update path examples

add docs for agent auth and template details
start agent docs overview
2025-04-11 16:58:11 +00:00 · 2023-11-28 00:57:12 -05:00 · 2023-11-28 00:55:06 -05:00 · 2023-11-27 20:08:04 -05:00 · 2023-11-27 18:32:05 -05:00 · 2023-11-27 18:15:08 -05:00
869 changed files with 48949 additions and 19395 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,2 +1,10 @@
 backend/node_modules
-frontend/node_modules
+frontend/node_modules
+backend/frontend-build
+**/node_modules
+**/.next
+.dockerignore
+.git
+README.md
+.dockerignore
+**/Dockerfile
--- a/.env.example
+++ b/.env.example
@ -1,23 +1,12 @@
 # Keys
 # Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
-
-# JWT lifetime
-# Optional lifetimes for JWT tokens expressed in seconds or a string 
-# describing a time span (e.g. 60, "2 days", "10h", "7d")
-JWT_AUTH_LIFETIME=
-JWT_REFRESH_LIFETIME=
-JWT_SIGNUP_LIFETIME=
-JWT_PROVIDER_AUTH_LIFETIME=
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=

 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@ -67,5 +56,12 @@ SENTRY_DSN=
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=

-CLIENT_ID_GOOGLE=
-CLIENT_SECRET_GOOGLE=
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=
--- a/.github/resources/docker-compose.be-test.yml
+++ b/.github/resources/docker-compose.be-test.yml
@ -6,7 +6,7 @@ services:
    restart: unless-stopped
    depends_on:
      - mongo
-    image: infisical/backend:test
+    image: infisical/infisical:test
    command: npm run start
    environment:
      - NODE_ENV=production
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,29 +1,3 @@
-# secretScanningGitApp:
-#   enabled: false
-#   deploymentAnnotations:
-#     secrets.infisical.com/auto-reload: "true"
-#   image:
-#     repository: infisical/staging_deployment_secret-scanning-git-app
-    
-frontend:
-  enabled: true
-  name: frontend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
-  image:
-    repository: infisical/staging_deployment_frontend
-    tag: "latest"
-    pullPolicy: Always
-  kubeSecretRef: managed-secret-frontend
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-frontendEnvironmentVariables: null
-
 backend:
  enabled: true
  name: backend
@ -32,7 +6,7 @@ backend:
    secrets.infisical.com/auto-reload: "true"
  replicaCount: 2
  image:
-    repository: infisical/staging_deployment_backend
+    repository: infisical/staging_infisical
    tag: "latest"
    pullPolicy: Always
  kubeSecretRef: managed-backend-secret
@ -40,12 +14,15 @@ backend:
    annotations: {}
    type: ClusterIP
    nodePort: ""
+  resources:
+    limits:
+      memory: 300Mi

 backendEnvironmentVariables: null

 ## Mongo DB persistence
 mongodb:
-  enabled: true
+  enabled: false
  persistence:
    enabled: false

@ -60,14 +37,8 @@ ingress:
  enabled: true
  # annotations:
  #   kubernetes.io/ingress.class: "nginx"
-    # cert-manager.io/issuer: letsencrypt-nginx
+  # cert-manager.io/issuer: letsencrypt-nginx
  hostName: gamma.infisical.com ## <- Replace with your own domain
-  frontend:
-    path: /
-    pathType: Prefix
-  backend:
-    path: /api
-    pathType: Prefix
  tls:
    []
    # - secretName: letsencrypt-nginx
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@ -39,7 +39,7 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          load: true
          context: backend
-          tags: infisical/backend:test
+          tags: infisical/infisical:test
      - name: ⏻ Spawn backend container and dependencies
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@ -93,6 +93,7 @@ jobs:
          tags: infisical/frontend:test
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
      - name: ⏻ Spawn frontend container
        run: |
          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
@ -116,3 +117,4 @@ jobs:
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/build-staging-img.yml
+++ b/.github/workflows/build-staging-img.yml
@ -2,7 +2,7 @@ name: Build, Publish and Deploy to Gamma
 on: [workflow_dispatch]

 jobs:
-  backend-image:
+  infisical-image:
    name: Build backend image
    runs-on: ubuntu-latest
    steps:
@ -32,8 +32,9 @@ jobs:
          project: 64mmf0n610
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          load: true
-          context: backend
-          tags: infisical/backend:test
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: infisical/infisical:test
      - name: ⏻ Spawn backend container and dependencies
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@ -49,66 +50,20 @@ jobs:
          project: 64mmf0n610
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
-          context: backend
+          context: .
+          file: Dockerfile.standalone-infisical
          tags: |
-            infisical/staging_deployment_backend:${{ steps.commit.outputs.short }}
-            infisical/staging_deployment_backend:latest
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
-          context: frontend
-          tags: infisical/staging_deployment_frontend:test
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/staging_deployment_frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: |
-            infisical/staging_deployment_frontend:${{ steps.commit.outputs.short }}
-            infisical/staging_deployment_frontend:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
  gamma-deployment:
    name: Deploy to gamma
    runs-on: ubuntu-latest
-    needs: [frontend-image, backend-image]
+    needs: [infisical-image]
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
--- a/.github/workflows/release-standalone-docker-img.yml
+++ b/.github/workflows/release-standalone-docker-img.yml
@ -73,3 +73,6 @@ jobs:
            infisical/infisical:${{ steps.extract_version.outputs.version }}
          platforms: linux/amd64,linux/arm64
          file: Dockerfile.standalone-infisical
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.gitignore
+++ b/.gitignore
@ -33,7 +33,7 @@ reports
 junit.xml

 # next.js
-/.next/
+.next/
 /out/

 # production
@ -59,4 +59,6 @@ yarn-error.log*
 .infisical.json

 # Editor specific
-.vscode/*
+.vscode/*
+
+frontend-build
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -1,7 +1,13 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
+ARG INTERCOM_ID=intercom-id

-FROM node:16-alpine AS frontend-dependencies
+FROM  node:16-alpine AS base
+
+FROM base AS frontend-dependencies
+
+# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
+RUN apk add --no-cache libc6-compat

 WORKDIR /app

@ -11,7 +17,7 @@ COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
 RUN npm ci --only-production --ignore-scripts

 # Rebuild the source code only when needed
-FROM node:16-alpine AS frontend-builder
+FROM base AS frontend-builder
 WORKDIR /app

 # Copy dependencies
@ -27,41 +33,38 @@ ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ARG INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

 # Build
 RUN npm run build

 # Production image
-FROM node:16-alpine AS frontend-runner
+FROM base AS frontend-runner
 WORKDIR /app

 RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
+RUN adduser --system --uid 1001 non-root-user

-RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
 VOLUME /app/.next/cache/images

-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
-ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
-
-COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
-RUN chown nextjs:nodejs ./public/data
-COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+RUN chown non-root-user:nodejs ./public/data
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

-USER nextjs
+USER non-root-user

 ENV NEXT_TELEMETRY_DISABLED 1

 ##
 ## BACKEND
 ##
-FROM node:16-alpine AS backend-build
+FROM base AS backend-build
+RUN addgroup --system --gid 1001 nodejs \
+  && adduser --system --uid 1001 non-root-user

 WORKDIR /app

@ -69,10 +72,11 @@ COPY backend/package*.json ./
 RUN npm ci --only-production

 COPY /backend .
+COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm run build

 # Production stage
-FROM node:16-alpine AS backend-runner
+FROM base AS backend-runner

 WORKDIR /app

@ -81,27 +85,44 @@ RUN npm ci --only-production

 COPY --from=backend-build /app .

+RUN mkdir frontend-build
+
 # Production stage
-FROM node:16-alpine AS production
+FROM base AS production
+RUN addgroup --system --gid 1001 nodejs \
+  && adduser --system --uid 1001 non-root-user
+
+## set pre baked keys
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID=intercom-id
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID

 WORKDIR / 

-# Install PM2
-RUN npm install -g pm2
-# Copy ecosystem.config.js
-COPY ecosystem.config.js .
-
-RUN apk add --no-cache nginx
-
-COPY nginx/default-stand-alone-docker.conf /etc/nginx/nginx.conf
-
 COPY --from=backend-runner /app /backend

-COPY --from=frontend-runner /app/ /app/
+COPY --from=frontend-runner /app ./backend/frontend-build

-EXPOSE 80
+ENV PORT 8080
 ENV HTTPS_ENABLED false 
+ENV NODE_ENV production
+ENV STANDALONE_BUILD true 
+
+WORKDIR /backend
+
+ENV TELEMETRY_ENABLED true
+
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
+
+EXPOSE 8080
+
+USER non-root-user
+
+CMD ["./standalone-entrypoint.sh"]

-CMD ["pm2-runtime", "start", "ecosystem.config.js"]


--- a/README.md
+++ b/README.md
@ -1,9 +1,8 @@
 <h1 align="center">
-  <img width="300" src="/img/logoname-black.svg#gh-light-mode-only" alt="infisical">
  <img width="300" src="/img/logoname-white.svg#gh-dark-mode-only" alt="infisical">
 </h1>
 <p align="center">
-  <p align="center"><b>Open-source, end-to-end encrypted secret management platform</b>: distribute secrets/configs across your team/infrastructure and prevent secret leaks.</p>
+  <p align="center"><b>The open-source secret management platform</b>: Sync secrets/configs across your team/infrastructure and prevent secret leaks.</p>
 </p>

 <h4 align="center">
@ -34,7 +33,7 @@
    <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
  </a>
  <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-1.38M-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-2.58M-orange" alt="Cloudsmith downloads" />
  </a>
  <a href="https://infisical.com/slack">
    <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
@ -44,11 +43,11 @@
  </a>
 </h4>

-<img src="/img/infisical_github_repo.png" width="100%" alt="Dashboard" />
+<img src="/img/infisical_github_repo2.png" width="100%" alt="Dashboard" />

 ## Introduction

-**[Infisical](https://infisical.com)** is an open source, end-to-end encrypted secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.
+**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.

 We're on a mission to make secret management more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.

@ -134,7 +133,6 @@ Whether it's big or small, we love contributions. Check out our guide to see how

 Not sure where to get started? You can:

- [Book a free, non-pressure pairing session / code walkthrough with one of our teammates](https://cal.com/tony-infisical/30-min-meeting-contributing)!
 - Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.
 - Join our [community calls](https://us06web.zoom.us/j/82623506356) every Wednesday at 11am EST to ask any questions, provide feedback, hangout and more.

--- a/backend/.eslintrc
+++ b/backend/.eslintrc
@ -26,6 +26,7 @@
    ],
    "@typescript-eslint/no-unused-vars": "off",
    "unused-imports/no-unused-imports": "error",
+    "@typescript-eslint/no-extra-semi": "off", // added to be able to push
    "unused-imports/no-unused-vars": [
      "warn",
      {
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -6,11 +6,12 @@
    "@godaddy/terminus": "^4.12.0",
    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.49.0",
+    "@sentry/node": "^7.77.0",
    "@sentry/tracing": "^7.48.0",
    "@types/crypto-js": "^4.1.1",
    "@types/libsodium-wrappers": "^0.7.10",
    "@ucast/mongo2js": "^1.3.4",
+    "ajv": "^8.12.0",
    "argon2": "^0.30.3",
    "aws-sdk": "^2.1364.0",
    "axios": "^1.3.5",
@ -19,7 +20,7 @@
    "bigint-conversion": "^2.4.0",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
+    "crypto-js": "^4.2.0",
    "dotenv": "^16.0.1",
    "express": "^4.18.1",
    "express-async-errors": "^3.1.1",
@ -29,19 +30,25 @@
    "helmet": "^5.1.1",
    "infisical-node": "^1.2.1",
    "ioredis": "^5.3.2",
+    "jmespath": "^0.16.0",
    "js-yaml": "^4.1.0",
    "jsonwebtoken": "^9.0.0",
    "jsrp": "^0.2.4",
    "libsodium-wrappers": "^0.7.10",
    "lodash": "^4.17.21",
-    "mongodb": "^5.7.0",
    "mongoose": "^7.4.1",
+    "mysql2": "^3.6.2",
    "nanoid": "^3.3.6",
    "node-cache": "^5.1.2",
    "nodemailer": "^6.8.0",
+    "ora": "^5.4.1",
    "passport": "^0.6.0",
    "passport-github": "^1.1.0",
+    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
+    "pg": "^8.11.3",
+    "pino": "^8.16.1",
+    "pino-http": "^8.5.1",
    "posthog-node": "^2.6.0",
    "probot": "^12.3.1",
    "query-string": "^7.1.3",
@ -52,16 +59,19 @@
    "tweetnacl-util": "^0.15.1",
    "typescript": "^4.9.3",
    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6",
-    "zod": "^3.21.4"
+    "zod": "^3.22.3"
+  },
+  "overrides": {
+    "rate-limit-mongo": {
+      "mongodb": "5.8.0"
+    }
  },
  "name": "infisical-api",
  "version": "1.0.0",
  "main": "src/index.js",
  "scripts": {
    "start": "node build/index.js",
-    "dev": "nodemon",
+    "dev": "nodemon index.js | pino-pretty --colorize",
    "swagger-autogen": "node ./swagger/index.ts",
    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
    "lint": "eslint . --ext .ts",
@ -93,12 +103,15 @@
    "@types/cors": "^2.8.12",
    "@types/express": "^4.17.14",
    "@types/jest": "^29.5.0",
+    "@types/jmespath": "^0.15.1",
    "@types/jsonwebtoken": "^8.5.9",
    "@types/lodash": "^4.14.191",
    "@types/node": "^18.11.3",
    "@types/nodemailer": "^6.4.6",
    "@types/passport": "^1.0.12",
+    "@types/pg": "^8.10.7",
    "@types/picomatch": "^2.3.0",
+    "@types/pino": "^7.0.5",
    "@types/supertest": "^2.0.12",
    "@types/swagger-jsdoc": "^6.0.1",
    "@types/swagger-ui-express": "^4.1.3",
@ -112,6 +125,7 @@
    "jest-junit": "^15.0.0",
    "nodemon": "^2.0.19",
    "npm": "^8.19.3",
+    "pino-pretty": "^10.2.3",
    "smee-client": "^1.2.3",
    "supertest": "^6.3.3",
    "swagger-autogen": "^2.23.5",
--- a/backend/spec.json
+++ b/backend/spec.json
--- a/backend/src/bootstrap.ts
+++ b/backend/src/bootstrap.ts
@ -0,0 +1,43 @@
+import ora from "ora";
+import nodemailer from "nodemailer";
+import { getSmtpHost, getSmtpPort } from "./config";
+import { logger } from "./utils/logging";
+import mongoose from "mongoose";
+import { redisClient } from "./services/RedisService";
+
+type BootstrapOpt = {
+  transporter: nodemailer.Transporter;
+};
+
+export const bootstrap = async ({ transporter }: BootstrapOpt) => {
+  const spinner = ora().start();
+  spinner.info("Checking configurations...");
+  spinner.info("Testing smtp connection");
+
+  await transporter
+    .verify()
+    .then(async () => {
+      spinner.succeed("SMTP successfully connected");
+    })
+    .catch(async (err) => {
+      spinner.fail(`SMTP - Failed to connect to ${await getSmtpHost()}:${await getSmtpPort()}`);
+      logger.error(err);
+    });
+
+  spinner.info("Testing mongodb connection");
+  if (mongoose.connection.readyState !== mongoose.ConnectionStates.connected) {
+    spinner.fail("Mongo DB - Failed to connect");
+  } else {
+    spinner.succeed("Mongodb successfully connected");
+  }
+
+  spinner.info("Testing redis connection");
+  const redisPing = await redisClient?.ping();
+  if (!redisPing) {
+    spinner.fail("Redis - Failed to connect");
+  } else {
+    spinner.succeed("Redis successfully connected");
+  }
+
+  spinner.stop();
+};
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,100 +1,158 @@
+import { GITLAB_URL } from "../variables";
+
 import InfisicalClient from "infisical-node";

 export const client = new InfisicalClient({
-  token: process.env.INFISICAL_TOKEN!,
+  token: process.env.INFISICAL_TOKEN!
 });

 export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
 export const getEncryptionKey = async () => {
  const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
  return secretValue === "" ? undefined : secretValue;
-}
+};
 export const getRootEncryptionKey = async () => {
  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue;
  return secretValue === "" ? undefined : secretValue;
-}
-export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
-export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
-export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
-export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
-export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
-export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
-export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
-export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
-export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
-export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
+};
+export const getInviteOnlySignup = async () =>
+  (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true";
+export const getSaltRounds = async () =>
+  parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getAuthSecret = async () =>
+  (await client.getSecret("JWT_AUTH_SECRET")).secretValue ??
+  (await client.getSecret("AUTH_SECRET")).secretValue;
+export const getJwtAuthLifetime = async () =>
+  (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
+export const getJwtMfaLifetime = async () =>
+  (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtRefreshLifetime = async () =>
+  (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
+export const getJwtServiceSecret = async () =>
+  (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; // TODO: deprecate (related to ST V1)
+export const getJwtSignupLifetime = async () =>
+  (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
+export const getJwtProviderAuthLifetime = async () =>
+  (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
 export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
-export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
-export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
+export const getNodeEnv = async () =>
+  (await client.getSecret("NODE_ENV")).secretValue || "production";
+export const getVerboseErrorOutput = async () =>
+  (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
 export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
 export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
-export const getClientIdHeroku = async () => (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
-export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
-export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
-export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
-export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
-export const getClientIdBitBucket = async () => (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
-export const getClientIdGCPSecretManager = async () => (await client.getSecret("CLIENT_ID_GCP_SECRET_MANAGER")).secretValue;
-export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
-export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
-export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
-export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
-export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
-export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
-export const getClientSecretBitBucket = async () => (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
-export const getClientSecretGCPSecretManager = async () => (await client.getSecret("CLIENT_SECRET_GCP_SECRET_MANAGER")).secretValue;
-export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+export const getClientIdHeroku = async () =>
+  (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
+export const getClientIdVercel = async () =>
+  (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
+export const getClientIdNetlify = async () =>
+  (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
+export const getClientIdGitHub = async () =>
+  (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
+export const getClientIdGitLab = async () =>
+  (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
+export const getClientIdBitBucket = async () =>
+  (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
+export const getClientIdGCPSecretManager = async () =>
+  (await client.getSecret("CLIENT_ID_GCP_SECRET_MANAGER")).secretValue;
+export const getClientSecretAzure = async () =>
+  (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
+export const getClientSecretHeroku = async () =>
+  (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
+export const getClientSecretVercel = async () =>
+  (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
+export const getClientSecretNetlify = async () =>
+  (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
+export const getClientSecretGitHub = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
+export const getClientSecretGitLab = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
+export const getClientSecretBitBucket = async () =>
+  (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
+export const getClientSecretGCPSecretManager = async () =>
+  (await client.getSecret("CLIENT_SECRET_GCP_SECRET_MANAGER")).secretValue;
+export const getClientSlugVercel = async () =>
+  (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;

-export const getClientIdGoogleLogin = async () => (await client.getSecret("CLIENT_ID_GOOGLE_LOGIN")).secretValue;
-export const getClientSecretGoogleLogin = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE_LOGIN")).secretValue;
-export const getClientIdGitHubLogin = async () => (await client.getSecret("CLIENT_ID_GITHUB_LOGIN")).secretValue;
-export const getClientSecretGitHubLogin = async () => (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
+export const getClientIdGoogleLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GOOGLE_LOGIN")).secretValue;
+export const getClientSecretGoogleLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GOOGLE_LOGIN")).secretValue;
+export const getClientIdGitHubLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GITHUB_LOGIN")).secretValue;
+export const getClientSecretGitHubLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
+export const getClientIdGitLabLogin = async () =>
+  (await client.getSecret("CLIENT_ID_GITLAB_LOGIN")).secretValue;
+export const getClientSecretGitLabLogin = async () =>
+  (await client.getSecret("CLIENT_SECRET_GITLAB_LOGIN")).secretValue;
+export const getUrlGitLabLogin = async () =>
+  (await client.getSecret("URL_GITLAB_LOGIN")).secretValue || GITLAB_URL;

-export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
-export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
+export const getPostHogHost = async () =>
+  (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
+export const getPostHogProjectApiKey = async () =>
+  (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue ||
+  "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
 export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
 export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
 export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
-export const getSmtpSecure = async () => (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
-export const getSmtpPort = async () => parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
+export const getSmtpSecure = async () =>
+  (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
+export const getSmtpPort = async () =>
+  parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
 export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
 export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
-export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
-export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
+export const getSmtpFromAddress = async () =>
+  (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
+export const getSmtpFromName = async () =>
+  (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";

-export const getSecretScanningWebhookProxy = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
-export const getSecretScanningWebhookSecret = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
-export const getSecretScanningGitAppId = async () => (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
-export const getSecretScanningPrivateKey = async () => (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;
+export const getSecretScanningWebhookProxy = async () =>
+  (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
+export const getSecretScanningWebhookSecret = async () =>
+  (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
+export const getSecretScanningGitAppId = async () =>
+  (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
+export const getSecretScanningPrivateKey = async () =>
+  (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;

 export const getRedisUrl = async () => (await client.getSecret("REDIS_URL")).secretValue;
+export const getIsInfisicalCloud = async () =>
+  (await client.getSecret("INFISICAL_CLOUD")).secretValue === "true";

 export const getLicenseKey = async () => {
  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
  return secretValue === "" ? undefined : secretValue;
-}
+};
 export const getLicenseServerKey = async () => {
  const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
  return secretValue === "" ? undefined : secretValue;
-}
-export const getLicenseServerUrl = async () => (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
+};
+export const getLicenseServerUrl = async () =>
+  (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";

-export const getTelemetryEnabled = async () => (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
+export const getTelemetryEnabled = async () =>
+  (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
 export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
-export const getSmtpConfigured = async () => (await client.getSecret("SMTP_HOST")).secretValue == "" || (await client.getSecret("SMTP_HOST")).secretValue == undefined ? false : true
+export const getSmtpConfigured = async () =>
+  (await client.getSecret("SMTP_HOST")).secretValue == "" ||
+  (await client.getSecret("SMTP_HOST")).secretValue == undefined
+    ? false
+    : true;
 export const getHttpsEnabled = async () => {
  if ((await getNodeEnv()) != "production") {
    // no https for anything other than prod
-    return false
+    return false;
  }

-  if ((await client.getSecret("HTTPS_ENABLED")).secretValue == undefined || (await client.getSecret("HTTPS_ENABLED")).secretValue == "") {
+  if (
+    (await client.getSecret("HTTPS_ENABLED")).secretValue == undefined ||
+    (await client.getSecret("HTTPS_ENABLED")).secretValue == ""
+  ) {
    // default when no value present
-    return true
+    return true;
  }

-  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true
-}
+  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true;
+};
--- a/backend/src/config/serverConfig.ts
+++ b/backend/src/config/serverConfig.ts
@ -0,0 +1,24 @@
+import { IServerConfig, ServerConfig } from "../models/serverConfig";
+
+let serverConfig: IServerConfig;
+
+export const serverConfigInit = async () => {
+  const cfg = await ServerConfig.findOne({});
+  if (!cfg) {
+    const cfg = new ServerConfig();
+    await cfg.save();
+    serverConfig = cfg;
+  } else {
+    serverConfig = cfg;
+  }
+  return serverConfig;
+};
+
+export const getServerConfig = () => serverConfig;
+
+export const updateServerConfig = async (data: Partial<IServerConfig>) => {
+  const cfg = await ServerConfig.findByIdAndUpdate(serverConfig._id, data, { new: true });
+  if (!cfg) throw new Error("Failed to update server config");
+  serverConfig = cfg;
+  return serverConfig;
+};
--- a/backend/src/controllers/v1/adminController.ts
+++ b/backend/src/controllers/v1/adminController.ts
@ -0,0 +1,100 @@
+import { Request, Response } from "express";
+import { getHttpsEnabled } from "../../config";
+import { getServerConfig, updateServerConfig as setServerConfig } from "../../config/serverConfig";
+import { initializeDefaultOrg, issueAuthTokens } from "../../helpers";
+import { validateRequest } from "../../helpers/validation";
+import { User } from "../../models";
+import { TelemetryService } from "../../services";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import * as reqValidator from "../../validation/admin";
+
+export const getServerConfigInfo = (_req: Request, res: Response) => {
+  const config = getServerConfig();
+  return res.send({ config });
+};
+
+export const updateServerConfig = async (req: Request, res: Response) => {
+  const {
+    body: { allowSignUp }
+  } = await validateRequest(reqValidator.UpdateServerConfigV1, req);
+  const config = await setServerConfig({ allowSignUp });
+  return res.send({ config });
+};
+
+export const adminSignUp = async (req: Request, res: Response) => {
+  const cfg = getServerConfig();
+  if (cfg.initialized) throw UnauthorizedRequestError({ message: "Admin has been created" });
+  const {
+    body: {
+      email,
+      publicKey,
+      salt,
+      lastName,
+      verifier,
+      firstName,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      encryptedPrivateKeyIV,
+      encryptedPrivateKeyTag
+    }
+  } = await validateRequest(reqValidator.SignupV1, req);
+  let user = await User.findOne({ email });
+  if (user) throw BadRequestError({ message: "User already exist" });
+  user = new User({
+    email,
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    iv: encryptedPrivateKeyIV,
+    tag: encryptedPrivateKeyTag,
+    salt,
+    verifier,
+    superAdmin: true
+  });
+  await user.save();
+  await initializeDefaultOrg({ organizationName: "Admin Org", user });
+
+  await setServerConfig({ initialized: true });
+
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? ""
+  });
+
+  const token = tokens.token;
+
+  const postHogClient = await TelemetryService.getPostHogClient();
+  if (postHogClient) {
+    postHogClient.capture({
+      event: "admin initialization",
+      properties: {
+        email: user.email,
+        lastName,
+        firstName
+      }
+    });
+  }
+
+  // store (refresh) token in httpOnly cookie
+  res.cookie("jid", tokens.refreshToken, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled()
+  });
+
+  return res.status(200).send({
+    message: "Successfully set up admin account",
+    user,
+    token
+  });
+};
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -6,25 +6,30 @@ const jsrp = require("jsrp");
 import { LoginSRPDetail, TokenVersion, User } from "../../models";
 import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
-import { ACTION_LOGIN, ACTION_LOGOUT } from "../../variables";
+import { AuthTokenType } from "../../variables";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
-import { EELogService } from "../../ee/services";
-import { getUserAgentType } from "../../utils/posthog";
 import {
+  getAuthSecret,
  getHttpsEnabled,
-  getJwtAuthLifetime,
-  getJwtAuthSecret,
-  getJwtRefreshSecret
+  getJwtAuthLifetime
 } from "../../config";
 import { ActorType } from "../../ee/models";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";

 declare module "jsonwebtoken" {
+  export interface AuthnJwtPayload extends jwt.JwtPayload {
+    authTokenType: AuthTokenType;
+  }
  export interface UserIDJwtPayload extends jwt.JwtPayload {
    userId: string;
    refreshVersion?: number;
  }
+  export interface ServiceRefreshTokenJwtPayload extends jwt.JwtPayload {
+    serviceTokenDataId: string;
+    authTokenType: string;
+    tokenVersion: number;
+  }
 }

 /**
@ -134,19 +139,6 @@ export const login2 = async (req: Request, res: Response) => {
          secure: await getHttpsEnabled()
        });

-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.realIP
-          }));
-
        // return (access) token in response
        return res.status(200).send({
          token: tokens.token,
@ -183,19 +175,6 @@ export const logout = async (req: Request, res: Response) => {
    secure: (await getHttpsEnabled()) as boolean
  });

-  const logoutAction = await EELogService.createAction({
-    name: ACTION_LOGOUT,
-    userId: req.user._id
-  });
-
-  logoutAction &&
-    (await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getUserAgentType(req.headers["user-agent"]),
-      ipAddress: req.realIP
-    }));
-
  return res.status(200).send({
    message: "Successfully logged out."
  });
@ -238,6 +217,7 @@ export const checkAuth = async (req: Request, res: Response) => {
 * @returns
 */
 export const getNewToken = async (req: Request, res: Response) => {
+
  const refreshToken = req.cookies.jid;

  if (!refreshToken)
@ -245,7 +225,9 @@ export const getNewToken = async (req: Request, res: Response) => {
      message: "Failed to find refresh token in request cookies"
    });

-  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getJwtRefreshSecret());
+  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getAuthSecret());
+  
+  if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN) throw UnauthorizedRequestError();

  const user = await User.findOne({
    _id: decodedToken.userId
@ -268,12 +250,13 @@ export const getNewToken = async (req: Request, res: Response) => {

  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.ACCESS_TOKEN,
      userId: decodedToken.userId,
      tokenVersionId: tokenVersion._id.toString(),
      accessVersion: tokenVersion.refreshVersion
    },
    expiresIn: await getJwtAuthLifetime(),
-    secret: await getJwtAuthSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
@ -16,6 +16,7 @@ import * as workspaceController from "./workspaceController";
 import * as secretScanningController from "./secretScanningController";
 import * as webhookController from "./webhookController";
 import * as secretImpsController from "./secretImpsController";
+import * as adminController from "./adminController";

 export {
  authController,
@ -35,5 +36,6 @@ export {
  workspaceController,
  secretScanningController,
  webhookController,
-  secretImpsController
+  secretImpsController,
+  adminController
 };
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -10,6 +10,7 @@ import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
  INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_CHECKLY_API_URL,
  INTEGRATION_GCP_SECRET_MANAGER,
  INTEGRATION_NORTHFLANK_API_URL,
  INTEGRATION_QOVERY_API_URL,
@ -28,7 +29,6 @@ import {
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
 import { getIntegrationAuthAccessHelper } from "../../helpers";
-import { ObjectId } from "mongodb";

 /***
 * Return integration authorization with id [integrationAuthId]
@ -222,7 +222,7 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken, accessId } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -260,7 +260,7 @@ export const getIntegrationAuthTeams = async (req: Request, res: Response) => {

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -296,7 +296,7 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -345,6 +345,59 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
  });
 };

+/**
+ * Return list of Checkly groups for a specific user
+ * @param req
+ * @param res
+ */
+export const getIntegrationAuthChecklyGroups = async (req: Request, res: Response) => {
+  const {
+    params: { integrationAuthId },
+    query: { accountId }
+  } = await validateRequest(reqValidator.GetIntegrationAuthChecklyGroupsV1, req);
+  
+  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getUserProjectPermissions(
+    req.user._id,
+    integrationAuth.workspace.toString()
+  );
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Integrations
+  );
+
+  interface ChecklyGroup {
+    id: number;
+    name: string;
+  }
+  
+  if (accountId && accountId !== "") {
+    const { data }: { data: ChecklyGroup[] } = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/check-groups`, {
+          headers: {
+              Authorization: `Bearer ${accessToken}`,
+              Accept: "application/json",
+              "X-Checkly-Account": accountId
+          }
+      })
+    );
+    
+    return res.status(200).send({
+      groups: data.map((g: ChecklyGroup) => ({
+        name: g.name,
+        groupId: g.id,
+      }))
+    });
+  }
+
+  return res.status(200).send({
+    groups: []
+  });
+}
+
 /**
 * Return list of Qovery Orgs for a specific user
 * @param req
@ -357,7 +410,7 @@ export const getIntegrationAuthQoveryOrgs = async (req: Request, res: Response)

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -409,7 +462,7 @@ export const getIntegrationAuthQoveryProjects = async (req: Request, res: Respon
  
  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -470,7 +523,7 @@ export const getIntegrationAuthQoveryEnvironments = async (req: Request, res: Re

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -531,7 +584,7 @@ export const getIntegrationAuthQoveryApps = async (req: Request, res: Response)

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -592,7 +645,7 @@ export const getIntegrationAuthQoveryContainers = async (req: Request, res: Resp

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -653,7 +706,7 @@ export const getIntegrationAuthQoveryJobs = async (req: Request, res: Response)

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -715,7 +768,7 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -808,7 +861,7 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -932,7 +985,7 @@ export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: R

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -988,7 +1041,7 @@ export const getIntegrationAuthNorthflankSecretGroups = async (req: Request, res

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -1076,7 +1129,7 @@ export const getIntegrationAuthTeamCityBuildConfigs = async (req: Request, res:
  
  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
@ -1145,7 +1198,7 @@ export const deleteIntegrationAuth = async (req: Request, res: Response) => {

  // TODO(akhilmhdh): remove class -> static function path and makes these into reusable independent functions
  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
-    integrationAuthId: new ObjectId(integrationAuthId)
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
  });

  const { permission } = await getUserProjectPermissions(
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -1,7 +1,7 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { IUser, Key, Membership, MembershipOrg, User, Workspace } from "../../models";
-import { EventType } from "../../ee/models";
+import { EventType, Role } from "../../ee/models";
 import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
 import { sendMail } from "../../helpers/nodemailer";
 import { ACCEPTED, ADMIN, CUSTOM, MEMBER, VIEWER } from "../../variables";
@ -15,7 +15,6 @@ import {
  getUserProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
-import Role from "../../ee/models/role";
 import { BadRequestError } from "../../utils/errors";
 import { InviteUserToWorkspaceV1 } from "../../validation/workspace";

--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -8,11 +8,11 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
 import { EELicenseService } from "../../ee/services";
-import { ACCEPTED, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
 import * as reqValidator from "../../validation/membershipOrg";
 import {
+  getAuthSecret,
  getJwtSignupLifetime,
-  getJwtSignupSecret,
  getSiteURL,
  getSmtpConfigured
 } from "../../config";
@ -272,10 +272,11 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
  // generate temporary signup token
  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
      userId: user._id.toString()
    },
    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -6,13 +6,11 @@ import {
  Organization,
  Workspace
 } from "../../models";
-import { createOrganization as create } from "../../helpers/organization";
-import { addMembershipsOrg } from "../../helpers/membershipOrg";
-import { ACCEPTED, ADMIN } from "../../variables";
 import { getLicenseServerUrl, getSiteURL } from "../../config";
 import { licenseServerKeyRequest } from "../../config/request";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/organization";
+import { ACCEPTED } from "../../variables";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
@ -34,36 +32,6 @@ export const getOrganizations = async (req: Request, res: Response) => {
  });
 };

-/**
- * Create new organization named [organizationName]
- * and add user as owner
- * @param req
- * @param res
- * @returns
- */
-export const createOrganization = async (req: Request, res: Response) => {
-  const {
-    body: { organizationName }
-  } = await validateRequest(reqValidator.CreateOrgv1, req);
-
-  // create organization and add user as member
-  const organization = await create({
-    email: req.user.email,
-    name: organizationName
-  });
-
-  await addMembershipsOrg({
-    userIds: [req.user._id.toString()],
-    organizationId: organization._id.toString(),
-    roles: [ADMIN],
-    statuses: [ACCEPTED]
-  });
-
-  return res.status(200).send({
-    organization
-  });
-};
-
 /**
 * Return organization with id [organizationId]
 * @param req
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -5,12 +5,12 @@ import * as bigintConversion from "bigint-conversion";
 import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
 import { clearTokens, createToken, sendMail } from "../../helpers";
 import { TokenService } from "../../services";
-import { TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { AuthTokenType, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
 import { BadRequestError } from "../../utils/errors";
 import {
+  getAuthSecret,
  getHttpsEnabled,
  getJwtSignupLifetime,
-  getJwtSignupSecret,
  getSiteURL
 } from "../../config";
 import { ActorType } from "../../ee/models";
@ -88,10 +88,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  // generate temporary password-reset token
  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
      userId: user._id.toString()
    },
    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend/src/controllers/v1/secretImpsController.ts
+++ b/backend/src/controllers/v1/secretImpsController.ts
@ -2,7 +2,7 @@ import { Request, Response } from "express";
 import { isValidScope } from "../../helpers";
 import { Folder, IServiceTokenData, SecretImport, ServiceTokenData } from "../../models";
 import { getAllImportedSecrets } from "../../services/SecretImportService";
-import { getFolderWithPathFromId } from "../../services/FolderService";
+import { getFolderByPath, getFolderWithPathFromId } from "../../services/FolderService";
 import {
  BadRequestError,
  ResourceNotFoundError,
@ -22,7 +22,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 export const createSecretImp = async (req: Request, res: Response) => {
  /* 
    #swagger.summary = 'Create secret import'
-    #swagger.description = 'Create a new secret import for a specified workspace and environment'
+    #swagger.description = 'Create secret import'

    #swagger.requestBody = {
        content: {
@ -32,36 +32,36 @@ export const createSecretImp = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the secret import will be created",
+                            "description": "ID of workspace where to create secret import",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment to import to",
-                            "example": "production"
+                            "description": "Slug of environment where to create secret import",
+                            "example": "dev"
                        },
-                        "folderId": {
+                        "directory": {
                            "type": "string",
-                            "description": "Folder ID. Use root for the root folder.",
-                            "example": "my_folder"
+                            "description": "Path where to create secret import like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        },
                        "secretImport": {
                            "type": "object",
                            "properties": {
                              "environment": {
                                "type": "string",
-                                "description": "Import from environment",
+                                "description": "Slug of environment to import from",
                                "example": "development"
                              },
                              "secretPath": {
                                "type": "string",
-                                "description": "Import from secret path",
+                                "description": "Path where to import from like / or /foo/bar.",
                                "example": "/user/oauth"
                              }
                            }
                        }
                    },
-                    "required": ["workspaceId", "environment", "folderName"]
+                    "required": ["workspaceId", "environment", "directory", "secretImport"]
                }
            }
        }
@ -95,37 +95,12 @@ export const createSecretImp = async (req: Request, res: Response) => {
  */

  const {
-    body: { workspaceId, environment, folderId, secretImport }
+    body: { workspaceId, environment, directory, secretImport }
  } = await validateRequest(reqValidator.CreateSecretImportV1, req);

-  const folders = await Folder.findOne({
-    workspace: workspaceId,
-    environment
-  }).lean();
-
-  if (!folders && folderId !== "root") {
-    throw ResourceNotFoundError({
-      message: "Failed to find folder"
-    });
-  }
-
-  let secretPath = "/";
-  if (folders) {
-    const { folderPath } = getFolderWithPathFromId(folders.nodes, folderId);
-    secretPath = folderPath;
-  }
-
  if (req.authData.authPayload instanceof ServiceTokenData) {
    // root check
-    let isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
-    if (!isValidScopeAccess) {
-      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-    }
-    isValidScopeAccess = isValidScope(
-      req.authData.authPayload,
-      secretImport.environment,
-      secretImport.secretPath
-    );
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
    if (!isValidScopeAccess) {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
@ -133,27 +108,31 @@ export const createSecretImp = async (req: Request, res: Response) => {
    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: secretImport.environment,
-        secretPath: secretImport.secretPath
-      })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
    );
  }

+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  }).lean();
+
+  if (!folders && directory !== "/")
+    throw ResourceNotFoundError({ message: "Failed to find folder" });
+
+  let folderId = "root";
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, directory);
+    if (!folder) throw BadRequestError({ message: "Folder not found" });
+    folderId = folder.id;
+  }
+
  const importSecDoc = await SecretImport.findOne({
    workspace: workspaceId,
    environment,
    folderId
  });

-  const importToSecretPath = folders
-    ? getFolderWithPathFromId(folders.nodes, folderId).folderPath
-    : "/";
-
  if (!importSecDoc) {
    const doc = new SecretImport({
      workspace: workspaceId,
@ -173,7 +152,7 @@ export const createSecretImp = async (req: Request, res: Response) => {
          importFromEnvironment: secretImport.environment,
          importFromSecretPath: secretImport.secretPath,
          importToEnvironment: environment,
-          importToSecretPath
+          importToSecretPath: directory
        }
      },
      {
@ -206,7 +185,7 @@ export const createSecretImp = async (req: Request, res: Response) => {
        importFromEnvironment: secretImport.environment,
        importFromSecretPath: secretImport.secretPath,
        importToEnvironment: environment,
-        importToSecretPath
+        importToSecretPath: directory
      }
    },
    {
@ -227,12 +206,12 @@ export const createSecretImp = async (req: Request, res: Response) => {
 */
 export const updateSecretImport = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Update a secret import'
-    #swagger.description = 'Updates an existing secret import based on the provided ID and new import details'
+    #swagger.summary = 'Update secret import'
+    #swagger.description = 'Update secret import'

    #swagger.parameters['id'] = {
        in: 'path',
-        description: 'ID of the secret import to be updated',
+        description: 'ID of secret import to update',
        required: true,
        type: 'string',
        example: 'import12345'
@ -246,19 +225,19 @@ export const updateSecretImport = async (req: Request, res: Response) => {
                    "properties": {
                        "secretImports": {
                            "type": "array",
-                            "description": "List of new secret imports",
+                            "description": "List of secret imports to update to",
                            "items": {
                                "type": "object",
                                "properties": {
                                    "environment": {
                                        "type": "string",
-                                        "description": "Environment of the secret import",
-                                        "example": "production"
+                                        "description": "Slug of environment to import from",
+                                        "example": "dev"
                                    },
                                    "secretPath": {
                                        "type": "string",
-                                        "description": "Path of the secret import",
-                                        "example": "/path/to/secret"
+                                        "description": "Path where to import secrets from like / or /foo/bar",
+                                        "example": "/foo/bar"
                                    }
                                },
                                "required": ["environment", "secretPath"]
@ -385,7 +364,7 @@ export const deleteSecretImport = async (req: Request, res: Response) => {

    #swagger.parameters['id'] = {
        in: 'path',
-        description: 'ID of the secret import',
+        description: 'ID of parent secret import document from which to delete secret import',
        required: true,
        type: 'string',
        example: '12345abcde'
@ -399,12 +378,12 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
                    "properties": {
                        "secretImportEnv": {
                            "type": "string",
-                            "description": "Import from environment",
+                            "description": "Slug of environment of import to delete",
                            "example": "someWorkspaceId"
                        },
                        "secretImportPath": {
                            "type": "string",
-                            "description": "Import from secret path",
+                            "description": "Path like / or /foo/bar of import to delete",
                            "example": "production"
                        }
                    },
@ -510,12 +489,12 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
 */
 export const getSecretImports = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Retrieve secret imports'
-    #swagger.description = 'Fetches the secret imports based on the workspaceId, environment, and folderId'
+    #swagger.summary = 'Get secret imports'
+    #swagger.description = 'Get secret imports'

    #swagger.parameters['workspaceId'] = {
        in: 'query',
-        description: 'ID of the workspace of secret imports to get',
+        description: 'ID of workspace where to get secret imports from',
        required: true,
        type: 'string',
        example: 'workspace12345'
@ -523,15 +502,15 @@ export const getSecretImports = async (req: Request, res: Response) => {

    #swagger.parameters['environment'] = {
        in: 'query',
-        description: 'Environment of secret imports to get',
+        description: 'Slug of environment where to get secret imports from',
        required: true,
        type: 'string',
        example: 'production'
    }

-    #swagger.parameters['folderId'] = {
+    #swagger.parameters['directory'] = {
        in: 'query',
-        description: 'ID of the folder containing the secret imports. Default: root',
+        description: 'Path where to get secret imports from like / or /foo/bar. Default is /',
        required: false,
        type: 'string',
        example: 'folder12345'
@ -545,8 +524,7 @@ export const getSecretImports = async (req: Request, res: Response) => {
                    "type": "object",
                    "properties": {
                        "secretImport": {
-                            "type": "object",
-                            "description": "Details of a secret import"
+                          $ref: '#/definitions/SecretImport'
                        }
                    }
                }
@ -563,8 +541,38 @@ export const getSecretImports = async (req: Request, res: Response) => {
    }
  */
  const {
-    query: { workspaceId, environment, folderId }
+    query: { workspaceId, environment, directory }
  } = await validateRequest(reqValidator.GetSecretImportsV1, req);
+
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  } else {
+    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment,
+        secretPath: directory
+      })
+    );
+  }
+
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  }).lean();
+  if (!folders && directory !== "/") throw BadRequestError({ message: "Folder not found" });
+
+  let folderId = "root";
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, directory);
+    if (!folder) throw BadRequestError({ message: "Folder not found" });
+    folderId = folder.id;
+  }
+
  const importSecDoc = await SecretImport.findOne({
    workspace: workspaceId,
    environment,
@ -575,41 +583,6 @@ export const getSecretImports = async (req: Request, res: Response) => {
    return res.status(200).json({ secretImport: {} });
  }

-  // check for service token validity
-  const folders = await Folder.findOne({
-    workspace: importSecDoc.workspace,
-    environment: importSecDoc.environment
-  }).lean();
-
-  let secretPath = "/";
-  if (folders) {
-    const { folderPath } = getFolderWithPathFromId(folders.nodes, importSecDoc.folderId);
-    secretPath = folderPath;
-  }
-
-  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const isValidScopeAccess = isValidScope(
-      req.authData.authPayload,
-      importSecDoc.environment,
-      secretPath
-    );
-    if (!isValidScopeAccess) {
-      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-    }
-  } else {
-    const { permission } = await getUserProjectPermissions(
-      req.user._id,
-      importSecDoc.workspace.toString()
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: importSecDoc.environment,
-        secretPath
-      })
-    );
-  }
-
  return res.status(200).json({ secretImport: importSecDoc });
 };

@ -621,9 +594,39 @@ export const getSecretImports = async (req: Request, res: Response) => {
 */
 export const getAllSecretsFromImport = async (req: Request, res: Response) => {
  const {
-    query: { workspaceId, environment, folderId }
+    query: { workspaceId, environment, directory }
  } = await validateRequest(reqValidator.GetAllSecretsFromImportV1, req);

+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    // check for service token validity
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  } else {
+    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment,
+        secretPath: directory
+      })
+    );
+  }
+
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  }).lean();
+  if (!folders && directory !== "/") throw BadRequestError({ message: "Folder not found" });
+
+  let folderId = "root";
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, directory);
+    if (!folder) throw BadRequestError({ message: "Folder not found" });
+    folderId = folder.id;
+  }
+
  const importSecDoc = await SecretImport.findOne({
    workspace: workspaceId,
    environment,
@ -634,11 +637,6 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
    return res.status(200).json({ secrets: [] });
  }

-  const folders = await Folder.findOne({
-    workspace: importSecDoc.workspace,
-    environment: importSecDoc.environment
-  }).lean();
-
  let secretPath = "/";
  if (folders) {
    const { folderPath } = getFolderWithPathFromId(folders.nodes, importSecDoc.folderId);
--- a/backend/src/controllers/v1/secretScanningController.ts
+++ b/backend/src/controllers/v1/secretScanningController.ts
@ -1,12 +1,15 @@
 import { Request, Response } from "express";
-import GitAppInstallationSession from "../../ee/models/gitAppInstallationSession";
+import {
+  GitAppInstallationSession,
+  GitAppOrganizationInstallation,
+  GitRisks
+} from "../../ee/models";
 import crypto from "crypto";
 import { Types } from "mongoose";
 import { OrganizationNotFoundError, UnauthorizedRequestError } from "../../utils/errors";
-import GitAppOrganizationInstallation from "../../ee/models/gitAppOrganizationInstallation";
 import { scanGithubFullRepoForSecretLeaks } from "../../queues/secret-scanning/githubScanFullRepository";
 import { getSecretScanningGitAppId, getSecretScanningPrivateKey } from "../../config";
-import GitRisks, {
+import {
  STATUS_RESOLVED_FALSE_POSITIVE,
  STATUS_RESOLVED_NOT_REVOKED,
  STATUS_RESOLVED_REVOKED
--- a/backend/src/controllers/v1/secretsFolderController.ts
+++ b/backend/src/controllers/v1/secretsFolderController.ts
@ -9,12 +9,9 @@ import { Secret, ServiceTokenData } from "../../models";
 import { Folder } from "../../models/folder";
 import {
  appendFolder,
-  deleteFolderById,
-  generateFolderId,
  getAllFolderIds,
  getFolderByPath,
  getFolderWithPathFromId,
-  getParentFromFolderId,
  validateFolderName
 } from "../../services/FolderService";
 import {
@ -25,20 +22,17 @@ import {
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import * as reqValidator from "../../validation/folders";

-/**
- * Create folder with name [folderName] for workspace with id [workspaceId]
- * and environment [environment]
- * @param req
- * @param res
- * @returns
- */
+const ERR_FOLDER_NOT_FOUND = BadRequestError({ message: "The folder doesn't exist" });
+
+// verify workspace id/environment
 export const createFolder = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Create a folder'
-    #swagger.description = 'Create a new folder in a specified workspace and environment'
+    #swagger.summary = 'Create folder'
+    #swagger.description = 'Create folder'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

    #swagger.requestBody = {
@ -49,23 +43,23 @@ export const createFolder = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the folder will be created",
+                            "description": "ID of the workspace where to create folder",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment where the folder will reside",
+                            "description": "Slug of environment where to create folder",
                            "example": "production"
                        },
                        "folderName": {
                            "type": "string",
-                            "description": "Name of the folder to be created",
+                            "description": "Name of folder to create",
                            "example": "my_folder"
                        },
-                        "parentFolderId": {
+                        "directory": {
                            "type": "string",
-                            "description": "ID of the parent folder under which this folder will be created. If not specified, it will be created at the root level.",
-                            "example": "someParentFolderId"
+                            "description": "Path where to create folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        }
                    },
                    "required": ["workspaceId", "environment", "folderName"]
@ -85,14 +79,21 @@ export const createFolder = async (req: Request, res: Response) => {
                            "properties": {
                                "id": {
                                    "type": "string",
+                                    "description": "ID of folder",
                                    "example": "someFolderId"
                                },
                                "name": {
                                    "type": "string",
+                                    "description": "Name of folder",
                                    "example": "my_folder"
+                                },
+                                "version": {
+                                    "type": "number",
+                                    "description": "Version of folder",
+                                    "example": 1
                                }
                            },
-                            "description": "Details of the created folder"
+                            "description": "Details of created folder"
                        }
                    }
                }
@ -107,7 +108,7 @@ export const createFolder = async (req: Request, res: Response) => {
    }
  */
  const {
-    body: { workspaceId, environment, folderName, parentFolderId }
+    body: { workspaceId, environment, folderName, directory }
  } = await validateRequest(reqValidator.CreateFolderV1, req);

  if (!validateFolderName(folderName)) {
@ -116,35 +117,28 @@ export const createFolder = async (req: Request, res: Response) => {
    });
  }

+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    // token check
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  } else {
+    // user check
+    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
+    );
+  }
+
  const folders = await Folder.findOne({
    workspace: workspaceId,
    environment
  }).lean();

-  if (req.user) {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
-    const secretPath =
-      folders && parentFolderId
-        ? getFolderWithPathFromId(folders.nodes, parentFolderId).folderPath
-        : "/";
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-  }
-
  // space has no folders initialized
-
  if (!folders) {
-    if (req.authData.authPayload instanceof ServiceTokenData) {
-      // root check
-      const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, "/");
-      if (!isValidScopeAccess) {
-        throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-      }
-    }
-
-    const id = generateFolderId();
    const folder = new Folder({
      workspace: workspaceId,
      environment,
@ -152,14 +146,15 @@ export const createFolder = async (req: Request, res: Response) => {
        id: "root",
        name: "root",
        version: 1,
-        children: [{ id, name: folderName, children: [], version: 1 }]
+        children: []
      }
    });
+    const { parent, child } = appendFolder(folder.nodes, { folderName, directory });
    await folder.save();
    const folderVersion = new FolderVersion({
      workspace: workspaceId,
      environment,
-      nodes: folder.nodes
+      nodes: parent
    });
    await folderVersion.save();
    await EESecretService.takeSecretSnapshot({
@ -173,9 +168,9 @@ export const createFolder = async (req: Request, res: Response) => {
        type: EventType.CREATE_FOLDER,
        metadata: {
          environment,
-          folderId: id,
+          folderId: child.id,
          folderName,
-          folderPath: `root/${folderName}`
+          folderPath: directory
        }
      },
      {
@ -183,56 +178,37 @@ export const createFolder = async (req: Request, res: Response) => {
      }
    );

-    return res.json({ folder: { id, name: folderName } });
+    return res.json({ folder: { id: child.id, name: folderName } });
  }

-  const folder = appendFolder(folders.nodes, { folderName, parentFolderId });
+  const { parent, child, hasCreated } = appendFolder(folders.nodes, { folderName, directory });

-  await Folder.findByIdAndUpdate(folders._id, folders);
-
-  const { folder: parentFolder, folderPath: parentFolderPath } = getFolderWithPathFromId(
-    folders.nodes,
-    parentFolderId || "root"
-  );
-
-  if (req.authData.authPayload instanceof ServiceTokenData) {
-    // root check
-    const isValidScopeAccess = isValidScope(
-      req.authData.authPayload,
-      environment,
-      parentFolderPath
-    );
-    if (!isValidScopeAccess) {
-      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-    }
-  }
+  if (!hasCreated) return res.json({ folder: child });

  await Folder.findByIdAndUpdate(folders._id, folders);

  const folderVersion = new FolderVersion({
    workspace: workspaceId,
    environment,
-    nodes: parentFolder
+    nodes: parent
  });
  await folderVersion.save();

  await EESecretService.takeSecretSnapshot({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
-    folderId: parentFolderId
+    folderId: child.id
  });

-  const { folderPath } = getFolderWithPathFromId(folders.nodes, folder.id);
-
  await EEAuditLogService.createAuditLog(
    req.authData,
    {
      type: EventType.CREATE_FOLDER,
      metadata: {
        environment,
-        folderId: folder.id,
+        folderId: child.id,
        folderName,
-        folderPath
+        folderPath: directory
      }
    },
    {
@ -240,7 +216,7 @@ export const createFolder = async (req: Request, res: Response) => {
    }
  );

-  return res.json({ folder });
+  return res.json({ folder: child });
 };

 /**
@ -251,18 +227,18 @@ export const createFolder = async (req: Request, res: Response) => {
 */
 export const updateFolderById = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Update a folder by ID'
-    #swagger.description = 'Update the name of a folder in a specified workspace and environment by its ID'
+    #swagger.summary = 'Update folder'
+    #swagger.description = 'Update folder'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-    #swagger.parameters['folderId'] = {
-        "description": "ID of the folder to be updated",
+    #swagger.parameters['folderName'] = {
+        "description": "Name of folder to update",
        "required": true,
-        "type": "string",
-        "in": "path"
+        "type": "string"
    }

    #swagger.requestBody = {
@ -273,18 +249,23 @@ export const updateFolderById = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the folder is located",
+                            "description": "ID of workspace where to update folder",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment where the folder is located",
+                            "description": "Slug of environment where to update folder",
                            "example": "production"
                        },
                        "name": {
                            "type": "string",
-                            "description": "New name for the folder",
+                            "description": "Name of folder to update to",
                            "example": "updated_folder_name"
+                        },
+                        "directory": {
+                            "type": "string",
+                            "description": "Path where to update folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        }
                    },
                    "required": ["workspaceId", "environment", "name"]
@ -301,6 +282,7 @@ export const updateFolderById = async (req: Request, res: Response) => {
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "Successfully updated folder"
                        },
                        "folder": {
@ -308,11 +290,13 @@ export const updateFolderById = async (req: Request, res: Response) => {
                            "properties": {
                                "name": {
                                    "type": "string",
+                                    "description": "Name of updated folder",
                                    "example": "updated_folder_name"
                                },
                                "id": {
                                    "type": "string",
-                                    "example": "someFolderId"
+                                    "description": "ID of created folder",
+                                    "example": "abc123"
                                }
                            },
                            "description": "Details of the updated folder"
@ -332,8 +316,8 @@ export const updateFolderById = async (req: Request, res: Response) => {
    }
  */
  const {
-    body: { workspaceId, environment, name },
-    params: { folderId }
+    body: { workspaceId, environment, name, directory },
+    params: { folderName }
  } = await validateRequest(reqValidator.UpdateFolderV1, req);

  if (!validateFolderName(name)) {
@ -342,38 +326,31 @@ export const updateFolderById = async (req: Request, res: Response) => {
    });
  }

+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  } else {
+    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
+    );
+  }
+
  const folders = await Folder.findOne({ workspace: workspaceId, environment });
  if (!folders) {
    throw BadRequestError({ message: "The folder doesn't exist" });
  }

-  const parentFolder = getParentFromFolderId(folders.nodes, folderId);
+  const parentFolder = getFolderByPath(folders.nodes, directory);
  if (!parentFolder) {
    throw BadRequestError({ message: "The folder doesn't exist" });
  }

-  if (req.user) {
-    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
-    const secretPath = getFolderWithPathFromId(folders.nodes, parentFolder.id).folderPath;
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-  }
-
-  const folder = parentFolder.children.find(({ id }) => id === folderId);
-  if (!folder) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-
-  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const { folderPath: secretPath } = getFolderWithPathFromId(folders.nodes, parentFolder.id);
-    // root check
-    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
-    if (!isValidScopeAccess) {
-      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-    }
-  }
+  const folder = parentFolder.children.find(({ name }) => name === folderName);
+  if (!folder) throw ERR_FOLDER_NOT_FOUND;

  const oldFolderName = folder.name;
  parentFolder.version += 1;
@ -426,15 +403,16 @@ export const updateFolderById = async (req: Request, res: Response) => {
 */
 export const deleteFolder = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Delete a folder by ID'
-    #swagger.description = 'Delete the specified folder from a specified workspace and environment using its ID'
+    #swagger.summary = 'Delete folder'
+    #swagger.description = 'Delete folder'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-    #swagger.parameters['folderId'] = {
-        "description": "ID of the folder to be deleted",
+    #swagger.parameters['folderName'] = {
+        "description": "Name of folder to delete",
        "required": true,
        "type": "string",
        "in": "path"
@ -448,13 +426,18 @@ export const deleteFolder = async (req: Request, res: Response) => {
                    "properties": {
                        "workspaceId": {
                            "type": "string",
-                            "description": "ID of the workspace where the folder is located",
+                            "description": "ID of the workspace where to delete folder",
                            "example": "someWorkspaceId"
                        },
                        "environment": {
                            "type": "string",
-                            "description": "Environment where the folder is located",
+                            "description": "Slug of environment where to delete folder",
                            "example": "production"
+                        },
+                        "directory": {
+                            "type": "string",
+                            "description": "Path where to delete folder like / or /foo/bar. Default is /",
+                            "example": "/foo/bar"
                        }
                    },
                    "required": ["workspaceId", "environment"]
@ -471,6 +454,7 @@ export const deleteFolder = async (req: Request, res: Response) => {
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "successfully deleted folders"
                        },
                        "folders": {
@ -480,15 +464,17 @@ export const deleteFolder = async (req: Request, res: Response) => {
                                "properties": {
                                    "id": {
                                        "type": "string",
-                                        "example": "someFolderId"
+                                        "description": "ID of deleted folder",
+                                        "example": "abc123"
                                    },
                                    "name": {
                                        "type": "string",
+                                        "description": "Name of deleted folder",
                                        "example": "someFolderName"
                                    }
                                }
                            },
-                            "description": "List of IDs and names of the deleted folders"
+                            "description": "List of IDs and names of deleted folders"
                        }
                    }
                }
@ -505,24 +491,12 @@ export const deleteFolder = async (req: Request, res: Response) => {
    }
  */
  const {
-    params: { folderId },
-    body: { environment, workspaceId }
+    params: { folderName },
+    body: { environment, workspaceId, directory }
  } = await validateRequest(reqValidator.DeleteFolderV1, req);

-  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (!folders) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-
-  const delOp = deleteFolderById(folders.nodes, folderId);
-  if (!delOp) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-  const { deletedNode: delFolder, parent: parentFolder } = delOp;
-  const { folderPath: secretPath } = getFolderWithPathFromId(folders.nodes, parentFolder.id);
-
  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
    if (!isValidScopeAccess) {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
@ -531,12 +505,23 @@ export const deleteFolder = async (req: Request, res: Response) => {
    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
    );
  }

+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) throw ERR_FOLDER_NOT_FOUND;
+
+  const parentFolder = getFolderByPath(folders.nodes, directory);
+  if (!parentFolder) throw ERR_FOLDER_NOT_FOUND;
+
+  const index = parentFolder.children.findIndex(({ name }) => name === folderName);
+  if (index === -1) throw ERR_FOLDER_NOT_FOUND;
+
+  const deletedFolder = parentFolder.children.splice(index, 1)[0];
+
  parentFolder.version += 1;
-  const delFolderIds = getAllFolderIds(delFolder);
+  const delFolderIds = getAllFolderIds(deletedFolder);

  await Folder.findByIdAndUpdate(folders._id, folders);
  const folderVersion = new FolderVersion({
@ -565,9 +550,9 @@ export const deleteFolder = async (req: Request, res: Response) => {
      type: EventType.DELETE_FOLDER,
      metadata: {
        environment,
-        folderId,
-        folderName: delFolder.name,
-        folderPath: secretPath
+        folderId: deletedFolder.id,
+        folderName: deletedFolder.name,
+        folderPath: directory
      }
    },
    {
@ -575,48 +560,42 @@ export const deleteFolder = async (req: Request, res: Response) => {
    }
  );

-  res.send({ message: "successfully deleted folders", folders: delFolderIds });
+  return res.send({ message: "successfully deleted folders", folders: delFolderIds });
 };

 /**
 * Get folders for workspace with id [workspaceId] and environment [environment]
- * considering [parentFolderId] and [parentFolderPath]
+ * considering directory/path [directory]
 * @param req
 * @param res
 * @returns
 */
 export const getFolders = async (req: Request, res: Response) => {
  /*
-    #swagger.summary = 'Retrieve folders based on specific conditions'
-    #swagger.description = 'Fetches folders from the specified workspace and environment, optionally providing either a parentFolderId or a parentFolderPath to narrow down results'
+    #swagger.summary = 'Get folders'
+    #swagger.description = 'Get folders'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

    #swagger.parameters['workspaceId'] = {
-        "description": "ID of the workspace from which the folders are to be fetched",
+        "description": "ID of the workspace where to get folders from",
        "required": true,
        "type": "string",
        "in": "query"
    }

    #swagger.parameters['environment'] = {
-        "description": "Environment where the folder is located",
+        "description": "Slug of environment where to get folders from",
        "required": true,
        "type": "string",
        "in": "query"
    }

-    #swagger.parameters['parentFolderId'] = {
-        "description": "ID of the parent folder",
-        "required": false,
-        "type": "string",
-        "in": "query"
-    }
-
-    #swagger.parameters['parentFolderPath'] = {
-        "description": "Path of the parent folder, like /folder1/folder2",
+    #swagger.parameters['directory'] = {
+        "description": "Path where to get fodlers from like / or /foo/bar. Default is /",
        "required": false,
        "type": "string",
        "in": "query"
@ -644,23 +623,6 @@ export const getFolders = async (req: Request, res: Response) => {
                                }
                            },
                            "description": "List of folders"
-                        },
-                        "dir": {
-                            "type": "array",
-                            "items": {
-                                "type": "object",
-                                "properties": {
-                                    "name": {
-                                        "type": "string",
-                                        "example": "parentFolderName"
-                                    },
-                                    "id": {
-                                        "type": "string",
-                                        "example": "parentFolderId"
-                                    }
-                                }
-                            },
-                            "description": "List of directories"
                        }
                    }
                }
@ -677,69 +639,27 @@ export const getFolders = async (req: Request, res: Response) => {
    }
  */
  const {
-    query: { workspaceId, environment, parentFolderId, parentFolderPath }
+    query: { workspaceId, environment, directory }
  } = await validateRequest(reqValidator.GetFoldersV1, req);

-  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-
-  if (req.user) await getUserProjectPermissions(req.user._id, workspaceId);
-
-  if (!folders) {
-    res.send({ folders: [], dir: [] });
-    return;
-  }
-
-  // if instead of parentFolderId given a path like /folder1/folder2
-  if (parentFolderPath) {
-    if (req.authData.authPayload instanceof ServiceTokenData) {
-      const isValidScopeAccess = isValidScope(
-        req.authData.authPayload,
-        environment,
-        parentFolderPath
-      );
-      if (!isValidScopeAccess) {
-        throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-      }
-    }
-    const folder = getFolderByPath(folders.nodes, parentFolderPath);
-
-    if (!folder) {
-      res.send({ folders: [], dir: [] });
-      return;
-    }
-    // dir is not needed at present as this is only used in overview section of secrets
-    res.send({
-      folders: folder.children.map(({ id, name }) => ({ id, name })),
-      dir: [{ name: folder.name, id: folder.id }]
-    });
-  }
-
-  if (!parentFolderId) {
-    if (req.authData.authPayload instanceof ServiceTokenData) {
-      const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, "/");
-      if (!isValidScopeAccess) {
-        throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
-      }
-    }
-
-    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
-      id,
-      name
-    }));
-    res.send({ folders: rootFolders });
-    return;
-  }
-
-  const { folder, folderPath, dir } = getFolderWithPathFromId(folders.nodes, parentFolderId);
  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, folderPath);
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, directory);
    if (!isValidScopeAccess) {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
+  } else {
+    // check that user is a member of the workspace
+    await getUserProjectPermissions(req.user._id, workspaceId);
  }

-  res.send({
-    folders: folder.children.map(({ id, name }) => ({ id, name })),
-    dir
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    return res.send({ folders: [], dir: [] });
+  }
+
+  const folder = getFolderByPath(folders.nodes, directory);
+
+  return res.send({
+    folders: folder?.children?.map(({ id, name }) => ({ id, name })) || []
  });
 };
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -2,16 +2,15 @@ import { Request, Response } from "express";
 import { AuthMethod, User } from "../../models";
 import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
 import { createToken } from "../../helpers/auth";
-import { BadRequestError } from "../../utils/errors";
 import {
-  getInviteOnlySignup,
+  getAuthSecret,
  getJwtSignupLifetime,
-  getJwtSignupSecret,
  getSmtpConfigured
 } from "../../config";
 import { validateUserEmail } from "../../validation";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
+import { AuthTokenType } from "../../variables";

 /**
 * Signup step 1: Initialize account for user under email [email] and send a verification code
@ -67,16 +66,6 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
    });
  }

-  if (await getInviteOnlySignup()) {
-    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
-    const userCount = await User.countDocuments({});
-    if (userCount != 0) {
-      throw BadRequestError({
-        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
-      });
-    }
-  }
-
  // verify email
  if (await getSmtpConfigured()) {
    await checkEmailVerification({
@ -95,10 +84,11 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
  // generate temporary signup token
  const token = createToken({
    payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
      userId: user._id.toString()
    },
    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
  });

  return res.status(200).send({
--- a/backend/src/controllers/v1/webhookController.ts
+++ b/backend/src/controllers/v1/webhookController.ts
@ -1,12 +1,16 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { client, getRootEncryptionKey } from "../../config";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
 import { Webhook } from "../../models";
 import { getWebhookPayload, triggerWebhookRequest } from "../../services/WebhookService";
 import { BadRequestError, ResourceNotFoundError } from "../../utils/errors";
 import { EEAuditLogService } from "../../ee/services";
 import { EventType } from "../../ee/models";
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_BASE64 } from "../../variables";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/webhooks";
 import {
@ -15,6 +19,7 @@ import {
  getUserProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";

 export const createWebhook = async (req: Request, res: Response) => {
  const {
@ -31,17 +36,31 @@ export const createWebhook = async (req: Request, res: Response) => {
    workspace: workspaceId,
    environment,
    secretPath,
-    url: webhookUrl,
-    algorithm: ALGORITHM_AES_256_GCM,
-    keyEncoding: ENCODING_SCHEME_BASE64
+    url: webhookUrl
  });

  if (webhookSecretKey) {
+    const encryptionKey = await getEncryptionKey();
    const rootEncryptionKey = await getRootEncryptionKey();
-    const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
-    webhook.iv = iv;
-    webhook.tag = tag;
-    webhook.encryptedSecretKey = ciphertext;
+
+    if (rootEncryptionKey) {
+      const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
+      webhook.iv = iv;
+      webhook.tag = tag;
+      webhook.encryptedSecretKey = ciphertext;
+      webhook.algorithm = ALGORITHM_AES_256_GCM;
+      webhook.keyEncoding = ENCODING_SCHEME_BASE64;
+    } else if (encryptionKey) {
+      const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+        plaintext: webhookSecretKey,
+        key: encryptionKey
+      });
+      webhook.iv = iv;
+      webhook.tag = tag;
+      webhook.encryptedSecretKey = ciphertext;
+      webhook.algorithm = ALGORITHM_AES_256_GCM;
+      webhook.keyEncoding = ENCODING_SCHEME_UTF8;
+    }
  }

  await webhook.save();
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -202,12 +202,12 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
  );

  // delete workspace
-  await deleteWork({
-    id: workspaceId
+  const workspace = await deleteWork({
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  return res.status(200).send({
-    message: "Successfully deleted workspace"
+    workspace
  });
 };

--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -8,11 +8,9 @@ import { createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
-import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";

@ -109,10 +107,11 @@ export const login2 = async (req: Request, res: Response) => {
          // generate temporary MFA token
          const token = createToken({
            payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
              userId: user._id.toString()
            },
            expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
          });

          const code = await TokenService.createToken({
@ -189,19 +188,6 @@ export const login2 = async (req: Request, res: Response) => {
          response.protectedKeyTag = user.protectedKeyTag;
        }

-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.ip
-          }));
-
        return res.status(200).send(response);
      }

@ -329,18 +315,5 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
    resObj.protectedKeyTag = user.protectedKeyTag;
  }

-  const loginAction = await EELogService.createAction({
-    name: ACTION_LOGIN,
-    userId: user._id
-  });
-
-  loginAction &&
-    (await EELogService.createLog({
-      userId: user._id,
-      actions: [loginAction],
-      channel: getUserAgentType(req.headers["user-agent"]),
-      ipAddress: req.realIP
-    }));
-
  return res.status(200).send(resObj);
 };
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -1,6 +1,7 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import {
+  Folder,
  Integration,
  Membership,
  Secret,
@ -21,43 +22,32 @@ import {
  getUserProjectPermissions
 } from "../../ee/services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability";
+import { SecretImport } from "../../models";
+import { Webhook } from "../../models";

 /**
- * Create new workspace environment named [environmentName] 
+ * Create new workspace environment named [environmentName]
 * with slug [environmentSlug] under workspace with id
 * @param req
 * @param res
 * @returns
 */
 export const createWorkspaceEnvironment = async (req: Request, res: Response) => {
-  /* 
+  /*
    #swagger.summary = 'Create environment'
    #swagger.description = 'Create environment'
-    
+
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
    }]

 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of workspace where to create environment",
 		"required": true,
-		"type": "string"
-	} 
-
-  /* 
-    #swagger.summary = 'Create environment'
-    #swagger.description = 'Create environment'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
+		"type": "string",
+    "in": "path"
+	}
+  
  #swagger.requestBody = {
      content: {
          "application/json": {
@ -66,12 +56,12 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
                  "properties": {
                      "environmentName": {
                          "type": "string",
-                          "description": "Name of the environment",
+                          "description": "Name of the environment to create",
                          "example": "development"
                      },
                      "environmentSlug": {
                          "type": "string",
-                          "description": "Slug of the environment",
+                          "description": "Slug of environment to create",
                          "example": "dev-environment"
                      }
                  },
@ -82,38 +72,42 @@ export const createWorkspaceEnvironment = async (req: Request, res: Response) =>
  }

  #swagger.responses[200] = {
-      content: {
-          "application/json": {
-              "schema": { 
-                  "type": "object",
-                  "properties": {
-                      "message": {
-                          "type": "string",
-                          "example": "Successfully created new environment"
-                      },
-                      "workspace": {
-                          "type": "string",
-                          "example": "someWorkspaceId"
-                      },
-                      "environment": {
-                          "type": "object",
-                          "properties": {
-                              "name": {
-                                  "type": "string",
-                                  "example": "someEnvironmentName"
-                              },
-                              "slug": {
-                                  "type": "string",
-                                  "example": "someEnvironmentSlug"
-                              }
-                          }
-                      }
-                  },
-                  "description": "Response after creating a new environment"
-              }
-          }           
-      }
-  }
+        content: {
+            "application/json": {
+                "schema": {
+                    "type": "object",
+                    "properties": {
+                        "message": {
+                            "type": "string",
+                            "description": "Sucess message",
+                            "example": "Successfully created environment"
+                        },
+                        "workspace": {
+                            "type": "string",
+                            "description": "ID of workspace where environment was created",
+                            "example": "abc123"
+                        },
+                        "environment": {
+                            "type": "object",
+                            "properties": {
+                                "name": {
+                                    "type": "string",
+                                    "description": "Name of created environment",
+                                    "example": "Staging"
+                                },
+                                "slug": {
+                                    "type": "string",
+                                    "description": "Slug of created environment",
+                                    "example": "staging"
+                                }
+                            }
+                        }
+                    },
+                    "description": "Details of the created environment"
+                }
+            }
+        }
+    }
  */
  const {
    params: { workspaceId },
@ -242,16 +236,20 @@ export const reorderWorkspaceEnvironments = async (req: Request, res: Response)
 * @returns
 */
 export const renameWorkspaceEnvironment = async (req: Request, res: Response) => {
-  /* 
-    #swagger.summary = 'Rename workspace environment'
-    #swagger.description = 'Rename a specific environment within a workspace'
+  /*
+    #swagger.summary = 'Update environment'
+    #swagger.description = 'Update environment'
+
+    #swagger.security = [{
+        "apiKeyAuth": [],
+    }]

    #swagger.parameters['workspaceId'] = {
-    "description": "ID of the workspace",
-    "required": true,
-    "type": "string",
-        "in": "path"
-  }
+      "description": "ID of workspace where to update environment",
+      "required": true,
+      "type": "string",
+      "in": "path"
+    }

    #swagger.requestBody = {
        content: {
@ -261,17 +259,17 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "environmentName": {
                            "type": "string",
-                            "description": "New name for the environment",
+                            "description": "Name of environment to update to",
                            "example": "Staging-Renamed"
                        },
                        "environmentSlug": {
                            "type": "string",
-                            "description": "New slug for the environment",
+                            "description": "Slug of environment to update to",
                            "example": "staging-renamed"
                        },
                        "oldEnvironmentSlug": {
                            "type": "string",
-                            "description": "Current slug of the environment to rename",
+                            "description": "Current slug of environment",
                            "example": "staging-old"
                        }
                    },
@ -289,21 +287,25 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "Successfully update environment"
                        },
                        "workspace": {
                            "type": "string",
-                            "example": "someWorkspaceId"
+                            "description": "ID of workspace where environment was updated",
+                            "example": "abc123"
                        },
                        "environment": {
                            "type": "object",
                            "properties": {
                                "name": {
                                    "type": "string",
+                                    "description": "Name of updated environment",
                                    "example": "Staging-Renamed"
                                },
                                "slug": {
                                    "type": "string",
+                                    "description": "Slug of updated environment",
                                    "example": "staging-renamed"
                                }
                            }
@ -313,7 +315,7 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
                }
            }
        }
-    }   
+    }
  */
  const {
    params: { workspaceId },
@ -369,13 +371,38 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
    { environment: environmentSlug }
  );
  await ServiceTokenData.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
+    {
+      workspace: workspaceId,
+      "scopes.environment": oldEnvironmentSlug
+    },
+    { $set: { "scopes.$[element].environment": environmentSlug } },
+    { arrayFilters: [{ "element.environment": oldEnvironmentSlug }] }
  );
  await Integration.updateMany(
    { workspace: workspaceId, environment: oldEnvironmentSlug },
    { environment: environmentSlug }
  );
+
+  await Folder.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+
+  await SecretImport.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await SecretImport.updateMany(
+    { workspace: workspaceId, "imports.environment": oldEnvironmentSlug },
+    { $set: { "imports.$[element].environment": environmentSlug } },
+    { arrayFilters: [{ "element.environment": oldEnvironmentSlug }] },
+  );
+
+  await Webhook.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+
  await Membership.updateMany(
    {
      workspace: workspaceId,
@ -418,20 +445,20 @@ export const renameWorkspaceEnvironment = async (req: Request, res: Response) =>
 * @returns
 */
 export const deleteWorkspaceEnvironment = async (req: Request, res: Response) => {
-  /* 
-    #swagger.summary = 'Delete workspace environment'
-    #swagger.description = 'Delete a specific environment from a workspace'
-    
+  /*
+    #swagger.summary = 'Delete environment'
+    #swagger.description = 'Delete environment'
+
    #swagger.security = [{
        "apiKeyAuth": []
    }]

    #swagger.parameters['workspaceId'] = {
-		"description": "ID of the workspace",
-		"required": true,
-		"type": "string",
-        "in": "path"
-	}
+      "description": "ID of workspace where to delete environment",
+      "required": true,
+      "type": "string",
+      "in": "path"
+	  }

    #swagger.requestBody = {
        content: {
@ -441,8 +468,8 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
                    "properties": {
                        "environmentSlug": {
                            "type": "string",
-                            "description": "Slug of the environment to delete",
-                            "example": "dev-environment"
+                            "description": "Slug of environment to delete",
+                            "example": "dev"
                        }
                    },
                    "required": ["environmentSlug"]
@ -454,27 +481,30 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>
    #swagger.responses[200] = {
        content: {
            "application/json": {
-                "schema": { 
+                "schema": {
                    "type": "object",
                    "properties": {
                        "message": {
                            "type": "string",
+                            "description": "Success message",
                            "example": "Successfully deleted environment"
                        },
                        "workspace": {
                            "type": "string",
-                            "example": "someWorkspaceId"
+                            "description": "ID of workspace where environment was deleted",
+                            "example": "abc123"
                        },
                        "environment": {
                            "type": "string",
-                            "example": "dev-environment"
+                            "description": "Slug of deleted environment",
+                            "example": "dev"
                        }
                    },
                    "description": "Response after deleting an environment from a workspace"
                }
-            }           
+            }
        }
-    }   
+    }
 */
  const {
    params: { workspaceId },
@ -561,10 +591,10 @@ export const deleteWorkspaceEnvironment = async (req: Request, res: Response) =>

 // TODO(akhilmhdh) after rbac this can be completely removed
 export const getAllAccessibleEnvironmentsOfWorkspace = async (req: Request, res: Response) => {
-  /* 
+  /*
    #swagger.summary = 'Get all accessible environments of a workspace'
    #swagger.description = 'Fetch all environments that the user has access to in a specified workspace'
-    
+
    #swagger.security = [{
        "apiKeyAuth": []
    }]
@ -611,7 +641,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (req: Request, res:
                }
            }
        }
-    }   
+    }
  */
  const {
    params: { workspaceId }
--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -6,20 +6,20 @@ import * as workspaceController from "./workspaceController";
 import * as serviceTokenDataController from "./serviceTokenDataController";
 import * as secretController from "./secretController";
 import * as secretsController from "./secretsController";
-import * as serviceAccountsController from "./serviceAccountsController";
 import * as environmentController from "./environmentController";
 import * as tagController from "./tagController";
+import * as membershipController from "./membershipController";

 export {
-    authController,
-    signupController,
-    usersController,
-    organizationsController,
-    workspaceController,
-    serviceTokenDataController,
-    secretController,
-    secretsController,
-    serviceAccountsController,
-    environmentController,
-    tagController,
-}
+  authController,
+  signupController,
+  usersController,
+  organizationsController,
+  workspaceController,
+  serviceTokenDataController,
+  secretController,
+  secretsController,
+  environmentController,
+  tagController,
+  membershipController
+};
--- a/backend/src/controllers/v2/membershipController.ts
+++ b/backend/src/controllers/v2/membershipController.ts
@ -0,0 +1,103 @@
+import { ForbiddenError } from "@casl/ability";
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+
+import { getSiteURL } from "../../config";
+import { EventType } from "../../ee/models";
+import { EEAuditLogService } from "../../ee/services";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getUserProjectPermissions
+} from "../../ee/services/ProjectRoleService";
+import { sendMail } from "../../helpers";
+import { validateRequest } from "../../helpers/validation";
+import { IUser, Key, Membership, MembershipOrg, Workspace } from "../../models";
+import { BadRequestError } from "../../utils/errors";
+import * as reqValidator from "../../validation/membership";
+import { ACCEPTED, MEMBER } from "../../variables";
+
+export const addUserToWorkspace = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId },
+    body: { members }
+  } = await validateRequest(reqValidator.AddUserToWorkspaceV2, req);
+  // check workspace
+  const workspace = await Workspace.findById(workspaceId);
+  if (!workspace) throw new Error("Failed to find workspace");
+
+  // check permission
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.Member
+  );
+
+  // validate members are part of the organization
+  const orgMembers = await MembershipOrg.find({
+    status: ACCEPTED,
+    _id: { $in: members.map(({ orgMembershipId }) => orgMembershipId) },
+    organization: workspace.organization
+  })
+    .populate<{ user: IUser }>("user")
+    .select({ _id: 1, user: 1 })
+    .lean();
+  if (orgMembers.length !== members.length)
+    throw BadRequestError({ message: "Org member not found" });
+
+  const existingMember = await Membership.find({
+    workspace: workspaceId,
+    user: { $in: orgMembers.map(({ user }) => user) }
+  });
+  if (existingMember?.length)
+    throw BadRequestError({ message: "Some users are already part of workspace" });
+
+  await Membership.insertMany(
+    orgMembers.map(({ user }) => ({ user: user._id, workspace: workspaceId, role: MEMBER }))
+  );
+
+  const encKeyGroupedByOrgMemberId = members.reduce<Record<string, (typeof members)[number]>>(
+    (prev, curr) => ({ ...prev, [curr.orgMembershipId]: curr }),
+    {}
+  );
+  await Key.insertMany(
+    orgMembers.map(({ user, _id: id }) => ({
+      encryptedKey: encKeyGroupedByOrgMemberId[id.toString()].workspaceEncryptedKey,
+      nonce: encKeyGroupedByOrgMemberId[id.toString()].workspaceEncryptedNonce,
+      sender: req.user._id,
+      receiver: user._id,
+      workspace: workspaceId
+    }))
+  );
+
+  await sendMail({
+    template: "workspaceInvitation.handlebars",
+    subjectLine: "Infisical workspace invitation",
+    recipients: orgMembers.map(({ user }) => user.email),
+    substitutions: {
+      inviterFirstName: req.user.firstName,
+      inviterEmail: req.user.email,
+      workspaceName: workspace.name,
+      callback_url: (await getSiteURL()) + "/login"
+    }
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.ADD_BATCH_WORKSPACE_MEMBER,
+      metadata: orgMembers.map(({ user }) => ({
+        userId: user._id.toString(),
+        email: user.email
+      }))
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
+  return res.status(200).send({
+    success: true,
+    data: orgMembers
+  });
+};
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -1,11 +1,24 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { Membership, MembershipOrg, ServiceAccount, Workspace } from "../../models";
+import { 
+  Membership, 
+  MembershipOrg, 
+  Workspace 
+} from "../../models";
+import { Role } from "../../ee/models";
 import { deleteMembershipOrg } from "../../helpers/membershipOrg";
-import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
-import Role from "../../ee/models/role";
-import { BadRequestError } from "../../utils/errors";
-import { CUSTOM } from "../../variables";
+import { 
+  createOrganization as create,
+  deleteOrganization,
+  updateSubscriptionOrgQuantity
+} from "../../helpers/organization";
+import { addMembershipsOrg } from "../../helpers/membershipOrg";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import {
+  ACCEPTED,
+  ADMIN,
+  CUSTOM 
+} from "../../variables";
 import * as reqValidator from "../../validation/organization";
 import { validateRequest } from "../../helpers/validation";
 import {
@ -317,18 +330,58 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
 };

 /**
- * Return service accounts for organization with id [organizationId]
+ * Create new organization named [organizationName]
+ * and add user as owner
 * @param req
 * @param res
+ * @returns
 */
-export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
-  const { organizationId } = req.params;
+ export const createOrganization = async (req: Request, res: Response) => {
+  const {
+    body: { name }
+  } = await validateRequest(reqValidator.CreateOrgv2, req);

-  const serviceAccounts = await ServiceAccount.find({
-    organization: new Types.ObjectId(organizationId)
+  // create organization and add user as member
+  const organization = await create({
+    email: req.user.email,
+    name
+  });
+
+  await addMembershipsOrg({
+    userIds: [req.user._id.toString()],
+    organizationId: organization._id.toString(),
+    roles: [ADMIN],
+    statuses: [ACCEPTED]
  });

  return res.status(200).send({
-    serviceAccounts
+    organization
  });
 };
+
+/**
+ * Delete organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const deleteOrganizationById = async (req: Request, res: Response) => {
+  const {
+    params: { organizationId }
+  } = await validateRequest(reqValidator.DeleteOrgv2, req);
+  
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: new Types.ObjectId(organizationId),
+    role: ADMIN
+  });
+  
+  if (!membershipOrg) throw UnauthorizedRequestError();
+  
+  const organization = await deleteOrganization({
+    organizationId: new Types.ObjectId(organizationId)
+  });
+  
+  return res.status(200).send({
+    organization
+  });
+}
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -11,7 +11,6 @@ import {
  ValidationError as RouteValidationError,
  UnauthorizedRequestError
 } from "../../utils/errors";
-import { AnyBulkWriteOperation } from "mongodb";
 import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
@ -19,7 +18,7 @@ import {
  SECRET_SHARED
 } from "../../variables";
 import { TelemetryService } from "../../services";
-import { ISecret, Secret, User } from "../../models";
+import { Secret, User } from "../../models";
 import { AccountNotFoundError } from "../../utils/errors";

 /**
@ -145,22 +144,22 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  const secretsUserCanDeleteSet: Set<string> = new Set(
    secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
  );
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];

-  let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach((secretIdToDelete) => {
-    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = {
-        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
-      };
-      deleteOperationsToPerform.push(deleteOperation);
-      numSecretsDeleted++;
-    } else {
-      throw RouteValidationError({
-        message: "You cannot delete secrets that you do not have access to"
-      });
-    }
-  });
+  // Filter out IDs that user can delete and then map them to delete operations
+  const deleteOperationsToPerform = secretIdsToDelete
+    .filter(secretIdToDelete => {
+      if (!secretsUserCanDeleteSet.has(secretIdToDelete)) {
+        throw RouteValidationError({
+          message: "You cannot delete secrets that you do not have access to"
+        });
+      }
+      return true;
+    })
+    .map(secretIdToDelete => ({
+      deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
+    }));
+
+  const numSecretsDeleted = deleteOperationsToPerform.length;

  await Secret.bulkWrite(deleteOperationsToPerform);

--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -1,12 +1,8 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { Folder, ISecret, Secret, ServiceTokenData, Tag } from "../../models";
-import { AuditLog, EventType, IAction, SecretVersion } from "../../ee/models";
+import { AuditLog, EventType, SecretVersion } from "../../ee/models";
 import {
-  ACTION_ADD_SECRETS,
-  ACTION_DELETE_SECRETS,
-  ACTION_READ_SECRETS,
-  ACTION_UPDATE_SECRETS,
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
  K8_USER_AGENT_NAME,
@ -15,7 +11,7 @@ import {
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EventService } from "../../services";
 import { eventPushSecrets } from "../../events";
-import { EEAuditLogService, EELogService, EESecretService } from "../../ee/services";
+import { EEAuditLogService, EESecretService } from "../../ee/services";
 import { SecretService, TelemetryService } from "../../services";
 import { getUserAgentType } from "../../utils/posthog";
 import { PERMISSION_WRITE_SECRETS } from "../../variables";
@ -82,7 +78,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
  const createSecrets: any[] = [];
  const updateSecrets: any[] = [];
  const deleteSecrets: { _id: Types.ObjectId; secretName: string }[] = [];
-  const actions: IAction[] = [];

  // get secret blind index salt
  const salt = await SecretService.getSecretBlindIndexSalt({
@ -224,16 +219,6 @@ export const batchSecrets = async (req: Request, res: Response) => {

    await AuditLog.insertMany(auditLogs);

-    const addAction = (await EELogService.createAction({
-      name: ACTION_ADD_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: createdSecrets.map((n) => n._id)
-    })) as IAction;
-    actions.push(addAction);
-
    if (postHogClient) {
      postHogClient.capture({
        event: "secrets added",
@ -350,14 +335,6 @@ export const batchSecrets = async (req: Request, res: Response) => {

    await AuditLog.insertMany(auditLogs);

-    const updateAction = (await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: req.user._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: updatedSecrets.map((u) => u._id)
-    })) as IAction;
-    actions.push(updateAction);
-
    if (postHogClient) {
      postHogClient.capture({
        event: "secrets modified",
@ -428,14 +405,6 @@ export const batchSecrets = async (req: Request, res: Response) => {

    await AuditLog.insertMany(auditLogs);

-    const deleteAction = (await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: req.user._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: deleteSecretIds
-    })) as IAction;
-    actions.push(deleteAction);
-
    if (postHogClient) {
      postHogClient.capture({
        event: "secrets deleted",
@ -451,17 +420,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
    }
  }

-  if (actions.length > 0) {
-    // (EE) create (audit) log
-    await EELogService.createLog({
-      userId: req.user._id.toString(),
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions,
-      channel,
-      ipAddress: req.realIP
-    });
-  }
-
  // // trigger event - push secrets
  await EventService.handleEvent({
    event: eventPushSecrets({
@ -731,27 +689,6 @@ export const createSecrets = async (req: Request, res: Response) => {
    )
  });

-  const addAction = await EELogService.createAction({
-    name: ACTION_ADD_SECRETS,
-    userId: req.user?._id,
-    serviceAccountId: req.serviceAccount?._id,
-    serviceTokenDataId: req.serviceTokenData?._id,
-    workspaceId: new Types.ObjectId(workspaceId),
-    secretIds: newlyCreatedSecrets.map((n) => n._id)
-  });
-
-  // (EE) create (audit) log
-  addAction &&
-    (await EELogService.createLog({
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId),
-      actions: [addAction],
-      channel,
-      ipAddress: req.realIP
-    }));
-
  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId: new Types.ObjectId(workspaceId),
@ -960,22 +897,6 @@ export const getSecrets = async (req: Request, res: Response) => {
    secrets = await Secret.find(secretQuery).populate("tags");
  }

-  // case: client authorization is via service account
-  if (req.serviceAccount) {
-    const secretQuery: any = {
-      workspace: workspaceId,
-      environment,
-      folder: folderId,
-      user: { $exists: false } // shared secrets only from workspace
-    };
-
-    if (tagIds.length > 0) {
-      secretQuery.tags = { $in: tagIds };
-    }
-
-    secrets = await Secret.find(secretQuery).populate("tags");
-  }
-
  // TODO(akhilmhdh) - secret-imp change this to org type
  let importedSecrets: any[] = [];
  if (include_imports) {
@ -988,28 +909,6 @@ export const getSecrets = async (req: Request, res: Response) => {
    );
  }

-  const channel = getUserAgentType(req.headers["user-agent"]);
-
-  const readAction = await EELogService.createAction({
-    name: ACTION_READ_SECRETS,
-    userId: req.user?._id,
-    serviceAccountId: req.serviceAccount?._id,
-    serviceTokenDataId: req.serviceTokenData?._id,
-    workspaceId: new Types.ObjectId(workspaceId as string),
-    secretIds: secrets.map((n: any) => n._id)
-  });
-
-  readAction &&
-    (await EELogService.createLog({
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(workspaceId as string),
-      actions: [readAction],
-      channel,
-      ipAddress: req.realIP
-    }));
-
  await EEAuditLogService.createAuditLog(
    req.authData,
    {
@ -1247,27 +1146,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
    //   });
    // }, 10000);

-    const updateAction = await EELogService.createAction({
-      name: ACTION_UPDATE_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-    });
-
-    // (EE) create (audit) log
-    updateAction &&
-      (await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(key),
-        actions: [updateAction],
-        channel,
-        ipAddress: req.realIP
-      }));
-
    // (EE) take a secret snapshot
    // IMP(akhilmhdh): commented out due to unknown where the environment is
    // await EESecretService.takeSecretSnapshot({
@ -1387,26 +1265,6 @@ export const deleteSecrets = async (req: Request, res: Response) => {
    //     workspaceId: new Types.ObjectId(key)
    //   })
    // });
-    const deleteAction = await EELogService.createAction({
-      name: ACTION_DELETE_SECRETS,
-      userId: req.user?._id,
-      serviceAccountId: req.serviceAccount?._id,
-      serviceTokenDataId: req.serviceTokenData?._id,
-      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-    });
-
-    // (EE) create (audit) log
-    deleteAction &&
-      (await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(key),
-        actions: [deleteAction],
-        channel,
-        ipAddress: req.realIP
-      }));

    // (EE) take a secret snapshot
    // IMP(akhilmhdh): Not sure how to take secretSnapshot
--- a/backend/src/controllers/v2/serviceAccountsController.ts
+++ b/backend/src/controllers/v2/serviceAccountsController.ts
@ -1,306 +0,0 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import crypto from "crypto";
-import bcrypt from "bcrypt";
-import {
-    ServiceAccount,
-    ServiceAccountKey,
-    ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission,
-} from "../../models";
-import {
-    CreateServiceAccountDto,
-} from "../../interfaces/serviceAccounts/dto";
-import { BadRequestError, ServiceAccountNotFoundError } from "../../utils/errors";
-import { getSaltRounds } from "../../config";
-
-/**
- * Return service account tied to the request (service account) client
- * @param req
- * @param res
- */
-export const getCurrentServiceAccount = async (req: Request, res: Response) => {
-    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
-
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
-    }
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Return service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountById = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-
-    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
-
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
-    }
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Create a new service account under organization with id [organizationId]
- * that has access to workspaces [workspaces]
- * @param req 
- * @param res 
- * @returns
- */
-export const createServiceAccount = async (req: Request, res: Response) => {
-    const {
-        name,
-        organizationId,
-        publicKey,
-        expiresIn,
-    }: CreateServiceAccountDto = req.body;
-
-    let expiresAt;
-    if (expiresIn) {
-        expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-
-    const secret = crypto.randomBytes(16).toString("base64");
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-
-    // create service account
-    const serviceAccount = await new ServiceAccount({
-        name,
-        organization: new Types.ObjectId(organizationId),
-        user: req.user,
-        publicKey,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-    }).save()
-
-    const serviceAccountObj = serviceAccount.toObject();
-
-    delete (serviceAccountObj as any).secretHash;
-
-    // provision default org-level permission for service account
-    await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id,
-    }).save();
-
-    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");
-
-    return res.status(200).send({
-        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj,
-    });
-}
-
-/**
- * Change name of service account with id [serviceAccountId] to [name]
- * @param req 
- * @param res 
- * @returns 
- */
-export const changeServiceAccountName = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const { name } = req.body;
-
-    const serviceAccount = await ServiceAccount.findOneAndUpdate(
-        {
-            _id: new Types.ObjectId(serviceAccountId),
-        },
-        {
-            name,
-        },
-        {
-            new: true,
-        }
-    );
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Add a service account key to service account with id [serviceAccountId]
- * for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const addServiceAccountKey = async (req: Request, res: Response) => {
-    const {
-        workspaceId,
-        encryptedKey,
-        nonce,
-    } = req.body;
-
-    const serviceAccountKey = await new ServiceAccountKey({
-        encryptedKey,
-        nonce,
-        sender: req.user._id,
-        serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId),
-    }).save();
-
-    return serviceAccountKey;
-}
-
-/**
- * Return workspace-level permission for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
-    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id,
-    }).populate("workspace");
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermissions,
-    });
-}
-
-/**
- * Add a workspace permission to service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const {
-        environment,
-        workspaceId,
-        read = false,
-        write = false,
-        encryptedKey,
-        nonce,
-    } = req.body;
-
-    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
-        return res.status(400).send({
-            message: "Failed to validate workspace environment",
-        });
-    }
-
-    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment,
-    });
-
-    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });
-
-    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment,
-        read,
-        write,
-    }).save();
-
-    const existingServiceAccountKey = await ServiceAccountKey.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-    });
-
-    if (!existingServiceAccountKey) {
-        await new ServiceAccountKey({
-            encryptedKey,
-            nonce,
-            sender: req.user._id,
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId),
-        }).save();
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission,
-    });
-}
-
-/**
- * Delete workspace permission from service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountWorkspacePermissionId } = req.params;
-    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
-
-    if (serviceAccountWorkspacePermission) {
-        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
-        const count = await ServiceAccountWorkspacePermission.countDocuments({
-            serviceAccount,
-            workspace,
-        });
-
-        if (count === 0) {
-            await ServiceAccountKey.findOneAndDelete({
-                serviceAccount,
-                workspace,
-            });
-        }
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission,
-    });
-}
-
-/**
- * Delete service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceAccount = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-
-    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
-
-    if (serviceAccount) {
-        await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id,
-        });
-
-        await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-        });
-
-        await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-        });
-    }
-
-    return res.status(200).send({
-        serviceAccount,
-    });
-}
-
-/**
- * Return service account keys for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getServiceAccountKeys = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-
-    const serviceAccountKeys = await ServiceAccountKey.find({
-        serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
-    });
-
-    return res.status(200).send({
-        serviceAccountKeys,
-    });
-}
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -5,49 +5,9 @@ import bcrypt from "bcrypt";
 import { APIKeyData, AuthMethod, MembershipOrg, TokenVersion, User } from "../../models";
 import { getSaltRounds } from "../../config";
 import { validateRequest } from "../../helpers/validation";
+import { deleteUser } from "../../helpers/user";
 import * as reqValidator from "../../validation";

-/**
- * Return the current user.
- * @param req
- * @param res
- * @returns
- */
-export const getMe = async (req: Request, res: Response) => {
-  /* 
-    #swagger.summary = "Retrieve the current user on the request"
-    #swagger.description = "Retrieve the current user on the request"
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "user": {
-                            "type": "object",
-                            $ref: "#/components/schemas/CurrentUser",
-                            "description": "Current user on request"
-                        }
-                    }
-                }
-            }           
-        }
-    }   
-    */
-  const user = await User.findById(req.user._id).select(
-    "+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag"
-  );
-
-  return res.status(200).send({
-    user
-  });
-};
-
 /**
 * Update the current user's MFA-enabled status [isMfaEnabled].
 * Note: Infisical currently only supports email-based 2FA only; this will expand to
@ -296,3 +256,59 @@ export const deleteMySessions = async (req: Request, res: Response) => {
    message: "Successfully revoked all sessions"
  });
 };
+
+/**
+ * Return the current user.
+ * @param req
+ * @param res
+ * @returns
+ */
+ export const getMe = async (req: Request, res: Response) => {
+  /* 
+    #swagger.summary = "Retrieve the current user on the request"
+    #swagger.description = "Retrieve the current user on the request"
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "user": {
+                            "type": "object",
+                            $ref: "#/components/schemas/CurrentUser",
+                            "description": "Current user on request"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+  const user = await User.findById(req.user._id).select(
+    "+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag"
+  );
+
+  return res.status(200).send({
+    user
+  });
+};
+
+/**
+ * Delete the current user.
+ * @param req 
+ * @param res 
+ */
+export const deleteMe = async (req: Request, res: Response) => {
+  const user = await deleteUser({
+    userId: req.user._id
+  });
+
+  return res.status(200).send({
+    user
+  });
+}
--- a/backend/src/controllers/v3/authController.ts
+++ b/backend/src/controllers/v3/authController.ts
@ -8,11 +8,9 @@ import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../h
 import { checkUserDevice } from "../../helpers/user";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
-import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { AuthMethod } from "../../models/user";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
@ -134,10 +132,11 @@ export const login2 = async (req: Request, res: Response) => {
          // generate temporary MFA token
          const token = createToken({
            payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
              userId: user._id.toString()
            },
            expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
          });

          const code = await TokenService.createToken({
@ -214,19 +213,6 @@ export const login2 = async (req: Request, res: Response) => {
          response.protectedKeyTag = user.protectedKeyTag;
        }

-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id
-        });
-
-        loginAction &&
-          (await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ipAddress: req.realIP
-          }));
-
        return res.status(200).send(response);
      }

--- a/backend/src/controllers/v3/index.ts
+++ b/backend/src/controllers/v3/index.ts
@ -1,11 +1,13 @@
+import * as usersController from "./usersController";
 import * as secretsController from "./secretsController";
 import * as workspacesController from "./workspacesController";
 import * as authController from "./authController";
 import * as signupController from "./signupController";

 export {
+    usersController,
    authController,
    secretsController,
    signupController,
-    workspacesController,
+    workspacesController
 }
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
--- a/backend/src/controllers/v3/signupController.ts
+++ b/backend/src/controllers/v3/signupController.ts
@ -5,10 +5,10 @@ import { MembershipOrg, User } from "../../models";
 import { completeAccount } from "../../helpers/user";
 import { initializeDefaultOrg } from "../../helpers/signup";
 import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
-import { ACCEPTED, INVITED } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED } from "../../variables";
 import { standardRequest } from "../../config/request";
-import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
-import { BadRequestError } from "../../utils/errors";
+import { getAuthSecret, getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { TelemetryService } from "../../services";
 import { AuthMethod } from "../../models";
 import { validateRequest } from "../../helpers/validation";
@ -78,12 +78,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
      }

      const decodedToken = <jwt.UserIDJwtPayload>(
-        jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+        jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret())
      );
-
-      if (decodedToken.userId !== user.id) {
-        throw BadRequestError();
-      }
+      
+      if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError();
+      if (decodedToken.userId !== user.id) throw UnauthorizedRequestError();
    }

    // complete setting up user's account
--- a/backend/src/controllers/v3/usersController.ts
+++ b/backend/src/controllers/v3/usersController.ts
@ -0,0 +1,18 @@
+import { Request, Response } from "express";
+import { APIKeyDataV2 } from "../../models";
+
+/**
+ * Return API keys belonging to current user.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getMyAPIKeys = async (req: Request, res: Response) => {
+    const apiKeyData = await APIKeyDataV2.find({
+        user: req.user._id
+    });
+
+    return res.status(200).send({
+        apiKeyData
+    });
+}
--- a/backend/src/controllers/v3/workspacesController.ts
+++ b/backend/src/controllers/v3/workspacesController.ts
@ -1,7 +1,7 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { validateRequest } from "../../helpers/validation";
-import { Secret } from "../../models";
+import { Secret, ServiceTokenDataV3 } from "../../models";
 import { SecretService } from "../../services";
 import { getUserProjectPermissions } from "../../ee/services/ProjectRoleService";
 import { UnauthorizedRequestError } from "../../utils/errors";
@ -101,3 +101,17 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
    message: "Successfully named workspace secrets"
  });
 };
+
+export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.GetWorkspaceServiceTokenDataV3, req);
+  
+  const serviceTokenData = await ServiceTokenDataV3.find({
+    workspace: new Types.ObjectId(workspaceId)
+  });
+  
+  return res.status(200).send({
+    serviceTokenData
+  });
+}
--- a/backend/src/ee/controllers/v1/actionController.ts
+++ b/backend/src/ee/controllers/v1/actionController.ts
@ -1,32 +0,0 @@
-import { Request, Response } from "express";
-import { Action } from "../../models";
-import { ActionNotFoundError } from "../../../utils/errors";
-import { validateRequest } from "../../../helpers/validation";
-import * as reqValidator from "../../../validation/action";
-
-export const getAction = async (req: Request, res: Response) => {
-  let action;
-  try {
-    const {
-      params: { actionId }
-    } = await validateRequest(reqValidator.GetActionV1, req);
-
-    action = await Action.findById(actionId).populate([
-      "payload.secretVersions.oldSecretVersion",
-      "payload.secretVersions.newSecretVersion"
-    ]);
-
-    if (!action)
-      throw ActionNotFoundError({
-        message: "Failed to find action"
-      });
-  } catch (err) {
-    throw ActionNotFoundError({
-      message: "Failed to find action"
-    });
-  }
-
-  return res.status(200).send({
-    action
-  });
-};
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -4,10 +4,13 @@ import * as organizationsController from "./organizationsController";
 import * as ssoController from "./ssoController";
 import * as usersController from "./usersController";
 import * as workspaceController from "./workspaceController";
-import * as actionController from "./actionController";
 import * as membershipController from "./membershipController";
 import * as cloudProductsController from "./cloudProductsController";
 import * as roleController from "./roleController";
+import * as secretApprovalPolicyController from "./secretApprovalPolicyController";
+import * as secretApprovalRequestController from "./secretApprovalRequestsController";
+import * as secretRotationProviderController from "./secretRotationProviderController";
+import * as secretRotationController from "./secretRotationController";

 export {
  secretController,
@ -16,8 +19,11 @@ export {
  ssoController,
  usersController,
  workspaceController,
-  actionController,
  membershipController,
  cloudProductsController,
-  roleController
+  roleController,
+  secretApprovalPolicyController,
+  secretApprovalRequestController,
+  secretRotationProviderController,
+  secretRotationController
 };
--- a/backend/src/ee/controllers/v1/roleController.ts
+++ b/backend/src/ee/controllers/v1/roleController.ts
@ -23,7 +23,7 @@ import {
  memberPermissions
 } from "../../services/RoleService";
 import { BadRequestError } from "../../../utils/errors";
-import Role from "../../models/role";
+import { Role } from "../../models";
 import { validateRequest } from "../../../helpers/validation";
 import { packRules } from "@casl/ability/extra";

@ -212,11 +212,13 @@ export const getUserPermissions = async (req: Request, res: Response) => {
  const {
    params: { orgId }
  } = await validateRequest(GetUserPermission, req);
-  const { permission } = await getUserOrgPermissions(req.user._id, orgId);
+
+  const { permission, membership } = await getUserOrgPermissions(req.user._id, orgId);

  res.status(200).json({
    data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
    }
  });
 };
@ -225,11 +227,12 @@ export const getUserWorkspacePermissions = async (req: Request, res: Response) =
  const {
    params: { workspaceId }
  } = await validateRequest(GetUserProjectPermission, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission, membership } = await getUserProjectPermissions(req.user._id, workspaceId);

  res.status(200).json({
    data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
    }
  });
 };
--- a/backend/src/ee/controllers/v1/secretApprovalPolicyController.ts
+++ b/backend/src/ee/controllers/v1/secretApprovalPolicyController.ts
@ -0,0 +1,128 @@
+import { ForbiddenError, subject } from "@casl/ability";
+import { Request, Response } from "express";
+import { nanoid } from "nanoid";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getUserProjectPermissions
+} from "../../services/ProjectRoleService";
+import { validateRequest } from "../../../helpers/validation";
+import { SecretApprovalPolicy } from "../../models/secretApprovalPolicy";
+import { getSecretPolicyOfBoard } from "../../services/SecretApprovalService";
+import { BadRequestError } from "../../../utils/errors";
+import * as reqValidator from "../../validation/secretApproval";
+
+const ERR_SECRET_APPROVAL_NOT_FOUND = BadRequestError({ message: "secret approval not found" });
+
+export const createSecretApprovalPolicy = async (req: Request, res: Response) => {
+  const {
+    body: { approvals, secretPath, approvers, environment, workspaceId, name }
+  } = await validateRequest(reqValidator.CreateSecretApprovalRule, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.SecretApproval
+  );
+
+  const secretApproval = new SecretApprovalPolicy({
+    workspace: workspaceId,
+    name: name ?? `${environment}-${nanoid(3)}`,
+    secretPath,
+    environment,
+    approvals,
+    approvers
+  });
+  await secretApproval.save();
+
+  return res.send({
+    approval: secretApproval
+  });
+};
+
+export const updateSecretApprovalPolicy = async (req: Request, res: Response) => {
+  const {
+    body: { approvals, approvers, secretPath, name },
+    params: { id }
+  } = await validateRequest(reqValidator.UpdateSecretApprovalRule, req);
+
+  const secretApproval = await SecretApprovalPolicy.findById(id);
+  if (!secretApproval) throw ERR_SECRET_APPROVAL_NOT_FOUND;
+
+  const { permission } = await getUserProjectPermissions(
+    req.user._id,
+    secretApproval.workspace.toString()
+  );
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.SecretApproval
+  );
+
+  const updatedDoc = await SecretApprovalPolicy.findByIdAndUpdate(id, {
+    approvals,
+    approvers,
+    name: (name || secretApproval?.name) ?? `${secretApproval.environment}-${nanoid(3)}`,
+    ...(secretPath === null ? { $unset: { secretPath: 1 } } : { secretPath })
+  });
+
+  return res.send({
+    approval: updatedDoc
+  });
+};
+
+export const deleteSecretApprovalPolicy = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.DeleteSecretApprovalRule, req);
+
+  const secretApproval = await SecretApprovalPolicy.findById(id);
+  if (!secretApproval) throw ERR_SECRET_APPROVAL_NOT_FOUND;
+
+  const { permission } = await getUserProjectPermissions(
+    req.user._id,
+    secretApproval.workspace.toString()
+  );
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.SecretApproval
+  );
+
+  const deletedDoc = await SecretApprovalPolicy.findByIdAndDelete(id);
+
+  return res.send({
+    approval: deletedDoc
+  });
+};
+
+export const getSecretApprovalPolicy = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.GetSecretApprovalRuleList, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretApproval
+  );
+
+  const doc = await SecretApprovalPolicy.find({ workspace: workspaceId });
+
+  return res.send({
+    approvals: doc
+  });
+};
+
+export const getSecretApprovalPolicyOfBoard = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId, environment, secretPath }
+  } = await validateRequest(reqValidator.GetSecretApprovalPolicyOfABoard, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    subject(ProjectPermissionSub.Secrets, { secretPath, environment })
+  );
+
+  const secretApprovalPolicy = await getSecretPolicyOfBoard(workspaceId, environment, secretPath);
+  return res.send({ policy: secretApprovalPolicy });
+};
--- a/backend/src/ee/controllers/v1/secretApprovalRequestsController.ts
+++ b/backend/src/ee/controllers/v1/secretApprovalRequestsController.ts
@ -0,0 +1,333 @@
+import { Request, Response } from "express";
+import { getUserProjectPermissions } from "../../services/ProjectRoleService";
+import { validateRequest } from "../../../helpers/validation";
+import { Folder } from "../../../models";
+import { ApprovalStatus, SecretApprovalRequest } from "../../models/secretApprovalRequest";
+import * as reqValidator from "../../validation/secretApprovalRequest";
+import { getFolderWithPathFromId } from "../../../services/FolderService";
+import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
+import { ISecretApprovalPolicy, SecretApprovalPolicy } from "../../models/secretApprovalPolicy";
+import { performSecretApprovalRequestMerge } from "../../services/SecretApprovalService";
+import { Types } from "mongoose";
+import { EEAuditLogService } from "../../services";
+import { EventType } from "../../models";
+
+export const getSecretApprovalRequestCount = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretApprovalRequestCount, req);
+
+  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const approvalRequestCount = await SecretApprovalRequest.aggregate([
+    {
+      $match: {
+        workspace: new Types.ObjectId(workspaceId)
+      }
+    },
+    {
+      $lookup: {
+        from: SecretApprovalPolicy.collection.name,
+        localField: "policy",
+        foreignField: "_id",
+        as: "policy"
+      }
+    },
+    { $unwind: "$policy" },
+    ...(membership.role !== "admin"
+      ? [
+          {
+            $match: {
+              $or: [
+                { committer: new Types.ObjectId(membership.id) },
+                { "policy.approvers": new Types.ObjectId(membership.id) }
+              ]
+            }
+          }
+        ]
+      : []),
+    {
+      $group: {
+        _id: "$status",
+        count: { $sum: 1 }
+      }
+    }
+  ]);
+  const openRequests = approvalRequestCount.find(({ _id }) => _id === "open");
+  const closedRequests = approvalRequestCount.find(({ _id }) => _id === "close");
+
+  return res.send({
+    approvals: { open: openRequests?.count || 0, closed: closedRequests?.count || 0 }
+  });
+};
+
+export const getSecretApprovalRequests = async (req: Request, res: Response) => {
+  const {
+    query: { status, committer, workspaceId, environment, limit, offset }
+  } = await validateRequest(reqValidator.getSecretApprovalRequests, req);
+
+  const { membership } = await getUserProjectPermissions(req.user._id, workspaceId);
+
+  const query = {
+    workspace: new Types.ObjectId(workspaceId),
+    environment,
+    committer: committer ? new Types.ObjectId(committer) : undefined,
+    status
+  };
+  // to strip of undefined in query we use es6 spread to ignore those fields
+  Object.entries(query).forEach(
+    ([key, value]) => value === undefined && delete query[key as keyof typeof query]
+  );
+  const approvalRequests = await SecretApprovalRequest.aggregate([
+    {
+      $match: query
+    },
+    { $sort: { createdAt: -1 } },
+    {
+      $lookup: {
+        from: SecretApprovalPolicy.collection.name,
+        localField: "policy",
+        foreignField: "_id",
+        as: "policy"
+      }
+    },
+    { $unwind: "$policy" },
+    ...(membership.role !== "admin"
+      ? [
+          {
+            $match: {
+              $or: [
+                { committer: new Types.ObjectId(membership.id) },
+                { "policy.approvers": new Types.ObjectId(membership.id) }
+              ]
+            }
+          }
+        ]
+      : []),
+    { $skip: offset },
+    { $limit: limit }
+  ]);
+  if (!approvalRequests.length) return res.send({ approvals: [] });
+
+  const unqiueEnvs = environment ?? {
+    $in: [...new Set(approvalRequests.map(({ environment }) => environment))]
+  };
+  const approvalRootFolders = await Folder.find({
+    workspace: workspaceId,
+    environment: unqiueEnvs
+  }).lean();
+
+  const formatedApprovals = approvalRequests.map((el) => {
+    let secretPath = "/";
+    const folders = approvalRootFolders.find(({ environment }) => environment === el.environment);
+    if (folders) {
+      secretPath = getFolderWithPathFromId(folders?.nodes, el.folderId)?.folderPath || "/";
+    }
+    return { ...el, secretPath };
+  });
+
+  return res.send({
+    approvals: formatedApprovals
+  });
+};
+
+export const getSecretApprovalRequestDetails = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.getSecretApprovalRequestDetails, req);
+  const secretApprovalRequest = await SecretApprovalRequest.findById(id)
+    .populate<{ policy: ISecretApprovalPolicy }>("policy")
+    .populate({
+      path: "commits.secretVersion",
+      populate: {
+        path: "tags"
+      }
+    })
+    .populate("commits.secret", "version")
+    .populate("commits.newVersion.tags")
+    .lean();
+  if (!secretApprovalRequest)
+    throw BadRequestError({ message: "Secret approval request not found" });
+
+  const { membership } = await getUserProjectPermissions(
+    req.user._id,
+    secretApprovalRequest.workspace.toString()
+  );
+  // allow to fetch only if its admin or is the committer or approver
+  if (
+    membership.role !== "admin" &&
+    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.policy.approvers.find(
+      (approverId) => approverId.toString() === membership._id.toString()
+    )
+  ) {
+    throw UnauthorizedRequestError({ message: "User has no access" });
+  }
+
+  let secretPath = "/";
+  const approvalRootFolders = await Folder.findOne({
+    workspace: secretApprovalRequest.workspace,
+    environment: secretApprovalRequest.environment
+  }).lean();
+  if (approvalRootFolders) {
+    secretPath =
+      getFolderWithPathFromId(approvalRootFolders?.nodes, secretApprovalRequest.folderId)
+        ?.folderPath || "/";
+  }
+
+  return res.send({
+    approval: { ...secretApprovalRequest, secretPath }
+  });
+};
+
+export const updateSecretApprovalReviewStatus = async (req: Request, res: Response) => {
+  const {
+    body: { status },
+    params: { id }
+  } = await validateRequest(reqValidator.updateSecretApprovalReviewStatus, req);
+  const secretApprovalRequest = await SecretApprovalRequest.findById(id).populate<{
+    policy: ISecretApprovalPolicy;
+  }>("policy");
+  if (!secretApprovalRequest)
+    throw BadRequestError({ message: "Secret approval request not found" });
+
+  const { membership } = await getUserProjectPermissions(
+    req.user._id,
+    secretApprovalRequest.workspace.toString()
+  );
+  if (
+    membership.role !== "admin" &&
+    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.policy.approvers.find((approverId) => approverId.equals(membership.id))
+  ) {
+    throw UnauthorizedRequestError({ message: "User has no access" });
+  }
+
+  const reviewerPos = secretApprovalRequest.reviewers.findIndex(
+    ({ member }) => member.toString() === membership._id.toString()
+  );
+  if (reviewerPos !== -1) {
+    secretApprovalRequest.reviewers[reviewerPos].status = status;
+  } else {
+    secretApprovalRequest.reviewers.push({ member: membership._id, status });
+  }
+  await secretApprovalRequest.save();
+
+  return res.send({ status });
+};
+
+export const mergeSecretApprovalRequest = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.mergeSecretApprovalRequest, req);
+
+  const secretApprovalRequest = await SecretApprovalRequest.findById(id).populate<{
+    policy: ISecretApprovalPolicy;
+  }>("policy");
+
+  if (!secretApprovalRequest)
+    throw BadRequestError({ message: "Secret approval request not found" });
+
+  const { membership } = await getUserProjectPermissions(
+    req.user._id,
+    secretApprovalRequest.workspace.toString()
+  );
+  if (
+    membership.role !== "admin" &&
+    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.policy.approvers.find((approverId) => approverId.equals(membership.id))
+  ) {
+    throw UnauthorizedRequestError({ message: "User has no access" });
+  }
+
+  const reviewers = secretApprovalRequest.reviewers.reduce<Record<string, ApprovalStatus>>(
+    (prev, curr) => ({ ...prev, [curr.member.toString()]: curr.status }),
+    {}
+  );
+  const hasMinApproval =
+    secretApprovalRequest.policy.approvals <=
+    secretApprovalRequest.policy.approvers.filter(
+      (approverId) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
+    ).length;
+
+  if (!hasMinApproval) throw BadRequestError({ message: "Doesn't have minimum approvals needed" });
+
+  const approval = await performSecretApprovalRequestMerge(
+    id,
+    req.authData,
+    membership._id.toString()
+  );
+  return res.send({ approval });
+};
+
+export const updateSecretApprovalRequestStatus = async (req: Request, res: Response) => {
+  const {
+    body: { status },
+    params: { id }
+  } = await validateRequest(reqValidator.updateSecretApprovalRequestStatus, req);
+
+  const secretApprovalRequest = await SecretApprovalRequest.findById(id).populate<{
+    policy: ISecretApprovalPolicy;
+  }>("policy");
+
+  if (!secretApprovalRequest)
+    throw BadRequestError({ message: "Secret approval request not found" });
+
+  const { membership } = await getUserProjectPermissions(
+    req.user._id,
+    secretApprovalRequest.workspace.toString()
+  );
+
+  if (
+    membership.role !== "admin" &&
+    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.policy.approvers.find((approverId) => approverId.equals(membership._id))
+  ) {
+    throw UnauthorizedRequestError({ message: "User has no access" });
+  }
+
+  if (secretApprovalRequest.hasMerged)
+    throw BadRequestError({ message: "Approval request has been merged" });
+  if (secretApprovalRequest.status === "close" && status === "close")
+    throw BadRequestError({ message: "Approval request is already closed" });
+  if (secretApprovalRequest.status === "open" && status === "open")
+    throw BadRequestError({ message: "Approval request is already open" });
+
+  const updatedRequest = await SecretApprovalRequest.findByIdAndUpdate(
+    id,
+    { status, statusChangeBy: membership._id },
+    { new: true }
+  );
+
+  if (status === "close") {
+    await EEAuditLogService.createAuditLog(
+      req.authData,
+      {
+        type: EventType.SECRET_APPROVAL_CLOSED,
+        metadata: {
+          closedBy: membership._id.toString(),
+          secretApprovalRequestId: id,
+          secretApprovalRequestSlug: secretApprovalRequest.slug
+        }
+      },
+      {
+        workspaceId: secretApprovalRequest.workspace
+      }
+    );
+  } else {
+    await EEAuditLogService.createAuditLog(
+      req.authData,
+      {
+        type: EventType.SECRET_APPROVAL_REOPENED,
+        metadata: {
+          reopenedBy: membership._id.toString(),
+          secretApprovalRequestId: id,
+          secretApprovalRequestSlug: secretApprovalRequest.slug
+        }
+      },
+      {
+        workspaceId: secretApprovalRequest.workspace
+      }
+    );
+  }
+  return res.send({ approval: updatedRequest });
+};
--- a/backend/src/ee/controllers/v1/secretRotationController.ts
+++ b/backend/src/ee/controllers/v1/secretRotationController.ts
@ -0,0 +1,91 @@
+import { Request, Response } from "express";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotation";
+import * as secretRotationService from "../../secretRotation/service";
+import {
+  getUserProjectPermissions,
+  ProjectPermissionActions,
+  ProjectPermissionSub
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const createSecretRotation = async (req: Request, res: Response) => {
+  const {
+    body: {
+      provider,
+      customProvider,
+      interval,
+      outputs,
+      secretPath,
+      environment,
+      workspaceId,
+      inputs
+    }
+  } = await validateRequest(reqValidator.createSecretRotationV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.createSecretRotation({
+    workspaceId,
+    inputs,
+    environment,
+    secretPath,
+    outputs,
+    interval,
+    customProvider,
+    provider
+  });
+
+  return res.send({ secretRotation });
+};
+
+export const restartSecretRotations = async (req: Request, res: Response) => {
+  const {
+    body: { id }
+  } = await validateRequest(reqValidator.restartSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+  const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.restartSecretRotation({ id });
+  return res.send({ secretRotation });
+};
+
+export const deleteSecretRotations = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.removeSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+  const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.deleteSecretRotation({ id });
+  return res.send({ secretRotations });
+};
+
+export const getSecretRotations = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.getSecretRotationOfWorkspace(workspaceId);
+  return res.send({ secretRotations });
+};
--- a/backend/src/ee/controllers/v1/secretRotationProviderController.ts
+++ b/backend/src/ee/controllers/v1/secretRotationProviderController.ts
@ -0,0 +1,28 @@
+import { Request, Response } from "express";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotationProvider";
+import * as secretRotationProviderService from "../../secretRotation/service";
+import {
+  getUserProjectPermissions,
+  ProjectPermissionActions,
+  ProjectPermissionSub
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const getProviderTemplates = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationProvidersV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const rotationProviderList = await secretRotationProviderService.getProviderTemplate({
+    workspaceId
+  });
+
+  return res.send(rotationProviderList);
+};
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -5,6 +5,7 @@ import {
  Membership,
  Secret,
  ServiceTokenData,
+  ServiceTokenDataV3,
  TFolderSchema,
  User,
  Workspace
@ -16,10 +17,10 @@ import {
  FolderVersion,
  IPType,
  ISecretVersion,
-  Log,
  SecretSnapshot,
  SecretVersion,
  ServiceActor,
+  ServiceActorV3,
  TFolderRootVersionSchema,
  TrustedIP,
  UserActor
@ -27,7 +28,7 @@ import {
 import { EESecretService } from "../../services";
 import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
 // import Folder, { TFolderSchema } from "../../../models/folder";
-import { searchByFolderId } from "../../../services/FolderService";
+import { getFolderByPath, searchByFolderId } from "../../../services/FolderService";
 import { EEAuditLogService, EELicenseService } from "../../services";
 import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
 import { validateRequest } from "../../../helpers/validation";
@ -36,7 +37,6 @@ import {
  DeleteWorkspaceTrustedIpV1,
  GetWorkspaceAuditLogActorFilterOptsV1,
  GetWorkspaceAuditLogsV1,
-  GetWorkspaceLogsV1,
  GetWorkspaceSecretSnapshotsCountV1,
  GetWorkspaceSecretSnapshotsV1,
  GetWorkspaceTrustedIpsV1,
@ -104,7 +104,7 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
    */
  const {
    params: { workspaceId },
-    query: { environment, folderId, offset, limit }
+    query: { environment, directory, offset, limit }
  } = await validateRequest(GetWorkspaceSecretSnapshotsV1, req);

  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
@ -113,10 +113,20 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
    ProjectPermissionSub.SecretRollback
  );

+  let folderId = "root";
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders && directory !== "/") throw BadRequestError({ message: "Folder not found" });
+
+  if (folders) {
+    const folder = getFolderByPath(folders?.nodes, directory);
+    if (!folder) throw BadRequestError({ message: "Invalid folder id" });
+    folderId = folder.id;
+  }
+
  const secretSnapshots = await SecretSnapshot.find({
    workspace: workspaceId,
    environment,
-    folderId: folderId || "root"
+    folderId
  })
    .sort({ createdAt: -1 })
    .skip(offset)
@ -135,7 +145,7 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
 export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
  const {
    params: { workspaceId },
-    query: { environment, folderId }
+    query: { environment, directory }
  } = await validateRequest(GetWorkspaceSecretSnapshotsCountV1, req);

  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
@ -144,10 +154,20 @@ export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Respon
    ProjectPermissionSub.SecretRollback
  );

+  let folderId = "root";
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders && directory !== "/") throw BadRequestError({ message: "Folder not found" });
+
+  if (folders) {
+    const folder = getFolderByPath(folders?.nodes, directory);
+    if (!folder) throw BadRequestError({ message: "Invalid folder id" });
+    folderId = folder.id;
+  }
+
  const count = await SecretSnapshot.countDocuments({
    workspace: workspaceId,
    environment,
-    folderId: folderId || "root"
+    folderId
  });

  return res.status(200).send({
@ -215,7 +235,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons

  const {
    params: { workspaceId },
-    body: { folderId, environment, version }
+    body: { directory, environment, version }
  } = await validateRequest(RollbackWorkspaceSecretSnapshotV1, req);

  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
@ -224,6 +244,16 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
    ProjectPermissionSub.SecretRollback
  );

+  let folderId = "root";
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders && directory !== "/") throw BadRequestError({ message: "Folder not found" });
+
+  if (folders) {
+    const folder = getFolderByPath(folders?.nodes, directory);
+    if (!folder) throw BadRequestError({ message: "Invalid folder id" });
+    folderId = folder.id;
+  }
+
  // validate secret snapshot
  const secretSnapshot = await SecretSnapshot.findOne({
    workspace: workspaceId,
@ -531,112 +561,6 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
  });
 };

-/**
- * Return (audit) logs for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceLogs = async (req: Request, res: Response) => {
-  /* 
-    #swagger.summary = 'Return project (audit) logs'
-    #swagger.description = 'Return project (audit) logs'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['userId'] = {
-		"description": "ID of project member",
-		"required": false,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of logs to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of logs to return",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['sortBy'] = {
-		"description": "Order to sort the logs by",
-		"schema": {
-			"type": "string",
-			"@enum": ["oldest", "recent"]
-		},
-		"required": false
-	}
-
-	#swagger.parameters['actionNames'] = {
-		"description": "Names of log actions (comma-separated)",
-		"required": false,
-		"type": "string"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-					"type": "object",
-					"properties": {
-						"logs": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Log" 
-							},
-							"description": "Project logs"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-  const {
-    query: { limit, offset, userId, sortBy, actionNames },
-    params: { workspaceId }
-  } = await validateRequest(GetWorkspaceLogsV1, req);
-
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
-  ForbiddenError.from(permission).throwUnlessCan(
-    ProjectPermissionActions.Read,
-    ProjectPermissionSub.AuditLogs
-  );
-
-  const logs = await Log.find({
-    workspace: workspaceId,
-    ...(userId ? { user: userId } : {}),
-    ...(actionNames
-      ? {
-          actionNames: {
-            $in: actionNames.split(",")
-          }
-        }
-      : {})
-  })
-    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
-    .skip(offset)
-    .limit(limit)
-    .populate("actions")
-    .populate("user serviceAccount serviceTokenData");
-
-  return res.status(200).send({
-    logs
-  });
-};
-
 /**
 * Return audit logs for workspace with id [workspaceId]
 * @param req
@ -653,7 +577,7 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
    ProjectPermissionActions.Read,
    ProjectPermissionSub.AuditLogs
  );
-
+  
  const query = {
    workspace: new Types.ObjectId(workspaceId),
    ...(eventType
@ -668,13 +592,13 @@ export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
      : {}),
    ...(actor
      ? {
-          "actor.type": actor.split("-", 2)[0],
+          "actor.type": actor.substring(0, actor.lastIndexOf("-")),
          ...(actor.split("-", 2)[0] === ActorType.USER
            ? {
-                "actor.metadata.userId": actor.split("-", 2)[1]
+                "actor.metadata.userId": actor.substring(actor.lastIndexOf("-") + 1)
              }
            : {
-                "actor.metadata.serviceId": actor.split("-", 2)[1]
+                "actor.metadata.serviceId": actor.substring(actor.lastIndexOf("-") + 1)
              })
        }
      : {}),
@ -742,9 +666,27 @@ export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Res
      name: serviceTokenData.name
    }
  }));
+  
+  const serviceV3Actors: ServiceActorV3[] = (
+    await ServiceTokenDataV3.find({
+      workspace: new Types.ObjectId(workspaceId)
+    })
+  ).map((serviceTokenData) => ({
+    type: ActorType.SERVICE_V3,
+    metadata: {
+      serviceId: serviceTokenData._id.toString(),
+      name: serviceTokenData.name
+    }
+  }));
+  
+  const actors = [
+    ...userActors, 
+    ...serviceActors,
+    ...serviceV3Actors
+  ];

  return res.status(200).send({
-    actors: [...userActors, ...serviceActors]
+    actors
  });
 };

--- a/backend/src/ee/controllers/v3/apiKeyDataController.ts
+++ b/backend/src/ee/controllers/v3/apiKeyDataController.ts
@ -0,0 +1,101 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { APIKeyDataV2 } from "../../../models/apiKeyDataV2";
+import { validateRequest } from "../../../helpers/validation";
+import { BadRequestError } from "../../../utils/errors";
+import * as reqValidator from "../../../validation";
+import { createToken } from "../../../helpers";
+import { AuthTokenType } from "../../../variables";
+import { getAuthSecret } from "../../../config";
+
+/**
+ * Create API key data v2
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        body: {
+            name
+        }
+    } = await validateRequest(reqValidator.CreateAPIKeyV3, req);
+
+    const apiKeyData = await new APIKeyDataV2({
+        name,
+        user: req.user._id,
+        usageCount: 0,
+    }).save();
+    
+    const apiKey = createToken({
+        payload: {
+            authTokenType: AuthTokenType.API_KEY,
+            apiKeyDataId: apiKeyData._id.toString(),
+            userId: req.user._id.toString()
+        },
+        secret: await getAuthSecret()
+    });
+
+    return res.status(200).send({
+        apiKeyData,
+        apiKey
+    });
+}
+
+/**
+ * Update API key data v2 with id [apiKeyDataId]
+ * @param req 
+ * @param res 
+ */
+ export const updateAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        params: { apiKeyDataId },
+        body: { 
+            name, 
+        }
+    } = await validateRequest(reqValidator.UpdateAPIKeyV3, req);
+
+    const apiKeyData = await APIKeyDataV2.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(apiKeyDataId),
+            user: req.user._id
+        },
+        {
+            name
+        },
+        {
+            new: true
+        }
+    );
+    
+    if (!apiKeyData) throw BadRequestError({
+        message: "Failed to update API key"
+    });
+
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data v2 with id [apiKeyDataId]
+ * @param req 
+ * @param res 
+ */
+ export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    const {
+        params: { apiKeyDataId }
+    } = await validateRequest(reqValidator.DeleteAPIKeyV3, req);
+
+    const apiKeyData = await APIKeyDataV2.findOneAndDelete({
+        _id: new Types.ObjectId(apiKeyDataId),
+        user: req.user._id
+    });
+
+    if (!apiKeyData) throw BadRequestError({
+        message: "Failed to delete API key"
+    });
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
--- a/backend/src/ee/controllers/v3/index.ts
+++ b/backend/src/ee/controllers/v3/index.ts
@ -0,0 +1,7 @@
+import * as serviceTokenDataController from "./serviceTokenDataController";
+import * as apiKeyDataController from "./apiKeyDataController";
+
+export {
+    serviceTokenDataController,
+    apiKeyDataController
+}
--- a/backend/src/ee/controllers/v3/serviceTokenDataController.ts
+++ b/backend/src/ee/controllers/v3/serviceTokenDataController.ts
@ -0,0 +1,431 @@
+import jwt from "jsonwebtoken";
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { 
+    IServiceTokenDataV3,
+    IUser,
+    ServiceTokenDataV3,
+    ServiceTokenDataV3Key,
+    Workspace
+} from "../../../models";
+import {
+    IServiceTokenV3Scope, 
+    IServiceTokenV3TrustedIp 
+} from "../../../models/serviceTokenDataV3";
+import {
+    ActorType,
+    EventType
+} from "../../models";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../../validation/serviceTokenDataV3";
+import { createToken } from "../../../helpers/auth";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  getUserProjectPermissions
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability"; 
+import { BadRequestError, ResourceNotFoundError, UnauthorizedRequestError } from "../../../utils/errors";
+import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
+import { EEAuditLogService, EELicenseService } from "../../services";
+import { getAuthSecret } from "../../../config";
+import { AuthTokenType } from "../../../variables";
+
+/**
+ * Return project key for service token V3
+ * @param req 
+ * @param res 
+ */
+export const getServiceTokenDataKey = async (req: Request, res: Response) => {
+    const key = await ServiceTokenDataV3Key.findOne({
+        serviceTokenData: (req.authData.authPayload as IServiceTokenDataV3)._id
+    }).populate<{ sender: IUser }>("sender", "publicKey");
+    
+    if (!key) throw ResourceNotFoundError({
+        message: "Failed to find project key for service token"
+    });
+    
+    const { _id, workspace, encryptedKey, nonce, sender: { publicKey } } = key;
+    
+    return res.status(200).send({
+        key: {
+            _id,
+            workspace,
+            encryptedKey,
+            publicKey,
+            nonce
+        }
+    });
+}
+
+/**
+ * Return access and refresh token as per refresh operation
+ * @param req 
+ * @param res 
+ */
+ export const refreshToken = async (req: Request, res: Response) => {
+    const {
+        body: {
+            refresh_token
+        }
+    } = await validateRequest(reqValidator.RefreshTokenV3, req);
+
+    const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
+		jwt.verify(refresh_token, await getAuthSecret())
+	);
+    
+    if (decodedToken.authTokenType !== AuthTokenType.SERVICE_REFRESH_TOKEN) throw UnauthorizedRequestError();
+    
+    let serviceTokenData = await ServiceTokenDataV3.findOne({
+        _id: new Types.ObjectId(decodedToken.serviceTokenDataId),
+        isActive: true
+    });
+    
+    if (!serviceTokenData) throw UnauthorizedRequestError();
+
+    if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
+        // raise alarm
+        throw UnauthorizedRequestError();
+    }
+    
+    const response: {
+        refresh_token?: string;
+        access_token: string;
+        expires_in: number;
+        token_type: string;
+    } = {
+        refresh_token,
+        access_token: "",
+        expires_in: 0,
+        token_type: "Bearer"
+    };
+
+    if (serviceTokenData.isRefreshTokenRotationEnabled) {
+        serviceTokenData = await ServiceTokenDataV3.findByIdAndUpdate(
+            serviceTokenData._id,
+            {
+                $inc: {
+                    tokenVersion: 1
+                }
+            },
+            {
+                new: true
+            }
+        );
+        
+        if (!serviceTokenData) throw BadRequestError();
+        
+        response.refresh_token = createToken({
+            payload: {
+                serviceTokenDataId: serviceTokenData._id.toString(),
+                authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
+                tokenVersion: serviceTokenData.tokenVersion
+            },
+            secret: await getAuthSecret()
+        });
+    }
+
+    response.access_token = createToken({
+        payload: {
+            serviceTokenDataId: serviceTokenData._id.toString(),
+            authTokenType: AuthTokenType.SERVICE_ACCESS_TOKEN,
+            tokenVersion: serviceTokenData.tokenVersion
+        },
+        expiresIn: serviceTokenData.accessTokenTTL,
+        secret: await getAuthSecret()
+    });
+
+    response.expires_in = serviceTokenData.accessTokenTTL;
+
+    await ServiceTokenDataV3.findByIdAndUpdate(
+        serviceTokenData._id,
+        {
+            refreshTokenLastUsed: new Date(),
+            $inc: { refreshTokenUsageCount: 1 }
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send(response);
+}
+
+/**
+ * Create service token data V3
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createServiceTokenData = async (req: Request, res: Response) => {
+    const {
+        body: { 
+            name, 
+            workspaceId, 
+            publicKey, 
+            scopes,
+            trustedIps,
+            expiresIn, 
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled,
+            encryptedKey, // for ServiceTokenDataV3Key
+            nonce, // for ServiceTokenDataV3Key
+        }
+    } = await validateRequest(reqValidator.CreateServiceTokenV3, req);
+    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+    ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        ProjectPermissionSub.ServiceTokens
+    );
+    
+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw BadRequestError({ message: "Workspace not found" });
+
+    const plan = await EELicenseService.getPlan(workspace.organization);
+    
+    // validate trusted ips
+    const reformattedTrustedIps = trustedIps.map((trustedIp) => {
+        if (!plan.ipAllowlisting && trustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+            message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
+        });
+
+        const isValidIPOrCidr = isValidIpOrCidr(trustedIp.ipAddress);
+        
+        if (!isValidIPOrCidr) return res.status(400).send({
+            message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+        
+        return extractIPDetails(trustedIp.ipAddress);
+    });
+    
+    let expiresAt;
+    if (expiresIn) {
+        expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    }
+    
+    let user;
+    if (req.authData.actor.type === ActorType.USER) {
+        user = req.authData.authPayload._id;
+    }
+    
+    const isActive = true;
+    const serviceTokenData = await new ServiceTokenDataV3({
+        name,
+        user,
+        workspace: new Types.ObjectId(workspaceId),
+        publicKey,
+        refreshTokenUsageCount: 0,
+        accessTokenUsageCount: 0,
+        tokenVersion: 1,
+        trustedIps: reformattedTrustedIps,
+        scopes,
+        isActive,
+        expiresAt,
+        accessTokenTTL,
+        isRefreshTokenRotationEnabled
+    }).save();
+    
+    await new ServiceTokenDataV3Key({
+        encryptedKey,
+        nonce,
+        sender: req.user._id,
+        serviceTokenData: serviceTokenData._id,
+        workspace: new Types.ObjectId(workspaceId)
+    }).save();
+    
+    const refreshToken = createToken({
+        payload: {
+            serviceTokenDataId: serviceTokenData._id.toString(),
+            authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
+            tokenVersion: serviceTokenData.tokenVersion
+        },
+        secret: await getAuthSecret()
+    });
+    
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.CREATE_SERVICE_TOKEN_V3, // TODO: update
+            metadata: {
+                name,
+                isActive,
+                scopes: scopes as Array<IServiceTokenV3Scope>,
+                trustedIps: reformattedTrustedIps as Array<IServiceTokenV3TrustedIp>,
+                expiresAt
+            }
+        },
+        {
+            workspaceId: new Types.ObjectId(workspaceId)
+        }
+    );
+    
+    return res.status(200).send({
+        serviceTokenData,
+        refreshToken
+    });
+}
+
+/**
+ * Update service token V3 data with id [serviceTokenDataId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateServiceTokenData = async (req: Request, res: Response) => {
+    const {
+        params: { serviceTokenDataId },
+        body: { 
+            name, 
+            isActive,
+            scopes,
+            trustedIps,
+            expiresIn,
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled
+        }
+    } = await validateRequest(reqValidator.UpdateServiceTokenV3, req);
+
+    let serviceTokenData = await ServiceTokenDataV3.findById(serviceTokenDataId);
+    if (!serviceTokenData) throw ResourceNotFoundError({ 
+        message: "Service token not found" 
+    });
+    
+    const { permission } = await getUserProjectPermissions(
+        req.user._id,
+        serviceTokenData.workspace.toString()
+    );
+    
+    ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        ProjectPermissionSub.ServiceTokens
+    );
+
+    const workspace = await Workspace.findById(serviceTokenData.workspace);
+    if (!workspace) throw BadRequestError({ message: "Workspace not found" });
+
+    const plan = await EELicenseService.getPlan(workspace.organization);
+
+    // validate trusted ips
+    let reformattedTrustedIps;
+    if (trustedIps) {
+        reformattedTrustedIps = trustedIps.map((trustedIp) => {
+            if (!plan.ipAllowlisting && trustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+                message: "Failed to update IP access range to service token due to plan restriction. Upgrade plan to update IP access range."
+            });
+
+            const isValidIPOrCidr = isValidIpOrCidr(trustedIp.ipAddress);
+            
+            if (!isValidIPOrCidr) return res.status(400).send({
+                message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+            });
+            
+            return extractIPDetails(trustedIp.ipAddress);
+        });
+    }
+
+    let expiresAt;
+    if (expiresIn) {
+        expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    }
+    
+    serviceTokenData = await ServiceTokenDataV3.findByIdAndUpdate(
+        serviceTokenDataId,
+        {
+            name,
+            isActive,
+            scopes,
+            trustedIps: reformattedTrustedIps,
+            expiresAt,
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled
+        },
+        {
+            new: true
+        }
+    );
+
+    if (!serviceTokenData) throw BadRequestError({
+        message: "Failed to update service token"
+    });
+
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.UPDATE_SERVICE_TOKEN_V3,
+            metadata: {
+                name: serviceTokenData.name,
+                isActive,
+                scopes: scopes as Array<IServiceTokenV3Scope>,
+                trustedIps: reformattedTrustedIps as Array<IServiceTokenV3TrustedIp>,
+                expiresAt
+            }
+        },
+        {
+            workspaceId: serviceTokenData.workspace
+        }
+    );
+
+    return res.status(200).send({
+        serviceTokenData
+    }); 
+}
+
+/**
+ * Delete service token data with id [serviceTokenDataId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceTokenData = async (req: Request, res: Response) => {
+    const {
+        params: { serviceTokenDataId }
+    } = await validateRequest(reqValidator.DeleteServiceTokenV3, req);
+    
+    let serviceTokenData = await ServiceTokenDataV3.findById(serviceTokenDataId);
+    if (!serviceTokenData) throw ResourceNotFoundError({ 
+        message: "Service token not found" 
+    });
+    
+    const { permission } = await getUserProjectPermissions(
+        req.user._id,
+        serviceTokenData.workspace.toString()
+    );
+    
+    ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Delete,
+        ProjectPermissionSub.ServiceTokens
+    );
+    
+    serviceTokenData = await ServiceTokenDataV3.findByIdAndDelete(serviceTokenDataId);
+    
+    if (!serviceTokenData) throw BadRequestError({
+        message: "Failed to delete service token"
+    });
+    
+    await ServiceTokenDataV3Key.findOneAndDelete({
+        serviceTokenData: serviceTokenData._id
+    });
+    
+    await EEAuditLogService.createAuditLog(
+        req.authData,
+        {
+            type: EventType.DELETE_SERVICE_TOKEN_V3,
+            metadata: {
+                name: serviceTokenData.name,
+                isActive: serviceTokenData.isActive,
+                scopes: serviceTokenData.scopes as Array<IServiceTokenV3Scope>,
+                trustedIps: serviceTokenData.trustedIps as Array<IServiceTokenV3TrustedIp>,
+                expiresAt: serviceTokenData.expiresAt
+            }
+        },
+        {
+            workspaceId: serviceTokenData.workspace
+        }
+    );
+
+    return res.status(200).send({
+        serviceTokenData
+    }); 
+}
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,195 +0,0 @@
-import { Types } from "mongoose";
-import { Action } from "../models";
-import { 
-    getLatestNSecretSecretVersionIds,
-    getLatestSecretVersionIds,
-} from "../helpers/secretVersion";
-import { 
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from "../../variables";
-
-/**
- * Create an (audit) action for updating secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionUpdateSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-            secretIds,
-            n: 2,
-        }))
-        .map((s) => ({
-            oldSecretVersion: s.versions[0]._id,
-            newSecretVersion: s.versions[1]._id,
-        }));
-    
-    const action = await new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId,
-        payload: {
-            secretVersions: latestSecretVersions,
-        },
-    }).save();
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for creating, reading, and deleting
- * secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    // case: action is adding, deleting, or reading secrets
-    // -> add new secret versions
-    const latestSecretVersions = (await getLatestSecretVersionIds({
-        secretIds,
-    }))
-    .map((s) => ({
-        newSecretVersion: s.versionId,
-    }));
-    
-   const action = await new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId,
-        payload: {
-            secretVersions: latestSecretVersions,
-        },
-    }).save(); 
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for client with id [userId],
- * [serviceAccountId], or [serviceTokenDataId]
- * @param {Object} obj 
- * @param {String} obj.name - name of action
- * @param {String} obj.userId - id of user associated with action
- * @returns 
- */
-const createActionClient = ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-}) => {
-    const action = new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-    }).save();
-
-    return action; 
-}
-
-/**
- * Create an (audit) action. 
- * @param {Object} obj
- * @param {Object} obj.name - name of action
- * @param {Types.ObjectId} obj.userId - id of user associated with action
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
- * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
-*/
-const createActionHelper = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    secretIds?: Types.ObjectId[];
-}) => {
-    let action;
-    switch (name) {
-        case ACTION_LOGIN:
-        case ACTION_LOGOUT:
-            action = await createActionClient({
-                name,
-                userId,
-            });
-            break;
-        case ACTION_ADD_SECRETS:
-        case ACTION_READ_SECRETS:
-        case ACTION_DELETE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
-            action = await createActionSecret({
-                name,
-                userId,
-                workspaceId,
-                secretIds,
-            });
-            break;
-        case ACTION_UPDATE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
-            action = await createActionUpdateSecret({
-                name,
-                userId,
-                workspaceId,
-                secretIds,
-            });
-            break;
-    }
-    
-    return action;
-}
-
-export { 
-    createActionHelper,
-};
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,50 +0,0 @@
-import { Types } from "mongoose";
-import { 
-    IAction,
-    Log,
-} from "../models";
-
-/**
- * Create an (audit) log
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId - id of user associated with the log
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
- * @param {IAction[]} obj.actions - actions to include in log
- * @param {String} obj.channel - channel (web/cli/auto) associated with the log
- * @param {String} obj.ipAddress - ip address associated with the log
- * @returns {Log} log - new audit log
- */
-const createLogHelper = async ({
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    actions,
-    channel,
-    ipAddress,
-}: {
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    actions: IAction[];
-    channel: string;
-    ipAddress: string;
-}) => {
-    const log = await new Log({
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId ?? undefined,
-        actionNames: actions.map((a) => a.name),
-        actions,
-        channel,
-        ipAddress,
-    }).save();
-
-    return log;
-}
-
-export {
-    createLogHelper,
-}
--- a/backend/src/ee/middleware/index.ts
+++ b/backend/src/ee/middleware/index.ts
@ -1,5 +0,0 @@
-import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
-
-export {
-    requireSecretSnapshotAuth,
-}
--- a/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
+++ b/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
@ -1,43 +0,0 @@
-import { NextFunction, Request, Response } from "express";
-import { SecretSnapshotNotFoundError } from "../../utils/errors";
-import { SecretSnapshot } from "../models";
-import {
-    validateMembership,
-} from "../../helpers/membership";
-
-/**
- * Validate if user on request has proper membership for secret snapshot
- * @param {Object} obj
- * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
- * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
- */
-const requireSecretSnapshotAuth = ({
-    acceptedRoles,
-}: {
-    acceptedRoles: Array<"admin" | "member">;
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        const { secretSnapshotId } = req.params;
-        
-        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-        
-        if (!secretSnapshot) {
-            return next(SecretSnapshotNotFoundError({
-                message: "Failed to find secret snapshot",
-            }));
-        }
-        
-        await validateMembership({
-            userId: req.user._id,
-            workspaceId: secretSnapshot.workspace,
-            acceptedRoles,
-        });
-        
-        req.secretSnapshot = secretSnapshot as any;
-
-        next();
-    }
-}
-
-export default requireSecretSnapshotAuth;
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -1,69 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-import {
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from "../../variables";
-
-export interface IAction {
-    name: string;
-    user?: Types.ObjectId,
-    serviceAccount?: Types.ObjectId,
-    serviceTokenData?: Types.ObjectId,
-    workspace?: Types.ObjectId,
-    payload?: {
-        secretVersions?: Types.ObjectId[]
-    }
-}
-
-const actionSchema = new Schema<IAction>(
-    {
-        name: {
-            type: String,
-            required: true,
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS,
-            ],
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceAccount",
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceTokenData",
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: "Workspace",
-        },
-        payload: {
-            secretVersions: [{
-                oldSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: "SecretVersion",
-                },
-                newSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: "SecretVersion",
-                },
-            }],
-        },
-    }, {
-        timestamps: true,
-    }
-);
-
-export const Action = model<IAction>("Action", actionSchema);
--- a/backend/src/ee/models/auditLog/enums.ts
+++ b/backend/src/ee/models/auditLog/enums.ts
@ -1,47 +1,60 @@
 export enum ActorType {
-    USER = "user",
-    SERVICE = "service"
+  USER = "user",
+  SERVICE = "service",
+  SERVICE_V3 = "service-v3",
+  Machine = "machine"
 }

 export enum UserAgentType {
-    WEB = "web",
-    CLI = "cli",
-    K8_OPERATOR = "k8-operator",
-    OTHER = "other"
+  WEB = "web",
+  CLI = "cli",
+  K8_OPERATOR = "k8-operator",
+  OTHER = "other"
 }

 export enum EventType {
-    GET_SECRETS = "get-secrets",
-    GET_SECRET = "get-secret",
-    REVEAL_SECRET = "reveal-secret",
-    CREATE_SECRET = "create-secret",
-    UPDATE_SECRET = "update-secret",
-    DELETE_SECRET = "delete-secret",
-    GET_WORKSPACE_KEY = "get-workspace-key",
-    AUTHORIZE_INTEGRATION = "authorize-integration",
-    UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
-    CREATE_INTEGRATION = "create-integration",
-    DELETE_INTEGRATION = "delete-integration",
-    ADD_TRUSTED_IP = "add-trusted-ip",
-    UPDATE_TRUSTED_IP = "update-trusted-ip",
-    DELETE_TRUSTED_IP = "delete-trusted-ip",
-    CREATE_SERVICE_TOKEN = "create-service-token",
-    DELETE_SERVICE_TOKEN = "delete-service-token",
-    CREATE_ENVIRONMENT = "create-environment",
-    UPDATE_ENVIRONMENT = "update-environment",
-    DELETE_ENVIRONMENT = "delete-environment",
-    ADD_WORKSPACE_MEMBER = "add-workspace-member",
-    REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
-    CREATE_FOLDER = "create-folder",
-    UPDATE_FOLDER = "update-folder",
-    DELETE_FOLDER = "delete-folder",
-    CREATE_WEBHOOK = "create-webhook",
-    UPDATE_WEBHOOK_STATUS = "update-webhook-status",
-    DELETE_WEBHOOK = "delete-webhook",
-    GET_SECRET_IMPORTS = "get-secret-imports",
-    CREATE_SECRET_IMPORT = "create-secret-import",
-    UPDATE_SECRET_IMPORT = "update-secret-import",
-    DELETE_SECRET_IMPORT = "delete-secret-import",
-    UPDATE_USER_WORKSPACE_ROLE = "update-user-workspace-role",
-    UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS = "update-user-workspace-denied-permissions"
-}
+  GET_SECRETS = "get-secrets",
+  GET_SECRET = "get-secret",
+  REVEAL_SECRET = "reveal-secret",
+  CREATE_SECRET = "create-secret",
+  CREATE_SECRETS = "create-secrets",
+  UPDATE_SECRET = "update-secret",
+  UPDATE_SECRETS = "update-secrets",
+  DELETE_SECRET = "delete-secret",
+  DELETE_SECRETS = "delete-secrets",
+  GET_WORKSPACE_KEY = "get-workspace-key",
+  AUTHORIZE_INTEGRATION = "authorize-integration",
+  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
+  CREATE_INTEGRATION = "create-integration",
+  DELETE_INTEGRATION = "delete-integration",
+  ADD_TRUSTED_IP = "add-trusted-ip",
+  UPDATE_TRUSTED_IP = "update-trusted-ip",
+  DELETE_TRUSTED_IP = "delete-trusted-ip",
+  CREATE_SERVICE_TOKEN = "create-service-token", // v2
+  DELETE_SERVICE_TOKEN = "delete-service-token", // v2
+  CREATE_SERVICE_TOKEN_V3 = "create-service-token-v3", // v3
+  UPDATE_SERVICE_TOKEN_V3 = "update-service-token-v3", // v3
+  DELETE_SERVICE_TOKEN_V3 = "delete-service-token-v3", // v3
+  CREATE_ENVIRONMENT = "create-environment",
+  UPDATE_ENVIRONMENT = "update-environment",
+  DELETE_ENVIRONMENT = "delete-environment",
+  ADD_WORKSPACE_MEMBER = "add-workspace-member",
+  ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
+  REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
+  CREATE_FOLDER = "create-folder",
+  UPDATE_FOLDER = "update-folder",
+  DELETE_FOLDER = "delete-folder",
+  CREATE_WEBHOOK = "create-webhook",
+  UPDATE_WEBHOOK_STATUS = "update-webhook-status",
+  DELETE_WEBHOOK = "delete-webhook",
+  GET_SECRET_IMPORTS = "get-secret-imports",
+  CREATE_SECRET_IMPORT = "create-secret-import",
+  UPDATE_SECRET_IMPORT = "update-secret-import",
+  DELETE_SECRET_IMPORT = "delete-secret-import",
+  UPDATE_USER_WORKSPACE_ROLE = "update-user-workspace-role",
+  UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS = "update-user-workspace-denied-permissions",
+  SECRET_APPROVAL_MERGED = "secret-approval-merged",
+  SECRET_APPROVAL_REQUEST = "secret-approval-request",
+  SECRET_APPROVAL_CLOSED = "secret-approval-closed",
+  SECRET_APPROVAL_REOPENED = "secret-approval-reopened"
+}
--- a/backend/src/ee/models/auditLog/types.ts
+++ b/backend/src/ee/models/auditLog/types.ts
@ -1,403 +1,522 @@
-import {
-    ActorType,
-    EventType
-} from "./enums";
+import { ActorType, EventType } from "./enums";
+import { IServiceTokenV3Scope, IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";

 interface UserActorMetadata {
-    userId: string;
-    email: string;
+  userId: string;
+  email: string;
 }

 interface ServiceActorMetadata {
-    serviceId: string;
-    name: string;
+  serviceId: string;
+  name: string;
 }

 export interface UserActor {
-    type: ActorType.USER;
-    metadata: UserActorMetadata;
+  type: ActorType.USER;
+  metadata: UserActorMetadata;
 }

 export interface ServiceActor {
-    type: ActorType.SERVICE;
-    metadata: ServiceActorMetadata;
+  type: ActorType.SERVICE;
+  metadata: ServiceActorMetadata;
 }

-export type Actor = 
-    | UserActor
-    | ServiceActor;
+export interface ServiceActorV3 {
+  type: ActorType.SERVICE_V3;
+  metadata: ServiceActorMetadata;
+}
+
+export interface MachineActor {
+  type: ActorType.Machine;
+}
+
+export type Actor = UserActor | ServiceActor | ServiceActorV3 | MachineActor;

 interface GetSecretsEvent {
-    type: EventType.GET_SECRETS;
-    metadata: {
-        environment: string;
-        secretPath: string;
-        numberOfSecrets: number;
-    };
+  type: EventType.GET_SECRETS;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    numberOfSecrets: number;
+  };
 }

 interface GetSecretEvent {
-    type: EventType.GET_SECRET;
-    metadata: {
-        environment: string;
-        secretPath: string;
-        secretId: string;
-        secretKey: string;
-        secretVersion: number;
-    };
+  type: EventType.GET_SECRET;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secretId: string;
+    secretKey: string;
+    secretVersion: number;
+  };
 }

 interface CreateSecretEvent {
-    type: EventType.CREATE_SECRET;
-    metadata: {
-        environment: string;
-        secretPath: string;
-        secretId: string;
-        secretKey: string;
-        secretVersion: number;
-    }
+  type: EventType.CREATE_SECRET;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secretId: string;
+    secretKey: string;
+    secretVersion: number;
+  };
+}
+
+interface CreateSecretBatchEvent {
+  type: EventType.CREATE_SECRETS;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
+  };
 }

 interface UpdateSecretEvent {
-    type: EventType.UPDATE_SECRET;
-    metadata: {
-        environment: string;
-        secretPath: string;
-        secretId: string;
-        secretKey: string;
-        secretVersion: number;
-    }
+  type: EventType.UPDATE_SECRET;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secretId: string;
+    secretKey: string;
+    secretVersion: number;
+  };
+}
+
+interface UpdateSecretBatchEvent {
+  type: EventType.UPDATE_SECRETS;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
+  };
 }

 interface DeleteSecretEvent {
-    type: EventType.DELETE_SECRET;
-    metadata: {
-        environment: string;
-        secretPath: string;
-        secretId: string;
-        secretKey: string;
-        secretVersion: number;
-    }
+  type: EventType.DELETE_SECRET;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secretId: string;
+    secretKey: string;
+    secretVersion: number;
+  };
+}
+
+interface DeleteSecretBatchEvent {
+  type: EventType.DELETE_SECRETS;
+  metadata: {
+    environment: string;
+    secretPath: string;
+    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
+  };
 }

 interface GetWorkspaceKeyEvent {
-    type: EventType.GET_WORKSPACE_KEY,
-    metadata: {
-        keyId: string;
-    }
+  type: EventType.GET_WORKSPACE_KEY;
+  metadata: {
+    keyId: string;
+  };
 }

 interface AuthorizeIntegrationEvent {
-    type: EventType.AUTHORIZE_INTEGRATION;
-    metadata: {
-        integration: string;
-    }
+  type: EventType.AUTHORIZE_INTEGRATION;
+  metadata: {
+    integration: string;
+  };
 }

 interface UnauthorizeIntegrationEvent {
-    type: EventType.UNAUTHORIZE_INTEGRATION;
-    metadata: {
-        integration: string;
-    }
+  type: EventType.UNAUTHORIZE_INTEGRATION;
+  metadata: {
+    integration: string;
+  };
 }

 interface CreateIntegrationEvent {
-    type: EventType.CREATE_INTEGRATION;
-    metadata: {
-        integrationId: string;
-        integration: string; // TODO: fix type
-        environment: string;
-        secretPath: string;
-        url?: string;
-        app?: string;
-        appId?: string;
-        targetEnvironment?: string;
-        targetEnvironmentId?: string;
-        targetService?: string;
-        targetServiceId?: string;
-        path?: string;
-        region?: string;
-    }
+  type: EventType.CREATE_INTEGRATION;
+  metadata: {
+    integrationId: string;
+    integration: string; // TODO: fix type
+    environment: string;
+    secretPath: string;
+    url?: string;
+    app?: string;
+    appId?: string;
+    targetEnvironment?: string;
+    targetEnvironmentId?: string;
+    targetService?: string;
+    targetServiceId?: string;
+    path?: string;
+    region?: string;
+  };
 }

 interface DeleteIntegrationEvent {
-    type: EventType.DELETE_INTEGRATION;
-    metadata: {
-        integrationId: string;
-        integration: string; // TODO: fix type
-        environment: string;
-        secretPath: string;
-        url?: string;
-        app?: string;
-        appId?: string;
-        targetEnvironment?: string;
-        targetEnvironmentId?: string;
-        targetService?: string;
-        targetServiceId?: string;
-        path?: string;
-        region?: string;
-    }
+  type: EventType.DELETE_INTEGRATION;
+  metadata: {
+    integrationId: string;
+    integration: string; // TODO: fix type
+    environment: string;
+    secretPath: string;
+    url?: string;
+    app?: string;
+    appId?: string;
+    targetEnvironment?: string;
+    targetEnvironmentId?: string;
+    targetService?: string;
+    targetServiceId?: string;
+    path?: string;
+    region?: string;
+  };
 }

 interface AddTrustedIPEvent {
-    type: EventType.ADD_TRUSTED_IP;
-    metadata: {
-        trustedIpId: string;
-        ipAddress: string;
-        prefix?: number;
-    }
+  type: EventType.ADD_TRUSTED_IP;
+  metadata: {
+    trustedIpId: string;
+    ipAddress: string;
+    prefix?: number;
+  };
 }

 interface UpdateTrustedIPEvent {
-    type: EventType.UPDATE_TRUSTED_IP;
-    metadata: {
-        trustedIpId: string;
-        ipAddress: string;
-        prefix?: number;
-    }
+  type: EventType.UPDATE_TRUSTED_IP;
+  metadata: {
+    trustedIpId: string;
+    ipAddress: string;
+    prefix?: number;
+  };
 }

 interface DeleteTrustedIPEvent {
-    type: EventType.DELETE_TRUSTED_IP;
-    metadata: {
-        trustedIpId: string;
-        ipAddress: string;
-        prefix?: number;
-    }
+  type: EventType.DELETE_TRUSTED_IP;
+  metadata: {
+    trustedIpId: string;
+    ipAddress: string;
+    prefix?: number;
+  };
 }

 interface CreateServiceTokenEvent {
-    type: EventType.CREATE_SERVICE_TOKEN;
-    metadata: {
-        name: string;
-        scopes: Array<{
-            environment: string;
-            secretPath: string;
-        }>;
-    }
+  type: EventType.CREATE_SERVICE_TOKEN;
+  metadata: {
+    name: string;
+    scopes: Array<{
+      environment: string;
+      secretPath: string;
+    }>;
+  };
 }

 interface DeleteServiceTokenEvent {
-    type: EventType.DELETE_SERVICE_TOKEN;
-    metadata: {
-        name: string;
-        scopes: Array<{
-            environment: string;
-            secretPath: string;
-        }>;
-    }
+  type: EventType.DELETE_SERVICE_TOKEN;
+  metadata: {
+    name: string;
+    scopes: Array<{
+      environment: string;
+      secretPath: string;
+    }>;
+  };
+}
+
+interface CreateServiceTokenV3Event {
+  type: EventType.CREATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    scopes: Array<IServiceTokenV3Scope>;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
+}
+
+interface UpdateServiceTokenV3Event {
+  type: EventType.UPDATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name?: string;
+    isActive?: boolean;
+    scopes?: Array<IServiceTokenV3Scope>;
+    trustedIps?: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
+}
+
+interface DeleteServiceTokenV3Event {
+  type: EventType.DELETE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    scopes: Array<IServiceTokenV3Scope>;
+    expiresAt?: Date;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+  };
 }

 interface CreateEnvironmentEvent {
-    type: EventType.CREATE_ENVIRONMENT;
-    metadata: {
-        name: string;
-        slug: string;
-    }
+  type: EventType.CREATE_ENVIRONMENT;
+  metadata: {
+    name: string;
+    slug: string;
+  };
 }

 interface UpdateEnvironmentEvent {
-    type: EventType.UPDATE_ENVIRONMENT;
-    metadata: {
-        oldName: string;
-        newName: string;
-        oldSlug: string;
-        newSlug: string;
-    }
+  type: EventType.UPDATE_ENVIRONMENT;
+  metadata: {
+    oldName: string;
+    newName: string;
+    oldSlug: string;
+    newSlug: string;
+  };
 }

 interface DeleteEnvironmentEvent {
-    type: EventType.DELETE_ENVIRONMENT;
-    metadata: {
-        name: string;
-        slug: string;
-    }
+  type: EventType.DELETE_ENVIRONMENT;
+  metadata: {
+    name: string;
+    slug: string;
+  };
 }

 interface AddWorkspaceMemberEvent {
-    type: EventType.ADD_WORKSPACE_MEMBER;
-    metadata: {
-        userId: string;
-        email: string;
-    }
+  type: EventType.ADD_WORKSPACE_MEMBER;
+  metadata: {
+    userId: string;
+    email: string;
+  };
+}
+
+interface AddBatchWorkspaceMemberEvent {
+  type: EventType.ADD_BATCH_WORKSPACE_MEMBER;
+  metadata: Array<{
+    userId: string;
+    email: string;
+  }>;
 }

 interface RemoveWorkspaceMemberEvent {
-    type: EventType.REMOVE_WORKSPACE_MEMBER;
-    metadata: {
-        userId: string;
-        email: string;
-    }
+  type: EventType.REMOVE_WORKSPACE_MEMBER;
+  metadata: {
+    userId: string;
+    email: string;
+  };
 }

 interface CreateFolderEvent {
-    type: EventType.CREATE_FOLDER;
-    metadata: {
-        environment: string;
-        folderId: string;
-        folderName: string;
-        folderPath: string;
-    }
+  type: EventType.CREATE_FOLDER;
+  metadata: {
+    environment: string;
+    folderId: string;
+    folderName: string;
+    folderPath: string;
+  };
 }

 interface UpdateFolderEvent {
-    type: EventType.UPDATE_FOLDER;
-    metadata: {
-        environment: string;
-        folderId: string;
-        oldFolderName: string;
-        newFolderName: string;
-        folderPath: string;
-    }
+  type: EventType.UPDATE_FOLDER;
+  metadata: {
+    environment: string;
+    folderId: string;
+    oldFolderName: string;
+    newFolderName: string;
+    folderPath: string;
+  };
 }

 interface DeleteFolderEvent {
-    type: EventType.DELETE_FOLDER;
-    metadata: {
-        environment: string;
-        folderId: string;
-        folderName: string;
-        folderPath: string;
-    }
+  type: EventType.DELETE_FOLDER;
+  metadata: {
+    environment: string;
+    folderId: string;
+    folderName: string;
+    folderPath: string;
+  };
 }

 interface CreateWebhookEvent {
-    type: EventType.CREATE_WEBHOOK,
-    metadata: {
-        webhookId: string;
-        environment: string;
-        secretPath: string;
-        webhookUrl: string;
-        isDisabled: boolean;
-    }
+  type: EventType.CREATE_WEBHOOK;
+  metadata: {
+    webhookId: string;
+    environment: string;
+    secretPath: string;
+    webhookUrl: string;
+    isDisabled: boolean;
+  };
 }

 interface UpdateWebhookStatusEvent {
-    type: EventType.UPDATE_WEBHOOK_STATUS,
-    metadata: {
-        webhookId: string;
-        environment: string;
-        secretPath: string;
-        webhookUrl: string;
-        isDisabled: boolean;
-    }
+  type: EventType.UPDATE_WEBHOOK_STATUS;
+  metadata: {
+    webhookId: string;
+    environment: string;
+    secretPath: string;
+    webhookUrl: string;
+    isDisabled: boolean;
+  };
 }

 interface DeleteWebhookEvent {
-    type: EventType.DELETE_WEBHOOK,
-    metadata: {
-        webhookId: string;
-        environment: string;
-        secretPath: string;
-        webhookUrl: string;
-        isDisabled: boolean;
-    }
+  type: EventType.DELETE_WEBHOOK;
+  metadata: {
+    webhookId: string;
+    environment: string;
+    secretPath: string;
+    webhookUrl: string;
+    isDisabled: boolean;
+  };
 }

 interface GetSecretImportsEvent {
-    type: EventType.GET_SECRET_IMPORTS,
-    metadata: {
-        environment: string;
-        secretImportId: string;
-        folderId: string;
-        numberOfImports: number;
-    }
+  type: EventType.GET_SECRET_IMPORTS;
+  metadata: {
+    environment: string;
+    secretImportId: string;
+    folderId: string;
+    numberOfImports: number;
+  };
 }

 interface CreateSecretImportEvent {
-    type: EventType.CREATE_SECRET_IMPORT,
-    metadata: {
-        secretImportId: string;
-        folderId: string;
-        importFromEnvironment: string;
-        importFromSecretPath: string;
-        importToEnvironment: string;
-        importToSecretPath: string;
-    }
+  type: EventType.CREATE_SECRET_IMPORT;
+  metadata: {
+    secretImportId: string;
+    folderId: string;
+    importFromEnvironment: string;
+    importFromSecretPath: string;
+    importToEnvironment: string;
+    importToSecretPath: string;
+  };
 }

 interface UpdateSecretImportEvent {
-    type: EventType.UPDATE_SECRET_IMPORT,
-    metadata: {
-        secretImportId: string;
-        folderId: string;
-        importToEnvironment: string;
-        importToSecretPath: string;
-        orderBefore: {
-          environment: string;
-          secretPath: string;
-        }[],
-        orderAfter: {
-          environment: string;
-          secretPath: string;
-        }[]
-    }
+  type: EventType.UPDATE_SECRET_IMPORT;
+  metadata: {
+    secretImportId: string;
+    folderId: string;
+    importToEnvironment: string;
+    importToSecretPath: string;
+    orderBefore: {
+      environment: string;
+      secretPath: string;
+    }[];
+    orderAfter: {
+      environment: string;
+      secretPath: string;
+    }[];
+  };
 }

 interface DeleteSecretImportEvent {
-    type: EventType.DELETE_SECRET_IMPORT,
-    metadata: {
-        secretImportId: string;
-        folderId: string;
-        importFromEnvironment: string;
-        importFromSecretPath: string;
-        importToEnvironment: string;
-        importToSecretPath: string;
-    }
+  type: EventType.DELETE_SECRET_IMPORT;
+  metadata: {
+    secretImportId: string;
+    folderId: string;
+    importFromEnvironment: string;
+    importFromSecretPath: string;
+    importToEnvironment: string;
+    importToSecretPath: string;
+  };
 }

 interface UpdateUserRole {
-    type: EventType.UPDATE_USER_WORKSPACE_ROLE,
-    metadata: {
-        userId: string;
-        email: string;
-        oldRole: string;
-        newRole: string;
-    }
+  type: EventType.UPDATE_USER_WORKSPACE_ROLE;
+  metadata: {
+    userId: string;
+    email: string;
+    oldRole: string;
+    newRole: string;
+  };
 }

 interface UpdateUserDeniedPermissions {
-    type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
-    metadata: {
-        userId: string;
-        email: string;
-        deniedPermissions: {
-            environmentSlug: string;
-            ability: string;
-        }[]
-    }
+  type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS;
+  metadata: {
+    userId: string;
+    email: string;
+    deniedPermissions: {
+      environmentSlug: string;
+      ability: string;
+    }[];
+  };
+}
+interface SecretApprovalMerge {
+  type: EventType.SECRET_APPROVAL_MERGED;
+  metadata: {
+    mergedBy: string;
+    secretApprovalRequestSlug: string;
+    secretApprovalRequestId: string;
+  };
 }

-export type Event = 
-    | GetSecretsEvent
-    | GetSecretEvent
-    | CreateSecretEvent
-    | UpdateSecretEvent
-    | DeleteSecretEvent
-    | GetWorkspaceKeyEvent
-    | AuthorizeIntegrationEvent
-    | UnauthorizeIntegrationEvent
-    | CreateIntegrationEvent
-    | DeleteIntegrationEvent
-    | AddTrustedIPEvent
-    | UpdateTrustedIPEvent
-    | DeleteTrustedIPEvent
-    | CreateServiceTokenEvent
-    | DeleteServiceTokenEvent
-    | CreateEnvironmentEvent
-    | UpdateEnvironmentEvent
-    | DeleteEnvironmentEvent
-    | AddWorkspaceMemberEvent
-    | RemoveWorkspaceMemberEvent
-    | CreateFolderEvent
-    | UpdateFolderEvent
-    | DeleteFolderEvent
-    | CreateWebhookEvent
-    | UpdateWebhookStatusEvent
-    | DeleteWebhookEvent
-    | GetSecretImportsEvent
-    | CreateSecretImportEvent
-    | UpdateSecretImportEvent
-    | DeleteSecretImportEvent
-    | UpdateUserRole
-    | UpdateUserDeniedPermissions;
+interface SecretApprovalClosed {
+  type: EventType.SECRET_APPROVAL_CLOSED;
+  metadata: {
+    closedBy: string;
+    secretApprovalRequestSlug: string;
+    secretApprovalRequestId: string;
+  };
+}
+
+interface SecretApprovalReopened {
+  type: EventType.SECRET_APPROVAL_REOPENED;
+  metadata: {
+    reopenedBy: string;
+    secretApprovalRequestSlug: string;
+    secretApprovalRequestId: string;
+  };
+}
+
+interface SecretApprovalRequest {
+  type: EventType.SECRET_APPROVAL_REQUEST;
+  metadata: {
+    committedBy: string;
+    secretApprovalRequestSlug: string;
+    secretApprovalRequestId: string;
+  };
+}
+
+export type Event =
+  | GetSecretsEvent
+  | GetSecretEvent
+  | CreateSecretEvent
+  | CreateSecretBatchEvent
+  | UpdateSecretEvent
+  | UpdateSecretBatchEvent
+  | DeleteSecretEvent
+  | DeleteSecretBatchEvent
+  | GetWorkspaceKeyEvent
+  | AuthorizeIntegrationEvent
+  | UnauthorizeIntegrationEvent
+  | CreateIntegrationEvent
+  | DeleteIntegrationEvent
+  | AddTrustedIPEvent
+  | UpdateTrustedIPEvent
+  | DeleteTrustedIPEvent
+  | CreateServiceTokenEvent
+  | DeleteServiceTokenEvent
+  | CreateServiceTokenV3Event
+  | UpdateServiceTokenV3Event
+  | DeleteServiceTokenV3Event
+  | CreateEnvironmentEvent
+  | UpdateEnvironmentEvent
+  | DeleteEnvironmentEvent
+  | AddWorkspaceMemberEvent
+  | AddBatchWorkspaceMemberEvent
+  | RemoveWorkspaceMemberEvent
+  | CreateFolderEvent
+  | UpdateFolderEvent
+  | DeleteFolderEvent
+  | CreateWebhookEvent
+  | UpdateWebhookStatusEvent
+  | DeleteWebhookEvent
+  | GetSecretImportsEvent
+  | CreateSecretImportEvent
+  | UpdateSecretImportEvent
+  | DeleteSecretImportEvent
+  | UpdateUserRole
+  | UpdateUserDeniedPermissions
+  | SecretApprovalMerge
+  | SecretApprovalClosed
+  | SecretApprovalRequest
+  | SecretApprovalReopened;
--- a/backend/src/ee/models/gitAppInstallationSession.ts
+++ b/backend/src/ee/models/gitAppInstallationSession.ts
@ -29,6 +29,4 @@ const gitAppInstallationSession = new Schema<GitAppInstallationSession>({
 });


-const GitAppInstallationSession = model<GitAppInstallationSession>("git_app_installation_session", gitAppInstallationSession);
-
-export default GitAppInstallationSession;
+export const GitAppInstallationSession = model<GitAppInstallationSession>("git_app_installation_session", gitAppInstallationSession);
--- a/backend/src/ee/models/gitAppOrganizationInstallation.ts
+++ b/backend/src/ee/models/gitAppOrganizationInstallation.ts
@ -26,6 +26,4 @@ const gitAppOrganizationInstallation = new Schema<Installation>({
 });


-const GitAppOrganizationInstallation = model<Installation>("git_app_organization_installation", gitAppOrganizationInstallation);
-
-export default GitAppOrganizationInstallation;
+export const GitAppOrganizationInstallation = model<Installation>("git_app_organization_installation", gitAppOrganizationInstallation);
--- a/backend/src/ee/models/gitRisks.ts
+++ b/backend/src/ee/models/gitRisks.ts
@ -5,7 +5,7 @@ export const STATUS_RESOLVED_REVOKED = "RESOLVED_REVOKED";
 export const STATUS_RESOLVED_NOT_REVOKED = "RESOLVED_NOT_REVOKED";
 export const STATUS_UNRESOLVED = "UNRESOLVED";

-export type GitRisks = {
+export type IGitRisks = {
  id: string;
  description: string;
  startLine: string;
@ -42,7 +42,7 @@ export type GitRisks = {
  organization: Schema.Types.ObjectId,
 }

-const gitRisks = new Schema<GitRisks>({
+const gitRisks = new Schema<IGitRisks>({
  id: {
    type: String,
  },
@ -147,6 +147,4 @@ const gitRisks = new Schema<GitRisks>({
  }
 }, { timestamps: true });

-const GitRisks = model<GitRisks>("GitRisks", gitRisks);
-
-export default GitRisks;
+export const GitRisks = model<IGitRisks>("GitRisks", gitRisks);
--- a/backend/src/ee/models/index.ts
+++ b/backend/src/ee/models/index.ts
@ -1,11 +1,12 @@
 export * from "./secretSnapshot";
 export * from "./secretVersion";
 export * from "./folderVersion";
-export * from "./log";
-export * from "./action";
+export * from "./role";
 export * from "./ssoConfig";
 export * from "./trustedIp";
 export * from "./auditLog";
 export * from  "./gitRisks";
 export * from  "./gitAppOrganizationInstallation";
 export * from  "./gitAppInstallationSession";
+export * from "./secretApprovalPolicy";
+export * from "./secretApprovalRequest";
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -1,72 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-import {
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from "../../variables";
-
-export interface ILog {
-    _id: Types.ObjectId;
-    user?: Types.ObjectId;
-    serviceAccount?: Types.ObjectId;
-    serviceTokenData?: Types.ObjectId;
-    workspace?: Types.ObjectId;
-    actionNames: string[];
-    actions: Types.ObjectId[];
-    channel: string;
-    ipAddress?: string;
-}
-
-const logSchema = new Schema<ILog>(
-    {
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceAccount",
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: "ServiceTokenData",
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: "Workspace",
-        },
-        actionNames: {
-            type: [String],
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS,
-            ],
-            required: true,
-        },
-        actions: [{
-            type: Schema.Types.ObjectId,
-            ref: "Action",
-            required: true,
-        }],
-        channel: {
-            type: String,
-            enum: ["web", "cli", "auto", "k8-operator", "other"],
-            required: true,
-        },
-        ipAddress: {
-            type: String,
-        },
-    }, 
-    {
-        timestamps: true,
-    }
-);
-
-export const Log = model<ILog>("Log", logSchema);
--- a/backend/src/ee/models/role.ts
+++ b/backend/src/ee/models/role.ts
@ -50,6 +50,4 @@ const roleSchema = new Schema<IRole>(

 roleSchema.index({ organization: 1, workspace: 1 });

-const Role = model<IRole>("Role", roleSchema);
-
-export default Role;
+export const Role = model<IRole>("Role", roleSchema);
--- a/backend/src/ee/models/secretApprovalPolicy.ts
+++ b/backend/src/ee/models/secretApprovalPolicy.ts
@ -0,0 +1,51 @@
+import { Schema, Types, model } from "mongoose";
+
+export interface ISecretApprovalPolicy {
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  name: string;
+  environment: string;
+  secretPath?: string;
+  approvers: Types.ObjectId[];
+  approvals: number;
+}
+
+const secretApprovalPolicySchema = new Schema<ISecretApprovalPolicy>(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true
+    },
+    approvers: [
+      {
+        // user associated with the personal secret
+        type: Schema.Types.ObjectId,
+        ref: "Membership"
+      }
+    ],
+    name: {
+      type: String
+    },
+    environment: {
+      type: String,
+      required: true
+    },
+    secretPath: {
+      type: String,
+      required: false
+    },
+    approvals: {
+      type: Number,
+      default: 1
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const SecretApprovalPolicy = model<ISecretApprovalPolicy>(
+  "SecretApprovalPolicy",
+  secretApprovalPolicySchema
+);
--- a/backend/src/ee/models/secretApprovalRequest.ts
+++ b/backend/src/ee/models/secretApprovalRequest.ts
@ -0,0 +1,203 @@
+import { Schema, Types, model } from "mongoose";
+import { customAlphabet } from "nanoid";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+
+export enum ApprovalStatus {
+  PENDING = "pending",
+  APPROVED = "approved",
+  REJECTED = "rejected"
+}
+
+export enum CommitType {
+  DELETE = "delete",
+  UPDATE = "update",
+  CREATE = "create"
+}
+
+const SLUG_ALPHABETS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+const nanoId = customAlphabet(SLUG_ALPHABETS, 10);
+
+export interface ISecretApprovalSecChange {
+  _id: Types.ObjectId;
+  version: number;
+  secretBlindIndex?: string;
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  secretCommentIV?: string;
+  secretCommentTag?: string;
+  secretCommentCiphertext?: string;
+  skipMultilineEncoding?: boolean;
+  algorithm?: "aes-256-gcm";
+  keyEncoding?: "utf8" | "base64";
+  tags?: string[];
+}
+
+export type ISecretCommits<T = Types.ObjectId, J = Types.ObjectId> = Array<
+  | {
+      newVersion: ISecretApprovalSecChange;
+      op: CommitType.CREATE;
+    }
+  | {
+      // secret is recorded to get the latest version, we can keep ref to secret for pulling change as it will also get changed
+      //  on merge
+      secretVersion: J;
+      secret: T;
+      newVersion: Partial<Omit<ISecretApprovalSecChange, "_id">> & { _id: Types.ObjectId };
+      op: CommitType.UPDATE;
+    }
+  | {
+      secret: T;
+      secretVersion: J;
+      op: CommitType.DELETE;
+    }
+>;
+export interface ISecretApprovalRequest {
+  _id: Types.ObjectId;
+  committer: Types.ObjectId;
+  slug: string;
+  statusChangeBy: Types.ObjectId;
+  reviewers: {
+    member: Types.ObjectId;
+    status: ApprovalStatus;
+  }[];
+  workspace: Types.ObjectId;
+  environment: string;
+  folderId: string;
+  hasMerged: boolean;
+  status: "open" | "close";
+  policy: Types.ObjectId;
+  commits: ISecretCommits;
+  conflicts: Array<{ secretId: string; op: CommitType }>;
+}
+
+const secretApprovalSecretChangeSchema = new Schema<ISecretApprovalSecChange>({
+  version: {
+    type: Number,
+    default: 1,
+    required: true
+  },
+  secretBlindIndex: {
+    type: String,
+    select: false
+  },
+  secretKeyCiphertext: {
+    type: String,
+    required: true
+  },
+  secretKeyIV: {
+    type: String, // symmetric
+    required: true
+  },
+  secretKeyTag: {
+    type: String, // symmetric
+    required: true
+  },
+  secretValueCiphertext: {
+    type: String,
+    required: true
+  },
+  secretValueIV: {
+    type: String, // symmetric
+    required: true
+  },
+  secretValueTag: {
+    type: String, // symmetric
+    required: true
+  },
+  skipMultilineEncoding: {
+    type: Boolean,
+    required: false
+  },
+  algorithm: {
+    // the encryption algorithm used
+    type: String,
+    enum: [ALGORITHM_AES_256_GCM],
+    required: true,
+    default: ALGORITHM_AES_256_GCM
+  },
+  keyEncoding: {
+    type: String,
+    enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+    required: true,
+    default: ENCODING_SCHEME_UTF8
+  },
+  tags: {
+    ref: "Tag",
+    type: [Schema.Types.ObjectId],
+    default: []
+  }
+});
+
+const secretApprovalRequestSchema = new Schema<ISecretApprovalRequest>(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true
+    },
+    environment: {
+      type: String,
+      required: true
+    },
+    folderId: {
+      type: String,
+      required: true,
+      default: "root"
+    },
+    slug: {
+      type: String,
+      default: () => nanoId()
+    },
+    reviewers: {
+      type: [
+        {
+          member: {
+            // user associated with the personal secret
+            type: Schema.Types.ObjectId,
+            ref: "Membership"
+          },
+          status: { type: String, enum: ApprovalStatus, default: ApprovalStatus.PENDING }
+        }
+      ],
+      default: []
+    },
+    policy: { type: Schema.Types.ObjectId, ref: "SecretApprovalPolicy" },
+    hasMerged: { type: Boolean, default: false },
+    status: { type: String, enum: ["close", "open"], default: "open" },
+    committer: { type: Schema.Types.ObjectId, ref: "Membership" },
+    statusChangeBy: { type: Schema.Types.ObjectId, ref: "Membership" },
+    commits: [
+      {
+        secret: { type: Types.ObjectId, ref: "Secret" },
+        newVersion: secretApprovalSecretChangeSchema,
+        secretVersion: { type: Types.ObjectId, ref: "SecretVersion" },
+        op: { type: String, enum: [CommitType], required: true }
+      }
+    ],
+    conflicts: {
+      type: [
+        {
+          secretId: { type: String, required: true },
+          op: { type: String, enum: [CommitType], required: true }
+        }
+      ],
+      default: []
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const SecretApprovalRequest = model<ISecretApprovalRequest>(
+  "SecretApprovalRequest",
+  secretApprovalRequestSchema
+);
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -4,7 +4,7 @@ import {
  ENCODING_SCHEME_BASE64,
  ENCODING_SCHEME_UTF8,
  SECRET_PERSONAL,
-  SECRET_SHARED,
+  SECRET_SHARED
 } from "../../variables";

 export interface ISecretVersion {
@ -23,6 +23,7 @@ export interface ISecretVersion {
  secretValueCiphertext: string;
  secretValueIV: string;
  secretValueTag: string;
+  skipMultilineEncoding?: boolean;
  algorithm: "aes-256-gcm";
  keyEncoding: "utf8" | "base64";
  createdAt: string;
@ -36,95 +37,96 @@ const secretVersionSchema = new Schema<ISecretVersion>(
      // could be deleted
      type: Schema.Types.ObjectId,
      ref: "Secret",
-      required: true,
+      required: true
    },
    version: {
      type: Number,
      default: 1,
-      required: true,
+      required: true
    },
    workspace: {
      type: Schema.Types.ObjectId,
      ref: "Workspace",
-      required: true,
+      required: true
    },
    type: {
      type: String,
      enum: [SECRET_SHARED, SECRET_PERSONAL],
-      required: true,
+      required: true
    },
    user: {
      // user associated with the personal secret
      type: Schema.Types.ObjectId,
-      ref: "User",
+      ref: "User"
    },
    environment: {
      type: String,
-      required: true,
+      required: true
    },
    isDeleted: {
      // consider removing field
      type: Boolean,
      default: false,
-      required: true,
+      required: true
    },
    secretBlindIndex: {
      type: String,
-      select: false,
+      select: false
    },
    secretKeyCiphertext: {
      type: String,
-      required: true,
+      required: true
    },
    secretKeyIV: {
      type: String, // symmetric
-      required: true,
+      required: true
    },
    secretKeyTag: {
      type: String, // symmetric
-      required: true,
+      required: true
    },
    secretValueCiphertext: {
      type: String,
-      required: true,
+      required: true
    },
    secretValueIV: {
      type: String, // symmetric
-      required: true,
+      required: true
    },
    secretValueTag: {
      type: String, // symmetric
-      required: true,
+      required: true
+    },
+    skipMultilineEncoding: {
+      type: Boolean,
+      required: false
    },
    algorithm: {
      // the encryption algorithm used
      type: String,
      enum: [ALGORITHM_AES_256_GCM],
      required: true,
-      default: ALGORITHM_AES_256_GCM,
+      default: ALGORITHM_AES_256_GCM
    },
    keyEncoding: {
      type: String,
      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
      required: true,
-      default: ENCODING_SCHEME_UTF8,
+      default: ENCODING_SCHEME_UTF8
    },
    folder: {
      type: String,
-      required: true,
+      required: true
    },
    tags: {
      ref: "Tag",
      type: [Schema.Types.ObjectId],
-      default: [],
+      default: []
    }
  },
  {
-    timestamps: true,
+    timestamps: true
  }
 );

-export const SecretVersion = model<ISecretVersion>(
-  "SecretVersion",
-  secretVersionSchema
-);
+export const SecretVersion = model<ISecretVersion>("SecretVersion", secretVersionSchema);
--- a/backend/src/ee/routes/v1/action.ts
+++ b/backend/src/ee/routes/v1/action.ts
@ -1,8 +0,0 @@
-import express from "express";
-const router = express.Router();
-import { actionController } from "../../controllers/v1";
-
-// TODO: put into action controller
-router.get("/:actionId", actionController.getAction);
-
-export default router;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -4,10 +4,13 @@ import organizations from "./organizations";
 import sso from "./sso";
 import users from "./users";
 import workspace from "./workspace";
-import action from "./action";
 import cloudProducts from "./cloudProducts";
 import secretScanning from "./secretScanning";
 import roles from "./role";
+import secretApprovalPolicy from "./secretApprovalPolicy";
+import secretApprovalRequest from "./secretApprovalRequest";
+import secretRotationProvider from "./secretRotationProvider";
+import secretRotation from "./secretRotation";

 export {
  secret,
@ -16,8 +19,11 @@ export {
  sso,
  users,
  workspace,
-  action,
  cloudProducts,
  secretScanning,
-  roles
+  roles,
+  secretApprovalPolicy,
+  secretApprovalRequest,
+  secretRotationProvider,
+  secretRotation
 };
--- a/backend/src/ee/routes/v1/secretApprovalPolicy.ts
+++ b/backend/src/ee/routes/v1/secretApprovalPolicy.ts
@ -0,0 +1,47 @@
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../../middleware";
+import { secretApprovalPolicyController } from "../../controllers/v1";
+import { AuthMode } from "../../../variables";
+
+router.get(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalPolicyController.getSecretApprovalPolicy
+);
+
+router.get(
+  "/board",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalPolicyController.getSecretApprovalPolicyOfBoard
+);
+
+router.post(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalPolicyController.createSecretApprovalPolicy
+);
+
+router.patch(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalPolicyController.updateSecretApprovalPolicy
+);
+
+router.delete(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalPolicyController.deleteSecretApprovalPolicy
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretApprovalRequest.ts
+++ b/backend/src/ee/routes/v1/secretApprovalRequest.ts
@ -0,0 +1,55 @@
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../../middleware";
+import { secretApprovalRequestController } from "../../controllers/v1";
+import { AuthMode } from "../../../variables";
+
+router.get(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalRequestController.getSecretApprovalRequests
+);
+
+router.get(
+  "/count",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalRequestController.getSecretApprovalRequestCount
+);
+
+router.get(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalRequestController.getSecretApprovalRequestDetails
+);
+
+router.post(
+  "/:id/merge",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalRequestController.mergeSecretApprovalRequest
+);
+
+router.post(
+  "/:id/review",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalRequestController.updateSecretApprovalReviewStatus
+);
+
+router.post(
+  "/:id/status",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretApprovalRequestController.updateSecretApprovalRequestStatus
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretRotation.ts
+++ b/backend/src/ee/routes/v1/secretRotation.ts
@ -0,0 +1,41 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.post(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.createSecretRotation
+);
+
+router.post(
+  "/restart",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.restartSecretRotations
+);
+
+router.get(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.getSecretRotations
+);
+
+router.delete(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.deleteSecretRotations
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretRotationProvider.ts
+++ b/backend/src/ee/routes/v1/secretRotationProvider.ts
@ -0,0 +1,17 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationProviderController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.get(
+  "/:workspaceId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationProviderController.getProviderTemplates
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/sso.ts
+++ b/backend/src/ee/routes/v1/sso.ts
@ -6,58 +6,23 @@ import { ssoController } from "../../controllers/v1";
 import { authLimiter } from "../../../helpers/rateLimiter";
 import { AuthMode } from "../../../variables";

-router.get("/redirect/google", authLimiter, (req, res, next) => {
-  passport.authenticate("google", {
-    scope: ["profile", "email"],
-    session: false,
-    ...(req.query.callback_port
-      ? {
-          state: req.query.callback_port as string
-        }
-      : {})
-  })(req, res, next);
-});
-
 router.get(
-  "/google",
-  passport.authenticate("google", {
-    failureRedirect: "/login/provider/error",
-    session: false
-  }),
-  ssoController.redirectSSO
-);
-
-router.get("/redirect/github", authLimiter, (req, res, next) => {
-  passport.authenticate("github", {
-    session: false,
-    ...(req.query.callback_port
-      ? {
-          state: req.query.callback_port as string
-        }
-      : {})
-  })(req, res, next);
-});
-
-router.get(
-  "/github",
+  "/redirect/saml2/:ssoIdentifier",
  authLimiter,
-  passport.authenticate("github", {
-    failureRedirect: "/login/provider/error",
-    session: false
-  }),
-  ssoController.redirectSSO
+  (req, res, next) => {
+    const options = {
+        failureRedirect: "/",
+        additionalParams: {
+          RelayState: JSON.stringify({
+            spInitiated: true,
+            callbackPort: req.query.callback_port ?? ""
+          })
+        },
+    };
+    passport.authenticate("saml", options)(req, res, next);
+  }
 );

-router.get("/redirect/saml2/:ssoIdentifier", authLimiter, (req, res, next) => {
-  const options = {
-    failureRedirect: "/",
-    additionalParams: {
-      RelayState: req.query.callback_port ?? ""
-    }
-  };
-  passport.authenticate("saml", options)(req, res, next);
-});
-
 router.post(
  "/saml2/:ssoIdentifier",
  passport.authenticate("saml", {
--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -28,14 +28,6 @@ router.post(
  workspaceController.rollbackWorkspaceSecretSnapshot
 );

-router.get(
-  "/:workspaceId/logs",
-  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
-  }),
-  workspaceController.getWorkspaceLogs
-);
-
 router.get(
  "/:workspaceId/audit-logs",
  requireAuth({
--- a/backend/src/ee/routes/v3/apiKeyData.ts
+++ b/backend/src/ee/routes/v3/apiKeyData.ts
@ -0,0 +1,31 @@
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../../middleware";
+import { AuthMode } from "../../../variables";
+import { apiKeyDataController } from "../../controllers/v3";
+
+router.post(
+    "/",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT]
+    }),
+    apiKeyDataController.createAPIKeyData
+);
+
+router.patch(
+    "/:apiKeyDataId",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT]
+    }),
+    apiKeyDataController.updateAPIKeyData
+);
+
+router.delete(
+    "/:apiKeyDataId",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT]
+    }),
+    apiKeyDataController.deleteAPIKeyData
+);
+
+export default router;
--- a/backend/src/ee/routes/v3/index.ts
+++ b/backend/src/ee/routes/v3/index.ts
@ -0,0 +1,7 @@
+import serviceTokenData from "./serviceTokenData";
+import apiKeyData from "./apiKeyData";
+
+export {
+    serviceTokenData,
+    apiKeyData
+}
--- a/backend/src/ee/routes/v3/serviceTokenData.ts
+++ b/backend/src/ee/routes/v3/serviceTokenData.ts
@ -0,0 +1,44 @@
+import express from "express";
+const router = express.Router();
+import { requireAuth } from "../../../middleware";
+import { AuthMode } from "../../../variables";
+import { serviceTokenDataController } from "../../controllers/v3";
+
+router.get(
+  "/me/key",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.SERVICE_ACCESS_TOKEN]
+  }),
+  serviceTokenDataController.getServiceTokenDataKey
+);
+
+router.post(
+  "/me/token",
+  serviceTokenDataController.refreshToken
+);
+
+router.post(
+    "/",
+    requireAuth({
+      acceptedAuthModes: [AuthMode.JWT]
+    }),
+    serviceTokenDataController.createServiceTokenData
+);
+
+router.patch(
+    "/:serviceTokenDataId",
+    requireAuth({
+      acceptedAuthModes: [AuthMode.JWT]
+    }),
+    serviceTokenDataController.updateServiceTokenData
+);
+
+router.delete(
+  "/:serviceTokenDataId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  serviceTokenDataController.deleteServiceTokenData
+);
+
+export default router;
--- a/backend/src/ee/secretRotation/db.ts
+++ b/backend/src/ee/secretRotation/db.ts
--- a/backend/src/ee/secretRotation/models.ts
+++ b/backend/src/ee/secretRotation/models.ts
@ -0,0 +1,91 @@
+import { Schema, model } from "mongoose";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { ISecretRotation } from "./types";
+
+const secretRotationSchema = new Schema(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace"
+    },
+    provider: {
+      type: String,
+      required: true
+    },
+    customProvider: {
+      type: Schema.Types.ObjectId,
+      ref: "SecretRotationProvider"
+    },
+    environment: {
+      type: String,
+      required: true
+    },
+    secretPath: {
+      type: String,
+      required: true
+    },
+    interval: {
+      type: Number,
+      required: true
+    },
+    lastRotatedAt: {
+      type: String
+    },
+    status: {
+      type: String,
+      enum: ["success", "failed"]
+    },
+    statusMessage: {
+      type: String
+    },
+    // encrypted data on input keys and secrets got
+    encryptedData: {
+      type: String,
+      select: false
+    },
+    encryptedDataIV: {
+      type: String,
+      select: false
+    },
+    encryptedDataTag: {
+      type: String,
+      select: false
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      select: false,
+      default: ALGORITHM_AES_256_GCM
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      select: false,
+      default: ENCODING_SCHEME_UTF8
+    },
+    outputs: [
+      {
+        key: {
+          type: String,
+          required: true
+        },
+        secret: {
+          type: Schema.Types.ObjectId,
+          ref: "Secret"
+        }
+      }
+    ]
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const SecretRotation = model<ISecretRotation>("SecretRotation", secretRotationSchema);
--- a/backend/src/ee/secretRotation/queue/queue.ts
+++ b/backend/src/ee/secretRotation/queue/queue.ts
@ -0,0 +1,288 @@
+import Queue, { Job } from "bull";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../../config";
+import { BotService, EventService, TelemetryService } from "../../../services";
+import { SecretRotation } from "../models";
+import { rotationTemplates } from "../templates";
+import {
+  ISecretRotationData,
+  ISecretRotationEncData,
+  ISecretRotationProviderTemplate,
+  TProviderFunctionTypes
+} from "../types";
+import {
+  decryptSymmetric128BitHexKeyUTF8,
+  encryptSymmetric128BitHexKeyUTF8
+} from "../../../utils/crypto";
+import { ISecret, Secret } from "../../../models";
+import { ENCODING_SCHEME_BASE64, ENCODING_SCHEME_UTF8, SECRET_SHARED } from "../../../variables";
+import { EESecretService } from "../../services";
+import { SecretVersion } from "../../models";
+import { eventPushSecrets } from "../../../events";
+import { logger } from "../../../utils/logging";
+
+import {
+  secretRotationPreSetFn,
+  secretRotationRemoveFn,
+  secretRotationSetFn,
+  secretRotationTestFn
+} from "./queue.utils";
+
+const secretRotationQueue = new Queue("secret-rotation-service", process.env.REDIS_URL as string);
+
+secretRotationQueue.process(async (job: Job) => {
+  logger.info(`secretRotationQueue.process: [rotationDocument=${job.data.rotationDocId}]`);
+  const rotationStratDocId = job.data.rotationDocId;
+  const secretRotation = await SecretRotation.findById(rotationStratDocId)
+    .select("+encryptedData +encryptedDataTag +encryptedDataIV +keyEncoding")
+    .populate<{
+      outputs: [
+        {
+          key: string;
+          secret: ISecret;
+        }
+      ];
+    }>("outputs.secret");
+
+  const infisicalRotationProvider = rotationTemplates.find(
+    ({ name }) => name === secretRotation?.provider
+  );
+
+  try {
+    if (!infisicalRotationProvider || !secretRotation)
+      throw new Error("Failed to find rotation strategy");
+
+    if (secretRotation.outputs.some(({ secret }) => !secret))
+      throw new Error("Secrets not found in dashboard");
+
+    const workspaceId = secretRotation.workspace;
+
+    // deep copy
+    const provider = JSON.parse(
+      JSON.stringify(infisicalRotationProvider)
+    ) as ISecretRotationProviderTemplate;
+
+    // decrypt user  provided inputs for secret rotation
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+    let decryptedData = "";
+    if (rootEncryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_BASE64) {
+      // case: encoding scheme is base64
+      decryptedData = client.decryptSymmetric(
+        secretRotation.encryptedData,
+        rootEncryptionKey,
+        secretRotation.encryptedDataIV,
+        secretRotation.encryptedDataTag
+      );
+    } else if (encryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_UTF8) {
+      // case: encoding scheme is utf8
+      decryptedData = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secretRotation.encryptedData,
+        iv: secretRotation.encryptedDataIV,
+        tag: secretRotation.encryptedDataTag,
+        key: encryptionKey
+      });
+    }
+
+    const variables = JSON.parse(decryptedData) as ISecretRotationEncData;
+
+    // rotation set cycle
+    const newCredential: ISecretRotationData = {
+      inputs: variables.inputs,
+      outputs: {},
+      internal: {}
+    };
+    // special glue code for database
+    if (provider.template.functions.set.type === TProviderFunctionTypes.DB) {
+      const lastCred = variables.creds.at(-1);
+      if (lastCred && variables.creds.length === 1) {
+        newCredential.internal.username =
+          lastCred.internal.username === variables.inputs.username1
+            ? variables.inputs.username2
+            : variables.inputs.username1;
+      } else {
+        newCredential.internal.username = lastCred
+          ? lastCred.internal.username
+          : variables.inputs.username1;
+      }
+    }
+    if (provider.template.functions.set?.pre) {
+      secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
+    }
+    await secretRotationSetFn(provider.template.functions.set, newCredential);
+    await secretRotationTestFn(provider.template.functions.test, newCredential);
+
+    if (variables.creds.length === 2) {
+      const deleteCycleCred = variables.creds.pop();
+      if (deleteCycleCred && provider.template.functions.remove) {
+        const deleteCycleVar = { inputs: variables.inputs, ...deleteCycleCred };
+        await secretRotationRemoveFn(provider.template.functions.remove, deleteCycleVar);
+      }
+    }
+    variables.creds.unshift({ outputs: newCredential.outputs, internal: newCredential.internal });
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(variables),
+      rootEncryptionKey
+    );
+
+    // save the rotation state
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      encryptedData: ciphertext,
+      encryptedDataIV: iv,
+      encryptedDataTag: tag,
+      status: "success",
+      statusMessage: "Rotated successfully",
+      lastRotatedAt: new Date().toUTCString()
+    });
+
+    const key = await BotService.getWorkspaceKeyWithBot({
+      workspaceId: secretRotation.workspace
+    });
+
+    const encryptedSecrets = secretRotation.outputs.map(({ key: outputKey, secret }) => ({
+      secret,
+      value: encryptSymmetric128BitHexKeyUTF8({
+        plaintext:
+          typeof newCredential.outputs[outputKey] === "object"
+            ? JSON.stringify(newCredential.outputs[outputKey])
+            : String(newCredential.outputs[outputKey]),
+        key
+      })
+    }));
+
+    // now save the secret do a bulk update
+    // can't use the updateSecret function due to various parameter required issue
+    // REFACTOR(akhilmhdh): secret module should be lot more flexible. Ability to update bulk or individually by blindIndex, by id etc
+    await Secret.bulkWrite(
+      encryptedSecrets.map(({ secret, value }) => ({
+        updateOne: {
+          filter: {
+            workspace: workspaceId,
+            environment: secretRotation.environment,
+            _id: secret._id,
+            type: SECRET_SHARED
+          },
+          update: {
+            $inc: {
+              version: 1
+            },
+            secretValueCiphertext: value.ciphertext,
+            secretValueIV: value.iv,
+            secretValueTag: value.tag
+          }
+        }
+      }))
+    );
+
+    await EESecretService.addSecretVersions({
+      secretVersions: encryptedSecrets.map(({ secret, value }) => {
+        const {
+          _id,
+          version,
+          workspace,
+          type,
+          folder,
+          secretBlindIndex,
+          secretKeyIV,
+          secretKeyTag,
+          secretKeyCiphertext,
+          skipMultilineEncoding,
+          environment,
+          algorithm,
+          keyEncoding
+        } = secret;
+
+        return new SecretVersion({
+          secret: _id,
+          version: version + 1,
+          workspace: workspace,
+          type,
+          folder,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: secretBlindIndex,
+          secretKeyCiphertext: secretKeyCiphertext,
+          secretKeyIV: secretKeyIV,
+          secretKeyTag: secretKeyTag,
+          secretValueCiphertext: value.ciphertext,
+          secretValueIV: value.iv,
+          secretValueTag: value.tag,
+          algorithm,
+          keyEncoding,
+          skipMultilineEncoding
+        });
+      })
+    });
+
+    // akhilmhdh: @tony need to do something about this as its depend on authData which is not possibile in here
+    // await EEAuditLogService.createAuditLog(
+    //   {actor:ActorType.Machine},
+    //   {
+    //     type: EventType.UPDATE_SECRETS,
+    //     metadata: {
+    //       environment,
+    //       secretPath,
+    //       secrets: secretsToBeUpdated.map(({ _id, version, secretBlindIndex }) => ({
+    //         secretId: _id.toString(),
+    //         secretKey: secretBlindIndexToKey[secretBlindIndex || ""],
+    //         secretVersion: version + 1
+    //       }))
+    //     }
+    //   },
+    //   {
+    //     workspaceId
+    //   }
+    // );
+
+    const folderId = encryptedSecrets?.[0]?.secret?.folder;
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment: secretRotation.environment,
+      folderId
+    });
+
+    await EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: secretRotation.workspace,
+        environment: secretRotation.environment,
+        secretPath: secretRotation.secretPath
+      })
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+    if (postHogClient) {
+      postHogClient.capture({
+        event: "secrets rotated",
+        properties: {
+          numberOfSecrets: encryptedSecrets.length,
+          environment: secretRotation.environment,
+          workspaceId,
+          folderId
+        }
+      });
+    }
+  } catch (err) {
+    logger.error(err);
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      status: "failed",
+      statusMessage: (err as Error).message,
+      lastRotatedAt: new Date().toUTCString()
+    });
+  }
+
+  return Promise.resolve();
+});
+
+const daysToMillisecond = (days: number) => days * 24 * 60 * 60 * 1000;
+export const startSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  // when migration to bull mq just use the option immedite to trigger repeatable immediately
+  secretRotationQueue.add({ rotationDocId }, { jobId: rotationDocId, removeOnComplete: true });
+  return secretRotationQueue.add(
+    { rotationDocId },
+    { repeat: { every: daysToMillisecond(interval) }, jobId: rotationDocId }
+  );
+};
+
+export const removeSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  return secretRotationQueue.removeRepeatable({ every: interval * 1000, jobId: rotationDocId });
+};
--- a/backend/src/ee/secretRotation/queue/queue.utils.ts
+++ b/backend/src/ee/secretRotation/queue/queue.utils.ts
@ -0,0 +1,179 @@
+import axios from "axios";
+import jmespath from "jmespath";
+import { customAlphabet } from "nanoid";
+import { Client as PgClient } from "pg";
+import mysql from "mysql2";
+import {
+  ISecretRotationData,
+  TAssignOp,
+  TDbProviderClients,
+  TDbProviderFunction,
+  TDirectAssignOp,
+  THttpProviderFunction,
+  TProviderFunction,
+  TProviderFunctionTypes
+} from "../types";
+const REGEX = /\${([^}]+)}/g;
+const SLUG_ALPHABETS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+const nanoId = customAlphabet(SLUG_ALPHABETS, 10);
+
+export const interpolate = (data: any, getValue: (key: string) => unknown) => {
+  if (!data) return;
+
+  if (typeof data === "number") return data;
+
+  if (typeof data === "string") {
+    return data.replace(REGEX, (_a, b) => getValue(b) as string);
+  }
+
+  if (typeof data === "object" && Array.isArray(data)) {
+    data.forEach((el, index) => {
+      data[index] = interpolate(el, getValue);
+    });
+  }
+
+  if (typeof data === "object") {
+    if ((data as { ref: string })?.ref) return getValue((data as { ref: string }).ref);
+    const temp = data as Record<string, unknown>; // for converting ts object to record type
+    Object.keys(temp).forEach((key) => {
+      temp[key as keyof typeof temp] = interpolate(data[key as keyof typeof temp], getValue);
+    });
+  }
+  return data;
+};
+
+const getInterpolationValue = (variables: ISecretRotationData) => (key: string) => {
+  if (key.includes("|")) {
+    const [keyword, ...arg] = key.split("|").map((el) => el.trim());
+    switch (keyword) {
+      case "random": {
+        return nanoId(parseInt(arg[0], 10));
+      }
+      default: {
+        throw Error(`Interpolation key not found - ${key}`);
+      }
+    }
+  }
+  const [type, keyName] = key.split(".").map((el) => el.trim());
+  return variables[type as keyof ISecretRotationData][keyName];
+};
+
+export const secretRotationHttpFn = async (
+  func: THttpProviderFunction,
+  variables: ISecretRotationData
+) => {
+  // string interpolation
+  const headers = interpolate(func.header, getInterpolationValue(variables));
+  const url = interpolate(func.url, getInterpolationValue(variables));
+  const body = interpolate(func.body, getInterpolationValue(variables));
+  // axios will automatically throw error if req status is not between 2xx range
+  return axios({ method: func.method, url, headers, data: body });
+};
+
+export const secretRotationDbFn = async (
+  func: TDbProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const { type, client, pre, ...dbConnection } = func;
+  const { username, password, host, database, port, query, ca } = interpolate(
+    dbConnection,
+    getInterpolationValue(variables)
+  );
+  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
+  if (host === "localhost" || host === "127.0.0.1") throw new Error("Invalid db host");
+  if (client === TDbProviderClients.Pg) {
+    const pgClient = new PgClient({ user: username, password, host, database, port, ssl });
+    await pgClient.connect();
+    const res = await pgClient.query(query);
+    await pgClient.end();
+    return res.rows[0];
+  } else if (client === TDbProviderClients.Sql) {
+    const sqlClient = mysql.createPool({
+      user: username,
+      password,
+      host,
+      database,
+      port,
+      connectionLimit: 1,
+      ssl
+    });
+    const res = await new Promise((resolve, reject) => {
+      sqlClient.query(query, (err, data) => {
+        if (err) return reject(err);
+        resolve(data);
+      });
+    });
+    await new Promise((resolve, reject) => {
+      sqlClient.end(function (err) {
+        if (err) return reject(err);
+        return resolve({});
+      });
+    });
+    return (res as any)?.[0];
+  }
+};
+
+export const secretRotationPreSetFn = (
+  op: Record<string, TDirectAssignOp>,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  Object.entries(op || {}).forEach(([key, assignFn]) => {
+    const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+    variables[type][keyName] = interpolate(assignFn.value, getValFn);
+  });
+};
+
+export const secretRotationSetFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  // http setter
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    const res = await secretRotationHttpFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        variables[type][keyName] = jmespath.search(res.data, assignFn.path);
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+    // db setter
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    const data = await secretRotationDbFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        if (typeof data === "object") {
+          variables[type][keyName] = jmespath.search(data, assignFn.path);
+        }
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+  }
+};
+
+export const secretRotationTestFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    await secretRotationHttpFn(func, variables);
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    await secretRotationDbFn(func, variables);
+  }
+};
+
+export const secretRotationRemoveFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (!func) return;
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    // string interpolation
+    return await secretRotationHttpFn(func, variables);
+  }
+};
--- a/backend/src/ee/secretRotation/service.ts
+++ b/backend/src/ee/secretRotation/service.ts
@ -0,0 +1,130 @@
+import { ISecretRotationEncData, TCreateSecretRotation, TGetProviderTemplates } from "./types";
+import { rotationTemplates } from "./templates";
+import { SecretRotation } from "./models";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Ajv from "ajv";
+import { removeSecretRotationQueue, startSecretRotationQueue } from "./queue/queue";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+
+const ajv = new Ajv({ strict: false });
+
+export const getProviderTemplate = async ({ workspaceId }: TGetProviderTemplates) => {
+  return {
+    custom: [],
+    providers: rotationTemplates
+  };
+};
+
+export const createSecretRotation = async ({
+  workspaceId,
+  secretPath,
+  environment,
+  provider,
+  interval,
+  inputs,
+  outputs
+}: TCreateSecretRotation) => {
+  const rotationTemplate = rotationTemplates.find(({ name }) => name === provider);
+  if (!rotationTemplate) throw BadRequestError({ message: "Provider not found" });
+
+  const formattedInputs: Record<string, unknown> = {};
+  Object.entries(inputs).forEach(([key, value]) => {
+    const type = rotationTemplate.template.inputs.properties[key].type;
+    if (type === "string") {
+      formattedInputs[key] = value;
+      return;
+    }
+    if (type === "integer") {
+      formattedInputs[key] = parseInt(value as string, 10);
+      return;
+    }
+    formattedInputs[key] = JSON.parse(value as string);
+  });
+  // ensure input one follows the correct schema
+  const valid = ajv.validate(rotationTemplate.template.inputs, formattedInputs);
+  if (!valid) {
+    throw BadRequestError({ message: ajv.errors?.[0].message });
+  }
+
+  const encData: Partial<ISecretRotationEncData> = {
+    inputs: formattedInputs,
+    creds: []
+  };
+
+  const secretRotation = new SecretRotation({
+    workspace: workspaceId,
+    provider,
+    environment,
+    secretPath,
+    interval,
+    outputs: Object.entries(outputs).map(([key, secret]) => ({ key, secret }))
+  });
+
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  if (rootEncryptionKey) {
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(encData),
+      rootEncryptionKey
+    );
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_BASE64;
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: JSON.stringify(encData),
+      key: encryptionKey
+    });
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_UTF8;
+  }
+
+  await secretRotation.save();
+  await startSecretRotationQueue(secretRotation._id.toString(), interval);
+
+  return secretRotation;
+};
+
+export const deleteSecretRotation = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findByIdAndRemove(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(doc._id.toString(), doc.interval);
+  return doc;
+};
+
+export const restartSecretRotation = async ({ id }: { id: string }) => {
+  const secretRotation = await SecretRotation.findById(id);
+  if (!secretRotation) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+  await startSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+
+  return secretRotation;
+};
+
+export const getSecretRotationById = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findById(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+  return doc;
+};
+
+export const getSecretRotationOfWorkspace = async (workspaceId: string) => {
+  const secretRotations = await SecretRotation.find({
+    workspace: workspaceId
+  }).populate("outputs.secret");
+
+  return secretRotations;
+};
--- a/backend/src/ee/secretRotation/templates/index.ts
+++ b/backend/src/ee/secretRotation/templates/index.ts
@ -0,0 +1,28 @@
+import { ISecretRotationProviderTemplate } from "../types";
+import { MYSQL_TEMPLATE } from "./mysql";
+import { POSTGRES_TEMPLATE } from "./postgres";
+import { SENDGRID_TEMPLATE } from "./sendgrid";
+
+export const rotationTemplates: ISecretRotationProviderTemplate[] = [
+  {
+    name: "sendgrid",
+    title: "Twilio Sendgrid",
+    image: "sendgrid.png",
+    description: "Rotate Twilio Sendgrid API keys",
+    template: SENDGRID_TEMPLATE
+  },
+  {
+    name: "postgres",
+    title: "PostgreSQL",
+    image: "postgres.png",
+    description: "Rotate PostgreSQL/CockroachDB user credentials",
+    template: POSTGRES_TEMPLATE
+  },
+  {
+    name: "mysql",
+    title: "MySQL",
+    image: "mysql.png",
+    description: "Rotate MySQL@7/MariaDB user credentials",
+    template: MYSQL_TEMPLATE
+  }
+];
--- a/backend/src/ee/secretRotation/templates/mysql.ts
+++ b/backend/src/ee/secretRotation/templates/mysql.ts
@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const MYSQL_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "3306" },
+      username1: {
+        type: "string",
+        default: "infisical-sql-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-sql-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} IDENTIFIED BY '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};
--- a/backend/src/ee/secretRotation/templates/postgres.ts
+++ b/backend/src/ee/secretRotation/templates/postgres.ts
@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const POSTGRES_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "5432" },
+      username1: {
+        type: "string",
+        default: "infisical-pg-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-pg-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} WITH PASSWORD '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};
--- a/backend/src/ee/secretRotation/templates/sendgrid.ts
+++ b/backend/src/ee/secretRotation/templates/sendgrid.ts
@ -0,0 +1,63 @@
+import { TAssignOp, TProviderFunctionTypes } from "../types";
+
+export const SENDGRID_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_api_key: { type: "string" as const, desc: "Sendgrid admin api key to create new keys" },
+      api_key_scopes: {
+        type: "array",
+        items: { type: "string" as const },
+        desc: "Scopes for created tokens by rotation(Array)"
+      }
+    },
+    required: ["admin_api_key", "api_key_scopes"],
+    additionalProperties: false
+  },
+  outputs: {
+    api_key: { type: "string" }
+  },
+  internal: {
+    api_key_id: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys",
+      method: "POST",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      body: {
+        name: "infisical-${random | 16}",
+        scopes: { ref: "inputs.api_key_scopes" }
+      },
+      setter: {
+        "outputs.api_key": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key"
+        },
+        "internal.api_key_id": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key_id"
+        }
+      }
+    },
+    remove: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "DELETE"
+    },
+    test: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "GET"
+    }
+  }
+};
--- a/backend/src/ee/secretRotation/types.ts
+++ b/backend/src/ee/secretRotation/types.ts
@ -0,0 +1,131 @@
+import { Document, Types } from "mongoose";
+
+export interface ISecretRotation extends Document {
+  _id: Types.ObjectId;
+  name: string;
+  interval: number;
+  provider: string;
+  customProvider: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  secretPath: string;
+  outputs: Array<{
+    key: string;
+    secret: Types.ObjectId;
+  }>;
+  status?: "success" | "failed";
+  lastRotatedAt?: string;
+  statusMessage?: string;
+  encryptedData: string;
+  encryptedDataIV: string;
+  encryptedDataTag: string;
+  algorithm: string;
+  keyEncoding: string;
+}
+
+export type ISecretRotationEncData = {
+  inputs: Record<string, unknown>;
+  creds: Array<{
+    outputs: Record<string, unknown>;
+    internal: Record<string, unknown>;
+  }>;
+};
+
+export type ISecretRotationData = {
+  inputs: Record<string, unknown>;
+  outputs: Record<string, unknown>;
+  internal: Record<string, unknown>;
+};
+
+export type ISecretRotationProviderTemplate = {
+  name: string;
+  title: string;
+  image?: string;
+  description?: string;
+  template: TProviderTemplate;
+};
+
+export enum TProviderFunctionTypes {
+  HTTP = "http",
+  DB = "database"
+}
+
+export enum TDbProviderClients {
+  // postgres, cockroack db, amazon red shift
+  Pg = "pg",
+  // mysql and maria db
+  Sql = "sql"
+}
+
+export enum TAssignOp {
+  Direct = "direct",
+  JmesPath = "jmesopath"
+}
+
+export type TJmesPathAssignOp = {
+  assign: TAssignOp.JmesPath;
+  path: string;
+};
+
+export type TDirectAssignOp = {
+  assign: TAssignOp.Direct;
+  value: string;
+};
+
+export type TAssignFunction = TJmesPathAssignOp | TDirectAssignOp;
+
+export type THttpProviderFunction = {
+  type: TProviderFunctionTypes.HTTP;
+  url: string;
+  method: string;
+  header?: Record<string, string>;
+  query?: Record<string, string>;
+  body?: Record<string, unknown>;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TDbProviderFunction = {
+  type: TProviderFunctionTypes.DB;
+  client: TDbProviderClients;
+  username: string;
+  password: string;
+  host: string;
+  database: string;
+  port: string;
+  query: string;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TProviderFunction = THttpProviderFunction | TDbProviderFunction;
+
+export type TProviderTemplate = {
+  inputs: {
+    type: "object";
+    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
+    required?: string[];
+  };
+  outputs: Record<string, unknown>;
+  functions: {
+    set: TProviderFunction;
+    remove?: TProviderFunction;
+    test: TProviderFunction;
+  };
+};
+
+// function type args
+export type TGetProviderTemplates = {
+  workspaceId: string;
+};
+
+export type TCreateSecretRotation = {
+  provider: string;
+  customProvider?: string;
+  workspaceId: string;
+  secretPath: string;
+  environment: string;
+  interval: number;
+  inputs: Record<string, unknown>;
+  outputs: Record<string, string>;
+};
--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -1,12 +1,12 @@
 import { Types } from "mongoose";
 import * as Sentry from "@sentry/node";
 import NodeCache from "node-cache";
-import { 
+import {
    getLicenseKey,
    getLicenseServerKey,
    getLicenseServerUrl,
 } from "../../config";
-import { 
+import {
    licenseKeyRequest,
    licenseServerKeyRequest,
    refreshLicenseKeyToken,
@ -37,6 +37,8 @@ interface FeatureSet {
    status: "incomplete" | "incomplete_expired" | "trialing" | "active" | "past_due" | "canceled" | "unpaid" | null;
    trial_end: number | null;
    has_used_trial: boolean;
+    secretApproval: boolean;
+    secretRotation: boolean;
 }

 /**
@ -46,7 +48,7 @@ interface FeatureSet {
 * - Self-hosted enterprise: Fetch and update global feature set
 */
 class EELicenseService {
-    
+
    private readonly _isLicenseValid: boolean; // TODO: deprecate

    public instanceType: "self-hosted" | "enterprise-self-hosted" | "cloud" = "self-hosted";
@ -64,7 +66,7 @@ class EELicenseService {
        secretVersioning: true,
        pitRecovery: false,
        ipAllowlisting: false,
-        rbac: true,
+        rbac: false,
        customRateLimits: false,
        customAlerts: false,
        auditLogs: false,
@ -72,18 +74,20 @@ class EELicenseService {
        samlSSO: false,
        status: null,
        trial_end: null,
-        has_used_trial: true
+        has_used_trial: true,
+        secretApproval: false,
+        secretRotation: true,
    }

    public localFeatureSet: NodeCache;
-    
+
    constructor() {
        this._isLicenseValid = true;
        this.localFeatureSet = new NodeCache({
            stdTTL: 60,
        });
    }
-    
+
    public async getPlan(organizationId: Types.ObjectId, workspaceId?: Types.ObjectId): Promise<FeatureSet> {
        try {
            if (this.instanceType === "cloud") {
@ -96,7 +100,7 @@ class EELicenseService {
                if (!organization) throw OrganizationNotFoundError();

                let url = `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`;
-                
+
                if (workspaceId) {
                    url += `?workspaceId=${workspaceId}`;
                }
@ -114,14 +118,14 @@ class EELicenseService {

        return this.globalFeatureSet;
    }
-    
+
    public async refreshPlan(organizationId: Types.ObjectId, workspaceId?: Types.ObjectId) {
        if (this.instanceType === "cloud") {
            this.localFeatureSet.del(`${organizationId.toString()}-${workspaceId?.toString() ?? ""}`);
            await this.getPlan(organizationId, workspaceId);
        }
    }
-    
+
    public async delPlan(organizationId: Types.ObjectId) {
        if (this.instanceType === "cloud") {
            this.localFeatureSet.del(`${organizationId.toString()}-`);
@ -136,23 +140,23 @@ class EELicenseService {
            if (licenseServerKey) {
                // license server key is present -> validate it
                const token = await refreshLicenseServerKeyToken()
-                    
+
                if (token) {
                    this.instanceType = "cloud";
                }
-                
+
                return;
            }
-            
+
            if (licenseKey) {
                // license key is present -> validate it
                const token = await refreshLicenseKeyToken();
-                    
+
                if (token) {
                    const { data: { currentPlan } } = await licenseKeyRequest.get(
                        `${await getLicenseServerUrl()}/api/license/v1/plan`
                    );
-                    
+
                    this.globalFeatureSet = currentPlan;
                    this.instanceType = "enterprise-self-hosted";
                }
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -1,91 +0,0 @@
-import { Types } from "mongoose";
-import { 
-    IAction,
-} from "../models";
-import {
-    createLogHelper,
-} from "../helpers/log";
-import {
-    createActionHelper,
-} from "../helpers/action";
-import EELicenseService from "./EELicenseService";
-
-/**
- * Class to handle Enterprise Edition log actions
- */
-class EELogService {
-    /**
-     * Create an (audit) log
-     * @param {Object} obj
-     * @param {String} obj.userId - id of user associated with the log
-     * @param {String} obj.workspaceId - id of workspace associated with the log
-     * @param {Action} obj.actions - actions to include in log
-     * @param {String} obj.channel - channel (web/cli/auto) associated with the log
-     * @param {String} obj.ipAddress - ip address associated with the log
-     * @returns {Log} log - new audit log
-     */
-    static async createLog({
-        userId,
-        serviceAccountId,
-        serviceTokenDataId,
-        workspaceId,
-        actions,
-        channel,
-        ipAddress,
-    }: {
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        actions: IAction[];
-        channel: string;
-        ipAddress: string;
-    }) {
-        if (!EELicenseService.isLicenseValid) return null;
-        return await createLogHelper({
-            userId,
-            serviceAccountId,
-            serviceTokenDataId,
-            workspaceId,
-            actions,
-            channel,
-            ipAddress,
-        })
-    }
-    
-    /**
-     * Create an (audit) action
-     * @param {Object} obj
-     * @param {String} obj.name - name of action
-     * @param {Types.ObjectId} obj.userId - id of user associated with the action
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
-     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
-     * @returns {Action} action - new action
-     */
-    static async createAction({
-        name,
-        userId,
-        serviceAccountId,
-        serviceTokenDataId,
-        workspaceId,
-        secretIds,
-    }: {
-        name: string;
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        secretIds?: Types.ObjectId[];
-    }) {
-        return await createActionHelper({
-            name,
-            userId,
-            serviceAccountId,
-            serviceTokenDataId,
-            workspaceId,
-            secretIds,
-        });
-    }
-}
-
-export default EELogService;
--- a/backend/src/ee/services/GithubSecretScanning/GithubSecretScanningService.ts
+++ b/backend/src/ee/services/GithubSecretScanning/GithubSecretScanningService.ts
@ -1,6 +1,8 @@
 import { Probot } from "probot";
-import GitRisks from "../../models/gitRisks";
-import GitAppOrganizationInstallation from "../../models/gitAppOrganizationInstallation";
+import {
+  GitAppOrganizationInstallation,
+  GitRisks 
+} from "../../models";
 import { scanGithubPushEventForSecretLeaks } from "../../../queues/secret-scanning/githubScanPushEvent";
 export default async (app: Probot) => {
  app.on("installation.deleted", async (context) => {
--- a/backend/src/ee/services/ProjectRoleService.ts
+++ b/backend/src/ee/services/ProjectRoleService.ts
@ -49,7 +49,9 @@ export enum ProjectPermissionSub {
  IpAllowList = "ip-allowlist",
  Workspace = "workspace",
  Secrets = "secrets",
-  SecretRollback = "secret-rollback"
+  SecretRollback = "secret-rollback",
+  SecretApproval = "secret-approval",
+  SecretRotation = "secret-rotation"
 }

 type SubjectFields = {
@ -72,6 +74,8 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
  | [ProjectPermissionActions, ProjectPermissionSub.Settings]
  | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
@ -85,6 +89,16 @@ const buildAdminPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretApproval);
+
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretRotation);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);

@ -154,6 +168,9 @@ const buildMemberPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);

@ -203,7 +220,9 @@ const buildViewerPermission = () => {
  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
--- a/backend/src/ee/services/SecretApprovalService.ts
+++ b/backend/src/ee/services/SecretApprovalService.ts
@ -0,0 +1,656 @@
+import picomatch from "picomatch";
+import { Types } from "mongoose";
+import {
+  containsGlobPatterns,
+  generateSecretBlindIndexWithSaltHelper,
+  getSecretBlindIndexSaltHelper
+} from "../../helpers/secrets";
+import { Folder, ISecret, Secret } from "../../models";
+import { ISecretApprovalPolicy, SecretApprovalPolicy } from "../models/secretApprovalPolicy";
+import {
+  CommitType,
+  ISecretApprovalRequest,
+  ISecretApprovalSecChange,
+  ISecretCommits,
+  SecretApprovalRequest
+} from "../models/secretApprovalRequest";
+import { BadRequestError } from "../../utils/errors";
+import { getFolderByPath } from "../../services/FolderService";
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_SHARED } from "../../variables";
+import TelemetryService from "../../services/TelemetryService";
+import { EEAuditLogService, EESecretService } from "../services";
+import { EventType, SecretVersion } from "../models";
+import { AuthData } from "../../interfaces/middleware";
+
+// if glob pattern score is 1, if not exist score is 0 and if its not both then its exact path meaning score 2
+const getPolicyScore = (policy: ISecretApprovalPolicy) =>
+  policy.secretPath ? (containsGlobPatterns(policy.secretPath) ? 1 : 2) : 0;
+
+// this will fetch the policy that gets priority for an environment and secret path
+export const getSecretPolicyOfBoard = async (
+  workspaceId: string,
+  environment: string,
+  secretPath: string
+) => {
+  const policies = await SecretApprovalPolicy.find({ workspace: workspaceId, environment });
+  if (!policies) return;
+  // this will filter policies either without scoped to secret path or the one that matches with secret path
+  const policiesFilteredByPath = policies.filter(
+    ({ secretPath: policyPath }) =>
+      !policyPath || picomatch.isMatch(secretPath, policyPath, { strictSlashes: false })
+  );
+  // now sort by priority. exact secret path gets first match followed by glob followed by just env scoped
+  // if that is tie get by first createdAt
+  const policiesByPriority = policiesFilteredByPath.sort(
+    (a, b) => getPolicyScore(b) - getPolicyScore(a)
+  );
+  const finalPolicy = policiesByPriority.shift();
+  return finalPolicy;
+};
+
+const getLatestSecretVersion = async (secretIds: Types.ObjectId[]) => {
+  const latestSecretVersions = await SecretVersion.aggregate([
+    {
+      $match: {
+        secret: {
+          $in: secretIds
+        },
+        type: SECRET_SHARED
+      }
+    },
+    {
+      $sort: { version: -1 }
+    },
+    {
+      $group: {
+        _id: "$secret",
+        version: { $max: "$version" },
+        versionId: { $max: "$_id" }, // id of latest secret versionId
+        secret: { $first: "$$ROOT" }
+      }
+    }
+  ]).exec();
+  // reduced with secret id and latest version as document
+  return latestSecretVersions.reduce(
+    (prev, curr) => ({ ...prev, [curr._id.toString()]: curr.secret }),
+    {}
+  );
+};
+
+type TApprovalCreateSecret = Omit<ISecretApprovalSecChange, "_id" | "version"> & {
+  secretName: string;
+};
+type TApprovalUpdateSecret = Partial<Omit<ISecretApprovalSecChange, "_id" | "version">> & {
+  secretName: string;
+  newSecretName?: string;
+};
+
+type TGenerateSecretApprovalRequestArg = {
+  workspaceId: string;
+  environment: string;
+  secretPath: string;
+  policy: ISecretApprovalPolicy;
+  data: {
+    [CommitType.CREATE]?: TApprovalCreateSecret[];
+    [CommitType.UPDATE]?: TApprovalUpdateSecret[];
+    [CommitType.DELETE]?: { secretName: string }[];
+  };
+  commiterMembershipId: string;
+  authData: AuthData;
+};
+
+export const generateSecretApprovalRequest = async ({
+  workspaceId,
+  environment,
+  secretPath,
+  policy,
+  data,
+  commiterMembershipId,
+  authData
+}: TGenerateSecretApprovalRequestArg) => {
+  // calculate folder id from secret path
+  let folderId = "root";
+  const rootFolder = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!rootFolder && secretPath !== "/") throw BadRequestError({ message: "Folder not found" });
+  if (rootFolder) {
+    const folder = getFolderByPath(rootFolder.nodes, secretPath);
+    if (!folder) throw BadRequestError({ message: "Folder not found" });
+    folderId = folder.id;
+  }
+
+  // generate secret blindIndexes
+  const salt = await getSecretBlindIndexSaltHelper({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  const commits: ISecretApprovalRequest["commits"] = [];
+
+  // -----
+  // for created secret approval change
+  const createdSecret = data[CommitType.CREATE];
+  if (createdSecret && createdSecret?.length) {
+    // validation checks whether secret exists for creation
+    const secretBlindIndexes = await Promise.all(
+      createdSecret.map(({ secretName }) =>
+        generateSecretBlindIndexWithSaltHelper({
+          secretName,
+          salt
+        })
+      )
+    ).then((blindIndexes) =>
+      blindIndexes.reduce<Record<string, string>>((prev, curr, i) => {
+        prev[createdSecret[i].secretName] = curr;
+        return prev;
+      }, {})
+    );
+    // check created secret exists
+    const exists = await Secret.exists({
+      workspace: new Types.ObjectId(workspaceId),
+      folder: folderId,
+      environment
+    })
+      .or(
+        createdSecret.map(({ secretName }) => ({
+          secretBlindIndex: secretBlindIndexes[secretName],
+          type: SECRET_SHARED
+        }))
+      )
+      .exec();
+    if (exists) throw BadRequestError({ message: "Secrets already exist" });
+    commits.push(
+      ...createdSecret.map((el) => ({
+        op: CommitType.CREATE as const,
+        newVersion: {
+          ...el,
+          version: 0,
+          _id: new Types.ObjectId(),
+          secretBlindIndex: secretBlindIndexes[el.secretName]
+        }
+      }))
+    );
+  }
+
+  // ----
+  // updated secrets approval change
+  const updatedSecret = data[CommitType.UPDATE];
+  if (updatedSecret && updatedSecret?.length) {
+    // validation checks whether secret doesn't exists for update
+    const secretBlindIndexes = await Promise.all(
+      updatedSecret.map(({ secretName }) =>
+        generateSecretBlindIndexWithSaltHelper({
+          secretName,
+          salt
+        })
+      )
+    ).then((blindIndexes) =>
+      blindIndexes.reduce<Record<string, string>>((prev, curr, i) => {
+        prev[updatedSecret[i].secretName] = curr;
+        return prev;
+      }, {})
+    );
+    // check update secret exists
+    const oldSecrets = await Secret.find({
+      workspace: new Types.ObjectId(workspaceId),
+      folder: folderId,
+      environment,
+      type: SECRET_SHARED,
+      secretBlindIndex: {
+        $in: updatedSecret.map(({ secretName }) => secretBlindIndexes[secretName])
+      }
+    })
+      .select("+secretBlindIndex")
+      .lean()
+      .exec();
+    if (oldSecrets.length !== updatedSecret.length)
+      throw BadRequestError({ message: "Secrets already exist" });
+
+    // finally check updating blindindex exist
+    const nameUpdatedSecrets = updatedSecret.filter(({ newSecretName }) => Boolean(newSecretName));
+    const newSecretBlindIndexes = await Promise.all(
+      nameUpdatedSecrets.map(({ newSecretName }) =>
+        generateSecretBlindIndexWithSaltHelper({
+          secretName: newSecretName as string,
+          salt
+        })
+      )
+    ).then((blindIndexes) =>
+      blindIndexes.reduce<Record<string, string>>((prev, curr, i) => {
+        prev[nameUpdatedSecrets[i].secretName] = curr;
+        return prev;
+      }, {})
+    );
+    const doesAnySecretExistWithNewIndex = await Secret.find({
+      workspace: new Types.ObjectId(workspaceId),
+      folder: folderId,
+      environment,
+      secretBlindIndex: { $in: Object.values(newSecretBlindIndexes) }
+    });
+    if (doesAnySecretExistWithNewIndex.length)
+      throw BadRequestError({ message: "Secret with new name already exist" });
+
+    const oldSecretsGroupById = oldSecrets.reduce<Record<string, ISecret>>(
+      (prev, curr) => ({ ...prev, [curr?.secretBlindIndex || ""]: curr }),
+      {}
+    );
+    const latestSecretVersions = await getLatestSecretVersion(
+      updatedSecret.map((el) => oldSecretsGroupById[secretBlindIndexes[el.secretName]]._id)
+    );
+
+    commits.push(
+      ...updatedSecret.map((el) => {
+        const secretId = oldSecretsGroupById[secretBlindIndexes[el.secretName]]._id;
+        return {
+          op: CommitType.UPDATE as const,
+          secret: secretId,
+          secretVersion: latestSecretVersions[secretId.toString()]._id,
+          newVersion: {
+            ...el,
+            secretBlindIndex: newSecretBlindIndexes?.[el.secretName],
+            _id: new Types.ObjectId(),
+            version: oldSecretsGroupById[secretBlindIndexes[el.secretName]].version || 1
+          }
+        };
+      })
+    );
+  }
+
+  // -----
+  // deleted secrets
+  const deletedSecrets = data[CommitType.DELETE];
+  if (deletedSecrets && deletedSecrets.length) {
+    const secretBlindIndexes = await Promise.all(
+      deletedSecrets.map(({ secretName }) =>
+        generateSecretBlindIndexWithSaltHelper({
+          secretName,
+          salt
+        })
+      )
+    ).then((blindIndexes) =>
+      blindIndexes.reduce<Record<string, string>>((prev, curr, i) => {
+        prev[deletedSecrets[i].secretName] = curr;
+        return prev;
+      }, {})
+    );
+
+    const secretsToDelete = await Secret.find({
+      workspace: new Types.ObjectId(workspaceId),
+      folder: folderId,
+      environment,
+      type: SECRET_SHARED,
+      secretBlindIndex: {
+        $in: deletedSecrets.map(({ secretName }) => secretBlindIndexes[secretName])
+      }
+    })
+      .select({ secretBlindIndex: 1, _id: 1 })
+      .lean()
+      .exec();
+    if (secretsToDelete.length !== deletedSecrets.length)
+      throw BadRequestError({ message: "Deleted secrets not found" });
+
+    const oldSecretsGroupById = secretsToDelete.reduce<Record<string, ISecret>>(
+      (prev, curr) => ({ ...prev, [curr?.secretBlindIndex || ""]: curr }),
+      {}
+    );
+    const latestSecretVersions = await getLatestSecretVersion(
+      deletedSecrets.map((el) => oldSecretsGroupById[secretBlindIndexes[el.secretName]]._id)
+    );
+
+    commits.push(
+      ...deletedSecrets.map((el) => {
+        const secretId = oldSecretsGroupById[secretBlindIndexes[el.secretName]]._id;
+        return {
+          op: CommitType.DELETE as const,
+          secret: secretId,
+          secretVersion: latestSecretVersions[secretId.toString()]
+        };
+      })
+    );
+  }
+
+  const secretApprovalRequest = new SecretApprovalRequest({
+    workspace: workspaceId,
+    environment,
+    folderId,
+    policy,
+    commits,
+    committer: commiterMembershipId
+  });
+  await secretApprovalRequest.save();
+
+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.SECRET_APPROVAL_REQUEST,
+      metadata: {
+        committedBy: commiterMembershipId,
+        secretApprovalRequestId: secretApprovalRequest._id.toString(),
+        secretApprovalRequestSlug: secretApprovalRequest.slug
+      }
+    },
+    {
+      workspaceId: secretApprovalRequest.workspace
+    }
+  );
+
+  return secretApprovalRequest;
+};
+
+// validation for a merge conditions happen in another function in controller
+export const performSecretApprovalRequestMerge = async (
+  id: string,
+  authData: AuthData,
+  userMembershipId: string
+) => {
+  const secretApprovalRequest = await SecretApprovalRequest.findById(id)
+    .populate<{ commits: ISecretCommits<ISecret> }>({
+      path: "commits.secret",
+      select: "+secretBlindIndex",
+      populate: {
+        path: "tags"
+      }
+    })
+    .select("+commits.newVersion.secretBlindIndex");
+  if (!secretApprovalRequest) throw BadRequestError({ message: "Approval request not found" });
+
+  const workspaceId = secretApprovalRequest.workspace;
+  const environment = secretApprovalRequest.environment;
+  const folderId = secretApprovalRequest.folderId;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const conflicts: Array<{ secretId: string; op: CommitType }> = [];
+
+  const secretCreationCommits = secretApprovalRequest.commits.filter(
+    ({ op }) => op === CommitType.CREATE
+  ) as Array<{ op: CommitType.CREATE; newVersion: ISecretApprovalSecChange }>;
+  if (secretCreationCommits.length) {
+    // the created secrets already exist thus creation conflict ones
+    const conflictedSecrets = await Secret.find({
+      workspace: workspaceId,
+      environment,
+      folder: folderId,
+      secretBlindIndex: {
+        $in: secretCreationCommits.map(({ newVersion }) => newVersion.secretBlindIndex)
+      }
+    })
+      .select("+secretBlindIndex")
+      .lean();
+    const conflictGroupByBlindIndex = conflictedSecrets.reduce<Record<string, boolean>>(
+      (prev, curr) => ({ ...prev, [curr.secretBlindIndex || ""]: true }),
+      {}
+    );
+    const nonConflictSecrets = secretCreationCommits.filter(
+      ({ newVersion }) => !conflictGroupByBlindIndex[newVersion.secretBlindIndex || ""]
+    );
+    secretCreationCommits
+      .filter(({ newVersion }) => conflictGroupByBlindIndex[newVersion.secretBlindIndex || ""])
+      .forEach((el) => {
+        conflicts.push({ op: CommitType.CREATE, secretId: el.newVersion._id.toString() });
+      });
+
+    // create secret
+    const newlyCreatedSecrets: ISecret[] = await Secret.insertMany(
+      nonConflictSecrets.map(
+        ({
+          newVersion: {
+            secretKeyIV,
+            secretKeyTag,
+            secretValueIV,
+            secretValueTag,
+            secretCommentIV,
+            secretCommentTag,
+            secretKeyCiphertext,
+            secretValueCiphertext,
+            secretCommentCiphertext,
+            skipMultilineEncoding,
+            secretBlindIndex,
+            algorithm,
+            keyEncoding,
+            tags
+          }
+        }) => ({
+          version: 1,
+          workspace: new Types.ObjectId(workspaceId),
+          environment,
+          type: SECRET_SHARED,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          secretCommentCiphertext,
+          secretCommentIV,
+          secretCommentTag,
+          folder: folderId,
+          algorithm: algorithm || ALGORITHM_AES_256_GCM,
+          keyEncoding: keyEncoding || ENCODING_SCHEME_UTF8,
+          tags,
+          skipMultilineEncoding,
+          secretBlindIndex
+        })
+      )
+    );
+
+    await EESecretService.addSecretVersions({
+      secretVersions: newlyCreatedSecrets.map(
+        (secret) =>
+          new SecretVersion({
+            secret: secret._id,
+            version: secret.version,
+            workspace: secret.workspace,
+            type: secret.type,
+            folder: folderId,
+            tags: secret.tags,
+            skipMultilineEncoding: secret?.skipMultilineEncoding,
+            environment: secret.environment,
+            isDeleted: false,
+            secretBlindIndex: secret.secretBlindIndex,
+            secretKeyCiphertext: secret.secretKeyCiphertext,
+            secretKeyIV: secret.secretKeyIV,
+            secretKeyTag: secret.secretKeyTag,
+            secretValueCiphertext: secret.secretValueCiphertext,
+            secretValueIV: secret.secretValueIV,
+            secretValueTag: secret.secretValueTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
+          })
+      )
+    });
+  }
+
+  const secretUpdationCommits = secretApprovalRequest.commits.filter(
+    ({ op }) => op === CommitType.UPDATE
+  ) as Array<{
+    op: CommitType.UPDATE;
+    newVersion: Partial<Omit<ISecretApprovalSecChange, "_id">> & { _id: Types.ObjectId };
+    secret: ISecret;
+  }>;
+  if (secretUpdationCommits.length) {
+    const conflictedByNewBlindIndex = await Secret.find({
+      workspace: workspaceId,
+      environment,
+      folder: folderId,
+      secretBlindIndex: {
+        $in: secretUpdationCommits
+          .map(({ newVersion }) => newVersion?.secretBlindIndex)
+          .filter(Boolean)
+      }
+    })
+      .select("+secretBlindIndex")
+      .lean();
+    const conflictGroupByBlindIndex = conflictedByNewBlindIndex.reduce<Record<string, boolean>>(
+      (prev, curr) => (curr?.secretBlindIndex ? { ...prev, [curr.secretBlindIndex]: true } : prev),
+      {}
+    );
+    secretUpdationCommits
+      .filter(
+        ({ newVersion, secret }) =>
+          (newVersion.secretBlindIndex && conflictGroupByBlindIndex[newVersion.secretBlindIndex]) ||
+          !secret
+      )
+      .forEach((el) => {
+        conflicts.push({ op: CommitType.UPDATE, secretId: el.newVersion._id.toString() });
+      });
+
+    const nonConflictSecrets = secretUpdationCommits.filter(
+      ({ newVersion, secret }) =>
+        Boolean(secret) &&
+        (newVersion?.secretBlindIndex
+          ? !conflictGroupByBlindIndex[newVersion.secretBlindIndex]
+          : true)
+    );
+    await Secret.bulkWrite(
+      // id and version are stripped off
+      nonConflictSecrets.map(
+        ({
+          newVersion: {
+            secretKeyIV,
+            secretKeyTag,
+            secretValueIV,
+            secretValueTag,
+            secretCommentIV,
+            secretCommentTag,
+            secretKeyCiphertext,
+            secretValueCiphertext,
+            secretCommentCiphertext,
+            skipMultilineEncoding,
+            secretBlindIndex,
+            tags
+          },
+          secret
+        }) => ({
+          updateOne: {
+            filter: {
+              workspace: new Types.ObjectId(workspaceId),
+              environment,
+              folder: folderId,
+              secretBlindIndex: secret.secretBlindIndex,
+              type: SECRET_SHARED
+            },
+            update: {
+              $inc: {
+                version: 1
+              },
+              secretKeyIV,
+              secretKeyTag,
+              secretValueIV,
+              secretValueTag,
+              secretCommentIV,
+              secretCommentTag,
+              secretKeyCiphertext,
+              secretValueCiphertext,
+              secretCommentCiphertext,
+              skipMultilineEncoding,
+              secretBlindIndex,
+              tags,
+              algorithm: ALGORITHM_AES_256_GCM,
+              keyEncoding: ENCODING_SCHEME_UTF8
+            }
+          }
+        })
+      )
+    );
+
+    await EESecretService.addSecretVersions({
+      secretVersions: nonConflictSecrets.map(({ newVersion, secret }) => {
+        return new SecretVersion({
+          secret: secret._id,
+          version: secret.version + 1,
+          workspace: workspaceId,
+          type: SECRET_SHARED,
+          folder: folderId,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: newVersion?.secretBlindIndex ?? secret.secretBlindIndex,
+          secretKeyCiphertext: newVersion?.secretKeyCiphertext ?? secret.secretKeyCiphertext,
+          secretKeyIV: newVersion?.secretKeyIV ?? secret.secretKeyCiphertext,
+          secretKeyTag: newVersion?.secretKeyTag ?? secret.secretKeyTag,
+          secretValueCiphertext: newVersion?.secretValueCiphertext ?? secret.secretValueCiphertext,
+          secretValueIV: newVersion?.secretValueIV ?? secret.secretValueIV,
+          secretValueTag: newVersion?.secretValueTag ?? secret.secretValueTag,
+          tags: newVersion?.tags ?? secret.tags,
+          algorithm: ALGORITHM_AES_256_GCM,
+          keyEncoding: ENCODING_SCHEME_UTF8,
+          skipMultilineEncoding: newVersion?.skipMultilineEncoding ?? secret.skipMultilineEncoding
+        });
+      })
+    });
+  }
+
+  const secretDeletionCommits = secretApprovalRequest.commits.filter(
+    ({ op }) => op === CommitType.DELETE
+  ) as Array<{
+    op: CommitType.DELETE;
+    secret: ISecret;
+  }>;
+  if (secretDeletionCommits.length) {
+    await Secret.deleteMany({
+      workspace: new Types.ObjectId(workspaceId),
+      folder: folderId,
+      environment
+    })
+      .or(
+        secretDeletionCommits.map(({ secret: { secretBlindIndex } }) => ({
+          secretBlindIndex,
+          type: { $in: ["shared", "personal"] }
+        }))
+      )
+      .exec();
+
+    await EESecretService.markDeletedSecretVersions({
+      secretIds: secretDeletionCommits.map(({ secret }) => secret._id)
+    });
+  }
+
+  const updatedSecretApproval = await SecretApprovalRequest.findByIdAndUpdate(
+    id,
+    {
+      conflicts,
+      hasMerged: true,
+      status: "close",
+      statusChangeBy: userMembershipId
+    },
+    { new: true }
+  );
+
+  if (postHogClient) {
+    if (postHogClient) {
+      postHogClient.capture({
+        event: "secrets merged",
+        distinctId: await TelemetryService.getDistinctId({
+          authData
+        }),
+        properties: {
+          numberOfSecrets: secretApprovalRequest.commits.length,
+          environment,
+          workspaceId,
+          folderId,
+          channel: authData.userAgentType,
+          userAgent: authData.userAgent
+        }
+      });
+    }
+  }
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId
+  });
+
+  // question to team where to keep secretKey
+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.SECRET_APPROVAL_MERGED,
+      metadata: {
+        mergedBy: userMembershipId,
+        secretApprovalRequestId: id,
+        secretApprovalRequestSlug: secretApprovalRequest.slug
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
+  return updatedSecretApproval;
+};
--- a/backend/src/ee/services/index.ts
+++ b/backend/src/ee/services/index.ts
@ -1,13 +1,11 @@
 import EELicenseService from "./EELicenseService";
 import EESecretService from "./EESecretService";
-import EELogService from "./EELogService";
 import EEAuditLogService from "./EEAuditLogService";
 import GithubSecretScanningService from "./GithubSecretScanning/GithubSecretScanningService"

 export {
    EELicenseService,
    EESecretService,
-    EELogService,
    EEAuditLogService,
    GithubSecretScanningService
 }
--- a/Show More
+++ b/Show More