Added decryption screen for sso

2025-03-21 13:36:03 +00:00 · 2022-12-22 10:50:59 -05:00
1321 changed files with 22545 additions and 123555 deletions
--- a/.env.example
+++ b/.env.example
@ -1,22 +1,26 @@
 # Keys
-# Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
-ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
+# Required keys for platform encryption/decryption ops
+PRIVATE_KEY=replace_with_nacl_sk
+PUBLIC_KEY=replace_with_nacl_pk
+ENCRYPTION_KEY=replace_with_lengthy_secure_hex

 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+JWT_SIGNUP_SECRET=replace_with_lengthy_secure_hex
+JWT_REFRESH_SECRET=replace_with_lengthy_secure_hex
+JWT_AUTH_SECRET=replace_with_lengthy_secure_hex

 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
 # describing a time span (e.g. 60, "2 days", "10h", "7d")
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
+JWT_SERVICE_SECRET=
 JWT_SIGNUP_LIFETIME=

+# Optional lifetimes for OTP expressed in seconds
+EMAIL_TOKEN_LIFETIME=
+
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
 # to the MongoDB container instance or Mongo Cloud
@ -29,13 +33,16 @@ MONGO_PASSWORD=example

 # Website URL
 # Required
+
 SITE_URL=http://localhost:8080

-# Mail/SMTP 
-SMTP_HOST=
-SMTP_PORT=
-SMTP_NAME=
-SMTP_USERNAME=
+# Mail/SMTP
+# Required to send emails
+# By default, SMTP_HOST is set to smtp.gmail.com
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_NAME=Team
+SMTP_USERNAME=team@infisical.com
 SMTP_PASSWORD=

 # Integration
@ -43,14 +50,9 @@ SMTP_PASSWORD=
 CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
-CLIENT_ID_GITHUB=
-CLIENT_ID_GITLAB=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
-CLIENT_SECRET_GITHUB=
-CLIENT_SECRET_GITLAB=
-CLIENT_SLUG_VERCEL=

 # Sentry (optional) for monitoring errors
 SENTRY_DSN=
@ -62,7 +64,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_CARD_AUTH=
 STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+STRIPE_PRODUCT_STARTER=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
--- a/.eslintignore
+++ b/.eslintignore
@ -1,4 +1,3 @@
 node_modules
 built
 healthcheck.js
-tailwind.config.js
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,22 +0,0 @@
-# Description 📣
-
-<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
-
-## Type ✨
-
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation
-
-# Tests 🛠️
-
-<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
-
-```sh
-# Here's some code block to paste some code snippets
-```
-
---
-
- [ ] I have read the [contributing guide](https://infisical.com/docs/contributing/overview), agreed and acknowledged the [code of conduct](https://infisical.com/docs/contributing/code-of-conduct). 📝
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,71 +0,0 @@
-frontend:
-  enabled: true
-  name: frontend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
-  image:
-    repository: infisical/frontend
-    tag: "latest"
-    pullPolicy: Always
-  kubeSecretRef: managed-secret-frontend
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-frontendEnvironmentVariables: null
-
-backend:
-  enabled: true
-  name: backend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
-  image:
-    repository: infisical/backend
-    tag: "latest"
-    pullPolicy: Always
-  kubeSecretRef: managed-backend-secret
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-backendEnvironmentVariables: null
-
-## Mongo DB persistence
-mongodb:
-  enabled: true
-  persistence:
-    enabled: false
-
-## By default the backend will be connected to a Mongo instance within the cluster
-## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
-## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
-mongodbConnection:
-  externalMongoDBConnectionString: ""
-
-ingress:
-  enabled: true
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    # cert-manager.io/issuer: letsencrypt-nginx
-  hostName: gamma.infisical.com ## <- Replace with your own domain
-  frontend:
-    path: /
-    pathType: Prefix
-  backend:
-    path: /api
-    pathType: Prefix
-  tls:
-    []
-    # - secretName: letsencrypt-nginx
-    #   hosts:
-    #     - infisical.local
-
-mailhog:
-  enabled: false
--- a/.github/workflows/be-test-report.yml
+++ b/.github/workflows/be-test-report.yml
@ -1,41 +0,0 @@
-name: "Backend Test Report"
-
-on:
-  workflow_run:
-    workflows: ["Check Backend Pull Request"]
-    types:
-      - completed
-
-jobs:
-  be-report:
-    name: Backend test report
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: 📁 Download test results
-        id: download-artifact
-        uses: dawidd6/action-download-artifact@v2
-        with:
-          name: be-test-results
-          path: backend
-          workflow: check-be-pull-request.yml
-          workflow_conclusion: success
-      - name: 📋 Publish test results
-        uses: dorny/test-reporter@v1
-        with:
-          name: Test Results
-          path: reports/jest-*.xml
-          reporter: jest-junit
-          working-directory: backend
-      - name: 📋 Publish coverage
-        uses: ArtiomTr/jest-coverage-report-action@v2
-        id: coverage
-        with:
-          output: comment, report-markdown
-          coverage-file: coverage/report.json
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          working-directory: backend
-      - uses: marocchino/sticky-pull-request-comment@v2
-        with:
-          message: ${{ steps.coverage.outputs.report }}
--- a/.github/workflows/check-be-pull-request.yml
+++ b/.github/workflows/check-be-pull-request.yml
@ -1,42 +1,41 @@
-name: "Check Backend Pull Request"
+name: Check Backend Pull Request

 on:
  pull_request:
-    types: [opened, synchronize]
+    types: [ opened, synchronize ]
    paths:
-      - "backend/**"
-      - "!backend/README.md"
-      - "!backend/.*"
-      - "backend/.eslintrc.js"
+      - 'backend/**'
+      - '!backend/README.md'
+      - '!backend/.*'
+      - 'backend/.eslintrc.js'
+

 jobs:
+
  check-be-pr:
    name: Check
    runs-on: ubuntu-latest

    steps:
-      - name: ☁️ Checkout source
+      -
+        name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      -
+        name: 🔧 Setup Node 16
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
-          cache: "npm"
+          node-version: '16'
+          cache: 'npm'
          cache-dependency-path: backend/package-lock.json
-      - name: 📦 Install dependencies
-        run: npm ci --only-production
+      -
+        name: 📦 Install dependencies
+        run: npm ci --only-production --ignore-scripts
        working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
-      - name: 🏗️ Run build
+      # -
+      #   name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      -
+        name: 🏗️ Run build
        run: npm run build
        working-directory: backend
--- a/.github/workflows/close_inactive_issues.yml
+++ b/.github/workflows/close_inactive_issues.yml
@ -0,0 +1,22 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v4
+        with:
+          days-before-issue-stale: 30
+          days-before-issue-close: 14
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -1,28 +1,17 @@
-name: Build, Publish and Deploy to Gamma
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
+name: Push to Docker Hub
+
+on: [workflow_dispatch]

 jobs:
  backend-image:
    name: Build backend image
    runs-on: ubuntu-latest
+
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up QEMU
+        uses: docker/setup-qemu-action@v2
      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: 🐋 Login to Docker Hub
@ -30,13 +19,9 @@ jobs:
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
+        uses: docker/build-push-action@v3
        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          load: true
          context: backend
          tags: infisical/backend:test
@ -50,30 +35,22 @@ jobs:
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml down
      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
+        uses: docker/build-push-action@v3
        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
+          tags: infisical/backend:latest
          platforms: linux/amd64,linux/arm64

  frontend-image:
    name: Build frontend image
    runs-on: ubuntu-latest
+
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up QEMU
+        uses: docker/setup-qemu-action@v2
      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: 🐋 Login to Docker Hub
@ -81,14 +58,10 @@ jobs:
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
+        uses: docker/build-push-action@v3
        with:
          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
          context: frontend
          tags: infisical/frontend:test
          build-args: |
@ -103,53 +76,11 @@ jobs:
        run: |
          docker stop infisical-frontend-test
      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
+        uses: docker/build-push-action@v3
        with:
-          project: 64mmf0n610
          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          tags: infisical/frontend:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [frontend-image, backend-image]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install infisical helm chart
-        run: |
-          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
-          helm repo update
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v3
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-      - name: Save DigitalOcean kubeconfig with short-lived credentials
-        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
-      - name: switch to gamma namespace
-        run: kubectl config set-context --current --namespace=gamma
-      - name: test kubectl
-        run: kubectl get ingress
-      - name: Download helm values to file and upgrade gamma deploy
-        run: |
-          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
-          if [[ $(helm status infisical) == *"FAILED"* ]]; then
-            echo "Helm upgrade failed"
-            exit 1
-          else
-            echo "Helm upgrade was successful"
-          fi
--- a/.github/workflows/release-standalone-docker-img.yml
+++ b/.github/workflows/release-standalone-docker-img.yml
@ -1,68 +0,0 @@
-name: Release standalone docker image
-on: [workflow_dispatch]
-
-jobs:
-  infisical-standalone:
-    name: Build infisical standalone image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - uses: paulhatch/semantic-version@v5.0.2
-        id: version
-        with:
-          # The prefix to use to identify tags
-          tag_prefix: "infisical-standalone/v"
-          # A string which, if present in a git commit, indicates that a change represents a
-          # major (breaking) change, supports regular expressions wrapped with '/'
-          major_pattern: "(MAJOR)"
-          # Same as above except indicating a minor change, supports regular expressions wrapped with '/'
-          minor_pattern: "(MINOR)"
-          # A string to determine the format of the version output
-          version_format: "${major}.${minor}.${patch}-prerelease${increment}"
-          # Optional path to check for changes. If any changes are detected in the path the
-          # 'changed' output will true. Enter multiple paths separated by spaces.
-          change_path: "backend,frontend"
-          # Prevents pre-v1.0.0 version from automatically incrementing the major version.
-          # If enabled, when the major version is 0, major releases will be treated as minor and minor as patch. Note that the version_type output is unchanged.
-          enable_prerelease_mode: true
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: version output
-        run: |
-          echo "Output Value: ${{ steps.version.outputs.major }}"
-          echo "Output Value: ${{ steps.version.outputs.minor }}"
-          echo "Output Value: ${{ steps.version.outputs.patch }}"
-          echo "Output Value: ${{ steps.version.outputs.version }}"
-          echo "Output Value: ${{ steps.version.outputs.version_type }}"
-          echo "Output Value: ${{ steps.version.outputs.increment }}"
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          tags: |
-            infisical/infisical:latest
-            infisical/infisical:${{ steps.commit.outputs.short }}
-          platforms: linux/amd64,linux/arm64
-          file: Dockerfile.standalone-infisical
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@ -1,10 +1,10 @@
-name: Build and release CLI
+name: Go releaser

 on:
  push:
    # run only against tags
    tags:
-      - "infisical-cli/v*.*.*"
+      - 'v*'

 permissions:
  contents: write
@ -13,46 +13,29 @@ permissions:

 jobs:
  goreleaser:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
      - uses: actions/setup-go@v3
        with:
-          go-version: ">=1.19.3"
+          go-version: '>=1.19.3'
          cache: true
          cache-dependency-path: cli/go.sum
-      - name: libssl1.1 => libssl1.0-dev for OSXCross
-        run: |
-          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-          sudo apt update && apt-cache policy libssl1.0-dev
-          sudo apt-get install libssl1.0-dev
-      - name: OSXCross for CGO Support
-        run: |
-          mkdir ../../osxcross
-          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
+      - uses: goreleaser/goreleaser-action@v2
        with:
-          distribution: goreleaser-pro
+          distribution: goreleaser
          version: latest
-          args: release --clean
+          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
      - uses: actions/setup-python@v4
      - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith
+      - name: Publish to CloudSmith 
        run: sh cli/upload_to_cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      
--- a/.gitignore
+++ b/.gitignore
@ -12,8 +12,6 @@ node_modules
 .DS_Store

 /dist
-/completions/
-/manpages/

 # frontend

@ -27,9 +25,7 @@ node_modules
 .env

 # testing
-coverage
-reports
-junit.xml
+/coverage

 # next.js
 /.next/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -6,83 +6,49 @@
 #     - cd cli && go mod tidy
 #     # you may remove this if you don't need go generate
 #     - cd cli && go generate ./...
-before:
-  hooks:
-    - ./cli/scripts/completions.sh
-    - ./cli/scripts/manpages.sh
-
-monorepo:
-  tag_prefix: infisical-cli/
-  dir: cli
-
 builds:
-  - id: darwin-build
-    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-    flags:
-      - -trimpath
-    env:
-      - CGO_ENABLED=1
-      - CC=/home/runner/work/osxcross/target/bin/o64-clang
-      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
-    goos:
-      - darwin
-    ignore:
-      - goos: darwin
-        goarch: "386"
-    dir: ./cli
-
-  - id: all-other-builds
-    env:
+  - env:
      - CGO_ENABLED=0
    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-    flags:
-      - -trimpath
+    id: infisical
    goos:
+      - darwin
      - freebsd
      - linux
      - netbsd
      - openbsd
      - windows
    goarch:
-      - "386"
+      - 386
      - amd64
      - arm
      - arm64
    goarm:
-      - "6"
-      - "7"
+      - 6
+      - 7
    ignore:
+      - goos: darwin
+        goarch: "386"
      - goos: windows
        goarch: "386"
      - goos: freebsd
        goarch: "386"
    dir: ./cli

-archives:
-  - format_overrides:
-      - goos: windows
-        format: zip
-    files:
-      - ../README*
-      - ../LICENSE*
-      - ../manpages/*
-      - ../completions/*
-
 release:
  replace_existing_draft: true
-  mode: "replace"
+  mode: 'replace'

 checksum:
-  name_template: "checksums.txt"
-
+  name_template: 'checksums.txt'
 snapshot:
-  name_template: "{{ .Version }}-devel"
+  name_template: "{{ incpatch .Version }}"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'

 # publishers:
 #   - name: fury.io
@ -90,7 +56,6 @@ snapshot:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
-
 brews:
  - name: infisical
    tap:
@ -102,39 +67,22 @@ brews:
    folder: Formula
    homepage: "https://infisical.com"
    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-
 nfpms:
-  - id: infisical
-    package_name: infisical
-    builds:
-      - all-other-builds
-    vendor: Infisical, Inc
-    homepage: https://infisical.com/
-    maintainer: Infisical, Inc
-    description: The offical Infisical CLI
-    license: MIT
-    formats:
-      - rpm
-      - deb
-      - apk
-      - archlinux
-    bindir: /usr/bin
-    contents:
-      - src: ./completions/infisical.bash
-        dst: /etc/bash_completion.d/infisical
-      - src: ./completions/infisical.fish
-        dst: /usr/share/fish/vendor_completions.d/infisical.fish
-      - src: ./completions/infisical.zsh
-        dst: /usr/share/zsh/site-functions/_infisical
-      - src: ./manpages/infisical.1.gz
-        dst: /usr/share/man/man1/infisical.1.gz
-
+- id: infisical
+  package_name: infisical
+  builds:
+    - infisical
+  vendor: Infisical, Inc
+  homepage: https://infisical.com/
+  maintainer: Infisical, Inc
+  description: The offical Infisical CLI
+  license: Apache 2.0
+  formats:
+  - rpm
+  - deb
+  - apk
+  - archlinux
+  bindir: /usr/bin
 scoop:
  bucket:
    owner: Infisical
@ -144,38 +92,20 @@ scoop:
    email: ai@infisical.com
  homepage: "https://infisical.com"
  description: "The official Infisical CLI"
-  license: MIT
-
-aurs:
-  - name: infisical-bin
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    maintainers:
-      - Infisical, Inc <support@infisical.com>
-    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
-    package: |-
-      # bin
-      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
-      # license
-      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
-      # completions
-      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
-      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
-      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
-      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
-      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
-      # man pages
-      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
-
+  license: Apache-2.0
 # dockers:
-#   - dockerfile: cli/docker/Dockerfile
+#   - dockerfile: goreleaser.dockerfile
 #     goos: linux
 #     goarch: amd64
 #     ids:
 #       - infisical
 #     image_templates:
-#       - "infisical/cli:{{ .Version }}"
+#       - "infisical/cli:{{ .Version }}"             
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}"  
+#       - "infisical/cli:{{ .Major }}"               
 #       - "infisical/cli:latest"
+#     build_flag_templates:
+#       - "--label=org.label-schema.schema-version=1.0"
+#       - "--label=org.label-schema.version={{.Version}}"
+#       - "--label=org.label-schema.name={{.ProjectName}}"
+#       - "--platform=linux/amd64"
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -1,102 +0,0 @@
-ARG POSTHOG_HOST=https://app.posthog.com
-ARG POSTHOG_API_KEY=posthog-api-key
-
-FROM node:16-alpine AS frontend-dependencies
-
-WORKDIR /app
-
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
-
-# Install dependencies
-RUN npm ci --only-production --ignore-scripts
-
-# Rebuild the source code only when needed
-FROM node:16-alpine AS frontend-builder
-WORKDIR /app
-
-# Copy dependencies
-COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files 
-COPY /frontend .
-
-ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
-ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
-
-# Build
-RUN npm run build
-
-# Production image
-FROM node:16-alpine AS frontend-runner
-WORKDIR /app
-
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
-
-RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
-
-COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown nextjs:nodejs ./public/data
-COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
-
-USER nextjs
-
-ENV NEXT_TELEMETRY_DISABLED 1
-
-##
-## BACKEND
-##
-FROM node:16-alpine AS backend-build
-
-WORKDIR /app
-
-COPY backend/package*.json ./
-RUN npm ci --only-production
-
-COPY /backend .
-RUN npm run build
-
-# Production stage
-FROM node:16-alpine AS backend-runner
-
-WORKDIR /app
-
-COPY backend/package*.json ./
-RUN npm ci --only-production
-
-COPY --from=backend-build /app .
-
-# Production stage
-FROM node:14-alpine AS production
-
-WORKDIR / 
-
-# Install PM2
-RUN npm install -g pm2
-# Copy ecosystem.config.js
-COPY ecosystem.config.js .
-
-RUN apk add --no-cache nginx
-
-COPY nginx/default-stand-alone-docker.conf /etc/nginx/nginx.conf
-
-COPY --from=backend-runner /app /backend
-
-COPY --from=frontend-runner /app/ /app/
-
-EXPOSE 80
-ENV HTTPS_ENABLED false 
-
-CMD ["pm2-runtime", "start", "ecosystem.config.js"]
-
-
--- a/3
+++ b/3
@ -7,9 +7,6 @@ push:
 up-dev:
 	docker-compose -f docker-compose.dev.yml up --build

-i-dev:
-	infisical run -- docker-compose -f docker-compose.dev.yml up --build
-
 up-prod:
 	docker-compose -f docker-compose.yml up --build

--- a/README.md
+++ b/README.md
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,13 +1,9 @@
 # Security Policy

-## Supported versions
+## Supported Versions

 We always recommend using the latest version of Infisical to ensure you get all security updates.

-## Reporting vulnerabilities
+## Reporting a Vulnerability

-Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
-
-Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
-
-Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.
+Please report security vulnerabilities or concerns to team@infisical.com.
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -1,27 +1,15 @@
-# Build stage
-FROM node:16-alpine AS build
+FROM node:16-bullseye-slim

 WORKDIR /app

-COPY package*.json ./
-RUN npm ci --only-production
+COPY package.json package-lock.json ./
+
+RUN npm ci --only-production --ignore-scripts

 COPY . .
-RUN npm run build
-
-# Production stage
-FROM node:16-alpine
-
-WORKDIR /app
-
-COPY package*.json ./
-RUN npm ci --only-production
-
-COPY --from=build /app .

 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js

-EXPOSE 4000

-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start"]
--- a/backend/environment.d.ts
+++ b/backend/environment.d.ts
@ -3,9 +3,8 @@ export {};
 declare global {
  namespace NodeJS {
    interface ProcessEnv {
-      PORT: string;
+      EMAIL_TOKEN_LIFETIME: string;
      ENCRYPTION_KEY: string;
-      SALT_ROUNDS: string;
      JWT_AUTH_LIFETIME: string;
      JWT_AUTH_SECRET: string;
      JWT_REFRESH_LIFETIME: string;
@ -15,38 +14,28 @@ declare global {
 			JWT_SIGNUP_SECRET: string;
      MONGO_URL: string;
      NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
-      VERBOSE_ERROR_OUTPUT: string;
-      LOKI_HOST: string;
      CLIENT_ID_HEROKU: string;
      CLIENT_ID_VERCEL: string;
      CLIENT_ID_NETLIFY: string;
-      CLIENT_ID_GITHUB: string;
-      CLIENT_ID_GITLAB: string;
      CLIENT_SECRET_HEROKU: string;
      CLIENT_SECRET_VERCEL: string;
      CLIENT_SECRET_NETLIFY: string;
-      CLIENT_SECRET_GITHUB: string;
-      CLIENT_SECRET_GITLAB: string;
-      CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
+      PRIVATE_KEY: string;
+      PUBLIC_KEY: string;
      SENTRY_DSN: string;
      SITE_URL: string;
      SMTP_HOST: string;
-      SMTP_SECURE: string;
-      SMTP_PORT: string;
-      SMTP_USERNAME: string;
+      SMTP_NAME: string;
      SMTP_PASSWORD: string;
-      SMTP_FROM_ADDRESS: string;
-      SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
+      SMTP_USERNAME: string;
+      STRIPE_PRODUCT_CARD_AUTH: string;
      STRIPE_PRODUCT_PRO: string;
+      STRIPE_PRODUCT_STARTER: string;
      STRIPE_PUBLISHABLE_KEY: string;
      STRIPE_SECRET_KEY: string;
      STRIPE_WEBHOOK_SECRET: string;
-      TELEMETRY_ENABLED: string;
-      LICENSE_KEY: string;
    }
  }
 }
--- a/backend/jest.config.ts
+++ b/backend/jest.config.ts
@ -1,9 +0,0 @@
-export default {
-  preset: 'ts-jest',
-  testEnvironment: 'node',
-  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
-  modulePaths: ['<rootDir>/src'],
-  testMatch: ['<rootDir>/tests/**/*.test.ts'],
-  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
-  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
-};
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,20 +1,11 @@
 {
  "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.319.0",
-    "@godaddy/terminus": "^4.12.0",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.49.0",
-    "@sentry/tracing": "^7.48.0",
+    "@godaddy/terminus": "^4.11.2",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
    "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "argon2": "^0.30.3",
-    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1364.0",
-    "axios": "^1.3.5",
-    "axios-retry": "^3.4.0",
-    "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.4.0",
-    "builder-pattern": "^2.2.0",
+    "axios": "^1.1.3",
+    "bigint-conversion": "^2.2.2",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
    "crypto-js": "^4.1.1",
@ -24,43 +15,29 @@
    "express-validator": "^6.14.2",
    "handlebars": "^4.7.7",
    "helmet": "^5.1.1",
-    "infisical-node": "^1.1.3",
-    "js-yaml": "^4.1.0",
-    "jsonwebtoken": "^9.0.0",
+    "jsonwebtoken": "^8.5.1",
    "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "lodash": "^4.17.21",
-    "mongoose": "^6.10.5",
+    "mongoose": "^6.7.2",
    "nodemailer": "^6.8.0",
-    "posthog-node": "^2.6.0",
+    "posthog-node": "^2.1.0",
    "query-string": "^7.1.3",
-    "request-ip": "^3.3.0",
    "rimraf": "^3.0.2",
    "stripe": "^10.7.0",
-    "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.2",
    "tweetnacl": "^1.0.3",
    "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
+    "typescript": "^4.9.3"
  },
  "name": "infisical-api",
  "version": "1.0.0",
  "main": "src/index.js",
  "scripts": {
-    "start": "node build/index.js",
+    "prepare": "cd .. && npm install",
+    "start": "npm run build && node build/index.js",
    "dev": "nodemon",
-    "swagger-autogen": "node ./swagger/index.ts",
    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
    "lint": "eslint . --ext .ts",
    "lint-and-fix": "eslint . --ext .ts --fix",
-    "lint-staged": "lint-staged",
-    "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
-    "test": "cross-env NODE_ENV=test jest --verbose --testTimeout=10000 --detectOpenHandles; npm run posttest",
-    "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
-    "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
+    "lint-staged": "lint-staged"
  },
  "repository": {
    "type": "git",
@ -74,41 +51,22 @@
  "homepage": "https://github.com/Infisical/infisical-api#readme",
  "description": "",
  "devDependencies": {
-    "@jest/globals": "^29.3.1",
    "@posthog/plugin-scaffold": "^1.3.4",
-    "@types/bcrypt": "^5.0.0",
-    "@types/bcryptjs": "^2.4.2",
    "@types/cookie-parser": "^1.4.3",
    "@types/cors": "^2.8.12",
    "@types/express": "^4.17.14",
-    "@types/jest": "^29.5.0",
    "@types/jsonwebtoken": "^8.5.9",
-    "@types/lodash": "^4.14.191",
    "@types/node": "^18.11.3",
    "@types/nodemailer": "^6.4.6",
-    "@types/supertest": "^2.0.12",
    "@types/swagger-jsdoc": "^6.0.1",
    "@types/swagger-ui-express": "^4.1.3",
-    "@typescript-eslint/eslint-plugin": "^5.54.0",
+    "@typescript-eslint/eslint-plugin": "^5.40.1",
    "@typescript-eslint/parser": "^5.40.1",
-    "cross-env": "^7.0.3",
    "eslint": "^8.26.0",
    "install": "^0.13.0",
    "jest": "^29.3.1",
-    "jest-junit": "^15.0.0",
    "nodemon": "^2.0.19",
    "npm": "^8.19.3",
-    "supertest": "^6.3.3",
-    "ts-jest": "^29.0.3",
    "ts-node": "^10.9.1"
-  },
-  "jest-junit": {
-    "outputDirectory": "reports",
-    "outputName": "jest-junit.xml",
-    "ancestorSeparator": " › ",
-    "uniqueOutputName": "false",
-    "suiteNameTemplate": "{filepath}",
-    "classNameTemplate": "{classname}",
-    "titleTemplate": "{title}"
  }
 }
--- a/backend/spec.json
+++ b/backend/spec.json
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,69 +1,79 @@
-import InfisicalClient from 'infisical-node';
+const PORT = process.env.PORT || 4000;
+const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
+const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
+const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
+const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
+const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
+const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
+const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
+const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
+const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
+const MONGO_URL = process.env.MONGO_URL!;
+const NODE_ENV = process.env.NODE_ENV! || 'production';
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
+const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
+const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
+const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
+const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
+const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
+const CLIENT_SLUG_VERCEL= process.env.CLIENT_SLUG_VERCEL!;
+const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
+const POSTHOG_PROJECT_API_KEY =
+  process.env.POSTHOG_PROJECT_API_KEY! ||
+  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+const PRIVATE_KEY = process.env.PRIVATE_KEY!;
+const PUBLIC_KEY = process.env.PUBLIC_KEY!;
+const SENTRY_DSN = process.env.SENTRY_DSN!;
+const SITE_URL = process.env.SITE_URL!;
+const SMTP_HOST = process.env.SMTP_HOST! || 'smtp.gmail.com';
+const SMTP_PORT = process.env.SMTP_PORT! || 587;
+const SMTP_NAME = process.env.SMTP_NAME!;
+const SMTP_USERNAME = process.env.SMTP_USERNAME!;
+const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
+const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
+const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
+const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
+const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
+const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
+const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;

-const client = new InfisicalClient({
-  token: process.env.INFISICAL_TOKEN!
-});
-
-export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
-export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue == undefined ? false : (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue;
-export const getEncryptionKey = async () => (await client.getSecret('ENCRYPTION_KEY')).secretValue;
-export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
-export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
-export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
-export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
-export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
-export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
-export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
-export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
-export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
-export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
-export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
-export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
-export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
-export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
-export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
-export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
-export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
-export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
-export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
-export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
-export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
-export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
-export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
-export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
-export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
-export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
-export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
-export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
-export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
-export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
-export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
-export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
-export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
-export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
-export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
-export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
-export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
-export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
-export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
-export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
-export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
-export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
-export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
-export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
-export const getHttpsEnabled = async () => {
-  if ((await getNodeEnv()) != "production") {
-    // no https for anything other than prod
-    return false
-  }
-
-  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
-    // default when no value present
-    return true
-  }
-
-  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
-}
+export {
+  PORT,
+  EMAIL_TOKEN_LIFETIME,
+  ENCRYPTION_KEY,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_LIFETIME,
+  JWT_REFRESH_SECRET,
+  JWT_SERVICE_SECRET,
+  JWT_SIGNUP_LIFETIME,
+  JWT_SIGNUP_SECRET,
+  MONGO_URL,
+  NODE_ENV,
+  CLIENT_ID_HEROKU,
+  CLIENT_ID_VERCEL,
+  CLIENT_ID_NETLIFY,
+  CLIENT_SECRET_HEROKU,
+  CLIENT_SECRET_VERCEL,
+  CLIENT_SECRET_NETLIFY,
+  CLIENT_SLUG_VERCEL,
+  POSTHOG_HOST,
+  POSTHOG_PROJECT_API_KEY,
+  PRIVATE_KEY,
+  PUBLIC_KEY,
+  SENTRY_DSN,
+  SITE_URL,
+  SMTP_HOST,
+  SMTP_PORT,
+  SMTP_NAME,
+  SMTP_USERNAME,
+  SMTP_PASSWORD,
+  STRIPE_PRODUCT_CARD_AUTH,
+  STRIPE_PRODUCT_PRO,
+  STRIPE_PRODUCT_STARTER,
+  STRIPE_PUBLISHABLE_KEY,
+  STRIPE_SECRET_KEY,
+  STRIPE_WEBHOOK_SECRET,
+  TELEMETRY_ENABLED
+};
--- a/backend/src/config/request.ts
+++ b/backend/src/config/request.ts
@ -1,16 +0,0 @@
-import axios from 'axios';
-import axiosRetry from 'axios-retry';
-
-const axiosInstance = axios.create();
-
-// add retry functionality to the axios instance
-axiosRetry(axiosInstance, {
-  retries: 3,
-  retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
-  retryCondition: (error) => {
-    // only retry if the error is a network error or a 5xx server error
-    return axiosRetry.isNetworkError(error) || axiosRetry.isRetryableError(error);
-  },
-});
-
-export default axiosInstance;
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -1,25 +1,17 @@
-import * as Sentry from '@sentry/node';
+/* eslint-disable @typescript-eslint/no-var-requires */
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
+import { User } from '../models';
+import { createToken, issueTokens, clearTokens } from '../helpers/auth';
 import {
-  ACTION_LOGIN,
-  ACTION_LOGOUT
-} from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
-import {
-  getJwtRefreshSecret,
-  getJwtAuthLifetime,
-  getJwtAuthSecret,
-  getHttpsEnabled
-} from '../../config';
+  NODE_ENV,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_SECRET
+} from '../config';

 declare module 'jsonwebtoken' {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -27,6 +19,8 @@ declare module 'jsonwebtoken' {
  }
 }

+const clientPublicKeys: any = {};
+
 /**
 * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
 * @param req
@ -52,15 +46,13 @@ export const login1 = async (req: Request, res: Response) => {
        salt: user.salt,
        verifier: user.verifier
      },
-      async () => {
+      () => {
        // generate server-side public key
        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false })
+        clientPublicKeys[email] = {
+          clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        };

        return res.status(200).send({
          serverPublicKey,
@ -93,52 +85,27 @@ export const login2 = async (req: Request, res: Response) => {

    if (!user) throw new Error('Failed to find user');

-    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetailFromDB) {
-      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-    }
-
    const server = new jsrp.server();
    server.init(
      {
        salt: user.salt,
        verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
+        b: clientPublicKeys[email].serverBInt
      },
      async () => {
-        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);

        // compare server and client shared keys
        if (server.checkClientProof(clientProof)) {
          // issue tokens
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
-
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+          const tokens = await issueTokens({ userId: user._id.toString() });

          // store (refresh) token in httpOnly cookie
          res.cookie('jid', tokens.refreshToken, {
            httpOnly: true,
            path: '/',
            sameSite: 'strict',
-            secure: await getHttpsEnabled()
-          });
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
+            secure: NODE_ENV === 'production' ? true : false
          });

          // return (access) token in response
@ -182,21 +149,8 @@ export const logout = async (req: Request, res: Response) => {
      httpOnly: true,
      path: '/',
      sameSite: 'strict',
-      secure: (await getHttpsEnabled()) as boolean
+      secure: NODE_ENV === 'production' ? true : false
    });
-
-    const logoutAction = await EELogService.createAction({
-      name: ACTION_LOGOUT,
-      userId: req.user._id
-    });
-
-    logoutAction && await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
  } catch (err) {
    Sentry.setUser({ email: req.user.email });
    Sentry.captureException(err);
@ -216,11 +170,10 @@ export const logout = async (req: Request, res: Response) => {
 * @param res
 * @returns
 */
-export const checkAuth = async (req: Request, res: Response) => {
-  return res.status(200).send({
+export const checkAuth = async (req: Request, res: Response) =>
+  res.status(200).send({
    message: 'Authenticated'
  });
-}

 /**
 * Return new token by redeeming refresh token
@ -237,7 +190,7 @@ export const getNewToken = async (req: Request, res: Response) => {
    }

    const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, await getJwtRefreshSecret())
+      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
    );

    const user = await User.findOne({
@ -252,8 +205,8 @@ export const getNewToken = async (req: Request, res: Response) => {
      payload: {
        userId: decodedToken.userId
      },
-      expiresIn: await getJwtAuthLifetime(),
-      secret: await getJwtAuthSecret()
+      expiresIn: JWT_AUTH_LIFETIME,
+      secret: JWT_AUTH_SECRET
    });

    return res.status(200).send({
--- a/backend/src/controllers/v1/botController.ts
+++ b/backend/src/controllers/v1/botController.ts
@ -1,8 +1,7 @@
 import { Request, Response } from 'express';
-import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
-import { Bot, BotKey } from '../../models';
-import { createBot } from '../../helpers/bot';
+import { Bot, BotKey } from '../models';
+import { createBot } from '../helpers/bot';

 interface BotKey {
    encryptedKey: string;
@ -30,7 +29,7 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
            // -> create a new bot and return it
            bot = await createBot({
                name: 'Infisical Bot',
-                workspaceId: new Types.ObjectId(workspaceId)
+                workspaceId
            });
        }
 	} catch (err) {
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
--- a/backend/src/controllers/integrationAuthController.ts
+++ b/backend/src/controllers/integrationAuthController.ts
@ -0,0 +1,104 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import axios from 'axios';
+import { readFileSync } from 'fs';
+import { IntegrationAuth, Integration } from '../models';
+import { INTEGRATION_SET, INTEGRATION_OPTIONS, ENV_DEV } from '../variables';
+import { IntegrationService } from '../services';
+import { getApps, revokeAccess } from '../integrations';
+
+export const getIntegrationOptions = async (
+	req: Request,
+	res: Response
+) => {
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS
+	});
+}
+
+/**
+ * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const oAuthExchange = async (
+	req: Request,
+	res: Response
+) => {
+	try {
+		const { workspaceId, code, integration } = req.body;
+
+		if (!INTEGRATION_SET.has(integration))
+			throw new Error('Failed to validate integration');
+	
+		await IntegrationService.handleOAuthExchange({
+			workspaceId,
+			integration,
+			code
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get OAuth2 code-token exchange'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully enabled integration authorization'
+	});
+};
+
+/**
+ * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthApps = async (req: Request, res: Response) => {
+	let apps;
+	try {
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to get integration authorization applications'
+		});
+	}
+
+	return res.status(200).send({
+		apps
+	});
+};
+
+/**
+ * Delete integration authorization with id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+	try {
+		const { integrationAuthId } = req.params;
+
+		await revokeAccess({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to delete integration authorization'
+		});
+	}
+	
+	return res.status(200).send({
+		message: 'Successfully deleted integration authorization'
+	});
+}
--- a/backend/src/controllers/integrationController.ts
+++ b/backend/src/controllers/integrationController.ts
@ -0,0 +1,134 @@
+import { Request, Response } from 'express';
+import { readFileSync } from 'fs';
+import * as Sentry from '@sentry/node';
+import { Integration, Bot, BotKey } from '../models';
+import { EventService } from '../services';
+import { eventPushSecrets } from '../events';
+
+interface Key {
+	encryptedKey: string;
+	nonce: string;
+}
+
+interface PushSecret {
+	ciphertextKey: string;
+	ivKey: string;
+	tagKey: string;
+	hashKey: string;
+	ciphertextValue: string;
+	ivValue: string;
+	tagValue: string;
+	hashValue: string;
+	type: 'shared' | 'personal';
+}
+
+/**
+ * Change environment or name of integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const updateIntegration = async (req: Request, res: Response) => {
+	let integration;
+	
+	// TODO: add integration-specific validation to ensure that each
+	// integration has the correct fields populated in [Integration]
+	
+	try {
+		const { 
+			app, 
+			environment, 
+			isActive, 
+			target, // vercel-specific integration param
+			context, // netlify-specific integration param
+			siteId // netlify-specific integration param
+		} = req.body;
+		
+		integration = await Integration.findOneAndUpdate(
+			{
+				_id: req.integration._id
+			},
+			{
+				environment,
+				isActive,
+				app,
+				target,
+				context,
+				siteId
+			},
+			{
+				new: true
+			}
+		);
+		
+		if (integration) {
+			// trigger event - push secrets
+			EventService.handleEvent({
+				event: eventPushSecrets({
+					workspaceId: integration.workspace.toString()
+				})
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update integration'
+		});
+	}
+
+	return res.status(200).send({
+		integration
+	});
+};
+
+/**
+ * Delete integration with id [integrationId] and deactivate bot if there are
+ * no integrations left
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegration = async (req: Request, res: Response) => {
+	let deletedIntegration;
+	try {
+		const { integrationId } = req.params;
+
+		deletedIntegration = await Integration.findOneAndDelete({
+			_id: integrationId
+		});
+		
+		if (!deletedIntegration) throw new Error('Failed to find integration');
+		
+		const integrations = await Integration.find({
+			workspace: deletedIntegration.workspace
+		});
+			
+		if (integrations.length === 0) {
+			// case: no integrations left, deactivate bot
+			const bot = await Bot.findOneAndUpdate({
+				workspace: deletedIntegration.workspace
+			}, {
+				isActive: false
+			}, {
+				new: true
+			});
+			
+			if (bot) {
+				await BotKey.deleteOne({
+					bot: bot._id
+				});
+			}
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete integration'
+		});
+	}
+
+	return res.status(200).send({
+		deletedIntegration
+	});
+};
--- a/backend/src/controllers/v1/keyController.ts
+++ b/backend/src/controllers/v1/keyController.ts
@ -1,7 +1,9 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key } from '../../models';
-import { findMembership } from '../../helpers/membership';
+import { Key } from '../models';
+import { findMembership } from '../helpers/membership';
+import { PUBLIC_KEY } from '../config';
+import { GRANTED } from '../variables';

 /**
 * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@ -25,6 +27,9 @@ export const uploadKey = async (req: Request, res: Response) => {
 			throw new Error('Failed receiver membership validation for workspace');
 		}

+		receiverMembership.status = GRANTED;
+		await receiverMembership.save();
+
 		await new Key({
 			encryptedKey: key.encryptedKey,
 			nonce: key.nonce,
@ -79,4 +84,16 @@ export const getLatestKey = async (req: Request, res: Response) => {
 	}

 	return res.status(200).send(resObj);
-};
+};
+
+/**
+ * Return public key of Infisical
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getPublicKeyInfisical = async (req: Request, res: Response) => {
+	return res.status(200).send({
+		publicKey: PUBLIC_KEY
+	});
+};
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -1,13 +1,13 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
-import { Membership, MembershipOrg, User, Key } from '../../models';
+import * as Sentry from '@sentry/node';
+import { Membership, MembershipOrg, User, Key } from '../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
-} from '../../helpers/membership';
-import { sendMail } from '../../helpers/nodemailer';
-import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
-import { getSiteURL } from '../../config';
+} from '../helpers/membership';
+import { sendMail } from '../helpers/nodemailer';
+import { SITE_URL } from '../config';
+import { ADMIN, MEMBER, GRANTED, ACCEPTED } from '../variables';

 /**
 * Check that user is a member of workspace with id [workspaceId]
@ -175,7 +175,8 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		// already a member of the workspace
 		const inviteeMembership = await Membership.findOne({
 			user: invitee._id,
-			workspace: workspaceId
+			workspace: workspaceId,
+			status: GRANTED
 		});

 		if (inviteeMembership)
@ -204,7 +205,8 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		const m = await new Membership({
 			user: invitee._id,
 			workspace: workspaceId,
-			role: MEMBER
+			role: MEMBER,
+			status: GRANTED
 		}).save();

 		await sendMail({
@ -215,7 +217,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: (await getSiteURL()) + '/login'
+				callback_url: SITE_URL + '/login'
 			}
 		});
 	} catch (err) {
@ -230,4 +232,4 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		invitee,
 		latestKey
 	});
-};
+};
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,14 +1,14 @@
-import { Types } from 'mongoose';
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { MembershipOrg, Organization, User } from '../../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { createToken } from '../../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import crypto from 'crypto';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
+import { MembershipOrg, Organization, User, Token } from '../models';
+import { deleteMembershipOrg as deleteMemberFromOrg } from '../helpers/membershipOrg';
+import { checkEmailVerification } from '../helpers/signup';
+import { createToken } from '../helpers/auth';
+import { updateSubscriptionOrgQuantity } from '../helpers/organization';
+import { sendMail } from '../helpers/nodemailer';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../variables';

 /**
 * Delete organization membership with id [membershipOrgId] from organization
@ -77,15 +77,17 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]

+	// TODO
+
 	let membershipToChangeRole;
-	// try {
-	// } catch (err) {
-	// 	Sentry.setUser({ email: req.user.email });
-	// 	Sentry.captureException(err);
-	// 	return res.status(400).send({
-	// 		message: 'Failed to change organization membership role'
-	// 	});
-	// }
+	try {
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change organization membership role'
+		});
+	}

 	return res.status(200).send({
 		membershipOrg: membershipToChangeRole
@ -100,11 +102,9 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 * @returns
 */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg, completeInviteLink;
+	let invitee, inviteeMembershipOrg;
 	try {
 		const { organizationId, inviteeEmail } = req.body;
-		const host = req.headers.host;
-		const siteUrl = `${req.protocol}://${host}`;

 		// validate membership
 		const membershipOrg = await MembershipOrg.findOne({
@ -118,11 +118,10 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {

 		invitee = await User.findOne({
 			email: inviteeEmail
-		}).select('+publicKey');
+		});

 		if (invitee) {
 			// case: invitee is an existing user
-
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@ -140,7 +139,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviteEmail: inviteeEmail,
 					organization: organizationId,
 					role: MEMBER,
-					status: INVITED
+					status: invitee?.publicKey ? ACCEPTED : INVITED
 				}).save();
 			}
 		} else {
@ -165,12 +164,17 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });

 		if (organization) {
+			const token = crypto.randomBytes(16).toString('hex');

-			const token = await TokenService.createToken({
-				type: TOKEN_EMAIL_ORG_INVITATION,
-				email: inviteeEmail,
-				organizationId: organization._id
-			});
+			await Token.findOneAndUpdate(
+				{ email: inviteeEmail },
+				{
+					email: inviteeEmail,
+					token,
+					createdAt: new Date()
+				},
+				{ upsert: true, new: true }
+			);

 			await sendMail({
 				template: 'organizationInvitation.handlebars',
@ -181,15 +185,10 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviterEmail: req.user.email,
 					organizationName: organization.name,
 					email: inviteeEmail,
-					organizationId: organization._id.toString(),
 					token,
-					callback_url: (await getSiteURL()) + '/signupinvite'
+					callback_url: SITE_URL + '/signupinvite'
 				}
 			});
-
-			if (!(await getSmtpConfigured())) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
-			}
 		}

 		await updateSubscriptionOrgQuantity({ organizationId });
@ -202,8 +201,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 	}

 	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`,
-		completeInviteLink
+		message: `Sent an invite link to ${req.body.inviteeEmail}`
 	});
 };

@ -217,42 +215,29 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	let user, token;
 	try {
-		const {
-			email,
-			organizationId,
-			code
-		} = req.body;
+		const { email, code } = req.body;

 		user = await User.findOne({ email }).select('+publicKey');
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			return res.status(403).send({
+				error: 'Failed email magic link verification for complete account'
+			});
+		}

 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
-			status: INVITED,
-			organization: new Types.ObjectId(organizationId)
+			status: INVITED
 		});

 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');

-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_ORG_INVITATION,
+		await checkEmailVerification({
 			email,
-			organizationId: membershipOrg.organization,
-			token: code
+			code
 		});

-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			// membership can be approved and redirected to login/dashboard
-			membershipOrg.status = ACCEPTED;
-			await membershipOrg.save();
-
-			return res.status(200).send({
-				message: 'Successfully verified email',
-				user,
-			});
-		}
-
 		if (!user) {
 			// initialize user account
 			user = await new User({
@ -265,8 +250,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
 		});
 	} catch (err) {
 		Sentry.setUser(null);
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -1,26 +1,46 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+	SITE_URL,
+	STRIPE_SECRET_KEY,
+	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_PRO,
+	STRIPE_PRODUCT_CARD_AUTH
+} from '../config';
 import Stripe from 'stripe';
+
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});
 import {
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
 	IncidentContactOrg
-} from '../../models';
-import { createOrganization as create } from '../../helpers/organization';
-import { addMembershipsOrg } from '../../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
-import { getStripeSecretKey, getSiteURL } from '../../config';
+} from '../models';
+import { createOrganization as create } from '../helpers/organization';
+import { addMembershipsOrg } from '../helpers/membershipOrg';
+import { OWNER, ACCEPTED } from '../variables';

+const productToPriceMap = {
+	starter: STRIPE_PRODUCT_STARTER,
+	pro: STRIPE_PRODUCT_PRO,
+	cardAuth: STRIPE_PRODUCT_CARD_AUTH
+};
+
+/**
+ * Return organizations that user is part of
+ * @param req
+ * @param res
+ * @returns
+ */
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
 	try {
 		organizations = (
 			await MembershipOrg.find({
-				user: req.user._id,
-				status: ACCEPTED
+				user: req.user._id
 			}).populate('organization')
 		).map((m) => m.organization);
 	} catch (err) {
@ -86,7 +106,7 @@ export const createOrganization = async (req: Request, res: Response) => {
 export const getOrganization = async (req: Request, res: Response) => {
 	let organization;
 	try {
-		organization = req.organization
+		organization = req.membershipOrg.organization;
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -318,29 +338,26 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
 		// check if there is a payment method on file
 		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.organization.customerId,
+			customer: req.membershipOrg.organization.customerId,
 			type: 'card'
 		});
-		
+
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
+			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
-				customer: req.organization.customerId,
+				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: (await getSiteURL()) + '/dashboard',
-				cancel_url: (await getSiteURL()) + '/dashboard'
+				success_url: SITE_URL + '/dashboard',
+				cancel_url: SITE_URL + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
-				customer: req.organization.customerId,
-				return_url: (await getSiteURL()) + '/dashboard'
+				customer: req.membershipOrg.organization.customerId,
+				return_url: SITE_URL + '/dashboard'
 			});
 		}

@ -366,12 +383,8 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-		
 		subscriptions = await stripe.subscriptions.list({
-			customer: req.organization.customerId
+			customer: req.membershipOrg.organization.customerId
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
@ -385,44 +398,3 @@ export const getOrganizationSubscriptions = async (
 		subscriptions
 	});
 };
-
-
-/**
- * Given a org id, return the projects each member of the org belongs to
- * @param req
- * @param res
- * @returns
- */
-export const getOrganizationMembersAndTheirWorkspaces = async (
-	req: Request,
-	res: Response
-) => {
-	const { organizationId } = req.params;
-
-	const workspacesSet = (
-			await Workspace.find(
-				{
-					organization: organizationId
-				},
-				'_id'
-			)
-		).map((w) => w._id.toString());
-
-	const memberships = (
-		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
-	);
-	const userToWorkspaceIds: any = {};
-
-	memberships.forEach(membership => {
-		const user = membership.user.toString();
-		if (userToWorkspaceIds[user]) {
-			userToWorkspaceIds[user].push(membership.workspace);
-		} else {
-			userToWorkspaceIds[user] = [membership.workspace];
-		}
-	});
-
-	return res.json(userToWorkspaceIds);
-};
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -1,15 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
+import crypto from 'crypto';
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
+import { User, Token, BackupPrivateKey } from '../models';
+import { checkEmailVerification } from '../helpers/signup';
+import { createToken } from '../helpers/auth';
+import { sendMail } from '../helpers/nodemailer';
+import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../config';
+
+const clientPublicKeys: any = {};

 /**
 * Password reset step 1: Send email verification link to email [email] 
@ -32,10 +32,17 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			});
 		}
 		
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email
-		});
+		const token = crypto.randomBytes(16).toString('hex');
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date()
+			},
+			{ upsert: true, new: true }
+		);
 		
 		await sendMail({
 			template: 'passwordReset.handlebars',
@ -44,17 +51,18 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: (await getSiteURL()) + '/password-reset'
+				callback_url: SITE_URL + '/password-reset'
 			}
 		});
+		
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to send email for account recovery'
-		});
+		});	
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email for account recovery to ${email}`
 	});
@ -70,7 +78,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 	let user, token;
 	try {
 		const { email, code } = req.body;
-
+		
 		user = await User.findOne({ email }).select('+publicKey');
 		if (!user || !user?.publicKey) {
 			// case: user doesn't exist with email [email] or 
@ -79,27 +87,26 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 				error: 'Failed email verification for password reset'
 			});
 		}
-		
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email,
-			token: code
-		});

+		await checkEmailVerification({
+			email,
+			code
+		});
+		
 		// generate temporary password-reset token
 		token = createToken({
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
 		});
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed email verification for password reset'
-		});
+		});	
 	}

 	return res.status(200).send({
@ -122,7 +129,7 @@ export const srp1 = async (req: Request, res: Response) => {
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
-
+		
 		if (!user) throw new Error('Failed to find user');

 		const server = new jsrp.server();
@ -131,15 +138,13 @@ export const srp1 = async (req: Request, res: Response) => {
 				salt: user.salt,
 				verifier: user.verifier
 			},
-			async () => {
+			() => {
 				// generate server-side public key
 				const serverPublicKey = server.getPublicKey();
-
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-					email: req.user.email,
-					clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
+				clientPublicKeys[req.user.email] = {
+					clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt)
+				};

 				return res.status(200).send({
 					serverPublicKey,
@ -166,39 +171,25 @@ export const srp1 = async (req: Request, res: Response) => {
 */
 export const changePassword = async (req: Request, res: Response) => {
 	try {
-		const { 
-			clientProof, 
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
-
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');

 		if (!user) throw new Error('Failed to find user');

-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
+				b: clientPublicKeys[req.user.email].serverBInt
 			},
 			async () => {
-				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+				server.setClientPublicKey(
+					clientPublicKeys[req.user.email].clientPublicKey
+				);

 				// compare server and client shared keys
 				if (server.checkClientProof(clientProof)) {
@ -207,13 +198,9 @@ export const changePassword = async (req: Request, res: Response) => {
 					await User.findByIdAndUpdate(
 						req.user._id.toString(),
 						{
-							encryptionVersion: 2,
-							protectedKey,
-							protectedKeyIV,
-							protectedKeyTag,
 							encryptedPrivateKey,
-							iv: encryptedPrivateKeyIV,
-							tag: encryptedPrivateKeyTag,
+							iv,
+							tag,
 							salt,
 							verifier
 						},
@ -261,22 +248,16 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {

 		if (!user) throw new Error('Failed to find user');

-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
+				b: clientPublicKeys[req.user.email].serverBInt
 			},
 			async () => {
 				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
+					clientPublicKeys[req.user.email].clientPublicKey
 				);

 				// compare server and client shared keys
@ -329,16 +310,16 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 		backupPrivateKey = await BackupPrivateKey.findOne({
 			user: req.user._id
 		}).select('+encryptedPrivateKey +iv +tag');
-
+		
 		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
+		Sentry.setUser({ email: req.user.email});
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
 		});
 	}
-
+	
 	return res.status(200).send({
 		backupPrivateKey
 	});
@ -347,12 +328,9 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 export const resetPassword = async (req: Request, res: Response) => {
 	try {
 		const {
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier,
 		} = req.body;
@ -360,28 +338,24 @@ export const resetPassword = async (req: Request, res: Response) => {
 		await User.findByIdAndUpdate(
 			req.user._id.toString(),
 			{
-				encryptionVersion: 2,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,	
 				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
+				iv,
+				tag,
 				salt,
 				verifier
 			},
 			{
 				new: true
 			}
-		);
+		);	
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
+		Sentry.setUser({ email: req.user.email});
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
-		});
+		});	
 	}
-
+	
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});
--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -1,16 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { Key, Secret } from '../../models';
+import { Key } from '../models';
 import {
-	v1PushSecrets as push,
+	pushSecrets as push,
 	pullSecrets as pull,
 	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { eventPushSecrets } from '../../events';
-import { EventService } from '../../services';
-import { TelemetryService } from '../../services';
+} from '../helpers/secret';
+import { pushKeys } from '../helpers/key';
+import { eventPushSecrets } from '../events';
+import { EventService } from '../services';
+import { ENV_SET } from '../variables';
+import { postHogClient } from '../services';

 interface PushSecret {
 	ciphertextKey: string;
@ -21,10 +21,6 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
-	ciphertextComment: string;
-	ivComment: string;
-	tagComment: string;
-	hashComment: string;
 	type: 'shared' | 'personal';
 }

@ -39,14 +35,12 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]

 	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;

 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}

@ -85,8 +79,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId: new Types.ObjectId(workspaceId),
-				environment
+				workspaceId
 			})
 		});

@ -114,23 +107,19 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}

 		secrets = await pull({
 			userId: req.user._id.toString(),
 			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
+			environment
 		});

 		key = await Key.findOne({
@ -180,26 +169,25 @@ export const pullSecrets = async (req: Request, res: Response) => {
 * @returns
 */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
+	// get (encrypted) secrets from workspace with id [workspaceId]
+	// service token route
+
 	let secrets;
 	let key;
 	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}

 		secrets = await pull({
 			userId: req.serviceToken.user._id.toString(),
 			workspaceId,
-			environment,
-			channel: 'cli',
-			ipAddress: req.ip
+			environment
 		});

 		key = {
@ -237,4 +225,4 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets: reformatPullSecrets({ secrets }),
 		key
 	});
-};
+};
--- a/backend/src/controllers/v1/serviceTokenController.ts
+++ b/backend/src/controllers/v1/serviceTokenController.ts
@ -1,7 +1,8 @@
 import { Request, Response } from 'express';
-import { ServiceToken } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { getJwtServiceSecret } from '../../config';
+import { ServiceToken } from '../models';
+import { createToken } from '../helpers/auth';
+import { ENV_SET } from '../variables';
+import { JWT_SERVICE_SECRET } from '../config';

 /**
 * Return service token on request
@ -10,6 +11,7 @@ import { getJwtServiceSecret } from '../../config';
 * @returns
 */
 export const getServiceToken = async (req: Request, res: Response) => {
+	// get service token
 	return res.status(200).send({
 		serviceToken: req.serviceToken
 	});
@ -35,8 +37,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 		} = req.body;

 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}

@ -57,11 +58,10 @@ export const createServiceToken = async (req: Request, res: Response) => {

 		token = createToken({
 			payload: {
-				serviceTokenId: serviceToken._id.toString(),
-				workspaceId
+				serviceTokenId: serviceToken._id.toString()
 			},
 			expiresIn: expiresIn,
-			secret: await getJwtServiceSecret()
+			secret: JWT_SERVICE_SECRET
 		});
 	} catch (err) {
 		return res.status(400).send({
@ -72,4 +72,4 @@ export const createServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
 		token
 	});
-};
+};
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -1,14 +1,107 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
+import { User, MembershipOrg } from '../models';
+import { completeAccount } from '../helpers/user';
 import {
+	sendEmailVerification,
+	checkEmailVerification,
 	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import request from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled } from '../../config';
+} from '../helpers/signup';
+import { issueTokens, createToken } from '../helpers/auth';
+import { INVITED, ACCEPTED } from '../variables';
+
+/**
+ * Signup step 1: Initialize account for user under email [email] and send a verification code
+ * to that email
+ * @param req
+ * @param res
+ * @returns
+ */
+export const beginEmailSignup = async (req: Request, res: Response) => {
+	let email: string;
+	try {
+		email = req.body.email;
+
+		const user = await User.findOne({ email }).select('+publicKey');
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+
+			return res.status(403).send({
+				error: 'Failed to send email verification code for complete account'
+			});
+		}
+
+		// send send verification email
+		await sendEmailVerification({ email });
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to send email verification code'
+		});
+	}
+
+	return res.status(200).send({
+		message: `Sent an email verification code to ${email}`
+	});
+};
+
+/**
+ * Signup step 2: Verify that code [code] was sent to email [email] and issue
+ * a temporary signup token for user to complete setting up their account
+ * @param req
+ * @param res
+ * @returns
+ */
+export const verifyEmailSignup = async (req: Request, res: Response) => {
+	let user, token;
+	try {
+		const { email, code } = req.body;
+
+		// initialize user account
+		user = await User.findOne({ email });
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			return res.status(403).send({
+				error: 'Failed email verification for complete user'
+			});
+		}
+
+		// verify email
+		await checkEmailVerification({
+			email,
+			code
+		});
+
+		if (!user) {
+			user = await new User({
+				email
+			}).save();
+		}
+
+		// generate temporary signup token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed email verification'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfuly verified email',
+		user,
+		token
+	});
+};

 /**
 * Complete setting up user by adding their personal and auth information as part of the
@ -24,35 +117,18 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier,
 			organizationName
-		}: {
-			email: string;
-			firstName: string;
-			lastName: string;
-			protectedKey: string;
-			protectedKeyIV: string;
-			protectedKeyTag: string;
-			publicKey: string;
-			encryptedPrivateKey: string;
-			encryptedPrivateKeyIV: string;
-			encryptedPrivateKeyTag: string;
-			salt: string;
-			verifier: string;
-			organizationName: string;
 		} = req.body;

 		// get user
 		user = await User.findOne({ email });
-
+		
 		if (!user || (user && user?.publicKey)) {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
@ -66,14 +142,10 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier
 		});
@ -101,34 +173,12 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		);

 		// issue tokens
-		const tokens = await issueAuthTokens({
+		const tokens = await issueTokens({
 			userId: user._id.toString()
 		});

 		token = tokens.token;
-
-		// sending a welcome email to new users
-		if (await getLoopsApiKey()) {
-			await request.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + (await getLoopsApiKey())
-				},
-			});
-		}
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
-		});
+		refreshToken = tokens.refreshToken;
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -140,10 +190,10 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 	return res.status(200).send({
 		message: 'Successfully set up account',
 		user,
-		token
+		token,
+		refreshToken
 	});
 };
-
 /**
 * Complete setting up user by adding their personal and auth information as part of the
 * invite flow
@ -158,13 +208,10 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier
 		} = req.body;
@ -192,14 +239,10 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier
 		});
@ -221,19 +264,12 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 		);

 		// issue tokens
-		const tokens = await issueAuthTokens({
+		const tokens = await issueTokens({
 			userId: user._id.toString()
 		});

 		token = tokens.token;
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
-		});
+		refreshToken = tokens.refreshToken;
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -245,6 +281,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 	return res.status(200).send({
 		message: 'Successfully set up account',
 		user,
-		token
+		token,
+		refreshToken
 	});
-};
+};
--- a/backend/src/controllers/v1/stripeController.ts
+++ b/backend/src/controllers/v1/stripeController.ts
@ -1,7 +1,10 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../config';
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});

 /**
 * Handle service provisioning/un-provisioning via Stripe
@ -13,15 +16,11 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			await getStripeWebhookSecret()
+			STRIPE_WEBHOOK_SECRET // ?
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/controllers/v1/userActionController.ts
+++ b/backend/src/controllers/v1/userActionController.ts
@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { UserAction } from '../../models';
+import { UserAction } from '../models';

 /**
 * Add user action [action]
--- a/backend/src/controllers/v1/userController.ts
+++ b/backend/src/controllers/v1/userController.ts
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -1,420 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	IntegrationAuth,
-	Bot 
-} from '../../models';
-import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
-import { IntegrationService } from '../../services';
-import {
-	getApps, 
-	getTeams,
-	revokeAccess 
-} from '../../integrations';
-import {
-	INTEGRATION_VERCEL_API_URL,
-	INTEGRATION_RAILWAY_API_URL
-} from '../../variables';
-import request from '../../config/request';
-
-/***
- * Return integration authorization with id [integrationAuthId]
- */
-export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-		
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integration authorization'
-		});	
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
-
-export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
-
-	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS,
-	});
-};
-
-/**
- * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const oAuthExchange = async (
-	req: Request,
-	res: Response
-) => {
-	try {
-		const { workspaceId, code, integration } = req.body;
-		if (!INTEGRATION_SET.has(integration))
-			throw new Error('Failed to validate integration');
-		
-		const environments = req.membership.workspace?.environments || [];
-		if(environments.length === 0){
-			throw new Error("Failed to get environments")
-		}
-	
-		const integrationAuth = await IntegrationService.handleOAuthExchange({
-			workspaceId,
-			integration,
-			code,
-			environment: environments[0].slug,
-		});
-		
-		return res.status(200).send({
-			integrationAuth
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get OAuth2 code-token exchange'
-		});
-	}
-};
-
-/**
- * Save integration access token and (optionally) access id as part of integration
- * [integration] for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
-export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
-) => {
-	// TODO: refactor
-	// TODO: check if access token is valid for each integration
-
-	let integrationAuth;
-	try {
-		const {
-			workspaceId,
-			accessId,
-			accessToken,
-			integration
-		}: {
-			workspaceId: string;
-			accessId: string | null;
-			accessToken: string;
-			integration: string;
-		} = req.body;
-
-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
-
-		integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            workspace: new Types.ObjectId(workspaceId),
-            integration
-        }, {
-            workspace: new Types.ObjectId(workspaceId),
-            integration
-		}, {
-            new: true,
-            upsert: true
-        });
-		
-		// encrypt and save integration access details
-		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-			integrationAuthId: integrationAuth._id.toString(),
-			accessId,
-			accessToken,
-			accessExpiresAt: undefined
-		});
-		
-		if (!integrationAuth) throw new Error('Failed to save integration access token');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to save access token for integration'
-		});
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
-
-/**
- * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
- * @param req
- * @param res
- * @returns
- */
-export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
-		const teamId = req.query.teamId as string;
-		
-		apps = await getApps({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken,
-			...teamId && { teamId }
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get integration authorization applications",
-		});
-	}
-
-	return res.status(200).send({
-		apps
-	});
-};
-
-/**
- * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
-	const teams = await getTeams({
-		integrationAuth: req.integrationAuth,
-		accessToken: req.accessToken
-	});
-	
-	return res.status(200).send({
-		teams
-	});
-}
-
-/**
- * Return list of available Vercel (preview) branches for Vercel project with
- * id [appId]
- * @param req 
- * @param res 
- */
-export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface VercelBranch {
-		ref: string;
-		lastCommit: string;
-		isProtected: boolean;
-	}
-
-	const params = new URLSearchParams({
-		projectId: appId,
-		...(req.integrationAuth.teamId ? {
-			teamId: req.integrationAuth.teamId
-		} : {})
-	});
-
-	let branches: string[] = [];
-	
-	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await request.get(
-			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
-			{
-				params,
-				headers: {
-					Authorization: `Bearer ${req.accessToken}`,
-					'Accept-Encoding': 'application/json'
-				}
-			}
-		);
-		
-		branches = data.map((b) => b.ref);
-	}
-
-	return res.status(200).send({
-		branches
-	});
-}
-
-/**
- * Return list of Railway environments for Railway project with
- * id [appId]
- * @param req 
- * @param res 
- */
-export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayEnvironment {
-		node: {
-			id: string;
-			name: string;
-			isEphemeral: boolean;
-		}
-	}
-	
-	interface Environment {
-		environmentId: string;
-		name: string;
-	}
-	
-	let environments: Environment[] = [];
-
-	if (appId && appId !== '') {
-		const query = `
-			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
-				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
-				edges {
-					node {
-					id
-					name
-					isEphemeral
-					}
-				}
-				}
-			}
-			`;
-		
-		const variables = {
-			projectId: appId
-		}
-		
-		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables,
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		environments = edges.map((e: RailwayEnvironment) => {
-			return ({
-				name: e.node.name,
-				environmentId: e.node.id
-			});
-		});
-	}
-	
-	return res.status(200).send({
-		environments
-	});
-}
-
-/**
- * Return list of Railway services for Railway project with id
- * [appId]
- * @param req 
- * @param res 
- */
-export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayService {
-		node: {
-			id: string;
-			name: string;
-		}
-	}
-	
-	interface Service {
-		name: string;
-		serviceId: string;
-	}
-	
-	let services: Service[] = [];
-	
-	const query = `
-      query project($id: String!) {
-        project(id: $id) {
-          createdAt
-          deletedAt
-          id
-          description
-          expiredAt
-          isPublic
-          isTempProject
-          isUpdatable
-          name
-          prDeploys
-          teamId
-          updatedAt
-          upstreamUrl
-		  services {
-			edges {
-				node {
-					id
-					name
-				}
-			}
-		  }
-        }
-      }
-    `;
-
-	if (appId && appId !== '') {
-		const variables = {
-			id: appId
-		}
-		
-		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		services = edges.map((e: RailwayService) => ({
-			name: e.node.name,
-			serviceId: e.node.id
-		}));
-	}
-	
-	return res.status(200).send({
-		services
-	});
-}
-
-/**
- * Delete integration authorization with id [integrationAuthId]
- * @param req
- * @param res
- * @returns
- */
-export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
-
-  return res.status(200).send({
-    integrationAuth,
-  });
-};
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -1,167 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import { 
-	Integration
-} from '../../models';
-import { EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
-
-/**
- * Create/initialize an (empty) integration for integration authorization
- * @param req
- * @param res
- * @returns
- */
-export const createIntegration = async (req: Request, res: Response) => {
-	let integration;
-
-	try {
-		const {
-			integrationAuthId,
-			app,
-			appId,
-			isActive,
-			sourceEnvironment,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region
-		} = req.body;
-		
-		// TODO: validate [sourceEnvironment] and [targetEnvironment]
-
-		// initialize new integration after saving integration access token
-    integration = await new Integration({
-      workspace: req.integrationAuth.workspace._id,
-      environment: sourceEnvironment,
-      isActive,
-      app,
-			appId,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region,
-      integration: req.integrationAuth.integration,
-      integrationAuth: new Types.ObjectId(integrationAuthId)
-    }).save();
-		
-		if (integration) {
-			// trigger event - push secrets
-			EventService.handleEvent({
-				event: eventPushSecrets({
-					workspaceId: integration.workspace,
-          environment: sourceEnvironment
-				})
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create integration'
-		});
-	}
-
-  return res.status(200).send({
-    integration,
-  });
-};
-
-/**
- * Change environment or name of integration with id [integrationId]
- * @param req
- * @param res
- * @returns
- */
-export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
-
-  // TODO: add integration-specific validation to ensure that each
-  // integration has the correct fields populated in [Integration]
-
-  try {
-    const {
-      environment,
-      isActive,
-      app,
-      appId,
-      targetEnvironment,
-      owner, // github-specific integration param
-    } = req.body;
-
-    integration = await Integration.findOneAndUpdate(
-      {
-        _id: req.integration._id,
-      },
-      {
-        environment,
-        isActive,
-        app,
-        appId,
-        targetEnvironment,
-        owner,
-      },
-      {
-        new: true,
-      }
-    );
-
-    if (integration) {
-      // trigger event - push secrets
-      EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace,
-          environment
-        }),
-      });
-    }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
-};
-
-/**
- * Delete integration with id [integrationId] and deactivate bot if there are
- * no integrations left
- * @param req
- * @param res
- * @returns
- */
-export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
-    const { integrationId } = req.params;
-
-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
-    });
-
-    if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
-};
--- a/backend/src/controllers/v1/secretsFolderController.ts
+++ b/backend/src/controllers/v1/secretsFolderController.ts
@ -1,107 +0,0 @@
-import { Request, Response } from 'express';
-import { Secret } from '../../models';
-import Folder from '../../models/folder';
-import { BadRequestError } from '../../utils/errors';
-import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
-import { ADMIN, MEMBER } from '../../variables';
-import { validateMembership } from '../../helpers/membership';
-
-// TODO
-// verify workspace id/environment
-export const createFolder = async (req: Request, res: Response) => {
-  const { workspaceId, environment, folderName, parentFolderId } = req.body
-  if (!validateFolderName(folderName)) {
-    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
-  }
-
-  if (parentFolderId) {
-    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
-    if (!parentFolder) {
-      throw BadRequestError({ message: "The parent folder doesn't exist" })
-    }
-  }
-
-  let completePath = await getFolderPath(parentFolderId)
-  if (completePath == ROOT_FOLDER_PATH) {
-    completePath = ""
-  }
-
-  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
-  const normalizedCurrentPath = normalizePath(currentFolderPath)
-  const normalizedParentPath = getParentPath(normalizedCurrentPath)
-
-  const existingFolder = await Folder.findOne({
-    name: folderName,
-    workspace: workspaceId,
-    environment: environment,
-    parent: parentFolderId,
-    path: normalizedCurrentPath
-  });
-
-  if (existingFolder) {
-    return res.json(existingFolder)
-  }
-
-  const newFolder = new Folder({
-    name: folderName,
-    workspace: workspaceId,
-    environment: environment,
-    parent: parentFolderId,
-    path: normalizedCurrentPath,
-    parentPath: normalizedParentPath
-  });
-
-  await newFolder.save();
-
-  return res.json(newFolder)
-}
-
-export const deleteFolder = async (req: Request, res: Response) => {
-  const { folderId } = req.params
-  const queue: any[] = [folderId];
-
-  const folder = await Folder.findById(folderId);
-  if (!folder) {
-    throw BadRequestError({ message: "The folder doesn't exist" })
-  }
-
-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId: folder.workspace as any,
-    acceptedRoles: [ADMIN, MEMBER]
-  });
-
-  while (queue.length > 0) {
-    const currentFolderId = queue.shift();
-
-    const childFolders = await Folder.find({ parent: currentFolderId });
-    for (const childFolder of childFolders) {
-      queue.push(childFolder._id);
-    }
-
-    await Secret.deleteMany({ folder: currentFolderId });
-
-    await Folder.deleteOne({ _id: currentFolderId });
-  }
-
-  res.send()
-}
-
-// TODO: validate workspace
-export const getFolderById = async (req: Request, res: Response) => {
-  const { folderId } = req.params
-
-  const folder = await Folder.findById(folderId);
-  if (!folder) {
-    throw BadRequestError({ message: "The folder doesn't exist" })
-  }
-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId: folder.workspace as any,
-    acceptedRoles: [ADMIN, MEMBER]
-  });
-
-  res.send({ folder })
-}
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,112 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User } from '../../models';
-import {
-	sendEmailVerification,
-	checkEmailVerification,
-} from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { BadRequestError } from '../../utils/errors';
-import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
-
-/**
- * Signup step 1: Initialize account for user under email [email] and send a verification code
- * to that email
- * @param req
- * @param res
- * @returns
- */
-export const beginEmailSignup = async (req: Request, res: Response) => {
-	let email: string;
-	try {
-		email = req.body.email;
-
-		if (await getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
-		const user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-
-			return res.status(403).send({
-				error: 'Failed to send email verification code for complete account'
-			});
-		}
-
-		// send send verification email
-		await sendEmailVerification({ email });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to send email verification code'
-		});
-	}
-
-	return res.status(200).send({
-		message: `Sent an email verification code to ${email}`
-	});
-};
-
-/**
- * Signup step 2: Verify that code [code] was sent to email [email] and issue
- * a temporary signup token for user to complete setting up their account
- * @param req
- * @param res
- * @returns
- */
-export const verifyEmailSignup = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const { email, code } = req.body;
-
-		// initialize user account
-		user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			return res.status(403).send({
-				error: 'Failed email verification for complete user'
-			});
-		}
-
-		// verify email
-		if (await getSmtpConfigured()) {
-			await checkEmailVerification({
-				email,
-				code
-			});
-		}
-
-		if (!user) {
-			user = await new User({
-				email
-			}).save();
-		}
-
-		// generate temporary signup token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email verification'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfuly verified email',
-		user,
-		token
-	});
-};
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -1,335 +0,0 @@
-import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
-import {
-  Workspace,
-  Membership,
-  MembershipOrg,
-  Integration,
-  IntegrationAuth,
-  IUser,
-  ServiceToken,
-  ServiceTokenData,
-} from "../../models";
-import {
-  createWorkspace as create,
-  deleteWorkspace as deleteWork,
-} from "../../helpers/workspace";
-import { addMemberships } from "../../helpers/membership";
-import { ADMIN } from "../../variables";
-
-/**
- * Return public keys of members of workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
-    const { workspaceId } = req.params;
-
-    publicKeys = (
-      await Membership.find({
-        workspace: workspaceId,
-      }).populate<{ user: IUser }>("user", "publicKey")
-    ).map((member) => {
-      return {
-        publicKey: member.user.publicKey,
-        userId: member.user._id,
-      };
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
-
-  return res.status(200).send({
-    publicKeys,
-  });
-};
-
-/**
- * Return memberships for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
-    const { workspaceId } = req.params;
-
-    users = await Membership.find({
-      workspace: workspaceId,
-    }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
-
-  return res.status(200).send({
-    users,
-  });
-};
-
-/**
- * Return workspaces that user is part of
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
-      await Membership.find({
-        user: req.user._id,
-      }).populate("workspace")
-    ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
-
-  return res.status(200).send({
-    workspaces,
-  });
-};
-
-/**
- * Return workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-
-    workspace = await Workspace.findOne({
-      _id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
-
-  return res.status(200).send({
-    workspace,
-  });
-};
-
-/**
- * Create new workspace named [workspaceName] under organization with id
- * [organizationId] and add user as admin
- * @param req
- * @param res
- * @returns
- */
-export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceName, organizationId } = req.body;
-
-    // validate organization membership
-    const membershipOrg = await MembershipOrg.findOne({
-      user: req.user._id,
-      organization: organizationId,
-    });
-
-    if (!membershipOrg) {
-      throw new Error("Failed to validate organization membership");
-    }
-
-    if (workspaceName.length < 1) {
-      throw new Error("Workspace names must be at least 1-character long");
-    }
-
-    // create workspace and add user as member
-    workspace = await create({
-      name: workspaceName,
-      organizationId,
-    });
-
-    await addMemberships({
-      userIds: [req.user._id],
-      workspaceId: workspace._id.toString(),
-      roles: [ADMIN],
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
-  }
-
-  return res.status(200).send({
-    workspace,
-  });
-};
-
-/**
- * Delete workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
-    const { workspaceId } = req.params;
-
-    // delete workspace
-    await deleteWork({
-      id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
-
-  return res.status(200).send({
-    message: "Successfully deleted workspace",
-  });
-};
-
-/**
- * Change name of workspace with id [workspaceId] to [name]
- * @param req
- * @param res
- * @returns
- */
-export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-    const { name } = req.body;
-
-    workspace = await Workspace.findOneAndUpdate(
-      {
-        _id: workspaceId,
-      },
-      {
-        name,
-      },
-      {
-        new: true,
-      }
-    );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
-
-  return res.status(200).send({
-    message: "Successfully changed workspace name",
-    workspace,
-  });
-};
-
-/**
- * Return integrations for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
-    const { workspaceId } = req.params;
-
-    integrations = await Integration.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
-
-  return res.status(200).send({
-    integrations,
-  });
-};
-
-/**
- * Return (integration) authorizations for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceIntegrationAuthorizations = async (
-  req: Request,
-  res: Response
-) => {
-  let authorizations;
-  try {
-    const { workspaceId } = req.params;
-
-    authorizations = await IntegrationAuth.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
-
-  return res.status(200).send({
-    authorizations,
-  });
-};
-
-/**
- * Return service service tokens for workspace [workspaceId] belonging to user
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceServiceTokens = async (
-  req: Request,
-  res: Response
-) => {
-  let serviceTokens;
-  try {
-    const { workspaceId } = req.params;
-    // ?? FIX.
-    serviceTokens = await ServiceToken.find({
-      user: req.user._id,
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
-
-  return res.status(200).send({
-    serviceTokens,
-  });
-};
--- a/backend/src/controllers/v2/apiKeyDataController.ts
+++ b/backend/src/controllers/v2/apiKeyDataController.ts
@ -1,104 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    APIKeyData
-} from '../../models';
-import { getSaltRounds } from '../../config';
-
-/**
- * Return API key data for user with id [req.user_id]
- * @param req
- * @param res 
- * @returns 
- */
-export const getAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        apiKeyData = await APIKeyData.find({
-            user: req.user._id
-        });
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to get API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
-
-/**
- * Create new API key data for user with id [req.user._id]
- * @param req 
- * @param res 
- */
-export const createAPIKeyData = async (req: Request, res: Response) => {
-    let apiKey, apiKeyData;
-    try {
-        const { name, expiresIn } = req.body;
-        
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-        
-		const expiresAt = new Date();
-		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-        
-        apiKeyData = await new APIKeyData({
-            name,
-            lastUsed: new Date(),
-            expiresAt,
-            user: req.user._id,
-            secretHash
-        }).save();
-        
-        // return api key data without sensitive data
-        apiKeyData = await APIKeyData.findById(apiKeyData._id);
-        
-        if (!apiKeyData) throw new Error('Failed to find API key data');
-        
-        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-            
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKey,
-        apiKeyData
-    });
-}
-
-/**
- * Delete API key data with id [apiKeyDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        const { apiKeyDataId } = req.params;
-
-        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -1,360 +0,0 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
-import {
-  TOKEN_EMAIL_MFA,
-  ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
-import {
-  getJwtMfaLifetime,
-  getJwtMfaSecret,
-  getHttpsEnabled
-} from '../../config';
-
-declare module 'jsonwebtoken' {
-  export interface UserIDJwtPayload extends jwt.JwtPayload {
-    userId: string;
-  }
-}
-
-/**
- * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
- * @param req
- * @param res
- * @returns
- */
-export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
-
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false });
-
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
-};
-
-/**
- * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
- * private key
- * @param req
- * @param res
- * @returns
- */
-export const login2 = async (req: Request, res: Response) => {
-  try {
-
-    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
-
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetail) {
-      return BadRequestError(Error("Failed to find login details for SRP"))
-    }
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetail.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
-
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-
-          if (user.isMfaEnabled) {
-            // case: user has MFA enabled
-
-            // generate temporary MFA token
-            const token = createToken({
-              payload: {
-                userId: user._id.toString()
-              },
-              expiresIn: await getJwtMfaLifetime(),
-              secret: await getJwtMfaSecret()
-            });
-
-            const code = await TokenService.createToken({
-              type: TOKEN_EMAIL_MFA,
-              email
-            });
-
-            // send MFA code [code] to [email]
-            await sendMail({
-              template: 'emailMfa.handlebars',
-              subjectLine: 'Infisical MFA code',
-              recipients: [email],
-              substitutions: {
-                code
-              }
-            });
-
-            return res.status(200).send({
-              mfaEnabled: true,
-              token
-            });
-          }
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
-
-          // issue tokens
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: await getHttpsEnabled()
-          });
-
-          // case: user does not have MFA enablgged
-          // return (access) token in response
-
-          interface ResponseData {
-            mfaEnabled: boolean;
-            encryptionVersion: any;
-            protectedKey?: string;
-            protectedKeyIV?: string;
-            protectedKeyTag?: string;
-            token: string;
-            publicKey?: string;
-            encryptedPrivateKey?: string;
-            iv?: string;
-            tag?: string;
-          }
-
-          const response: ResponseData = {
-            mfaEnabled: false,
-            encryptionVersion: user.encryptionVersion,
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          }
-
-          if (
-            user?.protectedKey &&
-            user?.protectedKeyIV &&
-            user?.protectedKeyTag
-          ) {
-            response.protectedKey = user.protectedKey;
-            response.protectedKeyIV = user.protectedKeyIV
-            response.protectedKeyTag = user.protectedKeyTag;
-          }
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
-
-          return res.status(200).send(response);
-        }
-
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
-};
-
-/**
- * Send MFA token to email [email]
- * @param req 
- * @param res 
- */
-export const sendMfaToken = async (req: Request, res: Response) => {
-  try {
-    const { email } = req.body;
-
-    const code = await TokenService.createToken({
-      type: TOKEN_EMAIL_MFA,
-      email
-    });
-
-    // send MFA code [code] to [email]
-    await sendMail({
-      template: 'emailMfa.handlebars',
-      subjectLine: 'Infisical MFA code',
-      recipients: [email],
-      substitutions: {
-        code
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to send MFA code'
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully sent new MFA code'
-  });
-}
-
-/**
- * Verify MFA token [mfaToken] and issue JWT and refresh tokens if the
- * MFA token [mfaToken] is valid
- * @param req 
- * @param res 
- */
-export const verifyMfaToken = async (req: Request, res: Response) => {
-  const { email, mfaToken } = req.body;
-
-  await TokenService.validateToken({
-    type: TOKEN_EMAIL_MFA,
-    email,
-    token: mfaToken
-  });
-
-  const user = await User.findOne({
-    email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
-
-  if (!user) throw new Error('Failed to find user');
-
-  await checkUserDevice({
-    user,
-    ip: req.ip,
-    userAgent: req.headers['user-agent'] ?? ''
-  });
-
-  // issue tokens
-  const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-  // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
-    httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: await getHttpsEnabled()
-  });
-
-  interface VerifyMfaTokenRes {
-    encryptionVersion: number;
-    protectedKey?: string;
-    protectedKeyIV?: string;
-    protectedKeyTag?: string;
-    token: string;
-    publicKey: string;
-    encryptedPrivateKey: string;
-    iv: string;
-    tag: string;
-  }
-
-  interface VerifyMfaTokenRes {
-    encryptionVersion: number;
-    protectedKey?: string;
-    protectedKeyIV?: string;
-    protectedKeyTag?: string;
-    token: string;
-    publicKey: string;
-    encryptedPrivateKey: string;
-    iv: string;
-    tag: string;
-  }
-
-  const resObj: VerifyMfaTokenRes = {
-    encryptionVersion: user.encryptionVersion,
-    token: tokens.token,
-    publicKey: user.publicKey as string,
-    encryptedPrivateKey: user.encryptedPrivateKey as string,
-    iv: user.iv as string,
-    tag: user.tag as string
-  }
-
-  if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
-    resObj.protectedKey = user.protectedKey;
-    resObj.protectedKeyIV = user.protectedKeyIV;
-    resObj.protectedKeyTag = user.protectedKeyTag;
-  }
-
-  const loginAction = await EELogService.createAction({
-    name: ACTION_LOGIN,
-    userId: user._id
-  });
-
-  loginAction && await EELogService.createLog({
-    userId: user._id,
-    actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.ip
-  });
-
-  return res.status(200).send(resObj);
-}
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -1,262 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import {
-  Secret,
-  ServiceToken,
-  Workspace,
-  Integration,
-  ServiceTokenData,
-  Membership,
-} from '../../models';
-import { SecretVersion } from '../../ee/models';
-import { BadRequestError } from '../../utils/errors';
-import _ from 'lodash';
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
-
-/**
- * Create new workspace environment named [environmentName] under workspace with id
- * @param req
- * @param res
- * @returns
- */
-export const createWorkspaceEnvironment = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environmentName, environmentSlug } = req.body;
-  try {
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (
-      !workspace ||
-      workspace?.environments.find(
-        ({ name, slug }) => slug === environmentSlug || environmentName === name
-      )
-    ) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    workspace?.environments.push({
-      name: environmentName,
-      slug: environmentSlug.toLowerCase(),
-    });
-    await workspace.save();
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to create new workspace environment',
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully created new environment',
-    workspace: workspaceId,
-    environment: {
-      name: environmentName,
-      slug: environmentSlug,
-    },
-  });
-};
-
-/**
- * Rename workspace environment with new name and slug of a workspace with [workspaceId]
- * Old slug [oldEnvironmentSlug] must be provided
- * @param req
- * @param res
- * @returns
- */
-export const renameWorkspaceEnvironment = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
-  try {
-    // user should pass both new slug and env name
-    if (!environmentSlug || !environmentName) {
-      throw new Error('Invalid environment given.');
-    }
-
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const isEnvExist = workspace.environments.some(
-      ({ name, slug }) =>
-        slug !== oldEnvironmentSlug &&
-        (name === environmentName || slug === environmentSlug)
-    );
-    if (isEnvExist) {
-      throw new Error('Invalid environment given');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === oldEnvironmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments[envIndex].name = environmentName;
-    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
-
-    await workspace.save();
-    await Secret.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await SecretVersion.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceToken.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceTokenData.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Integration.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Membership.updateMany(
-      {
-        workspace: workspaceId,
-        "deniedPermissions.environmentSlug": oldEnvironmentSlug
-      },
-      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
-      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to update workspace environment',
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully update environment',
-    workspace: workspaceId,
-    environment: {
-      name: environmentName,
-      slug: environmentSlug,
-    },
-  });
-};
-
-/**
- * Delete workspace environment by [environmentSlug] of workspace [workspaceId] and do the clean up
- * @param req
- * @param res
- * @returns
- */
-export const deleteWorkspaceEnvironment = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environmentSlug } = req.body;
-  try {
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === environmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments.splice(envIndex, 1);
-    await workspace.save();
-
-    // clean up
-    await Secret.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await SecretVersion.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceToken.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceTokenData.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Integration.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Membership.updateMany(
-      { workspace: workspaceId },
-      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to delete workspace environment',
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully deleted environment',
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-};
-
-
-export const getAllAccessibleEnvironmentsOfWorkspace = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const workspacesUserIsMemberOf = await Membership.findOne({
-    workspace: workspaceId,
-    user: req.user
-  })
-
-  if (!workspacesUserIsMemberOf) {
-    throw BadRequestError()
-  }
-
-  const accessibleEnvironments: any = []
-  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions
-
-  const relatedWorkspace = await Workspace.findById(workspaceId)
-  if (!relatedWorkspace) {
-    throw BadRequestError()
-  }
-  relatedWorkspace.environments.forEach(environment => {
-    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_READ_SECRETS })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_WRITE_SECRETS })
-    if (isReadBlocked && isWriteBlocked) {
-      return
-    } else {
-      accessibleEnvironments.push({
-        name: environment.name,
-        slug: environment.slug,
-        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
-      })
-    }
-  })
-
-  res.json({ accessibleEnvironments })
-};
--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -1,27 +0,0 @@
-import * as authController from './authController';
-import * as signupController from './signupController';
-import * as usersController from './usersController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as serviceTokenDataController from './serviceTokenDataController';
-import * as apiKeyDataController from './apiKeyDataController';
-import * as secretController from './secretController';
-import * as secretsController from './secretsController';
-import * as serviceAccountsController from './serviceAccountsController';
-import * as environmentController from './environmentController';
-import * as tagController from './tagController';
-
-export {
-    authController,
-    signupController,
-    usersController,
-    organizationsController,
-    workspaceController,
-    serviceTokenDataController,
-    apiKeyDataController,
-    secretController,
-    secretsController,
-    serviceAccountsController,
-    environmentController,
-    tagController
-}
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -1,306 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { 
-    MembershipOrg,
-    Membership,
-    Workspace,
-    ServiceAccount
-} from '../../models';
-import { deleteMembershipOrg } from '../../helpers/membershipOrg';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-
-/**
- * Return memberships for organization with id [organizationId]
- * @param req 
- * @param res 
- */
-export const getOrganizationMemberships = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return organization memberships'
-    #swagger.description = 'Return organization memberships'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"memberships": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/MembershipOrg" 
-							},
-							"description": "Memberships of organization"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let memberships;
-    try {
-        const { organizationId } = req.params;
-
-		memberships = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization memberships'
-		});
-    }
-    
-    return res.status(200).send({
-        memberships
-    });
-}
-
-/**
- * Update role of membership with id [membershipId] to role [role]
- * @param req 
- * @param res 
- */
-export const updateOrganizationMembership = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Update organization membership'
-    #swagger.description = 'Update organization membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of organization membership to update",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "role": {
-                    "type": "string",
-                    "description": "Role of organization membership - either owner, admin, or member",
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/MembershipOrg",
-							"description": "Updated organization membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        const { role } = req.body;
-        
-        membership = await MembershipOrg.findByIdAndUpdate(
-            membershipId,
-            {
-                role
-            }, {
-                new: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update organization membership'
-		});
-    }
-    
-    return res.status(200).send({
-        membership
-    });
-}
-
-/**
- * Delete organization membership with id [membershipId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteOrganizationMembership = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Delete organization membership'
-    #swagger.description = 'Delete organization membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of organization membership to delete",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/MembershipOrg",
-							"description": "Deleted organization membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        
-        // delete organization membership
-        membership = await deleteMembershipOrg({
-            membershipOrgId: membershipId
-        });
-
-        await updateSubscriptionOrgQuantity({
-			organizationId: membership.organization.toString()
-		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});	
-    }
-
-    return res.status(200).send({
-        membership
-    });
-}
-
-/**
- * Return workspaces for organization with id [organizationId] that user has
- * access to
- * @param req 
- * @param res 
- */
-export const getOrganizationWorkspaces = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return projects in organization that user is part of'
-    #swagger.description = 'Return projects in organization that user is part of'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"workspaces": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Project" 
-							},
-							"description": "Projects of organization"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    const { organizationId } = req.params;
-
-    const workspacesSet = new Set(
-        (
-            await Workspace.find(
-                {
-                    organization: organizationId
-                },
-                '_id'
-            )
-        ).map((w) => w._id.toString())
-    );
-
-    const workspaces = (
-        await Membership.find({
-            user: req.user._id
-        }).populate('workspace')
-    )
-    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
-    .map((m) => m.workspace);
-
-return res.status(200).send({
-        workspaces
-    });
-}
-
-/**
- * Return service accounts for organization with id [organizationId]
- * @param req 
- * @param res 
- */
-export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
-    const { organizationId } = req.params;
-    
-    const serviceAccounts = await ServiceAccount.find({
-        organization: new Types.ObjectId(organizationId)
-    });
-    
-    return res.status(200).send({
-        serviceAccounts
-    });
-}
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -1,413 +0,0 @@
-import to from "await-to-js";
-import { Request, Response } from "express";
-import mongoose, { Types } from "mongoose";
-import Secret, { ISecret } from "../../models/secret";
-import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
-const { ValidationError } = mongoose.Error;
-import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
-import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { TelemetryService } from '../../services';
-import { User } from "../../models";
-import { AccountNotFoundError } from '../../utils/errors';
-
-/**
- * Create secret for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const createSecret = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const secretToCreate: CreateSecretRequestBody = req.body.secret;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecret: SanitizedSecretForCreate = {
-    secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
-    secretKeyIV: secretToCreate.secretKeyIV,
-    secretKeyTag: secretToCreate.secretKeyTag,
-    secretKeyHash: secretToCreate.secretKeyHash,
-    secretValueCiphertext: secretToCreate.secretValueCiphertext,
-    secretValueIV: secretToCreate.secretValueIV,
-    secretValueTag: secretToCreate.secretValueTag,
-    secretValueHash: secretToCreate.secretValueHash,
-    secretCommentCiphertext: secretToCreate.secretCommentCiphertext,
-    secretCommentIV: secretToCreate.secretCommentIV,
-    secretCommentTag: secretToCreate.secretCommentTag,
-    secretCommentHash: secretToCreate.secretCommentHash,
-    workspace: new Types.ObjectId(workspaceId),
-    environment,
-    type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
-  }
-
-
-  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: error.message, stack: error.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets added',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: 1,
-        workspaceId,
-        environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send({
-    secret
-  })
-}
-
-/**
- * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const createSecrets = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
-
-  secretsToCreate.forEach(rawSecret => {
-    const safeUpdateFields: SanitizedSecretForCreate = {
-      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
-      secretKeyIV: rawSecret.secretKeyIV,
-      secretKeyTag: rawSecret.secretKeyTag,
-      secretKeyHash: rawSecret.secretKeyHash,
-      secretValueCiphertext: rawSecret.secretValueCiphertext,
-      secretValueIV: rawSecret.secretValueIV,
-      secretValueTag: rawSecret.secretValueTag,
-      secretValueHash: rawSecret.secretValueHash,
-      secretCommentCiphertext: rawSecret.secretCommentCiphertext,
-      secretCommentIV: rawSecret.secretCommentIV,
-      secretCommentTag: rawSecret.secretCommentTag,
-      secretCommentHash: rawSecret.secretCommentHash,
-      workspace: new Types.ObjectId(workspaceId),
-      environment,
-      type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
-    }
-
-    sanitizedSecretesToCreate.push(safeUpdateFields)
-  })
-
-  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
-  if (bulkCreateError) {
-    if (bulkCreateError instanceof ValidationError) {
-      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
-    }
-
-    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets added',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: (secretsToCreate ?? []).length,
-        workspaceId,
-        environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send({
-    secrets
-  })
-}
-
-/**
- * Delete secrets in workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const deleteSecrets = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
-  const secretIdsToDelete: string[] = req.body.secretIds
-
-  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanDeleteError) {
-    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
-  }
-
-  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
-
-  let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach(secretIdToDelete => {
-    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
-      deleteOperationsToPerform.push(deleteOperation)
-      numSecretsDeleted++;
-    } else {
-      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
-    }
-  })
-
-  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
-  if (bulkDeleteError) {
-    if (bulkDeleteError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
-    }
-    throw InternalServerError()
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets deleted',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: numSecretsDeleted,
-        environment: environmentName,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send()
-}
-
-/**
- * Delete secret with id [secretId]
- * @param req 
- * @param res
- */
-export const deleteSecret = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  await Secret.findByIdAndDelete(req._secret._id)
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets deleted',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: 1,
-        workspaceId: req._secret.workspace.toString(),
-        environment: req._secret.environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send({
-    secret: req._secret
-  })
-}
-
-/**
- * Update secrets for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateSecrets = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
-  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
-  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanModifyError) {
-    throw InternalServerError({ message: "Unable to fetch secrets you own" })
-  }
-
-  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
-  const updateOperationsToPerform: any = []
-
-  secretsModificationsRequested.forEach(userModifiedSecret => {
-    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
-      const sanitizedSecret: SanitizedSecretModify = {
-        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
-        secretKeyIV: userModifiedSecret.secretKeyIV,
-        secretKeyTag: userModifiedSecret.secretKeyTag,
-        secretKeyHash: userModifiedSecret.secretKeyHash,
-        secretValueCiphertext: userModifiedSecret.secretValueCiphertext,
-        secretValueIV: userModifiedSecret.secretValueIV,
-        secretValueTag: userModifiedSecret.secretValueTag,
-        secretValueHash: userModifiedSecret.secretValueHash,
-        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
-        secretCommentIV: userModifiedSecret.secretCommentIV,
-        secretCommentTag: userModifiedSecret.secretCommentTag,
-        secretCommentHash: userModifiedSecret.secretCommentHash,
-      }
-
-      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
-      updateOperationsToPerform.push(updateOperation)
-    } else {
-      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
-    }
-  })
-
-  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
-  if (bulkModificationInfoError) {
-    if (bulkModificationInfoError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
-    }
-
-    throw InternalServerError()
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets modified',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: (secretsModificationsRequested ?? []).length,
-        environment: environmentName,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  return res.status(200).send()
-}
-
-/**
- * Update a secret within workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateSecret = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
-  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
-
-  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
-    throw BadRequestError()
-  }
-
-  const sanitizedSecret: SanitizedSecretModify = {
-    secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
-    secretKeyIV: secretModificationsRequested.secretKeyIV,
-    secretKeyTag: secretModificationsRequested.secretKeyTag,
-    secretKeyHash: secretModificationsRequested.secretKeyHash,
-    secretValueCiphertext: secretModificationsRequested.secretValueCiphertext,
-    secretValueIV: secretModificationsRequested.secretValueIV,
-    secretValueTag: secretModificationsRequested.secretValueTag,
-    secretValueHash: secretModificationsRequested.secretValueHash,
-    secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
-    secretCommentIV: secretModificationsRequested.secretCommentIV,
-    secretCommentTag: secretModificationsRequested.secretCommentTag,
-    secretCommentHash: secretModificationsRequested.secretCommentHash,
-  }
-
-  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets modified',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: 1,
-        environment: environmentName,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  return res.status(200).send(singleModificationUpdate)
-}
-
-/**
- * Return secrets for workspace with id [workspaceId], environment [environment] and user
- * with id [req.user._id]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecrets = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const { environment } = req.query;
-  const { workspaceId } = req.params;
-
-  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: string | undefined = undefined // used for posthog 
-  if (req.user) {
-    userId = req.user._id;
-    userEmail = req.user.email;
-  }
-
-  if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user;
-    
-    const user = await User.findById(req.serviceTokenData.user, 'email');
-    if (!user) throw AccountNotFoundError();
-    userEmail = user.email;
-  }
-
-  const [err, secrets] = await to(Secret.find(
-    {
-      workspace: workspaceId,
-      environment,
-      $or: [{ user: userId }, { user: { $exists: false } }],
-      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-    }
-  ).then())
-
-  if (err) {
-    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets pulled',
-      distinctId: userEmail,
-      properties: {
-        numberOfSecrets: (secrets ?? []).length,
-        environment,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  return res.json(secrets)
-}
-
-/**
- * Return secret with id [secretId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecret = async (req: Request, res: Response) => {
-  // if (postHogClient) {
-  //   postHogClient.capture({
-  //     event: 'secrets pulled',
-  //     distinctId: req.user.email,
-  //     properties: {
-  //       numberOfSecrets: 1,
-  //       workspaceId: req._secret.workspace.toString(),
-  //       environment: req._secret.environment,
-  //       channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-  //       userAgent: req.headers?.['user-agent']
-  //     }
-  //   });
-  // }
-
-  return res.status(200).send({
-    secret: req._secret
-  });
-}
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
--- a/backend/src/controllers/v2/serviceAccountsController.ts
+++ b/backend/src/controllers/v2/serviceAccountsController.ts
@ -1,306 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import { 
-    ServiceAccount,
-    ServiceAccountKey,
-    ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission
-} from '../../models';
-import {
-    CreateServiceAccountDto
-} from '../../interfaces/serviceAccounts/dto';
-import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
-import { getSaltRounds } from '../../config';
-
-/**
- * Return service account tied to the request (service account) client
- * @param req
- * @param res
- */
-export const getCurrentServiceAccount = async (req: Request, res: Response) => {
-    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
-    
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
-    }
-    
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Return service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountById = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    
-    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
-    
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
-    }
-    
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Create a new service account under organization with id [organizationId]
- * that has access to workspaces [workspaces]
- * @param req 
- * @param res 
- * @returns
- */
-export const createServiceAccount = async (req: Request, res: Response) => {
-    const {
-        name,
-        organizationId,
-        publicKey,
-        expiresIn,
-    }: CreateServiceAccountDto = req.body;
-
-    let expiresAt;
-    if (expiresIn) {
-        expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-
-    const secret = crypto.randomBytes(16).toString('base64');
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-    
-    // create service account
-    const serviceAccount = await new ServiceAccount({
-        name,
-        organization: new Types.ObjectId(organizationId),
-        user: req.user,
-        publicKey,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash
-    }).save();
-    
-    const serviceAccountObj = serviceAccount.toObject();
-    
-    delete serviceAccountObj.secretHash;
-
-    // provision default org-level permission for service account
-    await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id
-    }).save();
-    
-    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
-
-    return res.status(200).send({
-        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj
-    });
-}
-
-/**
- * Change name of service account with id [serviceAccountId] to [name]
- * @param req 
- * @param res 
- * @returns 
- */
-export const changeServiceAccountName = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const { name } = req.body;
-    
-    const serviceAccount = await ServiceAccount.findOneAndUpdate(
-        {
-            _id: new Types.ObjectId(serviceAccountId)
-        },
-        {
-            name
-        },
-        {
-            new: true
-        }
-    );
-    
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Add a service account key to service account with id [serviceAccountId]
- * for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const addServiceAccountKey = async (req: Request, res: Response) => {
-    const {
-        workspaceId,
-        encryptedKey,
-        nonce
-    } = req.body;
-    
-    const serviceAccountKey = await new ServiceAccountKey({
-        encryptedKey,
-        nonce,
-        sender: req.user._id,
-        serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId)
-    }).save();
-
-    return serviceAccountKey;
-}
-
-/**
- * Return workspace-level permission for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
-    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id
-    }).populate('workspace');
-    
-    return res.status(200).send({
-        serviceAccountWorkspacePermissions
-    });
-}
-
-/**
- * Add a workspace permission to service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const {
-        environment,
-        workspaceId,
-        read = false,
-        write = false,
-        encryptedKey,
-        nonce
-    } = req.body;
-    
-    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
-        return res.status(400).send({
-            message: 'Failed to validate workspace environment'
-        });
-    }
-    
-    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment
-    });
-    
-    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
-
-    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment,
-        read,
-        write
-    }).save();
-    
-    const existingServiceAccountKey = await ServiceAccountKey.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId) 
-    });
-    
-    if (!existingServiceAccountKey) {
-        await new ServiceAccountKey({
-            encryptedKey,
-            nonce,
-            sender: req.user._id,
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId)
-        }).save();
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission
-    });
-}
-
-/**
- * Delete workspace permission from service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountWorkspacePermissionId } = req.params;
-    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
-
-    if (serviceAccountWorkspacePermission) {
-        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
-        const count = await ServiceAccountWorkspacePermission.countDocuments({
-            serviceAccount,
-            workspace
-        });
-        
-        if (count === 0) {
-            await ServiceAccountKey.findOneAndDelete({
-                serviceAccount,
-                workspace
-            });
-        }
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission
-    });
-}
-
-/**
- * Delete service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceAccount = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-
-    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
-
-    if (serviceAccount) {
-        await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id
-        });
-
-        await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
-        });
-
-        await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
-        });
-    }
-
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Return service account keys for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getServiceAccountKeys = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-    
-    const serviceAccountKeys = await ServiceAccountKey.find({
-        serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
-    });
-    
-    return res.status(200).send({
-        serviceAccountKeys
-    });
-}
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -1,147 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    User,
-    ServiceAccount,
-    ServiceTokenData
-} from '../../models';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { 
-    PERMISSION_READ_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN
-} from '../../variables';
-import { getSaltRounds } from '../../config';
-import { BadRequestError } from '../../utils/errors';
-
-/**
- * Return service token data associated with service token on request
- * @param req 
- * @param res 
- * @returns 
- */
-export const getServiceTokenData = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return Infisical Token data'
-    #swagger.description = 'Return Infisical Token data'
-    
-    #swagger.security = [{
-        "bearerAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-                        "serviceTokenData": {
-                            "type": "object",
-                            $ref: "#/components/schemas/ServiceTokenData",
-                            "description": "Details of service token"
-                        }
-					}
-                }
-            }           
-        }
-    }   
-    */
-
-    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
-        message: 'Failed accepted client validation for service token data'
-    });
-
-    const serviceTokenData = await ServiceTokenData
-        .findById(req.authData.authPayload._id)
-        .select('+encryptedKey +iv +tag')
-        .populate('user');
-
-    return res.status(200).json(serviceTokenData);
-}
-
-/**
- * Create new service token data for workspace with id [workspaceId] and
- * environment [environment].
- * @param req 
- * @param res 
- * @returns 
- */
-export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
-
-    const {
-        name,
-        workspaceId,
-        environment,
-        encryptedKey,
-        iv,
-        tag,
-        expiresIn,
-        permissions
-    } = req.body;
-
-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-
-    let expiresAt; 
-    if (expiresIn) {
-        expiresAt = new Date()
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-
-    let user, serviceAccount;
-    
-    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
-        user = req.authData.authPayload._id;
-    }
-
-    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
-        serviceAccount = req.authData.authPayload._id;
-    }
-        
-    serviceTokenData = await new ServiceTokenData({
-        name,
-        workspace: workspaceId,
-        environment,
-        user,
-        serviceAccount,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-        encryptedKey,
-        iv,
-        tag,
-        permissions
-    }).save();
-
-    // return service token data without sensitive data
-    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
-
-    if (!serviceTokenData) throw new Error('Failed to find service token data');
-
-    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
-    return res.status(200).send({
-        serviceToken,
-        serviceTokenData
-    });
-}
-
-/**
- * Delete service token data with id [serviceTokenDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    const { serviceTokenDataId } = req.params;
-
-    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
-
-    return res.status(200).send({
-        serviceTokenData
-    });
-}
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -1,72 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-
-export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
-
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
-
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
-
-		throw err
-	}
-
-	res.json(createdTag)
-}
-
-export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
-
-	const tagFromDB = await Tag.findById(tagId)
-	if (!tagFromDB) {
-		throw BadRequestError()
-	}
-
-	// can only delete if the request user is one that belongs to the same workspace as the tag
-	const membership = await Membership.findOne({
-		user: req.user,
-		workspace: tagFromDB.workspace
-	});
-
-	if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
-	}
-
-	const result = await Tag.findByIdAndDelete(tagId);
-
-	// remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
-
-	res.json(result);
-}
-
-export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
-	return res.json({
-		workspaceTags
-	})
-}
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -1,147 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import {
-    User,
-    MembershipOrg
-} from '../../models';
-
-/**
- * Return the current user.
- * @param req 
- * @param res 
- * @returns 
- */
-export const getMe = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = "Retrieve the current user on the request"
-    #swagger.description = "Retrieve the current user on the request"
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "user": {
-                            "type": "object",
-                            $ref: "#/components/schemas/CurrentUser",
-                            "description": "Current user on request"
-                        }
-                    }
-                }
-            }           
-        }
-    }   
-    */
-    let user;
-    try {
-        user = await User
-            .findById(req.user._id)
-            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get current user'
-		});
-    }
-    
-    return res.status(200).send({
-        user
-    });
-}
-
-/**
- * Update the current user's MFA-enabled status [isMfaEnabled].
- * Note: Infisical currently only supports email-based 2FA only; this will expand to
- * include SMS and authenticator app modes of authentication in the future.
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    let user;
-    try {
-        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
-        req.user.isMfaEnabled = isMfaEnabled;
-        
-        if (isMfaEnabled) { 
-            // TODO: adapt this route/controller 
-            // to work for different forms of MFA
-            req.user.mfaMethods = ['email'];
-        } else {
-            req.user.mfaMethods = [];
-        }
-
-        await req.user.save();
-        
-        user = req.user;
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to update current user's MFA status"
-		}); 
-    }
-    
-    return res.status(200).send({
-        user
-    });
-}
-
-/**
- * Return organizations that the current user is part of.
- * @param req 
- * @param res 
- */
-export const getMyOrganizations = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return organizations that current user is part of'
-    #swagger.description = 'Return organizations that current user is part of'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"organizations": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Organization" 
-							},
-							"description": "Organizations that user is part of"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let organizations;
-	try {
-		organizations = (
-			await MembershipOrg.find({
-				user: req.user._id
-			}).populate('organization')
-		).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get current user's organizations"
-		});
-	}
-
-	return res.status(200).send({
-		organizations
-	});
-}
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -1,510 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Workspace,
-	Secret,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
-	Key,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
-import {
-	v2PushSecrets as push,
-	pullSecrets as pull,
-	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { TelemetryService, EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
-
-interface V2PushSecret {
-	type: string; // personal or shared
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretKeyHash: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	secretValueHash: string;
-	secretCommentCiphertext?: string;
-	secretCommentIV?: string;
-	secretCommentTag?: string;
-	secretCommentHash?: string;
-}
-
-/**
- * Upload (encrypted) secrets to workspace with id [workspaceId]
- * for environment [environment]
- * @param req
- * @param res
- * @returns
- */
-export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
-	// upload (encrypted) secrets to workspace with id [workspaceId]
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		let { secrets }: { secrets: V2PushSecret[] } = req.body;
-		const { keys, environment, channel } = req.body;
-		const { workspaceId } = req.params;
-
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
-
-		// sanitize secrets
-		secrets = secrets.filter(
-			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
-		);
-
-		await push({
-			userId: req.user._id,
-			workspaceId,
-			environment,
-			secrets,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
-
-		await pushKeys({
-			userId: req.user._id,
-			workspaceId,
-			keys
-		});
-
-		if (postHogClient) {
-			postHogClient.capture({
-				event: 'secrets pushed',
-				distinctId: req.user.email,
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId: new Types.ObjectId(workspaceId),
-				environment
-			})
-		});
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
-	});
-};
-
-/**
- * Return (encrypted) secrets for workspace with id [workspaceId]
- * for environment [environment]
- * @param req
- * @param res
- * @returns
- */
-export const pullSecrets = async (req: Request, res: Response) => {
-	let secrets;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
-
-		let userId;
-		if (req.user) {
-			userId = req.user._id.toString();
-		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user.toString();
-		}
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
-
-		secrets = await pull({
-			userId,
-			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
-
-		if (channel !== 'cli') {
-			secrets = reformatPullSecrets({ secrets });
-		}
-
-		if (postHogClient) {
-			// capture secrets pushed event in production
-			postHogClient.capture({
-				distinctId: req.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
-
-	return res.status(200).send({
-		secrets
-	});
-};
-
-export const getWorkspaceKey = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return encrypted project key'
-    #swagger.description = 'Return encrypted project key'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "array",
-                    "items": {
-                        $ref: "#/components/schemas/ProjectKey" 
-                    },
-                    "description": "Encrypted project key for the given project"
-                }
-            }           
-        }
-    }   
-    */
-	let key;
-	try {
-		const { workspaceId } = req.params;
-
-		key = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		}).populate('sender', '+publicKey');
-
-		if (!key) throw new Error('Failed to find workspace key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace key'
-		});
-	}
-
-	return res.status(200).json(key);
-}
-export const getWorkspaceServiceTokenData = async (
-	req: Request,
-	res: Response
-) => {
-	let serviceTokenData;
-	try {
-		const { workspaceId } = req.params;
-
-		serviceTokenData = await ServiceTokenData
-			.find({
-				workspace: workspaceId
-			})
-			.select('+encryptedKey +iv +tag');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service token data'
-		});
-	}
-
-	return res.status(200).send({
-		serviceTokenData
-	});
-}
-
-/**
- * Return memberships for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return project memberships'
-    #swagger.description = 'Return project memberships'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"memberships": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Membership" 
-							},
-							"description": "Memberships of project"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let memberships;
-	try {
-		const { workspaceId } = req.params;
-
-		memberships = await Membership.find({
-			workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace memberships'
-		});
-	}
-
-	return res.status(200).send({
-		memberships
-	});
-}
-
-/**
- * Update role of membership with id [membershipId] to role [role]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Update project membership'
-    #swagger.description = 'Update project membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of project membership to update",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "role": {
-                    "type": "string",
-                    "description": "Role of membership - either admin or member",
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/Membership",
-							"description": "Updated membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let membership;
-	try {
-		const {
-			membershipId
-		} = req.params;
-		const { role } = req.body;
-		
-		membership = await Membership.findByIdAndUpdate(
-			membershipId,
-			{
-				role
-			}, {
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update workspace membership'
-		});
-	}
-	
-	return res.status(200).send({
-		membership
-	}); 
-}
-
-/**
- * Delete workspace membership with id [membershipId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Delete project membership'
-    #swagger.description = 'Delete project membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of project membership to delete",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/Membership",
-							"description": "Deleted membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let membership;
-	try {
-		const { 
-			membershipId
-		} = req.params;
-		
-		membership = await Membership.findByIdAndDelete(membershipId);
-		
-		if (!membership) throw new Error('Failed to delete workspace membership');
-		
-		await Key.deleteMany({
-			receiver: membership.user,
-			workspace: membership.workspace
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace membership'
-		});	
-	}
-	
-	return res.status(200).send({
-		membership
-	});
-}
-
-/**
- * Change autoCapitilzation Rule of workspace
- * @param req
- * @param res
- * @returns
- */
-export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { autoCapitalization } = req.body;
-
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				autoCapitalization
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
-		workspace
-	});
-};
--- a/backend/src/controllers/v3/index.ts
+++ b/backend/src/controllers/v3/index.ts
@ -1,7 +0,0 @@
-import * as secretsController from './secretsController';
-import * as workspacesController from './workspacesController';
-
-export {
-    secretsController,
-    workspacesController
-}
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -1,183 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { 
-    SecretService, 
-    TelemetryService,
-    EventService
-} from '../../services';
-import { eventPushSecrets } from '../../events';
-import { getAuthDataPayloadIdObj } from '../../utils/auth';
-import { BadRequestError } from '../../utils/errors';
-
-/**
- * Get secrets for workspace with id [workspaceId] and environment
- * [environment]
- * @param req 
- * @param res 
- */
-export const getSecrets = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
-
-    const secrets = await SecretService.getSecrets({
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        authData: req.authData
-    });
-
-    return res.status(200).send({
-        secrets
-    });
-}
-
-/**
- * Get secret with name [secretName]
- * @param req 
- * @param res 
- */
-export const getSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
-    const type = req.query.type as 'shared' | 'personal' | undefined;
-
-    const secret = await SecretService.getSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData
-    });
-    
-    return res.status(200).send({
-        secret
-    });
-}
-
-/**
- * Create secret with name [secretName]
- * @param req 
- * @param res 
- */
-export const createSecret = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const { 
-        workspaceId,
-        environment,
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag
-    } = req.body;
-    
-    const secret = await SecretService.createSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag
-        } : {})
-    });
-
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
-
-    const secretWithoutBlindIndex = secret.toObject();
-    delete secretWithoutBlindIndex.secretBlindIndex;
-    
-    return res.status(200).send({
-        secret: secretWithoutBlindIndex
-    });
-}
-
-/**
- * Update secret with name [secretName]
- * @param req
- * @param res 
- */
-export const updateSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    } = req.body;
-
-    const secret = await SecretService.updateSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    });
-    
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
-
-    return res.status(200).send({
-        secret
-    });
-}
-
-/**
- * Delete secret with name [secretName]
- * @param req 
- * @param res 
- */
-export const deleteSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type
-    } = req.body;
-    
-    const { secret, secrets } = await SecretService.deleteSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData
-    });
-
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
-
-    return res.status(200).send({
-        secret
-    });
-}
--- a/backend/src/controllers/v3/workspacesController.ts
+++ b/backend/src/controllers/v3/workspacesController.ts
@ -1,90 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { Secret } from '../../models';
-import { SecretService } from'../../services';
-
-/**
- * Return whether or not all secrets in workspace with id [workspaceId]
- * are blind-indexed
- * @param req 
- * @param res 
- * @returns 
- */
-export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response) => {
-    const { workspaceId } = req.params;
-
-    const secretsWithoutBlindIndex = await Secret.countDocuments({
-        workspace: new Types.ObjectId(workspaceId),
-        secretBlindIndex: {
-            $exists: false
-        }
-    });
-
-    return res.status(200).send(secretsWithoutBlindIndex === 0);
-}
-
-/**
- * Get all secrets for workspace with id [workspaceId]
- */
-export const getWorkspaceSecrets = async (req: Request, res: Response) => {
-    const { workspaceId } = req.params;
-
-    const secrets = await Secret.find({
-        workspace: new Types.ObjectId (workspaceId)
-    });
-    
-    return res.status(200).send({
-        secrets
-    });
-}
-
-/**
- * Update blind indices for secrets in workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
-export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
-    interface SecretToUpdate {
-        secretName: string;
-        _id: string;
-    }
-
-    const { workspaceId } = req.params;
-    const { 
-        secretsToUpdate 
-    }: {
-        secretsToUpdate: SecretToUpdate[];
-    } = req.body;
-
-    // get secret blind index salt
-    const salt = await SecretService.getSecretBlindIndexSalt({
-        workspaceId: new Types.ObjectId(workspaceId)
-    });
-
-    // update secret blind indices
-    const operations = await Promise.all(
-        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
-            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
-                secretName: secretToUpdate.secretName,
-                salt
-            });
-    
-            return ({
-                updateOne: {
-                    filter: {
-                        _id: new Types.ObjectId(secretToUpdate._id)
-                    },
-                    update: {
-                        secretBlindIndex
-                    }
-                }
-            });
-        })
-    );
-
-    await Secret.bulkWrite(operations);
-
-    return res.status(200).send({
-        message: 'Successfully named workspace secrets'
-    });
-}
--- a/backend/src/controllers/workspaceController.ts
+++ b/backend/src/controllers/workspaceController.ts
@ -0,0 +1,337 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+	Workspace,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	IUser,
+	ServiceToken
+} from '../models';
+import {
+	createWorkspace as create,
+	deleteWorkspace as deleteWork
+} from '../helpers/workspace';
+import { addMemberships } from '../helpers/membership';
+import { ADMIN, COMPLETED, GRANTED } from '../variables';
+
+/**
+ * Return public keys of members of workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
+	let publicKeys;
+	try {
+		const { workspaceId } = req.params;
+
+		publicKeys = (
+			await Membership.find({
+				workspace: workspaceId
+			}).populate<{ user: IUser }>('user', 'publicKey')
+		)
+			.filter((m) => m.status === COMPLETED || m.status === GRANTED)
+			.map((member) => {
+				return {
+					publicKey: member.user.publicKey,
+					userId: member.user._id
+				};
+			});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace member public keys'
+		});
+	}
+
+	return res.status(200).send({
+		publicKeys
+	});
+};
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+	let users;
+	try {
+		const { workspaceId } = req.params;
+
+		users = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace members'
+		});
+	}
+
+	return res.status(200).send({
+		users
+	});
+};
+
+/**
+ * Return workspaces that user is part of
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaces = async (req: Request, res: Response) => {
+	let workspaces;
+	try {
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		).map((m) => m.workspace);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspaces'
+		});
+	}
+
+	return res.status(200).send({
+		workspaces
+	});
+};
+
+/**
+ * Return workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspace = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+
+		workspace = await Workspace.findOne({
+			_id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace'
+		});
+	}
+
+	return res.status(200).send({
+		workspace
+	});
+};
+
+/**
+ * Create new workspace named [workspaceName] under organization with id
+ * [organizationId] and add user as admin
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createWorkspace = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceName, organizationId } = req.body;
+
+		// validate organization membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: organizationId
+		});
+
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}
+
+		if (workspaceName.length < 1) {
+			throw new Error('Workspace names must be at least 1-character long');
+		}
+
+		// create workspace and add user as member
+		workspace = await create({
+			name: workspaceName,
+			organizationId
+		});
+
+		await addMemberships({
+			userIds: [req.user._id],
+			workspaceId: workspace._id.toString(),
+			roles: [ADMIN],
+			statuses: [GRANTED]
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create workspace'
+		});
+	}
+
+	return res.status(200).send({
+		workspace
+	});
+};
+
+/**
+ * Delete workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteWorkspace = async (req: Request, res: Response) => {
+	try {
+		const { workspaceId } = req.params;
+
+		// delete workspace
+		await deleteWork({
+			id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully deleted workspace'
+	});
+};
+
+/**
+ * Change name of workspace with id [workspaceId] to [name]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changeWorkspaceName = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { name } = req.body;
+
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				name
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change workspace name'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully changed workspace name',
+		workspace
+	});
+};
+
+/**
+ * Return integrations for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
+	let integrations;
+	try {
+		const { workspaceId } = req.params;
+
+		integrations = await Integration.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integrations'
+		});
+	}
+
+	return res.status(200).send({
+		integrations
+	});
+};
+
+/**
+ * Return (integration) authorizations for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceIntegrationAuthorizations = async (
+	req: Request,
+	res: Response
+) => {
+	let authorizations;
+	try {
+		const { workspaceId } = req.params;
+
+		authorizations = await IntegrationAuth.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integration authorizations'
+		});
+	}
+
+	return res.status(200).send({
+		authorizations
+	});
+};
+
+/**
+ * Return service service tokens for workspace [workspaceId] belonging to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceServiceTokens = async (
+	req: Request,
+	res: Response
+) => {
+	let serviceTokens;
+	try {
+		const { workspaceId } = req.params;
+
+		serviceTokens = await ServiceToken.find({
+			user: req.user._id,
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service tokens'
+		});
+	}
+	
+	return res.status(200).send({
+		serviceTokens
+	});
+}
--- a/backend/src/ee/controllers/index.ts
+++ b/backend/src/ee/controllers/index.ts
@ -0,0 +1,5 @@
+import * as stripeController from './stripeController';
+
+export {
+    stripeController
+}
--- a/backend/src/ee/controllers/v1/stripeController.ts
+++ b/backend/src/ee/controllers/v1/stripeController.ts
@ -1,7 +1,10 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../config';
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});

 /**
 * Handle service provisioning/un-provisioning via Stripe
@ -12,16 +15,12 @@ import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
 		// check request for valid stripe signature
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			await getStripeWebhookSecret()
+			STRIPE_WEBHOOK_SECRET // ?
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/ee/controllers/v1/actionController.ts
+++ b/backend/src/ee/controllers/v1/actionController.ts
@ -1,31 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Action, SecretVersion } from '../../models';
-import { ActionNotFoundError } from '../../../utils/errors';
-
-export const getAction = async (req: Request, res: Response) => {
-    let action;
-    try {
-        const { actionId } = req.params;
-        
-        action = await Action
-            .findById(actionId)
-            .populate([
-                'payload.secretVersions.oldSecretVersion',
-                'payload.secretVersions.newSecretVersion'
-            ]);
-        
-        if (!action) throw ActionNotFoundError({
-            message: 'Failed to find action'
-        });
-
-    } catch (err) {
-        throw ActionNotFoundError({
-            message: 'Failed to find action'
-        });
-    }
-    
-    return res.status(200).send({
-        action
-    });
-}
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -1,15 +0,0 @@
-import * as stripeController from './stripeController';
-import * as secretController from './secretController';
-import * as secretSnapshotController from './secretSnapshotController';
-import * as workspaceController from './workspaceController';
-import * as actionController from './actionController';
-import * as membershipController from './membershipController';
-
-export {
-    stripeController,
-    secretController,
-    secretSnapshotController,
-    workspaceController,
-    actionController,
-    membershipController
-}
--- a/backend/src/ee/controllers/v1/membershipController.ts
+++ b/backend/src/ee/controllers/v1/membershipController.ts
@ -1,64 +0,0 @@
-import { Request, Response } from "express";
-import { Membership, Workspace } from "../../../models";
-import { IMembershipPermission } from "../../../models/membership";
-import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
-import { ADMIN, MEMBER } from "../../../variables/organization";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
-import { Builder } from "builder-pattern"
-import _ from "lodash";
-
-export const denyMembershipPermissions = async (req: Request, res: Response) => {
-  const { membershipId } = req.params;
-  const { permissions } = req.body;
-  const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
-    if (!permission.ability || !permission.environmentSlug || ![PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS].includes(permission.ability)) {
-      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
-    }
-
-    return Builder<IMembershipPermission>()
-      .environmentSlug(permission.environmentSlug)
-      .ability(permission.ability)
-      .build();
-  })
-
-  const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
-
-  const membershipToModify = await Membership.findById(membershipId)
-  if (!membershipToModify) {
-    throw BadRequestError({ message: "Unable to locate resource" })
-  }
-
-  // check if the user making the request is a admin of this project 
-  if (![ADMIN, MEMBER].includes(membershipToModify.role)) {
-    throw UnauthorizedRequestError()
-  }
-
-  // check if the requested slugs are indeed a part of this related workspace 
-  const relatedWorkspace = await Workspace.findById(membershipToModify.workspace)
-  if (!relatedWorkspace) {
-    throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
-  }
-
-  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
-
-  sanitizedMembershipPermissionsUnique.forEach(permission => {
-    if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
-      throw BadRequestError({ message: "Unknown environment slug reference" })
-    }
-  })
-
-  // update the permissions 
-  const updatedMembershipWithPermissions = await Membership.findByIdAndUpdate(
-    { _id: membershipToModify._id },
-    { $set: { deniedPermissions: sanitizedMembershipPermissionsUnique } },
-    { new: true }
-  )
-
-  if (!updatedMembershipWithPermissions) {
-    throw BadRequestError({ message: "The resource has been removed before it can be modified" })
-  }
-
-  res.send({
-    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
-  })
-}
--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -1,227 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Secret } from '../../../models';
-import { SecretVersion } from '../../models';
-import { EESecretService } from '../../services';
-
-/**
- * Return secret versions for secret with id [secretId]
- * @param req 
- * @param res 
- */
- export const getSecretVersions = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return secret versions'
-    #swagger.description = 'Return secret versions'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['secretId'] = {
-		"description": "ID of secret",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of versions to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of versions to return",
-		"required": false,
-		"type": "string"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-                    "type": "object",
-					"properties": {
-						"secretVersions": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/SecretVersion" 
-							},
-							"description": "Secret versions"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let secretVersions;
-	try {
-		const { secretId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretVersions = await SecretVersion.find({
-			secret: secretId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret versions'
-		});
-	}
-	
-	return res.status(200).send({
-		secretVersions
-	});
-}
-
-/**
- * Roll back secret with id [secretId] to version [version]
- * @param req 
- * @param res 
- * @returns 
- */
-export const rollbackSecretVersion = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Roll back secret to a version.'
-    #swagger.description = 'Roll back secret to a version.'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['secretId'] = {
-		"description": "ID of secret",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "version": {
-                    "type": "integer",
-                    "description": "Version of secret to roll back to"
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-                    "type": "object",
-					"properties": {
-						"secret": {
-							"type": "object",
-							$ref: "#/components/schemas/Secret",
-							"description": "Secret rolled back to"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let secret;
-	try {
-		const { secretId } = req.params;
-		const { version } = req.body;
-		
-		// validate secret version
-		const oldSecretVersion = await SecretVersion.findOne({
-			secret: secretId,
-			version
-		}).select('+secretBlindIndex')
-		
-		if (!oldSecretVersion) throw new Error('Failed to find secret version');
-		
-		const {
-			workspace,
-			type,
-			user,
-			environment,
-			secretBlindIndex,
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag,
-		} = oldSecretVersion;
-		
-		// update secret
-		secret = await Secret.findByIdAndUpdate(
-			secretId,
-			{
-				$inc: {
-					version: 1
-				},
-				workspace,
-				type,
-				user,
-				environment,
-				...(secretBlindIndex ? { secretBlindIndex } : {}),
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-			},
-			{
-				new: true
-			}
-		);
-		
-		if (!secret) throw new Error('Failed to find and update secret');
-
-		// add new secret version
-		await new SecretVersion({
-			secret: secretId,
-			version: secret.version,
-			workspace,
-			type,
-			user,
-			environment,
-			isDeleted: false,
-			...(secretBlindIndex ? { secretBlindIndex } : {}),
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag
-		}).save();
-		
-		// take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace
-		});
-		
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret version'
-		});
-	}
-	
-	return res.status(200).send({
-		secret
-	});
-}
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -1,33 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretSnapshot } from '../../models';
-
-/**
- * Return secret snapshot with id [secretSnapshotId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecretSnapshot = async (req: Request, res: Response) => {
-    let secretSnapshot;
-    try {
-        const { secretSnapshotId } = req.params;
-
-        secretSnapshot = await SecretSnapshot
-            .findById(secretSnapshotId)
-            .populate('secretVersions');
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshot'
-		});
-    }
-    
-    return res.status(200).send({
-        secretSnapshot
-    });
-}
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -1,442 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Secret
-} from '../../../models';
-import { 
-	SecretSnapshot,
-	Log,
-	SecretVersion,
-	ISecretVersion
-} from '../../models';
-import { EESecretService } from '../../services';
-import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
-
-/**
- * Return secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
- export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return project secret snapshot ids'
-    #swagger.description = 'Return project secret snapshots ids'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of secret snapshots to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of secret snapshots to return",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-					"type": "object",
-					"properties": {
-						"secretSnapshots": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/SecretSnapshot" 
-							},
-							"description": "Project secret snapshots"
-						}
-					}
-                }
-            }           
-        }
-    }
-    */
-	let secretSnapshots;
-	try {
-		const { workspaceId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretSnapshots = await SecretSnapshot.find({
-			workspace: workspaceId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		secretSnapshots
-	});
-}
-
-/**
- * Return count of secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
-export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
-	let count;
-	try {
-		const { workspaceId } = req.params;
-		count = await SecretSnapshot.countDocuments({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to count number of secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		count
-	});
-}
-
-/**
- * Rollback secret snapshot with id [secretSnapshotId] to version [version]
- * @param req 
- * @param res 
- * @returns 
- */
-export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
-    #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "version": {
-                    "type": "integer",
-                    "description": "Version of secret snapshot to roll back to",
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-                    "type": "object",
-					"properties": {
-						"secrets": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Secret" 
-							},
-							"description": "Secrets rolled back to"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	
-	let secrets;
-    try {	
-        const { workspaceId } = req.params;
-        const { version } = req.body;
-        
-		// validate secret snapshot
-		const secretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId,
-			version
-		}).populate<{ secretVersions: ISecretVersion[]}>({
-			path: 'secretVersions',
-			select: '+secretBlindIndex'
-		});
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-
-		// TODO: fix any
-		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
-			.reduce((accumulator, s) => ({ 
-				...accumulator, 
-				[`${s.secret.toString()}`]: s 
-			}), {});	
-		
-		const latestSecretVersionIds = await getLatestSecretVersionIds({
-			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
-		});
-		
-		// TODO: fix any
-		const latestSecretVersions: any = (await SecretVersion.find({
-			_id: {
-				$in: latestSecretVersionIds.map((s) => s.versionId)
-			}
-		}, 'secret version'))
-		.reduce((accumulator, s) => ({ 
-			...accumulator, 
-			[`${s.secret.toString()}`]: s 
-		}), {});
-		
-		// delete existing secrets
-		await Secret.deleteMany({
-			workspace: workspaceId
-		});
-
-		// add secrets
-        secrets = await Secret.insertMany(
-			secretSnapshot.secretVersions.map((sv) => {
-				const secretId = sv.secret;
-				const {
-					workspace,
-					type,
-					user,
-					environment,
-					secretBlindIndex,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					createdAt
-				} = oldSecretVersionsObj[secretId.toString()];
-				
-				return ({
-					_id: secretId,
-					version: latestSecretVersions[secretId.toString()].version + 1,
-					workspace,
-					type,
-					user,
-					environment,
-					secretBlindIndex: secretBlindIndex ?? undefined,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					secretCommentCiphertext: '',
-					secretCommentIV: '',
-					secretCommentTag: '',
-					createdAt
-				});
-			})
-		);
-		
-		// add secret versions
-		const secretV = await SecretVersion.insertMany(
-			secrets.map(({
-				_id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				secretBlindIndex,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}) => ({
-				_id: new Types.ObjectId(),
-				secret: _id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				isDeleted: false,
-				secretBlindIndex: secretBlindIndex ?? undefined,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}))
-		);
-		
-		// update secret versions of restored secrets as not deleted
-		await SecretVersion.updateMany({
-			secret: {
-				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
-			}
-		}, {
-			isDeleted: false
-		});
-		
-        // take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId: new Types.ObjectId(workspaceId)
-		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret snapshot'
-		}); 
-    }
-    
-	return res.status(200).send({
-		secrets
-	});
-}
-
-/**
- * Return (audit) logs for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getWorkspaceLogs = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return project (audit) logs'
-    #swagger.description = 'Return project (audit) logs'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['userId'] = {
-		"description": "ID of project member",
-		"required": false,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of logs to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of logs to return",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['sortBy'] = {
-		"description": "Order to sort the logs by",
-		"schema": {
-			"type": "string",
-			"@enum": ["oldest", "recent"]
-		},
-		"required": false
-	}
-
-	#swagger.parameters['actionNames'] = {
-		"description": "Names of log actions (comma-separated)",
-		"required": false,
-		"type": "string"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-					"type": "object",
-					"properties": {
-						"logs": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Log" 
-							},
-							"description": "Project logs"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let logs
-	try {
-		const { workspaceId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		const sortBy: string = req.query.sortBy as string;
-		const userId: string = req.query.userId as string;
-		const actionNames: string = req.query.actionNames as string;
-		
-		logs = await Log.find({
-			workspace: workspaceId,
-			...( userId ? { user: userId } : {}),
-			...( 
-				actionNames 
-				? { 
-					actionNames: {
-						$in: actionNames.split(',')
-					}
-				} : {}
-			)
-		})
-		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
-		.skip(offset)
-		.limit(limit)
-		.populate('actions')
-		.populate('user serviceAccount serviceTokenData');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace logs'
-		});
-	}
-	
-	return res.status(200).send({
-		logs
-	});
-}
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,195 +0,0 @@
-import { Types } from 'mongoose';
-import { Action } from '../models';
-import { 
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-} from '../helpers/secretVersion';
-import { 
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from '../../variables';
-
-/**
- * Create an (audit) action for updating secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionUpdateSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-            secretIds,
-            n: 2
-        }))
-        .map((s) => ({
-            oldSecretVersion: s.versions[0]._id,
-            newSecretVersion: s.versions[1]._id
-        }));
-    
-    const action = await new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId,
-        payload: {
-            secretVersions: latestSecretVersions
-        }
-    }).save();
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for creating, reading, and deleting
- * secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    // case: action is adding, deleting, or reading secrets
-    // -> add new secret versions
-    const latestSecretVersions = (await getLatestSecretVersionIds({
-        secretIds
-    }))
-    .map((s) => ({
-        newSecretVersion: s.versionId
-    }));
-    
-   const action = await new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId,
-        payload: {
-            secretVersions: latestSecretVersions
-        }
-    }).save(); 
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for client with id [userId],
- * [serviceAccountId], or [serviceTokenDataId]
- * @param {Object} obj 
- * @param {String} obj.name - name of action
- * @param {String} obj.userId - id of user associated with action
- * @returns 
- */
-const createActionClient = ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-}) => {
-    const action = new Action({
-        name,
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId
-    }).save();
-
-    return action; 
-}
-
-/**
- * Create an (audit) action. 
- * @param {Object} obj
- * @param {Object} obj.name - name of action
- * @param {Types.ObjectId} obj.userId - id of user associated with action
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
- * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
-*/
-const createActionHelper = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    secretIds?: Types.ObjectId[];
-}) => {
-    let action;
-    switch (name) {
-        case ACTION_LOGIN:
-        case ACTION_LOGOUT:
-            action = await createActionClient({
-                name,
-                userId
-            });
-            break;
-        case ACTION_ADD_SECRETS:
-        case ACTION_READ_SECRETS:
-        case ACTION_DELETE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-            action = await createActionSecret({
-                name,
-                userId,
-                workspaceId,
-                secretIds
-            });
-            break;
-        case ACTION_UPDATE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-            action = await createActionUpdateSecret({
-                name,
-                userId,
-                workspaceId,
-                secretIds
-            });
-            break;
-    }
-    
-    return action;
-}
-
-export { 
-    createActionHelper
-};
--- a/backend/src/ee/helpers/checkMembershipPermissions.ts
+++ b/backend/src/ee/helpers/checkMembershipPermissions.ts
@ -1,55 +0,0 @@
-import { Types } from 'mongoose';
-import _ from "lodash";
-import { Membership } from "../../models";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
-
-export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return false
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: action });
-
-  if (isDisallowed) {
-    return false
-  }
-
-  return true
-}
-
-export const userHasWriteOnlyAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return false
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-
-  // case: you have write only if read is blocked and write is not
-  if (isReadDisallowed && !isWriteDisallowed) {
-    return true
-  }
-
-  return false
-}
-
-export const userHasNoAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return true
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-
-  if (isReadBlocked && isWriteDisallowed) {
-    return true
-  }
-
-  return false
-}
--- a/backend/src/ee/helpers/license.ts
+++ b/backend/src/ee/helpers/license.ts
@ -0,0 +1,21 @@
+
+/**
+ * @param {Object} obj
+ * @param {Object} obj.licenseKey - Infisical license key
+ */
+const checkLicenseKey = ({
+    licenseKey
+}: {
+    licenseKey: string
+}) => {
+    try {
+        // TODO
+
+    } catch (err) {
+
+    }
+}
+
+export {
+    checkLicenseKey
+}
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,50 +0,0 @@
-import { Types } from 'mongoose';
-import { 
-    Log,
-    IAction
-} from '../models';
-
-/**
- * Create an (audit) log
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId - id of user associated with the log
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
- * @param {IAction[]} obj.actions - actions to include in log
- * @param {String} obj.channel - channel (web/cli/auto) associated with the log
- * @param {String} obj.ipAddress - ip address associated with the log
- * @returns {Log} log - new audit log
- */
-const createLogHelper = async ({
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    actions,
-    channel,
-    ipAddress
-}: {
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    actions: IAction[];
-    channel: string;
-    ipAddress: string;
-}) => {
-    const log = await new Log({
-        user: userId,
-        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
-        workspace: workspaceId ?? undefined,
-        actionNames: actions.map((a) => a.name),
-        actions,
-        channel,
-        ipAddress
-    }).save();
-
-    return log;
-}
-
-export {
-    createLogHelper
-}
--- a/backend/src/ee/helpers/secret.ts
+++ b/backend/src/ee/helpers/secret.ts
@ -1,144 +0,0 @@
-import { Types } from "mongoose";
-import { Secret, ISecret } from "../../models";
-import { SecretSnapshot, SecretVersion, ISecretVersion } from "../models";
-
-/**
- * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
- * [workspaceId] under a new snapshot with incremented version under the
- * secretsnapshots collection.
- * @param {Object} obj
- * @param {String} obj.workspaceId
- * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
- */
-const takeSecretSnapshotHelper = async ({
-  workspaceId,
-}: {
-  workspaceId: Types.ObjectId;
-}) => {
-  const secretIds = (
-    await Secret.find(
-      {
-        workspace: workspaceId,
-      },
-      "_id"
-    )
-  ).map((s) => s._id);
-
-  const latestSecretVersions = (
-    await SecretVersion.aggregate([
-      {
-        $match: {
-          secret: {
-            $in: secretIds,
-          },
-        },
-      },
-      {
-        $group: {
-          _id: "$secret",
-          version: { $max: "$version" },
-          versionId: { $max: "$_id" }, // secret version id
-        },
-      },
-      {
-        $sort: { version: -1 },
-      },
-    ]).exec()
-  ).map((s) => s.versionId);
-
-  const latestSecretSnapshot = await SecretSnapshot.findOne({
-    workspace: workspaceId,
-  }).sort({ version: -1 });
-
-  const secretSnapshot = await new SecretSnapshot({
-    workspace: workspaceId,
-    version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
-    secretVersions: latestSecretVersions,
-  }).save();
-
-  return secretSnapshot;
-};
-
-/**
- * Add secret versions [secretVersions] to the SecretVersion collection.
- * @param {Object} obj
- * @param {Object[]} obj.secretVersions
- * @returns {SecretVersion[]} newSecretVersions - new secret versions
- */
-const addSecretVersionsHelper = async ({
-  secretVersions,
-}: {
-  secretVersions: ISecretVersion[];
-}) => {
-  const newSecretVersions = await SecretVersion.insertMany(secretVersions);
-
-  return newSecretVersions;
-};
-
-const markDeletedSecretVersionsHelper = async ({
-  secretIds,
-}: {
-  secretIds: Types.ObjectId[];
-}) => {
-  await SecretVersion.updateMany(
-    {
-      secret: { $in: secretIds },
-    },
-    {
-      isDeleted: true,
-    },
-    {
-      new: true,
-    }
-  );
-};
-
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-  await Secret.updateMany(
-    { version: { $exists: false } },
-    { $set: { version: 1 } }
-  );
-
-  const unversionedSecrets: ISecret[] = await Secret.aggregate([
-    {
-      $lookup: {
-        from: "secretversions",
-        localField: "_id",
-        foreignField: "secret",
-        as: "versions",
-      },
-    },
-    {
-      $match: {
-        versions: { $size: 0 },
-      },
-    },
-  ]);
-
-  if (unversionedSecrets.length > 0) {
-    await addSecretVersionsHelper({
-      secretVersions: unversionedSecrets.map(
-        (s, idx) =>
-          new SecretVersion({
-            ...s,
-            secret: s._id,
-            version: s.version ? s.version : 1,
-            isDeleted: false,
-            workspace: s.workspace,
-            environment: s.environment,
-          })
-      ),
-    });
-  }
-};
-
-export {
-  takeSecretSnapshotHelper,
-  addSecretVersionsHelper,
-  markDeletedSecretVersionsHelper,
-  initSecretVersioningHelper,
-};
--- a/backend/src/ee/helpers/secretVersion.ts
+++ b/backend/src/ee/helpers/secretVersion.ts
@ -1,92 +0,0 @@
-import { Types } from 'mongoose';
-import { SecretVersion } from '../models';
-
-/**
- * Return latest secret versions for secrets with ids [secretIds]
- * @param {Object} obj
- * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @returns 
- */
-const getLatestSecretVersionIds = async ({
-    secretIds
-}: {
-    secretIds: Types.ObjectId[];
-}) => {
-    interface LatestSecretVersionId {
-        _id: Types.ObjectId;
-        version: number;
-        versionId: Types.ObjectId;
-    }
-    
-    const latestSecretVersionIds = (await SecretVersion.aggregate([
-        {
-            $match: { 
-                secret: { 
-                    $in: secretIds 
-                } 
-            }
-        },
-        {
-            $group: {
-                _id: '$secret',
-                version: { $max: '$version' },
-                versionId: { $max: '$_id' } // id of latest secret version
-            }
-        },
-        {
-            $sort: { version: -1 }
-        }
-        ])
-        .exec());
-    
-    return latestSecretVersionIds;
-}
-
-/**
- * Return latest [n] secret versions for secrets with ids [secretIds]
- * @param {Object} obj
- * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @param {Number} obj.n - number of latest secret versions to return for each secret
- * @returns 
- */
-const getLatestNSecretSecretVersionIds = async ({
-    secretIds,
-    n
-}: {
-    secretIds: Types.ObjectId[];
-    n: number;
-}) => {
-    // TODO: optimize query
-    const latestNSecretVersions = (await SecretVersion.aggregate([
-        {
-            $match: {
-            secret: {
-                $in: secretIds,
-            },
-            },
-        },
-        {
-            $sort: { version: -1 },
-        },
-        {
-            $group: {
-            _id: "$secret",
-            versions: { $push: "$$ROOT" },
-            },
-        },
-        {
-            $project: {
-            _id: 0,
-            secret: "$_id",
-            versions: { $slice: ["$versions", n] },
-            },
-        }
-    ]));
-    
-    return latestNSecretVersions;
-}
-
-export {
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-}
--- a/backend/src/ee/middleware/index.ts
+++ b/backend/src/ee/middleware/index.ts
@ -1,7 +0,0 @@
-import requireLicenseAuth from './requireLicenseAuth';
-import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
-
-export {
-    requireLicenseAuth,
-    requireSecretSnapshotAuth
-}
--- a/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
+++ b/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
@ -1,43 +0,0 @@
-import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
-import { SecretSnapshot } from '../models';
-import {
-    validateMembership
-} from '../../helpers/membership';
-
-/**
- * Validate if user on request has proper membership for secret snapshot
- * @param {Object} obj
- * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
- * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
- */
-const requireSecretSnapshotAuth = ({
-    acceptedRoles,
-}: {
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        const { secretSnapshotId } = req.params;
-        
-        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-        
-        if (!secretSnapshot) {
-            return next(SecretSnapshotNotFoundError({
-                message: 'Failed to find secret snapshot'
-            }));
-        }
-        
-        await validateMembership({
-            userId: req.user._id,
-            workspaceId: secretSnapshot.workspace,
-            acceptedRoles
-        });
-        
-        req.secretSnapshot = secretSnapshot as any;
-
-        next();
-    }
-}
-
-export default requireSecretSnapshotAuth;
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -1,71 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
-
-export interface IAction {
-    name: string;
-    user?: Types.ObjectId,
-    serviceAccount?: Types.ObjectId,
-    serviceTokenData?: Types.ObjectId,
-    workspace?: Types.ObjectId,
-    payload?: {
-        secretVersions?: Types.ObjectId[]
-    }
-}
-
-const actionSchema = new Schema<IAction>(
-    {
-        name: {
-            type: String,
-            required: true,
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: 'User'
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace'
-        },
-        payload: {
-            secretVersions: [{
-                oldSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                },
-                newSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                }
-            }]
-        }
-    }, {
-        timestamps: true
-    }
-);
-
-const Action = model<IAction>('Action', actionSchema);
-
-export default Action;
--- a/backend/src/ee/models/index.ts
+++ b/backend/src/ee/models/index.ts
@ -1,15 +0,0 @@
-import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
-import SecretVersion, { ISecretVersion } from './secretVersion';
-import Log, { ILog } from './log';
-import Action, { IAction } from './action';
-
-export {
-    SecretSnapshot,
-    ISecretSnapshot,
-    SecretVersion,
-    ISecretVersion,
-    Log,
-    ILog,
-    Action,
-    IAction
-}
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -1,73 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
-
-export interface ILog {
-    _id: Types.ObjectId;
-    user?: Types.ObjectId;
-    serviceAccount?: Types.ObjectId;
-    serviceTokenData?: Types.ObjectId;
-    workspace?: Types.ObjectId;
-    actionNames: string[];
-    actions: Types.ObjectId[];
-    channel: string;
-    ipAddress?: string;
-}
-
-const logSchema = new Schema<ILog>(
-    {
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: 'User'
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace'
-        },
-        actionNames: {
-            type: [String],
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ],
-            required: true
-        },
-        actions: [{
-            type: Schema.Types.ObjectId,
-            ref: 'Action',
-            required: true
-        }],
-        channel: {
-            type: String,
-            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
-            required: true
-        },
-        ipAddress: {
-            type: String
-        }
-    }, {
-    timestamps: true
-}
-);
-
-const Log = model<ILog>('Log', logSchema);
-
-export default Log;
--- a/backend/src/ee/models/secretSnapshot.ts
+++ b/backend/src/ee/models/secretSnapshot.ts
@ -1,33 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-
-export interface ISecretSnapshot {
-    workspace: Types.ObjectId;
-    version: number;
-    secretVersions: Types.ObjectId[];
-}
-
-const secretSnapshotSchema = new Schema<ISecretSnapshot>(
-    {
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
-        },
-        version: {
-            type: Number,
-            required: true
-        },
-        secretVersions: [{
-            type: Schema.Types.ObjectId,
-            ref: 'SecretVersion',
-            required: true
-        }]
-    },
-    {
-        timestamps: true
-    }
-);
-
-const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
-
-export default SecretSnapshot;
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -1,97 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-import {
-	SECRET_SHARED,
-	SECRET_PERSONAL,
-} from '../../variables';
-
-export interface ISecretVersion {
-	_id: Types.ObjectId;
-	secret: Types.ObjectId;
-	version: number;
-	workspace: Types.ObjectId; // new
-	type: string; // new
-	user?: Types.ObjectId; // new
-	environment: string; // new
-	isDeleted: boolean;
-	secretBlindIndex?: string;
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-}
-
-const secretVersionSchema = new Schema<ISecretVersion>(
-	{
-		secret: { // could be deleted
-			type: Schema.Types.ObjectId,
-			ref: 'Secret',
-			required: true
-		},
-		version: {
-			type: Number,
-			default: 1,
-			required: true
-		},
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace',
-			required: true
-		},
-		type: {
-			type: String,
-			enum: [SECRET_SHARED, SECRET_PERSONAL],
-			required: true
-		},
-		user: {
-			// user associated with the personal secret
-			type: Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		environment: {
-			type: String,
-			required: true
-		},
-		isDeleted: { // consider removing field
-			type: Boolean,
-			default: false,
-			required: true
-		},
-		secretBlindIndex: {
-			type: String,
-			select: false
-		},
-		secretKeyCiphertext: {
-			type: String,
-			required: true
-		},
-		secretKeyIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueCiphertext: {
-			type: String,
-			required: true
-		},
-		secretValueIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueTag: {
-			type: String, // symmetric
-			required: true
-		}
-	},
-	{
-		timestamps: true
-	}
-);
-
-const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
-
-export default SecretVersion;
--- a/backend/src/ee/routes/v1/stripe.ts
+++ b/backend/src/ee/routes/v1/stripe.ts
@ -1,6 +1,6 @@
 import express from 'express';
 const router = express.Router();
-import { stripeController } from '../../controllers/v1';
+import { stripeController } from '../controllers';

 router.post('/webhook', stripeController.handleWebhook);

--- a/backend/src/ee/routes/v1/action.ts
+++ b/backend/src/ee/routes/v1/action.ts
@ -1,17 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    validateRequest
-} from '../../../middleware';
-import { param } from 'express-validator';
-import { actionController } from '../../controllers/v1';
-
-// TODO: put into action controller
-router.get(
-    '/:actionId',
-    param('actionId').exists().trim(),
-    validateRequest,
-    actionController.getAction
-);
-
-export default router;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,11 +0,0 @@
-import secret from './secret';
-import secretSnapshot from './secretSnapshot';
-import workspace from './workspace';
-import action from './action';
-
-export {
-    secret,
-    secretSnapshot,
-    workspace,
-    action
-}
--- a/backend/src/ee/routes/v1/secret.ts
+++ b/backend/src/ee/routes/v1/secret.ts
@ -1,47 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    requireAuth,
-	requireSecretAuth,
-    validateRequest
-} from '../../../middleware';
-import { query, param, body } from 'express-validator';
-import { secretController } from '../../controllers/v1';
-import {
-	ADMIN, 
-	MEMBER,
-	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../../../variables';
-
-router.get(
-	'/:secretId/secret-versions',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS]
-	}),
-	param('secretId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	secretController.getSecretVersions
-);
-
-router.post(
-	'/:secretId/secret-versions/rollback',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
-	}),
-	param('secretId').exists().trim(),
-	body('version').exists().isInt(),
-	secretController.rollbackSecretVersion
-);
-
-export default router;
--- a/backend/src/ee/routes/v1/secretSnapshot.ts
+++ b/backend/src/ee/routes/v1/secretSnapshot.ts
@ -1,27 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    requireSecretSnapshotAuth
-} from '../../middleware';
-import {
-    requireAuth,
-    validateRequest
-} from '../../../middleware';
-import { param, body } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { secretSnapshotController } from '../../controllers/v1';
-
-router.get(
-    '/:secretSnapshotId',
-    requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-    requireSecretSnapshotAuth({
-        acceptedRoles: [ADMIN, MEMBER]
-    }),
-    param('secretSnapshotId').exists().trim(),
-    validateRequest,
-    secretSnapshotController.getSecretSnapshot
-);
-
-export default router;
--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -1,76 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-	requireAuth,
-	requireWorkspaceAuth,
-	validateRequest
-} from '../../../middleware';
-import { param, query, body } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { workspaceController } from '../../controllers/v1';
-
-router.get(
-	'/:workspaceId/secret-snapshots',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshots
-);
-
-router.get(
-	'/:workspaceId/secret-snapshots/count',
-	requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshotsCount
-);
-
-router.post(
-	'/:workspaceId/secret-snapshots/rollback',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	body('version').exists().isInt(),
-	validateRequest,
-	workspaceController.rollbackWorkspaceSecretSnapshot
-);
-
-router.get(
-	'/:workspaceId/logs',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	query('sortBy'),
-	query('userId'),
-	query('actionNames'),
-	validateRequest,
-	workspaceController.getWorkspaceLogs
-);
-
-export default router;
--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -1,17 +0,0 @@
-/**
- * Class to handle Enterprise Edition license actions
- */
-class EELicenseService {
-    
-    private readonly _isLicenseValid: boolean;
-    
-    constructor(licenseKey: string) {
-        this._isLicenseValid = true;
-    }
-
-    public get isLicenseValid(): boolean {
-        return this._isLicenseValid;
-    }
-}
-
-export default new EELicenseService('N/A');
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -1,91 +0,0 @@
-import { Types } from 'mongoose';
-import { 
-    IAction
-} from '../models';
-import {
-    createLogHelper
-} from '../helpers/log';
-import {
-    createActionHelper
-} from '../helpers/action';
-import EELicenseService from './EELicenseService';
-
-/**
- * Class to handle Enterprise Edition log actions
- */
-class EELogService {
-    /**
-     * Create an (audit) log
-     * @param {Object} obj
-     * @param {String} obj.userId - id of user associated with the log
-     * @param {String} obj.workspaceId - id of workspace associated with the log
-     * @param {Action} obj.actions - actions to include in log
-     * @param {String} obj.channel - channel (web/cli/auto) associated with the log
-     * @param {String} obj.ipAddress - ip address associated with the log
-     * @returns {Log} log - new audit log
-     */
-    static async createLog({
-        userId,
-        serviceAccountId,
-        serviceTokenDataId,
-        workspaceId,
-        actions,
-        channel,
-        ipAddress
-    }: {
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        actions: IAction[];
-        channel: string;
-        ipAddress: string;
-    }) {
-        if (!EELicenseService.isLicenseValid) return null;
-        return await createLogHelper({
-            userId,
-            serviceAccountId,
-            serviceTokenDataId,
-            workspaceId,
-            actions,
-            channel,
-            ipAddress
-        })
-    }
-    
-    /**
-     * Create an (audit) action
-     * @param {Object} obj
-     * @param {String} obj.name - name of action
-     * @param {Types.ObjectId} obj.userId - id of user associated with the action
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
-     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
-     * @returns {Action} action - new action
-     */
-    static async createAction({
-        name,
-        userId,
-        serviceAccountId,
-        serviceTokenDataId,
-        workspaceId,
-        secretIds
-    }: {
-        name: string;
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        secretIds?: Types.ObjectId[];
-    }) {
-        return await createActionHelper({
-            name,
-            userId,
-            serviceAccountId,
-            serviceTokenDataId,
-            workspaceId,
-            secretIds
-        });
-    }
-}
-
-export default EELogService;
--- a/backend/src/ee/services/EESecretService.ts
+++ b/backend/src/ee/services/EESecretService.ts
@ -1,78 +0,0 @@
-import { Types } from 'mongoose';
-import { ISecretVersion } from '../models';
-import { 
-    takeSecretSnapshotHelper,
-    addSecretVersionsHelper,
-    markDeletedSecretVersionsHelper,
-    initSecretVersioningHelper
-} from '../helpers/secret';
-import EELicenseService from './EELicenseService';
-
-/**
- * Class to handle Enterprise Edition secret actions
- */
-class EESecretService {
-    
-    /**
-     * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
-     * [workspaceId] under a new snapshot with incremented version under the
-     * SecretSnapshot collection.
-     * Requires a valid license key [licenseKey]
-     * @param {Object} obj
-     * @param {String} obj.workspaceId
-     * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
-     */
-    static async takeSecretSnapshot({
-        workspaceId
-    }: {
-        workspaceId: Types.ObjectId;
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await takeSecretSnapshotHelper({ workspaceId });
-    }
-    
-    /**
-     * Add secret versions [secretVersions] to the SecretVersion collection.
-     * @param {Object} obj
-     * @param {Object[]} obj.secretVersions
-     * @returns {SecretVersion[]} newSecretVersions - new secret versions
-     */
-    static async addSecretVersions({
-        secretVersions
-    }: {
-        secretVersions: ISecretVersion[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await addSecretVersionsHelper({
-            secretVersions
-        });
-    }
-
-    /**
-     * Mark secret versions associated with secrets with ids [secretIds]
-     * as deleted.
-     * @param {Object} obj
-     * @param {ObjectId[]} obj.secretIds - secret ids
-     */
-    static async markDeletedSecretVersions({
-        secretIds
-    }: {
-        secretIds: Types.ObjectId[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        await markDeletedSecretVersionsHelper({
-            secretIds
-        });
-    }
-    
-    /**
-     * Initialize secret versioning by setting previously unversioned
-     * secrets to version 1 and begin populating secret versions.
-     */
-    static async initSecretVersioning() {
-        if (!EELicenseService.isLicenseValid) return; 
-        await initSecretVersioningHelper();
-    }
-}
-
-export default EESecretService;
--- a/backend/src/ee/services/index.ts
+++ b/backend/src/ee/services/index.ts
@ -1,9 +0,0 @@
-import EELicenseService from "./EELicenseService";
-import EESecretService from "./EESecretService";
-import EELogService from "./EELogService";
-
-export {
-    EELicenseService,
-    EESecretService,
-    EELogService
-}
--- a/backend/src/helpers/telemetry.ts
+++ b/backend/src/helpers/telemetry.ts
--- a/backend/src/events/secret.ts
+++ b/backend/src/events/secret.ts
@ -1,8 +1,4 @@
-import { Types } from 'mongoose';
-import { 
-    EVENT_PUSH_SECRETS, 
-    EVENT_PULL_SECRETS 
-} from '../variables';
+import { EVENT_PUSH_SECRETS } from '../variables';

 interface PushSecret {
 	ciphertextKey: string;
@ -24,34 +20,11 @@ interface PushSecret {
 */
 const eventPushSecrets = ({
    workspaceId,
-    environment
-}: {
-    workspaceId: Types.ObjectId;
-    environment?: string;
-}) => {
-    return ({
-        name: EVENT_PUSH_SECRETS,
-        workspaceId,
-        environment,
-        payload: {
-
-        }
-    });
-}
-
-/**
- * Return event for pulling secrets
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace to pull secrets from
- * @returns 
- */
-const eventPullSecrets = ({
-    workspaceId,
 }: {
    workspaceId: string;
 }) => {
    return ({
-        name: EVENT_PULL_SECRETS,
+        name: EVENT_PUSH_SECRETS,
        workspaceId,
        payload: {

--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -1,251 +1,14 @@
-import { Types } from 'mongoose';
 import jwt from 'jsonwebtoken';
-import bcrypt from 'bcrypt';
+import * as Sentry from '@sentry/node';
 import {
-	IUser,
-	User,
-	ServiceTokenData,
-	ServiceAccount,
-	APIKeyData
+	User
 } from '../models';
 import {
-	AccountNotFoundError,
-	ServiceTokenDataNotFoundError,
-	ServiceAccountNotFoundError,
-	APIKeyDataNotFoundError,
-	UnauthorizedRequestError,
-	BadRequestError
-} from '../utils/errors';
-import {
-	getJwtAuthLifetime,
-	getJwtAuthSecret,
-	getJwtRefreshLifetime,
-	getJwtRefreshSecret
+	JWT_AUTH_LIFETIME,
+	JWT_AUTH_SECRET,
+	JWT_REFRESH_LIFETIME,
+	JWT_REFRESH_SECRET
 } from '../config';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * 
- * @param {Object} obj
- * @param {Object} obj.headers - HTTP request headers object
- */
-const validateAuthMode = ({
-	headers,
-	acceptedAuthModes
-}: {
-	headers: { [key: string]: string | string[] | undefined },
-	acceptedAuthModes: string[]
-}) => {
-	// TODO: refactor middleware
-	const apiKey = headers['x-api-key'];
-	const authHeader = headers['authorization'];
-
-	let authMode, authTokenValue;
-	if (apiKey === undefined && authHeader === undefined) {
-		// case: no auth or X-API-KEY header present
-		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
-	}
-
-	if (typeof apiKey === 'string') {
-		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authMode = AUTH_MODE_API_KEY;
-		authTokenValue = apiKey;
-	}
-
-	if (typeof authHeader === 'string') {
-		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
-		const [tokenType, tokenValue] = <[string, string]>authHeader.split(' ', 2) ?? [null, null]
-		if (tokenType === null)
-			throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
-		if (tokenType.toLowerCase() !== 'bearer')
-			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
-		if (tokenValue === null)
-			throw BadRequestError({ message: 'Missing Authorization Body in the request header.' });
-
-		switch (tokenValue.split('.', 1)[0]) {
-			case 'st':
-				authMode = AUTH_MODE_SERVICE_TOKEN;
-				break;
-			case 'sa':
-				authMode = AUTH_MODE_SERVICE_ACCOUNT;
-				break;
-			default:
-				authMode = AUTH_MODE_JWT;
-		}
-
-		authTokenValue = tokenValue;
-	}
-
-	if (!authMode || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
-
-	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
-
-	return ({
-		authMode,
-		authTokenValue
-	});
-}
-
-/**
- * Return user payload corresponding to JWT token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - JWT token value
- * @returns {User} user - user corresponding to JWT token
- */
-const getAuthUserPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, await getJwtAuthSecret())
-	);
-
-	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
-
-	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
-
-	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
-
-	return user;
-}
-
-/**
- * Return service token data payload corresponding to service token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service token value
- * @returns {ServiceTokenData} serviceTokenData - service token data
- */
-const getAuthSTDPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-
-	let serviceTokenData = await ServiceTokenData
-		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
-
-	if (!serviceTokenData) {
-		throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate expired service token'
-		});
-	}
-
-	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate service token'
-	});
-
-	serviceTokenData = await ServiceTokenData
-		.findOneAndUpdate({
-			_id: new Types.ObjectId(TOKEN_IDENTIFIER)
-		}, {
-			lastUsed: new Date()
-		}, {
-			new: true
-		})
-		.select('+encryptedKey +iv +tag');
-
-	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-
-	return serviceTokenData;
-}
-
-/**
- * Return service account access key payload
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service account access token value
- * @returns {ServiceAccount} serviceAccount
- */
-const getAuthSAAKPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-
-	const serviceAccount = await ServiceAccount.findById(
-		Buffer.from(TOKEN_IDENTIFIER, 'base64').toString('hex')
-	).select('+secretHash');
-
-	if (!serviceAccount) {
-		throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
-	}
-
-	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
-	if (!result) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate service account access key'
-	});
-
-	return serviceAccount;
-}
-
-/**
- * Return API key data payload corresponding to API key [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - API key value
- * @returns {APIKeyData} apiKeyData - API key data
- */
-const getAuthAPIKeyPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-
-	let apiKeyData = await APIKeyData
-		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-		.populate<{ user: IUser }>('user', '+publicKey');
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-		// case: API key expired
-		await APIKeyData.findByIdAndDelete(apiKeyData._id);
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate expired API key'
-		});
-	}
-
-	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate API key'
-	});
-
-	apiKeyData = await APIKeyData.findOneAndUpdate({
-		_id: new Types.ObjectId(TOKEN_IDENTIFIER)
-	}, {
-		lastUsed: new Date()
-	}, {
-		new: true
-	});
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-	}
-
-	const user = await User.findById(apiKeyData.user).select('+publicKey');
-
-	if (!user) {
-		throw AccountNotFoundError({
-			message: 'Failed to find user'
-		});
-	}
-
-	return user;
-}

 /**
 * Return newly issued (JWT) auth and refresh tokens to user with id [userId]
@ -255,24 +18,31 @@ const getAuthAPIKeyPayload = async ({
 * @return {String} obj.token - issued JWT token
 * @return {String} obj.refreshToken - issued refresh token
 */
-const issueAuthTokens = async ({ userId }: { userId: string }) => {
+const issueTokens = async ({ userId }: { userId: string }) => {
+	let token: string;
+	let refreshToken: string;
+	try {
+		// issue tokens
+		token = createToken({
+			payload: {
+				userId
+			},
+			expiresIn: JWT_AUTH_LIFETIME,
+			secret: JWT_AUTH_SECRET
+		});

-	// issue tokens
-	const token = createToken({
-		payload: {
-			userId
-		},
-		expiresIn: await getJwtAuthLifetime(),
-		secret: await getJwtAuthSecret()
-	});
-
-	const refreshToken = createToken({
-		payload: {
-			userId
-		},
-		expiresIn: await getJwtRefreshLifetime(),
-		secret: await getJwtRefreshSecret()
-	});
+		refreshToken = createToken({
+			payload: {
+				userId
+			},
+			expiresIn: JWT_REFRESH_LIFETIME,
+			secret: JWT_REFRESH_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to issue tokens');
+	}

 	return {
 		token,
@ -286,14 +56,19 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
 * @param {String} obj.userId - id of user whose tokens are cleared.
 */
 const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
-	// increment refreshVersion on user by 1
-	User.findOneAndUpdate({
-		_id: userId
-	}, {
-		$inc: {
-			refreshVersion: 1
-		}
-	});
+	try {
+		// increment refreshVersion on user by 1
+		User.findOneAndUpdate({
+			_id: userId
+		}, {
+			$inc: {
+				refreshVersion: 1
+			}
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+	}
 };

 /**
@ -313,18 +88,15 @@ const createToken = ({
 	expiresIn: string | number;
 	secret: string;
 }) => {
-	return jwt.sign(payload, secret, {
-		expiresIn
-	});
+	try {
+		return jwt.sign(payload, secret, {
+			expiresIn
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to create a token');
+	}
 };

-export {
-	validateAuthMode,
-	getAuthUserPayload,
-	getAuthSTDPayload,
-	getAuthSAAKPayload,
-	getAuthAPIKeyPayload,
-	createToken,
-	issueAuthTokens,
-	clearTokens
-};
+export { createToken, issueTokens, clearTokens };
--- a/backend/src/helpers/bot.ts
+++ b/backend/src/helpers/bot.ts
@ -1,142 +1,59 @@
-import { Types } from "mongoose";
+import * as Sentry from '@sentry/node';
 import {
-  Bot,
-  BotKey,
-  Secret,
-  ISecret,
-  IUser,
-  User,
-  IServiceAccount,
-  ServiceAccount,
-  IServiceTokenData,
-  ServiceTokenData,
-} from "../models";
-import {
-  generateKeyPair,
-  encryptSymmetric,
-  decryptSymmetric,
-  decryptAsymmetric,
-} from "../utils/crypto";
-import {
-  SECRET_SHARED,
-  AUTH_MODE_JWT,
-  AUTH_MODE_SERVICE_ACCOUNT,
-  AUTH_MODE_SERVICE_TOKEN,
-  AUTH_MODE_API_KEY,
-} from "../variables";
-import { getEncryptionKey } from "../config";
-import { BotNotFoundError, UnauthorizedRequestError } from "../utils/errors";
-import { validateMembership } from "../helpers/membership";
-import { validateUserClientForWorkspace } from "../helpers/user";
-import { validateServiceAccountClientForWorkspace } from "../helpers/serviceAccount";
-
-/**
- * Validate authenticated clients for bot with id [botId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.botId - id of bot to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- */
-const validateClientForBot = async ({
-  authData,
-  botId,
-  acceptedRoles,
-}: {
-  authData: {
-    authMode: string;
-    authPayload: IUser | IServiceAccount | IServiceTokenData;
-  };
-  botId: Types.ObjectId;
-  acceptedRoles: Array<"admin" | "member">;
-}) => {
-  const bot = await Bot.findById(botId);
-
-  if (!bot) throw BotNotFoundError();
-
-  if (
-    authData.authMode === AUTH_MODE_JWT &&
-    authData.authPayload instanceof User
-  ) {
-    await validateUserClientForWorkspace({
-      user: authData.authPayload,
-      workspaceId: bot.workspace,
-      acceptedRoles,
-    });
-
-    return bot;
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
-    authData.authPayload instanceof ServiceAccount
-  ) {
-    await validateServiceAccountClientForWorkspace({
-      serviceAccount: authData.authPayload,
-      workspaceId: bot.workspace,
-    });
-
-    return bot;
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_SERVICE_TOKEN &&
-    authData.authPayload instanceof ServiceTokenData
-  ) {
-    throw UnauthorizedRequestError({
-      message: "Failed service token authorization for bot",
-    });
-  }
-
-  if (
-    authData.authMode === AUTH_MODE_API_KEY &&
-    authData.authPayload instanceof User
-  ) {
-    await validateUserClientForWorkspace({
-      user: authData.authPayload,
-      workspaceId: bot.workspace,
-      acceptedRoles,
-    });
-
-    return bot;
-  }
-
-  throw BotNotFoundError({
-    message: "Failed client authorization for bot",
-  });
-};
+    Bot,
+    BotKey,
+    Secret,
+    ISecret,
+    IUser
+} from '../models';
+import { 
+    generateKeyPair, 
+    encryptSymmetric,
+    decryptSymmetric,
+    decryptAsymmetric
+} from '../utils/crypto';
+import { decryptSecrets } from '../helpers/secret';
+import { ENCRYPTION_KEY } from '../config';
+import { SECRET_SHARED } from '../variables';

 /**
 * Create an inactive bot with name [name] for workspace with id [workspaceId]
- * @param {Object} obj
+ * @param {Object} obj 
 * @param {String} obj.name - name of bot
 * @param {String} obj.workspaceId - id of workspace that bot belongs to
 */
 const createBot = async ({
-  name,
-  workspaceId,
-}: {
-  name: string;
-  workspaceId: Types.ObjectId;
-}) => {
-  const { publicKey, privateKey } = generateKeyPair();
-  const { ciphertext, iv, tag } = encryptSymmetric({
-    plaintext: privateKey,
-    key: await getEncryptionKey(),
-  });
-
-  const bot = await new Bot({
    name,
-    workspace: workspaceId,
-    isActive: false,
-    publicKey,
-    encryptedPrivateKey: ciphertext,
-    iv,
-    tag,
-  }).save();
+    workspaceId,
+}: {
+    name: string;
+    workspaceId: string;
+}) => {
+    let bot;
+    try {
+        const { publicKey, privateKey } = generateKeyPair();
+        const { ciphertext, iv, tag } = encryptSymmetric({
+            plaintext: privateKey,
+            key: ENCRYPTION_KEY
+        });

-  return bot;
-};
+        bot = await new Bot({
+            name,
+            workspace: workspaceId,
+            isActive: false,
+            publicKey,
+            encryptedPrivateKey: ciphertext,
+            iv,
+            tag
+        }).save();
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to create bot');
+    }
+    
+    return bot;
+}

 /**
 * Return decrypted secrets for workspace with id [workspaceId]
@ -146,105 +63,125 @@ const createBot = async ({
 * @param {String} obj.environment - environment
 */
 const getSecretsHelper = async ({
-  workspaceId,
-  environment,
+    workspaceId,
+    environment
 }: {
-  workspaceId: Types.ObjectId;
-  environment: string;
+    workspaceId: string;
+    environment: string;
 }) => {
-  const content = {} as any;
-  const key = await getKey({ workspaceId: workspaceId.toString() });
-  const secrets = await Secret.find({
-    workspace: workspaceId,
-    environment,
-    type: SECRET_SHARED,
-  });
+    let content = {} as any;
+    try {
+        const key = await getKey({ workspaceId });
+        const secrets = await Secret.find({
+            workspaceId,
+            environment,
+            type: SECRET_SHARED
+        });
+        
+        secrets.forEach((secret: ISecret) => {
+            const secretKey = decryptSymmetric({
+                ciphertext: secret.secretKeyCiphertext,
+                iv: secret.secretKeyIV,
+                tag: secret.secretKeyTag,
+                key
+            });
+            
+            const secretValue = decryptSymmetric({
+                ciphertext: secret.secretValueCiphertext,
+                iv: secret.secretValueIV,
+                tag: secret.secretValueTag,
+                key
+            });

-  secrets.forEach((secret: ISecret) => {
-    const secretKey = decryptSymmetric({
-      ciphertext: secret.secretKeyCiphertext,
-      iv: secret.secretKeyIV,
-      tag: secret.secretKeyTag,
-      key,
-    });
+            content[secretKey] = secretValue;
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to get secrets');
+    }

-    const secretValue = decryptSymmetric({
-      ciphertext: secret.secretValueCiphertext,
-      iv: secret.secretValueIV,
-      tag: secret.secretValueTag,
-      key,
-    });
-
-    content[secretKey] = secretValue;
-  });
-
-  return content;
-};
+    return content;
+}

 /**
- * Return bot's copy of the workspace key for workspace
+ * Return bot's copy of the workspace key for workspace 
 * with id [workspaceId]
 * @param {Object} obj
 * @param {String} obj.workspaceId - id of workspace
 * @returns {String} key - decrypted workspace key
 */
 const getKey = async ({ workspaceId }: { workspaceId: string }) => {
-  const botKey = await BotKey.findOne({
-    workspace: workspaceId,
-  }).populate<{ sender: IUser }>("sender", "publicKey");
-
-  if (!botKey) throw new Error("Failed to find bot key");
-
-  const bot = await Bot.findOne({
-    workspace: workspaceId,
-  }).select("+encryptedPrivateKey +iv +tag");
-
-  if (!bot) throw new Error("Failed to find bot");
-  if (!bot.isActive) throw new Error("Bot is not active");
-
-  const privateKeyBot = decryptSymmetric({
-    ciphertext: bot.encryptedPrivateKey,
-    iv: bot.iv,
-    tag: bot.tag,
-    key: await getEncryptionKey(),
-  });
-
-  const key = decryptAsymmetric({
-    ciphertext: botKey.encryptedKey,
-    nonce: botKey.nonce,
-    publicKey: botKey.sender.publicKey as string,
-    privateKey: privateKeyBot,
-  });
-
-  return key;
-};
+    let key;
+    try {
+        const botKey = await BotKey.findOne({
+            workspace: workspaceId
+        }).populate<{ sender: IUser }>('sender', 'publicKey');
+        
+        if (!botKey) throw new Error('Failed to find bot key');
+        
+        const bot = await Bot.findOne({
+            workspace: workspaceId
+        }).select('+encryptedPrivateKey +iv +tag');
+        
+        if (!bot) throw new Error('Failed to find bot');
+        if (!bot.isActive) throw new Error('Bot is not active');
+        
+        const privateKeyBot = decryptSymmetric({
+            ciphertext: bot.encryptedPrivateKey,
+            iv: bot.iv,
+            tag: bot.tag,
+            key: ENCRYPTION_KEY
+        });
+        
+        key = decryptAsymmetric({
+            ciphertext: botKey.encryptedKey,
+            nonce: botKey.nonce,
+            publicKey: botKey.sender.publicKey as string,
+            privateKey: privateKeyBot
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to get workspace key');
+    }
+    
+    return key;
+}

 /**
 * Return symmetrically encrypted [plaintext] using the
- * key for workspace with id [workspaceId]
+ * key for workspace with id [workspaceId] 
 * @param {Object} obj1
 * @param {String} obj1.workspaceId - id of workspace
 * @param {String} obj1.plaintext - plaintext to encrypt
 */
 const encryptSymmetricHelper = async ({
-  workspaceId,
-  plaintext,
+    workspaceId,
+    plaintext
 }: {
-  workspaceId: Types.ObjectId;
-  plaintext: string;
+    workspaceId: string;
+    plaintext: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
-  const { ciphertext, iv, tag } = encryptSymmetric({
-    plaintext,
-    key,
-  });
-
-  return {
-    ciphertext,
-    iv,
-    tag,
-  };
-};
+    
+    try {
+        const key = await getKey({ workspaceId });
+        const { ciphertext, iv, tag } = encryptSymmetric({
+            plaintext,
+            key
+        });
+        
+        return ({
+            ciphertext,
+            iv,
+            tag
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to perform symmetric encryption with bot');
+    }
+}
 /**
 * Return symmetrically decrypted [ciphertext] using the
 * key for workspace with id [workspaceId]
@ -255,31 +192,39 @@ const encryptSymmetricHelper = async ({
 * @param {String} obj.tag - tag
 */
 const decryptSymmetricHelper = async ({
-  workspaceId,
-  ciphertext,
-  iv,
-  tag,
-}: {
-  workspaceId: Types.ObjectId;
-  ciphertext: string;
-  iv: string;
-  tag: string;
-}) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
-  const plaintext = decryptSymmetric({
+    workspaceId,
    ciphertext,
    iv,
-    tag,
-    key,
-  });
-
-  return plaintext;
-};
+    tag
+}: {
+    workspaceId: string;
+    ciphertext: string;
+    iv: string;
+    tag: string;
+}) => {
+    let plaintext;
+    try {
+        const key = await getKey({ workspaceId });
+        const plaintext = decryptSymmetric({
+            ciphertext,
+            iv,
+            tag,
+            key
+        });
+        
+        return plaintext;
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to perform symmetric decryption with bot');
+    }
+    
+    return plaintext;
+}

 export {
-  validateClientForBot,
-  createBot,
-  getSecretsHelper,
-  encryptSymmetricHelper,
-  decryptSymmetricHelper,
-};
+    createBot,
+    getSecretsHelper,
+    encryptSymmetricHelper,
+    decryptSymmetricHelper
+}
--- a/backend/src/helpers/database.ts
+++ b/backend/src/helpers/database.ts
@ -1,53 +0,0 @@
-import mongoose from 'mongoose';
-import { EESecretService } from '../ee/services';
-import { SecretService } from '../services';
-import { getLogger } from '../utils/logger';
-
-/**
- * Initialize database connection
- * @param {Object} obj
- * @param {String} obj.mongoURL - mongo connection string
- * @returns 
- */
-const initDatabaseHelper = async ({
-    mongoURL
-}: {
-    mongoURL: string;
-}) => {
-    try {
-        await mongoose.connect(mongoURL);
-    
-        // allow empty strings to pass the required validator
-        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
-
-        (await getLogger("database")).info("Database connection established");
-        
-        await EESecretService.initSecretVersioning();
-        await SecretService.initSecretBlindIndexDataHelper();
-    } catch (err) {
-        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
-    }
-
-    return mongoose.connection;
-}
-
-/**
- * Close database conection
- */
-const closeDatabaseHelper = async () => {
-    return Promise.all([
-        new Promise((resolve) => {
-            if (mongoose.connection && mongoose.connection.readyState == 1) {
-            mongoose.connection.close()
-                .then(() => resolve('Database connection closed'));
-            } else {
-            resolve('Database connection already closed');
-            }
-        })
-    ]);
-}
-
-export {
-    initDatabaseHelper,
-    closeDatabaseHelper
-}
--- a/backend/src/helpers/event.ts
+++ b/backend/src/helpers/event.ts
@ -1,13 +1,12 @@
-import { Types } from "mongoose";
-import { Bot, IBot } from "../models";
-import { EVENT_PUSH_SECRETS } from "../variables";
-import { IntegrationService } from "../services";
+import { Bot, IBot } from '../models';
+import * as Sentry from '@sentry/node';
+import { EVENT_PUSH_SECRETS } from '../variables';
+import { IntegrationService } from '../services';

 interface Event {
-  name: string;
-  workspaceId: Types.ObjectId;
-  environment?: string;
-  payload: any;
+    name: string;
+    workspaceId: string;
+    payload: any;
 }

 /**
@ -18,25 +17,35 @@ interface Event {
 * @param {String} obj.event.workspaceId - id of workspace that event is part of
 * @param {Object} obj.event.payload - payload of event (depends on event)
 */
-const handleEventHelper = async ({ event }: { event: Event }) => {
-  const { workspaceId, environment } = event;
+const handleEventHelper = async ({
+    event
+}: {
+    event: Event;
+}) => {
+    const { workspaceId } = event;
+    
+    // TODO: moduralize bot check into separate function
+    const bot = await Bot.findOne({
+        workspace: workspaceId,
+        isActive: true
+    });
+    
+    if (!bot) return;
+    
+    try {
+        switch (event.name) {
+            case EVENT_PUSH_SECRETS:
+                IntegrationService.syncIntegrations({
+                    workspaceId
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+    }
+}

-  // TODO: moduralize bot check into separate function
-  const bot = await Bot.findOne({
-    workspace: workspaceId,
-    isActive: true,
-  });
-
-  if (!bot) return;
-
-  switch (event.name) {
-    case EVENT_PUSH_SECRETS:
-      IntegrationService.syncIntegrations({
-        workspaceId,
-        environment,
-      });
-      break;
-  }
-};
-
-export { handleEventHelper };
+export {
+    handleEventHelper
+}
--- a/backend/src/helpers/integration.ts
+++ b/backend/src/helpers/integration.ts
@ -1,42 +1,19 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import {
    Bot,
    Integration,
+    IIntegration,
    IntegrationAuth,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData
+    IIntegrationAuth
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
-import { BotService } from '../services';
+import { BotService, IntegrationService } from '../services';
 import {
-    AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY,
+    ENV_DEV,
+    EVENT_PUSH_SECRETS,
    INTEGRATION_VERCEL,
    INTEGRATION_NETLIFY
 } from '../variables';
-import { 
-    UnauthorizedRequestError,
-    IntegrationAuthNotFoundError,
-    IntegrationNotFoundError
-} from '../utils/errors';
-import RequestError from '../utils/requestError';
-import {
-    validateClientForIntegrationAuth 
-} from '../helpers/integrationAuth';
-import {
-    validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import { IntegrationService } from '../services';

 interface Update {
    workspace: string;
@ -45,84 +22,6 @@ interface Update {
    accountId?: string;
 }

-/**
- * Validate authenticated clients for integration with id [integrationId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.integrationId - id of integration to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
- const validateClientForIntegration = async ({
-    authData,
-    integrationId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    integrationId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    
-    const integration = await Integration.findById(integrationId);
-    if (!integration) throw IntegrationNotFoundError();
-
-    const integrationAuth = await IntegrationAuth
-        .findById(integration.integrationAuth)
-        .select(
-			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-        );
-    
-    if (!integrationAuth) throw IntegrationAuthNotFoundError();
-
-    const accessToken = (await IntegrationService.getIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id
-    })).accessToken;
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: integration.workspace
-        });
-        
-        return ({ integration, accessToken });
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for integration'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for integration'
-    });
-}
-
 /**
 * Perform OAuth2 code-token exchange for workspace with id [workspaceId] and integration
 * named [integration]
@ -133,19 +32,17 @@ interface Update {
 * @param {String} obj.workspaceId - id of workspace
 * @param {String} obj.integration - name of integration 
 * @param {String} obj.code - code
- * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
 const handleOAuthExchangeHelper = async ({
    workspaceId,
    integration,
-    code,
-    environment
+    code
 }: {
    workspaceId: string;
    integration: string;
    code: string;
-    environment: string;
 }) => {
+    let action;
    let integrationAuth;
    try {
        const bot = await Bot.findOne({
@ -156,12 +53,12 @@ const handleOAuthExchangeHelper = async ({
        if (!bot) throw new Error('Bot must be enabled for OAuth2 code-token exchange');
        
        // exchange code for access and refresh tokens
-        const res = await exchangeCode({
+        let res = await exchangeCode({
            integration,
            code
        });
        
-        const update: Update = {
+        let update: Update = {
            workspace: workspaceId,
            integration
        }
@ -197,18 +94,25 @@ const handleOAuthExchangeHelper = async ({
            // set integration auth access token
            await setIntegrationAuthAccessHelper({
                integrationAuthId: integrationAuth._id.toString(),
-                accessId: null,
                accessToken: res.accessToken,
                accessExpiresAt: res.accessExpiresAt
            });
        }
+
+        // initialize new integration after exchange
+        await new Integration({
+            workspace: workspaceId,
+            environment: ENV_DEV,
+            isActive: false,
+            app: null,
+            integration,
+            integrationAuth: integrationAuth._id
+        }).save();
    } catch (err) {
        Sentry.setUser(null);
        Sentry.captureException(err);
        throw new Error('Failed to handle OAuth2 code-token exchange')
    }
-    
-    return integrationAuth;
 }
 /**
 * Sync/push environment variables in workspace with id [workspaceId] to
@ -217,19 +121,15 @@ const handleOAuthExchangeHelper = async ({
 * @param {Object} obj.workspaceId - id of workspace
 */
 const syncIntegrationsHelper = async ({
-    workspaceId,
-    environment
+    workspaceId
 }: {
-    workspaceId: Types.ObjectId;
-    environment?: string;
+    workspaceId: string;
 }) => {
    let integrations;
    try {
+
        integrations = await Integration.find({
            workspace: workspaceId,
-            ...(environment ? {
-                environment
-            } : {}),
            isActive: true,
            app: { $ne: null }
        });
@ -238,17 +138,17 @@ const syncIntegrationsHelper = async ({
        // to that integration
        for await (const integration of integrations) {
            // get workspace, environment (shared) secrets
-            const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace,
+            const secrets = await BotService.getSecrets({
+                workspaceId: integration.workspace.toString(),
                environment: integration.environment
            });
-
+            
            const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
            if (!integrationAuth) throw new Error('Failed to find integration auth');
            
            // get integration auth access token
-            const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth
+            const accessToken = await getIntegrationAuthAccessHelper({
+                integrationAuthId: integration.integrationAuth.toString()
            });

            // sync secrets to integration
@ -256,8 +156,7 @@ const syncIntegrationsHelper = async ({
                integration,
                integrationAuth,
                secrets,
-                accessId: access.accessId === undefined ? null : access.accessId,
-                accessToken: access.accessToken
+                accessToken
            });
        }
    } catch (err) {
@ -275,18 +174,17 @@ const syncIntegrationsHelper = async ({
 * @param {String} obj.integrationAuthId - id of integration auth
 * @param {String} refreshToken - decrypted refresh token
 */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
+ const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
    let refreshToken;
-	
    try {
        const integrationAuth = await IntegrationAuth
            .findById(integrationAuthId)
            .select('+refreshCiphertext +refreshIV +refreshTag');

-        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+        if (!integrationAuth) throw new Error('Failed to find integration auth');

        refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace,
+            workspaceId: integrationAuth.workspace.toString(),
            ciphertext: integrationAuth.refreshCiphertext as string,
            iv: integrationAuth.refreshIV as string,
            tag: integrationAuth.refreshTag as string
@ -295,10 +193,7 @@ const syncIntegrationsHelper = async ({
    } catch (err) {
        Sentry.setUser(null);
 		Sentry.captureException(err);
-        if(err instanceof RequestError)
-            throw err
-        else
-            throw new Error('Failed to get integration refresh token');
+		throw new Error('Failed to get integration refresh token');
    }
    
    return refreshToken;
@ -312,18 +207,17 @@ const syncIntegrationsHelper = async ({
 * @param {String} obj.integrationAuthId - id of integration auth
 * @returns {String} accessToken - decrypted access token
 */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
-    let accessId;
+const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
    let accessToken;
    try {
        const integrationAuth = await IntegrationAuth
            .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
+            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext');

-        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+        if (!integrationAuth) throw new Error('Failed to find integration auth');

        accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace,
+            workspaceId: integrationAuth.workspace.toString(),
            ciphertext: integrationAuth.accessCiphertext as string,
            iv: integrationAuth.accessIV as string,
            tag: integrationAuth.accessTag as string
@ -337,34 +231,19 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                // access token is expired
                const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
                accessToken = await exchangeRefresh({
-                    integrationAuth,
+                    integration: integrationAuth.integration,
                    refreshToken
                });
            }
        }
-        
-        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
-            accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace,
-                ciphertext: integrationAuth.accessIdCiphertext as string,
-                iv: integrationAuth.accessIdIV as string,
-                tag: integrationAuth.accessIdTag as string
-            });
-        }

    } catch (err) {
        Sentry.setUser(null);
 		Sentry.captureException(err);
-        if(err instanceof RequestError)
-            throw err
-        else
-            throw new Error('Failed to get integration access token');
+		throw new Error('Failed to get integration access token');
    }
    
-    return ({
-        accessId,
-        accessToken
-    });
+    return accessToken;
 }

 /**
@ -391,7 +270,7 @@ const setIntegrationAuthRefreshHelper = async ({
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
        const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace,
+            workspaceId: integrationAuth.workspace.toString(),
            plaintext: refreshToken
        });
        
@ -414,9 +293,9 @@ const setIntegrationAuthRefreshHelper = async ({
 }

 /**
- * Encrypt access token [accessToken] and (optionally) access id [accessId]
- * using the bot's copy of the workspace key for workspace belonging to 
- * integration auth with id [integrationAuthId] and store it along with [accessExpiresAt]
+ * Encrypt access token [accessToken] using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId] and store it along with [accessExpiresAt]
 * @param {Object} obj
 * @param {String} obj.integrationAuthId - id of integration auth
 * @param {String} obj.accessToken - access token
@ -424,14 +303,12 @@ const setIntegrationAuthRefreshHelper = async ({
 */
 const setIntegrationAuthAccessHelper = async ({
    integrationAuthId,
-    accessId,
    accessToken,
    accessExpiresAt
 }: {
    integrationAuthId: string;
-    accessId: string | null;
    accessToken: string;
-    accessExpiresAt: Date | undefined;
+    accessExpiresAt: Date;
 }) => {
    let integrationAuth;
    try {
@ -439,28 +316,17 @@ const setIntegrationAuthAccessHelper = async ({
        
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
-        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace,
+        const obj = await BotService.encryptSymmetric({
+            workspaceId: integrationAuth.workspace.toString(),
            plaintext: accessToken
        });
        
-        let encryptedAccessIdObj;
-        if (accessId) {
-            encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace,
-                plaintext: accessId
-            }); 
-        }
-        
        integrationAuth = await IntegrationAuth.findOneAndUpdate({
            _id: integrationAuthId
        }, {
-            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
-            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
-            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
-            accessCiphertext: encryptedAccessTokenObj.ciphertext,
-            accessIV: encryptedAccessTokenObj.iv,
-            accessTag: encryptedAccessTokenObj.tag,
+            accessCiphertext: obj.ciphertext,
+            accessIV: obj.iv,
+            accessTag: obj.tag,
            accessExpiresAt
        }, {
            new: true
@ -475,11 +341,10 @@ const setIntegrationAuthAccessHelper = async ({
 }

 export {
-    validateClientForIntegration,
    handleOAuthExchangeHelper,
    syncIntegrationsHelper,
    getIntegrationAuthRefreshHelper,
    getIntegrationAuthAccessHelper,
    setIntegrationAuthRefreshHelper,
    setIntegrationAuthAccessHelper
-}
+}
--- a/backend/src/helpers/integrationAuth.ts
+++ b/backend/src/helpers/integrationAuth.ts
@ -1,108 +0,0 @@
-import { Types } from 'mongoose';
-import {
-    IntegrationAuth,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData,
-    IWorkspace
-} from '../models';
-import { 
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
-} from '../variables';
-import {
-    IntegrationAuthNotFoundError,
-    UnauthorizedRequestError
-} from '../utils/errors';
-import { IntegrationService } from '../services';
-import { validateUserClientForWorkspace } from '../helpers/user';
-import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
-
-/**
- * Validate authenticated clients for integration authorization with id [integrationAuthId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.integrationAuthId - id of integration authorization to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
- const validateClientForIntegrationAuth = async ({
-    authData,
-    integrationAuthId,
-    acceptedRoles,
-    attachAccessToken
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    integrationAuthId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-    attachAccessToken?: boolean;
-}) => {
-
-    const integrationAuth = await IntegrationAuth
-        .findById(integrationAuthId)
-        .populate<{ workspace: IWorkspace }>('workspace')
-        .select(
-			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-        );
-    
-    if (!integrationAuth) throw IntegrationAuthNotFoundError();
-    
-    let accessToken;
-    if (attachAccessToken) {
-        accessToken = (await IntegrationService.getIntegrationAuthAccess({
-            integrationAuthId: integrationAuth._id
-        })).accessToken;
-    }
-    
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integrationAuth.workspace._id,
-            acceptedRoles
-        });
-
-        return ({ integrationAuth, accessToken });
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: integrationAuth.workspace._id
-        });
-
-        return ({ integrationAuth, accessToken });
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for integration authorization'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integrationAuth.workspace._id,
-            acceptedRoles
-        });
-
-        return ({ integrationAuth, accessToken });
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for integration authorization'
-    });
-}
-
-export {
-    validateClientForIntegrationAuth
-};
--- a/Show More
+++ b/Show More