TYPE │
+├───────────────┼──────────────┼─────────────┤
+│ TEST-SECRET-1 │ test-value-1 │ shared      │
+│ TEST-SECRET-2 │ test-value-2 │ shared      │
+│ TEST-SECRET-3 │ test-value-3 │ shared      │
+└───────────────┴──────────────┴─────────────┘
--- a/cli/test/.snapshots/test-testUserAuth_SecretsGetAllWithoutConnection
+++ b/cli/test/.snapshots/test-testUserAuth_SecretsGetAllWithoutConnection
@@ -0,0 +1,8 @@
+Warning: Unable to fetch latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug 
+┌───────────────┬──────────────┬─────────────┐
+│ SECRET NAME   │ SECRET VALUE │ SECRET TYPE │
+├───────────────┼──────────────┼─────────────┤
+│ TEST-SECRET-1 │ test-value-1 │ shared      │
+│ TEST-SECRET-2 │ test-value-2 │ shared      │
+│ TEST-SECRET-3 │ test-value-3 │ shared      │
+└───────────────┴──────────────┴─────────────┘
--- a/cli/test/export_test.go
+++ b/cli/test/export_test.go
@@ -8,7 +8,6 @@ import (

 func TestUniversalAuth_ExportSecretsWithImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)

 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent")

@@ -24,8 +23,6 @@ func TestUniversalAuth_ExportSecretsWithImports(t *testing.T) {
 }

 func TestServiceToken_ExportSecretsWithImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent")

 	if err != nil {
@@ -41,8 +38,6 @@ func TestServiceToken_ExportSecretsWithImports(t *testing.T) {

 func TestUniversalAuth_ExportSecretsWithoutImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false")

 	if err != nil {
@@ -57,8 +52,6 @@ func TestUniversalAuth_ExportSecretsWithoutImports(t *testing.T) {
 }

 func TestServiceToken_ExportSecretsWithoutImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false")

 	if err != nil {
--- a/cli/test/helper.go
+++ b/cli/test/helper.go
@@ -2,10 +2,10 @@ package tests

 import (
 	"fmt"
+	"log"
 	"os"
 	"os/exec"
 	"strings"
-	"testing"
 )

 const (
@@ -23,6 +23,8 @@ type Credentials struct {
 	ServiceToken  string
 	ProjectID     string
 	EnvSlug       string
+	UserEmail     string
+	UserPassword  string
 }

 var creds = Credentials{
@@ -32,18 +34,21 @@ var creds = Credentials{
 	ServiceToken:  os.Getenv("CLI_TESTS_SERVICE_TOKEN"),
 	ProjectID:     os.Getenv("CLI_TESTS_PROJECT_ID"),
 	EnvSlug:       os.Getenv("CLI_TESTS_ENV_SLUG"),
+	UserEmail:     os.Getenv("CLI_TESTS_USER_EMAIL"),
+	UserPassword:  os.Getenv("CLI_TESTS_USER_PASSWORD"),
 }

 func ExecuteCliCommand(command string, args ...string) (string, error) {
 	cmd := exec.Command(command, args...)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
+		fmt.Println(fmt.Sprint(err) + ": " + string(output))
 		return strings.TrimSpace(string(output)), err
 	}
 	return strings.TrimSpace(string(output)), nil
 }

-func SetupCli(t *testing.T) {
+func SetupCli() {

 	if creds.ClientID == "" || creds.ClientSecret == "" || creds.ServiceToken == "" || creds.ProjectID == "" || creds.EnvSlug == "" {
 		panic("Missing required environment variables")
@@ -57,7 +62,7 @@ func SetupCli(t *testing.T) {

 	if !alreadyBuilt {
 		if err := exec.Command("go", "build", "../.").Run(); err != nil {
-			t.Fatal(err)
+			log.Fatal(err)
 		}
 	}

--- a/cli/test/login_test.go
+++ b/cli/test/login_test.go
@@ -1,14 +1,124 @@
 package tests

 import (
+	"log"
+	"os/exec"
+	"strings"
 	"testing"

+	"github.com/creack/pty"
 	"github.com/stretchr/testify/assert"
 )

-func MachineIdentityLoginCmd(t *testing.T) {
-	SetupCli(t)
+func UserInitCmd() {
+	c := exec.Command(FORMATTED_CLI_NAME, "init")
+	ptmx, err := pty.Start(c)
+	if err != nil {
+		log.Fatalf("error running CLI command: %v", err)
+    }
+ 	defer func() { _ = ptmx.Close() }()

+	stepChan := make(chan int, 10)
+
+	go func() {
+		buf := make([]byte, 1024)
+		step := -1
+		for {
+			n, err := ptmx.Read(buf)
+			if n > 0 {
+				terminalOut := string(buf)
+				if strings.Contains(terminalOut, "Which Infisical organization would you like to select a project from?") && step < 0  {
+					step += 1
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Which of your Infisical projects would you like to connect this project to?") && step < 1 {
+					step += 1;
+					stepChan <- step
+				}
+			}
+			if err != nil {
+				close(stepChan)
+				return
+			}
+		}
+	}()
+
+	for i := range stepChan {
+		switch i {
+		case 0: 
+			ptmx.Write([]byte("\n"))
+		case 1:
+			ptmx.Write([]byte("\n"))
+		}
+	}
+}
+
+func UserLoginCmd() {
+	// set vault to file because CI has no keyring
+	vaultCmd := exec.Command(FORMATTED_CLI_NAME, "vault", "set", "file")
+	_, err := vaultCmd.Output()
+	if err != nil {
+		log.Fatalf("error setting vault: %v", err)
+	}
+
+	// Start programmatic interaction with CLI
+	c := exec.Command(FORMATTED_CLI_NAME, "login", "--interactive")
+	ptmx, err := pty.Start(c)
+	if err != nil {
+		log.Fatalf("error running CLI command: %v", err)
+    }
+ 	defer func() { _ = ptmx.Close() }()
+
+	stepChan := make(chan int, 10)
+
+	go func() {
+		buf := make([]byte, 1024)
+		step := -1
+		for {
+			n, err := ptmx.Read(buf)
+			if n > 0 {
+				terminalOut := string(buf)
+				if strings.Contains(terminalOut, "Infisical Cloud") && step < 0 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Email") && step < 1 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Password") && step < 2 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Infisical organization") && step < 3 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Enter passphrase") && step < 4 {
+					step += 1;
+					stepChan <- step
+				}
+			}
+			if err != nil {
+				close(stepChan)
+				return
+			}
+		}
+	}()
+
+	for i := range stepChan {
+		switch i {
+		case 0:
+			ptmx.Write([]byte("\n"))
+		case 1:
+			ptmx.Write([]byte(creds.UserEmail))
+			ptmx.Write([]byte("\n"))
+		case 2:
+			ptmx.Write([]byte(creds.UserPassword))
+			ptmx.Write([]byte("\n"))
+		case 3:
+			ptmx.Write([]byte("\n"))
+		}
+	}
+
+}
+
+func MachineIdentityLoginCmd(t *testing.T) {
 	if creds.UAAccessToken != "" {
 		return
 	}
--- a/cli/test/main_test.go
+++ b/cli/test/main_test.go
@@ -0,0 +1,23 @@
+package tests
+
+import (
+	"fmt"
+	"os"
+	"testing"
+)
+
+func TestMain(m *testing.M) {
+    // Setup
+	fmt.Println("Setting up CLI...")
+	SetupCli()
+	fmt.Println("Performing user login...")
+	UserLoginCmd()
+	fmt.Println("Performing infisical init...")
+	UserInitCmd()
+
+    // Run the tests
+    code := m.Run()
+
+    // Exit
+    os.Exit(code)
+}
--- a/cli/test/run_test.go
+++ b/cli/test/run_test.go
@@ -8,8 +8,6 @@ import (
 )

 func TestServiceToken_RunCmdRecursiveAndImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent", "--", "echo", "hello world")

 	if err != nil {
@@ -25,8 +23,6 @@ func TestServiceToken_RunCmdRecursiveAndImports(t *testing.T) {
 	}
 }
 func TestServiceToken_RunCmdWithImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--", "echo", "hello world")

 	if err != nil {
@@ -44,8 +40,6 @@ func TestServiceToken_RunCmdWithImports(t *testing.T) {

 func TestUniversalAuth_RunCmdRecursiveAndImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent", "--", "echo", "hello world")

 	if err != nil {
@@ -63,8 +57,6 @@ func TestUniversalAuth_RunCmdRecursiveAndImports(t *testing.T) {

 func TestUniversalAuth_RunCmdWithImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--", "echo", "hello world")

 	if err != nil {
@@ -83,8 +75,6 @@ func TestUniversalAuth_RunCmdWithImports(t *testing.T) {

 func TestUniversalAuth_RunCmdWithoutImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false", "--", "echo", "hello world")

 	if err != nil {
@@ -101,8 +91,6 @@ func TestUniversalAuth_RunCmdWithoutImports(t *testing.T) {
 }

 func TestServiceToken_RunCmdWithoutImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false", "--", "echo", "hello world")

 	if err != nil {
--- a/cli/test/secrets_by_name_test.go
+++ b/cli/test/secrets_by_name_test.go
@@ -7,8 +7,6 @@ import (
 )

 func TestServiceToken_GetSecretsByNameRecursive(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
@@ -23,8 +21,6 @@ func TestServiceToken_GetSecretsByNameRecursive(t *testing.T) {
 }

 func TestServiceToken_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "DOES-NOT-EXIST", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
@@ -39,8 +35,6 @@ func TestServiceToken_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
 }

 func TestServiceToken_GetSecretsByNameWithImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "STAGING-SECRET-2", "FOLDER-SECRET-1", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
@@ -56,8 +50,6 @@ func TestServiceToken_GetSecretsByNameWithImports(t *testing.T) {

 func TestUniversalAuth_GetSecretsByNameRecursive(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
@@ -73,8 +65,6 @@ func TestUniversalAuth_GetSecretsByNameRecursive(t *testing.T) {

 func TestUniversalAuth_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "DOES-NOT-EXIST", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
@@ -90,8 +80,6 @@ func TestUniversalAuth_GetSecretsByNameWithNotFoundSecret(t *testing.T) {

 func TestUniversalAuth_GetSecretsByNameWithImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "STAGING-SECRET-2", "FOLDER-SECRET-1", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
--- a/cli/test/secrets_test.go
+++ b/cli/test/secrets_test.go
@@ -3,12 +3,12 @@ package tests
 import (
 	"testing"

+	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/bradleyjkemp/cupaloy/v2"
 )

-func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
-	SetupCli(t)

+func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")

 	if err != nil {
@@ -23,8 +23,6 @@ func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
 }

 func TestServiceToken_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")

 	if err != nil {
@@ -39,7 +37,6 @@ func TestServiceToken_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.
 }

 func TestUniversalAuth_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
-	SetupCli(t)
 	MachineIdentityLoginCmd(t)

 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
@@ -56,7 +53,6 @@ func TestUniversalAuth_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
 }

 func TestUniversalAuth_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.T) {
-	SetupCli(t)
 	MachineIdentityLoginCmd(t)

 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
@@ -73,7 +69,6 @@ func TestUniversalAuth_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing
 }

 func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
-	SetupCli(t)
 	MachineIdentityLoginCmd(t)

 	output, _ := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", "invalid-env", "--recursive", "--silent")
@@ -85,3 +80,45 @@ func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
 	}

 }
+
+func TestUserAuth_SecretsGetAll(t *testing.T) {
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+
+	// explicitly called here because it should happen directly after successful secretsGetAll
+	testUserAuth_SecretsGetAllWithoutConnection(t)
+}
+
+func testUserAuth_SecretsGetAllWithoutConnection(t *testing.T) {
+	originalConfigFile, err := util.GetConfigFile()
+	if err != nil {
+		t.Fatalf("error getting config file")
+	}
+	newConfigFile := originalConfigFile
+
+	// set it to a URL that will always be unreachable
+	newConfigFile.LoggedInUserDomain = "http://localhost:4999"
+	util.WriteConfigFile(&newConfigFile)
+	
+	// restore config file
+	defer util.WriteConfigFile(&originalConfigFile)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
--- a/docs/integrations/platforms/kubernetes.mdx
+++ b/docs/integrations/platforms/kubernetes.mdx
@@ -58,46 +58,108 @@ Once you apply the manifest, the operator will be installed in `infisical-operat
 Once you have installed the operator to your cluster, you'll need to create a `InfisicalSecret` custom resource definition (CRD).

 ```yaml example-infisical-secret-crd.yaml
+
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-  name: infisicalsecret-sample
-  labels:
-    label-to-be-passed-to-managed-secret: sample-value
-  annotations:
-    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+    name: infisicalsecret-sample
+    labels:
+        label-to-be-passed-to-managed-secret: sample-value
+    annotations:
+        example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
 spec:
-  hostAPI: https://app.infisical.com/api
-  resyncInterval: 10
-  authentication:
-    # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
-    # If you have multiple authentication methods defined, it may cause issues.
-    universalAuth:
-      secretsScope:
-        projectSlug: <project-slug>
-        envSlug: <env-slug> # "dev", "staging", "prod", etc..
-        secretsPath: "<secrets-path>" # Root is "/"
-        recursive: true # Fetch all secrets from the specified path and all sub-directories. Default is false.
-      
-      credentialsRef:
-        secretName: universal-auth-credentials
-        secretNamespace: default
+    hostAPI: https://app.infisical.com/api
+    resyncInterval: 10
+    authentication:
+        # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
+        # If you have multiple authentication methods defined, it may cause issues.
+
+        # (Deprecated) Service Token Auth
+        serviceToken:
+            serviceTokenSecretReference:
+                secretName: service-token
+                secretNamespace: default
+            secretsScope:
+                envSlug: <env-slug>
+                secretsPath: <secrets-path>
+                recursive: true
+
+        # Universal Auth
+        universalAuth:
+            secretsScope:
+                projectSlug: new-ob-em
+                envSlug: dev # "dev", "staging", "prod", etc..
+                secretsPath: "/" # Root is "/"
+                recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+            credentialsRef:
+                secretName: universal-auth-credentials
+                secretNamespace: default
+
+        # Native Kubernetes Auth
+        kubernetesAuth:
+            identityId: <machine-identity-id>
+            serviceAccountRef:
+              name: <service-account-name>
+              namespace: <service-account-namespace>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # AWS IAM Auth
+        awsIamAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # Azure Auth
+        azureAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # GCP ID Token Auth
+        gcpIdTokenAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # GCP IAM Auth
+        gcpIamAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+    managedSecretReference:
+        secretName: managed-secret
+        secretNamespace: default
+        creationPolicy: "Orphan" ## Owner | Orphan
+        # secretType: kubernetes.io/dockerconfigjson

-      # Service tokens are deprecated and will be removed in the near future. Please use Machine Identities for authenticating with Infisical.
-    serviceToken:
-      serviceTokenSecretReference:
-        secretName: service-token
-        secretNamespace: default
-      secretsScope:
-        envSlug: <env-slug>
-        secretsPath: <secrets-path> # Root is "/"
-        recursive: true # Fetch all secrets from the specified path and all sub-directories. Default is false.

-  managedSecretReference:
-    secretName: managed-secret
-    secretNamespace: default
-    creationPolicy: "Orphan" ## Owner | Orphan (default)
-    # secretType: kubernetes.io/dockerconfigjson
 ```

 ### InfisicalSecret CRD properties
@@ -156,7 +218,7 @@ When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.

  </Steps>

-{" "}
+

 <Info>
  Make sure to also populate the `secretsScope` field with the project slug
@@ -187,6 +249,233 @@ spec:

 </Accordion>

+<Accordion title="authentication.kubernetesAuth">
+  The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
+
+  <Steps>
+    <Step title="Create a machine identity">
+      You need to create a machine identity, and give it access to the project(s) you want to interact with. You can [read more about Kubernetes machine identities here](/documentation/platform/identities/kubernetes-auth).
+    </Step>
+    <Step title="Add your identity ID to your InfisicalSecret resource">
+      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the `authentication.kubernetesAuth.identityId` field, add the identity ID of the machine identity you created. See the example below for more details.
+    </Step>
+    <Step title="Add your Kubernetes service account token to the InfisicalSecret resource">
+    When you configured your Kubernetes machine identity, you would have created a service account token if you followed the [Kubernetes machine identity guide](/documentation/platform/identities/kubernetes-auth). If you did not create a service account token, please follow the guide to do so.
+
+    You will need to enter the name of the service account and the namespace where the service account lives. The example below shows how to add the service account token to the InfisicalSecret resource.
+    </Step> 
+
+  </Steps>
+
+<Info>
+  Make sure to also populate the `secretsScope` field with the project slug
+  _`projectSlug`_, environment slug _`envSlug`_, and secrets path
+  _`secretsPath`_ that you want to fetch secrets from. Please see the example
+  below.
+</Info>
+
+## Example
+
+```yaml example-kubernetes-auth.yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+      kubernetesAuth:
+          identityId: <machine-identity-id>
+          serviceAccountRef:
+            name: <service-account-name>
+            namespace: <service-account-namespace>
+
+          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+          secretsScope:
+              projectSlug: your-project-slug
+              envSlug: prod
+              secretsPath: "/path"
+              recursive: true
+  ...
+```
+
+</Accordion>
+
+<Accordion title="authentication.awsIamAuth">
+  The AWS IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an AWS environment like an EC2 or a Lambda function.
+
+  <Steps>
+    <Step title="Create a machine identity">
+      You need to create a machine identity, and give it access to the project(s) you want to interact with. You can [read more about AWS machine identities here](/documentation/platform/identities/aws-auth).
+    </Step>
+    <Step title="Add your identity ID to your InfisicalSecret resource">
+      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the `authentication.awsIamAuth.identityId` field, add the identity ID of the machine identity you created. See the example below for more details.
+    </Step>
+
+  </Steps>
+
+<Info>
+  Make sure to also populate the `secretsScope` field with the project slug
+  _`projectSlug`_, environment slug _`envSlug`_, and secrets path
+  _`secretsPath`_ that you want to fetch secrets from. Please see the example
+  below.
+</Info>
+
+## Example
+
+```yaml example-aws-iam-auth.yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+      awsIamAuth:
+          identityId: <your-machine-identity-id>
+
+          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+          secretsScope:
+              projectSlug: your-project-slug
+              envSlug: prod
+              secretsPath: "/path"
+              recursive: true
+  ...
+```
+
+</Accordion>
+
+<Accordion title="authentication.azureAuth">
+  The Azure machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within an Azure environment.
+
+  <Steps>
+    <Step title="Create a machine identity">
+      You need to create a machine identity, and give it access to the project(s) you want to interact with. You can [read more about Azure machine identities here](/documentation/platform/identities/azure-auth).
+    </Step>
+    <Step title="Add your identity ID to your InfisicalSecret resource">
+      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the `authentication.azureAuth.identityId` field, add the identity ID of the machine identity you created. See the example below for more details.
+    </Step>
+
+  </Steps>
+
+<Info>
+  Make sure to also populate the `secretsScope` field with the project slug
+  _`projectSlug`_, environment slug _`envSlug`_, and secrets path
+  _`secretsPath`_ that you want to fetch secrets from. Please see the example
+  below.
+</Info>
+
+## Example
+
+```yaml example-azure-auth.yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+      azureAuth:
+          identityId: <your-machine-identity-id>
+
+          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+          secretsScope:
+              projectSlug: your-project-slug
+              envSlug: prod
+              secretsPath: "/path"
+              recursive: true
+  ...
+```
+
+</Accordion>
+
+<Accordion title="authentication.gcpIdTokenAuth">
+  The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
+
+  <Steps>
+    <Step title="Create a machine identity">
+      You need to create a machine identity, and give it access to the project(s) you want to interact with. You can [read more about GCP machine identities here](/documentation/platform/identities/gcp-auth).
+    </Step>
+    <Step title="Add your identity ID to your InfisicalSecret resource">
+      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the `authentication.gcpIdTokenAuth.identityId` field, add the identity ID of the machine identity you created. See the example below for more details.
+    </Step>
+
+  </Steps>
+
+<Info>
+  Make sure to also populate the `secretsScope` field with the project slug
+  _`projectSlug`_, environment slug _`envSlug`_, and secrets path
+  _`secretsPath`_ that you want to fetch secrets from. Please see the example
+  below.
+</Info>
+
+## Example
+
+```yaml example-gcp-id-token-auth.yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+      gcpIdTokenAuth:
+          identityId: <your-machine-identity-id>
+
+          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+          secretsScope:
+              projectSlug: your-project-slug
+              envSlug: prod
+              secretsPath: "/path"
+              recursive: true
+  ...
+```
+
+</Accordion>
+
+
+
+<Accordion title="authentication.gcpIamAuth">
+  The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
+
+  <Steps>
+    <Step title="Create a machine identity">
+      You need to create a machine identity, and give it access to the project(s) you want to interact with. You can [read more about GCP machine identities here](/documentation/platform/identities/gcp-auth).
+    </Step>
+    <Step title="Add your identity ID and service account token path to your InfisicalSecret resource">
+      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. In the `authentication.gcpIamAuth.identityId` field, add the identity ID of the machine identity you created.
+      You'll also need to add the service account key file path to your InfisicalSecret resource. In the `authentication.gcpIamAuth.serviceAccountKeyFilePath` field, add the path to your service account key file path. Please see the example below for more details.
+    </Step>
+
+  </Steps>
+
+<Info>
+  Make sure to also populate the `secretsScope` field with the project slug
+  _`projectSlug`_, environment slug _`envSlug`_, and secrets path
+  _`secretsPath`_ that you want to fetch secrets from. Please see the example
+  below.
+</Info>
+
+## Example
+
+```yaml example-gcp-id-token-auth.yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+      gcpIamAuth:
+          identityId: <your-machine-identity-id>
+          serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json"
+
+          # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+          secretsScope:
+              projectSlug: your-project-slug
+              envSlug: prod
+              secretsPath: "/path"
+              recursive: true
+  ...
+```
+
+</Accordion>
+
 <Accordion title="authentication.serviceToken">
  <Warning>
  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
--- a/docs/sdks/languages/go.mdx
+++ b/docs/sdks/languages/go.mdx
@@ -9,7 +9,7 @@ icon: "golang"
 If you're working with Go Lang, the official [Infisical Go SDK](https://github.com/infisical/go-sdk) package is the easiest way to fetch and work with secrets for your application.

 - [Package](https://pkg.go.dev/github.com/infisical/go-sdk)
- [Github Repository](https://github.com/infiscial/go-sdk)
+- [Github Repository](https://github.com/infisical/go-sdk)

 ## Basic Usage

@@ -282,7 +282,7 @@ Retrieve all secrets within the Infisical project and environment that client is

 </ParamField>

-### client.Secrets().Get(options)
+### client.Secrets().Retrieve(options)

 ```go
 secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
@@ -294,7 +294,7 @@ secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{

 Retrieve a secret from Infisical.

-By default, `Secrets().Get()` fetches and returns a shared secret.
+By default, `Secrets().Retrieve()` fetches and returns a shared secret.

 #### Parameters

--- a/docs/self-hosting/configuration/envars.mdx
+++ b/docs/self-hosting/configuration/envars.mdx
@@ -48,44 +48,44 @@ The platform utilizes Postgres to persist all of its data and Redis for caching
 Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.

 <Accordion title="Generic Configuration">
-  <ParamField query="SMTP_HOST" type="string" default="none" optional>
-    Hostname to connect to for establishing SMTP connections
-  </ParamField>
-
-{" "}
-
-<ParamField query="SMTP_USERNAME" type="string" default="none" optional>
-  Credential to connect to host (e.g. team@infisical.com)
+<ParamField query="SMTP_HOST" type="string" default="none" optional>
+  Hostname to connect to for establishing SMTP connections
 </ParamField>

-{" "}
-
-<ParamField query="SMTP_PASSWORD" type="string" default="none" optional>
-  Credential to connect to host
-</ParamField>
-
-{" "}
-
 <ParamField query="SMTP_PORT" type="string" default="587" optional>
  Port to connect to for establishing SMTP connections
 </ParamField>

-{" "}
-
-<ParamField query="SMTP_SECURE" type="string" default="none" optional>
-  If true, use TLS when connecting to host. If false, TLS will be used if
-  STARTTLS is supported
+<ParamField query="SMTP_USERNAME" type="string" default="none" optional>
+  Credential to connect to host (e.g. team@infisical.com)
 </ParamField>

-{" "}
+<ParamField query="SMTP_PASSWORD" type="string" default="none" optional>
+  Credential to connect to host
+</ParamField>

 <ParamField query="SMTP_FROM_ADDRESS" type="string" default="none" optional>
  Email address to be used for sending emails
 </ParamField>

-  <ParamField query="SMTP_FROM_NAME" type="string" default="none" optional>
-    Name label to be used in From field (e.g. Team)
-  </ParamField>
+<ParamField query="SMTP_FROM_NAME" type="string" default="none" optional>
+  Name label to be used in From field (e.g. Team)
+</ParamField>
+
+<ParamField query="SMTP_IGNORE_TLS" type="bool" default="false" optional>
+  If this is `true` and `SMTP_PORT` is not 465 then TLS is not used even if the
+  server supports STARTTLS extension.
+</ParamField>
+
+<ParamField query="SMTP_REQUIRE_TLS" type="bool" default="true" optional>
+  If this is `true` and `SMTP_PORT` is not 465 then Infisical tries to use
+  STARTTLS even if the server does not advertise support for it. If the
+  connection can not be encrypted then message is not sent.
+</ParamField>
+
+<ParamField query="SMTP_TLS_REJECT_UNAUTHORIZED" type="bool" default="true" optional>
+  If this is `true`, Infisical will validate the server's SSL/TLS certificate and reject the connection if the certificate is invalid or not trusted. If set to `false`, the client will accept the server's certificate regardless of its validity, which can be useful in development or testing environments but is not recommended for production use.
+</ParamField>
 </Accordion>

 <Accordion title="Twilio SendGrid">
@@ -105,7 +105,6 @@ SMTP_HOST=smtp.sendgrid.net
 SMTP_USERNAME=apikey
 SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -128,7 +127,6 @@ SMTP_HOST=smtp.mailgun.org # obtained from credentials page
 SMTP_USERNAME=postmaster@example.mailgun.org # obtained from credentials page
 SMTP_PASSWORD=password # obtained from credentials page
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -159,7 +157,6 @@ SMTP_FROM_NAME=Infisical
      SMTP_USERNAME=xxx # your SMTP username
      SMTP_PASSWORD=xxx # your SMTP password
      SMTP_PORT=465
-      SMTP_SECURE=true
      SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
      SMTP_FROM_NAME=Infisical
      ```
@@ -187,7 +184,6 @@ SMTP_HOST=smtp.socketlabs.com
 SMTP_USERNAME=username # obtained from your credentials
 SMTP_PASSWORD=password # obtained from your credentials
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -229,7 +225,6 @@ SMTP_HOST=smtp.resend.com
 SMTP_USERNAME=resend
 SMTP_PASSWORD=YOUR_API_KEY
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -253,7 +248,6 @@ SMTP_HOST=smtp.gmail.com
 SMTP_USERNAME=hey@gmail.com # your email
 SMTP_PASSWORD=password # your password
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@gmail.com
 SMTP_FROM_NAME=Infisical
 ```
@@ -277,7 +271,6 @@ SMTP_HOST=smtp.office365.com
 SMTP_USERNAME=username@yourdomain.com # your username
 SMTP_PASSWORD=password # your password
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=username@yourdomain.com
 SMTP_FROM_NAME=Infisical
 ```
@@ -294,7 +287,6 @@ SMTP_HOST=smtp.zoho.com
 SMTP_USERNAME=username # your email
 SMTP_PASSWORD=password # your password
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your personal Zoho email or domain-based email linked to Zoho Mail
 SMTP_FROM_NAME=Infisical
 ```
@@ -320,7 +312,8 @@ To login into Infisical with OAuth providers such as Google, configure the assoc

 <ParamField query="DEFAULT_SAML_ORG_SLUG" type="string">

-  When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.
+When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.
+
 </ParamField>

 <Accordion title="Google">
--- a/frontend/src/components/v2/SecretPathInput/SecretPathInput.tsx
+++ b/frontend/src/components/v2/SecretPathInput/SecretPathInput.tsx
@@ -78,7 +78,8 @@ export const SecretPathInput = ({
    const validPaths = inputValue.split("/");
    validPaths.pop();

-    const newValue = `${validPaths.join("/")}/${suggestions[selectedIndex]}/`;
+    // removed trailing slash
+    const newValue = `${validPaths.join("/")}/${suggestions[selectedIndex]}`;
    onChange?.(newValue);
    setInputValue(newValue);
    setSecretPath(newValue);
--- a/frontend/src/helpers/project.ts
+++ b/frontend/src/helpers/project.ts
@@ -93,27 +93,29 @@ const initProjectHelper = async ({ projectName }: { projectName: string }) => {
  });

  try {
-    secrets?.forEach((secret) => {
-      createSecret({
-        workspaceId: project.id,
-        environment: secret.environment,
-        type: secret.type,
-        secretKey: secret.secretName,
-        secretKeyCiphertext: secret.secretKeyCiphertext,
-        secretKeyIV: secret.secretKeyIV,
-        secretKeyTag: secret.secretKeyTag,
-        secretValueCiphertext: secret.secretValueCiphertext,
-        secretValueIV: secret.secretValueIV,
-        secretValueTag: secret.secretValueTag,
-        secretCommentCiphertext: secret.secretCommentCiphertext,
-        secretCommentIV: secret.secretCommentIV,
-        secretCommentTag: secret.secretCommentTag,
-        secretPath: "/",
-        metadata: {
-          source: "signup"
-        }
-      });
-    });
+    await Promise.allSettled(
+      (secrets || []).map((secret) =>
+        createSecret({
+          workspaceId: project.id,
+          environment: secret.environment,
+          type: secret.type,
+          secretKey: secret.secretName,
+          secretKeyCiphertext: secret.secretKeyCiphertext,
+          secretKeyIV: secret.secretKeyIV,
+          secretKeyTag: secret.secretKeyTag,
+          secretValueCiphertext: secret.secretValueCiphertext,
+          secretValueIV: secret.secretValueIV,
+          secretValueTag: secret.secretValueTag,
+          secretCommentCiphertext: secret.secretCommentCiphertext,
+          secretCommentIV: secret.secretCommentIV,
+          secretCommentTag: secret.secretCommentTag,
+          secretPath: "/",
+          metadata: {
+            source: "signup"
+          }
+        })
+      )
+    );
  } catch (err) {
    console.error("Failed to upload secrets", err);
  }
--- a/frontend/src/hooks/api/index.tsx
+++ b/frontend/src/hooks/api/index.tsx
@@ -17,6 +17,7 @@ export * from "./keys";
 export * from "./ldapConfig";
 export * from "./organization";
 export * from "./projectUserAdditionalPrivilege";
+export * from "./rateLimit";
 export * from "./roles";
 export * from "./scim";
 export * from "./secretApproval";
--- a/frontend/src/hooks/api/rateLimit/index.ts
+++ b/frontend/src/hooks/api/rateLimit/index.ts
@@ -0,0 +1,2 @@
+export { useUpdateRateLimit } from "./mutation";
+export { useGetRateLimit } from "./queries";
--- a/frontend/src/hooks/api/rateLimit/mutation.ts
+++ b/frontend/src/hooks/api/rateLimit/mutation.ts
@@ -0,0 +1,21 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { rateLimitQueryKeys } from "./queries";
+import { TRateLimit } from "./types";
+
+export const useUpdateRateLimit = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<TRateLimit, {}, TRateLimit>({
+    mutationFn: async (opt) => {
+      const { data } = await apiRequest.put<{ rateLimit: TRateLimit }>("/api/v1/rate-limit", opt);
+      return data.rateLimit;
+    },
+    onSuccess: (data) => {
+      queryClient.setQueryData(rateLimitQueryKeys.rateLimit(), data);
+      queryClient.invalidateQueries(rateLimitQueryKeys.rateLimit());
+    }
+  });
+};
--- a/frontend/src/hooks/api/rateLimit/queries.ts
+++ b/frontend/src/hooks/api/rateLimit/queries.ts
@@ -0,0 +1,34 @@
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { TRateLimit } from "./types";
+
+export const rateLimitQueryKeys = {
+  rateLimit: () => ["rate-limit"] as const
+};
+
+const fetchRateLimit = async () => {
+  const { data } = await apiRequest.get<{ rateLimit: TRateLimit }>("/api/v1/rate-limit");
+  return data.rateLimit;
+};
+
+export const useGetRateLimit = ({
+  options = {}
+}: {
+  options?: Omit<
+    UseQueryOptions<
+      TRateLimit,
+      unknown,
+      TRateLimit,
+      ReturnType<typeof rateLimitQueryKeys.rateLimit>
+    >,
+    "queryKey" | "queryFn"
+  >;
+} = {}) =>
+  useQuery({
+    queryKey: rateLimitQueryKeys.rateLimit(),
+    queryFn: fetchRateLimit,
+    ...options,
+    enabled: options?.enabled ?? true
+  });
--- a/frontend/src/hooks/api/rateLimit/types.ts
+++ b/frontend/src/hooks/api/rateLimit/types.ts
@@ -0,0 +1,10 @@
+export type TRateLimit = {
+  readRateLimit: number;
+  writeRateLimit: number;
+  secretsRateLimit: number;
+  authRateLimit: number;
+  inviteUserRateLimit: number;
+  mfaRateLimit: number;
+  creationLimit: number;
+  publicEndpointLimit: number;
+};
--- a/frontend/src/hooks/api/secretImports/queries.tsx
+++ b/frontend/src/hooks/api/secretImports/queries.tsx
@@ -264,13 +264,12 @@ export const useGetImportedSecretsAllEnvs = ({
  });

  const isImportedSecretPresentInEnv = useCallback(
-    (secPath: string, envSlug: string, secretName: string) => {
+    (envSlug: string, secretName: string) => {
      const selectedEnvIndex = environments.indexOf(envSlug);

      if (selectedEnvIndex !== -1) {
-        const isPresent = secretImports?.[selectedEnvIndex]?.data?.find(
-          ({ secretPath, secrets }) =>
-            secretPath === secPath && secrets.some((s) => s.key === secretName)
+        const isPresent = secretImports?.[selectedEnvIndex]?.data?.find(({ secrets }) =>
+          secrets.some((s) => s.key === secretName)
        );

        return Boolean(isPresent);
--- a/frontend/src/hooks/api/workspace/queries.tsx
+++ b/frontend/src/hooks/api/workspace/queries.tsx
@@ -20,6 +20,7 @@ import {
  TUpdateWorkspaceIdentityRoleDTO,
  TUpdateWorkspaceUserRoleDTO,
  UpdateEnvironmentDTO,
+  UpdatePitVersionLimitDTO,
  Workspace
 } from "./types";

@@ -249,6 +250,21 @@ export const useToggleAutoCapitalization = () => {
  });
 };

+export const useUpdateWorkspaceVersionLimit = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, UpdatePitVersionLimitDTO>({
+    mutationFn: ({ projectSlug, pitVersionLimit }) => {
+      return apiRequest.put(`/api/v1/workspace/${projectSlug}/version-limit`, {
+        pitVersionLimit
+      });
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(workspaceKeys.getAllUserWorkspace);
+    }
+  });
+};
+
 export const useDeleteWorkspace = () => {
  const queryClient = useQueryClient();

--- a/frontend/src/hooks/api/workspace/types.ts
+++ b/frontend/src/hooks/api/workspace/types.ts
@@ -14,8 +14,10 @@ export type Workspace = {
  orgId: string;
  version: ProjectVersion;
  upgradeStatus: string | null;
+  updatedAt: string;
  autoCapitalization: boolean;
  environments: WorkspaceEnv[];
+  pitVersionLimit: number;
  slug: string;
 };

@@ -48,6 +50,7 @@ export type CreateWorkspaceDTO = {
 };

 export type RenameWorkspaceDTO = { workspaceID: string; newWorkspaceName: string };
+export type UpdatePitVersionLimitDTO = { projectSlug: string; pitVersionLimit: number };
 export type ToggleAutoCapitalizationDTO = { workspaceID: string; state: boolean };

 export type DeleteWorkspaceDTO = { workspaceID: string };
@@ -128,4 +131,4 @@ export type TUpdateWorkspaceGroupRoleDTO = {
        temporaryAccessStartTime: string;
      }
  )[];
-};
+};
--- a/frontend/src/lib/fn/date.ts
+++ b/frontend/src/lib/fn/date.ts
@@ -0,0 +1,46 @@
+export const timeAgo = (inputDate: Date, currentDate: Date): string => {
+  const now = new Date(currentDate).getTime();
+  const date = new Date(inputDate).getTime();
+  const elapsedMilliseconds = now - date;
+  const elapsedSeconds = Math.abs(Math.floor(elapsedMilliseconds / 1000));
+  const elapsedMinutes = Math.abs(Math.floor(elapsedSeconds / 60));
+  const elapsedHours = Math.abs(Math.floor(elapsedMinutes / 60));
+  const elapsedDays = Math.abs(Math.floor(elapsedHours / 24));
+  const elapsedWeeks = Math.abs(Math.floor(elapsedDays / 7));
+  const elapsedMonths = Math.abs(Math.floor(elapsedDays / 30));
+  const elapsedYears = Math.abs(Math.floor(elapsedDays / 365));
+
+  if (elapsedYears > 0) {
+    return `${elapsedYears} year${elapsedYears === 1 ? "" : "s"} ${
+      elapsedMilliseconds >= 0 ? "ago" : "from now"
+    }`;
+  }
+  if (elapsedMonths > 0) {
+    return `${elapsedMonths} month${elapsedMonths === 1 ? "" : "s"} ${
+      elapsedMilliseconds >= 0 ? "ago" : "from now"
+    }`;
+  }
+  if (elapsedWeeks > 0) {
+    return `${elapsedWeeks} week${elapsedWeeks === 1 ? "" : "s"} ${
+      elapsedMilliseconds >= 0 ? "ago" : "from now"
+    }`;
+  }
+  if (elapsedDays > 0) {
+    return `${elapsedDays} day${elapsedDays === 1 ? "" : "s"} ${
+      elapsedMilliseconds >= 0 ? "ago" : "from now"
+    }`;
+  }
+  if (elapsedHours > 0) {
+    return `${elapsedHours} hour${elapsedHours === 1 ? "" : "s"} ${
+      elapsedMilliseconds >= 0 ? "ago" : "from now"
+    }`;
+  }
+  if (elapsedMinutes > 0) {
+    return `${elapsedMinutes} minute${elapsedMinutes === 1 ? "" : "s"} ${
+      elapsedMilliseconds >= 0 ? "ago" : "from now"
+    }`;
+  }
+  return `${elapsedSeconds} second${elapsedSeconds === 1 ? "" : "s"} ${
+    elapsedMilliseconds >= 0 ? "ago" : "from now"
+  }`;
+};
--- a/frontend/src/pages/org/[id]/overview/index.tsx
+++ b/frontend/src/pages/org/[id]/overview/index.tsx
@@ -12,11 +12,14 @@ import { faFolderOpen } from "@fortawesome/free-regular-svg-icons";
 import {
  faArrowRight,
  faArrowUpRightFromSquare,
+  faBorderAll,
  faCheck,
  faCheckCircle,
  faClipboard,
  faExclamationCircle,
+  faFileShield,
  faHandPeace,
+  faList,
  faMagnifyingGlass,
  faNetworkWired,
  faPlug,
@@ -35,6 +38,7 @@ import {
  Button,
  Checkbox,
  FormControl,
+  IconButton,
  Input,
  Modal,
  ModalContent,
@@ -86,6 +90,11 @@ type ItemProps = {
  link?: string;
 };

+enum ProjectsViewMode {
+  GRID = "grid",
+  LIST = "list"
+}
+
 function copyToClipboard(id: string, setState: (value: boolean) => void) {
  // Get the text field
  const copyText = document.getElementById(id) as HTMLInputElement;
@@ -309,8 +318,9 @@ const LearningItem = ({
        href={link}
      >
        <div
-          className={`${complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
-            } mb-3 rounded-md`}
+          className={`${
+            complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
+          } mb-3 rounded-md`}
        >
          <div
            onKeyDown={() => null}
@@ -321,10 +331,11 @@ const LearningItem = ({
                await registerUserAction.mutateAsync(userAction);
              }
            }}
-            className={`group relative flex h-[5.5rem] w-full items-center justify-between overflow-hidden rounded-md border ${complete
+            className={`group relative flex h-[5.5rem] w-full items-center justify-between overflow-hidden rounded-md border ${
+              complete
                ? "cursor-default border-mineshaft-900 bg-gradient-to-r from-[#0e1f01] to-mineshaft-700"
                : "cursor-pointer border-mineshaft-600 bg-mineshaft-800 shadow-xl hover:bg-mineshaft-700"
-              } text-mineshaft-100 duration-200`}
+            } text-mineshaft-100 duration-200`}
          >
            <div className="mr-4 flex flex-row items-center">
              <FontAwesomeIcon icon={icon} className="mx-2 w-16 text-4xl" />
@@ -402,8 +413,9 @@ const LearningItemSquare = ({
      href={link}
    >
      <div
-        className={`${complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
-          } w-full rounded-md`}
+        className={`${
+          complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
+        } w-full rounded-md`}
      >
        <div
          onKeyDown={() => null}
@@ -414,10 +426,11 @@ const LearningItemSquare = ({
              await registerUserAction.mutateAsync(userAction);
            }
          }}
-          className={`group relative flex w-full items-center justify-between overflow-hidden rounded-md border ${complete
+          className={`group relative flex w-full items-center justify-between overflow-hidden rounded-md border ${
+            complete
              ? "cursor-default border-mineshaft-900 bg-gradient-to-r from-[#0e1f01] to-mineshaft-700"
              : "cursor-pointer border-mineshaft-600 bg-mineshaft-800 shadow-xl hover:bg-mineshaft-700"
-            } text-mineshaft-100 duration-200`}
+          } text-mineshaft-100 duration-200`}
        >
          <div className="flex w-full flex-col items-center px-6 py-4">
            <div className="flex w-full flex-row items-start justify-between">
@@ -431,8 +444,9 @@ const LearningItemSquare = ({
                </div>
              )}
              <div
-                className={`text-right text-sm font-normal text-mineshaft-300 ${complete ? "font-semibold text-primary" : ""
-                  }`}
+                className={`text-right text-sm font-normal text-mineshaft-300 ${
+                  complete ? "font-semibold text-primary" : ""
+                }`}
              >
                {complete ? "Complete!" : `About ${time}`}
              </div>
@@ -461,7 +475,6 @@ const formSchema = yup.object({
 type TAddProjectFormData = yup.InferType<typeof formSchema>;

 // #TODO: Update all the workspaceIds
-
 const OrganizationPage = withPermission(
  () => {
    const { t } = useTranslation();
@@ -496,6 +509,9 @@ const OrganizationPage = withPermission(
    const createWs = useCreateWorkspace();
    const { user } = useUser();
    const { data: serverDetails } = useFetchServerStatus();
+    const [projectsViewMode, setProjectsViewMode] = useState<ProjectsViewMode>(
+      (localStorage.getItem("projectsViewMode") as ProjectsViewMode) || ProjectsViewMode.GRID
+    );

    const onCreateProject = async ({ name, addMembers }: TAddProjectFormData) => {
      // type check
@@ -550,6 +566,95 @@ const OrganizationPage = withPermission(
    }, []);

    const isWorkspaceEmpty = !isWorkspaceLoading && orgWorkspaces?.length === 0;
+    const filteredWorkspaces = orgWorkspaces.filter((ws) =>
+      ws?.name?.toLowerCase().includes(searchFilter.toLowerCase())
+    );
+
+    const projectsGridView = (
+      <div className="mt-4 grid w-full grid-cols-1 gap-4 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
+        {isWorkspaceLoading &&
+          Array.apply(0, Array(3)).map((_x, i) => (
+            <div
+              key={`workspace-cards-loading-${i + 1}`}
+              className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
+            >
+              <div className="mt-0 text-lg text-mineshaft-100">
+                <Skeleton className="w-3/4 bg-mineshaft-600" />
+              </div>
+              <div className="mt-0 pb-6 text-sm text-mineshaft-300">
+                <Skeleton className="w-1/2 bg-mineshaft-600" />
+              </div>
+              <div className="flex justify-end">
+                <Skeleton className="w-1/2 bg-mineshaft-600" />
+              </div>
+            </div>
+          ))}
+        {filteredWorkspaces.map((workspace) => (
+          // eslint-disable-next-line jsx-a11y/no-static-element-interactions, jsx-a11y/click-events-have-key-events
+          <div
+            onClick={() => {
+              router.push(`/project/${workspace.id}/secrets/overview`);
+              localStorage.setItem("projectData.id", workspace.id);
+            }}
+            key={workspace.id}
+            className="min-w-72 group flex h-40 cursor-pointer flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
+          >
+            <div className="mt-0 truncate text-lg text-mineshaft-100">{workspace.name}</div>
+            <div className="mt-0 pb-6 text-sm text-mineshaft-300">
+              {workspace.environments?.length || 0} environments
+            </div>
+            <button type="button">
+              <div className="group ml-auto w-max cursor-pointer rounded-full border border-mineshaft-600 bg-mineshaft-900 py-2 px-4 text-sm text-mineshaft-300 transition-all group-hover:border-primary-500/80 group-hover:bg-primary-800/20 group-hover:text-mineshaft-200">
+                Explore{" "}
+                <FontAwesomeIcon
+                  icon={faArrowRight}
+                  className="pl-1.5 pr-0.5 duration-200 group-hover:pl-2 group-hover:pr-0"
+                />
+              </div>
+            </button>
+          </div>
+        ))}
+      </div>
+    );
+
+    const projectsListView = (
+      <div className="mt-4 w-full rounded-md">
+        {isWorkspaceLoading &&
+          Array.apply(0, Array(3)).map((_x, i) => (
+            <div
+              key={`workspace-cards-loading-${i + 1}`}
+              className={`min-w-72 group flex h-12 cursor-pointer flex-row items-center justify-between border border-mineshaft-600 bg-mineshaft-800 px-6 hover:bg-mineshaft-700 ${
+                i === 0 && "rounded-t-md"
+              } ${i === 2 && "rounded-b-md border-b"}`}
+            >
+              <Skeleton className="w-full bg-mineshaft-600" />
+            </div>
+          ))}
+        {filteredWorkspaces.map((workspace, ind) => (
+          // eslint-disable-next-line jsx-a11y/no-static-element-interactions, jsx-a11y/click-events-have-key-events
+          <div
+            onClick={() => {
+              router.push(`/project/${workspace.id}/secrets/overview`);
+              localStorage.setItem("projectData.id", workspace.id);
+            }}
+            key={workspace.id}
+            className={`min-w-72 group grid h-14 cursor-pointer grid-cols-6 border-t border-l border-r border-mineshaft-600 bg-mineshaft-800 px-6 hover:bg-mineshaft-700 ${
+              ind === 0 && "rounded-t-md"
+            } ${ind === filteredWorkspaces.length - 1 && "rounded-b-md border-b"}`}
+          >
+            <div className="flex items-center sm:col-span-3 lg:col-span-4">
+              <FontAwesomeIcon icon={faFileShield} className="text-sm text-primary/70" />
+              <div className="ml-5 truncate text-sm text-mineshaft-100">{workspace.name}</div>
+            </div>
+            <div className="flex items-center justify-end sm:col-span-3 lg:col-span-2">
+              <div className="text-center text-sm text-mineshaft-300">
+                {workspace.environments?.length || 0} environments
+              </div>
+            </div>
+          </div>
+        ))}
+      </div>
+    );

    return (
      <div className="mx-auto flex max-w-7xl flex-col justify-start bg-bunker-800 md:h-screen">
@@ -580,7 +685,9 @@ const OrganizationPage = withPermission(
          </div>
        )}
        <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
-          <p className="mr-4 font-semibold text-white">Projects</p>
+          <div className="flex w-full justify-between">
+            <p className="mr-4 font-semibold text-white">Projects</p>
+          </div>
          <div className="mt-6 flex w-full flex-row">
            <Input
              className="h-[2.3rem] bg-mineshaft-800 text-sm placeholder-mineshaft-50 duration-200 focus:bg-mineshaft-700/80"
@@ -589,6 +696,36 @@ const OrganizationPage = withPermission(
              onChange={(e) => setSearchFilter(e.target.value)}
              leftIcon={<FontAwesomeIcon icon={faMagnifyingGlass} />}
            />
+            <div className="ml-2 flex rounded-md border border-mineshaft-600 bg-mineshaft-800 p-1">
+              <IconButton
+                variant="outline_bg"
+                onClick={() => {
+                  localStorage.setItem("projectsViewMode", ProjectsViewMode.GRID);
+                  setProjectsViewMode(ProjectsViewMode.GRID);
+                }}
+                ariaLabel="grid"
+                size="xs"
+                className={`${
+                  projectsViewMode === ProjectsViewMode.GRID ? "bg-mineshaft-500" : "bg-transparent"
+                } min-w-[2.4rem] border-none hover:bg-mineshaft-600`}
+              >
+                <FontAwesomeIcon icon={faBorderAll} />
+              </IconButton>
+              <IconButton
+                variant="outline_bg"
+                onClick={() => {
+                  localStorage.setItem("projectsViewMode", ProjectsViewMode.LIST);
+                  setProjectsViewMode(ProjectsViewMode.LIST);
+                }}
+                ariaLabel="list"
+                size="xs"
+                className={`${
+                  projectsViewMode === ProjectsViewMode.LIST ? "bg-mineshaft-500" : "bg-transparent"
+                } min-w-[2.4rem] border-none hover:bg-mineshaft-600`}
+              >
+                <FontAwesomeIcon icon={faList} />
+              </IconButton>
+            </div>
            <OrgPermissionCan I={OrgPermissionActions.Create} an={OrgPermissionSubjects.Workspace}>
              {(isAllowed) => (
                <Button
@@ -609,52 +746,7 @@ const OrganizationPage = withPermission(
              )}
            </OrgPermissionCan>
          </div>
-          <div className="mt-4 grid w-full grid-cols-1 gap-4 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
-            {isWorkspaceLoading &&
-              Array.apply(0, Array(3)).map((_x, i) => (
-                <div
-                  key={`workspace-cards-loading-${i + 1}`}
-                  className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
-                >
-                  <div className="mt-0 text-lg text-mineshaft-100">
-                    <Skeleton className="w-3/4 bg-mineshaft-600" />
-                  </div>
-                  <div className="mt-0 pb-6 text-sm text-mineshaft-300">
-                    <Skeleton className="w-1/2 bg-mineshaft-600" />
-                  </div>
-                  <div className="flex justify-end">
-                    <Skeleton className="w-1/2 bg-mineshaft-600" />
-                  </div>
-                </div>
-              ))}
-            {orgWorkspaces
-              .filter((ws) => ws?.name?.toLowerCase().includes(searchFilter.toLowerCase()))
-              .map((workspace) => (
-                // eslint-disable-next-line jsx-a11y/no-static-element-interactions, jsx-a11y/click-events-have-key-events
-                <div
-                  onClick={() => {
-                    router.push(`/project/${workspace.id}/secrets/overview`);
-                    localStorage.setItem("projectData.id", workspace.id);
-                  }}
-                  key={workspace.id}
-                  className="min-w-72 group flex h-40 cursor-pointer flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
-                >
-                  <div className="mt-0 truncate text-lg text-mineshaft-100">{workspace.name}</div>
-                  <div className="mt-0 pb-6 text-sm text-mineshaft-300">
-                    {workspace.environments?.length || 0} environments
-                  </div>
-                  <button type="button">
-                    <div className="group ml-auto w-max cursor-pointer rounded-full border border-mineshaft-600 bg-mineshaft-900 py-2 px-4 text-sm text-mineshaft-300 transition-all group-hover:border-primary-500/80 group-hover:bg-primary-800/20 group-hover:text-mineshaft-200">
-                      Explore{" "}
-                      <FontAwesomeIcon
-                        icon={faArrowRight}
-                        className="pl-1.5 pr-0.5 duration-200 group-hover:pl-2 group-hover:pr-0"
-                      />
-                    </div>
-                  </button>
-                </div>
-              ))}
-          </div>
+          {projectsViewMode === ProjectsViewMode.LIST ? projectsListView : projectsGridView}
          {isWorkspaceEmpty && (
            <div className="w-full rounded-md border border-mineshaft-700 bg-mineshaft-800 px-4 py-6 text-base text-mineshaft-300">
              <FontAwesomeIcon
@@ -709,94 +801,95 @@ const OrganizationPage = withPermission(
          new Date().getTime() - new Date(user?.createdAt).getTime() <
          30 * 24 * 60 * 60 * 1000
        ) && (
-            <div className="mb-4 flex flex-col items-start justify-start px-6 pb-0 text-3xl">
-              <p className="mr-4 mb-4 font-semibold text-white">Onboarding Guide</p>
-              <div className="mb-3 grid w-full grid-cols-1 gap-3 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
-                <LearningItemSquare
-                  text="Watch Infisical demo"
-                  subText="Set up Infisical in 3 min."
-                  complete={hasUserClickedIntro}
-                  icon={faHandPeace}
-                  time="3 min"
-                  userAction="intro_cta_clicked"
-                  link="https://www.youtube.com/watch?v=PK23097-25I"
-                />
-                {orgWorkspaces.length !== 0 && (
-                  <>
-                    <LearningItemSquare
-                      text="Add your secrets"
-                      subText="Drop a .env file or type your secrets."
-                      complete={hasUserPushedSecrets}
-                      icon={faPlus}
-                      time="1 min"
-                      userAction="first_time_secrets_pushed"
-                      link={`/project/${orgWorkspaces[0]?.id}/secrets/overview`}
-                    />
-                    <LearningItemSquare
-                      text="Invite your teammates"
-                      subText="Infisical is better used as a team."
-                      complete={usersInOrg}
-                      icon={faUserPlus}
-                      time="2 min"
-                      link={`/org/${router.query.id}/members?action=invite`}
-                    />
-                  </>
-                )}
-                <div className="block xl:hidden 2xl:block">
-                  <LearningItemSquare
-                    text="Join Infisical Slack"
-                    subText="Have any questions? Ask us!"
-                    complete={hasUserClickedSlack}
-                    icon={faSlack}
-                    time="1 min"
-                    userAction="slack_cta_clicked"
-                    link="https://infisical.com/slack"
-                  />
-                </div>
-              </div>
+          <div className="mb-4 flex flex-col items-start justify-start px-6 pb-0 text-3xl">
+            <p className="mr-4 mb-4 font-semibold text-white">Onboarding Guide</p>
+            <div className="mb-3 grid w-full grid-cols-1 gap-3 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
+              <LearningItemSquare
+                text="Watch Infisical demo"
+                subText="Set up Infisical in 3 min."
+                complete={hasUserClickedIntro}
+                icon={faHandPeace}
+                time="3 min"
+                userAction="intro_cta_clicked"
+                link="https://www.youtube.com/watch?v=PK23097-25I"
+              />
              {orgWorkspaces.length !== 0 && (
-                <div className="group relative mb-3 flex h-full w-full cursor-default flex-col items-center justify-between overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-800 pl-2 pr-2 pt-4 pb-2 text-mineshaft-100 shadow-xl duration-200">
-                  <div className="mb-4 flex w-full flex-row items-center pr-4">
-                    <div className="mr-4 flex w-full flex-row items-center">
-                      <FontAwesomeIcon icon={faNetworkWired} className="mx-2 w-16 text-4xl" />
-                      {false && (
-                        <div className="absolute left-12 top-10 flex h-7 w-7 items-center justify-center rounded-full bg-bunker-500 p-2 group-hover:bg-mineshaft-700">
-                          <FontAwesomeIcon
-                            icon={faCheckCircle}
-                            className="h-5 w-5 text-4xl text-green"
-                          />
-                        </div>
-                      )}
-                      <div className="flex flex-col items-start pl-0.5">
-                        <div className="mt-0.5 text-xl font-semibold">Inject secrets locally</div>
-                        <div className="text-sm font-normal">
-                          Replace .env files with a more secure and efficient alternative.
-                        </div>
+                <>
+                  <LearningItemSquare
+                    text="Add your secrets"
+                    subText="Drop a .env file or type your secrets."
+                    complete={hasUserPushedSecrets}
+                    icon={faPlus}
+                    time="1 min"
+                    userAction="first_time_secrets_pushed"
+                    link={`/project/${orgWorkspaces[0]?.id}/secrets/overview`}
+                  />
+                  <LearningItemSquare
+                    text="Invite your teammates"
+                    subText="Infisical is better used as a team."
+                    complete={usersInOrg}
+                    icon={faUserPlus}
+                    time="2 min"
+                    link={`/org/${router.query.id}/members?action=invite`}
+                  />
+                </>
+              )}
+              <div className="block xl:hidden 2xl:block">
+                <LearningItemSquare
+                  text="Join Infisical Slack"
+                  subText="Have any questions? Ask us!"
+                  complete={hasUserClickedSlack}
+                  icon={faSlack}
+                  time="1 min"
+                  userAction="slack_cta_clicked"
+                  link="https://infisical.com/slack"
+                />
+              </div>
+            </div>
+            {orgWorkspaces.length !== 0 && (
+              <div className="group relative mb-3 flex h-full w-full cursor-default flex-col items-center justify-between overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-800 pl-2 pr-2 pt-4 pb-2 text-mineshaft-100 shadow-xl duration-200">
+                <div className="mb-4 flex w-full flex-row items-center pr-4">
+                  <div className="mr-4 flex w-full flex-row items-center">
+                    <FontAwesomeIcon icon={faNetworkWired} className="mx-2 w-16 text-4xl" />
+                    {false && (
+                      <div className="absolute left-12 top-10 flex h-7 w-7 items-center justify-center rounded-full bg-bunker-500 p-2 group-hover:bg-mineshaft-700">
+                        <FontAwesomeIcon
+                          icon={faCheckCircle}
+                          className="h-5 w-5 text-4xl text-green"
+                        />
+                      </div>
+                    )}
+                    <div className="flex flex-col items-start pl-0.5">
+                      <div className="mt-0.5 text-xl font-semibold">Inject secrets locally</div>
+                      <div className="text-sm font-normal">
+                        Replace .env files with a more secure and efficient alternative.
                      </div>
                    </div>
-                    <div
-                      className={`w-28 pr-4 text-right text-sm font-semibold ${false && "text-green"
-                        }`}
-                    >
-                      About 2 min
-                    </div>
                  </div>
-                  <TabsObject />
-                  {false && <div className="absolute bottom-0 left-0 h-1 w-full bg-green" />}
+                  <div
+                    className={`w-28 pr-4 text-right text-sm font-semibold ${
+                      false && "text-green"
+                    }`}
+                  >
+                    About 2 min
+                  </div>
                </div>
-              )}
-              {orgWorkspaces.length !== 0 && (
-                <LearningItem
-                  text="Integrate Infisical with your infrastructure"
-                  subText="Connect Infisical to various 3rd party services and platforms."
-                  complete={false}
-                  icon={faPlug}
-                  time="15 min"
-                  link="https://infisical.com/docs/integrations/overview"
-                />
-              )}
-            </div>
-          )}
+                <TabsObject />
+                {false && <div className="absolute bottom-0 left-0 h-1 w-full bg-green" />}
+              </div>
+            )}
+            {orgWorkspaces.length !== 0 && (
+              <LearningItem
+                text="Integrate Infisical with your infrastructure"
+                subText="Connect Infisical to various 3rd party services and platforms."
+                complete={false}
+                icon={faPlug}
+                time="15 min"
+                link="https://infisical.com/docs/integrations/overview"
+              />
+            )}
+          </div>
+        )}
        <Modal
          isOpen={popUp.addNewWs.isOpen}
          onOpenChange={(isModalOpen) => {
--- a/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/MultiEnvProjectPermission.tsx
+++ b/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/MultiEnvProjectPermission.tsx
@@ -70,6 +70,7 @@ export const MultiEnvProjectPermission = ({
  }, [allRule]);

  const handlePermissionChange = (val: Permission) => {
+    if(!val) return
    switch (val) {
      case Permission.NoAccess: {
        const permissions = getValue("permissions");
@@ -106,7 +107,7 @@ export const MultiEnvProjectPermission = ({
      className={twMerge(
        "rounded-md bg-mineshaft-800 px-10 py-6",
        (selectedPermissionCategory !== Permission.NoAccess || isCustom) &&
-        "border-l-2 border-primary-600"
+          "border-l-2 border-primary-600"
      )}
    >
      <div className="flex items-center space-x-4">
--- a/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/SecretRollbackPermission.tsx
+++ b/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/SecretRollbackPermission.tsx
@@ -53,6 +53,7 @@ export const SecretRollbackPermission = ({ isNonEditable, setValue, control }: P
  }, [selectedPermissionCategory]);

  const handlePermissionChange = (val: Permission) => {
+    if(!val) return;
    if (val === Permission.Custom) setIsCustom.on();
    else setIsCustom.off();

--- a/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/SingleProjectPermission.tsx
+++ b/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/SingleProjectPermission.tsx
@@ -98,6 +98,7 @@ export const SingleProjectPermission = ({
  }, [selectedPermissionCategory]);

  const handlePermissionChange = (val: Permission) => {
+    if(!val) return;
    if (val === Permission.Custom) setIsCustom.on();
    else setIsCustom.off();

--- a/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/WsProjectPermission.tsx
+++ b/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleModifySection/WsProjectPermission.tsx
@@ -52,6 +52,7 @@ export const WsProjectPermission = ({ isNonEditable, setValue, control }: Props)
  }, [selectedPermissionCategory]);

  const handlePermissionChange = (val: Permission) => {
+    if(!val) return;
    if (val === Permission.Custom) setIsCustom.on();
    else setIsCustom.off();

--- a/frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx
@@ -393,15 +393,15 @@ export const SecretDetailSidebar = ({
                      {(isAllowed) => (
                        <Switch
                          id="skipmultiencoding-option"
-                          onCheckedChange={(isChecked) => onChange(!isChecked)}
-                          isChecked={!value}
+                          onCheckedChange={(isChecked) => onChange(isChecked)}
+                          isChecked={value}
                          onBlur={onBlur}
                          isDisabled={!isAllowed}
                          className="items-center"
                        >
-                          Enable multi line encoding
+                          Multi line encoding
                          <Tooltip
-                            content="Infisical encodes multiline secrets by escaping newlines and wrapping in quotes. To disable, enable this option"
+                            content="When enabled, multiline secrets will be handled by escaping newlines and enclosing the entire value in double quotes."
                            className="z-[100]"
                          >
                            <FontAwesomeIcon icon={faCircleQuestion} className="ml-1" size="sm" />
--- a/frontend/src/views/SecretOverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx
+++ b/frontend/src/views/SecretOverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx
@@ -29,7 +29,7 @@ type Props = {
  onSecretCreate: (env: string, key: string, value: string) => Promise<void>;
  onSecretUpdate: (env: string, key: string, value: string, secretId?: string) => Promise<void>;
  onSecretDelete: (env: string, key: string, secretId?: string) => Promise<void>;
-  isImportedSecretPresentInEnv: (name: string, env: string, secretName: string) => boolean;
+  isImportedSecretPresentInEnv: (env: string, secretName: string) => boolean;
 };

 export const SecretOverviewTableRow = ({
@@ -53,9 +53,8 @@ export const SecretOverviewTableRow = ({
    <>
      <Tr isHoverable isSelectable onClick={() => setIsFormExpanded.toggle()} className="group">
        <Td
-          className={`sticky left-0 z-10 bg-mineshaft-800 bg-clip-padding py-0 px-0 group-hover:bg-mineshaft-700 ${
-            isFormExpanded && "border-t-2 border-mineshaft-500"
-          }`}
+          className={`sticky left-0 z-10 bg-mineshaft-800 bg-clip-padding py-0 px-0 group-hover:bg-mineshaft-700 ${isFormExpanded && "border-t-2 border-mineshaft-500"
+            }`}
        >
          <div className="h-full w-full border-r border-mineshaft-600 py-2.5 px-5">
            <div className="flex items-center space-x-5">
@@ -83,7 +82,7 @@ export const SecretOverviewTableRow = ({
        {environments.map(({ slug }, i) => {
          const secret = getSecretByKey(slug, secretKey);

-          const isSecretImported = isImportedSecretPresentInEnv(secretPath, slug, secretKey);
+          const isSecretImported = isImportedSecretPresentInEnv(slug, secretKey);

          const isSecretPresent = Boolean(secret);
          const isSecretEmpty = secret?.value === "";
@@ -108,8 +107,8 @@ export const SecretOverviewTableRow = ({
                        isSecretPresent
                          ? "Present secret"
                          : isSecretImported
-                          ? "Imported secret"
-                          : "Missing secret"
+                            ? "Imported secret"
+                            : "Missing secret"
                      }
                    >
                      <FontAwesomeIcon
@@ -133,9 +132,8 @@ export const SecretOverviewTableRow = ({
        <Tr>
          <Td
            colSpan={totalCols}
-            className={`bg-bunker-600 px-0 py-0 ${
-              isFormExpanded && "border-b-2 border-mineshaft-500"
-            }`}
+            className={`bg-bunker-600 px-0 py-0 ${isFormExpanded && "border-b-2 border-mineshaft-500"
+              }`}
          >
            <div
              className="ml-2 p-2"
@@ -180,11 +178,7 @@ export const SecretOverviewTableRow = ({
                      const secret = getSecretByKey(slug, secretKey);
                      const isCreatable = !secret;

-                      const isImportedSecret = isImportedSecretPresentInEnv(
-                        secretPath,
-                        slug,
-                        secretKey
-                      );
+                      const isImportedSecret = isImportedSecretPresentInEnv(slug, secretKey);

                      return (
                        <tr
--- a/frontend/src/views/Settings/ProjectSettingsPage/components/PointInTimeVersionLimitSection/PointInTimeVersionLimitSection.tsx
+++ b/frontend/src/views/Settings/ProjectSettingsPage/components/PointInTimeVersionLimitSection/PointInTimeVersionLimitSection.tsx
@@ -0,0 +1,92 @@
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, Input } from "@app/components/v2";
+import { useProjectPermission, useWorkspace } from "@app/context";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { useUpdateWorkspaceVersionLimit } from "@app/hooks/api/workspace/queries";
+
+const formSchema = z.object({
+  pitVersionLimit: z.coerce.number().min(1).max(100)
+});
+
+type TForm = z.infer<typeof formSchema>;
+
+export const PointInTimeVersionLimitSection = () => {
+  const { mutateAsync: updatePitVersion } = useUpdateWorkspaceVersionLimit();
+
+  const { currentWorkspace } = useWorkspace();
+  const { membership } = useProjectPermission();
+
+  const {
+    control,
+    formState: { isSubmitting, isDirty },
+    handleSubmit
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      pitVersionLimit: currentWorkspace?.pitVersionLimit || 10
+    }
+  });
+
+  if (!currentWorkspace) return null;
+
+  const handleVersionLimitSubmit = async ({ pitVersionLimit }: TForm) => {
+    try {
+      await updatePitVersion({
+        pitVersionLimit,
+        projectSlug: currentWorkspace.slug
+      });
+
+      createNotification({
+        text: "Successfully updated version limit",
+        type: "success"
+      });
+    } catch (err) {
+      createNotification({
+        text: "Failed updating project's version limit",
+        type: "error"
+      });
+    }
+  };
+
+  const isAdmin = membership.roles.includes(ProjectMembershipRole.Admin);
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="flex w-full items-center justify-between">
+        <p className="text-xl font-semibold">Version Retention</p>
+      </div>
+      <p className="mb-4 mt-2 max-w-2xl text-sm text-gray-400">
+      This defines the maximum number of recent secret versions to keep per folder. Excess versions will be removed at midnight (UTC) each day.
+      </p>
+      <form onSubmit={handleSubmit(handleVersionLimitSubmit)} autoComplete="off">
+        <div className="max-w-xs">
+          <Controller
+            control={control}
+            defaultValue={0}
+            name="pitVersionLimit"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                isError={Boolean(error)}
+                errorText={error?.message}
+                label="Recent versions to keep"
+              >
+                <Input {...field} type="number" min={1} step={1} isDisabled={!isAdmin} />
+              </FormControl>
+            )}
+          />
+        </div>
+        <Button
+          colorSchema="secondary"
+          type="submit"
+          isLoading={isSubmitting}
+          disabled={!isAdmin || !isDirty}
+        >
+          Save
+        </Button>
+      </form>
+    </div>
+  );
+};
--- a/frontend/src/views/Settings/ProjectSettingsPage/components/PointInTimeVersionLimitSection/index.tsx
+++ b/frontend/src/views/Settings/ProjectSettingsPage/components/PointInTimeVersionLimitSection/index.tsx
@@ -0,0 +1 @@
+export { PointInTimeVersionLimitSection } from "./PointInTimeVersionLimitSection";
--- a/frontend/src/views/Settings/ProjectSettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx
+++ b/frontend/src/views/Settings/ProjectSettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx
@@ -3,6 +3,7 @@ import { BackfillSecretReferenceSecretion } from "../BackfillSecretReferenceSect
 import { DeleteProjectSection } from "../DeleteProjectSection";
 import { E2EESection } from "../E2EESection";
 import { EnvironmentSection } from "../EnvironmentSection";
+import { PointInTimeVersionLimitSection } from "../PointInTimeVersionLimitSection";
 import { ProjectNameChangeSection } from "../ProjectNameChangeSection";
 import { SecretTagsSection } from "../SecretTagsSection";

@@ -14,6 +15,7 @@ export const ProjectGeneralTab = () => {
      <SecretTagsSection />
      <AutoCapitalizationSection />
      <E2EESection />
+      <PointInTimeVersionLimitSection />
      <BackfillSecretReferenceSecretion />
      <DeleteProjectSection />
    </div>
--- a/frontend/src/views/ShareSecretPublicPage/ShareSecretPublicPage.tsx
+++ b/frontend/src/views/ShareSecretPublicPage/ShareSecretPublicPage.tsx
@@ -7,7 +7,7 @@ import { decryptSymmetric } from "@app/components/utilities/cryptography/crypto"
 import { useTimedReset } from "@app/hooks";
 import { useGetActiveSharedSecretByIdAndHashedHex } from "@app/hooks/api/secretSharing";

-import { DragonMainImage, SecretTable } from "./components";
+import { SecretTable } from "./components";

 export const ShareSecretPublicPage = () => {
  const router = useRouter();
@@ -68,7 +68,7 @@ export const ShareSecretPublicPage = () => {
        A secret has been shared with you securely via Infisical
      </p>
      <div className="flex min-h-screen w-full flex-col md:flex-row">
-        <DragonMainImage />
+        {/* <DragonMainImage /> */}
        <div className="m-4 flex flex-1 flex-col items-center justify-start md:m-0">
          <p className="mt-8 mb-2 text-xl font-semibold text-mineshaft-100 md:mt-20">
            Shared Secret
--- a/frontend/src/views/admin/DashboardPage/DashboardPage.tsx
+++ b/frontend/src/views/admin/DashboardPage/DashboardPage.tsx
@@ -18,12 +18,16 @@ import {
  Tab,
  TabList,
  TabPanel,
-  Tabs} from "@app/components/v2";
+  Tabs
+} from "@app/components/v2";
 import { useOrganization, useServerConfig, useUser } from "@app/context";
 import { useUpdateServerConfig } from "@app/hooks/api";

+import { RateLimitPanel } from "./RateLimitPanel";
+
 enum TabSections {
-  Settings = "settings"
+  Settings = "settings",
+  RateLimit = "rate-limit"
 }

 enum SignUpModes {
@@ -117,6 +121,7 @@ export const AdminDashboardPage = () => {
            <TabList>
              <div className="flex w-full flex-row border-b border-mineshaft-600">
                <Tab value={TabSections.Settings}>General</Tab>
+                <Tab value={TabSections.RateLimit}>Rate Limit</Tab>
              </div>
            </TabList>
            <TabPanel value={TabSections.Settings}>
@@ -233,6 +238,9 @@ export const AdminDashboardPage = () => {
                </Button>
              </form>
            </TabPanel>
+            <TabPanel value={TabSections.RateLimit}>
+              <RateLimitPanel />
+            </TabPanel>
          </Tabs>
        </div>
      )}
--- a/frontend/src/views/admin/DashboardPage/RateLimitPanel.tsx
+++ b/frontend/src/views/admin/DashboardPage/RateLimitPanel.tsx
@@ -0,0 +1,250 @@
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, ContentLoader, FormControl, Input } from "@app/components/v2";
+import { useGetRateLimit, useUpdateRateLimit } from "@app/hooks/api";
+
+const formSchema = z.object({
+  readRateLimit: z.number(),
+  writeRateLimit: z.number(),
+  secretsRateLimit: z.number(),
+  authRateLimit: z.number(),
+  inviteUserRateLimit: z.number(),
+  mfaRateLimit: z.number(),
+  creationLimit: z.number(),
+  publicEndpointLimit: z.number()
+});
+
+type TRateLimitForm = z.infer<typeof formSchema>;
+
+export const RateLimitPanel = () => {
+  const { data: rateLimit, isLoading } = useGetRateLimit();
+  const { mutateAsync: updateRateLimit } = useUpdateRateLimit();
+
+  const {
+    control,
+    handleSubmit,
+    formState: { isSubmitting, isDirty }
+  } = useForm<TRateLimitForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      // eslint-disable-next-line
+      readRateLimit: rateLimit?.readRateLimit ?? 600,
+      writeRateLimit: rateLimit?.writeRateLimit ?? 200,
+      secretsRateLimit: rateLimit?.secretsRateLimit ?? 60,
+      authRateLimit: rateLimit?.authRateLimit ?? 60,
+      inviteUserRateLimit: rateLimit?.inviteUserRateLimit ?? 30,
+      mfaRateLimit: rateLimit?.mfaRateLimit ?? 20,
+      creationLimit: rateLimit?.creationLimit ?? 30,
+      publicEndpointLimit: rateLimit?.publicEndpointLimit ?? 30
+    }
+  });
+
+  const onRateLimitFormSubmit = async (formData: TRateLimitForm) => {
+    try {
+      const {
+        readRateLimit,
+        writeRateLimit,
+        secretsRateLimit,
+        authRateLimit,
+        inviteUserRateLimit,
+        mfaRateLimit,
+        creationLimit,
+        publicEndpointLimit
+      } = formData;
+
+      await updateRateLimit({
+        readRateLimit,
+        writeRateLimit,
+        secretsRateLimit,
+        authRateLimit,
+        inviteUserRateLimit,
+        mfaRateLimit,
+        creationLimit,
+        publicEndpointLimit
+      });
+      createNotification({
+        text: "Rate limits have been successfully updated. Please allow at least 10 minutes for the changes to take effect.",
+        type: "success"
+      });
+    } catch (e) {
+      console.error(e);
+      createNotification({
+        type: "error",
+        text: "Failed to update rate limiting setting."
+      });
+    }
+  };
+
+  return isLoading ? (
+    <ContentLoader />
+  ) : (
+    <form
+      className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
+      onSubmit={handleSubmit(onRateLimitFormSubmit)}
+    >
+      <div className="mb-8 flex flex-col justify-start">
+        <div className="mb-4 text-xl font-semibold text-mineshaft-100">
+          Configure rate limits
+        </div>
+        <Controller
+          control={control}
+          name="readRateLimit"
+          defaultValue={300}
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Global read requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="writeRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Global write requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="secretsRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Secret requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="authRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Auth requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="inviteUserRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="User invitation requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="mfaRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Multi factor auth requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="creationLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="New resource creation requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="publicEndpointLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Secret sharing requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+      </div>
+      <Button type="submit" isLoading={isSubmitting} isDisabled={isSubmitting || !isDirty}>
+        Save
+      </Button>
+    </form>
+  );
+};
--- a/helm-charts/secrets-operator/Chart.yaml
+++ b/helm-charts/secrets-operator/Chart.yaml
@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v0.5.2
+version: v0.6.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.5.2"
+appVersion: "v0.6.0"
--- a/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
@@ -37,6 +37,135 @@ spec:
            properties:
              authentication:
                properties:
+                  awsIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    type: object
+                  azureAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    type: object
+                  gcpIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                      serviceAccountKeyFilePath:
+                        type: string
+                    required:
+                    - identityId
+                    - secretsScope
+                    - serviceAccountKeyFilePath
+                    type: object
+                  gcpIdTokenAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    type: object
+                  kubernetesAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                      serviceAccountRef:
+                        properties:
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - name
+                        - namespace
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    - serviceAccountRef
+                    type: object
                  serviceAccount:
                    properties:
                      environmentName:
--- a/helm-charts/secrets-operator/values.yaml
+++ b/helm-charts/secrets-operator/values.yaml
@@ -32,7 +32,7 @@ controllerManager:
        - ALL
    image:
      repository: infisical/kubernetes-operator
-      tag: v0.5.2 # fixed to prevent accidental upgrade
+      tag: v0.6.0
    resources:
      limits:
        cpu: 500m
--- a/k8-operator/api/v1alpha1/infisicalsecret_types.go
+++ b/k8-operator/api/v1alpha1/infisicalsecret_types.go
@@ -11,6 +11,16 @@ type Authentication struct {
 	ServiceToken ServiceTokenDetails `json:"serviceToken"`
 	// +kubebuilder:validation:Optional
 	UniversalAuth UniversalAuthDetails `json:"universalAuth"`
+	// +kubebuilder:validation:Optional
+	KubernetesAuth KubernetesAuthDetails `json:"kubernetesAuth"`
+	// +kubebuilder:validation:Optional
+	AwsIamAuth AWSIamAuthDetails `json:"awsIamAuth"`
+	// +kubebuilder:validation:Optional
+	AzureAuth AzureAuthDetails `json:"azureAuth"`
+	// +kubebuilder:validation:Optional
+	GcpIdTokenAuth GCPIdTokenAuthDetails `json:"gcpIdTokenAuth"`
+	// +kubebuilder:validation:Optional
+	GcpIamAuth GcpIamAuthDetails `json:"gcpIamAuth"`
 }

 type UniversalAuthDetails struct {
@@ -20,6 +30,57 @@ type UniversalAuthDetails struct {
 	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
 }

+type KubernetesAuthDetails struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+	// +kubebuilder:validation:Required
+	ServiceAccountRef KubernetesServiceAccountRef `json:"serviceAccountRef"`
+
+	// +kubebuilder:validation:Required
+	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
+}
+
+type KubernetesServiceAccountRef struct {
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+	// +kubebuilder:validation:Required
+	Namespace string `json:"namespace"`
+}
+
+type AWSIamAuthDetails struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+
+	// +kubebuilder:validation:Required
+	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
+}
+
+type AzureAuthDetails struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+
+	// +kubebuilder:validation:Required
+	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
+}
+
+type GCPIdTokenAuthDetails struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+
+	// +kubebuilder:validation:Required
+	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
+}
+
+type GcpIamAuthDetails struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+	// +kubebuilder:validation:Required
+	ServiceAccountKeyFilePath string `json:"serviceAccountKeyFilePath"`
+
+	// +kubebuilder:validation:Required
+	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
+}
+
 type ServiceTokenDetails struct {
 	// +kubebuilder:validation:Required
 	ServiceTokenSecretReference KubeSecretReference `json:"serviceTokenSecretReference"`
--- a/k8-operator/api/v1alpha1/zz_generated.deepcopy.go
+++ b/k8-operator/api/v1alpha1/zz_generated.deepcopy.go
@@ -26,12 +26,33 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSIamAuthDetails) DeepCopyInto(out *AWSIamAuthDetails) {
+	*out = *in
+	out.SecretsScope = in.SecretsScope
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSIamAuthDetails.
+func (in *AWSIamAuthDetails) DeepCopy() *AWSIamAuthDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSIamAuthDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Authentication) DeepCopyInto(out *Authentication) {
 	*out = *in
 	out.ServiceAccount = in.ServiceAccount
 	out.ServiceToken = in.ServiceToken
 	out.UniversalAuth = in.UniversalAuth
+	out.KubernetesAuth = in.KubernetesAuth
+	out.AwsIamAuth = in.AwsIamAuth
+	out.AzureAuth = in.AzureAuth
+	out.GcpIdTokenAuth = in.GcpIdTokenAuth
+	out.GcpIamAuth = in.GcpIamAuth
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authentication.
@@ -44,6 +65,54 @@ func (in *Authentication) DeepCopy() *Authentication {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureAuthDetails) DeepCopyInto(out *AzureAuthDetails) {
+	*out = *in
+	out.SecretsScope = in.SecretsScope
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureAuthDetails.
+func (in *AzureAuthDetails) DeepCopy() *AzureAuthDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureAuthDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPIdTokenAuthDetails) DeepCopyInto(out *GCPIdTokenAuthDetails) {
+	*out = *in
+	out.SecretsScope = in.SecretsScope
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPIdTokenAuthDetails.
+func (in *GCPIdTokenAuthDetails) DeepCopy() *GCPIdTokenAuthDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPIdTokenAuthDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GcpIamAuthDetails) DeepCopyInto(out *GcpIamAuthDetails) {
+	*out = *in
+	out.SecretsScope = in.SecretsScope
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpIamAuthDetails.
+func (in *GcpIamAuthDetails) DeepCopy() *GcpIamAuthDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(GcpIamAuthDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InfisicalSecret) DeepCopyInto(out *InfisicalSecret) {
 	*out = *in
@@ -158,6 +227,38 @@ func (in *KubeSecretReference) DeepCopy() *KubeSecretReference {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesAuthDetails) DeepCopyInto(out *KubernetesAuthDetails) {
+	*out = *in
+	out.ServiceAccountRef = in.ServiceAccountRef
+	out.SecretsScope = in.SecretsScope
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuthDetails.
+func (in *KubernetesAuthDetails) DeepCopy() *KubernetesAuthDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesAuthDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesServiceAccountRef) DeepCopyInto(out *KubernetesServiceAccountRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServiceAccountRef.
+func (in *KubernetesServiceAccountRef) DeepCopy() *KubernetesServiceAccountRef {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesServiceAccountRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MachineIdentityScopeInWorkspace) DeepCopyInto(out *MachineIdentityScopeInWorkspace) {
 	*out = *in
--- a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
+++ b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
@@ -37,6 +37,135 @@ spec:
            properties:
              authentication:
                properties:
+                  awsIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    type: object
+                  azureAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    type: object
+                  gcpIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                      serviceAccountKeyFilePath:
+                        type: string
+                    required:
+                    - identityId
+                    - secretsScope
+                    - serviceAccountKeyFilePath
+                    type: object
+                  gcpIdTokenAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    type: object
+                  kubernetesAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      secretsScope:
+                        properties:
+                          envSlug:
+                            type: string
+                          projectSlug:
+                            type: string
+                          recursive:
+                            type: boolean
+                          secretsPath:
+                            type: string
+                        required:
+                        - envSlug
+                        - projectSlug
+                        - secretsPath
+                        type: object
+                      serviceAccountRef:
+                        properties:
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - name
+                        - namespace
+                        type: object
+                    required:
+                    - identityId
+                    - secretsScope
+                    - serviceAccountRef
+                    type: object
                  serviceAccount:
                    properties:
                      environmentName:
--- a/k8-operator/config/samples/k8s-auth/cluster-role-binding.yaml
+++ b/k8-operator/config/samples/k8s-auth/cluster-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: role-tokenreview-binding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: infisical-auth
+    namespace: default
--- a/k8-operator/config/samples/k8s-auth/infisical-service-account.yaml
+++ b/k8-operator/config/samples/k8s-auth/infisical-service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: infisical-auth
+  namespace: default
--- a/k8-operator/config/samples/k8s-auth/sample.yaml
+++ b/k8-operator/config/samples/k8s-auth/sample.yaml
@@ -0,0 +1,32 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+    name: infisicalsecret-sample
+    labels:
+        label-to-be-passed-to-managed-secret: sample-value
+    annotations:
+        example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+spec:
+    hostAPI: https://app.infisical.com/api
+    resyncInterval: 10
+    authentication:
+        # Native Kubernetes Auth
+        kubernetesAuth:
+            identityId: <>
+            serviceAccountRef:
+              name: infisical-auth
+              namespace: default
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: dsf-gpb-t
+                envSlug: dev
+                secretsPath: "/"
+                recursive: true
+
+
+    managedSecretReference:
+        secretName: managed-secret-k8s
+        secretNamespace: default
+        creationPolicy: "Orphan" ## Owner | Orphan
+        # secretType: kubernetes.io/dockerconfigjson
--- a/k8-operator/config/samples/k8s-auth/service-account-token.yaml
+++ b/k8-operator/config/samples/k8s-auth/service-account-token.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: infisical-auth-token
+  annotations:
+    kubernetes.io/service-account.name: "infisical-auth"
--- a/k8-operator/config/samples/sample.yaml
+++ b/k8-operator/config/samples/sample.yaml
@@ -12,26 +12,85 @@ spec:
    authentication:
        # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
        # If you have multiple authentication methods defined, it may cause issues.
+
+        # (Deprecated) Service Token Auth
        serviceToken:
            serviceTokenSecretReference:
                secretName: service-token
                secretNamespace: default
            secretsScope:
                envSlug: <env-slug>
-                secretsPath: <secrets-path> # Root is "/"
-                recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+                secretsPath: <secrets-path>
+                recursive: true

+        # Universal Auth
        universalAuth:
            secretsScope:
-                projectSlug: <project-slug>
-                envSlug: <env-slug> # "dev", "staging", "prod", etc..
-                secretsPath: "<secrets-path>" # Root is "/"
+                projectSlug: new-ob-em
+                envSlug: dev # "dev", "staging", "prod", etc..
+                secretsPath: "/" # Root is "/"
                recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
-
            credentialsRef:
                secretName: universal-auth-credentials
                secretNamespace: default

+        # Native Kubernetes Auth
+        kubernetesAuth:
+            identityId: <machine-identity-id>
+            serviceAccountTokenPath: "/path/to/your/service-account/token" # Optional, defaults to /var/run/secrets/kubernetes.io/serviceaccount/token
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # AWS IAM Auth
+        awsIamAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # Azure Auth
+        azureAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # GCP ID Token Auth
+        gcpIdTokenAuth:
+            identityId: <your-machine-identity-id>
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
+        # GCP IAM Auth
+        gcpIamAuth:
+            identityId: <your-machine-identity-id>
+            serviceAccountKeyFilePath: "/path/to-service-account-key-file-path.json"
+
+            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+            secretsScope:
+                projectSlug: your-project-slug
+                envSlug: prod
+                secretsPath: "/path"
+                recursive: true
+
    managedSecretReference:
        secretName: managed-secret
        secretNamespace: default
--- a/k8-operator/controllers/conditions.go
+++ b/k8-operator/controllers/conditions.go
@@ -40,7 +40,7 @@ func (r *InfisicalSecretReconciler) SetReadyToSyncSecretsConditions(ctx context.
 	return r.Client.Status().Update(ctx, infisicalSecret)
 }

-func (r *InfisicalSecretReconciler) SetInfisicalTokenLoadCondition(ctx context.Context, infisicalSecret *v1alpha1.InfisicalSecret, errorToConditionOn error) {
+func (r *InfisicalSecretReconciler) SetInfisicalTokenLoadCondition(ctx context.Context, infisicalSecret *v1alpha1.InfisicalSecret, authStrategy AuthStrategyType, errorToConditionOn error) {
 	if infisicalSecret.Status.Conditions == nil {
 		infisicalSecret.Status.Conditions = []metav1.Condition{}
 	}
@@ -50,7 +50,7 @@ func (r *InfisicalSecretReconciler) SetInfisicalTokenLoadCondition(ctx context.C
 			Type:    "secrets.infisical.com/LoadedInfisicalToken",
 			Status:  metav1.ConditionTrue,
 			Reason:  "OK",
-			Message: "Infisical controller has located the Infisical token in provided Kubernetes secret",
+			Message: fmt.Sprintf("Infisical controller has loaded the Infisical token in provided Kubernetes secret, using %v authentication strategy", authStrategy),
 		})
 	} else {
 		meta.SetStatusCondition(&infisicalSecret.Status.Conditions, metav1.Condition{
--- a/k8-operator/controllers/infisicalsecret_auth.go
+++ b/k8-operator/controllers/infisicalsecret_auth.go
@@ -0,0 +1,150 @@
+package controllers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+	"github.com/Infisical/infisical/k8-operator/packages/util"
+	infisicalSdk "github.com/infisical/go-sdk"
+)
+
+type AuthStrategyType string
+
+var AuthStrategy = struct {
+	SERVICE_TOKEN                 AuthStrategyType
+	SERVICE_ACCOUNT               AuthStrategyType
+	UNIVERSAL_MACHINE_IDENTITY    AuthStrategyType
+	KUBERNETES_MACHINE_IDENTITY   AuthStrategyType
+	AWS_IAM_MACHINE_IDENTITY      AuthStrategyType
+	AZURE_MACHINE_IDENTITY        AuthStrategyType
+	GCP_ID_TOKEN_MACHINE_IDENTITY AuthStrategyType
+	GCP_IAM_MACHINE_IDENTITY      AuthStrategyType
+}{
+	SERVICE_TOKEN:                 "SERVICE_TOKEN",
+	SERVICE_ACCOUNT:               "SERVICE_ACCOUNT",
+	UNIVERSAL_MACHINE_IDENTITY:    "UNIVERSAL_MACHINE_IDENTITY",
+	KUBERNETES_MACHINE_IDENTITY:   "KUBERNETES_AUTH_MACHINE_IDENTITY",
+	AWS_IAM_MACHINE_IDENTITY:      "AWS_IAM_MACHINE_IDENTITY",
+	AZURE_MACHINE_IDENTITY:        "AZURE_MACHINE_IDENTITY",
+	GCP_ID_TOKEN_MACHINE_IDENTITY: "GCP_ID_TOKEN_MACHINE_IDENTITY",
+	GCP_IAM_MACHINE_IDENTITY:      "GCP_IAM_MACHINE_IDENTITY",
+}
+
+type AuthenticationDetails struct {
+	authStrategy          AuthStrategyType
+	machineIdentityScope  v1alpha1.MachineIdentityScopeInWorkspace // This will only be set if a machine identity auth method is used (e.g. UniversalAuth or KubernetesAuth, etc.)
+	isMachineIdentityAuth bool
+}
+
+var ErrAuthNotApplicable = errors.New("authentication not applicable")
+
+func (r *InfisicalSecretReconciler) handleUniversalAuth(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (AuthenticationDetails, error) {
+
+	// Machine Identities:
+	universalAuthKubeSecret, err := r.GetInfisicalUniversalAuthFromKubeSecret(ctx, infisicalSecret)
+	universalAuthSpec := infisicalSecret.Spec.Authentication.UniversalAuth
+
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("ReconcileInfisicalSecret: unable to get machine identity creds from kube secret [err=%s]", err)
+	}
+
+	if universalAuthKubeSecret.ClientId == "" && universalAuthKubeSecret.ClientSecret == "" {
+		return AuthenticationDetails{}, ErrAuthNotApplicable
+	}
+
+	_, err = infisicalClient.Auth().UniversalAuthLogin(universalAuthKubeSecret.ClientId, universalAuthKubeSecret.ClientSecret)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to login with machine identity credentials [err=%s]", err)
+	}
+
+	fmt.Println("Successfully authenticated with machine identity credentials")
+
+	return AuthenticationDetails{authStrategy: AuthStrategy.UNIVERSAL_MACHINE_IDENTITY, machineIdentityScope: universalAuthSpec.SecretsScope, isMachineIdentityAuth: true}, nil
+
+}
+
+func (r *InfisicalSecretReconciler) handleKubernetesAuth(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (AuthenticationDetails, error) {
+	kubernetesAuthSpec := infisicalSecret.Spec.Authentication.KubernetesAuth
+
+	if kubernetesAuthSpec.IdentityID == "" {
+		return AuthenticationDetails{}, ErrAuthNotApplicable
+	}
+
+	serviceAccountToken, err := util.GetServiceAccountToken(r.Client, kubernetesAuthSpec.ServiceAccountRef.Namespace, kubernetesAuthSpec.ServiceAccountRef.Name)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to get service account token [err=%s]", err)
+	}
+
+	_, err = infisicalClient.Auth().KubernetesRawServiceAccountTokenLogin(kubernetesAuthSpec.IdentityID, serviceAccountToken)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to login with Kubernetes native auth [err=%s]", err)
+	}
+
+	return AuthenticationDetails{authStrategy: AuthStrategy.KUBERNETES_MACHINE_IDENTITY, machineIdentityScope: kubernetesAuthSpec.SecretsScope, isMachineIdentityAuth: true}, nil
+
+}
+
+func (r *InfisicalSecretReconciler) handleAwsIamAuth(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (AuthenticationDetails, error) {
+	awsIamAuthSpec := infisicalSecret.Spec.Authentication.AwsIamAuth
+
+	if awsIamAuthSpec.IdentityID == "" {
+		return AuthenticationDetails{}, ErrAuthNotApplicable
+	}
+
+	_, err := infisicalClient.Auth().AwsIamAuthLogin(awsIamAuthSpec.IdentityID)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to login with AWS IAM auth [err=%s]", err)
+	}
+
+	return AuthenticationDetails{authStrategy: AuthStrategy.AWS_IAM_MACHINE_IDENTITY, machineIdentityScope: awsIamAuthSpec.SecretsScope, isMachineIdentityAuth: true}, nil
+
+}
+
+func (r *InfisicalSecretReconciler) handleAzureAuth(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (AuthenticationDetails, error) {
+	azureAuthSpec := infisicalSecret.Spec.Authentication.AzureAuth
+
+	if azureAuthSpec.IdentityID == "" {
+		return AuthenticationDetails{}, ErrAuthNotApplicable
+	}
+
+	_, err := infisicalClient.Auth().AzureAuthLogin(azureAuthSpec.IdentityID)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to login with Azure auth [err=%s]", err)
+	}
+
+	return AuthenticationDetails{authStrategy: AuthStrategy.AZURE_MACHINE_IDENTITY, machineIdentityScope: azureAuthSpec.SecretsScope, isMachineIdentityAuth: true}, nil
+
+}
+
+func (r *InfisicalSecretReconciler) handleGcpIdTokenAuth(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (AuthenticationDetails, error) {
+	gcpIdTokenSpec := infisicalSecret.Spec.Authentication.GcpIdTokenAuth
+
+	if gcpIdTokenSpec.IdentityID == "" {
+		return AuthenticationDetails{}, ErrAuthNotApplicable
+	}
+
+	_, err := infisicalClient.Auth().GcpIdTokenAuthLogin(gcpIdTokenSpec.IdentityID)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to login with GCP Id Token auth [err=%s]", err)
+	}
+
+	return AuthenticationDetails{authStrategy: AuthStrategy.GCP_ID_TOKEN_MACHINE_IDENTITY, machineIdentityScope: gcpIdTokenSpec.SecretsScope, isMachineIdentityAuth: true}, nil
+
+}
+
+func (r *InfisicalSecretReconciler) handleGcpIamAuth(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (AuthenticationDetails, error) {
+	gcpIamSpec := infisicalSecret.Spec.Authentication.GcpIamAuth
+
+	if gcpIamSpec.IdentityID == "" && gcpIamSpec.ServiceAccountKeyFilePath == "" {
+		return AuthenticationDetails{}, ErrAuthNotApplicable
+	}
+
+	_, err := infisicalClient.Auth().GcpIamAuthLogin(gcpIamSpec.IdentityID, gcpIamSpec.ServiceAccountKeyFilePath)
+	if err != nil {
+		return AuthenticationDetails{}, fmt.Errorf("unable to login with GCP IAM auth [err=%s]", err)
+	}
+
+	return AuthenticationDetails{authStrategy: AuthStrategy.GCP_IAM_MACHINE_IDENTITY, machineIdentityScope: gcpIamSpec.SecretsScope, isMachineIdentityAuth: true}, nil
+}
--- a/k8-operator/controllers/infisicalsecret_controller.go
+++ b/k8-operator/controllers/infisicalsecret_controller.go
@@ -9,10 +9,11 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	controllerUtil "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

-	"github.com/Infisical/infisical/k8-operator/api/v1alpha1"
 	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
 	"github.com/Infisical/infisical/k8-operator/packages/api"
+	infisicalSdk "github.com/infisical/go-sdk"
 )

 // InfisicalSecretReconciler reconciles a InfisicalSecret object
@@ -32,19 +33,54 @@ type InfisicalSecretReconciler struct {
 // move the current state of the cluster closer to the desired state.
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.13.1/pkg/reconcile
+
+type ResourceVariables struct {
+	infisicalClient infisicalSdk.InfisicalClientInterface
+	authDetails     AuthenticationDetails
+}
+
+// Maps the infisicalSecretCR.UID to a infisicalSdk.InfisicalClientInterface and AuthenticationDetails.
+var resourceVariablesMap = make(map[string]ResourceVariables)
+
+const FINALIZER_NAME = "secrets.finalizers.infisical.com"
+
+func (r *InfisicalSecretReconciler) addFinalizer(ctx context.Context, infisicalSecret *secretsv1alpha1.InfisicalSecret) error {
+	if !controllerUtil.ContainsFinalizer(infisicalSecret, FINALIZER_NAME) {
+		controllerUtil.AddFinalizer(infisicalSecret, FINALIZER_NAME)
+		if err := r.Update(ctx, infisicalSecret); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *InfisicalSecretReconciler) handleFinalizer(ctx context.Context, infisicalSecret *secretsv1alpha1.InfisicalSecret) error {
+	if controllerUtil.ContainsFinalizer(infisicalSecret, FINALIZER_NAME) {
+		// Cleanup deployment variables
+		delete(resourceVariablesMap, string(infisicalSecret.UID))
+
+		// Remove the finalizer and update the resource
+		controllerUtil.RemoveFinalizer(infisicalSecret, FINALIZER_NAME)
+		if err := r.Update(ctx, infisicalSecret); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	var infisicalSecretCR v1alpha1.InfisicalSecret
+	var infisicalSecretCR secretsv1alpha1.InfisicalSecret
 	requeueTime := time.Minute // seconds

 	err := r.Get(ctx, req.NamespacedName, &infisicalSecretCR)
 	if err != nil {
 		if errors.IsNotFound(err) {
-			fmt.Printf("Infisical Secret CRD not found [err=%v]", err)
+			fmt.Printf("\nInfisical Secret CRD not found [err=%v]", err)
 			return ctrl.Result{
 				Requeue: false,
 			}, nil
 		} else {
-			fmt.Printf("Unable to fetch Infisical Secret CRD from cluster because [err=%v]", err)
+			fmt.Printf("\nUnable to fetch Infisical Secret CRD from cluster because [err=%v]", err)
 			return ctrl.Result{
 				RequeueAfter: requeueTime,
 			}, nil
@@ -58,8 +94,20 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		fmt.Printf("\nRe-sync interval set. Interval: %v\n", requeueTime)
 	}

+	// Add the finalizer if it does not exist, and only add it if the resource is not marked for deletion
+	if infisicalSecretCR.GetDeletionTimestamp() == nil || infisicalSecretCR.GetDeletionTimestamp().IsZero() {
+		if err := r.addFinalizer(ctx, &infisicalSecretCR); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	// Check if the resource is already marked for deletion
 	if infisicalSecretCR.GetDeletionTimestamp() != nil {
+		// Handle the finalizer logic
+		if err := r.handleFinalizer(ctx, &infisicalSecretCR); err != nil {
+			return ctrl.Result{}, err
+		}
+
 		return ctrl.Result{
 			Requeue: false,
 		}, nil
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	61d60498a9	Revert "Revert "GH Action: rename new migration file timestamp""	2024-06-14 09:13:29 -04:00
Maidul Islam	93f3395bde	Merge pull request #1969 from Infisical/revert-1967-create-pull-request/patch-1718327327 Revert "GH Action: rename new migration file timestamp"	2024-06-14 09:10:43 -04:00
Maidul Islam	d6060781e4	Revert "GH Action: rename new migration file timestamp"	2024-06-14 09:10:29 -04:00
Maidul Islam	2d8a2a6a3a	remove dragon	2024-06-13 23:33:36 -04:00
Maidul Islam	5eeea767a3	Merge pull request #1967 from Infisical/create-pull-request/patch-1718327327 GH Action: rename new migration file timestamp	2024-06-13 23:09:28 -04:00
github-actions	2b4f5962e2	chore: renamed new migration files to latest timestamp (gh-action)	2024-06-14 01:08:46 +00:00
Maidul Islam	bf14bbfeee	Merge pull request #1965 from Infisical/feat/allow-custom-rate-limits feat: allow custom rate limits	2024-06-13 21:08:24 -04:00
Maidul Islam	fa77dc01df	apply nits for rate limits	2024-06-13 21:01:18 -04:00
Maidul Islam	ed5044a102	Revert "temporary: increase daily clean up interval" This reverts commit `ec7fe013fd`.	2024-06-13 19:59:08 -04:00
Maidul Islam	ec7fe013fd	temporary: increase daily clean up interval	2024-06-13 19:09:06 -04:00
Daniel Hougaard	a26ad6cfb0	Merge pull request #1966 from Infisical/daniel/operator-release-fix Fix: Operator release step	2024-06-14 00:56:58 +02:00
Daniel Hougaard	dd0399d12e	Fix: Remove go toolchain and go mod tidy	2024-06-14 00:48:59 +02:00
Daniel Hougaard	04456fe996	Merge pull request #1954 from Infisical/daniel/k8-operator-go-sdk Feat: K8 operator authentication methods	2024-06-14 00:29:56 +02:00
Daniel Hougaard	2605987289	Helm versioning	2024-06-14 00:25:41 +02:00
Daniel Hougaard	7edcf5ff90	Merge branch 'daniel/k8-operator-go-sdk' of https://github.com/Infisical/infisical into daniel/k8-operator-go-sdk	2024-06-14 00:24:06 +02:00
Daniel Hougaard	3947e3dabf	Helm versioning	2024-06-14 00:23:40 +02:00
Maidul Islam	fe6e5e09ac	nits: update logs format	2024-06-13 17:57:15 -04:00
Daniel Hougaard	068eb9246d	Merge branch 'daniel/k8-operator-go-sdk' of https://github.com/Infisical/infisical into daniel/k8-operator-go-sdk	2024-06-13 22:53:57 +02:00
Daniel Hougaard	3472be480a	Fix: Only add finalizer if not marked for deletion	2024-06-13 22:53:54 +02:00
Maidul Islam	df71ecffa0	uppercase for constants	2024-06-13 16:37:56 -04:00
Daniel Hougaard	68818beb38	Update infisicalsecret_helper.go	2024-06-13 22:36:59 +02:00
Daniel Hougaard	e600b68684	Docs: Updated kubernetes	2024-06-13 22:15:57 +02:00
Sheen Capadngan	b52aebfd92	misc: added error log	2024-06-14 02:55:25 +08:00
Sheen Capadngan	c9e56e4e9f	misc: updated rate limit labels	2024-06-14 02:46:51 +08:00
Maidul Islam	ef03e9bf3b	Merge pull request #1964 from akhilmhdh/feat/ui-permission-check-broken broken permission page fixed	2024-06-13 14:40:09 -04:00
Sheen Capadngan	08a77f6ddb	misc: added missing auth check for rate-limit endpoint	2024-06-14 02:37:01 +08:00
Sheen Capadngan	bc3f21809e	misc: migrated to structured singleton pattern	2024-06-14 02:32:21 +08:00
Sheen Capadngan	46b48cea63	misc: added loader	2024-06-14 01:14:26 +08:00
Sheen Capadngan	44956c6a37	misc: reorganized cron structure and removed unnecessary checks	2024-06-14 00:58:54 +08:00
Sheen Capadngan	4de63b6140	fix: updated test	2024-06-13 19:00:33 +08:00
Sheen Capadngan	5cee228f5f	misc: updated rate limit update message	2024-06-13 18:45:15 +08:00
Sheen Capadngan	20fea1e25f	misc: added flag to disable rate limit updates via API	2024-06-13 18:37:29 +08:00
Sheen Capadngan	d0ffb94bc7	misc: added handling of automatic config sync	2024-06-13 18:19:46 +08:00
=	d3932d8f08	fix(ui): broken permission page fixed	2024-06-13 15:16:00 +05:30
Sheen Capadngan	d5658d374a	misc: finalized backend flow	2024-06-13 16:27:13 +08:00
Sheen Capadngan	810a58c836	Merge remote-tracking branch 'origin/main' into shubham/eng-993-allow-self-hosted-users-to-set-their-own-rate-limits-in	2024-06-13 15:44:50 +08:00
Sheen Capadngan	9e24050f17	misc: addressed review comments	2024-06-13 15:42:15 +08:00
Daniel Hougaard	7057d399bc	Fix: Naming convention	2024-06-13 07:23:36 +02:00
Daniel Hougaard	c63d57f086	Generated	2024-06-13 07:21:48 +02:00
Daniel Hougaard	a9ce3789b0	Helm	2024-06-13 07:21:40 +02:00
Daniel Hougaard	023a0d99ab	Fix: Kubernetes native auth	2024-06-13 07:20:23 +02:00
Daniel Hougaard	5aadc41a4a	Feat: Resource Variables	2024-06-13 07:19:33 +02:00
Daniel Hougaard	4f38352765	Create auth.go	2024-06-13 07:09:04 +02:00
Daniel Hougaard	cf5e367aba	Update SDK	2024-06-13 07:08:11 +02:00
Daniel Hougaard	a70043b80d	Conditioning	2024-06-13 03:05:22 +02:00
Daniel Hougaard	b94db5d674	Standalone infisical SDK instance	2024-06-13 02:55:00 +02:00
Daniel Hougaard	bd6a89fa9a	Feat: Improved authentication handler	2024-06-13 02:25:49 +02:00
Maidul Islam	81513e4a75	remove time ago	2024-06-12 20:17:09 -04:00
Maidul Islam	a28b458653	Merge pull request #1958 from Infisical/feat/added-projects-list-view feat: added projects list view	2024-06-12 19:59:42 -04:00
Maidul Islam	9977329741	add sample resources for k8s auth	2024-06-12 18:25:18 -04:00
Maidul Islam	cd030b0370	Merge pull request #1963 from Infisical/create-pull-request/patch-1718222719 GH Action: rename new migration file timestamp	2024-06-12 16:06:03 -04:00
github-actions	6c86db7d4e	chore: renamed new migration files to latest timestamp (gh-action)	2024-06-12 20:05:18 +00:00
Maidul Islam	d48e7eca2d	Merge pull request #1906 from Infisical/feat/add-version-limits feat: add limit to the number of retained snapshots and versions	2024-06-12 16:04:55 -04:00
Maidul Islam	30f3dac35f	rephrase input and filer for resvered folder	2024-06-12 15:56:47 -04:00
Sheen Capadngan	0e5f0eefc1	misc: added rounded design to loading entries	2024-06-13 02:56:48 +08:00
Sheen Capadngan	2a005d2654	misc: added rounding to list view	2024-06-13 02:40:08 +08:00
Daniel Hougaard	42425d91d5	Merge pull request #1962 from Infisical/daniel/go-sdk-improvements Fix: Go SDK Docs typos	2024-06-12 19:44:11 +02:00
Daniel Hougaard	a0770baff2	Update go.mdx	2024-06-12 19:40:58 +02:00
Sheen Capadngan	f101366bce	fix: resolved double border conflict	2024-06-13 01:35:17 +08:00
Vladyslav Matsiiako	76c468ecc7	style updates	2024-06-12 10:12:51 -07:00
Sheen Capadngan	dcf315a524	misc: addressed ui comments	2024-06-13 00:09:35 +08:00
Sheen Capadngan	f8a4b6365c	Merge pull request #1961 from Infisical/misc/resolved-goreleaser-hardcode misc: resolved goreleaser hardcoded version	2024-06-12 22:02:41 +08:00
Sheen Capadngan	e27d273e8f	misc: resolved goreleaser hardcoded version	2024-06-12 22:00:14 +08:00
Maidul Islam	30dc2d0fcb	Merge pull request #1960 from Infisical/misc/hardcoded-goreleaser-version-for-cli misc: hardcoded goreleaser version	2024-06-12 09:57:37 -04:00
Sheen Capadngan	12e217d200	misc: hardcoded goreleaser version	2024-06-12 21:54:35 +08:00
Maidul Islam	a3a1c9d2e5	Merge pull request #1959 from Infisical/fix/resolved-cli-release-action fix: resolved secret name mismatch for cli release action	2024-06-12 08:52:58 -04:00
Sheen Capadngan	0f266ebe9e	fix: resolved secret name mismatch for cli release action	2024-06-12 20:45:57 +08:00
Maidul Islam	506e0b1342	Merge pull request #1953 from akhilmhdh/main Trailing slash in secret approval policy and overview bug	2024-06-12 08:43:08 -04:00
Sheen Capadngan	579948ea6d	feat: added projects list view	2024-06-12 20:18:39 +08:00
Akhil Mohan	958ad8236a	Merge pull request #1932 from minuchi/fix/typo-in-gh-actions fix: remove extraneous 'r' causing script error in github actions	2024-06-12 16:04:45 +05:30
ShubhamPalriwala	e6ed1231cd	feat: custom rate limit for self hosters	2024-06-12 10:24:36 +05:30
Daniel Hougaard	b06b8294e9	Merge pull request #1946 from Infisical/daniel/fix-username-unique-bug Fix: Email confirmation during SAML login failing (edge-case)	2024-06-12 04:39:32 +02:00
Tuan Dang	cb9dabe03f	Delete unaccepted users upon merge user op	2024-06-11 18:41:35 -07:00
Daniel Hougaard	9197530b43	Docs	2024-06-12 02:37:09 +02:00
Daniel Hougaard	1eae7d0c30	Feat: Full auth method support	2024-06-12 02:12:54 +02:00
Daniel Hougaard	cc8119766a	Feat: Implementation of Go SDK	2024-06-12 02:10:56 +02:00
Daniel Hougaard	928d5a5240	Delete machine-identity-token.go	2024-06-12 02:10:37 +02:00
Daniel Hougaard	32dd478894	Fix: Local ETag computation	2024-06-12 02:10:35 +02:00
Daniel Hougaard	c3f7c1d46b	Install Infisical Go SDK	2024-06-12 02:10:26 +02:00
Daniel Hougaard	89644703a0	Update sample.yaml	2024-06-12 02:10:11 +02:00
Daniel Hougaard	d20b897f28	Update secrets.infisical.com_infisicalsecrets.yaml	2024-06-12 02:01:03 +02:00
Daniel Hougaard	70e022826e	Update zz_generated.deepcopy.go	2024-06-12 02:00:59 +02:00
Daniel Hougaard	b7f5fa2cec	Types	2024-06-12 01:58:45 +02:00
Daniel Hougaard	7b444e91a8	Helm	2024-06-12 01:58:35 +02:00
Daniel Hougaard	7626dbb96e	Fix: Permission error page displayed after user sign up if organization enforces SAML auth	2024-06-12 00:55:33 +02:00
Daniel Hougaard	869be3c273	Improvements	2024-06-12 00:28:11 +02:00
=	9a2355fe63	feat: removed trailing slash from secret input and fixed overview not showing nested imported secrets	2024-06-12 00:17:42 +05:30
=	3929a82099	feat: resolved approval failing for trailing slash	2024-06-12 00:16:27 +05:30
BlackMagiq	40e5c6ef66	Merge pull request #1945 from Infisical/daniel/scim-fix Fix: SCIM Groups find by filter	2024-06-11 10:42:24 -07:00
Maidul Islam	6c95e75d0d	Merge pull request #1952 from akhilmhdh/feat/fix-signup fix: resolved signup failing in cloud	2024-06-11 11:36:53 -04:00
=	d6c9e6db75	fix: resolved signup failing in cloud	2024-06-11 21:03:06 +05:30
Akhil Mohan	76f87a7708	Merge pull request #1951 from akhilmhdh/fix/password-state-stuck fix: stuck on password step resolved	2024-06-11 20:09:51 +05:30
Sheen Capadngan	366f03080d	Merge pull request #1757 from Infisical/fix/resolved-cli-offline-mode-get fix: resolved cli offline mode get	2024-06-11 22:32:59 +08:00
Sheen Capadngan	dfdd8e95f9	misc: renamed connection check method	2024-06-11 22:14:19 +08:00
Sheen Capadngan	87df5a2749	misc: addressed PR comments	2024-06-11 21:54:14 +08:00
=	c4797ea060	fix: stuck on password step resolved	2024-06-11 19:09:12 +05:30
Sheen Capadngan	6e011a0b52	Merge pull request #1950 from Infisical/fix/resolved-import-override-display-1 feat: handled import override in the API layer	2024-06-11 17:41:43 +08:00
Sheen Capadngan	05ed00834a	misc: used set	2024-06-11 17:14:24 +08:00
Sheen Capadngan	38b0edf510	fix: addressed lint issue	2024-06-11 17:07:24 +08:00
Sheen Capadngan	56b9506b39	fix: type fix	2024-06-11 16:48:16 +08:00
Sheen Capadngan	ae34e015db	fix: added missing required property	2024-06-11 16:43:51 +08:00
Sheen Capadngan	7c42768cd8	feat: handled import overwrite in the API layer	2024-06-11 16:27:12 +08:00
Sheen Capadngan	b4a9e0e62d	Merge pull request #1948 from Infisical/fix/resolved-import-override-display fix: resolved import override behavior	2024-06-11 15:55:19 +08:00
BlackMagiq	30606093f4	Merge pull request #1949 from Infisical/streamline-smtp Update SMTP configuration	2024-06-11 00:32:50 -07:00
Tuan Dang	16862a3b33	Fix lint issue	2024-06-11 00:01:58 -07:00
Tuan Dang	e800a455c4	Update SMTP config	2024-06-10 23:45:40 -07:00
Maidul Islam	bfc82105bd	Merge pull request #1947 from Infisical/patch-multi-line-encoding Patch multi line encoding when expandSecretRef is enabled	2024-06-11 00:55:31 -04:00
Maidul Islam	00fd44b33a	fix type issues	2024-06-11 00:34:54 -04:00
Maidul Islam	e2550d70b5	make skipMultilineEncoding null\|undefined\|bool	2024-06-11 00:28:55 -04:00
Maidul Islam	163d33509b	Patch multi line encoding when expandSecretRef is enabled By default when you create a secret, it will have multi line encoding off but we actually treat this as true in the backend and UI. User’s aren’t expecting their multi line secrets to be double quoted by and made into a single line with/n, however we are doing it by default at the moment. This PR makes multi line encoding opt in and not opt out	2024-06-10 23:42:07 -04:00
Daniel Hougaard	985116c6f2	Update user-service.ts	2024-06-11 04:04:42 +02:00
Daniel Hougaard	8bc9a5efcd	Fix: SCIM Groups find by filter	2024-06-11 00:00:16 +02:00
Sheen Capadngan	cf9169ad6f	test: resolved test issues	2024-06-11 03:37:51 +08:00
Sheen Capadngan	69b76aea64	misc: added secrets folder path to backup scoping	2024-06-11 01:45:34 +08:00
Sheen Capadngan	c9a95023be	Revert "adjustment: moved backup logic to cmd layer" This reverts commit `8fc4fd64f8`.	2024-06-11 01:03:26 +08:00
Sheen Capadngan	9db5be1c91	Revert "adjustment: moved secret backup logic to cmd layer" This reverts commit `920b9a7dfa`.	2024-06-11 00:58:36 +08:00
Sheen Capadngan	a1b41ca454	Revert "feature: added offline support for infisical export" This reverts commit `88a4fb84e6`.	2024-06-11 00:52:59 +08:00
Sheen Capadngan	6c252b4bfb	misc: revert backup flow modification for run.go	2024-06-11 00:49:57 +08:00
Sheen Capadngan	e696bff004	misc: optimized prune orphan snapshots	2024-06-10 21:08:14 +08:00
Sheen Capadngan	d9c4c332ea	feat: added handling of versioned folders and cleanup script	2024-06-10 20:40:19 +08:00
Sheen Capadngan	120e482c6f	Merge remote-tracking branch 'origin/main' into fix/resolved-cli-offline-mode-get	2024-06-10 14:15:18 +08:00
minuchi	4c0e04528e	fix: remove extraneous 'r' causing script error in github actions	2024-06-09 02:21:57 +09:00
Sheen Capadngan	7fe7056af4	Merge remote-tracking branch 'origin/main' into feat/add-version-limits	2024-06-08 01:37:14 +08:00
Sheen Capadngan	ee152f2d20	misc: added cleanup frequency note for pit versions	2024-06-04 23:50:10 +08:00
Sheen Capadngan	f21a13f388	adjustment: removed artificial limiting of pit versions	2024-06-04 23:46:02 +08:00
Sheen Capadngan	68a30f4212	misc: removed transactional	2024-06-03 22:06:32 +08:00
Sheen Capadngan	4d830f1d1a	misc: added outer try catch block	2024-06-03 17:58:39 +08:00
Sheen Capadngan	cd6caab508	misc: migrated to using keyset pagnination	2024-06-03 17:56:00 +08:00
Sheen Capadngan	ab093dfc85	misc: simplified delete query for secret folder version	2024-06-03 12:49:40 +08:00
Sheen Capadngan	b8e9417466	misc: modified pruning sql logic	2024-06-01 03:26:35 +08:00
Sheen Capadngan	4eb08c64d4	misc: updated error message	2024-06-01 01:07:25 +08:00
Sheen Capadngan	d76760fa9c	misc: updated schema	2024-05-31 23:42:49 +08:00
Sheen Capadngan	4d8f94a9dc	feat: added version prune to daily resource queue	2024-05-31 23:25:56 +08:00
Sheen Capadngan	abd8d6aa8a	feat: added support for version limit update	2024-05-31 23:18:02 +08:00
Sheen Capadngan	9117067ab5	feat: finalized pruning logic	2024-05-31 21:38:16 +08:00
Sheen Capadngan	3a1168c7e8	feat: added initial version pruning and result limiting	2024-05-31 19:12:55 +08:00
Sheen Capadngan	88a4fb84e6	feature: added offline support for infisical export	2024-05-02 03:21:20 +08:00
Sheen Capadngan	a1e8f45a86	misc: added new cli secrets to release build gh action	2024-05-02 01:35:19 +08:00
Sheen Capadngan	04dca9432d	misc: updated test comment	2024-05-02 01:09:12 +08:00
Sheen Capadngan	920b9a7dfa	adjustment: moved secret backup logic to cmd layer	2024-05-02 00:59:17 +08:00
Sheen Capadngan	8fc4fd64f8	adjustment: moved backup logic to cmd layer	2024-05-02 00:49:29 +08:00
Sheen Capadngan	24f7ecc548	misc: removed infisical init logs	2024-05-01 21:41:07 +08:00
Sheen Capadngan	a5ca96f2df	test: restructed setup and added scripting for infisical init	2024-05-01 21:39:20 +08:00
Sheen Capadngan	505ccdf8ea	misc: added script for cli-tests env setup	2024-05-01 21:37:18 +08:00
Sheen Capadngan	3897bd70fa	adjustment: removed cli display for pty	2024-05-01 11:08:58 +08:00
Sheen Capadngan	4479e626c7	adjustment: renamed cli vault file phrase env	2024-05-01 01:56:10 +08:00
Sheen Capadngan	6640b55504	misc: added envs required for cli test of infisical login	2024-05-01 01:49:06 +08:00
Sheen Capadngan	85f024c814	test: added scripting for user login	2024-05-01 01:45:24 +08:00
Sheen Capadngan	531fa634a2	feature: add logs for cli execution error	2024-04-30 22:02:22 +08:00
Sheen Capadngan	772dd464f5	test: added integration test for secrets get all and secrets get all without connection	2024-04-30 21:11:29 +08:00
Sheen Capadngan	877b9a409e	adjustment: modified isConnected check to query linked infisical URL	2024-04-30 21:00:34 +08:00
Sheen Capadngan	104a91647c	fix: resolved cli offline mode get	2024-04-29 21:18:13 +08:00
				`@@ -0,0 +1 @@`
				`export { PointInTimeVersionLimitSection } from "./PointInTimeVersionLimitSection";`