Minor UX update to identities

Resolve PR review items, moved identity auth logic into separate controller, etc.
Restructure MIs to more generic Identity
2025-03-24 00:15:26 +00:00 · 2023-12-10 22:35:12 +07:00 · 2023-12-10 14:15:25 +07:00 · 2023-12-09 22:18:38 +07:00 · 2023-12-06 20:45:07 -05:00 · 2023-12-06 20:35:26 -05:00
154 changed files with 6741 additions and 3065 deletions
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -3,15 +3,22 @@ import jwt from "jsonwebtoken";
 import * as bigintConversion from "bigint-conversion";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require("jsrp");
-import { LoginSRPDetail, TokenVersion, User } from "../../models";
+import { 
+  LoginSRPDetail,
+  TokenVersion,
+  User
+} from "../../models";
 import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
 import { AuthTokenType } from "../../variables";
-import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import { 
+  BadRequestError, 
+  UnauthorizedRequestError
+} from "../../utils/errors";
 import {
  getAuthSecret,
  getHttpsEnabled,
-  getJwtAuthLifetime
+  getJwtAuthLifetime,
 } from "../../config";
 import { ActorType } from "../../ee/models";
 import { validateRequest } from "../../helpers/validation";
@ -25,10 +32,11 @@ declare module "jsonwebtoken" {
    userId: string;
    refreshVersion?: number;
  }
-  export interface ServiceRefreshTokenJwtPayload extends jwt.JwtPayload {
-    serviceTokenDataId: string;
+  export interface IdentityAccessTokenJwtPayload extends jwt.JwtPayload {
+    _id: string;
+    clientSecretId: string;
+    identityAccessTokenId: string;
    authTokenType: string;
-    tokenVersion: number;
  }
 }

@ -266,4 +274,4 @@ export const getNewToken = async (req: Request, res: Response) => {

 export const handleAuthProviderCallback = (req: Request, res: Response) => {
  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
-};
+};
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
@ -1,4 +1,5 @@
 import * as authController from "./authController";
+import * as universalAuthController from "./universalAuthController";
 import * as botController from "./botController";
 import * as integrationAuthController from "./integrationAuthController";
 import * as integrationController from "./integrationController";
@ -20,6 +21,7 @@ import * as adminController from "./adminController";

 export {
  authController,
+  universalAuthController,
  botController,
  integrationAuthController,
  integrationController,
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -4,9 +4,9 @@ import { IUser, Key, Membership, MembershipOrg, User, Workspace } from "../../mo
 import { EventType, Role } from "../../ee/models";
 import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
 import { sendMail } from "../../helpers/nodemailer";
-import { ACCEPTED, ADMIN, CUSTOM, MEMBER, VIEWER } from "../../variables";
+import { ACCEPTED, ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../../variables";
 import { getSiteURL } from "../../config";
-import { EEAuditLogService } from "../../ee/services";
+import { EEAuditLogService, EELicenseService } from "../../ee/services";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/membership";
 import {
@ -129,7 +129,7 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
    ProjectPermissionSub.Member
  );

-  const isCustomRole = ![ADMIN, MEMBER, VIEWER].includes(role);
+  const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
  if (isCustomRole) {
    const wsRole = await Role.findOne({
      slug: role,
@ -137,6 +137,13 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
      workspace: membershipToChangeRole.workspace
    });
    if (!wsRole) throw BadRequestError({ message: "Role not found" });
+
+    const plan = await EELicenseService.getPlan(wsRole.organization);
+
+    if (!plan.rbac) return res.status(400).send({
+      message: "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."
+    });
+
    const membership = await Membership.findByIdAndUpdate(membershipId, {
      role: CUSTOM,
      customRole: wsRole
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -21,7 +21,7 @@ import { validateRequest } from "../../helpers/validation";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -44,11 +44,12 @@ export const deleteMembershipOrg = async (req: Request, _res: Response) => {
  if (!membershipOrgToDelete) {
    throw new Error("Failed to delete organization membership that doesn't exist");
  }
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: membershipOrgToDelete.organization
+  });

-  const { permission, membership: membershipOrg } = await getUserOrgPermissions(
-    req.user._id,
-    membershipOrgToDelete.organization.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Member
@ -60,7 +61,7 @@ export const deleteMembershipOrg = async (req: Request, _res: Response) => {
  });

  await updateSubscriptionOrgQuantity({
-    organizationId: membershipOrg.organization.toString()
+    organizationId: membershipOrgToDelete.organization.toString()
  });

  return membershipOrgToDelete;
@ -96,7 +97,11 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
    body: { inviteeEmail, organizationId }
  } = await validateRequest(reqValidator.InviteUserToOrgv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Member
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -1,4 +1,5 @@
 import { Request, Response } from "express";
+import { Types } from "mongoose";
 import {
  IncidentContactOrg,
  Membership,
@ -14,7 +15,7 @@ import { ACCEPTED } from "../../variables";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { OrganizationNotFoundError } from "../../utils/errors";
 import { ForbiddenError } from "@casl/ability";
@ -44,7 +45,10 @@ export const getOrganization = async (req: Request, res: Response) => {
  } = await validateRequest(reqValidator.GetOrgv1, req);

  // ensure user has membership
-  await getUserOrgPermissions(req.user._id, organizationId);
+  await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  })

  const organization = await Organization.findById(organizationId);
  if (!organization) {
@ -68,8 +72,12 @@ export const getOrganizationMembers = async (req: Request, res: Response) => {
  const {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgMembersv1, req);
-
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Member
@ -95,7 +103,10 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgWorkspacesv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  })
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Workspace
@ -137,7 +148,10 @@ export const changeOrganizationName = async (req: Request, res: Response) => {
    body: { name }
  } = await validateRequest(reqValidator.ChangeOrgNamev1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Settings
@ -172,7 +186,10 @@ export const getOrganizationIncidentContacts = async (req: Request, res: Respons
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgIncidentContactv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.IncidentAccount
@ -199,7 +216,10 @@ export const addOrganizationIncidentContact = async (req: Request, res: Response
    body: { email }
  } = await validateRequest(reqValidator.CreateOrgIncideContact, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.IncidentAccount
@ -228,7 +248,10 @@ export const deleteOrganizationIncidentContact = async (req: Request, res: Respo
    body: { email }
  } = await validateRequest(reqValidator.DelOrgIncideContact, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.IncidentAccount
@ -257,7 +280,10 @@ export const createOrganizationPortalSession = async (req: Request, res: Respons
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanBillingInfov1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Billing
@ -321,7 +347,10 @@ export const getOrganizationMembersAndTheirWorkspaces = async (req: Request, res
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgMembersv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Member
--- a/backend/src/controllers/v1/secretScanningController.ts
+++ b/backend/src/controllers/v1/secretScanningController.ts
@ -21,7 +21,7 @@ import * as reqValidator from "../../validation/secretScanning";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -37,8 +37,11 @@ export const createInstallationSession = async (req: Request, res: Response) =>
      message: "Failed to find organization"
    });
  }
-
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.SecretScanning
@ -70,11 +73,12 @@ export const linkInstallationToOrganization = async (req: Request, res: Response
  if (!installationSession) {
    throw UnauthorizedRequestError();
  }
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: installationSession.organization
+  });

-  const { permission } = await getUserOrgPermissions(
-    req.user._id,
-    installationSession.organization.toString()
-  );
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.SecretScanning
@ -142,7 +146,10 @@ export const getRisksForOrganization = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgRisksv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.SecretScanning
@ -162,7 +169,10 @@ export const updateRisksStatus = async (req: Request, res: Response) => {
    body: { status }
  } = await validateRequest(reqValidator.UpdateRiskStatusv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.SecretScanning
--- a/backend/src/controllers/v1/universalAuthController.ts
+++ b/backend/src/controllers/v1/universalAuthController.ts
@ -0,0 +1,791 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
+import { 
+  IIdentity, 
+  IIdentityTrustedIp, 
+  IIdentityUniversalAuthClientSecret,
+  Identity,
+  IdentityAccessToken,
+  IdentityAuthMethod,
+  IdentityMembershipOrg,
+  IdentityUniversalAuth,
+  IdentityUniversalAuthClientSecret,
+} from "../../models";
+import { createToken } from "../../helpers/auth";
+import { AuthTokenType } from "../../variables";
+import { 
+  BadRequestError, 
+  ForbiddenRequestError, 
+  ResourceNotFoundError,
+  UnauthorizedRequestError
+} from "../../utils/errors";
+import {
+  getAuthSecret,
+  getSaltRounds
+} from "../../config";
+import { ActorType, EventType, IRole } from "../../ee/models";
+import { validateRequest } from "../../helpers/validation";
+import * as reqValidator from "../../validation/auth";
+import { checkIPAgainstBlocklist, extractIPDetails, isValidIpOrCidr } from "../../utils/ip";
+import { getUserAgentType } from "../../utils/posthog";
+import { EEAuditLogService, EELicenseService } from "../../ee/services";
+import { 
+  OrgPermissionActions, 
+  OrgPermissionSubjects, 
+  getAuthDataOrgPermissions, 
+  getOrgRolePermissions, 
+  isAtLeastAsPrivilegedOrg 
+} from "../../ee/services/RoleService";
+import { ForbiddenError } from "@casl/ability";
+
+const packageUniversalAuthClientSecretData = (identityUniversalAuthClientSecret: IIdentityUniversalAuthClientSecret) => ({
+    _id: identityUniversalAuthClientSecret._id,
+    identityUniversalAuth: identityUniversalAuthClientSecret.identityUniversalAuth,
+    isClientSecretRevoked: identityUniversalAuthClientSecret.isClientSecretRevoked,
+    description: identityUniversalAuthClientSecret.description,
+    clientSecretPrefix: identityUniversalAuthClientSecret.clientSecretPrefix,
+    clientSecretNumUses: identityUniversalAuthClientSecret.clientSecretNumUses,
+    clientSecretNumUsesLimit: identityUniversalAuthClientSecret.clientSecretNumUsesLimit,
+    clientSecretTTL: identityUniversalAuthClientSecret.clientSecretTTL,
+    createdAt: identityUniversalAuthClientSecret.createdAt,
+    updatedAt: identityUniversalAuthClientSecret.updatedAt
+});
+  
+/**
+ * Renews an access token by its TTL
+ * @param req 
+ * @param res 
+ */
+export const renewAccessToken = async (req: Request, res: Response) => {
+    const {
+        body: {
+            accessToken
+        }
+    } = await validateRequest(reqValidator.RenewAccessTokenV1, req);
+
+    const decodedToken = <jwt.IdentityAccessTokenJwtPayload>(
+        jwt.verify(accessToken, await getAuthSecret())
+    );
+
+    if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) throw UnauthorizedRequestError();
+
+    const identityAccessToken = await IdentityAccessToken.findOne({
+        _id: decodedToken.identityAccessTokenId,
+        isAccessTokenRevoked: false
+    });
+
+    if (!identityAccessToken) throw UnauthorizedRequestError();
+
+    const {
+        accessTokenTTL,
+        accessTokenLastRenewedAt,
+        accessTokenMaxTTL,
+        createdAt: accessTokenCreatedAt
+    } = identityAccessToken;
+
+    if (accessTokenTTL === accessTokenMaxTTL) throw UnauthorizedRequestError({
+        message: "Failed to renew non-renewable access token"
+    });
+
+    // ttl check
+    if (accessTokenTTL > 0) {
+        const currentDate = new Date();
+        if (accessTokenLastRenewedAt) {
+            // access token has been renewed
+            const accessTokenRenewed = new Date(accessTokenLastRenewedAt);
+            const ttlInMilliseconds = accessTokenTTL * 1000;
+            const expirationDate = new Date(accessTokenRenewed.getTime() + ttlInMilliseconds);
+
+            if (currentDate > expirationDate) throw UnauthorizedRequestError({
+                message: "Failed to renew MI access token due to TTL expiration"
+            });
+        } else {
+            // access token has never been renewed
+            const accessTokenCreated = new Date(accessTokenCreatedAt);
+            const ttlInMilliseconds = accessTokenTTL * 1000;
+            const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
+
+            if (currentDate > expirationDate) throw UnauthorizedRequestError({
+                message: "Failed to renew MI access token due to TTL expiration"
+            });
+        }
+    }
+
+    // max ttl checks
+    if (accessTokenMaxTTL > 0) {
+        const accessTokenCreated = new Date(accessTokenCreatedAt);
+        const ttlInMilliseconds = accessTokenMaxTTL * 1000;
+        const currentDate = new Date();
+        const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
+
+        if (currentDate > expirationDate) throw UnauthorizedRequestError({
+            message: "Failed to renew MI access token due to Max TTL expiration"
+        });
+
+        const extendToDate = new Date(currentDate.getTime() + accessTokenTTL);
+        if (extendToDate > expirationDate) throw UnauthorizedRequestError({
+            message: "Failed to renew MI access token past its Max TTL expiration"
+        });
+    }
+
+    await IdentityAccessToken.findByIdAndUpdate(
+        identityAccessToken._id,
+        {
+            accessTokenLastRenewedAt: new Date()
+        }
+    );
+
+    return res.status(200).send({
+        accessToken,
+        expiresIn: identityAccessToken.accessTokenTTL,
+        tokenType: "Bearer"
+    });
+}
+
+/**
+ * Return access token for identity with client id [clientId]
+ * and client secret [clientSecret]
+ * @param req 
+ * @param res 
+ */
+export const loginIdentityUniversalAuth = async (req: Request, res: Response) => {
+    const {
+        body: {
+            clientId,
+            clientSecret
+        }
+    } = await validateRequest(reqValidator.LoginUniversalAuthV1, req);
+
+    const identityUniversalAuth = await IdentityUniversalAuth.findOne({
+        clientId
+    }).populate<{ identity: IIdentity }>("identity");
+    
+    if (!identityUniversalAuth) throw UnauthorizedRequestError();
+
+    checkIPAgainstBlocklist({
+        ipAddress: req.realIP,
+        trustedIps: identityUniversalAuth.clientSecretTrustedIps
+    });
+
+    const clientSecretData = await IdentityUniversalAuthClientSecret.find({
+        identity: identityUniversalAuth.identity,
+        isClientSecretRevoked: false
+    });
+
+    let validatedClientSecretDatum: IIdentityUniversalAuthClientSecret | undefined;
+
+    for (const clientSecretDatum of clientSecretData) {
+        const isSecretValid = await bcrypt.compare(
+            clientSecret,
+            clientSecretDatum.clientSecretHash
+        );
+
+        if (isSecretValid) {
+            validatedClientSecretDatum = clientSecretDatum;
+            break;
+        }
+    }
+
+    if (!validatedClientSecretDatum) throw UnauthorizedRequestError();
+
+    const {
+        clientSecretTTL,
+        clientSecretNumUses,
+        clientSecretNumUsesLimit,
+    } = validatedClientSecretDatum;
+
+    if (clientSecretTTL > 0) {
+        const clientSecretCreated = new Date(validatedClientSecretDatum.createdAt)
+        const ttlInMilliseconds = clientSecretTTL * 1000;
+        const currentDate = new Date();
+        const expirationTime = new Date(clientSecretCreated.getTime() + ttlInMilliseconds);
+
+        if (currentDate > expirationTime) {
+            await IdentityUniversalAuthClientSecret.findByIdAndUpdate(
+                validatedClientSecretDatum._id,
+                {
+                    isClientSecretRevoked: true
+                }
+            );
+
+            throw UnauthorizedRequestError({
+                message: "Failed to authenticate identity credentials due to expired client secret"
+            });
+        }
+    }
+
+    if (clientSecretNumUsesLimit > 0 && clientSecretNumUses === clientSecretNumUsesLimit) {
+        // number of times client secret can be used for 
+        // a login operation reached
+        await IdentityUniversalAuthClientSecret.findByIdAndUpdate(
+            validatedClientSecretDatum._id,
+            {
+                isClientSecretRevoked: true
+            },
+            {
+                new: true
+            }
+        );
+
+        throw UnauthorizedRequestError({
+            message: "Failed to authenticate identity credentials due to client secret number of uses limit reached"
+        });
+    }
+
+    // increment usage count by 1
+    await IdentityUniversalAuthClientSecret
+    .findByIdAndUpdate(
+        validatedClientSecretDatum._id,
+        {
+            clientSecretLastUsedAt: new Date(),
+            $inc: { clientSecretNumUses: 1 }
+        },
+        {
+            new: true
+        }
+    );
+
+    const identityAccessToken = await new IdentityAccessToken({
+        identity: identityUniversalAuth.identity,
+        identityUniversalAuthClientSecret: validatedClientSecretDatum._id,
+        accessTokenNumUses: 0,
+        accessTokenNumUsesLimit: identityUniversalAuth.accessTokenNumUsesLimit,
+        accessTokenTTL: identityUniversalAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityUniversalAuth.accessTokenMaxTTL,
+        accessTokenTrustedIps: identityUniversalAuth.accessTokenTrustedIps,
+        isAccessTokenRevoked: false
+    }).save();
+
+    // token version
+    const accessToken = createToken({
+        payload: {
+            identityId: identityUniversalAuth.identity.toString(),
+            clientSecretId: validatedClientSecretDatum._id.toString(),
+            identityAccessTokenId: identityAccessToken._id.toString(),
+            authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+        },
+        secret: await getAuthSecret()
+    });
+
+    const userAgent = req.headers["user-agent"] ?? "";
+
+    await EEAuditLogService.createAuditLog(
+        {
+            actor: {
+                type: ActorType.IDENTITY,
+                metadata: {
+                    identityId: identityUniversalAuth.identity._id.toString(),
+                    name: identityUniversalAuth.identity.name
+                }
+            },
+            authPayload: identityUniversalAuth.identity,
+            ipAddress: req.realIP,
+            userAgent,
+            userAgentType: getUserAgentType(userAgent)
+        },
+        {
+            type: EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH,
+            metadata: {
+                identityId: identityUniversalAuth.identity._id.toString(),
+                identityUniversalAuthId: identityUniversalAuth._id.toString(),
+                clientSecretId: validatedClientSecretDatum._id.toString(),
+                identityAccessTokenId: identityAccessToken._id.toString()
+            }
+        }
+    );
+
+    return res.status(200).send({
+        accessToken,
+        expiresIn: identityUniversalAuth.accessTokenTTL,
+        tokenType: "Bearer"
+    });
+}
+
+export const addIdentityUniversalAuth = async (req: Request, res: Response) => {
+    const {
+        params: { identityId },
+        body: {
+            clientSecretTrustedIps,
+            accessTokenTTL,
+            accessTokenMaxTTL,
+            accessTokenNumUsesLimit,
+            accessTokenTrustedIps,
+        }
+    } = await validateRequest(reqValidator.AddUniversalAuthToIdentityV1, req);
+
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+    
+    if (identityMembershipOrg.identity?.authMethod) throw BadRequestError({
+        message: "Failed to add universal auth to already-configured identity"
+    });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+        throw BadRequestError({ message: "Access token TTL cannot be greater than max TTL" })
+    }
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Create,
+        OrgPermissionSubjects.Identity
+    );
+
+    const plan = await EELicenseService.getPlan(identityMembershipOrg.organization);
+
+    // validate trusted ips
+    const reformattedClientSecretTrustedIps = clientSecretTrustedIps.map((clientSecretTrustedIp) => {
+        if (!plan.ipAllowlisting && clientSecretTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+            message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
+        });
+
+        const isValidIPOrCidr = isValidIpOrCidr(clientSecretTrustedIp.ipAddress);
+
+        if (!isValidIPOrCidr) return res.status(400).send({
+            message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+
+        return extractIPDetails(clientSecretTrustedIp.ipAddress);
+    });
+
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+        if (!plan.ipAllowlisting && accessTokenTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+            message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
+        });
+
+        const isValidIPOrCidr = isValidIpOrCidr(accessTokenTrustedIp.ipAddress);
+
+        if (!isValidIPOrCidr) return res.status(400).send({
+            message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+
+        return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+    
+    const identityUniversalAuth = await new IdentityUniversalAuth({
+        identity: identityMembershipOrg.identity._id,
+        clientId: crypto.randomUUID(),
+        clientSecretTrustedIps: reformattedClientSecretTrustedIps,
+        accessTokenTTL,
+        accessTokenMaxTTL,
+        accessTokenNumUsesLimit,
+        accessTokenTrustedIps: reformattedAccessTokenTrustedIps,
+    }).save();
+    
+    await Identity.findByIdAndUpdate(
+        identityMembershipOrg.identity._id,
+        {
+            authMethod: IdentityAuthMethod.UNIVERSAL_AUTH
+        }
+    );
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.ADD_IDENTITY_UNIVERSAL_AUTH,
+            metadata: {
+                identityId: identityMembershipOrg.identity._id.toString(),
+                clientSecretTrustedIps: reformattedClientSecretTrustedIps as Array<IIdentityTrustedIp>,
+                accessTokenTTL,
+                accessTokenMaxTTL,
+                accessTokenNumUsesLimit,
+                accessTokenTrustedIps: reformattedAccessTokenTrustedIps as Array<IIdentityTrustedIp>
+            }
+        }
+    );
+
+    return res.status(200).send({
+        identityUniversalAuth
+    });
+}
+
+export const updateIdentityUniversalAuth = async (req: Request, res: Response) => {
+    const {
+        params: { identityId },
+        body: {
+            clientSecretTrustedIps,
+            accessTokenTTL, // TODO: validate this and max TTL
+            accessTokenMaxTTL,
+            accessTokenNumUsesLimit,
+            accessTokenTrustedIps,
+        }
+    } = await validateRequest(reqValidator.UpdateUniversalAuthToIdentityV1, req);
+
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+    
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.UNIVERSAL_AUTH) throw BadRequestError({
+        message: "Failed to add universal auth to already-configured identity"
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Edit,
+        OrgPermissionSubjects.Identity
+    );
+
+    const plan = await EELicenseService.getPlan(identityMembershipOrg.organization);
+
+    // validate trusted ips
+    let reformattedClientSecretTrustedIps;
+    if (clientSecretTrustedIps) {
+        reformattedClientSecretTrustedIps = clientSecretTrustedIps.map((clientSecretTrustedIp) => {
+            if (!plan.ipAllowlisting && clientSecretTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+                message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
+            });
+
+            const isValidIPOrCidr = isValidIpOrCidr(clientSecretTrustedIp.ipAddress);
+
+            if (!isValidIPOrCidr) return res.status(400).send({
+                message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+            });
+
+            return extractIPDetails(clientSecretTrustedIp.ipAddress);
+        });
+    }
+
+    let reformattedAccessTokenTrustedIps;
+    if (accessTokenTrustedIps) {
+        reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+            if (!plan.ipAllowlisting && accessTokenTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+                message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
+            });
+
+            const isValidIPOrCidr = isValidIpOrCidr(accessTokenTrustedIp.ipAddress);
+
+            if (!isValidIPOrCidr) return res.status(400).send({
+                message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+            });
+
+            return extractIPDetails(accessTokenTrustedIp.ipAddress);
+        });
+    }
+    
+    const identityUniversalAuth = await IdentityUniversalAuth.findOneAndUpdate(
+        {
+            identity: identityMembershipOrg.identity._id,
+        },
+        {
+            clientSecretTrustedIps: reformattedClientSecretTrustedIps,
+            accessTokenTTL,
+            accessTokenMaxTTL,
+            accessTokenNumUsesLimit,
+            accessTokenTrustedIps: reformattedAccessTokenTrustedIps,
+        },
+        {
+            new: true
+        }
+    );
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.UPDATE_IDENTITY_UNIVERSAL_AUTH,
+            metadata: {
+                identityId: identityMembershipOrg.identity._id.toString(),
+                clientSecretTrustedIps: reformattedClientSecretTrustedIps as Array<IIdentityTrustedIp>,
+                accessTokenTTL,
+                accessTokenMaxTTL,
+                accessTokenNumUsesLimit,
+                accessTokenTrustedIps: reformattedAccessTokenTrustedIps as Array<IIdentityTrustedIp>
+            }
+        }
+    );
+
+    return res.status(200).send({
+        identityUniversalAuth
+    });
+}
+
+export const getIdentityUniversalAuth = async (req: Request, res: Response) => {
+    const {
+        params: { identityId }
+    } = await validateRequest(reqValidator.GetUniversalAuthForIdentityV1, req);
+    
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Read,
+        OrgPermissionSubjects.Identity
+    );
+
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.UNIVERSAL_AUTH) throw BadRequestError({
+        message: "The identity does not have universal auth configured"
+    });
+    
+    const identityUniversalAuth = await IdentityUniversalAuth.findOne({
+        identity: identityMembershipOrg.identity._id,
+    });
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.GET_IDENTITY_UNIVERSAL_AUTH,
+            metadata: {
+                identityId: identityMembershipOrg.identity._id.toString(),
+            }
+        }
+    );
+
+    return res.status(200).send({
+        identityUniversalAuth
+    });
+}
+
+export const createUniversalAuthClientSecret = async (req: Request, res: Response) => {
+    const {
+        params: { identityId },
+        body: {
+            description,
+            numUsesLimit,
+            ttl
+        }
+    } = await validateRequest(reqValidator.CreateUniversalAuthClientSecretV1, req);
+
+    const identityMembershipOrg = await IdentityMembershipOrg.findOne({
+        identity: new Types.ObjectId(identityId)
+    }).populate<{
+        identity: IIdentity,
+        customRole: IRole
+    }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Create,
+        OrgPermissionSubjects.Identity
+    );
+
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.UNIVERSAL_AUTH) throw BadRequestError({
+        message: "The identity does not have universal auth configured"
+    });
+
+    const rolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to create client secret for more privileged identity"
+    });
+
+    const clientSecret = crypto.randomBytes(32).toString("hex");
+    const clientSecretHash = await bcrypt.hash(clientSecret, await getSaltRounds());
+    
+    const identityUniversalAuth = await IdentityUniversalAuth.findOne({
+        identity: identityMembershipOrg.identity._id
+    });
+    
+    if (!identityUniversalAuth) throw ResourceNotFoundError();
+
+    const identityUniversalAuthClientSecret = await new IdentityUniversalAuthClientSecret({
+        identity: identityMembershipOrg.identity._id,
+        identityUniversalAuth: identityUniversalAuth._id,
+        description,
+        clientSecretPrefix: clientSecret.slice(0, 4),
+        clientSecretHash,
+        clientSecretNumUses: 0,
+        clientSecretNumUsesLimit: numUsesLimit,
+        clientSecretTTL: ttl,
+        isClientSecretRevoked: false
+    }).save();
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET,
+            metadata: {
+                identityId: identityMembershipOrg.identity._id.toString(),
+                clientSecretId: identityUniversalAuthClientSecret._id.toString()
+            }
+        }
+    );
+
+    return res.status(200).send({
+        clientSecret,
+        clientSecretData: packageUniversalAuthClientSecretData(identityUniversalAuthClientSecret)
+    });
+}
+
+export const getUniversalAuthClientSecrets = async (req: Request, res: Response) => {
+    const {
+        params: { identityId }
+    } = await validateRequest(reqValidator.GetUniversalAuthClientSecretsV1, req);
+    
+    const identityMembershipOrg = await IdentityMembershipOrg.findOne({
+        identity: new Types.ObjectId(identityId)
+    }).populate<{
+        identity: IIdentity,
+        customRole: IRole
+    }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError();
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Read,
+        OrgPermissionSubjects.Identity
+    );
+
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.UNIVERSAL_AUTH) throw BadRequestError({
+        message: "The identity does not have universal auth configured"
+    });
+
+    const rolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to get client secrets for more privileged MI"
+    });
+
+    const clientSecretData = await IdentityUniversalAuthClientSecret
+        .find({
+            identity: identityMembershipOrg.identity,
+            isClientSecretRevoked: false
+        })
+        .sort({ createdAt: -1 })
+        .limit(5);
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS,
+            metadata: {
+                identityId: identityMembershipOrg.identity._id.toString()
+            }
+        }
+    );
+
+    return res.status(200).send({
+        clientSecretData: clientSecretData.map((clientSecretDatum) => packageUniversalAuthClientSecretData(clientSecretDatum))
+    });
+}
+
+export const revokeUniversalAuthClientSecret = async (req: Request, res: Response) => {
+    const {
+        params: { identityId, clientSecretId }
+    } = await validateRequest(reqValidator.RevokeUniversalAuthClientSecretV1, req);
+    
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Delete,
+        OrgPermissionSubjects.Identity
+    );
+
+    const rolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to delete client secrets for more privileged identity"
+    });
+
+    const clientSecretData = await IdentityUniversalAuthClientSecret.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(clientSecretId),
+            identity: identityMembershipOrg.identity._id
+        },
+        {
+            isClientSecretRevoked: true
+        },
+        {
+            new: true
+        }
+    );
+
+    if (!clientSecretData) throw ResourceNotFoundError();
+    
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET,
+            metadata: {
+                identityId: identityMembershipOrg.identity._id.toString(),
+                clientSecretId: clientSecretId
+            }
+        }
+    );
+
+    return res.status(200).send({
+        clientSecretData: packageUniversalAuthClientSecretData(clientSecretData)
+    })
+}
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -17,7 +17,7 @@ import { OrganizationNotFoundError } from "../../utils/errors";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";
 import { validateRequest } from "../../helpers/validation";
@ -152,7 +152,10 @@ export const createWorkspace = async (req: Request, res: Response) => {
    });
  }

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Workspace
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -204,20 +204,16 @@ export const login2 = async (req: Request, res: Response) => {
 * @param res
 */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  const {
-    body: { email }
-  } = await validateRequest(reqValidator.SendMfaTokenV2, req);
-
  const code = await TokenService.createToken({
    type: TOKEN_EMAIL_MFA,
-    email
+    email: req.user.email
  });

  // send MFA code [code] to [email]
  await sendMail({
    template: "emailMfa.handlebars",
    subjectLine: "Infisical MFA code",
-    recipients: [email],
+    recipients: [req.user.email],
    substitutions: {
      code
    }
@ -236,17 +232,17 @@ export const sendMfaToken = async (req: Request, res: Response) => {
 */
 export const verifyMfaToken = async (req: Request, res: Response) => {
  const {
-    body: { email, mfaToken }
+    body: { mfaToken }
  } = await validateRequest(reqValidator.VerifyMfaTokenV2, req);

  await TokenService.validateToken({
    type: TOKEN_EMAIL_MFA,
-    email,
+    email: req.user.email,
    token: mfaToken
  });

  const user = await User.findOne({
-    email
+    email: req.user.email
  }).select(
    "+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices"
  );
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -1,6 +1,11 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { Membership, MembershipOrg, Workspace } from "../../models";
+import { 
+  IdentityMembershipOrg,
+  Membership, 
+  MembershipOrg,
+  Workspace
+} from "../../models";
 import { Role } from "../../ee/models";
 import { deleteMembershipOrg } from "../../helpers/membershipOrg";
 import {
@ -9,15 +14,16 @@ import {
  updateSubscriptionOrgQuantity
 } from "../../helpers/organization";
 import { addMembershipsOrg } from "../../helpers/membershipOrg";
-import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import { ACCEPTED, ADMIN, CUSTOM } from "../../variables";
+import { BadRequestError, ResourceNotFoundError, UnauthorizedRequestError } from "../../utils/errors";
+import { ACCEPTED, ADMIN, CUSTOM, MEMBER, NO_ACCESS } from "../../variables";
 import * as reqValidator from "../../validation/organization";
 import { validateRequest } from "../../helpers/validation";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../ee/services/RoleService";
+import { EELicenseService } from "../../ee/services";
 import { ForbiddenError } from "@casl/ability";

 /**
@ -63,7 +69,10 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgMembersv2, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Member
@ -141,16 +150,32 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
    params: { organizationId, membershipId },
    body: { role }
  } = await validateRequest(reqValidator.UpdateOrgMemberv2, req);
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Member
  );

-  const isCustomRole = !["admin", "member"].includes(role);
+  const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
  if (isCustomRole) {
-    const orgRole = await Role.findOne({ slug: role, isOrgRole: true });
+    const orgRole = await Role.findOne({ 
+      slug: role, 
+      isOrgRole: true,
+      organization: new Types.ObjectId(organizationId)
+    });
+
    if (!orgRole) throw BadRequestError({ message: "Role not found" });
+    
+    const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId));
+    
+    if (!plan.rbac) return res.status(400).send({
+      message:
+        "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."
+    });

    const membership = await MembershipOrg.findByIdAndUpdate(membershipId, {
      role: CUSTOM,
@ -227,7 +252,18 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
  const {
    params: { organizationId, membershipId }
  } = await validateRequest(reqValidator.DeleteOrgMemberv2, req);
-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  
+  const membershipOrg = await MembershipOrg.findOne({
+    _id: new Types.ObjectId(membershipId),
+    organization: new Types.ObjectId(organizationId)
+  });
+  
+  if (!membershipOrg) throw ResourceNotFoundError();
+  
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: membershipOrg.organization
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Member
@ -291,7 +327,11 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgWorkspacesv2, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Workspace
@ -377,3 +417,32 @@ export const deleteOrganizationById = async (req: Request, res: Response) => {
    organization
  });
 };
+
+/**
+ * Return list of identity memberships for organization with id [organizationId]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+ export const getOrganizationIdentityMemberships = async (req: Request, res: Response) => {
+  const {
+    params: { organizationId }
+  } = await validateRequest(reqValidator.GetOrgIdentityMembershipsV2, req);
+
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  ForbiddenError.from(permission).throwUnlessCan(
+    OrgPermissionActions.Read,
+    OrgPermissionSubjects.Identity
+  );
+ 
+  const identityMemberships = await IdentityMembershipOrg.find({
+    organization: new Types.ObjectId(organizationId)
+  }).populate("identity customRole");
+  
+  return res.status(200).send({
+    identityMemberships
+  });
+}
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -1,6 +1,15 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { Key, Membership, ServiceTokenData, Workspace } from "../../models";
+import { 
+  IIdentity,
+  IdentityMembership,
+  IdentityMembershipOrg,
+  Key, 
+  Membership,
+  ServiceTokenData,
+  Workspace
+} from "../../models";
+import { IRole, Role } from "../../ee/models";
 import {
  pullSecrets as pull,
  v2PushSecrets as push,
@ -16,9 +25,13 @@ import * as reqValidator from "../../validation";
 import {
  ProjectPermissionActions,
  ProjectPermissionSub,
-  getAuthDataProjectPermissions
+  getAuthDataProjectPermissions,
+  getWorkspaceRolePermissions,
+  isAtLeastAsPrivilegedWorkspace
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
+import { BadRequestError, ForbiddenRequestError, ResourceNotFoundError } from "../../utils/errors";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../../variables";

 interface V2PushSecret {
  type: string; // personal or shared
@ -491,3 +504,254 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
    workspace
  });
 };
+
+/**
+ * Add identity with id [identityId] to workspace
+ * with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+ export const addIdentityToWorkspace = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId, identityId },
+    body: {
+      role
+    }
+  } = await validateRequest(reqValidator.AddIdentityToWorkspaceV2, req);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.Identity
+  );
+
+  let identityMembership = await IdentityMembership.findOne({
+    identity: new Types.ObjectId(identityId),
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  if (identityMembership) throw BadRequestError({
+    message: `Identity with id ${identityId} already exists in project with id ${workspaceId}`
+  });
+
+  
+  const workspace = await Workspace.findById(workspaceId);
+  if (!workspace) throw ResourceNotFoundError();
+
+  const identityMembershipOrg = await IdentityMembershipOrg.findOne({
+    identity: new Types.ObjectId(identityId),
+    organization: workspace.organization
+  });
+
+  if (!identityMembershipOrg) throw ResourceNotFoundError({
+    message: `Failed to find identity with id ${identityId}`
+  });
+  
+  if (!identityMembershipOrg.organization.equals(workspace.organization)) throw BadRequestError({
+    message: "Failed to add identity to project in another organization"
+  });
+
+  const rolePermission = await getWorkspaceRolePermissions(role, workspaceId);
+  const isAsPrivilegedAsIntendedRole = isAtLeastAsPrivilegedWorkspace(permission, rolePermission);
+  
+  if (!isAsPrivilegedAsIntendedRole) throw ForbiddenRequestError({
+      message: "Failed to add identity to project with more privileged role"
+  });
+
+  let customRole;
+  if (role) {
+    const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
+    if (isCustomRole) {
+      customRole = await Role.findOne({
+        slug: role,
+        isOrgRole: false,
+        workspace: new Types.ObjectId(workspaceId)
+      });
+      
+      if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+  }
+  
+  identityMembership = await new IdentityMembership({
+    identity: identityMembershipOrg.identity,
+    workspace: new Types.ObjectId(workspaceId),
+    role: customRole ? CUSTOM : role,
+    customRole
+  }).save();
+  
+  return res.status(200).send({
+    identityMembership
+  });
+}
+
+/**
+ * Update role of identity with id [identityId] in workspace
+ * with id [workspaceId] to [role]
+ * @param req 
+ * @param res 
+ */
+ export const updateIdentityWorkspaceRole = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId, identityId },
+    body: {
+      role
+    }
+  } = await validateRequest(reqValidator.UpdateIdentityWorkspaceRoleV2, req);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.Identity
+  );
+  
+  let identityMembership = await IdentityMembership
+    .findOne({
+      identity: new Types.ObjectId(identityId),
+      workspace: new Types.ObjectId(workspaceId)
+    })
+    .populate<{
+      identity: IIdentity,
+      customRole: IRole
+    }>("identity customRole");
+
+  if (!identityMembership) throw BadRequestError({
+    message: `Identity with id ${identityId} does not exist in project with id ${workspaceId}`
+  });
+  
+  const identityRolePermission = await getWorkspaceRolePermissions(
+    identityMembership?.customRole?.slug ?? identityMembership.role, 
+    identityMembership.workspace.toString()
+  );
+  const isAsPrivilegedAsIdentity = isAtLeastAsPrivilegedWorkspace(permission, identityRolePermission);
+  if (!isAsPrivilegedAsIdentity) throw ForbiddenRequestError({
+      message: "Failed to update role of more privileged identity"
+  });
+
+  const rolePermission = await getWorkspaceRolePermissions(role, workspaceId);
+  const isAsPrivilegedAsIntendedRole = isAtLeastAsPrivilegedWorkspace(permission, rolePermission);
+  
+  if (!isAsPrivilegedAsIntendedRole) throw ForbiddenRequestError({
+      message: "Failed to update identity to a more privileged role"
+  });
+
+  let customRole;
+  if (role) {
+    const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
+    if (isCustomRole) {
+      customRole = await Role.findOne({
+        slug: role,
+        isOrgRole: false,
+        workspace: new Types.ObjectId(workspaceId)
+      });
+      
+      if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+  }
+  
+  identityMembership = await IdentityMembership.findOneAndUpdate(
+    {
+      identity: identityMembership.identity._id,
+      workspace: new Types.ObjectId(workspaceId),
+    },
+    {
+      role: customRole ? CUSTOM : role,
+      customRole
+    },
+    {
+      new: true
+    }
+  );
+
+  return res.status(200).send({
+    identityMembership
+  });
+}
+
+/**
+ * Delete identity with id [identityId] to workspace
+ * with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+ export const deleteIdentityFromWorkspace = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId, identityId }
+  } = await validateRequest(reqValidator.DeleteIdentityFromWorkspaceV2, req);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.Identity
+  );
+  
+  const identityMembership = await IdentityMembership
+    .findOne({
+      identity: new Types.ObjectId(identityId),
+      workspace: new Types.ObjectId(workspaceId)
+    })
+    .populate<{
+      identity: IIdentity,
+      customRole: IRole
+    }>("identity customRole");
+  
+  if (!identityMembership) throw ResourceNotFoundError({
+    message: `Identity with id ${identityId} does not exist in project with id ${workspaceId}`
+  });
+  
+  const identityRolePermission = await getWorkspaceRolePermissions(
+    identityMembership?.customRole?.slug ?? identityMembership.role, 
+    identityMembership.workspace.toString()
+  );
+  const isAsPrivilegedAsIdentity = isAtLeastAsPrivilegedWorkspace(permission, identityRolePermission);
+  if (!isAsPrivilegedAsIdentity) throw ForbiddenRequestError({
+      message: "Failed to remove more privileged identity from project"
+  });
+  
+  await IdentityMembership.findByIdAndDelete(identityMembership._id);
+
+  return res.status(200).send({
+    identityMembership
+  });
+}
+
+/**
+ * Return list of identity memberships for workspace with id [workspaceId]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+ export const getWorkspaceIdentityMemberships = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.GetWorkspaceIdentityMembersV2, req);
+  
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Identity
+  );
+
+  const identityMemberships = await IdentityMembership.find({
+    workspace: new Types.ObjectId(workspaceId)
+  }).populate("identity customRole");
+
+  return res.status(200).send({
+    identityMemberships
+  });
+}
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -94,7 +94,7 @@ const checkSecretsPermission = async ({
      });
      return { authVerifier: () => true };
    }
-    case ActorType.SERVICE_V3: {
+    case ActorType.IDENTITY: {
      const { permission } = await getAuthDataProjectPermissions({
        authData,
        workspaceId: new Types.ObjectId(workspaceId)
--- a/backend/src/controllers/v3/workspacesController.ts
+++ b/backend/src/controllers/v3/workspacesController.ts
@ -1,7 +1,7 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { validateRequest } from "../../helpers/validation";
-import { Membership, Secret, ServiceTokenDataV3, User } from "../../models";
+import { Membership, Secret, User } from "../../models";
 import { SecretService } from "../../services";
 import { getAuthDataProjectPermissions } from "../../ee/services/ProjectRoleService";
 import { UnauthorizedRequestError } from "../../utils/errors";
@ -140,17 +140,3 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
    message: "Successfully named workspace secrets"
  });
 };
-
-export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
-  const {
-    params: { workspaceId }
-  } = await validateRequest(reqValidator.GetWorkspaceServiceTokenDataV3, req);
-  
-  const serviceTokenData = await ServiceTokenDataV3.find({
-    workspace: new Types.ObjectId(workspaceId)
-  }).populate("customRole");
-  
-  return res.status(200).send({
-    serviceTokenData
-  });
-}
--- a/backend/src/ee/controllers/v1/identitiesController.ts
+++ b/backend/src/ee/controllers/v1/identitiesController.ts
@ -0,0 +1,324 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import {
+    IIdentity,
+    Identity,
+    IdentityAccessToken,
+    IdentityMembership,
+    IdentityMembershipOrg,
+    IdentityUniversalAuth,
+    IdentityUniversalAuthClientSecret,
+    Organization
+} from "../../../models";
+import {
+    EventType,
+    IRole,
+    Role
+} from "../../models";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../../validation/identities";
+import {
+    getAuthDataOrgPermissions,
+    getOrgRolePermissions,
+    isAtLeastAsPrivilegedOrg
+} from "../../services/RoleService";
+import {
+    BadRequestError,
+    ForbiddenRequestError,
+    ResourceNotFoundError,
+} from "../../../utils/errors";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS } from "../../../variables";
+import {
+    OrgPermissionActions,
+    OrgPermissionSubjects
+} from "../../services/RoleService";
+import { EEAuditLogService } from "../../services";
+import { ForbiddenError } from "@casl/ability";
+
+/**
+ * Create identity
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createIdentity = async (req: Request, res: Response) => {
+    const {
+        body: {
+            name,
+            organizationId,
+            role
+        }
+    } = await validateRequest(reqValidator.CreateIdentityV1, req);
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Create,
+        OrgPermissionSubjects.Identity
+    );
+
+    const rolePermission = await getOrgRolePermissions(role, organizationId);
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to create a more privileged identity"
+    });
+
+    const organization = await Organization.findById(organizationId);
+    if (!organization) throw BadRequestError({ message: `Organization with id ${organizationId} not found` });
+
+    const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
+
+    let customRole;
+    if (isCustomRole) {
+        customRole = await Role.findOne({
+            slug: role,
+            isOrgRole: true,
+            organization: new Types.ObjectId(organizationId)
+        });
+
+        if (!customRole) throw BadRequestError({ message: "Role not found" });
+    }
+    
+    const identity = await new Identity({
+        name
+    }).save();
+
+    await new IdentityMembershipOrg({
+        identity: identity._id,
+        organization: new Types.ObjectId(organizationId),
+        role: isCustomRole ? CUSTOM : role,
+        customRole
+    }).save();
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.CREATE_IDENTITY,
+            metadata: {
+                identityId: identity._id.toString(),
+                name
+            }
+        },
+        {
+            organizationId: new Types.ObjectId(organizationId)
+        }
+    );
+
+    return res.status(200).send({
+        identity
+    });
+}
+
+/**
+ * Update identity with id [identityId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+ export const updateIdentity = async (req: Request, res: Response) => {
+    const {
+        params: { identityId  },
+        body: {
+            name,
+            role
+        }
+    } = await validateRequest(reqValidator.UpdateIdentityV1, req);
+
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Edit,
+        OrgPermissionSubjects.Identity
+    );
+
+    const identityRolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, identityRolePermission);
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to update more privileged identity"
+    });
+
+    if (role) {
+        const rolePermission = await getOrgRolePermissions(role, identityMembershipOrg.organization.toString());
+        const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, rolePermission);
+
+        if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+            message: "Failed to update identity to a more privileged role"
+        });
+    }
+
+    let customRole;
+    if (role) {
+        const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
+        if (isCustomRole) {
+            customRole = await Role.findOne({
+                slug: role,
+                isOrgRole: true,
+                organization: identityMembershipOrg.organization
+            });
+
+            if (!customRole) throw BadRequestError({ message: "Role not found" });
+        }
+    }
+
+    const identity = await Identity.findByIdAndUpdate(
+        identityId,
+        {
+            name,
+        },
+        {
+            new: true
+        }
+    );
+
+    if (!identity) throw BadRequestError({
+        message: `Failed to update identity with id ${identityId}`
+    });
+
+    await IdentityMembershipOrg.findOneAndUpdate(
+        {
+            identity: identity._id
+        },
+        {
+            role: customRole ? CUSTOM : role,
+            ...(customRole ? {
+                customRole
+            } : {}),
+            ...(role && !customRole ? { // non-custom role
+                $unset: {
+                    customRole: 1
+                }
+            } : {})
+        },
+        {
+            new: true
+        }
+    );
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.UPDATE_IDENTITY,
+            metadata: {
+                identityId: identity._id.toString(),
+                name: identity.name,
+            }
+        },
+        {
+            organizationId: identityMembershipOrg.organization
+        }
+    );
+
+    return res.status(200).send({
+        identity
+    });
+}
+
+/**
+ * Delete identity with id [identityId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+ export const deleteIdentity = async (req: Request, res: Response) => {
+    const {
+        params: { identityId }
+    } = await validateRequest(reqValidator.DeleteIdentityV1, req);
+    
+    const identityMembershipOrg = await IdentityMembershipOrg
+        .findOne({
+            identity: new Types.ObjectId(identityId)
+        })
+        .populate<{
+            identity: IIdentity,
+            customRole: IRole
+        }>("identity customRole");
+
+    if (!identityMembershipOrg) throw ResourceNotFoundError({
+        message: `Failed to find identity with id ${identityId}`
+    });
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: identityMembershipOrg.organization
+    });
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Delete,
+        OrgPermissionSubjects.Identity
+    );
+
+    const identityRolePermission = await getOrgRolePermissions(
+        identityMembershipOrg?.customRole?.slug ?? identityMembershipOrg.role,
+        identityMembershipOrg.organization.toString()
+    );
+    const hasRequiredPrivileges = isAtLeastAsPrivilegedOrg(permission, identityRolePermission);
+    if (!hasRequiredPrivileges) throw ForbiddenRequestError({
+        message: "Failed to delete more privileged identity"
+    });
+
+    const identity = await Identity.findByIdAndDelete(identityMembershipOrg.identity);
+    if (!identity) throw ResourceNotFoundError({
+        message: `Identity with id ${identityId} not found`
+    });
+
+    await IdentityMembershipOrg.findByIdAndDelete(identityMembershipOrg._id);
+
+    await IdentityMembership.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+    
+    await IdentityUniversalAuth.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+    
+    await IdentityUniversalAuthClientSecret.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+    
+    await IdentityAccessToken.deleteMany({
+        identity: identityMembershipOrg.identity
+    });
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.DELETE_IDENTITY,
+            metadata: {
+                identityId: identity._id.toString()
+            }
+        },
+        {
+            organizationId: identityMembershipOrg.organization
+        }
+    );
+
+    return res.status(200).send({
+        identity
+    });
+}
+
+
+
+
+
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -1,3 +1,4 @@
+import * as identitiesController from "./identitiesController";
 import * as secretController from "./secretController";
 import * as secretSnapshotController from "./secretSnapshotController";
 import * as organizationsController from "./organizationsController";
@ -13,6 +14,7 @@ import * as secretRotationProviderController from "./secretRotationProviderContr
 import * as secretRotationController from "./secretRotationController";

 export {
+  identitiesController,
  secretController,
  secretSnapshotController,
  organizationsController,
--- a/backend/src/ee/controllers/v1/organizationsController.ts
+++ b/backend/src/ee/controllers/v1/organizationsController.ts
@ -8,7 +8,7 @@ import * as reqValidator from "../../../validation/organization";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions,
 } from "../../services/RoleService";
 import { ForbiddenError } from "@casl/ability";
 import { Organization } from "../../../models";
@ -20,7 +20,10 @@ export const getOrganizationPlansTable = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlansTablev1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -42,7 +45,10 @@ export const getOrganizationPlan = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -70,7 +76,10 @@ export const startOrganizationTrial = async (req: Request, res: Response) => {
    body: { success_url }
  } = await validateRequest(reqValidator.StartOrgTrailv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Billing
@ -116,7 +125,10 @@ export const getOrganizationPlanBillingInfo = async (req: Request, res: Response
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanBillingInfov1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -149,7 +161,10 @@ export const getOrganizationPlanTable = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPlanTablev1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -176,7 +191,10 @@ export const getOrganizationBillingDetails = async (req: Request, res: Response)
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgBillingDetailsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -204,7 +222,10 @@ export const updateOrganizationBillingDetails = async (req: Request, res: Respon
    body: { name, email }
  } = await validateRequest(reqValidator.UpdateOrgBillingDetailsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Billing
@ -238,7 +259,10 @@ export const getOrganizationPmtMethods = async (req: Request, res: Response) =>
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgPmtMethodsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -271,7 +295,10 @@ export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
    body: { success_url, cancel_url }
  } = await validateRequest(reqValidator.CreateOrgPmtMethodv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Billing
@ -312,7 +339,10 @@ export const deleteOrganizationPmtMethod = async (req: Request, res: Response) =
    params: { organizationId, pmtMethodId }
  } = await validateRequest(reqValidator.DelOrgPmtMethodv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Billing
@ -342,7 +372,10 @@ export const getOrganizationTaxIds = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgTaxIdsv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -375,7 +408,10 @@ export const addOrganizationTaxId = async (req: Request, res: Response) => {
    body: { type, value }
  } = await validateRequest(reqValidator.CreateOrgTaxId, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Billing
@ -412,7 +448,10 @@ export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
    params: { organizationId, taxId }
  } = await validateRequest(reqValidator.DelOrgTaxIdv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Delete,
    OrgPermissionSubjects.Billing
@ -445,7 +484,10 @@ export const getOrganizationInvoices = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgInvoicesv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
@ -480,7 +522,10 @@ export const getOrganizationLicenses = async (req: Request, res: Response) => {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgLicencesv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Billing
--- a/backend/src/ee/controllers/v1/roleController.ts
+++ b/backend/src/ee/controllers/v1/roleController.ts
@ -15,14 +15,17 @@ import {
  adminProjectPermissions,
  getAuthDataProjectPermissions,
  memberProjectPermissions,
+  noAccessProjectPermissions,
  viewerProjectPermission
 } from "../../services/ProjectRoleService";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
  adminPermissions,
+  getAuthDataOrgPermissions,
  getUserOrgPermissions,
-  memberPermissions
+  memberPermissions,
+  noAccessPermissions
 } from "../../services/RoleService";
 import { BadRequestError } from "../../../utils/errors";
 import { Role } from "../../models";
@ -36,7 +39,11 @@ export const createRole = async (req: Request, res: Response) => {

  const isOrgRole = !workspaceId; // if workspaceid is provided then its a workspace rule
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, orgId);
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: new Types.ObjectId(orgId)
+    });
+    
    if (permission.cannot(OrgPermissionActions.Create, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "user doesn't have the permission." });
    }
@ -80,9 +87,12 @@ export const updateRole = async (req: Request, res: Response) => {
    body: { name, description, slug, permissions, workspaceId, orgId }
  } = await validateRequest(UpdateRoleSchema, req);
  const isOrgRole = !workspaceId; // if workspaceid is provided then its a workspace rule
-
+  
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, orgId);
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: new Types.ObjectId(orgId)
+    });
    if (permission.cannot(OrgPermissionActions.Edit, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "User doesn't have the org permission." });
    }
@ -138,7 +148,10 @@ export const deleteRole = async (req: Request, res: Response) => {

  const isOrgRole = !role.workspace;
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, role.organization.toString());
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: role.organization
+    });
    if (permission.cannot(OrgPermissionActions.Delete, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "User doesn't have the org permission." });
    }
@ -170,7 +183,10 @@ export const getRoles = async (req: Request, res: Response) => {

  const isOrgRole = !workspaceId;
  if (isOrgRole) {
-    const { permission } = await getUserOrgPermissions(req.user.id, orgId);
+    const { permission } = await getAuthDataOrgPermissions({
+      authData: req.authData,
+      organizationId: new Types.ObjectId(orgId)
+    });
    if (permission.cannot(OrgPermissionActions.Read, OrgPermissionSubjects.Role)) {
      throw BadRequestError({ message: "User doesn't have the org permission." });
    }
@ -195,6 +211,13 @@ export const getRoles = async (req: Request, res: Response) => {
      description: "Complete administration access over the organization",
      permissions: isOrgRole ? adminPermissions.rules : adminProjectPermissions.rules
    },
+    {
+      _id: "no-access",
+      name: "No Access",
+      slug: "no-access",
+      description: "No access to any resources in the organization",
+      permissions: isOrgRole ? noAccessPermissions.rules : noAccessProjectPermissions.rules
+    },
    {
      _id: "member",
      name: isOrgRole ? "Member" : "Developer",
@ -229,7 +252,7 @@ export const getUserPermissions = async (req: Request, res: Response) => {
  const {
    params: { orgId }
  } = await validateRequest(GetUserPermission, req);
-
+  
  const { permission, membership } = await getUserOrgPermissions(req.user._id, orgId);

  res.status(200).json({
--- a/backend/src/ee/controllers/v1/ssoController.ts
+++ b/backend/src/ee/controllers/v1/ssoController.ts
@ -13,7 +13,7 @@ import { validateRequest } from "../../../helpers/validation";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
-  getUserOrgPermissions
+  getAuthDataOrgPermissions
 } from "../../services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -47,7 +47,10 @@ export const getSSOConfig = async (req: Request, res: Response) => {
    query: { organizationId }
  } = await validateRequest(reqValidator.GetSsoConfigv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Read,
    OrgPermissionSubjects.Sso
@ -71,7 +74,10 @@ export const updateSSOConfig = async (req: Request, res: Response) => {
    body: { organizationId, authProvider, isActive, entryPoint, issuer, cert }
  } = await validateRequest(reqValidator.UpdateSsoConfigv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Edit,
    OrgPermissionSubjects.Sso
@ -206,7 +212,10 @@ export const createSSOConfig = async (req: Request, res: Response) => {
    body: { organizationId, authProvider, isActive, entryPoint, issuer, cert }
  } = await validateRequest(reqValidator.CreateSsoConfigv1, req);

-  const { permission } = await getUserOrgPermissions(req.user._id, organizationId);
+  const { permission } = await getAuthDataOrgPermissions({
+    authData: req.authData,
+    organizationId: new Types.ObjectId(organizationId)
+  });
  ForbiddenError.from(permission).throwUnlessCan(
    OrgPermissionActions.Create,
    OrgPermissionSubjects.Sso
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -2,10 +2,11 @@ import { Request, Response } from "express";
 import { PipelineStage, Types } from "mongoose";
 import {
  Folder,
+  Identity,
+  IdentityMembership,
  Membership,
  Secret,
  ServiceTokenData,
-  ServiceTokenDataV3,
  TFolderSchema,
  User,
  Workspace
@ -17,10 +18,10 @@ import {
  FolderVersion,
  IPType,
  ISecretVersion,
+  IdentityActor,
  SecretSnapshot,
  SecretVersion,
  ServiceActor,
-  ServiceActorV3,
  TFolderRootVersionSchema,
  TrustedIP,
  UserActor
@ -669,6 +670,21 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
    ProjectPermissionSub.AuditLogs
  );

+  let actorMetadataQuery = "";
+  if (actor) {
+    switch (actor?.split("-", 2)[0]) {
+      case ActorType.USER:
+        actorMetadataQuery = "actor.metadata.userId";
+        break;
+      case ActorType.SERVICE:
+        actorMetadataQuery = "actor.metadata.serviceId";
+        break;
+      case ActorType.IDENTITY:
+        actorMetadataQuery = "actor.metadata.identityId";
+        break;
+    }
+  }
+
  const query = {
    workspace: new Types.ObjectId(workspaceId),
    ...(eventType
@ -684,13 +700,9 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
    ...(actor
      ? {
          "actor.type": actor.substring(0, actor.lastIndexOf("-")),
-          ...(actor.split("-", 2)[0] === ActorType.USER
-            ? {
-                "actor.metadata.userId": actor.substring(actor.lastIndexOf("-") + 1)
-              }
-            : {
-                "actor.metadata.serviceId": actor.substring(actor.lastIndexOf("-") + 1)
-              })
+          ...({
+            [actorMetadataQuery]: actor.substring(actor.lastIndexOf("-") + 1)
+          })
        }
      : {}),
    ...(startDate || endDate
@ -702,7 +714,9 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
        }
      : {})
  };
+  
  const auditLogs = await AuditLog.find(query).sort({ createdAt: -1 }).skip(offset).limit(limit);
+  
  return res.status(200).send({
    auditLogs
  });
@ -731,6 +745,7 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
  const userIds = await Membership.distinct("user", {
    workspace: new Types.ObjectId(workspaceId)
  });
+  
  const userActors: UserActor[] = (
    await User.find({
      _id: {
@ -757,19 +772,25 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
    }
  }));

-  const serviceV3Actors: ServiceActorV3[] = (
-    await ServiceTokenDataV3.find({
-      workspace: new Types.ObjectId(workspaceId)
+  const identityIds = await IdentityMembership.distinct("identity", {
+    workspace: new Types.ObjectId(workspaceId)
+  });
+  
+  const identityActors: IdentityActor[] = (
+    await Identity.find({
+      _id: {
+        $in: identityIds
+      }
    })
-  ).map((serviceTokenData) => ({
-    type: ActorType.SERVICE_V3,
+  ).map((identity) => ({
+    type: ActorType.IDENTITY,
    metadata: {
-      serviceId: serviceTokenData._id.toString(),
-      name: serviceTokenData.name
+      identityId: identity._id.toString(),
+      name: identity.name
    }
  }));

-  const actors = [...userActors, ...serviceActors, ...serviceV3Actors];
+  const actors = [...userActors, ...serviceActors, ...identityActors];

  return res.status(200).send({
    actors
--- a/backend/src/ee/controllers/v3/index.ts
+++ b/backend/src/ee/controllers/v3/index.ts
@ -1,7 +1,5 @@
-import * as serviceTokenDataController from "./serviceTokenDataController";
 import * as apiKeyDataController from "./apiKeyDataController";

 export {
-    serviceTokenDataController,
    apiKeyDataController
 }
--- a/backend/src/ee/controllers/v3/serviceTokenDataController.ts
+++ b/backend/src/ee/controllers/v3/serviceTokenDataController.ts
@ -1,469 +0,0 @@
-import jwt from "jsonwebtoken";
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { 
-    IServiceTokenDataV3,
-    IUser,
-    ServiceTokenDataV3,
-    ServiceTokenDataV3Key,
-    Workspace
-} from "../../../models";
-import { IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";
-import {
-    ActorType,
-    EventType,
-    Role
-} from "../../models";
-import { validateRequest } from "../../../helpers/validation";
-import * as reqValidator from "../../../validation/serviceTokenDataV3";
-import { createToken } from "../../../helpers/auth";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSub,
-  getAuthDataProjectPermissions
-} from "../../services/ProjectRoleService";
-import { ForbiddenError } from "@casl/ability"; 
-import { BadRequestError, ResourceNotFoundError, UnauthorizedRequestError } from "../../../utils/errors";
-import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
-import { EEAuditLogService, EELicenseService } from "../../services";
-import { getAuthSecret } from "../../../config";
-import { ADMIN, AuthTokenType, CUSTOM, MEMBER, VIEWER } from "../../../variables";
-
-/**
- * Return project key for service token V3
- * @param req 
- * @param res 
- */
-export const getServiceTokenDataKey = async (req: Request, res: Response) => {
-    const key = await ServiceTokenDataV3Key.findOne({
-        serviceTokenData: (req.authData.authPayload as IServiceTokenDataV3)._id
-    }).populate<{ sender: IUser }>("sender", "publicKey");
-    
-    if (!key) throw ResourceNotFoundError({
-        message: "Failed to find project key for service token"
-    });
-    
-    const { _id, workspace, encryptedKey, nonce, sender: { publicKey } } = key;
-    
-    return res.status(200).send({
-        key: {
-            _id,
-            workspace,
-            encryptedKey,
-            publicKey,
-            nonce
-        }
-    });
-}
-
-/**
- * Return access and refresh token as per refresh operation
- * @param req 
- * @param res 
- */
- export const refreshToken = async (req: Request, res: Response) => {
-    const {
-        body: {
-            refresh_token
-        }
-    } = await validateRequest(reqValidator.RefreshTokenV3, req);
-
-    const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
-		jwt.verify(refresh_token, await getAuthSecret())
-	);
-    
-    if (decodedToken.authTokenType !== AuthTokenType.SERVICE_REFRESH_TOKEN) throw UnauthorizedRequestError();
-    
-    let serviceTokenData = await ServiceTokenDataV3.findOne({
-        _id: new Types.ObjectId(decodedToken.serviceTokenDataId),
-        isActive: true
-    });
-    
-    if (!serviceTokenData) throw UnauthorizedRequestError();
-
-    if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
-        // raise alarm
-        throw UnauthorizedRequestError();
-    }
-    
-    const response: {
-        refresh_token?: string;
-        access_token: string;
-        expires_in: number;
-        token_type: string;
-    } = {
-        refresh_token,
-        access_token: "",
-        expires_in: 0,
-        token_type: "Bearer"
-    };
-
-    if (serviceTokenData.isRefreshTokenRotationEnabled) {
-        serviceTokenData = await ServiceTokenDataV3.findByIdAndUpdate(
-            serviceTokenData._id,
-            {
-                $inc: {
-                    tokenVersion: 1
-                }
-            },
-            {
-                new: true
-            }
-        );
-        
-        if (!serviceTokenData) throw BadRequestError();
-        
-        response.refresh_token = createToken({
-            payload: {
-                serviceTokenDataId: serviceTokenData._id.toString(),
-                authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
-                tokenVersion: serviceTokenData.tokenVersion
-            },
-            secret: await getAuthSecret()
-        });
-    }
-
-    response.access_token = createToken({
-        payload: {
-            serviceTokenDataId: serviceTokenData._id.toString(),
-            authTokenType: AuthTokenType.SERVICE_ACCESS_TOKEN,
-            tokenVersion: serviceTokenData.tokenVersion
-        },
-        expiresIn: serviceTokenData.accessTokenTTL,
-        secret: await getAuthSecret()
-    });
-
-    response.expires_in = serviceTokenData.accessTokenTTL;
-
-    await ServiceTokenDataV3.findByIdAndUpdate(
-        serviceTokenData._id,
-        {
-            refreshTokenLastUsed: new Date(),
-            $inc: { refreshTokenUsageCount: 1 }
-        },
-        {
-            new: true
-        }
-    );
-    
-    return res.status(200).send(response);
-}
-
-/**
- * Create service token data V3
- * @param req 
- * @param res 
- * @returns 
- */
-export const createServiceTokenData = async (req: Request, res: Response) => {
-    const {
-        body: { 
-            name, 
-            workspaceId, 
-            publicKey, 
-            role,
-            trustedIps,
-            expiresIn, 
-            accessTokenTTL,
-            isRefreshTokenRotationEnabled,
-            encryptedKey, // for ServiceTokenDataV3Key
-            nonce, // for ServiceTokenDataV3Key
-        }
-    } = await validateRequest(reqValidator.CreateServiceTokenV3, req);
-    const { permission } = await getAuthDataProjectPermissions({
-        authData: req.authData,
-        workspaceId: new Types.ObjectId(workspaceId)
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionActions.Create,
-        ProjectPermissionSub.ServiceTokens
-    );
-    
-    const workspace = await Workspace.findById(workspaceId);
-    if (!workspace) throw BadRequestError({ message: "Workspace not found" });
-
-    const isCustomRole = ![ADMIN, MEMBER, VIEWER].includes(role);
-    
-    let customRole;
-    if (isCustomRole) {
-        customRole = await Role.findOne({
-            slug: role,
-            isOrgRole: false,
-            workspace: workspace._id
-        });
-        
-        if (!customRole) throw BadRequestError({ message: "Role not found" });
-    }
-
-    const plan = await EELicenseService.getPlan(workspace.organization);
-    
-    // validate trusted ips
-    const reformattedTrustedIps = trustedIps.map((trustedIp) => {
-        if (!plan.ipAllowlisting && trustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
-            message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
-        });
-
-        const isValidIPOrCidr = isValidIpOrCidr(trustedIp.ipAddress);
-        
-        if (!isValidIPOrCidr) return res.status(400).send({
-            message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-        
-        return extractIPDetails(trustedIp.ipAddress);
-    });
-    
-    let expiresAt;
-    if (expiresIn) {
-        expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-    
-    let user;
-    if (req.authData.actor.type === ActorType.USER) {
-        user = req.authData.authPayload._id;
-    }
-    
-    const isActive = true;
-    const serviceTokenData = await new ServiceTokenDataV3({
-        name,
-        user,
-        workspace: new Types.ObjectId(workspaceId),
-        publicKey,
-        refreshTokenUsageCount: 0,
-        accessTokenUsageCount: 0,
-        tokenVersion: 1,
-        trustedIps: reformattedTrustedIps,
-        role: isCustomRole ? CUSTOM : role,
-        customRole,
-        isActive,
-        expiresAt,
-        accessTokenTTL,
-        isRefreshTokenRotationEnabled
-    }).save();
-    
-    await new ServiceTokenDataV3Key({
-        encryptedKey,
-        nonce,
-        sender: req.user._id,
-        serviceTokenData: serviceTokenData._id,
-        workspace: new Types.ObjectId(workspaceId)
-    }).save();
-    
-    const refreshToken = createToken({
-        payload: {
-            serviceTokenDataId: serviceTokenData._id.toString(),
-            authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
-            tokenVersion: serviceTokenData.tokenVersion
-        },
-        secret: await getAuthSecret()
-    });
-    
-    await EEAuditLogService.createAuditLog(
-        req.authData,
-        {
-            type: EventType.CREATE_SERVICE_TOKEN_V3, // TODO: update
-            metadata: {
-                name,
-                isActive,
-                role,
-                trustedIps: reformattedTrustedIps as Array<IServiceTokenV3TrustedIp>,
-                expiresAt
-            }
-        },
-        {
-            workspaceId: new Types.ObjectId(workspaceId)
-        }
-    );
-    
-    return res.status(200).send({
-        serviceTokenData,
-        refreshToken
-    });
-}
-
-/**
- * Update service token V3 data with id [serviceTokenDataId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateServiceTokenData = async (req: Request, res: Response) => {
-    const {
-        params: { serviceTokenDataId },
-        body: { 
-            name, 
-            isActive,
-            role,
-            trustedIps,
-            expiresIn,
-            accessTokenTTL,
-            isRefreshTokenRotationEnabled
-        }
-    } = await validateRequest(reqValidator.UpdateServiceTokenV3, req);
-
-    let serviceTokenData = await ServiceTokenDataV3.findById(serviceTokenDataId);
-    if (!serviceTokenData) throw ResourceNotFoundError({ 
-        message: "Service token not found" 
-    });
-    
-    const { permission } = await getAuthDataProjectPermissions({
-        authData: req.authData,
-        workspaceId: serviceTokenData.workspace
-    });
-    
-    ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionActions.Edit,
-        ProjectPermissionSub.ServiceTokens
-    );
-
-    const workspace = await Workspace.findById(serviceTokenData.workspace);
-    if (!workspace) throw BadRequestError({ message: "Workspace not found" });
-
-    let customRole;
-    if (role) {
-        const isCustomRole = ![ADMIN, MEMBER, VIEWER].includes(role);
-        if (isCustomRole) {
-            customRole = await Role.findOne({
-                slug: role,
-                isOrgRole: false,
-                workspace: workspace._id
-            });
-            
-            if (!customRole) throw BadRequestError({ message: "Role not found" });
-        }
-    }
-
-    const plan = await EELicenseService.getPlan(workspace.organization);
-
-    // validate trusted ips
-    let reformattedTrustedIps;
-    if (trustedIps) {
-        reformattedTrustedIps = trustedIps.map((trustedIp) => {
-            if (!plan.ipAllowlisting && trustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
-                message: "Failed to update IP access range to service token due to plan restriction. Upgrade plan to update IP access range."
-            });
-
-            const isValidIPOrCidr = isValidIpOrCidr(trustedIp.ipAddress);
-            
-            if (!isValidIPOrCidr) return res.status(400).send({
-                message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-            });
-            
-            return extractIPDetails(trustedIp.ipAddress);
-        });
-    }
-
-    let expiresAt;
-    if (expiresIn) {
-        expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-    
-    serviceTokenData = await ServiceTokenDataV3.findByIdAndUpdate(
-        serviceTokenDataId,
-        {
-            name,
-            isActive,
-            role: customRole ? CUSTOM : role,
-            ...(customRole ? {
-                customRole 
-            } : {}),
-            ...(role && !customRole ? { // non-custom role
-                $unset: {
-                    customRole: 1
-                }
-            } : {}),
-            trustedIps: reformattedTrustedIps,
-            expiresAt,
-            accessTokenTTL,
-            isRefreshTokenRotationEnabled
-        },
-        {
-            new: true
-        }
-    );
-
-    if (!serviceTokenData) throw BadRequestError({
-        message: "Failed to update service token"
-    });
-
-    await EEAuditLogService.createAuditLog(
-        req.authData,
-        {
-            type: EventType.UPDATE_SERVICE_TOKEN_V3,
-            metadata: {
-                name: serviceTokenData.name,
-                isActive,
-                role,
-                trustedIps: reformattedTrustedIps as Array<IServiceTokenV3TrustedIp>,
-                expiresAt
-            }
-        },
-        {
-            workspaceId: serviceTokenData.workspace
-        }
-    );
-
-    return res.status(200).send({
-        serviceTokenData
-    }); 
-}
-
-/**
- * Delete service token data with id [serviceTokenDataId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    const {
-        params: { serviceTokenDataId }
-    } = await validateRequest(reqValidator.DeleteServiceTokenV3, req);
-    
-    let serviceTokenData = await ServiceTokenDataV3.findById(serviceTokenDataId);
-    if (!serviceTokenData) throw ResourceNotFoundError({ 
-        message: "Service token not found" 
-    });
-    
-    const { permission } = await getAuthDataProjectPermissions({
-        authData: req.authData,
-        workspaceId: serviceTokenData.workspace
-    });
-    
-    ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionActions.Delete,
-        ProjectPermissionSub.ServiceTokens
-    );
-    
-    serviceTokenData = await ServiceTokenDataV3.findByIdAndDelete(serviceTokenDataId);
-    
-    if (!serviceTokenData) throw BadRequestError({
-        message: "Failed to delete service token"
-    });
-    
-    await ServiceTokenDataV3Key.findOneAndDelete({
-        serviceTokenData: serviceTokenData._id
-    });
-    
-    await EEAuditLogService.createAuditLog(
-        req.authData,
-        {
-            type: EventType.DELETE_SERVICE_TOKEN_V3,
-            metadata: {
-                name: serviceTokenData.name,
-                isActive: serviceTokenData.isActive,
-                role: serviceTokenData.role,
-                trustedIps: serviceTokenData.trustedIps as Array<IServiceTokenV3TrustedIp>,
-                expiresAt: serviceTokenData.expiresAt
-            }
-        },
-        {
-            workspaceId: serviceTokenData.workspace
-        }
-    );
-
-    return res.status(200).send({
-        serviceTokenData
-    }); 
-}
--- a/backend/src/ee/models/auditLog/auditLog.ts
+++ b/backend/src/ee/models/auditLog/auditLog.ts
@ -10,7 +10,7 @@ export interface IAuditLog {
  event: Event;
  userAgent: string;
  userAgentType: UserAgentType;
-  expiresAt: Date;
+  expiresAt?: Date;
 }

 const auditLogSchema = new Schema<IAuditLog>(
--- a/backend/src/ee/models/auditLog/enums.ts
+++ b/backend/src/ee/models/auditLog/enums.ts
@ -1,8 +1,7 @@
-export enum ActorType {
-  USER = "user",
-  SERVICE = "service",
-  SERVICE_V3 = "service-v3",
-  // Machine = "machine"
+export enum ActorType { // would extend to AWS, Azure, ...
+    USER = "user", // userIdentity
+    SERVICE = "service",
+    IDENTITY = "identity"
 }

 export enum UserAgentType {
@ -32,9 +31,16 @@ export enum EventType {
  DELETE_TRUSTED_IP = "delete-trusted-ip",
  CREATE_SERVICE_TOKEN = "create-service-token", // v2
  DELETE_SERVICE_TOKEN = "delete-service-token", // v2
-  CREATE_SERVICE_TOKEN_V3 = "create-service-token-v3", // v3
-  UPDATE_SERVICE_TOKEN_V3 = "update-service-token-v3", // v3
-  DELETE_SERVICE_TOKEN_V3 = "delete-service-token-v3", // v3
+  CREATE_IDENTITY = "create-identity",
+  UPDATE_IDENTITY = "update-identity",
+  DELETE_IDENTITY = "delete-identity",
+  LOGIN_IDENTITY_UNIVERSAL_AUTH = "login-identity-universal-auth",
+  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
+  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
+  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET =  "revoke-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
--- a/backend/src/ee/models/auditLog/types.ts
+++ b/backend/src/ee/models/auditLog/types.ts
@ -1,5 +1,5 @@
 import { ActorType, EventType } from "./enums";
-import { IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";
+import { IIdentityTrustedIp } from "../../../models";

 interface UserActorMetadata {
  userId: string;
@ -11,6 +11,11 @@ interface ServiceActorMetadata {
  name: string;
 }

+interface IdentityActorMetadata {
+  identityId: string;
+  name: string;
+}
+
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -21,16 +26,12 @@ export interface ServiceActor {
  metadata: ServiceActorMetadata;
 }

-export interface ServiceActorV3 {
-  type: ActorType.SERVICE_V3;
-  metadata: ServiceActorMetadata;
+export interface IdentityActor {
+  type: ActorType.IDENTITY;
+  metadata: IdentityActorMetadata;
 }

-// export interface MachineActor {
-//   type: ActorType.Machine;
-// }
-
-export type Actor = UserActor | ServiceActor | ServiceActorV3;
+export type Actor = UserActor | ServiceActor | IdentityActor;

 interface GetSecretsEvent {
  type: EventType.GET_SECRETS;
@ -220,36 +221,91 @@ interface DeleteServiceTokenEvent {
  };
 }

-interface CreateServiceTokenV3Event {
-  type: EventType.CREATE_SERVICE_TOKEN_V3;
+interface CreateIdentityEvent { // note: currently not logging org-role
+  type: EventType.CREATE_IDENTITY;
  metadata: {
+    identityId: string;
    name: string;
-    isActive: boolean;
-    role: string;
-    trustedIps: Array<IServiceTokenV3TrustedIp>;
-    expiresAt?: Date;
  };
 }

-interface UpdateServiceTokenV3Event {
-  type: EventType.UPDATE_SERVICE_TOKEN_V3;
+interface UpdateIdentityEvent {
+  type: EventType.UPDATE_IDENTITY;
  metadata: {
+    identityId: string;
    name?: string;
-    isActive?: boolean;
-    role?: string;
-    trustedIps?: Array<IServiceTokenV3TrustedIp>;
-    expiresAt?: Date;
  };
 }

-interface DeleteServiceTokenV3Event {
-  type: EventType.DELETE_SERVICE_TOKEN_V3;
+interface DeleteIdentityEvent {
+  type: EventType.DELETE_IDENTITY;
  metadata: {
-    name: string;
-    isActive: boolean;
-    role: string;
-    expiresAt?: Date;
-    trustedIps: Array<IServiceTokenV3TrustedIp>;
+    identityId: string;
+  };
+}
+
+interface LoginIdentityUniversalAuthEvent {
+  type: EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH ;
+  metadata: {
+    identityId: string;
+    identityUniversalAuthId: string;
+    clientSecretId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityUniversalAuthEvent {
+  type: EventType.ADD_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+    clientSecretTrustedIps: Array<IIdentityTrustedIp>;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<IIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityUniversalAuthEvent {
+  type: EventType.UPDATE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+    clientSecretTrustedIps?: Array<IIdentityTrustedIp>;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<IIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityUniversalAuthEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface CreateIdentityUniversalAuthClientSecretEvent {
+  type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET ;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
+interface GetIdentityUniversalAuthClientSecretsEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS;
+  metadata: {
+    identityId: string;
+  };
+}
+
+
+interface RevokeIdentityUniversalAuthClientSecretEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET ;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
  };
 }

@ -495,9 +551,16 @@ export type Event =
  | DeleteTrustedIPEvent
  | CreateServiceTokenEvent
  | DeleteServiceTokenEvent
-  | CreateServiceTokenV3Event
-  | UpdateServiceTokenV3Event
-  | DeleteServiceTokenV3Event
+  | CreateIdentityEvent
+  | UpdateIdentityEvent
+  | DeleteIdentityEvent
+  | LoginIdentityUniversalAuthEvent
+  | AddIdentityUniversalAuthEvent
+  | UpdateIdentityUniversalAuthEvent
+  | GetIdentityUniversalAuthEvent
+  | CreateIdentityUniversalAuthClientSecretEvent
+  | GetIdentityUniversalAuthClientSecretsEvent
+  | RevokeIdentityUniversalAuthClientSecretEvent
  | CreateEnvironmentEvent
  | UpdateEnvironmentEvent
  | DeleteEnvironmentEvent
--- a/backend/src/ee/routes/v1/identities.ts
+++ b/backend/src/ee/routes/v1/identities.ts
@ -0,0 +1,31 @@
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../../middleware";
+import { AuthMode } from "../../../variables";
+import { identitiesController } from "../../controllers/v1";
+
+router.post(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
+  }),
+  identitiesController.createIdentity
+);
+
+router.patch(
+  "/:identityId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  identitiesController.updateIdentity
+);
+
+router.delete(
+  "/:identityId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  identitiesController.deleteIdentity
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,3 +1,4 @@
+import identities from "./identities";
 import secret from "./secret";
 import secretSnapshot from "./secretSnapshot";
 import organizations from "./organizations";
@ -13,6 +14,7 @@ import secretRotationProvider from "./secretRotationProvider";
 import secretRotation from "./secretRotation";

 export {
+  identities,
  secret,
  secretSnapshot,
  organizations,
--- a/backend/src/ee/routes/v3/index.ts
+++ b/backend/src/ee/routes/v3/index.ts
@ -1,7 +1,5 @@
-import serviceTokenData from "./serviceTokenData";
 import apiKeyData from "./apiKeyData";

 export {
-    serviceTokenData,
    apiKeyData
 }
--- a/backend/src/ee/routes/v3/serviceTokenData.ts
+++ b/backend/src/ee/routes/v3/serviceTokenData.ts
@ -1,44 +0,0 @@
-import express from "express";
-const router = express.Router();
-import { requireAuth } from "../../../middleware";
-import { AuthMode } from "../../../variables";
-import { serviceTokenDataController } from "../../controllers/v3";
-
-router.get(
-  "/me/key",
-  requireAuth({
-    acceptedAuthModes: [AuthMode.SERVICE_ACCESS_TOKEN]
-  }),
-  serviceTokenDataController.getServiceTokenDataKey
-);
-
-router.post(
-  "/me/token",
-  serviceTokenDataController.refreshToken
-);
-
-router.post(
-    "/",
-    requireAuth({
-      acceptedAuthModes: [AuthMode.JWT]
-    }),
-    serviceTokenDataController.createServiceTokenData
-);
-
-router.patch(
-    "/:serviceTokenDataId",
-    requireAuth({
-      acceptedAuthModes: [AuthMode.JWT]
-    }),
-    serviceTokenDataController.updateServiceTokenData
-);
-
-router.delete(
-  "/:serviceTokenDataId",
-  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
-  }),
-  serviceTokenDataController.deleteServiceTokenData
-);
-
-export default router;
--- a/backend/src/ee/services/EEAuditLogService.ts
+++ b/backend/src/ee/services/EEAuditLogService.ts
@ -3,7 +3,6 @@ import { AuditLog, Event } from "../models";
 import { AuthData } from "../../interfaces/middleware";
 import EELicenseService from "./EELicenseService";
 import { Workspace } from "../../models";
-import { OrganizationNotFoundError } from "../../utils/errors";

 interface EventScope {
    workspaceId?: Types.ObjectId;
@ -14,31 +13,42 @@ type ValidEventScope =
    | Required<Pick<EventScope, "workspaceId">>
    | Required<Pick<EventScope, "organizationId">>
    | Required<EventScope>
+    | Record<string, never>;

 export default class EEAuditLogService {
-    static async createAuditLog(authData: AuthData, event: Event, eventScope: ValidEventScope, shouldSave = true) {
+    static async createAuditLog(authData: AuthData, event: Event, eventScope: ValidEventScope = {}, shouldSave = true) {
        
        const MS_IN_DAY = 24 * 60 * 60 * 1000;
        
-        const organizationId = ("organizationId" in eventScope)
-            ? eventScope.organizationId
-            : (await Workspace.findById(eventScope.workspaceId).select("organization").lean())?.organization;
+        let organizationId;
+        if ("organizationId" in eventScope) {
+            organizationId = eventScope.organizationId;
+        } 
        
-        if (!organizationId) throw OrganizationNotFoundError({
-            message: "createAuditLog: Failed to create audit log due to missing organizationId"
-        });
-
-        const ttl = (await EELicenseService.getPlan(organizationId)).auditLogsRetentionDays * MS_IN_DAY;
+        let workspaceId;
+        if ("workspaceId" in eventScope) {
+            workspaceId = eventScope.workspaceId;
+            
+            if (!organizationId) {
+                organizationId = (await Workspace.findById(workspaceId).select("organization").lean())?.organization;
+            }
+        }
+        
+        let expiresAt;
+        if (organizationId) {
+            const ttl = (await EELicenseService.getPlan(organizationId)).auditLogsRetentionDays * MS_IN_DAY;
+            expiresAt = new Date(Date.now() + ttl);
+        }
        
        const auditLog = await new AuditLog({
            actor: authData.actor,
            organization: organizationId,
-            workspace: ("workspaceId" in eventScope) ? eventScope.workspaceId : undefined,
+            workspace: workspaceId,
            ipAddress: authData.ipAddress,
            event,
            userAgent: authData.userAgent,
            userAgentType: authData.userAgentType,
-            expiresAt: new Date(Date.now() + ttl)
+            expiresAt
        });
        
        if (shouldSave) {
--- a/backend/src/ee/services/ProjectRoleService.ts
+++ b/backend/src/ee/services/ProjectRoleService.ts
@ -11,10 +11,15 @@ import { UnauthorizedRequestError } from "../../utils/errors";
 import { FieldCondition, FieldInstruction, JsInterpreter } from "@ucast/mongo2js";
 import picomatch from "picomatch";
 import { AuthData } from "../../interfaces/middleware";
-import { ActorType, IRole } from "../models";
-import { Membership, ServiceTokenData, ServiceTokenDataV3 } from "../../models";
-import { ADMIN, CUSTOM, MEMBER, VIEWER } from "../../variables";
-import { checkIPAgainstBlocklist } from "../../utils/ip";
+import { ActorType, IRole, Role } from "../models";
+import { 
+  IIdentity,
+  IdentityMembership,
+  Membership,
+  ServiceTokenData
+} from "../../models";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../../variables";
+import { BadRequestError } from "../../utils/errors";

 const $glob: FieldInstruction<string> = {
  type: "field",
@ -55,7 +60,8 @@ export enum ProjectPermissionSub {
  Secrets = "secrets",
  SecretRollback = "secret-rollback",
  SecretApproval = "secret-approval",
-  SecretRotation = "secret-rotation"
+  SecretRotation = "secret-rotation",
+  Identity = "identity"
 }

 type SubjectFields = {
@ -80,6 +86,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
+  | [ProjectPermissionActions, ProjectPermissionSub.Identity]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
@ -126,6 +133,11 @@ const buildAdminPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Webhooks);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Webhooks);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.ServiceTokens);
@ -191,6 +203,11 @@ const buildMemberPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Webhooks);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Webhooks);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.ServiceTokens);
@ -231,6 +248,7 @@ const buildViewerPermission = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
@ -243,6 +261,13 @@ const buildViewerPermission = () => {

 export const viewerProjectPermission = buildViewerPermission();

+const buildNoAccessProjectPermission = () => {
+  const { build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+  return build({ conditionsMatcher });
+}
+
+export const noAccessProjectPermissions = buildNoAccessProjectPermission();
+
 /**
 * Return permissions for user/service pertaining to workspace with id [workspaceId]
 * 
@ -256,7 +281,7 @@ export const getAuthDataProjectPermissions = async ({
  authData: AuthData;
  workspaceId: Types.ObjectId;
 }) => {
-  let role: "admin" | "member" | "viewer" | "custom";
+  let role: "admin" | "member" | "viewer" | "no-access" | "custom";
  let customRole;
  
  switch (authData.actor.type) {
@ -265,10 +290,10 @@ export const getAuthDataProjectPermissions = async ({
        user: authData.authPayload._id,
        workspace: workspaceId
      })
-        .populate<{
-          customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
-        }>("customRole")
-        .exec();
+      .populate<{
+        customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
+      }>("customRole")
+      .exec();
    
      if (!membership || (membership.role === "custom" && !membership.customRole)) {
        throw UnauthorizedRequestError();
@ -284,25 +309,24 @@ export const getAuthDataProjectPermissions = async ({
      role = "viewer";
      break;
    }
-    case ActorType.SERVICE_V3: {
-      const serviceTokenData = await ServiceTokenDataV3
-        .findById(authData.authPayload._id)
-        .populate<{
-          customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
-        }>("customRole")
-        .exec();
-        
-      if (!serviceTokenData || (serviceTokenData.role === "custom" && !serviceTokenData.customRole)) {
+    case ActorType.IDENTITY: {
+      const identityMembership = await IdentityMembership.findOne({
+        identity: authData.authPayload._id,
+        workspace: workspaceId
+      })
+      .populate<{
+        customRole: IRole & { permissions: RawRuleOf<MongoAbility<ProjectPermissionSet>>[] };
+        identity: IIdentity
+      }>("customRole identity")
+      .exec();
+      
+      if (!identityMembership || (identityMembership.role === "custom" && !identityMembership.customRole)) {
        throw UnauthorizedRequestError();
      }
-
-      checkIPAgainstBlocklist({
-        ipAddress: authData.ipAddress,
-        trustedIps: serviceTokenData.trustedIps
-      });
    
-      role = serviceTokenData.role;
-      customRole = serviceTokenData.customRole;
+      role = identityMembership.role;
+      customRole = identityMembership.customRole;
+
      break;
    }
    default:
@ -316,6 +340,8 @@ export const getAuthDataProjectPermissions = async ({
      return { permission: memberProjectPermissions };
    case VIEWER:
      return { permission: viewerProjectPermission };
+    case NO_ACCESS:
+      return { permission: noAccessProjectPermissions };
    case CUSTOM: {
      if (!customRole) throw UnauthorizedRequestError();
      return { 
@ -329,3 +355,61 @@ export const getAuthDataProjectPermissions = async ({
      throw UnauthorizedRequestError();
  }
 }
+
+export const getWorkspaceRolePermissions = async (role: string, workspaceId: string) => {
+  const isCustomRole = ![ADMIN, MEMBER, VIEWER, NO_ACCESS].includes(role);
+  if (isCustomRole) {
+    const workspaceRole = await Role.findOne({
+      slug: role,
+      isOrgRole: false,
+      workspace: new Types.ObjectId(workspaceId)
+    });
+
+    if (!workspaceRole) throw BadRequestError({ message: "Role not found" });
+    
+    return createMongoAbility<ProjectPermissionSet>(workspaceRole.permissions as RawRuleOf<MongoAbility<ProjectPermissionSet>>[], {
+      conditionsMatcher
+    });
+  }
+
+  switch (role) {
+    case ADMIN:
+      return adminProjectPermissions;
+    case MEMBER:
+      return memberProjectPermissions;
+    case VIEWER:
+      return viewerProjectPermission;
+    case NO_ACCESS:
+      return noAccessProjectPermissions;
+    default:
+      throw BadRequestError({ message: "Role not found" });
+  }
+}
+
+/**
+ * Extracts and formats permissions from a CASL Ability object or a raw permission set. 
+ * @param ability
+ * @returns 
+ */
+ const extractPermissions = (ability: any) => {
+  return ability.A.map((permission: any) => `${permission.action}_${permission.subject}`);
+}
+
+/**
+ * Compares two sets of permissions to determine if the first set is at least as privileged as the second set.
+ * The function checks if all permissions in the second set are contained within the first set and if the first set has equal or more permissions.
+ * 
+*/
+export const isAtLeastAsPrivilegedWorkspace = (permissions1: MongoAbility<ProjectPermissionSet> | ProjectPermissionSet, permissions2: MongoAbility<ProjectPermissionSet> | ProjectPermissionSet) => {
+
+  const set1 = new Set(extractPermissions(permissions1));
+  const set2 = new Set(extractPermissions(permissions2));
+  
+  for (const perm of set2) {
+    if (!set1.has(perm)) {
+      return false;
+    }
+  }
+
+  return set1.size >= set2.size;
+}
--- a/backend/src/ee/services/RoleService.ts
+++ b/backend/src/ee/services/RoleService.ts
@ -1,9 +1,15 @@
+import { Types } from "mongoose";
 import { AbilityBuilder, MongoAbility, RawRuleOf, createMongoAbility } from "@casl/ability";
-import { MembershipOrg } from "../../models";
-import { IRole } from "../models/role";
+import { 
+  IIdentity,
+  IdentityMembershipOrg,
+  MembershipOrg
+} from "../../models";
+import { ActorType, IRole, Role } from "../models";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import { ACCEPTED } from "../../variables";
+import { ACCEPTED, ADMIN, CUSTOM, MEMBER, NO_ACCESS} from "../../variables";
 import { conditionsMatcher } from "./ProjectRoleService";
+import { AuthData } from "../../interfaces/middleware";

 export enum OrgPermissionActions {
  Read = "read",
@ -20,7 +26,8 @@ export enum OrgPermissionSubjects {
  IncidentAccount = "incident-contact",
  Sso = "sso",
  Billing = "billing",
-  SecretScanning = "secret-scanning"
+  SecretScanning = "secret-scanning",
+  Identity = "identity"
 }

 export type OrgPermissionSet =
@ -32,7 +39,8 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.IncidentAccount]
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionActions, OrgPermissionSubjects.Billing];
+  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionActions, OrgPermissionSubjects.Identity];

 const buildAdminPermission = () => {
  const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
@ -75,6 +83,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
+
  return build({ conditionsMatcher });
 };

@ -98,13 +111,26 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.SecretScanning);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.SecretScanning);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
+
  return build({ conditionsMatcher });
 };

 export const memberPermissions = buildMemberPermission();

+const buildNoAccessPermission = () => {
+  const { build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  return build({ conditionsMatcher });
+}
+
+export const noAccessPermissions = buildNoAccessPermission();
+
 export const getUserOrgPermissions = async (userId: string, orgId: string) => {
  // TODO(akhilmhdh): speed this up by pulling from cache later
+  
  const membership = await MembershipOrg.findOne({
    user: userId,
    organization: orgId,
@ -119,11 +145,13 @@ export const getUserOrgPermissions = async (userId: string, orgId: string) => {
    throw UnauthorizedRequestError({ message: "User doesn't belong to organization" });
  }

-  if (membership.role === "admin") return { permission: adminPermissions, membership };
+  if (membership.role === ADMIN) return { permission: adminPermissions, membership };

-  if (membership.role === "member") return { permission: memberPermissions, membership };
+  if (membership.role === MEMBER) return { permission: memberPermissions, membership };
+  
+  if (membership.role === NO_ACCESS) return { permission: noAccessPermissions, membership }

-  if (membership.role === "custom") {
+  if (membership.role === CUSTOM) {
    const permission = createMongoAbility<OrgPermissionSet>(membership.customRole.permissions, {
      conditionsMatcher
    });
@ -132,3 +160,142 @@ export const getUserOrgPermissions = async (userId: string, orgId: string) => {

  throw BadRequestError({ message: "User role not found" });
 };
+
+/**
+ * Return permissions for user/service pertaining to organization with id [organizationId]
+ * 
+ * Note: should not rely on this function for ST V2 authorization logic
+ * b/c ST V2 does not support role-based access control but also not organization-level resources
+ */
+ export const getAuthDataOrgPermissions = async ({
+  authData,
+  organizationId
+}: {
+  authData: AuthData;
+  organizationId: Types.ObjectId;
+}) => {
+  let role: "admin" | "member" | "no-access" | "custom";
+  let customRole;
+  
+  switch (authData.actor.type) {
+    case ActorType.USER: {
+      const membershipOrg = await MembershipOrg.findOne({
+        user: authData.authPayload._id,
+        organization: organizationId,
+        status: ACCEPTED
+      })
+      .populate<{ customRole: IRole & { permissions: RawRuleOf<MongoAbility<OrgPermissionSet>>[] } }>(
+        "customRole"
+      )
+      .exec();
+      
+      if (!membershipOrg || (membershipOrg.role === "custom" && !membershipOrg.customRole)) {
+        throw UnauthorizedRequestError({ message: "User doesn't belong to organization" });
+      }
+      
+      role = membershipOrg.role;
+      customRole = membershipOrg.customRole;
+      break;
+    }
+    case ActorType.SERVICE: {
+      throw UnauthorizedRequestError({
+        message: "Failed to access organization-level resources with service token"
+      });
+    }
+    case ActorType.IDENTITY: {
+      const identityMembershipOrg = await IdentityMembershipOrg.findOne({
+        identity: authData.authPayload._id,
+        organization: organizationId
+      })
+      .populate<{
+        customRole: IRole & { permissions: RawRuleOf<MongoAbility<OrgPermissionSet>>[] };
+        identity: IIdentity
+      }>("customRole identity")
+      .exec();
+      
+      if (!identityMembershipOrg || (identityMembershipOrg.role === "custom" && !identityMembershipOrg.customRole)) {
+        throw UnauthorizedRequestError();
+      }
+      
+      role = identityMembershipOrg.role;
+      customRole = identityMembershipOrg.customRole;
+      break;
+    }
+    default:
+      throw UnauthorizedRequestError();
+  }
+
+  switch (role) {
+    case ADMIN:
+      return { permission: adminPermissions };
+    case MEMBER:
+      return { permission: memberPermissions };
+    case NO_ACCESS:
+      return { permission: noAccessPermissions };
+    case CUSTOM: {
+      if (!customRole) throw UnauthorizedRequestError();
+      return {
+        permission: createMongoAbility<OrgPermissionSet>(
+          customRole.permissions, 
+          { conditionsMatcher }
+        )
+      };
+    }
+  }
+}
+
+export const getOrgRolePermissions = async (role: string, orgId: string) => {
+  const isCustomRole = ![ADMIN, MEMBER, NO_ACCESS].includes(role);
+  if (isCustomRole) {
+    const orgRole = await Role.findOne({
+      slug: role,
+      isOrgRole: true,
+      organization: new Types.ObjectId(orgId)
+    });
+
+    if (!orgRole) throw BadRequestError({ message: "Org Role not found" });
+    
+    return createMongoAbility<OrgPermissionSet>(orgRole.permissions as RawRuleOf<MongoAbility<OrgPermissionSet>>[], {
+      conditionsMatcher
+    });
+  }
+
+  switch (role) {
+    case ADMIN:
+      return adminPermissions;
+    case MEMBER:
+      return memberPermissions;
+    case NO_ACCESS:
+      return noAccessPermissions;
+    default:
+      throw BadRequestError({ message: "User org role not found" });
+  }
+}
+
+/**
+ * Extracts and formats permissions from a CASL Ability object or a raw permission set. 
+ * @param ability
+ * @returns 
+ */
+const extractPermissions = (ability: any) => {
+  return ability.A.map((permission: any) => `${permission.action}_${permission.subject}`);
+}
+
+/**
+ * Compares two sets of permissions to determine if the first set is at least as privileged as the second set.
+ * The function checks if all permissions in the second set are contained within the first set and if the first set has equal or more permissions.
+ * 
+*/
+export const isAtLeastAsPrivilegedOrg = (permissions1: MongoAbility<OrgPermissionSet> | OrgPermissionSet, permissions2: MongoAbility<OrgPermissionSet> | OrgPermissionSet) => {
+
+  const set1 = new Set(extractPermissions(permissions1));
+  const set2 = new Set(extractPermissions(permissions2));
+  
+  for (const perm of set2) {
+    if (!set1.has(perm)) {
+      return false;
+    }
+  }
+
+  return set1.size >= set2.size;
+}
--- a/backend/src/helpers/membership.ts
+++ b/backend/src/helpers/membership.ts
@ -17,7 +17,7 @@ export const validateMembership = async ({
 }: {
  userId: Types.ObjectId | string;
  workspaceId: Types.ObjectId | string;
-  acceptedRoles?: Array<"admin" | "member" | "custom" | "viewer">;
+  acceptedRoles?: Array<"admin" | "member" | "custom" | "viewer" | "no-access">;
 }) => {
  const membership = await Membership.findOne({
    user: userId,
--- a/backend/src/helpers/membershipOrg.ts
+++ b/backend/src/helpers/membershipOrg.ts
@ -18,7 +18,7 @@ export const validateMembershipOrg = async ({
 }: {
  userId: Types.ObjectId;
  organizationId: Types.ObjectId;
-  acceptedRoles?: Array<"owner" | "admin" | "member" | "custom">;
+  acceptedRoles?: Array<"owner" | "admin" | "member" | "custom" | "no-access">;
  acceptedStatuses?: Array<"invited" | "accepted">;
 }) => {
  const membershipOrg = await MembershipOrg.findOne({
--- a/backend/src/helpers/organization.ts
+++ b/backend/src/helpers/organization.ts
@ -4,6 +4,11 @@ import {
  BotKey,
  BotOrg,
  Folder,
+  Identity,
+  IdentityMembership,
+  IdentityMembershipOrg,
+  IdentityUniversalAuth,
+  IdentityUniversalAuthClientSecret,
  IncidentContactOrg,
  Integration,
  IntegrationAuth,
@ -16,8 +21,6 @@ import {
  SecretImport,
  ServiceToken,
  ServiceTokenData,
-  ServiceTokenDataV3,
-  ServiceTokenDataV3Key,
  Tag,
  Webhook,
  Workspace
@ -123,6 +126,32 @@ export const deleteOrganization = async ({
  await MembershipOrg.deleteMany({
    organization: organization._id
  });
+
+  const identityIds = await IdentityMembershipOrg.distinct("identity", {
+    organization: organization._id
+  });
+  
+  await IdentityMembershipOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await Identity.deleteMany({
+    _id: {
+      $in: identityIds
+    }
+  });
+  
+  await IdentityUniversalAuth.deleteMany({
+    identity: {
+      $in: identityIds
+    }
+  });
+
+  await IdentityUniversalAuthClientSecret.deleteMany({
+    identity: {
+      $in: identityIds
+    }
+  });
  
  await BotOrg.deleteMany({
    organization: organization._id
@ -268,13 +297,7 @@ export const deleteOrganization = async ({
    }
  });

-  await ServiceTokenDataV3.deleteMany({
-    workspace: {
-      $in: workspaceIds
-    }
-  });
-  
-  await ServiceTokenDataV3Key.deleteMany({
+  await IdentityMembership.deleteMany({
    workspace: {
      $in: workspaceIds
    }
--- a/backend/src/helpers/workspace.ts
+++ b/backend/src/helpers/workspace.ts
@ -3,6 +3,7 @@ import {
 	Bot,
 	BotKey,
 	Folder,
+	IdentityMembership,
 	Integration,
 	IntegrationAuth,
 	Key,
@ -12,8 +13,6 @@ import {
 	SecretImport,
 	ServiceToken,
 	ServiceTokenData,
-	ServiceTokenDataV3,
-	ServiceTokenDataV3Key,
 	Tag,
 	Webhook,
 	Workspace
@ -178,12 +177,8 @@ export const deleteWorkspace = async ({
 	await ServiceTokenData.deleteMany({
 		workspace: workspace._id
 	});
-
-	await ServiceTokenDataV3.deleteMany({
-		workspace: workspace._id
-	});
-
-	await ServiceTokenDataV3Key.deleteMany({
+	
+	await IdentityMembership.deleteMany({
 		workspace: workspace._id
 	});

--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -25,6 +25,7 @@ import {
  secretSnapshot as eeSecretSnapshotRouter,
  users as eeUsersRouter,
  workspace as eeWorkspaceRouter,
+  identities as v1IdentitiesRouter,
  roles as v1RoleRouter,
  secretApprovalPolicy as v1SecretApprovalPolicyRouter,
  secretApprovalRequest as v1SecretApprovalRequestRouter,
@ -33,7 +34,6 @@ import {
  secretScanning as v1SecretScanningRouter
 } from "./ee/routes/v1";
 import { apiKeyData as v3apiKeyDataRouter } from "./ee/routes/v3";
-import { serviceTokenData as v3ServiceTokenDataRouter } from "./ee/routes/v3";
 import {
  admin as v1AdminRouter,
  auth as v1AuthRouter,
@ -52,6 +52,7 @@ import {
  secretsFolder as v1SecretsFolder,
  serviceToken as v1ServiceTokenRouter,
  signup as v1SignupRouter,
+  universalAuth as v1UniversalAuthRouter,
  userAction as v1UserActionRouter,
  user as v1UserRouter,
  webhooks as v1WebhooksRouter,
@ -198,6 +199,7 @@ const main = async () => {
  }

  // (EE) routes
+  app.use("/api/v1/identities", v1IdentitiesRouter);
  app.use("/api/v1/secret", eeSecretRouter);
  app.use("/api/v1/secret-snapshot", eeSecretSnapshotRouter);
  app.use("/api/v1/users", eeUsersRouter);
@ -205,14 +207,14 @@ const main = async () => {
  app.use("/api/v1/organizations", eeOrganizationsRouter);
  app.use("/api/v1/sso", eeSSORouter);
  app.use("/api/v1/cloud-products", eeCloudProductsRouter);
-  app.use("/api/v3/api-key", v3apiKeyDataRouter); // new
-  app.use("/api/v3/service-token", v3ServiceTokenDataRouter); // new
+  app.use("/api/v3/api-key", v3apiKeyDataRouter);
  app.use("/api/v1/secret-rotation-providers", v1SecretRotationProviderRouter);
  app.use("/api/v1/secret-rotations", v1SecretRotation);

  // v1 routes
  app.use("/api/v1/signup", v1SignupRouter);
  app.use("/api/v1/auth", v1AuthRouter);
+  app.use("/api/v1/auth", v1UniversalAuthRouter); // new
  app.use("/api/v1/admin", v1AdminRouter);
  app.use("/api/v1/bot", v1BotRouter);
  app.use("/api/v1/user", v1UserRouter);
@ -220,7 +222,7 @@ const main = async () => {
  app.use("/api/v1/organization", v1OrganizationRouter);
  app.use("/api/v1/workspace", v1WorkspaceRouter);
  app.use("/api/v1/membership-org", v1MembershipOrgRouter);
-  app.use("/api/v1/membership", v1MembershipRouter); //
+  app.use("/api/v1/membership", v1MembershipRouter);
  app.use("/api/v1/key", v1KeyRouter);
  app.use("/api/v1/invite-org", v1InviteOrgRouter);
  app.use("/api/v1/secret", v1SecretRouter); // deprecate
@ -247,7 +249,7 @@ const main = async () => {
  app.use("/api/v2/workspace", v2TagsRouter);
  app.use("/api/v2/workspace", v2WorkspaceRouter);
  app.use("/api/v2/secret", v2SecretRouter); // deprecate
-  app.use("/api/v2/secrets", v2SecretsRouter); // note: in the process of moving to v3/secrets
+  app.use("/api/v2/secrets", v2SecretsRouter);
  app.use("/api/v2/service-token", v2ServiceTokenDataRouter);

  // v3 routes (experimental)
--- a/backend/src/interfaces/middleware/index.ts
+++ b/backend/src/interfaces/middleware/index.ts
@ -1,6 +1,6 @@
 import { Types } from "mongoose";
-import { IServiceTokenData, IServiceTokenDataV3, IUser } from "../../models";
-import { ServiceActor, ServiceActorV3, UserActor, UserAgentType } from "../../ee/models";
+import { IIdentity, IServiceTokenData, IUser } from "../../models";
+import { IdentityActor, ServiceActor, UserActor, UserAgentType } from "../../ee/models";

 interface BaseAuthData {
  ipAddress: string;
@ -14,9 +14,9 @@ export interface UserAuthData extends BaseAuthData {
  authPayload: IUser;
 }

-export interface ServiceTokenV3AuthData extends BaseAuthData {
-  actor: ServiceActorV3;
-  authPayload: IServiceTokenDataV3;
+export interface IdentityAuthData extends BaseAuthData {
+  actor: IdentityActor;
+  authPayload: IIdentity;
 }

 export interface ServiceTokenAuthData extends BaseAuthData {
@ -24,4 +24,4 @@ export interface ServiceTokenAuthData extends BaseAuthData {
  authPayload: IServiceTokenData;
 }

-export type AuthData = UserAuthData | ServiceTokenV3AuthData | ServiceTokenAuthData;
+export type AuthData = UserAuthData | IdentityAuthData | ServiceTokenAuthData;
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -39,8 +39,9 @@ export const requestErrorHandler: ErrorRequestHandler = async (

  Sentry.captureException(error);

-  delete (<any>error).stacktrace // remove stack trace from being sent to client
-  res.status((<RequestError>error).statusCode).json(error); // revise json part here
+  res.status((<RequestError>error).statusCode).send(
+    await error.format(req)
+  );

  next();
 };
--- a/backend/src/middleware/requireAuth.ts
+++ b/backend/src/middleware/requireAuth.ts
@ -50,7 +50,7 @@ const requireAuth = ({
 			case AuthMode.SERVICE_TOKEN:
 				req.serviceTokenData = authData.authPayload;
 				break;
-			case AuthMode.SERVICE_ACCESS_TOKEN:
+			case AuthMode.IDENTITY_ACCESS_TOKEN:
 				req.serviceTokenData = authData.authPayload;
 				break;
 			case AuthMode.API_KEY:
--- a/backend/src/models/identity.ts
+++ b/backend/src/models/identity.ts
@ -0,0 +1,38 @@
+import { Document, Schema, Types, model } from "mongoose";
+import { IPType } from "../ee/models";
+
+export interface IIdentityTrustedIp {
+    ipAddress: string;
+    type: IPType;
+    prefix: number;
+}
+
+export enum IdentityAuthMethod {
+    UNIVERSAL_AUTH = "universal-auth"
+}
+
+export interface IIdentity extends Document {
+    _id: Types.ObjectId;
+    name: string;
+    authMethod?: IdentityAuthMethod;
+}
+
+const identitySchema = new Schema(
+    {
+        name: {
+            type: String,
+            required: true
+        },
+        authMethod: {
+            type: String,
+            enum: IdentityAuthMethod,
+            required: false,
+        },
+        
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const Identity = model<IIdentity>("Identity", identitySchema);
--- a/backend/src/models/identityAccessToken.ts
+++ b/backend/src/models/identityAccessToken.ts
@ -0,0 +1,104 @@
+import { Document, Schema, Types, model } from "mongoose";
+import { IIdentityTrustedIp } from "./identity";
+import { IPType } from "../ee/models/trustedIp";
+
+export interface IIdentityAccessToken extends Document {
+    _id: Types.ObjectId;
+    identity: Types.ObjectId;
+    identityUniversalAuthClientSecret?: Types.ObjectId;
+    accessTokenLastUsedAt?: Date;
+    accessTokenLastRenewedAt?: Date;
+    accessTokenNumUses: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenTrustedIps: Array<IIdentityTrustedIp>;
+    isAccessTokenRevoked: boolean;
+    updatedAt: Date;
+    createdAt: Date;
+}
+
+const identityAccessTokenSchema = new Schema(
+    {
+        identity: {
+            type: Schema.Types.ObjectId,
+            ref: "Identity",
+            required: false
+        },
+        identityUniversalAuthClientSecret: {
+            type: Schema.Types.ObjectId,
+            ref: "IdentityUniversalAuthClientSecret",
+            required: false
+        },
+        accessTokenLastUsedAt: {
+            type: Date,
+            required: false
+        },
+        accessTokenLastRenewedAt: {
+            type: Date,
+            required: false
+        },
+        accessTokenNumUses: {
+            // number of times access token has been used
+            type: Number,
+            default: 0,
+            required: true
+        },
+        accessTokenNumUsesLimit: {
+            // number of times access token can be used for
+            type: Number,
+            default: 0, // default: used as many times as needed
+            required: true
+        },
+        accessTokenTTL: { // seconds
+            // incremental lifetime
+            type: Number,
+            default: 7200,
+            required: true
+        },
+        accessTokenMaxTTL: { // seconds
+            // max lifetime
+            type: Number,
+            default: 7200,
+            required: true
+        },
+        accessTokenTrustedIps: {
+            type: [
+                {
+                    ipAddress: {
+                        type: String,
+                        required: true
+                    },
+                    type: {
+                        type: String,
+                        enum: [
+                            IPType.IPV4,
+                            IPType.IPV6
+                        ],
+                        required: true
+                    },
+                    prefix: {
+                        type: Number,
+                        required: false
+                    }
+                }
+            ],
+            default: [{
+                ipAddress: "0.0.0.0",
+                type: IPType.IPV4.toString(),
+                prefix: 0
+            }],
+            required: true
+        },
+        isAccessTokenRevoked: {
+            type: Boolean,
+            default: false,
+            required: true
+        },
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const IdentityAccessToken = model<IIdentityAccessToken>("IdentityAccessToken", identityAccessTokenSchema);
--- a/backend/src/models/identityMembership.ts
+++ b/backend/src/models/identityMembership.ts
@ -0,0 +1,39 @@
+import { Schema, Types, model } from "mongoose";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../variables";
+
+export interface IIdentityMembership {
+  _id: Types.ObjectId;
+  identity: Types.ObjectId;
+  workspace: Types.ObjectId;
+  role: "admin" | "member" | "viewer" | "no-access" | "custom";
+  customRole: Types.ObjectId;
+}
+
+const identityMembershipSchema = new Schema<IIdentityMembership>(
+  {
+    identity: {
+      type: Schema.Types.ObjectId,
+      ref: "Identity"
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+      index: true,
+    },
+    role: {
+      type: String,
+      enum: [ADMIN, MEMBER, VIEWER, CUSTOM, NO_ACCESS],
+      required: true
+    },
+    customRole: {
+      type: Schema.Types.ObjectId,
+      ref: "Role"
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const IdentityMembership = model<IIdentityMembership>("IdentityMembership", identityMembershipSchema);
--- a/backend/src/models/identityMembershipOrg.ts
+++ b/backend/src/models/identityMembershipOrg.ts
@ -0,0 +1,37 @@
+import { Schema, Types, model } from "mongoose";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS} from "../variables";
+
+export interface IIdentityMembershipOrg {
+  _id: Types.ObjectId;
+  identity: Types.ObjectId;
+  organization: Types.ObjectId;
+  role: "admin" | "member" | "no-access" | "custom";
+  customRole: Types.ObjectId;
+}
+
+const identityMembershipOrgSchema = new Schema<IIdentityMembershipOrg>(
+  {
+    identity: {
+      type: Schema.Types.ObjectId,
+      ref: "Identity"
+    },
+    organization: {
+      type: Schema.Types.ObjectId,
+      ref: "Organization"
+    },
+    role: {
+      type: String,
+      enum: [ADMIN, MEMBER, NO_ACCESS, CUSTOM],
+      required: true
+    },
+    customRole: {
+      type: Schema.Types.ObjectId,
+      ref: "Role"
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const IdentityMembershipOrg = model<IIdentityMembershipOrg>("IdentityMembershipOrg", identityMembershipOrgSchema);
--- a/backend/src/models/identityUniversalAuth.ts
+++ b/backend/src/models/identityUniversalAuth.ts
@ -0,0 +1,107 @@
+import { Document, Schema, Types, model } from "mongoose";
+import { IPType } from "../ee/models";
+import { IIdentityTrustedIp } from "./identity";
+
+export interface IIdentityUniversalAuth extends Document {
+    _id: Types.ObjectId;
+    identity: Types.ObjectId;
+    clientId: string;
+    clientSecretTrustedIps: Array<IIdentityTrustedIp>;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<IIdentityTrustedIp>;
+}
+
+const identityUniversalAuthSchema = new Schema(
+    {
+        identity: {
+            type: Schema.Types.ObjectId,
+            ref: "Identity",
+            required: true
+        },
+        clientId: {
+            type: String,
+            required: true
+        },
+        clientSecretTrustedIps: {
+            type: [
+                {
+                    ipAddress: {
+                        type: String,
+                        required: true
+                    },
+                    type: {
+                        type: String,
+                        enum: [
+                            IPType.IPV4,
+                            IPType.IPV6
+                        ],
+                        required: true
+                    },
+                    prefix: {
+                        type: Number,
+                        required: false
+                    }
+                }
+            ],
+            default: [{
+                ipAddress: "0.0.0.0",
+                type: IPType.IPV4.toString(),
+                prefix: 0
+            }],
+            required: true
+        },
+        accessTokenTTL: { // seconds
+            // incremental lifetime
+            type: Number,
+            default: 7200,
+            required: true
+        },
+        accessTokenMaxTTL: { // seconds
+            // max lifetime
+            type: Number,
+            default: 7200,
+            required: true
+        },
+        accessTokenNumUsesLimit: {
+            // number of times access token can be used for
+            type: Number,
+            default: 0, // default: used as many times as needed
+            required: true
+        },
+        accessTokenTrustedIps: {
+            type: [
+                {
+                    ipAddress: {
+                        type: String,
+                        required: true
+                    },
+                    type: {
+                        type: String,
+                        enum: [
+                            IPType.IPV4,
+                            IPType.IPV6
+                        ],
+                        required: true
+                    },
+                    prefix: {
+                        type: Number,
+                        required: false
+                    }
+                }
+            ],
+            default: [{
+                ipAddress: "0.0.0.0",
+                type: IPType.IPV4.toString(),
+                prefix: 0
+            }],
+            required: true
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const IdentityUniversalAuth = model<IIdentityUniversalAuth>("IdentityUniversalAuth", identityUniversalAuthSchema);
--- a/backend/src/models/identityUniversalAuthClientSecret.ts
+++ b/backend/src/models/identityUniversalAuthClientSecret.ts
@ -0,0 +1,81 @@
+import { Document, Schema, Types, model } from "mongoose";
+
+export interface IIdentityUniversalAuthClientSecret extends Document {
+    _id: Types.ObjectId;
+    identity: Types.ObjectId;
+    identityUniversalAuth : Types.ObjectId;
+    description: string;
+    clientSecretPrefix: string;
+    clientSecretHash: string;
+    clientSecretLastUsedAt?: Date;
+    clientSecretNumUses: number;
+    clientSecretNumUsesLimit: number;
+    clientSecretTTL: number;
+    updatedAt: Date;
+    createdAt: Date;
+    isClientSecretRevoked: boolean;
+}
+
+const identityUniversalAuthClientSecretSchema = new Schema(
+    {
+        identity: {
+            type: Schema.Types.ObjectId,
+            ref: "Identity",
+            required: true
+        },
+        identityUniversalAuth: {
+            type: Schema.Types.ObjectId,
+            ref: "IdentityUniversalAuth",
+            required: true
+        },
+        description: {
+            type: String,
+            required: true
+        },
+        clientSecretPrefix: {
+            type: String,
+            required: true
+        },
+        clientSecretHash: {
+            type: String,
+            required: true
+        },
+        clientSecretLastUsedAt: {
+            type: Date,
+            required: false
+        },
+        clientSecretNumUses: {
+            // number of times client secret has been used
+            // in login operation
+            type: Number,
+            default: 0,
+            required: true
+        },
+        clientSecretNumUsesLimit: {
+            // number of times client secret can be used for
+            // a login operation
+            type: Number,
+            default: 0, // default: used as many times as needed
+            required: true
+        },
+        clientSecretTTL: {
+            type: Number,
+            default: 0, // default: does not expire
+            required: true
+        },
+        isClientSecretRevoked: {
+            type: Boolean,
+            default: false,
+            required: true
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+identityUniversalAuthClientSecretSchema.index(
+    { identityUniversalAuth: 1, isClientSecretRevoked: 1 }
+);
+
+export const IdentityUniversalAuthClientSecret = model<IIdentityUniversalAuthClientSecret>("IdentityUniversalAuthClientSecret", identityUniversalAuthClientSecretSchema);
--- a/backend/src/models/index.ts
+++ b/backend/src/models/index.ts
@ -20,8 +20,15 @@ export * from "./user";
 export * from "./userAction";
 export * from "./workspace";
 export * from "./serviceTokenData"; // TODO: deprecate
-export * from "./serviceTokenDataV3";
-export * from "./serviceTokenDataV3Key";
+
+// new
+export * from "./identity";
+export * from "./identityMembership";
+export * from "./identityMembershipOrg";
+export * from "./identityUniversalAuth";
+export * from "./identityUniversalAuthClientSecret";
+export * from "./identityAccessToken";
+
 export * from "./apiKeyData"; // TODO: deprecate
 export * from "./apiKeyDataV2";
 export * from "./loginSRPDetail";
--- a/backend/src/models/membership.ts
+++ b/backend/src/models/membership.ts
@ -1,5 +1,5 @@
 import { Schema, Types, model } from "mongoose";
-import { ADMIN, CUSTOM, MEMBER, VIEWER } from "../variables";
+import { ADMIN, CUSTOM, MEMBER, NO_ACCESS, VIEWER } from "../variables";

 export interface IMembershipPermission {
  environmentSlug: string;
@ -11,7 +11,7 @@ export interface IMembership {
  user: Types.ObjectId;
  inviteEmail?: string;
  workspace: Types.ObjectId;
-  role: "admin" | "member" | "viewer" | "custom";
+  role: "admin" | "member" | "viewer" | "no-access" | "custom";
  customRole: Types.ObjectId;
  deniedPermissions: IMembershipPermission[];
 }
@ -44,7 +44,7 @@ const membershipSchema = new Schema<IMembership>(
    },
    role: {
      type: String,
-      enum: [ADMIN, MEMBER, VIEWER, CUSTOM],
+      enum: [ADMIN, MEMBER, VIEWER, NO_ACCESS, CUSTOM],
      required: true
    },
    customRole: {
--- a/backend/src/models/membershipOrg.ts
+++ b/backend/src/models/membershipOrg.ts
@ -1,12 +1,12 @@
 import { Document, Schema, Types, model } from "mongoose";
-import { ACCEPTED, ADMIN, CUSTOM, INVITED, MEMBER } from "../variables";
+import { ACCEPTED, ADMIN, CUSTOM, INVITED, MEMBER, NO_ACCESS } from "../variables";

 export interface IMembershipOrg extends Document {
  _id: Types.ObjectId;
  user: Types.ObjectId;
  inviteEmail: string;
  organization: Types.ObjectId;
-  role: "owner" | "admin" | "member" | "custom";
+  role: "admin" | "member" | "no-access" | "custom";
  customRole: Types.ObjectId;
  status: "invited" | "accepted";
 }
@ -26,7 +26,7 @@ const membershipOrgSchema = new Schema(
    },
    role: {
      type: String,
-      enum: [ADMIN, MEMBER, CUSTOM],
+      enum: [ADMIN, MEMBER, NO_ACCESS, CUSTOM],
      required: true
    },
    status: {
--- a/backend/src/models/serviceTokenDataV3.ts
+++ b/backend/src/models/serviceTokenDataV3.ts
@ -1,137 +0,0 @@
-import { Document, Schema, Types, model } from "mongoose";
-import { IPType } from "../ee/models";
-import { ADMIN, CUSTOM, MEMBER, VIEWER } from "../variables";
-
-export interface IServiceTokenV3TrustedIp {
-    ipAddress: string;
-    type: IPType;
-    prefix: number;
-}
-
-export interface IServiceTokenDataV3 extends Document {
-    _id: Types.ObjectId;
-    name: string;
-    workspace: Types.ObjectId;
-    user: Types.ObjectId;
-    publicKey: string;
-    isActive: boolean;
-    refreshTokenLastUsed?: Date;
-    accessTokenLastUsed?: Date;
-    refreshTokenUsageCount: number;
-    accessTokenUsageCount: number;
-    tokenVersion: number;
-    isRefreshTokenRotationEnabled: boolean;
-    expiresAt?: Date;
-    accessTokenTTL: number;
-    role: "admin" | "member" | "viewer" | "custom";
-    customRole: Types.ObjectId;
-    trustedIps: Array<IServiceTokenV3TrustedIp>;
-}
-
-const serviceTokenDataV3Schema = new Schema(
-    {
-        name: {
-            type: String,
-            required: true
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: "Workspace",
-            required: true
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-            required: true
-        },
-        publicKey: {
-            type: String,
-            required: true
-        },
-        isActive: {
-            type: Boolean,
-            default: true,
-            required: true
-        },
-        refreshTokenLastUsed: {
-            type: Date,
-            required: false
-        },
-        accessTokenLastUsed: {
-            type: Date,
-            required: false
-        },
-        refreshTokenUsageCount: {
-            type: Number,
-            default: 0,
-            required: true
-        },
-        accessTokenUsageCount: {
-            type: Number,
-            default: 0,
-            required: true
-        },
-        tokenVersion: {
-            type: Number,
-            default: 1,
-            required: true
-        },
-        isRefreshTokenRotationEnabled: {
-            type: Boolean,
-            default: false,
-            required: true
-        },
-        expiresAt: { // consider revising field name
-            type: Date,
-            required: false,
-            // expires: 0
-        },
-        accessTokenTTL: { // seconds
-            type: Number,
-            default: 7200,
-            required: true
-        },
-        role: {
-            type: String,
-            enum: [ADMIN, MEMBER, VIEWER, CUSTOM],
-            required: true
-        },
-        customRole: {
-            type: Schema.Types.ObjectId,
-            ref: "Role"
-        },
-        trustedIps: {
-            type: [
-                {
-                    ipAddress: {
-                        type: String,
-                        required: true
-                    },
-                    type: {
-                        type: String,
-                        enum: [
-                            IPType.IPV4,
-                            IPType.IPV6
-                        ],
-                        required: true
-                    },
-                    prefix: {
-                        type: Number,
-                        required: false
-                    }
-                }
-            ],
-            default: [{
-                ipAddress: "0.0.0.0",
-                type: IPType.IPV4.toString(),
-                prefix: 0
-            }],
-            required: true
-        }
-    },
-    {
-        timestamps: true
-    }
-);
-
-export const ServiceTokenDataV3 = model<IServiceTokenDataV3>("ServiceTokenDataV3", serviceTokenDataV3Schema);
--- a/backend/src/models/serviceTokenDataV3Key.ts
+++ b/backend/src/models/serviceTokenDataV3Key.ts
@ -1,43 +0,0 @@
-import { Document, Schema, Types, model } from "mongoose";
-
-export interface IServiceTokenDataV3Key extends Document {
-	_id: Types.ObjectId;
-	encryptedKey: string;
-	nonce: string;
-    sender: Types.ObjectId;
-    serviceTokenData: Types.ObjectId;
-	workspace: Types.ObjectId;
-}
-
-const serviceTokenDataV3KeySchema = new Schema(
-    {
-        encryptedKey: {
-            type: String,
-            required: true
-        },
-        nonce: {
-            type: String,
-            required: true
-        },
-        sender: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-            required: true
-        },
-        serviceTokenData: {
-			type: Schema.Types.ObjectId,
-			ref: "ServiceTokenDataV3",
-			required: true,
-        },
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: "Workspace",
-			required: true,
-		}
-    },
-    {
-        timestamps: true
-    }
-);
-
-export const ServiceTokenDataV3Key = model<IServiceTokenDataV3Key>("ServiceTokenDataV3Key", serviceTokenDataV3KeySchema);
--- a/backend/src/routes/v1/index.ts
+++ b/backend/src/routes/v1/index.ts
@ -1,6 +1,7 @@
 import signup from "./signup";
 import bot from "./bot";
 import auth from "./auth";
+import universalAuth from "./universalAuth";
 import user from "./user";
 import userAction from "./userAction";
 import organization from "./organization";
@ -23,6 +24,7 @@ import admin from "./admin";
 export {
  signup,
  auth,
+  universalAuth,
  bot,
  user,
  userAction,
--- a/backend/src/routes/v1/universalAuth.ts
+++ b/backend/src/routes/v1/universalAuth.ts
@ -0,0 +1,66 @@
+
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../middleware";
+import { universalAuthController } from "../../controllers/v1";
+import { AuthMode } from "../../variables";
+
+router.post(
+    "/token/renew", 
+    universalAuthController.renewAccessToken
+);
+
+router.post(
+    "/universal-auth/login",
+    universalAuthController.loginIdentityUniversalAuth
+);
+
+router.post(
+    "/universal-auth/identities/:identityId",
+    requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+    }),
+    universalAuthController.addIdentityUniversalAuth
+);
+
+router.patch(
+    "/universal-auth/identities/:identityId",
+    requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+    }),
+    universalAuthController.updateIdentityUniversalAuth
+);
+
+router.get(
+    "/universal-auth/identities/:identityId",
+    requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+    }),
+    universalAuthController.getIdentityUniversalAuth
+);
+
+router.post(
+    "/universal-auth/identities/:identityId/client-secrets",
+    requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+    }),
+    universalAuthController.createUniversalAuthClientSecret
+);
+
+router.get(
+    "/universal-auth/identities/:identityId/client-secrets",
+    requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+    }),
+    universalAuthController.getUniversalAuthClientSecrets
+);
+
+router.post(
+    "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
+    requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+    }),
+    universalAuthController.revokeUniversalAuthClientSecret
+);
+
+export default router;
--- a/backend/src/routes/v2/auth.ts
+++ b/backend/src/routes/v2/auth.ts
@ -26,7 +26,7 @@ router.post(
 );

 //remove above ones after depreciation
-router.post("/mfa/send", authLimiter, authController.sendMfaToken);
+router.post("/mfa/send", authLimiter, requireMfaAuth, authController.sendMfaToken);

 router.post("/mfa/verify", authLimiter, requireMfaAuth, authController.verifyMfaToken);

--- a/backend/src/routes/v2/organizations.ts
+++ b/backend/src/routes/v2/organizations.ts
@ -54,4 +54,12 @@ router.delete(
  organizationsController.deleteOrganizationById
 );

+router.get(
+  "/:organizationId/identity-memberships",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  organizationsController.getOrganizationIdentityMemberships
+);
+
 export default router;
--- a/backend/src/routes/v2/serviceTokenData.ts
+++ b/backend/src/routes/v2/serviceTokenData.ts
@ -6,7 +6,7 @@ import {
 import { AuthMode } from "../../variables";
 import { serviceTokenDataController } from "../../controllers/v2";

-router.get( // TODO: deprecate (moving to ST V3)
+router.get( // TODO: deprecate (moving to identity)
  "/",
  requireAuth({
    acceptedAuthModes: [AuthMode.SERVICE_TOKEN]
@ -14,7 +14,7 @@ router.get( // TODO: deprecate (moving to ST V3)
  serviceTokenDataController.getServiceTokenData
 );

-router.post( // TODO: deprecate (moving to ST V3)
+router.post( // TODO: deprecate (moving to identity)
  "/",
  requireAuth({
    acceptedAuthModes: [AuthMode.JWT]
@ -22,7 +22,7 @@ router.post( // TODO: deprecate (moving to ST V3)
  serviceTokenDataController.createServiceTokenData
 );

-router.delete( // TODO: deprecate (moving to ST V3)
+router.delete( // TODO: deprecate (moving to identity)
  "/:serviceTokenDataId",
  requireAuth({
    acceptedAuthModes: [AuthMode.JWT]
--- a/backend/src/routes/v2/workspace.ts
+++ b/backend/src/routes/v2/workspace.ts
@ -93,4 +93,37 @@ router.patch(
  workspaceController.toggleAutoCapitalization
 );

+router.post(
+  "/:workspaceId/identity-memberships/:identityId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+  }),
+  workspaceController.addIdentityToWorkspace
+);
+
+router.patch(
+  "/:workspaceId/identity-memberships/:identityId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+  }),
+  workspaceController.updateIdentityWorkspaceRole
+);
+
+router.delete(
+  "/:workspaceId/identity-memberships/:identityId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+  }),
+  workspaceController.deleteIdentityFromWorkspace
+);
+
+router.get(
+  "/:workspaceId/identity-memberships",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  workspaceController.getWorkspaceIdentityMemberships
+);
+
+
 export default router;
--- a/backend/src/routes/v3/secrets.ts
+++ b/backend/src/routes/v3/secrets.ts
@ -7,7 +7,7 @@ import { AuthMode } from "../../variables";
 router.get(
  "/raw",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  secretsController.getSecretsRaw
 );
@ -15,7 +15,7 @@ router.get(
 router.get(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "query"
@ -29,7 +29,7 @@ router.get(
 router.post(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -43,7 +43,7 @@ router.post(
 router.patch(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -57,7 +57,7 @@ router.patch(
 router.delete(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -71,7 +71,7 @@ router.delete(
 router.get(
  "/",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "query"
@ -116,7 +116,7 @@ router.delete(
 router.post(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -127,7 +127,7 @@ router.post(
 router.get(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "query"
@ -138,7 +138,7 @@ router.get(
 router.patch(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -149,7 +149,7 @@ router.patch(
 router.delete(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
--- a/backend/src/routes/v3/workspaces.ts
+++ b/backend/src/routes/v3/workspaces.ts
@ -34,12 +34,4 @@ router.post(

 // --

-router.get(
-  "/:workspaceId/service-token",
-  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
-  }),
-  workspacesController.getWorkspaceServiceTokenData
-);
-
 export default router;
--- a/backend/src/utils/authn/authModeValidators/identity.ts
+++ b/backend/src/utils/authn/authModeValidators/identity.ts
@ -0,0 +1,104 @@
+import jwt from "jsonwebtoken";
+import { IIdentity, IdentityAccessToken } from "../../../models";
+import { getAuthSecret } from "../../../config";
+import { AuthTokenType } from "../../../variables";
+import { UnauthorizedRequestError } from "../../errors";
+import { checkIPAgainstBlocklist } from "../../../utils/ip";
+
+interface ValidateIdentityParams {
+    authTokenValue: string;
+	ipAddress: string;
+}
+
+export const validateIdentity = async ({
+    authTokenValue,
+	ipAddress
+}: ValidateIdentityParams) => {
+    const decodedToken = <jwt.IdentityAccessTokenJwtPayload>(
+		jwt.verify(authTokenValue, await getAuthSecret())
+	);
+
+	if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) throw UnauthorizedRequestError();
+	
+	const identityAccessToken = await IdentityAccessToken
+		.findOne({
+			_id: decodedToken.identityAccessTokenId,
+			isAccessTokenRevoked: false
+		})
+		.populate<{ identity: IIdentity }>("identity");
+	
+	if (!identityAccessToken || !identityAccessToken?.identity) throw UnauthorizedRequestError();
+	
+	const {
+		accessTokenNumUsesLimit,
+		accessTokenNumUses,
+		accessTokenTTL,
+		accessTokenLastRenewedAt,
+		accessTokenMaxTTL,
+		createdAt: accessTokenCreatedAt
+	} = identityAccessToken;
+
+	checkIPAgainstBlocklist({
+		ipAddress,
+		trustedIps: identityAccessToken.accessTokenTrustedIps
+	});
+	
+	// ttl check
+	if (accessTokenTTL > 0) {
+		const currentDate = new Date();
+		if (accessTokenLastRenewedAt) {
+			// access token has been renewed
+			const accessTokenRenewed = new Date(accessTokenLastRenewedAt);
+			const ttlInMilliseconds = accessTokenTTL * 1000;
+			const expirationDate = new Date(accessTokenRenewed.getTime() + ttlInMilliseconds);
+			
+			if (currentDate > expirationDate) throw UnauthorizedRequestError({
+				message: "Failed to authenticate identity access token due to TTL expiration"
+			});
+		} else {
+			// access token has never been renewed
+			const accessTokenCreated = new Date(accessTokenCreatedAt);
+			const ttlInMilliseconds = accessTokenTTL * 1000;
+			const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
+			
+			if (currentDate > expirationDate) throw UnauthorizedRequestError({
+				message: "Failed to authenticate identity access token due to TTL expiration"
+			});
+		}
+	}
+	
+	// max ttl check
+    if (accessTokenMaxTTL > 0) {
+        const accessTokenCreated = new Date(accessTokenCreatedAt);
+        const ttlInMilliseconds = accessTokenMaxTTL * 1000;
+        const currentDate = new Date();
+        const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
+
+        if (currentDate > expirationDate) throw UnauthorizedRequestError({
+			message: "Failed to authenticate identity access token due to Max TTL expiration"
+		});
+    }
+
+	// num uses check
+	if (
+		accessTokenNumUsesLimit > 0
+		&& accessTokenNumUses === accessTokenNumUsesLimit
+	) {
+		throw UnauthorizedRequestError({
+			message: "Failed to authenticate MI access token due to access token number of uses limit reached"
+		});
+	}
+	
+	await IdentityAccessToken.findByIdAndUpdate(
+		identityAccessToken._id,
+		{
+			accessTokenLastUsedAt: new Date(),
+			$inc: { accessTokenNumUses: 1 }
+		},
+		{
+			new: true
+		}
+	);
+
+    return identityAccessToken.identity;
+}
--- a/backend/src/utils/authn/authModeValidators/index.ts
+++ b/backend/src/utils/authn/authModeValidators/index.ts
@ -2,4 +2,4 @@ export * from "./apiKey";
 export * from "./apiKeyV2";
 export * from "./jwt";
 export * from "./serviceTokenV2";
-export * from "./serviceTokenV3";
+export * from "./identity";
--- a/backend/src/utils/authn/authModeValidators/serviceTokenV3.ts
+++ b/backend/src/utils/authn/authModeValidators/serviceTokenV3.ts
@ -1,64 +0,0 @@
-import jwt from "jsonwebtoken";
-import { Types } from "mongoose";
-import { ServiceTokenDataV3 } from "../../../models";
-import { getAuthSecret } from "../../../config";
-import { AuthTokenType } from "../../../variables";
-import { UnauthorizedRequestError } from "../../errors";
-
-interface ValidateServiceTokenV3Params {
-    authTokenValue: string;
-}
-
-export const validateServiceTokenV3 = async ({
-    authTokenValue
-}: ValidateServiceTokenV3Params) => {
-    const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
-		jwt.verify(authTokenValue, await getAuthSecret())
-	);
-
-	if (decodedToken.authTokenType !== AuthTokenType.SERVICE_ACCESS_TOKEN) throw UnauthorizedRequestError();
-	
-	const serviceTokenData = await ServiceTokenDataV3.findOne({
-		_id: new Types.ObjectId(decodedToken.serviceTokenDataId),
-		isActive: true
-	});
-	
-	if (!serviceTokenData) {
-		throw UnauthorizedRequestError({ 
-			message: "Failed to authenticate"
-		});
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenDataV3.findByIdAndUpdate(
-			serviceTokenData._id,
-			{
-				isActive: false
-			},
-			{
-				new: true
-			}
-		);
-		
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate",
-		});
-	} else if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
-		// TODO: raise alarm
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate",
-		});
-	}
-	
-	await ServiceTokenDataV3.findByIdAndUpdate(
-		serviceTokenData._id,
-		{
-			accessTokenLastUsed: new Date(),
-			$inc: { accessTokenUsageCount: 1 }
-		},
-		{
-			new: true
-		}
-	);
-
-    return serviceTokenData;
-}
--- a/backend/src/utils/authn/helpers/authDataExtractors.ts
+++ b/backend/src/utils/authn/helpers/authDataExtractors.ts
@ -1,7 +1,7 @@
 import { AuthData } from "../../../interfaces/middleware";
 import {
+  Identity,
  ServiceTokenData,
-  ServiceTokenDataV3,
  User
 } from "../../../models";

@ -19,7 +19,7 @@ import {
        return { serviceTokenDataId: authData.authPayload._id };
    }
  
-    if (authData.authPayload instanceof ServiceTokenDataV3) {
+    if (authData.authPayload instanceof Identity) {
        return { serviceTokenDataId: authData.authPayload._id };
    }
 };
@ -38,7 +38,7 @@ export const getAuthDataPayloadUserObj = (authData: AuthData) => {
        return { user: authData.authPayload.user };
    }

-    if (authData.authPayload instanceof ServiceTokenDataV3) {
-        return { user: authData.authPayload.user };
+    if (authData.authPayload instanceof Identity) {
+        return {};
    }
 }
--- a/backend/src/utils/authn/helpers/index.ts
+++ b/backend/src/utils/authn/helpers/index.ts
@ -7,9 +7,9 @@ import { UnauthorizedRequestError } from "../../errors";
 import {
  validateAPIKey,
  validateAPIKeyV2,
+  validateIdentity,
  validateJWT,
-  validateServiceTokenV2,
-  validateServiceTokenV3
+  validateServiceTokenV2
 } from "../authModeValidators";
 import { getUserAgentType } from "../../posthog";

@ -36,7 +36,7 @@ interface GetAuthDataParams {
 * - SERVICE_TOKEN
 * - API_KEY
 * - JWT
- * - SERVICE_ACCESS_TOKEN (from ST V3)
+ * - IDENTITY_ACCESS_TOKEN (from identity)
 * - API_KEY_V2
 * @param {Object} params
 * @param {Object.<string, (string|string[]|undefined)>} params.headers - The HTTP request headers, usually from Express's `req.headers`.
@ -77,8 +77,8 @@ export const extractAuthMode = async ({
            return { authMode: AuthMode.JWT, authTokenValue };
        case AuthTokenType.API_KEY:
            return { authMode: AuthMode.API_KEY_V2, authTokenValue };
-        case AuthTokenType.SERVICE_ACCESS_TOKEN:
-            return { authMode: AuthMode.SERVICE_ACCESS_TOKEN, authTokenValue };
+        case AuthTokenType.IDENTITY_ACCESS_TOKEN:
+            return { authMode: AuthMode.IDENTITY_ACCESS_TOKEN, authTokenValue };
        default:
            throw UnauthorizedRequestError({
                message: "Failed to authenticate unknown authentication method"
@ -115,20 +115,21 @@ export const getAuthData = async ({
                userAgentType
            }
        }
-        case AuthMode.SERVICE_ACCESS_TOKEN: {
-            const serviceTokenData = await validateServiceTokenV3({
-                authTokenValue
+        case AuthMode.IDENTITY_ACCESS_TOKEN: {
+            const identity = await validateIdentity({
+                authTokenValue,
+                ipAddress
            });

            return {
                actor: {
-                    type: ActorType.SERVICE_V3,
+                    type: ActorType.IDENTITY,
                    metadata: {
-                        serviceId: serviceTokenData._id.toString(),
-                        name: serviceTokenData.name
+                        identityId: identity._id.toString(),
+                        name: identity.name
                    }
                },
-                authPayload: serviceTokenData,
+                authPayload: identity,
                ipAddress,
                userAgent,
                userAgentType
--- a/backend/src/utils/requestError.ts
+++ b/backend/src/utils/requestError.ts
@ -53,9 +53,10 @@ export default class RequestError extends Error {
        ){
        
        super(message)
-        this._logLevel = logLevel || LogLevel.INFO
+        this._logLevel = logLevel || LogLevel.INFO;
        this._logName = LogLevel[this._logLevel];
-        this.statusCode = statusCode
+        this.statusCode = statusCode;
+        this.message = message;
        this.type = type
        this.context = context || {}
        this.extra = []
--- a/backend/src/validation/auth.ts
+++ b/backend/src/validation/auth.ts
@ -84,15 +84,101 @@ export const ResetPasswordV1 = z.object({
  })
 });

-export const SendMfaTokenV2 = z.object({
+export const RenewAccessTokenV1 = z.object({
  body: z.object({
-    email: z.string().email().trim()
+    accessToken: z.string().trim(),
+  })
+});
+
+export const LoginUniversalAuthV1 = z.object({
+  body: z.object({
+    clientId: z.string().trim(),
+    clientSecret: z.string().trim()
+  })
+});
+
+export const AddUniversalAuthToIdentityV1 = z.object({
+  params: z.object({
+    identityId: z.string().trim()
+  }),
+  body: z.object({
+    clientSecretTrustedIps: z
+      .object({
+        ipAddress: z.string().trim(),
+      })
+      .array()
+      .min(1)
+      .default([{ ipAddress: "0.0.0.0/0" }]),
+    accessTokenTrustedIps: z
+      .object({
+        ipAddress: z.string().trim(),
+      })
+      .array()
+      .min(1)
+      .default([{ ipAddress: "0.0.0.0/0" }]),
+    accessTokenTTL: z.number().int().min(0).default(7200),
+    accessTokenMaxTTL: z.number().int().min(0).default(0),
+    accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+  })
+});
+
+export const UpdateUniversalAuthToIdentityV1 = z.object({
+  params: z.object({
+    identityId: z.string()
+  }),
+  body: z.object({
+    clientSecretTrustedIps: z
+      .object({
+        ipAddress: z.string().trim()
+      })
+      .array()
+      .min(1)
+      .optional(),
+    accessTokenTrustedIps: z
+      .object({
+        ipAddress: z.string().trim(),
+      })
+      .array()
+      .min(1)
+      .optional(),
+    accessTokenTTL: z.number().int().min(0).optional(),
+    accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+    accessTokenMaxTTL: z.number().int().min(0).default(0),
+  }),
+});
+
+export const GetUniversalAuthForIdentityV1 = z.object({
+  params: z.object({
+    identityId: z.string().trim()
+  })
+});
+
+export const CreateUniversalAuthClientSecretV1 = z.object({
+  params: z.object({
+    identityId: z.string()
+  }),
+  body: z.object({
+    description: z.string().trim().default(""),
+    numUsesLimit: z.number().min(0).default(0),
+    ttl: z.number().min(0).default(0),
+  }),
+});
+
+export const GetUniversalAuthClientSecretsV1 = z.object({
+  params: z.object({
+    identityId: z.string()
+  })
+});
+
+export const RevokeUniversalAuthClientSecretV1 = z.object({
+  params: z.object({
+    identityId: z.string(),
+    clientSecretId: z.string()
  })
 });

 export const VerifyMfaTokenV2 = z.object({
  body: z.object({
-    email: z.string().email().trim(),
    mfaToken: z.string().trim()
  })
 });
--- a/backend/src/validation/identities.ts
+++ b/backend/src/validation/identities.ts
@ -0,0 +1,26 @@
+import { z } from "zod";
+import { NO_ACCESS } from "../variables";
+
+export const CreateIdentityV1 = z.object({
+  body: z.object({
+    name: z.string().trim(),
+    organizationId: z.string().trim(),
+    role: z.string().trim().min(1).default(NO_ACCESS)
+  })
+});
+
+export const UpdateIdentityV1 = z.object({
+  params: z.object({
+    identityId: z.string()
+  }),
+  body: z.object({
+    name: z.string().trim().optional(),
+    role: z.string().trim().min(1).optional()
+  }),
+});
+
+export const DeleteIdentityV1 = z.object({
+  params: z.object({
+    identityId: z.string()
+  }),
+});
--- a/backend/src/validation/index.ts
+++ b/backend/src/validation/index.ts
@ -8,5 +8,5 @@ export * from "./membershipOrg";
 export * from "./organization";
 export * from "./secrets";
 export * from "./serviceTokenData";
-export * from "./serviceTokenDataV3";
+export * from "./identities";
 export * from "./apiKeyDataV3";
--- a/backend/src/validation/integrationAuth.ts
+++ b/backend/src/validation/integrationAuth.ts
@ -58,9 +58,9 @@ const validateClientForIntegrationAuth = async ({
      throw UnauthorizedRequestError({
        message: "Failed service token authorization for integration authorization"
      });
-    case ActorType.SERVICE_V3:
+    case ActorType.IDENTITY:
      throw UnauthorizedRequestError({
-        message: "Failed service token authorization for integration authorization"
+        message: "Failed identity authorization for integration authorization"
      });
  }
 };
--- a/backend/src/validation/organization.ts
+++ b/backend/src/validation/organization.ts
@ -46,9 +46,9 @@ export const validateClientForOrganization = async ({
      throw UnauthorizedRequestError({
        message: "Failed service token authorization for organization"
      });
-    case ActorType.SERVICE_V3:
+    case ActorType.IDENTITY:
      throw UnauthorizedRequestError({
-        message: "Failed service token authorization for organization"
+        message: "Failed identity authorization for organization"
      });
  }
 };
@ -212,4 +212,12 @@ export const CreateOrgv2 = z.object({

 export const DeleteOrgv2 = z.object({
  params: z.object({ organizationId: z.string().trim() })
+});
+
+export const GetOrgServiceMembersV2 = z.object({
+  params: z.object({ organizationId: z.string().trim() })
+});
+
+export const GetOrgIdentityMembershipsV2 = z.object({
+  params: z.object({ organizationId: z.string().trim() })
 });
--- a/backend/src/validation/serviceTokenDataV3.ts
+++ b/backend/src/validation/serviceTokenDataV3.ts
@ -1,56 +0,0 @@
-import { z } from "zod";
-import { MEMBER } from "../variables";
-
-export const RefreshTokenV3 = z.object({
-  body: z.object({
-    refresh_token: z.string().trim()
-  })
-});
-
-export const CreateServiceTokenV3 = z.object({
-  body: z.object({
-    name: z.string().trim(),
-    workspaceId: z.string().trim(),
-    publicKey: z.string().trim(),
-    role: z.string().trim().min(1).default(MEMBER),
-    trustedIps: z // TODO: provide default
-      .object({
-        ipAddress: z.string().trim(),
-      })
-      .array()
-      .min(1)
-      .default([{ ipAddress: "0.0.0.0/0" }]),
-    expiresIn: z.number().optional(),
-    accessTokenTTL: z.number().int().min(1),
-    encryptedKey: z.string().trim(),
-    nonce: z.string().trim(),
-    isRefreshTokenRotationEnabled: z.boolean().default(false)
-  })
-});
-  
-export const UpdateServiceTokenV3 = z.object({
-  params: z.object({
-    serviceTokenDataId: z.string()
-  }),
-  body: z.object({
-    name: z.string().trim().optional(),
-    isActive: z.boolean().optional(),
-    role: z.string().trim().min(1).optional(),
-    trustedIps: z
-      .object({
-        ipAddress: z.string().trim()
-      })
-      .array()
-      .min(1)
-      .optional(),
-    expiresIn: z.number().optional(),
-    accessTokenTTL: z.number().int().min(1).optional(),
-    isRefreshTokenRotationEnabled: z.boolean().optional()
-  }),
-});
-
-export const DeleteServiceTokenV3 = z.object({
-  params: z.object({
-    serviceTokenDataId: z.string()
-  }),
-});
--- a/backend/src/validation/workspace.ts
+++ b/backend/src/validation/workspace.ts
@ -8,6 +8,7 @@ import { AuthData } from "../interfaces/middleware";
 import { z } from "zod";
 import { EventType, UserAgentType } from "../ee/models";
 import { UnauthorizedRequestError } from "../utils/errors";
+import { NO_ACCESS } from "../variables";

 /**
 * Validate authenticated clients for workspace with id [workspaceId] based
@ -59,9 +60,9 @@ export const validateClientForWorkspace = async ({
        requiredPermissions
      });
      return { membership, workspace };
-    case ActorType.SERVICE_V3:
+    case ActorType.IDENTITY:
      throw UnauthorizedRequestError({
-        message: "Failed service token authorization for organization"
+        message: "Failed identity authorization for organization"
      });
  }
 };
@ -279,6 +280,39 @@ export const ToggleAutoCapitalizationV2 = z.object({
  })
 });

+export const AddIdentityToWorkspaceV2 = z.object({
+  params: z.object({
+    workspaceId: z.string().trim(),
+    identityId: z.string().trim()
+  }),
+  body: z.object({
+    role: z.string().trim().min(1).default(NO_ACCESS),
+  })
+});
+
+export const UpdateIdentityWorkspaceRoleV2 = z.object({
+  params: z.object({
+    workspaceId: z.string().trim(),
+    identityId: z.string().trim()
+  }),
+  body: z.object({
+    role: z.string().trim().min(1).default(NO_ACCESS),
+  })
+});
+
+export const DeleteIdentityFromWorkspaceV2 = z.object({
+  params: z.object({
+    workspaceId: z.string().trim(),
+    identityId: z.string().trim()
+  })
+});
+
+export const GetWorkspaceIdentityMembersV2 = z.object({
+  params: z.object({
+    workspaceId: z.string().trim()
+  }),
+});
+
 export const GetWorkspaceBlinkIndexStatusV3 = z.object({
  params: z.object({
    workspaceId: z.string().trim()
@ -304,9 +338,3 @@ export const NameWorkspaceSecretsV3 = z.object({
      .array()
  })
 });
-
-export const GetWorkspaceServiceTokenDataV3 = z.object({
-  params: z.object({
-    workspaceId: z.string().trim()
-  })
-});
--- a/backend/src/variables/authentication.ts
+++ b/backend/src/variables/authentication.ts
@ -7,14 +7,13 @@ export enum AuthTokenType {
    MFA_TOKEN = "mfaToken", // TODO: remove in favor of claim
    PROVIDER_TOKEN = "providerToken", // TODO: remove in favor of claim
    API_KEY = "apiKey",
-    SERVICE_ACCESS_TOKEN = "serviceAccessToken",
-    SERVICE_REFRESH_TOKEN = "serviceRefreshToken"
+    IDENTITY_ACCESS_TOKEN = "identityAccessToken",
 }

 export enum AuthMode {
    JWT = "jwt",
    SERVICE_TOKEN = "serviceToken",
-    SERVICE_ACCESS_TOKEN = "serviceAccessToken",
+    IDENTITY_ACCESS_TOKEN = "identityAccessToken",
    API_KEY = "apiKey",
    API_KEY_V2 = "apiKeyV2"
 }
--- a/backend/src/variables/organization.ts
+++ b/backend/src/variables/organization.ts
@ -3,6 +3,7 @@ export const OWNER = "owner"; // depreciated
 export const ADMIN = "admin";
 export const MEMBER = "member";
 export const VIEWER = "viewer";
+export const NO_ACCESS = "no-access";
 export const CUSTOM = "custom";

 // membership statuses
--- a/docs/documentation/platform/identity.mdx
+++ b/docs/documentation/platform/identity.mdx
@ -0,0 +1,168 @@
+---
+title:  Identity
+description: "Programmatically interact with Infisical"
+---
+
+A (machine) identity is an entity that you can create in Infisical. 
+Each identity represents a workload that wishes to access the Infisical API via an authentication method; this is similar to an IAM user in AWS or service account in GCP.
+
+An identity can be provisioned scoped access to resources at the organization or project-level via [role-based access controls (RBAC)](/documentation/platform/role-based-access-controls). For instance, you may create a identity with scoped access to
+fetch secrets back from the `/` path of the `development` environment in some project.
+
+<Note>
+  The identity feature is in beta.
+  
+  Currently, an identity can only be used to make authenticated requests to the Infisical API and does not work with any clients such as [Node SDK](https://github.com/Infisical/infisical-node)
+  , [Python SDK](https://github.com/Infisical/infisical-python), CLI, K8s operator, Terraform Provider, etc.
+
+  We will be releasing compatibility with it across clients in the coming quarter.
+</Note>
+
+Each identity can be configured an authentication method. The only supported method at the moment is **Universal Auth (UA)**
+which has the following properties:
+
+- In UA, each identity is assigned a **Client ID** for which you can generate one or more **Client Secret(s)**. Together, a **Client ID** and **Client Secret** can be exchanged for an access token (i.e. login operation) to authenticate with the Infisical API.
+- UA supports restrictions on the number of times that the **Client Secret(s)** and access token(s) can be used.
+- UA supports token renewal that is the ability to extend the lifetime of a token by its TTL up to its maximum TTL since its creation.
+- UA supports IP allowlisting; this means you can restrict the usage of **Client Secret(s)** and access token to a specific IP or CIDR range.
+- UA support expiration, so, if specified, the client secret of the identity will automatically be defunct after a period of time.
+- UA tracks most recent usage of their client secrets and access tokens; it also keeps track of each token's usage count.
+
+## Using identities
+
+In the following steps, we explore how to create and use identities for your applications to access the Infisical API.
+
+<Steps>
+  <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![machine identities organization](../../images/platform/machine-identity/machine-identity-org.png)
+    
+    ![machine identities organization create](../../images/platform/machine-identity/machine-identity-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab to permit the identity to access certain resources.
+    
+    Once you've created an identity, you'll be prompted to configure the **Universal Auth** authentication method for it.
+
+    - Access Token TTL (default is `7200`): The incremental lifetime for an acccess token in seconds; a value of `0` implies an infinite incremental lifetime.
+    - Access Token Max TTL (default is `7200`): The maximum lifetime for an acccess token in seconds; a value of `0` implies an infinite maximum lifetime.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Client Secret Trusted IPs: The IPs or CIDR ranges that the **Client Secret** can be used from together with the **Client ID** to get back an access token. By default, **Client Secrets** are given the `0.0.0.0/0` entry representing all possible IPv4 addresses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0` entry representing all possible IPv4 addresses.
+
+    <Warning>
+    Restricting **Client Secret** and access token usage to specific trusted IPs is a paid feature.
+
+    If you’re using Infisical Cloud, then it is available under the Pro Tier. If you’re self-hosting Infisical, then you should contact team@infisical.com to purchase an enterprise license to use it.
+    </Warning>
+
+  </Step>
+  <Step title="Creating a Client Secret">
+    In order to use the identity, you'll need the non-sensitive **Client ID**
+    of the identity and a **Client Secret** for it; you can think of these credentials akin to a username
+    and password used to authenticate with the Infisical API. With that, press on the key icon on the identity to generate a **Client Secret**
+    for it.
+    
+    ![machine identities client secret create](../../images/platform/machine-identity/machine-identity-org-client-secret.png)
+    ![machine identities client secret create](../../images/platform/machine-identity/machine-identity-org-client-secret-create-1.png)
+    ![machine identities client secret create](../../images/platform/machine-identity/machine-identity-org-client-secret-create-2.png)
+    
+    Feel free to input any (optional) details for the **Client Secret** configuration:
+    
+    - Description: A description for the **Client Secret**.
+    - TTL (default is `0`): The time-to-live for the **Client Secret**. By default, the TTL will be set to 0 which implies that the **Client Secret** will never expire; a value of `0` implies an infinite lifetime.
+    - Max Number of Uses (default is `0`): The maximum number of times that the **Client Secret** can be used together with the **Client ID** to get back an access token; a value of `0` implies infinite number of uses.
+  </Step>
+  <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the role you want to assign it.
+
+    ![machine identities project](../../images/platform/machine-identity/machine-identity-project.png)
+    
+    ![machine identities project create](../../images/platform/machine-identity/machine-identity-project-create.png)
+  </Step>
+  <Step title="Accessing the Infisical API with the identity">
+    To access the Infisical API as the identity, you should first perform a login operation
+    that is to exchange the **Client ID** and **Client Secret** of the MI for an access token
+    by making a request to the `/api/v1/auth/universal-auth/login` endpoint.
+    
+    #### Sample request
+
+    ```
+    curl --location --request POST 'https://app.infisical.com/api/v1/auth/universal-auth/login' \
+      --header 'Content-Type: application/x-www-form-urlencoded' \
+      --data-urlencode 'clientSecret=...' \
+      --data-urlencode 'clientId=...'
+    ```
+    
+    #### Sample response
+    
+    ```
+    {
+      "accessToken": "...",
+      "expiresIn": 7200,
+      "tokenType": "Bearer"
+    }
+    ```
+
+    Next, you can use the access token to authenticate with the [Infisical API](/api-reference/overview/introduction)
+    
+    <Note>
+      Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+      the default TTL is `7200` seconds which can be adjusted.
+
+      If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+      a new access token should be obtained from the aforementioned login operation.
+    </Note>
+  </Step>
+</Steps>
+
+**FAQ**
+
+<AccordionGroup>
+<Accordion title="What is the difference between an identity and service token?">
+  A service token is a project-level authentication method that is being phased out in favor of identities.
+  
+  Amongst many differences, identities provide broader access over the Infisical API, utilizes the same role-based
+  permission system used by users, and comes with ample more configurable security measures.
+</Accordion>
+<Accordion title="Why is the Infisical API rejecting my identity credentials?">
+  There are a few reasons for why this might happen:
+  
+  - The client secret or access token has expired.
+  - The identity is insufficently permissioned to interact with the resources you wish to access.
+  - You are attempting to access a `/raw` secrets endpoint that requires your project to disable E2EE.
+  - The client secret/access token is being used from an untrusted IP.
+</Accordion>
+<Accordion title="What is token renewal and TTL/Max TTL?">
+  A identity access token can have a time-to-live (TTL) or incremental lifetime afterwhich it expires.
+  
+  In certain cases, you may want to extend the lifespan of an access token; to do so, you must use the max TTL parameter.
+  When TTL and max TTL are equal, a token is not renewable; when max TTL is greater than TTL, a token is renewable.
+  In the latter case, a token still expires at its TTL but its lifetime can be extended/renewed up until its max TLL.
+  
+  Note that the max TTL cannot be less than the TTL for an access token.
+</Accordion>
+<Accordion title="Why can I not create, read, update, or delete an identity?">
+  There are a few reasons for why this might happen:
+  
+  - You have insufficient organization permissions to create, read, update, delete identities.
+  - The identity you are trying to read, update, or delete is more privileged than yourself.
+  - The role you are trying to create an identity for or update an identity to is more privileged than yours.
+</Accordion>
+<Accordion title="Can you provide examples for using glob patterns?">
+  1. `/**`: This pattern matches all folders at any depth in the directory structure. For example, it would match folders like `/folder1/`, `/folder1/subfolder/`, and so on.
+
+  2. `/*`: This pattern matches all immediate subfolders in the current directory. It does not match any folders at a deeper level. For example, it would match folders like `/folder1/`, `/folder2/`, but not `/folder1/subfolder/`.
+
+  3. `/*/*`: This pattern matches all subfolders at a depth of two levels in the current directory. It does not match any folders at a shallower or deeper level. For example, it would match folders like `/folder1/subfolder/`, `/folder2/subfolder/`, but not `/folder1/` or `/folder1/subfolder/subsubfolder/`.
+
+  4. `/folder1/*`: This pattern matches all immediate subfolders within the `/folder1/` directory. It does not match any folders outside of `/folder1/`, nor does it match any subfolders within those immediate subfolders. For example, it would match folders like `/folder1/subfolder1/`, `/folder1/subfolder2/`, but not `/folder2/subfolder/`.
+</Accordion>
+</AccordionGroup>
--- a/docs/documentation/platform/token.mdx
+++ b/docs/documentation/platform/token.mdx
@ -14,10 +14,6 @@ You can manage service tokens in Project Settings > Service Tokens.

 Service Token (ST) is the current widely-used authentication method for managing secrets.

-<Note>
-  We're soon releasing ST V3, a revised version of this Service Token, so stay tuned.
-</Note>
-
 Here's a few pointers to get you acquainted with it:

 - When you create a ST, you get a token prefixed with `st`. The part after the last `.` delimiter is a symmetric key; everything
--- a/docs/documentation/platform/token3.mdx
+++ b/docs/documentation/platform/token3.mdx
@ -1,105 +0,0 @@
---
-title: "Service token"
-description: "Infisical service tokens allows you to programmatically interact with Infisical"
---
-
-Service tokens are authentication credentials that services can use to access designated endpoints in the Infisical API to manage project resources like secrets.
-Each service token can be provisioned scoped access to select environment(s) and path(s) within them.
-
-## Service Tokens
-
-Infisical currently offers Service Token V3 and Service Token; you can manage both types of tokens in Project Settings > Service Tokens.
-
-### Service Token V3 (Beta)
-
-Service Token V3 (ST V3) is a new and improved authentication method that is in beta. 
-
-<Note>
-  Currently, the Service Token V3 authentication method can only be used with the latest [Node SDK](https://github.com/Infisical/infisical-node) and [Python SDK](https://github.com/Infisical/infisical-python).
-  You can also make an API call with it to create, read, update, or delete secrets.
-
-  We will be releasing compatibility for it with the CLI and K8s operator in the coming month.
-  
-  That said, we recommend using ST V3 whenever possible.
-</Note>
-
-Here's a few pointers to get you acquainted with it:
-
- When you create a ST V3, you export a `JSON` file containing 3 components: `publicKey`, `privateKey`, and `serviceToken` where
-`serviceToken` is a JWT token prefixed with `stv3`. The token provides access to the Infisical API and the public-private key
-pairs are to support cryptographic operations for the client whenever E2EE is needed.
- ST V3 supports IP allowlisting; this means you can restrict the usage of a ST V3 to a specific IP or CIDR range.
- ST V3 supports provisioning granular `read` or `readWrite` access down to each path.
- ST V3 supports toggling on/off active states, so you can render a ST V3 inactive without deleting it.
- ST V3 supports expiration, so, if specified, a token will automatically turn inactive after a period of time.
- ST V3 tracks most recent usage; it also keeps track of each token's usage count.
- ST V3 is editable.
-
-### Service Token (Current)
-
-Service Token (ST) is the current widely-used authentication method.
-
-<Note>
-  We recently released ST V3, a revised version of this Service Token, which you can read about above.
-
-  Whenever possible, you should use ST V3 because we will be deprecating ST sometime Q4 2023.
-</Note>
-
-Here's a few pointers to get you acquainted with it:
-
- When you create a ST, you get a token prefixed with `st`. The part after the last `.` delimiter is a symmetric key; everything
-before it is an access token. When authenticating with the Infisical API, it is important to send in only the access token portion
-of the token.
- ST supports expiration; it gets deleted automatically upon expiration.
- ST supports provisioning `read` and/or `write` permissions broadly applied to all accessible environment(s) and path(s).
- ST is not editable.
-
-## Creating a service token
-
-To create a service token, head to Project Settings > Service Tokens as shown below and press **Create token**.
-
-![token add](../../images/project-token-add.png)
-
-Now input any token configuration details such as which environment(s) and path(s) you'd like to provision
-the token access to. Here's some guidance for each field:
-
- Name: A friendly name for the token.
- Scopes: The environment(s) and path(s) the token should have access to.
-If using ST V3, you can also indicate whether or not the token should have `read` or `readWrite` access to each path.
-Also, note that Infisical supports [glob patterns](https://www.malikbrowne.com/blog/a-beginners-guide-glob-patterns/) when defining access scopes to path(s).
- Trusted IPs: The IPs or CIDR ranges that the token can be used from. By default, each token is given the `0.0.0.0/0` entry representing all possible IPv4 addresses.
- Expiration: The time when this token should be rendered inactive.
-
-<Warning>
-  Restricting token usage to specific trusted IPs is a paid feature.
-
-  If you’re using Infisical Cloud, then it is available under the Pro Tier. If you’re self-hosting Infisical, then you should contact team@infisical.com to purchase an enterprise license to use it.
-</Warning>
-
-![token add](../../images/project-token-permissions.png)
-
-In the above screenshot, you can see that we are creating a token token with `read` access to all subfolders at any depth
-of the `/common` path within the development environment of the project; the token expires in 6 months and can be used from any IP address. 
-
-**FAQ**
-
-<AccordionGroup>
-<Accordion title="Why is the Infisical API rejecting my service token?">
-  There are a few reasons for why this might happen:
-  
-  - The service token has expired.
-  - The service token is insufficently permissioned to interact with the secrets in the given environment and path.
-  - You are attempting to access a `/raw` secrets endpoint that requires your project to disable E2EE.
-  - (If using ST V3) The service token has not been activated yet.
-  - (If using ST V3) The service token is being used from an untrusted IP.
-</Accordion>
-<Accordion title="Can you provide examples for using glob patterns?">
-  1. `/**`: This pattern matches all folders at any depth in the directory structure. For example, it would match folders like `/folder1/`, `/folder1/subfolder/`, and so on.
-
-  2. `/*`: This pattern matches all immediate subfolders in the current directory. It does not match any folders at a deeper level. For example, it would match folders like `/folder1/`, `/folder2/`, but not `/folder1/subfolder/`.
-
-  3. `/*/*`: This pattern matches all subfolders at a depth of two levels in the current directory. It does not match any folders at a shallower or deeper level. For example, it would match folders like `/folder1/subfolder/`, `/folder2/subfolder/`, but not `/folder1/` or `/folder1/subfolder/subsubfolder/`.
-
-  4. `/folder1/*`: This pattern matches all immediate subfolders within the `/folder1/` directory. It does not match any folders outside of `/folder1/`, nor does it match any subfolders within those immediate subfolders. For example, it would match folders like `/folder1/subfolder1/`, `/folder1/subfolder2/`, but not `/folder2/subfolder/`.
-</Accordion>
-</AccordionGroup>
--- a/docs/images/platform/machine-identity/machine-identity-org-client-secret-create-1.png
+++ b/docs/images/platform/machine-identity/machine-identity-org-client-secret-create-1.png
--- a/docs/images/platform/machine-identity/machine-identity-org-client-secret-create-2.png
+++ b/docs/images/platform/machine-identity/machine-identity-org-client-secret-create-2.png
--- a/docs/images/platform/machine-identity/machine-identity-org-client-secret.png
+++ b/docs/images/platform/machine-identity/machine-identity-org-client-secret.png
--- a/docs/images/platform/machine-identity/machine-identity-org-create.png
+++ b/docs/images/platform/machine-identity/machine-identity-org-create.png
--- a/docs/images/platform/machine-identity/machine-identity-org.png
+++ b/docs/images/platform/machine-identity/machine-identity-org.png
--- a/docs/images/platform/machine-identity/machine-identity-project-create.png
+++ b/docs/images/platform/machine-identity/machine-identity-project-create.png
--- a/docs/images/platform/machine-identity/machine-identity-project.png
+++ b/docs/images/platform/machine-identity/machine-identity-project.png
--- a/docs/internals/service-tokens-new.mdx
+++ b/docs/internals/service-tokens-new.mdx
@ -1,72 +1,57 @@
 ---
-title: "Service tokens"
-description: "Understanding service tokens and their best practices"
+title: "Machine identities"
+description: "Understanding machine identities and their best practices"
 ---

-Many clients use service tokens to authenticate and read/write secrets from/to Infisical; they can be created in your project settings.
+Many clients use machine identities (MIs) to authenticate and read/write secrets from/to Infisical; they can be created in your organization settings.

-On this page, we discuss Service Token V3, the new and improved authentication method.
+On this page, we discuss MIs, the new and improved authentication method.

 ## Anatomy

-A service token in Infisical exports a `JSON` file containing 3 components: `publicKey`, `privateKey`, and `serviceToken` where
-`serviceToken` is a JWT token prefixed with `proj_token`. The token provides access to the Infisical API and the public-private key
-pairs are to support cryptographic operations for the client whenever E2EE is needed.
+A MI in Infisical comes with a JWT-based refresh token authentication credential. The refresh token can be exchanged for an access token
+with a time-to-live (TTL) to access the Infisical API.

 ### Database model

-The storage backend model for a token contains the following information:
+The storage backend model for a MI contains the following notable data:

- ID: The token identifier.
- Expiration: The date at which point the token is invalid.
- Project: The project that the token is part of.
- Status: The active/inactive state of a token.
- Scopes: The project environment(s) and path(s) that the token has access to as well as `read` or `readWrite` permissions for them.
+- ID: The internal ID of the MI.
+- Name: The name of the MI.
+- Organization: The organization that the MI belongs to.
+- Refresh/Access Token last used: The last used dates of the MI refresh and access tokens.
+- Refresh/Access Token usage count: The number of times the MI refresh and access tokens have been used.
+- Refresh Token Rotation Enabled: Whether or not a new MI refresh token should be returned when exchanging an existing refresh token for an access token; if enabled, the old refresh token is invalidated at each refresh operation.
+- Token Version: The token version used to keep track of old/current refresh and access tokens.
+- Expiration: The date at which point the MI refresh token credential can no longer be used.
+- Access Token TTL: the time-to-live of each access token issued at each refresh token exchange.
 - Trusted IPs: The specific (IPv4 or IPv6) IPs or CIDR ranges that the token can be used from.
- Last used: The date at which point the token was last used.
- Usage count: The number of times that the token has been used.

-### Token
-
-As mentioned before, a service token consists of three components, exported as a `JSON`, used for authentication and cryptographic purposes.
-
-Consider the following `JSON`:
-
-```
-{
-  "publicKey": "...",
-  "privateKey": "...",
-  "serviceToken": "stv3..."
-}
-```
-
-Here, the `serviceToken` component can be used to authenticate with the API, by including it in the `Authorization` header under `Bearer <serviceToken>` and retrieve (encrypted) secrets as well as a project key back. Meanwhile, the `privateKey` (in the `JSON`), and `publicKey` (returned in the encrypted project key response) can be used to decrypt the project key used to decrypt the secrets.
-
-Note that when using service tokens via select client methods like SDK or CLI, cryptographic operations are abstracted for you that is the token is parsed and encryption/decryption operations are handled. If using service tokens with the REST API and end-to-end encryption enabled, then you will have to handle the encryption/decryption operations yourself.
+Separately, another model stores the mapping of a MI and the organization or project-role it is bound to.

 ## Recommendations

 ### Permissions

-You should consider the [principle of least privilege(PoLP)](https://en.wikipedia.org/wiki/Principle_of_least_privilege) when setting which environment(s) and path(s)
-should be accessible by a service token; you should also consider whether or not it needs `read` or `readWrite` access.
+You should consider the [principle of least privilege(PoLP)](https://en.wikipedia.org/wiki/Principle_of_least_privilege) when
+creating and assigning roles to MIs.

-For example, if the client using the token only requires `read` access to the secrets in the `/config` path of the staging environment, then you should scope the token to the `/config` path of that environment only with `read` permission.
+For example, if an MI only requires `read` access to the secrets in the `/config` path of the staging environment, then you should scope the role of the MI to the `/config` path of that environment only with `read` permission.

 ### Status & Expiration

-We recommend considering whether or not a service token should be able to access secrets indefinitely or within a finite lifetime such as until 6 months or 1 year from now
+We recommend considering whether or not a MI should be able to access secrets indefinitely or within a finite lifetime such as until 6 months or 1 year from now

 ### Network access

-We recommend configuring the IP allowlist configuration of each service token to restrict its usage to specific IP addresses or CIDR-notated range of addresses.
+We recommend configuring the IP allowlist configuration of each MI to restrict its usage to specific IP addresses or CIDR-notated range of addresses.

 ### Storage

-Since service tokens grant access to your secrets, we recommend storing them securely across your development cycle whether it be in a .env file in local development or as an environment variable of your deployment platform.
+Since MIs grant access to your secrets, we recommend storing the refresh token credential securely across your development cycle whether it be in a .env file in local development or as an environment variable of your deployment platform.

 ### Rotation

-We recommend periodically rotating the service token, even in the absence of compromise. Since service tokens are capable of decrypting project keys used to decrypt secrets, they should be rotated before approximately 2^32 encryptions have been performed; this follows the guidance set forth by [NIST publication 800-38D](https://csrc.nist.gov/pubs/sp/800/38/d/final).
-
-Note that Infisical keeps track of the number of times that service tokens are used and will alert you when you have reached 90% of the recommended capacity.
+We recommend periodically rotating the MI refresh token, even in the absence of compromise. If using the Infisical Agent, we recommend enabling the **Refresh Token Rotation** option
+on your MI; this will issue a new refresh token and invalidate the old one upon a refresh token exchange operation — In doing so, the refresh token is kept as a moving target
+and secret zero risk is mitigated.
--- a/docs/mint.json
+++ b/docs/mint.json
@ -118,6 +118,7 @@
        "documentation/platform/pit-recovery",
        "documentation/platform/audit-logs",
        "documentation/platform/token",
+        "documentation/platform/identity",
        "documentation/platform/mfa",
        "documentation/platform/pr-workflows",
        "documentation/platform/role-based-access-controls",
--- a/frontend/src/context/OrgPermissionContext/types.ts
+++ b/frontend/src/context/OrgPermissionContext/types.ts
@ -15,7 +15,8 @@ export enum OrgPermissionSubjects {
  IncidentAccount = "incident-contact",
  Sso = "sso",
  Billing = "billing",
-  SecretScanning = "secret-scanning"
+  SecretScanning = "secret-scanning",
+  Identity = "identity"
 }

 export type OrgPermissionSet =
@ -27,6 +28,7 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.IncidentAccount]
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionActions, OrgPermissionSubjects.Billing];
+  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionActions, OrgPermissionSubjects.Identity];

 export type TOrgPermission = MongoAbility<OrgPermissionSet>;
--- a/frontend/src/context/ProjectPermissionContext/types.ts
+++ b/frontend/src/context/ProjectPermissionContext/types.ts
@ -22,7 +22,8 @@ export enum ProjectPermissionSub {
  Secrets = "secrets",
  SecretRollback = "secret-rollback",
  SecretApproval = "secret-approval",
-  SecretRotation = "secret-rotation"
+  SecretRotation = "secret-rotation",
+  Identity = "identity"
 }

 type SubjectFields = {
@ -44,6 +45,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.Environments]
  | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
  | [ProjectPermissionActions, ProjectPermissionSub.Settings]
+  | [ProjectPermissionActions, ProjectPermissionSub.Identity]
  | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
--- a/frontend/src/hooks/api/auditLogs/constants.tsx
+++ b/frontend/src/hooks/api/auditLogs/constants.tsx
@ -16,9 +16,17 @@ export const eventToNameMap: { [K in EventType]: string } = {
    [EventType.DELETE_TRUSTED_IP]: "Delete trusted IP",
    [EventType.CREATE_SERVICE_TOKEN]: "Create service token",
    [EventType.DELETE_SERVICE_TOKEN]: "Delete service token",
-    [EventType.CREATE_SERVICE_TOKEN_V3]: "Create (new) service token",
-    [EventType.UPDATE_SERVICE_TOKEN_V3]: "Update (new) service token",
-    [EventType.DELETE_SERVICE_TOKEN_V3]: "Delete (new) service token",
+    [EventType.CREATE_IDENTITY]: "Create identity",
+    [EventType.UPDATE_IDENTITY]: "Update identity",
+    [EventType.DELETE_IDENTITY]: "Delete identity",
+    [EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH]: "Login via universal auth",
+    [EventType.ADD_IDENTITY_UNIVERSAL_AUTH]: "Add universal auth",
+    [EventType.UPDATE_IDENTITY_UNIVERSAL_AUTH]: "Update universal auth",
+    [EventType.GET_IDENTITY_UNIVERSAL_AUTH]: "Get universal auth",
+    [EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET]: "Create universal auth client secret",
+    [EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET]: "Revoke universal auth client secret",
+    [EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS]: "Get universal auth client secrets",
+    [EventType.GET_IDENTITY_UNIVERSAL_AUTH]: "Get universal auth",
    [EventType.CREATE_ENVIRONMENT]: "Create environment",
    [EventType.UPDATE_ENVIRONMENT]: "Update environment",
    [EventType.DELETE_ENVIRONMENT]: "Delete environment",
--- a/frontend/src/hooks/api/auditLogs/enums.tsx
+++ b/frontend/src/hooks/api/auditLogs/enums.tsx
@ -1,7 +1,7 @@
 export enum ActorType {
  USER = "user",
  SERVICE = "service",
-  SERVICE_V3 = "service-v3"
+  IDENTITY = "identity"
 }

 export enum UserAgentType {
@ -27,9 +27,16 @@ export enum EventType {
  DELETE_TRUSTED_IP = "delete-trusted-ip",
  CREATE_SERVICE_TOKEN = "create-service-token", // v2
  DELETE_SERVICE_TOKEN = "delete-service-token", // v2
-  CREATE_SERVICE_TOKEN_V3 = "create-service-token-v3", // v3
-  UPDATE_SERVICE_TOKEN_V3 = "update-service-token-v3", // v3
-  DELETE_SERVICE_TOKEN_V3 = "delete-service-token-v3", // v3
+  CREATE_IDENTITY = "create-identity",
+  UPDATE_IDENTITY = "update-identity",
+  DELETE_IDENTITY = "delete-identity",
+  LOGIN_IDENTITY_UNIVERSAL_AUTH = "login-identity-universal-auth",
+  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
+  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
+  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET =  "revoke-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
--- a/frontend/src/hooks/api/auditLogs/types.tsx
+++ b/frontend/src/hooks/api/auditLogs/types.tsx
@ -1,3 +1,4 @@
+import { IdentityTrustedIp } from "../identities/types";
 import { ActorType, EventType, UserAgentType } from "./enums";

 interface UserActorMetadata {
@ -10,6 +11,11 @@ interface ServiceActorMetadata {
  name: string;
 }

+interface IdentityActorMetadata {
+  identityId: string;
+  name: string;
+}
+
 interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -20,12 +26,12 @@ export interface ServiceActor {
  metadata: ServiceActorMetadata;
 }

-export interface ServiceActorV3 {
-  type: ActorType.SERVICE_V3;
-  metadata: ServiceActorMetadata;
+export interface IdentityActor {
+  type: ActorType.IDENTITY;
+  metadata: IdentityActorMetadata;
 }

-export type Actor = UserActor | ServiceActor | ServiceActorV3;
+export type Actor = UserActor | ServiceActor | IdentityActor;

 interface GetSecretsEvent {
  type: EventType.GET_SECRETS;
@ -188,34 +194,92 @@ interface DeleteServiceTokenEvent {
  };
 }

-interface CreateServiceTokenV3Event {
-    type: EventType.CREATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        role: string;
-        expiresAt?: Date;
-    }
+interface CreateIdentityEvent { // note: currently not logging org-role
+  type: EventType.CREATE_IDENTITY;
+  metadata: {
+    identityId: string;
+    name: string;
+  };
 }

-interface UpdateServiceTokenV3Event {
-    type: EventType.UPDATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name?: string;
-        isActive?: boolean;
-        role?: string;
-        expiresAt?: Date;
-    }
+interface UpdateIdentityEvent {
+  type: EventType.UPDATE_IDENTITY;
+  metadata: {
+    identityId: string;
+    name?: string;
+  };
 }

-interface DeleteServiceTokenV3Event {
-    type: EventType.DELETE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        role?: string;
-        expiresAt?: Date;
-    }
+interface DeleteIdentityEvent {
+  type: EventType.DELETE_IDENTITY;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface LoginIdentityUniversalAuthEvent {
+  type: EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH ;
+  metadata: {
+    identityId: string;
+    identityUniversalAuthId: string;
+    clientSecretId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityUniversalAuthEvent {
+  type: EventType.ADD_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+    clientSecretTrustedIps: Array<IdentityTrustedIp>;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<IdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityUniversalAuthEvent {
+  type: EventType.UPDATE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+    clientSecretTrustedIps?: Array<IdentityTrustedIp>;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<IdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityUniversalAuthEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface CreateIdentityUniversalAuthClientSecretEvent {
+  type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET ;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
+interface GetIdentityUniversalAuthClientSecretsEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS;
+  metadata: {
+    identityId: string;
+  };
+}
+
+
+interface RevokeIdentityUniversalAuthClientSecretEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET ;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
 }

 interface CreateEnvironmentEvent {
@ -414,9 +478,16 @@ export type Event =
  | DeleteTrustedIPEvent
  | CreateServiceTokenEvent
  | DeleteServiceTokenEvent
-  | CreateServiceTokenV3Event
-  | UpdateServiceTokenV3Event
-  | DeleteServiceTokenV3Event
+  | CreateIdentityEvent
+  | UpdateIdentityEvent
+  | DeleteIdentityEvent
+  | LoginIdentityUniversalAuthEvent
+  | AddIdentityUniversalAuthEvent
+  | UpdateIdentityUniversalAuthEvent
+  | GetIdentityUniversalAuthEvent
+  | CreateIdentityUniversalAuthClientSecretEvent
+  | GetIdentityUniversalAuthClientSecretsEvent
+  | RevokeIdentityUniversalAuthClientSecretEvent
  | CreateEnvironmentEvent
  | UpdateEnvironmentEvent
  | DeleteEnvironmentEvent
--- a/frontend/src/hooks/api/identities/constants.tsx
+++ b/frontend/src/hooks/api/identities/constants.tsx
@ -0,0 +1,5 @@
+import { IdentityAuthMethod } from "./enums";
+
+export const identityAuthToNameMap: { [I in IdentityAuthMethod]: string } = {
+    [IdentityAuthMethod.UNIVERSAL_AUTH]: "Universal Auth"
+};
--- a/frontend/src/hooks/api/identities/enums.tsx
+++ b/frontend/src/hooks/api/identities/enums.tsx
@ -0,0 +1,3 @@
+export enum IdentityAuthMethod {
+    UNIVERSAL_AUTH = "universal-auth"
+}
--- a/frontend/src/hooks/api/identities/index.tsx
+++ b/frontend/src/hooks/api/identities/index.tsx
@ -0,0 +1,14 @@
+export { identityAuthToNameMap } from "./constants";
+export { IdentityAuthMethod } from "./enums";
+export {
+    useAddIdentityUniversalAuth,
+    useCreateIdentity,
+    useCreateIdentityUniversalAuthClientSecret,
+    useDeleteIdentity,
+    useRevokeIdentityUniversalAuthClientSecret,
+    useUpdateIdentity,
+    useUpdateIdentityUniversalAuth} from "./mutations";
+export {
+    useGetIdentityUniversalAuth,
+    useGetIdentityUniversalAuthClientSecrets
+} from "./queries";
--- a/frontend/src/hooks/api/identities/mutations.tsx
+++ b/frontend/src/hooks/api/identities/mutations.tsx
@ -0,0 +1,164 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { organizationKeys } from "../organization/queries";
+import { identitiesKeys } from "./queries";
+import { 
+    AddIdentityUniversalAuthDTO,
+    ClientSecretData,
+    CreateIdentityDTO, 
+    CreateIdentityUniversalAuthClientSecretDTO,
+    CreateIdentityUniversalAuthClientSecretRes,
+    DeleteIdentityDTO,
+    DeleteIdentityUniversalAuthClientSecretDTO,
+    Identity,
+    IdentityUniversalAuth,
+    UpdateIdentityDTO,
+    UpdateIdentityUniversalAuthDTO} from "./types";
+
+export const useCreateIdentity = () => {
+    const queryClient = useQueryClient();
+    return useMutation<Identity, {}, CreateIdentityDTO>({
+        mutationFn: async (body) => {
+            const { data: { identity } } = await apiRequest.post("/api/v1/identities/", body);
+            return identity;
+        },
+        onSuccess: (_, { organizationId }) => {
+            queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+        }
+    });
+};
+
+export const useUpdateIdentity = () => {
+    const queryClient = useQueryClient();
+    return useMutation<Identity, {}, UpdateIdentityDTO>({
+        mutationFn: async ({
+            identityId,
+            name,
+            role
+        }) => {
+            
+            const { data: { identity } } = await apiRequest.patch(`/api/v1/identities/${identityId}`, {
+                name,
+                role
+            });
+
+            return identity;
+        },
+        onSuccess: (_, { organizationId }) => {
+            queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+        }
+    });
+}
+
+export const useDeleteIdentity = () => {
+    const queryClient = useQueryClient();
+    return useMutation<Identity, {}, DeleteIdentityDTO>({
+        mutationFn: async ({
+            identityId,
+        }) => {
+            const { data: { identity } } = await apiRequest.delete(`/api/v1/identities/${identityId}`);
+            return identity;
+        },
+        onSuccess: (_, { organizationId }) => {
+            queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+        }
+    });
+};
+
+// TODO: move these to /auth
+
+export const useAddIdentityUniversalAuth = () => {
+    const queryClient = useQueryClient();
+    return useMutation<IdentityUniversalAuth, {}, AddIdentityUniversalAuthDTO>({
+        mutationFn: async ({
+            identityId,
+            clientSecretTrustedIps,
+            accessTokenTTL,
+            accessTokenMaxTTL,
+            accessTokenNumUsesLimit,
+            accessTokenTrustedIps,
+        }) => {
+            const { data: { identityUniversalAuth } } = await apiRequest.post(`/api/v1/auth/universal-auth/identities/${identityId}`,
+                {
+                    clientSecretTrustedIps,
+                    accessTokenTTL,
+                    accessTokenMaxTTL,
+                    accessTokenNumUsesLimit,
+                    accessTokenTrustedIps,
+                }
+            );
+            return identityUniversalAuth;
+        },
+        onSuccess: (_, { organizationId }) => {
+            queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+        }
+    });
+};
+
+export const useUpdateIdentityUniversalAuth = () => {
+    const queryClient = useQueryClient();
+    return useMutation<IdentityUniversalAuth, {}, UpdateIdentityUniversalAuthDTO>({
+        mutationFn: async ({
+            identityId,
+            clientSecretTrustedIps,
+            accessTokenTTL,
+            accessTokenMaxTTL,
+            accessTokenNumUsesLimit,
+            accessTokenTrustedIps,
+        }) => {
+            const { data: { identityUniversalAuth } } = await apiRequest.patch(`/api/v1/auth/universal-auth/identities/${identityId}`,
+                {
+                    clientSecretTrustedIps,
+                    accessTokenTTL,
+                    accessTokenMaxTTL,
+                    accessTokenNumUsesLimit,
+                    accessTokenTrustedIps,
+                }
+            );
+            return identityUniversalAuth;
+        },
+        onSuccess: (_, { organizationId }) => {
+            queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+        }
+    });
+};
+
+export const useCreateIdentityUniversalAuthClientSecret = () => {
+    const queryClient = useQueryClient();
+    return useMutation<CreateIdentityUniversalAuthClientSecretRes, {}, CreateIdentityUniversalAuthClientSecretDTO>({
+        mutationFn: async ({
+            identityId,
+            description,
+            ttl,
+            numUsesLimit
+        }) => {
+            const { data } = await apiRequest.post(`/api/v1/auth/universal-auth/identities/${identityId}/client-secrets`, {
+                description,
+                ttl,
+                numUsesLimit
+            });
+            return data;
+        },
+        onSuccess: (_, { identityId }) => {
+            queryClient.invalidateQueries(identitiesKeys.getIdentityUniversalAuthClientSecrets(identityId));
+        }
+    });
+};
+
+export const useRevokeIdentityUniversalAuthClientSecret = () => {
+    const queryClient = useQueryClient();
+    return useMutation<ClientSecretData, {}, DeleteIdentityUniversalAuthClientSecretDTO>({
+        mutationFn: async ({
+            identityId,
+            clientSecretId
+        }) => {
+            const { data: { clientSecretData } } = await apiRequest.post<{ clientSecretData: ClientSecretData }>(`/api/v1/auth/universal-auth/identities/${identityId}/client-secrets/${clientSecretId}/revoke`);
+            return clientSecretData;
+        },
+        onSuccess: (_, { identityId }) => {
+            queryClient.invalidateQueries(identitiesKeys.getIdentityUniversalAuthClientSecrets(identityId));
+        }
+    });
+};
--- a/frontend/src/hooks/api/identities/queries.tsx
+++ b/frontend/src/hooks/api/identities/queries.tsx
@ -0,0 +1,40 @@
+import { useQuery } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { ClientSecretData , IdentityUniversalAuth } from "./types";
+
+export const identitiesKeys = {
+    getIdentityUniversalAuth: (identityId: string) => [{ identityId }, "identity-universal-auth"] as const,
+    getIdentityUniversalAuthClientSecrets: (identityId: string) => [{ identityId }, "identity-universal-auth-client-secrets"] as const
+}
+
+export const useGetIdentityUniversalAuth = (identityId: string) => {
+    return useQuery({
+        queryKey: identitiesKeys.getIdentityUniversalAuth(identityId),
+        queryFn: async () => {
+            if (identityId === "") throw new Error("Identity ID is required");
+
+            const { data: { identityUniversalAuth } } = await apiRequest.get<{ identityUniversalAuth: IdentityUniversalAuth }>(
+                `/api/v1/auth/universal-auth/identities/${identityId}`
+            );
+        
+            return identityUniversalAuth;
+        }
+    });
+}
+
+export const useGetIdentityUniversalAuthClientSecrets = (identityId: string) => {
+    return useQuery({
+        queryKey: identitiesKeys.getIdentityUniversalAuthClientSecrets(identityId),
+        queryFn: async () => {
+            if (identityId === "") return [];
+
+            const { data: { clientSecretData } } = await apiRequest.get<{ clientSecretData: ClientSecretData[] }>(
+                `/api/v1/auth/universal-auth/identities/${identityId}/client-secrets`
+            );
+        
+            return clientSecretData;
+        }
+    });
+}
--- a/frontend/src/hooks/api/identities/types.ts
+++ b/frontend/src/hooks/api/identities/types.ts
@ -0,0 +1,123 @@
+import { TRole } from "../roles/types";
+import { IdentityAuthMethod } from "./enums";
+
+export type IdentityTrustedIp = {
+    _id: string;
+    ipAddress: string;
+    type: "ipv4" | "ipv6";
+    prefix?: number;
+}
+
+export type Identity = {
+    _id: string;
+    name: string;
+    authMethod?: IdentityAuthMethod;
+    createdAt: string;
+    updatedAt: string;
+};
+
+export type IdentityMembershipOrg = {
+    _id: string;
+    identity: Identity;
+    organization: string;
+    role: "admin" | "member" | "viewer" | "no-access" | "custom";
+    customRole?: TRole<string>;
+    createdAt: string;
+    updatedAt: string;
+}
+
+export type IdentityMembership = {
+    _id: string;
+    identity: Identity;
+    organization: string;
+    role: "admin" | "member" | "viewer" | "no-access" | "custom";
+    customRole?: TRole<string>;
+    createdAt: string;
+    updatedAt: string;
+}
+
+export type CreateIdentityDTO = {
+    name: string;
+    organizationId: string;
+    role?: string;
+}
+
+export type UpdateIdentityDTO = {
+    identityId: string;
+    name?: string;
+    role?: string;
+    organizationId: string;
+}
+
+export type DeleteIdentityDTO = {
+    identityId: string;
+    organizationId: string;
+}
+
+export type IdentityUniversalAuth = {
+    identityId: string;
+    clientId: string;
+    clientSecretTrustedIps: IdentityTrustedIp[];
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: IdentityTrustedIp[];
+}
+
+export type AddIdentityUniversalAuthDTO = {
+    organizationId: string;
+    identityId: string;
+    clientSecretTrustedIps: {
+        ipAddress: string;
+    }[];
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: {
+        ipAddress: string;
+    }[];
+}
+
+export type UpdateIdentityUniversalAuthDTO = {
+    organizationId: string;
+    identityId: string;
+    clientSecretTrustedIps?: {
+        ipAddress: string;
+    }[];
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: {
+        ipAddress: string;
+    }[];
+}
+
+export type CreateIdentityUniversalAuthClientSecretDTO = {
+    identityId: string;
+    description?: string;
+    ttl?: number;
+    numUsesLimit?: number;
+}
+
+export type ClientSecretData = {
+    _id: string;
+    identityUniversalAuth: string;
+    isClientSecretRevoked: boolean;
+    description: string;
+    clientSecretPrefix: string;
+    clientSecretNumUses: number;
+    clientSecretNumUsesLimit: number;
+    clientSecretTTL: number;
+    createdAt: string;
+    updatedAt: string;
+}
+
+export type CreateIdentityUniversalAuthClientSecretRes = {
+    clientSecret: string;
+    clientSecretData: ClientSecretData;
+}
+
+export type DeleteIdentityUniversalAuthClientSecretDTO = {
+    identityId: string;
+    clientSecretId: string;
+}
--- a/frontend/src/hooks/api/index.tsx
+++ b/frontend/src/hooks/api/index.tsx
@ -1,8 +1,9 @@
-export * from "./apiKeys";
 export * from "./admin"
+export * from "./apiKeys";
 export * from "./auditLogs";
 export * from "./auth";
 export * from "./bots";
+export * from "./identities";
 export * from "./incidentContacts";
 export * from "./integrationAuth";
 export * from "./integrations";
@ -16,6 +17,7 @@ export * from "./secretImports";
 export * from "./secretRotation";
 export * from "./secrets";
 export * from "./secretSnapshots";
+export * from "./serverDetails";
 export * from "./serviceTokens";
 export * from "./ssoConfig";
 export * from "./subscriptions";
@ -23,4 +25,4 @@ export * from "./tags";
 export * from "./trustedIps";
 export * from "./users";
 export * from "./webhooks";
-export * from "./workspace";
+export * from "./workspace";
--- a/frontend/src/hooks/api/organization/index.ts
+++ b/frontend/src/hooks/api/organization/index.ts
@ -6,6 +6,7 @@ export {
    useDeleteOrgById,
    useDeleteOrgPmtMethod,
    useDeleteOrgTaxId,
+    useGetIdentityMembershipOrgs,
    useGetOrganizations, 
    useGetOrgBillingDetails,
    useGetOrgInvoices,
@ -17,4 +18,5 @@ export {
    useGetOrgTaxIds,
    useGetOrgTrialUrl,
    useRenameOrg, 
-    useUpdateOrgBillingDetails} from "./queries";
+    useUpdateOrgBillingDetails
+} from "./queries";
--- a/frontend/src/hooks/api/organization/queries.tsx
+++ b/frontend/src/hooks/api/organization/queries.tsx
@ -2,6 +2,7 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";

 import { apiRequest } from "@app/config/request";

+import { IdentityMembershipOrg } from "../identities/types";
 import {
  BillingDetails,
  Invoice,
@ -15,7 +16,7 @@ import {
  TaxID
 } from "./types";

-const organizationKeys = {
+export const organizationKeys = {
  getUserOrganizations: ["organization"] as const,
  getOrgPlanBillingInfo: (orgId: string) => [{ orgId }, "organization-plan-billing"] as const,
  getOrgPlanTable: (orgId: string) => [{ orgId }, "organization-plan-table"] as const,
@ -25,7 +26,8 @@ const organizationKeys = {
  getOrgPmtMethods: (orgId: string) => [{ orgId }, "organization-pmt-methods"] as const,
  getOrgTaxIds: (orgId: string) => [{ orgId }, "organization-tax-ids"] as const,
  getOrgInvoices: (orgId: string) => [{ orgId }, "organization-invoices"] as const,
-  getOrgLicenses: (orgId: string) => [{ orgId }, "organization-licenses"] as const
+  getOrgLicenses: (orgId: string) => [{ orgId }, "organization-licenses"] as const,
+  getOrgIdentityMemberships: (orgId: string) => [{ orgId }, "organization-identity-memberships"] as const,
 };

 export const fetchOrganizations = async () => {
@ -349,6 +351,22 @@ export const useGetOrgLicenses = (organizationId: string) => {
  });
 };

+export const useGetIdentityMembershipOrgs = (organizationId: string) => {
+  return useQuery({
+    queryKey: organizationKeys.getOrgIdentityMemberships(organizationId),
+    queryFn: async () => {
+      const {
+        data: { identityMemberships }
+      } = await apiRequest.get<{ identityMemberships: IdentityMembershipOrg[] }>(
+        `/api/v2/organizations/${organizationId}/identity-memberships`
+      );
+
+      return identityMemberships;
+    },
+    enabled: true
+  });
+};
+
 export const useDeleteOrgById = () => {
  const queryClient = useQueryClient();

--- a/frontend/src/hooks/api/serviceTokens/index.ts
+++ b/frontend/src/hooks/api/serviceTokens/index.ts
@ -1,8 +1,5 @@
 export { 
    useCreateServiceToken, 
-    useCreateServiceTokenV3,
    useDeleteServiceToken, 
-    useDeleteServiceTokenV3,
    useGetUserWsServiceTokens,
-    useUpdateServiceTokenV3
 } from "./queries";
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tuan Dang	4f6adb50d1	Minor UX update to identities	2023-12-10 22:35:12 +07:00
Tuan Dang	444ce9508d	Resolve PR review items, moved identity auth logic into separate controller, etc.	2023-12-10 14:15:25 +07:00
Tuan Dang	50ef23e8a0	Restructure MIs to more generic Identity	2023-12-09 22:18:38 +07:00
Maidul Islam	89d0c0e3c3	temporarily disable max access token ttl	2023-12-06 20:45:07 -05:00
Maidul Islam	a4f6b828ad	fix update machine params + default to no max ttl	2023-12-06 20:35:26 -05:00
Maidul Islam	0fb2056b8b	update delete client secret to revoke client secret	2023-12-06 18:16:14 -05:00
Tuan Dang	ec5cf97f18	Add case for MI token renewal	2023-12-07 00:29:08 +07:00
Tuan Dang	69b57817d6	Switch access token tracking to be persistent, add num uses, draft token renewal, update docs	2023-12-07 00:11:16 +07:00
Maidul Islam	aafbe40c02	add machineIdentityAccessToken model	2023-12-05 16:58:21 -05:00
Maidul Islam	9d9b83f909	fix expired client secret logic	2023-12-05 16:38:43 -05:00
Maidul Islam	ea1f144b54	add index to machine identity model	2023-12-05 16:37:16 -05:00
Tuan Dang	591f33ffbe	Move MI endpoints from v3 to v1	2023-12-05 22:24:25 +07:00
Tuan Dang	855158d0bb	Allow MI to create another MI test	2023-12-05 19:34:43 +07:00
Tuan Dang	87e997e7a0	Replace most getUserOrgPermissions with more generic getAuthDataOrgPermissions for MIs in backend	2023-12-05 19:20:30 +07:00
Tuan Dang	3c449214d1	Add error messages for MI expired client secret, num uses limit reached	2023-12-05 17:53:35 +07:00
Tuan Dang	d813f0716f	Switch RBAC flag	2023-12-05 17:47:46 +07:00
Tuan Dang	6787c0eaaa	Update authz logic for MI	2023-12-05 17:46:50 +07:00
Tuan Dang	c91f6521c1	Update MI fields numUses, numUsesLimit, ttl, added modal for delete client secret confirmation	2023-12-05 11:15:57 +07:00
Tuan Dang	0ebd1d3d81	Merge branch 'stv3-org-roles' of https://github.com/Infisical/infisical into stv3-org-roles	2023-12-05 08:57:50 +07:00
Maidul Islam	d257a449bb	add compound index to machineIdentityClientSecretDataSchema	2023-12-04 19:42:09 -05:00
Maidul Islam	6a744c96e5	add index to workspace to improve query	2023-12-04 19:41:40 -05:00
Tuan Dang	28b617fd89	Update MI docs for client id/secret	2023-12-04 23:04:04 +07:00
Tuan Dang	8b1eaad7b5	Fix audit logs UI rendering	2023-12-04 18:23:04 +07:00
Tuan Dang	c917cf8a18	Add logging to MI secret endpoints	2023-12-04 17:48:32 +07:00
Tuan Dang	282830e7a2	Fix lint issues	2023-12-04 16:24:55 +07:00
Tuan Dang	3d6f04b94e	Merge remote-tracking branch 'origin' into stv3-org-roles	2023-12-04 16:15:14 +07:00
Tuan Dang	60a5092947	Merge remote-tracking branch 'origin' into stv3-org-roles	2023-12-04 16:14:31 +07:00
Tuan Dang	69dae1f0b2	Move MI from refresh token to client id / client secrets approach	2023-12-04 16:13:00 +07:00
Maidul Islam	4b41664fa4	chores: clean login	2023-12-02 13:28:32 -05:00
Maidul Islam	735cf093f0	Merge pull request #1210 from Infisical/hide-blind-index Hide blind index notice	2023-11-30 18:15:58 -05:00
Maidul Islam	5f80e2f432	Merge pull request #1205 from Infisical/add-docs-for-folders-cli add docs for folder cli command	2023-11-29 10:03:06 -05:00
Tuan Dang	6557d7668e	Add docs for MIs	2023-11-29 15:55:15 +07:00
Tuan Dang	77e3d10a64	Flip RBAC	2023-11-27 15:50:59 +07:00
Tuan Dang	814b71052d	Update error-handling, show underprivileged notification error	2023-11-27 15:50:00 +07:00
Tuan Dang	6579b3c93f	Update MI authz logic	2023-11-27 14:19:10 +07:00
Tuan Dang	99c41bb63b	Add no access role, replace ST V3 refs with machine	2023-11-27 09:59:15 +07:00
Tuan Dang	63df0dba64	Add default org and project-level no access roles	2023-11-26 17:02:03 +07:00
Tuan Dang	4e050cfe7a	Fix frontend lint issues	2023-11-26 13:34:50 +07:00
Tuan Dang	32f5c96dd2	Move custom role paywall to assignment step	2023-11-26 13:18:49 +07:00
Tuan Dang	5b923c25b5	Added authz logic to MI	2023-11-25 18:37:20 +07:00
Tuan Dang	29016fbb23	Fix populate service in getAuthDataProjectPermissions	2023-11-24 20:10:50 +07:00
Tuan Dang	0c0139ac8f	Restyle project members page	2023-11-24 20:00:40 +07:00
Tuan Dang	180274be34	Add endpoint to update MI project-level roles	2023-11-24 19:50:01 +07:00
Tuan Dang	595a26a366	Update ST V3 to machine identity	2023-11-24 19:19:31 +07:00
Tuan Dang	41c41a647f	Standardize org members page styling	2023-11-24 14:09:56 +07:00
Tuan Dang	c3d2b7d3fc	Pull main	2023-11-23 18:00:07 +07:00
Tuan Dang	87984a704a	Fix merge conflicts	2023-11-23 15:37:14 +07:00
Tuan Dang	33e4104e98	Fix merge conflicts	2023-11-23 15:36:19 +07:00
Tuan Dang	597e1e1ca8	Continue ST V3 roles	2023-11-23 11:56:56 +07:00