allow inetgrations list fetch via UA

Update list-project-integrations.mdx
2025-07-25 14:07:47 +00:00 · 2024-04-12 10:06:16 -04:00 · 2024-04-11 23:52:25 -04:00 · 2024-04-11 20:49:31 -04:00 · 2024-04-11 20:20:22 -04:00 · 2024-04-12 02:15:23 +02:00
104 changed files with 1670 additions and 1422 deletions
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@@ -1,6 +1,7 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
+ARG SAML_ORG_SLUG=saml-org-slug-default

 FROM  node:20-alpine AS base

@@ -35,6 +36,8 @@ ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG 

 # Build
 RUN npm run build
@@ -100,6 +103,9 @@ ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
 ARG INTERCOM_ID=intercom-id
 ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG \
+  BAKED_NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG

 WORKDIR / 

--- a/backend/e2e-test/routes/v1/secret-import.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-import.spec.ts
@@ -46,7 +46,7 @@ const deleteSecretImport = async (id: string) => {

 describe("Secret Import Router", async () => {
  test.each([
-    { importEnv: "dev", importPath: "/" }, // one in root
+    { importEnv: "prod", importPath: "/" }, // one in root
    { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
  ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
    // check for default environments
@@ -66,7 +66,7 @@ describe("Secret Import Router", async () => {
  });

  test("Get secret imports", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
    const createdImport2 = await createSecretImport("/", "staging");
    const res = await testServer.inject({
      method: "GET",
@@ -103,10 +103,10 @@ describe("Secret Import Router", async () => {
  });

  test("Update secret import position", async () => {
-    const devImportDetails = { path: "/", envSlug: "dev" };
+    const prodImportDetails = { path: "/", envSlug: "prod" };
    const stagingImportDetails = { path: "/", envSlug: "staging" };

-    const createdImport1 = await createSecretImport(devImportDetails.path, devImportDetails.envSlug);
+    const createdImport1 = await createSecretImport(prodImportDetails.path, prodImportDetails.envSlug);
    const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);

    const updateImportRes = await testServer.inject({
@@ -136,7 +136,7 @@ describe("Secret Import Router", async () => {
        position: 2,
        importEnv: expect.objectContaining({
          name: expect.any(String),
-          slug: expect.stringMatching(devImportDetails.envSlug),
+          slug: expect.stringMatching(prodImportDetails.envSlug),
          id: expect.any(String)
        })
      })
@@ -166,7 +166,7 @@ describe("Secret Import Router", async () => {
  });

  test("Delete secret import position", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
    const createdImport2 = await createSecretImport("/", "staging");
    const deletedImport = await deleteSecretImport(createdImport1.id);
    // check for default environments
--- a/backend/scripts/create-backend-file.ts
+++ b/backend/scripts/create-backend-file.ts
@@ -103,11 +103,15 @@ export const ${dalName} = (db: TDbClient) => {
    `import { z } from "zod";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { readLimit } from "@app/server/config/rateLimiter";

 export const register${pascalCase}Router = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({}),
      response: {
--- a/backend/scripts/create-migration.ts
+++ b/backend/scripts/create-migration.ts
@@ -7,10 +7,10 @@ const prompt = promptSync({ sigint: true });

 const migrationName = prompt("Enter name for migration: ");

+// Remove spaces from migration name and replace with hyphens
+const formattedMigrationName = migrationName.replace(/\s+/g, "-");
+
 execSync(
-  `npx knex migrate:make --knexfile ${path.join(
-    __dirname,
-    "../src/db/knexfile.ts"
-  )} -x ts ${migrationName}`,
+  `npx knex migrate:make --knexfile ${path.join(__dirname, "../src/db/knexfile.ts")} -x ts ${formattedMigrationName}`,
  { stdio: "inherit" }
 );
--- a/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
+++ b/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
@@ -0,0 +1,111 @@
+import { Knex } from "knex";
+import { z } from "zod";
+
+import { TableName, TOrgMemberships } from "../schemas";
+
+const validateOrgMembership = (membershipToValidate: TOrgMemberships, firstMembership: TOrgMemberships) => {
+  const firstOrgId = firstMembership.orgId;
+  const firstUserId = firstMembership.userId;
+
+  if (membershipToValidate.id === firstMembership.id) {
+    return;
+  }
+
+  if (membershipToValidate.inviteEmail !== firstMembership.inviteEmail) {
+    throw new Error(`Invite emails are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.orgId !== firstMembership.orgId) {
+    throw new Error(`OrgIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.role !== firstMembership.role) {
+    throw new Error(`Roles are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.roleId !== firstMembership.roleId) {
+    throw new Error(`RoleIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.status !== firstMembership.status) {
+    throw new Error(`Statuses are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.userId !== firstMembership.userId) {
+    throw new Error(`UserIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  const RowSchema = z.object({
+    userId: z.string(),
+    orgId: z.string(),
+    cnt: z.string()
+  });
+
+  // Transactional find and delete duplicate rows
+  await knex.transaction(async (tx) => {
+    const duplicateRows = await tx(TableName.OrgMembership)
+      .select("userId", "orgId") // Select the userId and orgId so we can group by them
+      .count("* as cnt") // Count the number of rows for each userId and orgId, so we can make sure there are more than 1 row (a duplicate)
+      .groupBy("userId", "orgId")
+      .havingRaw("count(*) > ?", [1]); // Using havingRaw for direct SQL expressions
+
+    // Parse the rows to ensure they are in the correct format, and for type safety
+    const parsedRows = RowSchema.array().parse(duplicateRows);
+
+    // For each of the duplicate rows, loop through and find the actual memberships to delete
+    for (const row of parsedRows) {
+      const count = Number(row.cnt);
+
+      // An extra check to ensure that the count is actually a number, and the number is greater than 2
+      if (typeof count !== "number" || count < 2) {
+        // eslint-disable-next-line no-continue
+        continue;
+      }
+
+      // Find all the organization memberships that have the same userId and orgId
+      // eslint-disable-next-line no-await-in-loop
+      const rowsToDelete = await tx(TableName.OrgMembership).where({
+        userId: row.userId,
+        orgId: row.orgId
+      });
+
+      // Ensure that all the rows have exactly the same value, except id, createdAt, updatedAt
+      for (const rowToDelete of rowsToDelete) {
+        validateOrgMembership(rowToDelete, rowsToDelete[0]);
+      }
+
+      // Find the row with the latest createdAt, which we will keep
+
+      let lowestCreatedAt: number | null = null;
+      let latestCreatedRow: TOrgMemberships | null = null;
+
+      for (const rowToDelete of rowsToDelete) {
+        if (lowestCreatedAt === null || rowToDelete.createdAt.getTime() < lowestCreatedAt) {
+          lowestCreatedAt = rowToDelete.createdAt.getTime();
+          latestCreatedRow = rowToDelete;
+        }
+      }
+      if (!latestCreatedRow) {
+        throw new Error("Failed to find last created membership");
+      }
+
+      // Filter out the latest row from the rows to delete
+      const membershipIdsToDelete = rowsToDelete.map((r) => r.id).filter((id) => id !== latestCreatedRow!.id);
+
+      // eslint-disable-next-line no-await-in-loop
+      const numberOfRowsDeleted = await tx(TableName.OrgMembership).whereIn("id", membershipIdsToDelete).delete();
+
+      // eslint-disable-next-line no-console
+      console.log(
+        `Deleted ${numberOfRowsDeleted} duplicate organization memberships for ${row.userId} and ${row.orgId}`
+      );
+    }
+  });
+
+  await knex.schema.alterTable(TableName.OrgMembership, (table) => {
+    table.unique(["userId", "orgId"]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.OrgMembership, (table) => {
+    table.dropUnique(["userId", "orgId"]);
+  });
+}
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@@ -5,14 +5,18 @@ import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
@@ -55,8 +59,11 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
  });

  server.route({
-    url: "/:leaseId",
    method: "DELETE",
+    url: "/:leaseId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
@@ -94,8 +101,11 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
  });

  server.route({
-    url: "/:leaseId/renew",
    method: "POST",
+    url: "/:leaseId/renew",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
@@ -146,6 +156,9 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
  server.route({
    url: "/:leaseId",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@@ -7,14 +7,18 @@ import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/pro
 import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
@@ -74,8 +78,11 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:name",
    method: "PATCH",
+    url: "/:name",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
@@ -138,8 +145,11 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:name",
    method: "DELETE",
+    url: "/:name",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
@@ -173,6 +183,9 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/:name",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
@@ -207,6 +220,9 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
@@ -235,6 +251,9 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/:name/leases",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@@ -9,13 +9,17 @@ import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/service
 import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/permanent",
    method: "POST",
+    url: "/permanent",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Create a permanent or a non expiry specific privilege for identity.",
      security: [
@@ -31,11 +35,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
          .min(1)
          .max(60)
          .trim()
-          .default(slugify(alphaNumericNanoId(12)))
          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
+          .optional()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
      }),
@@ -53,6 +57,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
        isTemporary: false,
        permissions: JSON.stringify(packRules(req.body.permissions))
      });
@@ -61,8 +66,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
  });

  server.route({
-    url: "/temporary",
    method: "POST",
+    url: "/temporary",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Create a temporary or a expiring specific privilege for identity.",
      security: [
@@ -78,11 +86,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
          .min(1)
          .max(60)
          .trim()
-          .default(slugify(alphaNumericNanoId(12)))
          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
+          .optional()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
        temporaryMode: z
@@ -111,6 +119,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
        isTemporary: true,
        permissions: JSON.stringify(packRules(req.body.permissions))
      });
@@ -119,8 +128,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
  });

  server.route({
-    url: "/",
    method: "PATCH",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update a specific privilege of an identity.",
      security: [
@@ -188,8 +200,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
  });

  server.route({
-    url: "/",
    method: "DELETE",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Delete a specific privilege of an identity.",
      security: [
@@ -224,8 +239,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
  });

  server.route({
-    url: "/:privilegeSlug",
    method: "GET",
+    url: "/:privilegeSlug",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Retrieve details of a specific privilege by privilege slug.",
      security: [
@@ -261,8 +279,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "List of a specific privilege of an identity in a project.",
      security: [
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -17,6 +17,7 @@ import { z } from "zod";
 import { LdapConfigsSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -97,8 +98,11 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
@@ -130,8 +134,11 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "POST",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@@ -164,6 +171,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/config",
    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@@ -3,13 +3,17 @@
 // TODO(akhilmhdh): Fix this when licence service gets it type
 import { z } from "zod";

+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:organizationId/plans/table",
    method: "GET",
+    url: "/:organizationId/plans/table",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({ billingCycle: z.enum(["monthly", "yearly"]) }),
      params: z.object({ organizationId: z.string().trim() }),
@@ -32,8 +36,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan",
    method: "GET",
+    url: "/:organizationId/plan",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -54,8 +61,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plans",
    method: "GET",
+    url: "/:organizationId/plans",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({ workspaceId: z.string().trim().optional() }),
@@ -77,8 +87,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/session/trial",
    method: "POST",
+    url: "/:organizationId/session/trial",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({ success_url: z.string().trim() }),
@@ -103,6 +116,9 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:organizationId/customer-portal-session",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -123,8 +139,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan/billing",
    method: "GET",
+    url: "/:organizationId/plan/billing",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -145,8 +164,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan/table",
    method: "GET",
+    url: "/:organizationId/plan/table",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -167,8 +189,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details",
    method: "GET",
+    url: "/:organizationId/billing-details",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -189,8 +214,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details",
    method: "PATCH",
+    url: "/:organizationId/billing-details",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@@ -217,8 +245,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods",
    method: "GET",
+    url: "/:organizationId/billing-details/payment-methods",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -239,8 +270,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods",
    method: "POST",
+    url: "/:organizationId/billing-details/payment-methods",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@@ -267,8 +301,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods/:pmtMethodId",
    method: "DELETE",
+    url: "/:organizationId/billing-details/payment-methods/:pmtMethodId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@@ -293,8 +330,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids",
    method: "GET",
+    url: "/:organizationId/billing-details/tax-ids",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -317,8 +357,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids",
    method: "POST",
+    url: "/:organizationId/billing-details/tax-ids",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -347,8 +390,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids/:taxId",
    method: "DELETE",
+    url: "/:organizationId/billing-details/tax-ids/:taxId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@@ -373,8 +419,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/invoices",
    method: "GET",
+    url: "/:organizationId/invoices",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -397,8 +446,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/licenses",
    method: "GET",
+    url: "/:organizationId/licenses",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@@ -2,6 +2,7 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -9,6 +10,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:organizationId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -51,6 +55,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@@ -95,6 +102,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@@ -122,6 +132,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/roles",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -151,6 +164,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/permissions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -8,6 +9,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:projectId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -41,6 +45,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim(),
@@ -76,6 +83,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim(),
@@ -104,6 +114,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:projectId/roles",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -134,6 +147,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:projectId/permissions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -4,6 +4,7 @@ import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -11,6 +12,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/secret-snapshots",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return project secret snapshots ids",
      security: [
@@ -51,6 +55,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/secret-snapshots/count",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -83,6 +90,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return audit logs",
      security: [
@@ -145,6 +155,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs/filters/actors",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -17,6 +17,7 @@ import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -203,8 +204,11 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
@@ -240,8 +244,11 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "POST",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@@ -270,8 +277,11 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "PATCH",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { ScimTokensSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -20,6 +21,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/scim-tokens",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@@ -51,6 +55,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/scim-tokens",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
@@ -78,6 +85,9 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/scim-tokens/:scimTokenId",
    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -9,6 +10,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z
        .object({
@@ -47,6 +51,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:sapId",
    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        sapId: z.string()
@@ -85,6 +92,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:sapId",
    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        sapId: z.string()
@@ -111,6 +121,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim()
@@ -137,6 +150,9 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/board",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -10,13 +10,17 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApprovalStatus, RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretApprovalRequestRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
@@ -62,8 +66,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  });

  server.route({
-    url: "/count",
    method: "GET",
+    url: "/count",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim()
@@ -93,6 +100,9 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  server.route({
    url: "/:id/merge",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
@@ -117,8 +127,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  });

  server.route({
-    url: "/:id/review",
    method: "POST",
+    url: "/:id/review",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
@@ -147,8 +160,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
  });

  server.route({
-    url: "/:id/status",
    method: "POST",
+    url: "/:id/status",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
@@ -203,8 +219,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
    .array()
    .optional();
  server.route({
-    url: "/:id",
    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        id: z.string()
--- a/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
@@ -1,12 +1,16 @@
 import { z } from "zod";

+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretRotationProviderRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId",
    method: "GET",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/ee/routes/v1/secret-rotation-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-router.ts
@@ -2,13 +2,17 @@ import { z } from "zod";

 import { SecretRotationOutputsSchema, SecretRotationsSchema, SecretsSchema } from "@app/db/schemas";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretRotationRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        workspaceId: z.string().trim(),
@@ -52,6 +56,9 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
  server.route({
    url: "/restart",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        id: z.string().trim()
@@ -86,6 +93,9 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim()
@@ -136,8 +146,11 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/:id",
    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        id: z.string().trim()
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@@ -2,13 +2,17 @@ import { z } from "zod";

 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
 import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretScanningRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/create-installation-session/organization",
    method: "POST",
+    url: "/create-installation-session/organization",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -31,8 +35,11 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/link-installation",
    method: "POST",
+    url: "/link-installation",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        installationId: z.string(),
@@ -56,8 +63,11 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/installation-status/organization/:organizationId",
    method: "GET",
+    url: "/installation-status/organization/:organizationId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -80,6 +90,9 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -100,8 +113,11 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
  });

  server.route({
-    url: "/organization/:organizationId/risks/:riskId/status",
    method: "POST",
+    url: "/organization/:organizationId/risks/:riskId/status",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim(), riskId: z.string().trim() }),
      body: z.object({ status: z.nativeEnum(SecretScanningRiskStatus) }),
--- a/backend/src/ee/routes/v1/secret-version-router.ts
+++ b/backend/src/ee/routes/v1/secret-version-router.ts
@@ -1,13 +1,17 @@
 import { z } from "zod";

 import { SecretVersionsSchema } from "@app/db/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretVersionRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:secretId/secret-versions",
    method: "GET",
+    url: "/:secretId/secret-versions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        secretId: z.string()
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -9,6 +10,9 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:secretSnapshotId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        secretSnapshotId: z.string().trim()
@@ -58,6 +62,9 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:secretSnapshotId/rollback",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Roll back project secrets to those captured in a secret snapshot version.",
      security: [
--- a/backend/src/ee/routes/v1/trusted-ip-router.ts
+++ b/backend/src/ee/routes/v1/trusted-ip-router.ts
@@ -2,13 +2,17 @@ import { z } from "zod";

 import { TrustedIpsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/trusted-ips",
    method: "GET",
+    url: "/:workspaceId/trusted-ips",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -33,8 +37,11 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/trusted-ips",
    method: "POST",
+    url: "/:workspaceId/trusted-ips",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -78,8 +85,11 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/trusted-ips/:trustedIpId",
    method: "PATCH",
+    url: "/:workspaceId/trusted-ips/:trustedIpId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim(),
@@ -124,8 +134,11 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/trusted-ips/:trustedIpId",
    method: "DELETE",
+    url: "/:workspaceId/trusted-ips/:trustedIpId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/ee/routes/v1/user-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/user-additional-privilege-router.ts
@@ -6,6 +6,7 @@ import { ProjectUserAdditionalPrivilegeSchema } from "@app/db/schemas";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -13,6 +14,9 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
  server.route({
    url: "/permanent",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
@@ -21,11 +25,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
          .min(1)
          .max(60)
          .trim()
-          .default(slugify(alphaNumericNanoId(12)))
          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
+          .optional()
          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
      }),
@@ -43,6 +47,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
        isTemporary: false,
        permissions: JSON.stringify(req.body.permissions)
      });
@@ -51,8 +56,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
  });

  server.route({
-    url: "/temporary",
    method: "POST",
+    url: "/temporary",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
@@ -61,11 +69,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
          .min(1)
          .max(60)
          .trim()
-          .default(`privilege-${slugify(alphaNumericNanoId(12))}`)
          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
+          .optional()
          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
        temporaryMode: z
@@ -94,6 +102,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : `privilege-${slugify(alphaNumericNanoId(12))}`,
        isTemporary: true,
        permissions: JSON.stringify(req.body.permissions)
      });
@@ -102,8 +111,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
  });

  server.route({
-    url: "/:privilegeId",
    method: "PATCH",
+    url: "/:privilegeId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        privilegeId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.privilegeId)
@@ -156,8 +168,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
  });

  server.route({
-    url: "/:privilegeId",
    method: "DELETE",
+    url: "/:privilegeId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.DELETE.privilegeId)
@@ -182,8 +197,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        projectMembershipId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.LIST.projectMembershipId)
@@ -208,8 +226,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
  });

  server.route({
-    url: "/:privilegeId",
    method: "GET",
+    url: "/:privilegeId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.GET_BY_PRIVILEGEID.privilegeId)
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -141,6 +141,12 @@ export const PROJECTS = {
  },
  ROLLBACK_TO_SNAPSHOT: {
    secretSnapshotId: "The ID of the snapshot to rollback to."
+  },
+  LIST_INTEGRATION: {
+    workspaceId: "The ID of the project to list integrations for."
+  },
+  LIST_INTEGRATION_AUTHORIZATION: {
+    workspaceId: "The ID of the project to list integration auths for."
  }
 } as const;

@@ -502,11 +508,8 @@ export const INTEGRATION_AUTH = {
    url: "",
    namespace: "",
    refreshToken: "The refresh token for integration authorization."
-  },
-  LIST_AUTHORIZATION: {
-    workspaceId: "The ID of the project to list integration auths for."
  }
-};
+} as const;

 export const INTEGRATION = {
  CREATE: {
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -61,11 +61,11 @@ export type TQueueJobTypes = {
  };
  [QueueName.SecretWebhook]: {
    name: QueueJobs.SecWebhook;
-    payload: { projectId: string; environment: string; secretPath: string };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
  [QueueName.IntegrationSync]: {
    name: QueueJobs.IntegrationSync;
-    payload: { projectId: string; environment: string; secretPath: string };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
  [QueueName.SecretFullRepoScan]: {
    name: QueueJobs.SecretScan;
--- a/backend/src/server/config/rateLimiter.ts
+++ b/backend/src/server/config/rateLimiter.ts
@@ -18,6 +18,28 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
  };
 };

+// GET endpoints
+export const readLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  max: 600,
+  keyGenerator: (req) => req.realIp
+};
+
+// POST, PATCH, PUT, DELETE endpoints
+export const writeLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  max: 50,
+  keyGenerator: (req) => req.realIp
+};
+
+// special endpoints
+export const secretsLimit: RateLimitOptions = {
+  // secrets, folders, secret imports
+  timeWindow: 60 * 1000,
+  max: 600,
+  keyGenerator: (req) => req.realIp
+};
+
 export const authRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
  max: 60,
@@ -26,12 +48,13 @@ export const authRateLimit: RateLimitOptions = {

 export const inviteUserRateLimit: RateLimitOptions = {
  timeWindow: 60 * 1000,
-  max: 10,
+  max: 30,
  keyGenerator: (req) => req.realIp
 };

-export const passwordRateLimit: RateLimitOptions = {
+export const creationLimit: RateLimitOptions = {
+  // identity, project, org
  timeWindow: 60 * 1000,
-  max: 600,
+  max: 30,
  keyGenerator: (req) => req.realIp
 };
--- a/backend/src/server/plugins/secret-scanner.ts
+++ b/backend/src/server/plugins/secret-scanner.ts
@@ -4,6 +4,7 @@ import SmeeClient from "smee-client";

 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
+import { writeLimit } from "@app/server/config/rateLimiter";

 export const registerSecretScannerGhApp = async (server: FastifyZodProvider) => {
  const probotApp = (app: Probot) => {
@@ -49,6 +50,9 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
    server.route({
      method: "POST",
      url: "/",
+      config: {
+        rateLimit: writeLimit
+      },
      handler: async (req, res) => {
        const eventName = req.headers["x-github-event"];
        const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -49,6 +49,7 @@ import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { apiKeyDALFactory } from "@app/services/api-key/api-key-dal";
 import { apiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { authDALFactory } from "@app/services/auth/auth-dal";
@@ -398,7 +399,8 @@ export const registerRoutes = async (
    folderDAL,
    licenseService,
    projectUserMembershipRoleDAL,
-    identityProjectMembershipRoleDAL
+    identityProjectMembershipRoleDAL,
+    keyStore
  });

  const projectEnvService = projectEnvServiceFactory({
@@ -409,7 +411,12 @@ export const registerRoutes = async (
    folderDAL
  });

-  const projectRoleService = projectRoleServiceFactory({ permissionService, projectRoleDAL });
+  const projectRoleService = projectRoleServiceFactory({
+    permissionService,
+    projectRoleDAL,
+    projectUserMembershipRoleDAL,
+    identityProjectMembershipRoleDAL
+  });

  const snapshotService = secretSnapshotServiceFactory({
    permissionService,
@@ -438,14 +445,6 @@ export const registerRoutes = async (
    projectEnvDAL,
    snapshotService
  });
-  const secretImportService = secretImportServiceFactory({
-    projectEnvDAL,
-    folderDAL,
-    permissionService,
-    secretImportDAL,
-    projectDAL,
-    secretDAL
-  });
  const integrationAuthService = integrationAuthServiceFactory({
    integrationAuthDAL,
    integrationDAL,
@@ -473,6 +472,15 @@ export const registerRoutes = async (
    secretTagDAL,
    secretVersionTagDAL
  });
+  const secretImportService = secretImportServiceFactory({
+    projectEnvDAL,
+    folderDAL,
+    permissionService,
+    secretImportDAL,
+    projectDAL,
+    secretDAL,
+    secretQueueService
+  });
  const secretBlindIndexService = secretBlindIndexServiceFactory({
    permissionService,
    secretDAL,
@@ -670,8 +678,11 @@ export const registerRoutes = async (
  await server.register(injectAuditLogInfo);

  server.route({
-    url: "/api/status",
    method: "GET",
+    url: "/api/status",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -11,8 +12,11 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 export const registerAdminRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/config",
    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
@@ -30,8 +34,11 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/config",
    method: "PATCH",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        allowSignUp: z.boolean().optional(),
@@ -55,8 +62,11 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/signup",
    method: "POST",
+    url: "/signup",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        email: z.string().email().trim(),
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { authRateLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode, AuthModeRefreshJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";

@@ -38,8 +38,11 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/checkAuth",
    method: "POST",
+    url: "/checkAuth",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
@@ -52,8 +55,11 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/token",
    method: "POST",
+    url: "/token",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/bot-router.ts
+++ b/backend/src/server/routes/v1/bot-router.ts
@@ -1,13 +1,17 @@
 import { z } from "zod";

 import { ProjectBotsSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:projectId",
    method: "GET",
+    url: "/:projectId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -38,8 +42,11 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:botId/active",
    method: "PATCH",
+    url: "/:botId/active",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        isActive: z.boolean(),
--- a/backend/src/server/routes/v1/identity-access-token-router.ts
+++ b/backend/src/server/routes/v1/identity-access-token-router.ts
@@ -1,11 +1,15 @@
 import { z } from "zod";

 import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+import { writeLimit } from "@app/server/config/rateLimiter";

 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/token/renew",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Renew access token",
      body: z.object({
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
+import { creationLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -12,6 +13,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
+    config: {
+      rateLimit: creationLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Create identity",
@@ -71,6 +75,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update identity",
@@ -121,6 +128,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Delete identity",
--- a/backend/src/server/routes/v1/identity-ua.ts
+++ b/backend/src/server/routes/v1/identity-ua.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@@ -22,8 +23,11 @@ export const sanitizedClientSecretSchema = IdentityUaClientSecretsSchema.pick({

 export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/universal-auth/login",
    method: "POST",
+    url: "/universal-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Login with Universal Auth",
      body: z.object({
@@ -66,8 +70,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId",
    method: "POST",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Attach Universal Auth configuration onto identity",
@@ -156,8 +163,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId",
    method: "PATCH",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update Universal Auth configuration on identity",
@@ -239,8 +249,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId",
    method: "GET",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Retrieve Universal Auth configuration on identity",
@@ -283,8 +296,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId/client-secrets",
    method: "POST",
+    url: "/universal-auth/identities/:identityId/client-secrets",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Create Universal Auth Client Secret for identity",
@@ -335,8 +351,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId/client-secrets",
    method: "GET",
+    url: "/universal-auth/identities/:identityId/client-secrets",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "List Universal Auth Client Secrets for identity",
@@ -378,8 +397,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
    method: "POST",
+    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Revoke Universal Auth Client Secrets for identity",
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { INTEGRATION_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -9,8 +10,11 @@ import { integrationAuthPubSchema } from "../sanitizedSchemas";

 export const registerIntegrationAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/integration-options",
    method: "GET",
+    url: "/integration-options",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "List of integrations available.",
@@ -43,8 +47,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId",
    method: "GET",
+    url: "/:integrationAuthId",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Get details of an integration authorization by auth object id.",
@@ -75,8 +82,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/",
    method: "DELETE",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Remove all integration's auth object from the project.",
@@ -121,8 +131,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId",
    method: "DELETE",
+    url: "/:integrationAuthId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Remove an integration auth object by object id.",
@@ -165,8 +178,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/oauth-token",
    method: "POST",
+    url: "/oauth-token",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@@ -206,8 +222,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/access-token",
    method: "POST",
+    url: "/access-token",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Create the integration authentication object required for syncing secrets.",
@@ -256,8 +275,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/apps",
    method: "GET",
+    url: "/:integrationAuthId/apps",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -293,8 +315,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/teams",
    method: "GET",
+    url: "/:integrationAuthId/teams",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -324,8 +349,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/vercel/branches",
    method: "GET",
+    url: "/:integrationAuthId/vercel/branches",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -354,8 +382,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/checkly/groups",
    method: "GET",
+    url: "/:integrationAuthId/checkly/groups",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -384,8 +415,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/github/orgs",
    method: "GET",
+    url: "/:integrationAuthId/github/orgs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -412,8 +446,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/github/envs",
    method: "GET",
+    url: "/:integrationAuthId/github/envs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -446,8 +483,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/orgs",
    method: "GET",
+    url: "/:integrationAuthId/qovery/orgs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -472,8 +512,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/projects",
    method: "GET",
+    url: "/:integrationAuthId/qovery/projects",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -502,8 +545,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/environments",
    method: "GET",
+    url: "/:integrationAuthId/qovery/environments",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -532,8 +578,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/apps",
    method: "GET",
+    url: "/:integrationAuthId/qovery/apps",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -562,8 +611,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/containers",
    method: "GET",
+    url: "/:integrationAuthId/qovery/containers",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -592,8 +644,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/qovery/jobs",
    method: "GET",
+    url: "/:integrationAuthId/qovery/jobs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -622,8 +677,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/heroku/pipelines",
    method: "GET",
+    url: "/:integrationAuthId/heroku/pipelines",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -654,8 +712,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/railway/environments",
    method: "GET",
+    url: "/:integrationAuthId/railway/environments",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -684,8 +745,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/railway/services",
    method: "GET",
+    url: "/:integrationAuthId/railway/services",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -714,8 +778,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/bitbucket/workspaces",
    method: "GET",
+    url: "/:integrationAuthId/bitbucket/workspaces",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -750,8 +817,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/northflank/secret-groups",
    method: "GET",
+    url: "/:integrationAuthId/northflank/secret-groups",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -785,8 +855,11 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:integrationAuthId/teamcity/build-configs",
    method: "GET",
+    url: "/:integrationAuthId/teamcity/build-configs",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@@ -4,6 +4,7 @@ import { IntegrationsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { INTEGRATION } from "@app/lib/api-docs";
 import { removeTrailingSlash, shake } from "@app/lib/fn";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -11,8 +12,11 @@ import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telem

 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Create an integration to sync secrets.",
      security: [
@@ -112,8 +116,11 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:integrationId",
    method: "PATCH",
+    url: "/:integrationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update an integration by integration id",
      security: [
@@ -159,8 +166,11 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:integrationId",
    method: "DELETE",
+    url: "/:integrationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Remove an integration using the integration object ID",
      security: [
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@@ -56,6 +56,9 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/verify",
    method: "POST",
+    config: {
+      rateLimit: inviteUserRateLimit
+    },
    schema: {
      body: z.object({
        email: z.string().trim().email(),
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { IncidentContactsSchema, OrganizationsSchema, OrgMembershipsSchema, UsersSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -8,6 +9,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
@@ -25,6 +29,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -50,6 +57,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/users",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@@ -87,6 +97,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:organizationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@@ -128,6 +141,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/incidentContactOrg",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@@ -151,6 +167,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:organizationId/incidentContactOrg",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({ email: z.string().email().trim() }),
@@ -176,6 +195,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId/incidentContactOrg/:incidentContactId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim(), incidentContactId: z.string().trim() }),
      response: {
--- a/backend/src/server/routes/v1/password-router.ts
+++ b/backend/src/server/routes/v1/password-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";

 import { BackupPrivateKeySchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { passwordRateLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { validateSignUpAuthorization } from "@app/services/auth/auth-fns";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -12,7 +12,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/srp1",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@@ -39,7 +39,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/change-password",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@@ -78,7 +78,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/email/password-reset",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@@ -103,7 +103,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/email/password-reset-verify",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      body: z.object({
@@ -133,7 +133,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/backup-private-key",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
@@ -168,7 +168,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    url: "/backup-private-key",
    config: {
-      rateLimit: passwordRateLimit
+      rateLimit: authRateLimit
    },
    schema: {
      response: {
@@ -190,6 +190,9 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/password-reset",
+    config: {
+      rateLimit: authRateLimit
+    },
    schema: {
      body: z.object({
        protectedKey: z.string().trim(),
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@@ -3,13 +3,17 @@ import { z } from "zod";
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ENVIRONMENTS } from "@app/lib/api-docs";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/environments",
    method: "POST",
+    url: "/:workspaceId/environments",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Create environment",
      security: [
@@ -64,8 +68,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/environments/:id",
    method: "PATCH",
+    url: "/:workspaceId/environments/:id",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update environment",
      security: [
@@ -128,8 +135,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/environments/:id",
    method: "DELETE",
+    url: "/:workspaceId/environments/:id",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Delete environment",
      security: [
--- a/backend/src/server/routes/v1/project-key-router.ts
+++ b/backend/src/server/routes/v1/project-key-router.ts
@@ -1,5 +1,6 @@
 import { z } from "zod";

+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -7,6 +8,9 @@ export const registerProjectKeyRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:workspaceId/key",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@@ -10,14 +10,18 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";

 export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/memberships",
    method: "GET",
+    url: "/:workspaceId/memberships",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return project user memberships",
      security: [
@@ -75,8 +79,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  });

  server.route({
-    url: "/:workspaceId/memberships",
    method: "POST",
+    url: "/:workspaceId/memberships",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -126,8 +133,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  });

  server.route({
-    url: "/:workspaceId/memberships/:membershipId",
    method: "PATCH",
+    url: "/:workspaceId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update project user membership",
      security: [
@@ -197,8 +207,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  });

  server.route({
-    url: "/:workspaceId/memberships/:membershipId",
    method: "DELETE",
+    url: "/:workspaceId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Delete project user membership",
      security: [
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -7,7 +7,8 @@ import {
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
-import { INTEGRATION_AUTH, PROJECTS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
@@ -24,8 +25,11 @@ const projectWithEnv = ProjectsSchema.merge(

 export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:workspaceId/keys",
    method: "GET",
+    url: "/:workspaceId/keys",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -55,8 +59,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/users",
    method: "GET",
+    url: "/:workspaceId/users",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -108,8 +115,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
@@ -125,8 +135,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId",
    method: "GET",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
@@ -154,8 +167,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId",
    method: "DELETE",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
@@ -185,6 +201,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:workspaceId/name",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -217,8 +236,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId",
    method: "PATCH",
+    url: "/:workspaceId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
@@ -261,8 +283,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/auto-capitalization",
    method: "POST",
+    url: "/:workspaceId/auto-capitalization",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
@@ -295,11 +320,20 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/integrations",
    method: "GET",
+    url: "/:workspaceId/integrations",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
+      description: "List integrations for a project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.LIST_INTEGRATION.workspaceId)
      }),
      response: {
        200: z.object({
@@ -315,7 +349,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const integrations = await server.services.integration.listIntegrationByProject({
        actorId: req.permission.id,
@@ -329,8 +363,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/authorizations",
    method: "GET",
+    url: "/:workspaceId/authorizations",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "List integration auth objects for a workspace.",
      security: [
@@ -339,7 +376,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim().describe(INTEGRATION_AUTH.LIST_AUTHORIZATION.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECTS.LIST_INTEGRATION_AUTHORIZATION.workspaceId)
      }),
      response: {
        200: z.object({
@@ -361,8 +398,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:workspaceId/service-token-data",
    method: "GET",
+    url: "/:workspaceId/service-token-data",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        workspaceId: z.string().trim()
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -4,6 +4,7 @@ import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -11,6 +12,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Create folders",
      security: [
@@ -65,6 +69,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/:folderId",
    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Update folder",
      security: [
@@ -124,8 +131,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>

  // TODO(daniel): Expose this route in api reference and write docs for it.
  server.route({
-    url: "/:folderIdOrName",
    method: "DELETE",
+    url: "/:folderIdOrName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Delete a folder",
      security: [
@@ -181,8 +191,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Get folders",
      security: [
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@@ -4,13 +4,17 @@ import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretImportRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Create secret imports",
      security: [
@@ -71,8 +75,11 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:secretImportId",
    method: "PATCH",
+    url: "/:secretImportId",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Update secret imports",
      security: [
@@ -143,8 +150,11 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:secretImportId",
    method: "DELETE",
+    url: "/:secretImportId",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Delete secret imports",
      security: [
@@ -204,8 +214,11 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Get secret imports",
      security: [
@@ -262,6 +275,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
  server.route({
    url: "/secrets",
    method: "GET",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/server/routes/v1/secret-tag-router.ts
+++ b/backend/src/server/routes/v1/secret-tag-router.ts
@@ -2,13 +2,17 @@ import { z } from "zod";

 import { SecretTagsSchema } from "@app/db/schemas";
 import { SECRET_TAGS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:projectId/tags",
    method: "GET",
+    url: "/:projectId/tags",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.LIST.projectId)
@@ -33,8 +37,11 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:projectId/tags",
    method: "POST",
+    url: "/:projectId/tags",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.CREATE.projectId)
@@ -65,8 +72,11 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:projectId/tags/:tagId",
    method: "DELETE",
+    url: "/:projectId/tags/:tagId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim().describe(SECRET_TAGS.DELETE.projectId),
--- a/backend/src/server/routes/v1/user-action-router.ts
+++ b/backend/src/server/routes/v1/user-action-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { UserActionsSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -8,6 +9,9 @@ export const registerUserActionRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        action: z.string().trim()
@@ -29,6 +33,9 @@ export const registerUserActionRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        action: z.string().trim()
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -8,6 +9,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/webhook-router.ts
+++ b/backend/src/server/routes/v1/webhook-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { WebhooksSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -27,6 +28,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@@ -75,6 +79,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:webhookId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -122,6 +129,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:webhookId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -159,6 +169,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:webhookId/test",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
@@ -186,6 +199,9 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      querystring: z.object({
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -9,6 +10,9 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:orgId/identity-memberships",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Return organization identity memberships",
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@@ -8,6 +8,7 @@ import {
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -16,6 +17,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "POST",
    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
@@ -48,6 +52,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "PATCH",
    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update project identity memberships",
@@ -103,6 +110,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "DELETE",
    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Delete project identity memberships",
@@ -137,6 +147,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
  server.route({
    method: "GET",
    url: "/:projectId/identity-memberships",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Return project identity memberships",
--- a/backend/src/server/routes/v2/mfa-router.ts
+++ b/backend/src/server/routes/v2/mfa-router.ts
@@ -2,6 +2,7 @@ import jwt from "jsonwebtoken";
 import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { AuthModeMfaJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";

 export const registerMfaRouter = async (server: FastifyZodProvider) => {
@@ -30,8 +31,11 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/mfa/send",
    method: "POST",
+    url: "/mfa/send",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
@@ -48,6 +52,9 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/mfa/verify",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        mfaToken: z.string().trim()
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";

@@ -9,6 +10,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/memberships",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return organization user memberships",
      security: [
@@ -55,6 +59,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/workspaces",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return projects in organization that user is part of",
      security: [
@@ -101,6 +108,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:organizationId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Update organization user memberships",
      security: [
@@ -141,6 +151,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Delete organization user memberships",
      security: [
@@ -177,6 +190,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
+    config: {
+      rateLimit: creationLimit
+    },
    schema: {
      body: z.object({
        name: z.string().trim()
@@ -204,6 +220,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
--- a/backend/src/server/routes/v2/project-membership-router.ts
+++ b/backend/src/server/routes/v2/project-membership-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -10,6 +11,9 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  server.route({
    method: "POST",
    url: "/:projectId/memberships",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
@@ -56,6 +60,9 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
  server.route({
    method: "DELETE",
    url: "/:projectId/memberships",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -4,6 +4,7 @@ import { z } from "zod";
 import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -28,8 +29,11 @@ const slugSchema = z
 export const registerProjectRouter = async (server: FastifyZodProvider) => {
  /* Get project key */
  server.route({
-    url: "/:workspaceId/encrypted-key",
    method: "GET",
+    url: "/:workspaceId/encrypted-key",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return encrypted project key",
      security: [
@@ -77,8 +81,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {

  /* Start upgrade of a project */
  server.route({
-    url: "/:projectId/upgrade",
    method: "POST",
+    url: "/:projectId/upgrade",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -107,6 +114,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:projectId/upgrade/status",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -135,6 +145,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
+    config: {
+      rateLimit: creationLimit
+    },
    schema: {
      body: z.object({
        projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
@@ -183,6 +196,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:slug",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        slug: slugSchema.describe("The slug of the project to delete.")
@@ -214,6 +230,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:slug",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        slug: slugSchema.describe("The slug of the project to get.")
@@ -244,6 +263,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:slug",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        slug: slugSchema.describe("The slug of the project to update.")
--- a/backend/src/server/routes/v2/service-token-router.ts
+++ b/backend/src/server/routes/v2/service-token-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { ServiceTokensSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -17,8 +18,11 @@ export const sanitizedServiceTokenSchema = ServiceTokensSchema.omit({

 export const registerServiceTokenRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    onRequest: verifyAuth([AuthMode.SERVICE_TOKEN]),
    schema: {
      description: "Return Infisical Token data",
@@ -69,8 +73,11 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/",
    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      body: z.object({
@@ -122,8 +129,11 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:serviceTokenId",
    method: "DELETE",
+    url: "/:serviceTokenId",
+    config: {
+      rateLimit: writeLimit
+    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
      params: z.object({
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -2,13 +2,17 @@ import { z } from "zod";

 import { AuthTokenSessionsSchema, OrganizationsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode } from "@app/services/auth/auth-type";

 export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/me/mfa",
    method: "PATCH",
+    url: "/me/mfa",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        isMfaEnabled: z.boolean()
@@ -27,8 +31,11 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/me/name",
    method: "PATCH",
+    url: "/me/name",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        firstName: z.string().trim(),
@@ -48,8 +55,11 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/me/auth-methods",
    method: "PUT",
+    url: "/me/auth-methods",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        authMethods: z.nativeEnum(AuthMethod).array().min(1)
@@ -70,6 +80,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/me/organizations",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return organizations that current user is part of",
      security: [
@@ -93,6 +106,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/me/api-keys",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: ApiKeysSchema.omit({ secretHash: true }).array()
@@ -108,6 +124,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/me/api-keys",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      body: z.object({
        name: z.string().trim(),
@@ -130,6 +149,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/me/api-keys/:apiKeyDataId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        apiKeyDataId: z.string().trim()
@@ -150,6 +172,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/me/sessions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: AuthTokenSessionsSchema.array()
@@ -165,6 +190,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/me/sessions",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
@@ -184,6 +212,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/me",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Retrieve the current user on the request",
      security: [
@@ -207,6 +238,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/me",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/server/routes/v3/secret-blind-index-router.ts
+++ b/backend/src/server/routes/v3/secret-blind-index-router.ts
@@ -1,13 +1,17 @@
 import { z } from "zod";

 import { SecretsSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:projectId/secrets/blind-index-status",
    method: "GET",
+    url: "/:projectId/secrets/blind-index-status",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -30,8 +34,11 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:projectId/secrets",
    method: "GET",
+    url: "/:projectId/secrets",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@@ -63,8 +70,11 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
  });

  server.route({
-    url: "/:projectId/secrets/names",
    method: "POST",
+    url: "/:projectId/secrets/names",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -13,6 +13,7 @@ import { CommitType } from "@app/ee/services/secret-approval-request/secret-appr
 import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,8 +25,11 @@ import { secretRawSchema } from "../sanitizedSchemas";

 export const registerSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/tags/:secretName",
    method: "POST",
+    url: "/tags/:secretName",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Attach tags to a secret",
      security: [
@@ -83,8 +87,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/tags/:secretName",
    method: "DELETE",
+    url: "/tags/:secretName",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Detach tags from a secret",
      security: [
@@ -142,8 +149,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/raw",
    method: "GET",
+    url: "/raw",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "List secrets",
      security: [
@@ -261,8 +271,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/raw/:secretName",
    method: "GET",
+    url: "/raw/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Get a secret by name",
      security: [
@@ -353,8 +366,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/raw/:secretName",
    method: "POST",
+    url: "/raw/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Create secret",
      security: [
@@ -439,8 +455,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/raw/:secretName",
    method: "PATCH",
+    url: "/raw/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Update secret",
      security: [
@@ -522,8 +541,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/raw/:secretName",
    method: "DELETE",
+    url: "/raw/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      description: "Delete secret",
      security: [
@@ -599,8 +621,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      querystring: z.object({
        workspaceId: z.string().trim(),
@@ -711,8 +736,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:secretName",
    method: "GET",
+    url: "/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      params: z.object({
        secretName: z.string().trim()
@@ -789,6 +817,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:secretName",
    method: "POST",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      body: z.object({
        workspaceId: z.string().trim(),
@@ -955,8 +986,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:secretName",
    method: "PATCH",
+    url: "/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      params: z.object({
        secretName: z.string()
@@ -1139,8 +1173,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:secretName",
    method: "DELETE",
+    url: "/:secretName",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      params: z.object({
        secretName: z.string()
@@ -1260,8 +1297,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/batch",
    method: "POST",
+    url: "/batch",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      body: z.object({
        workspaceId: z.string().trim(),
@@ -1383,8 +1423,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/batch",
    method: "PATCH",
+    url: "/batch",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      body: z.object({
        workspaceId: z.string().trim(),
@@ -1506,8 +1549,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/batch",
    method: "DELETE",
+    url: "/batch",
+    config: {
+      rateLimit: secretsLimit
+    },
    schema: {
      body: z.object({
        workspaceId: z.string().trim(),
--- a/backend/src/server/routes/v3/user-router.ts
+++ b/backend/src/server/routes/v3/user-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -8,6 +9,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/me/api-keys",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      response: {
        200: z.object({
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -153,7 +153,7 @@ export const authLoginServiceFactory = ({
      username: email
    });
    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
-      throw new Error("Failed to find  user");
+      throw new Error("Failed to find user");
    }
    if (!userEnc.authMethods?.includes(AuthMethod.EMAIL)) {
      validateProviderAuthToken(providerAuthToken as string, email);
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@@ -192,7 +192,7 @@ export const authPaswordServiceFactory = ({
  }: TCreateBackupPrivateKeyDTO) => {
    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
-      throw new Error("Failed to find  user");
+      throw new Error("Failed to find user");
    }

    if (!userEnc.clientPublicKey || !userEnc.serverPrivateKey) throw new Error("failed to create backup key");
@@ -239,7 +239,7 @@ export const authPaswordServiceFactory = ({
  const getBackupPrivateKeyOfUser = async (userId: string) => {
    const user = await userDAL.findUserEncKeyByUserId(userId);
    if (!user || (user && !user.isAccepted)) {
-      throw new Error("Failed to find  user");
+      throw new Error("Failed to find user");
    }
    const backupKey = await authDAL.getBackupPrivateKeyByUserId(userId);
    if (!backupKey) throw new Error("Failed to find user backup key");
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@@ -146,7 +146,27 @@ export const integrationServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);

-    const deletedIntegration = await integrationDAL.deleteById(id);
+    const deletedIntegration = await integrationDAL.transaction(async (tx) => {
+      // delete integration
+      const deletedIntegrationResult = await integrationDAL.deleteById(id, tx);
+
+      // check if there are other integrations that share the same integration auth
+      const integrations = await integrationDAL.find(
+        {
+          integrationAuthId: integration.integrationAuthId
+        },
+        tx
+      );
+
+      if (integrations.length === 0) {
+        // no other integration shares the same integration auth
+        // -> delete the integration auth
+        await integrationAuthDAL.deleteById(integration.integrationAuthId, tx);
+      }
+
+      return deletedIntegrationResult;
+    });
+
    return { ...integration, ...deletedIntegration };
  };

--- a/backend/src/services/project-role/project-role-service.ts
+++ b/backend/src/services/project-role/project-role-service.ts
@@ -14,16 +14,25 @@ import {
 import { BadRequestError } from "@app/lib/errors";

 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
+import { TIdentityProjectMembershipRoleDALFactory } from "../identity-project/identity-project-membership-role-dal";
+import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TProjectRoleDALFactory } from "./project-role-dal";

 type TProjectRoleServiceFactoryDep = {
  projectRoleDAL: TProjectRoleDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getUserProjectPermission">;
+  identityProjectMembershipRoleDAL: TIdentityProjectMembershipRoleDALFactory;
+  projectUserMembershipRoleDAL: TProjectUserMembershipRoleDALFactory;
 };

 export type TProjectRoleServiceFactory = ReturnType<typeof projectRoleServiceFactory>;

-export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }: TProjectRoleServiceFactoryDep) => {
+export const projectRoleServiceFactory = ({
+  projectRoleDAL,
+  permissionService,
+  identityProjectMembershipRoleDAL,
+  projectUserMembershipRoleDAL
+}: TProjectRoleServiceFactoryDep) => {
  const createRole = async (
    actor: ActorType,
    actorId: string,
@@ -96,8 +105,25 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
+
+    const identityRole = await identityProjectMembershipRoleDAL.findOne({ customRoleId: roleId });
+    const projectUserRole = await projectUserMembershipRoleDAL.findOne({ customRoleId: roleId });
+
+    if (identityRole) {
+      throw new BadRequestError({
+        message: "The role is assigned to one or more identities. Make sure to unassign them before deleting the role.",
+        name: "Delete role"
+      });
+    }
+    if (projectUserRole) {
+      throw new BadRequestError({
+        message: "The role is assigned to one or more users. Make sure to unassign them before deleting the role.",
+        name: "Delete role"
+      });
+    }
+
    const [deletedRole] = await projectRoleDAL.delete({ id: roleId, projectId });
-    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Delete role" });

    return deletedRole;
  };
--- a/backend/src/services/project/project-dal.ts
+++ b/backend/src/services/project/project-dal.ts
@@ -126,13 +126,11 @@ export const projectDALFactory = (db: TDbClient) => {

  const findProjectById = async (id: string) => {
    try {
-      const workspaces = await db(TableName.ProjectMembership)
+      const workspaces = await db(TableName.Project)
        .where(`${TableName.Project}.id`, id)
-        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .join(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
        .select(
          selectAllTableCols(TableName.Project),
-          db.ref("id").withSchema(TableName.Project).as("_id"),
          db.ref("id").withSchema(TableName.Environment).as("envId"),
          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
          db.ref("name").withSchema(TableName.Environment).as("envName")
@@ -141,10 +139,11 @@ export const projectDALFactory = (db: TDbClient) => {
          { column: `${TableName.Project}.name`, order: "asc" },
          { column: `${TableName.Environment}.position`, order: "asc" }
        ]);
+
      const project = sqlNestRelationships({
        data: workspaces,
        key: "id",
-        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
+        parentMapper: ({ ...el }) => ({ _id: el.id, ...ProjectsSchema.parse(el) }),
        childrenMapper: [
          {
            key: "envId",
@@ -174,14 +173,12 @@ export const projectDALFactory = (db: TDbClient) => {
        throw new BadRequestError({ message: "Organization ID is required when querying with slugs" });
      }

-      const projects = await db(TableName.ProjectMembership)
+      const projects = await db(TableName.Project)
        .where(`${TableName.Project}.slug`, slug)
        .where(`${TableName.Project}.orgId`, orgId)
-        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .join(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
        .select(
          selectAllTableCols(TableName.Project),
-          db.ref("id").withSchema(TableName.Project).as("_id"),
          db.ref("id").withSchema(TableName.Environment).as("envId"),
          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
          db.ref("name").withSchema(TableName.Environment).as("envName")
@@ -194,7 +191,7 @@ export const projectDALFactory = (db: TDbClient) => {
      const project = sqlNestRelationships({
        data: projects,
        key: "id",
-        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
+        parentMapper: ({ ...el }) => ({ _id: el.id, ...ProjectsSchema.parse(el) }),
        childrenMapper: [
          {
            key: "envId",
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -6,6 +6,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { createSecretBlindIndex } from "@app/lib/crypto";
@@ -65,6 +66,7 @@ type TProjectServiceFactoryDep = {
  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  orgDAL: Pick<TOrgDALFactory, "findOne">;
+  keyStore: Pick<TKeyStoreFactory, "deleteItem">;
 };

 export type TProjectServiceFactory = ReturnType<typeof projectServiceFactory>;
@@ -86,7 +88,8 @@ export const projectServiceFactory = ({
  projectEnvDAL,
  licenseService,
  projectUserMembershipRoleDAL,
-  identityProjectMembershipRoleDAL
+  identityProjectMembershipRoleDAL,
+  keyStore
 }: TProjectServiceFactoryDep) => {
  /*
   * Create workspace. Make user the admin
@@ -323,6 +326,7 @@ export const projectServiceFactory = ({
      };
    });

+    await keyStore.deleteItem(`infisical-cloud-plan-${actorOrgId}`);
    return results;
  };

@@ -350,6 +354,7 @@ export const projectServiceFactory = ({
      return delProject;
    });

+    await keyStore.deleteItem(`infisical-cloud-plan-${actorOrgId}`);
    return deletedProject;
  };

--- a/backend/src/services/secret-folder/secret-folder-dal.ts
+++ b/backend/src/services/secret-folder/secret-folder-dal.ts
@@ -170,7 +170,8 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
          //  if the given folder id is root folder id then intial path is set as / instead of /root
          //  if not root folder the path here will be /<folder name>
          path: db.raw(`CONCAT('/', (CASE WHEN "parentId" is NULL THEN '' ELSE ${TableName.SecretFolder}.name END))`),
-          child: db.raw("NULL::uuid")
+          child: db.raw("NULL::uuid"),
+          environmentSlug: `${TableName.Environment}.slug`
        })
        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
        .where({ projectId })
@@ -190,14 +191,15 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
                  ELSE  CONCAT('/', secret_folders.name) 
                END, parent.path )`
                ),
-                child: db.raw("COALESCE(parent.child, parent.id)")
+                child: db.raw("COALESCE(parent.child, parent.id)"),
+                environmentSlug: "parent.environmentSlug"
              })
              .from(TableName.SecretFolder)
              .join("parent", "parent.parentId", `${TableName.SecretFolder}.id`)
        );
    })
    .select("*")
-    .from<TSecretFolders & { child: string | null; path: string }>("parent");
+    .from<TSecretFolders & { child: string | null; path: string; environmentSlug: string }>("parent");

 export type TSecretFolderDALFactory = ReturnType<typeof secretFolderDALFactory>;
 // never change this. If u do write a migration for it
@@ -257,10 +259,12 @@ export const secretFolderDALFactory = (db: TDbClient) => {
  const findSecretPathByFolderIds = async (projectId: string, folderIds: string[], tx?: Knex) => {
    try {
      const folders = await sqlFindSecretPathByFolderId(tx || db, projectId, folderIds);
+
      const rootFolders = groupBy(
        folders.filter(({ parentId }) => parentId === null),
        (i) => i.child || i.id // root condition then child and parent will null
      );
+
      return folderIds.map((folderId) => rootFolders[folderId]?.[0]);
    } catch (error) {
      throw new DatabaseError({ error, name: "Find by secret path" });
--- a/backend/src/services/secret-import/secret-import-dal.ts
+++ b/backend/src/services/secret-import/secret-import-dal.ts
@@ -49,7 +49,7 @@ export const secretImportDALFactory = (db: TDbClient) => {
    }
  };

-  const find = async (filter: Partial<TSecretImports>, tx?: Knex) => {
+  const find = async (filter: Partial<TSecretImports & { projectId: string }>, tx?: Knex) => {
    try {
      const docs = await (tx || db)(TableName.SecretImport)
        .where(filter)
--- a/backend/src/services/secret-import/secret-import-service.ts
+++ b/backend/src/services/secret-import/secret-import-service.ts
@@ -7,6 +7,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretDALFactory } from "../secret/secret-dal";
+import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "./secret-import-dal";
 import { fnSecretsFromImports } from "./secret-import-fns";
@@ -25,6 +26,7 @@ type TSecretImportServiceFactoryDep = {
  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
  projectEnvDAL: TProjectEnvDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets">;
 };

 const ERR_SEC_IMP_NOT_FOUND = new BadRequestError({ message: "Secret import not found" });
@@ -37,7 +39,8 @@ export const secretImportServiceFactory = ({
  permissionService,
  folderDAL,
  projectDAL,
-  secretDAL
+  secretDAL,
+  secretQueueService
 }: TSecretImportServiceFactoryDep) => {
  const createImport = async ({
    environment,
@@ -77,10 +80,19 @@ export const secretImportServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
    if (!folder) throw new BadRequestError({ message: "Folder not found", name: "Create import" });

-    // TODO(akhilmhdh-pg): updated permission check add here
    const [importEnv] = await projectEnvDAL.findBySlugs(projectId, [data.environment]);
    if (!importEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });

+    const sourceFolder = await folderDAL.findBySecretPath(projectId, data.environment, data.path);
+    if (sourceFolder) {
+      const existingImport = await secretImportDAL.findOne({
+        folderId: sourceFolder.id,
+        importEnv: folder.environment.id,
+        importPath: path
+      });
+      if (existingImport) throw new BadRequestError({ message: "Cyclic import not allowed" });
+    }
+
    const secImport = await secretImportDAL.transaction(async (tx) => {
      const lastPos = await secretImportDAL.findLastImportPosition(folder.id, tx);
      return secretImportDAL.create(
@@ -94,6 +106,12 @@ export const secretImportServiceFactory = ({
      );
    });

+    await secretQueueService.syncSecrets({
+      secretPath: secImport.importPath,
+      projectId,
+      environment: importEnv.slug
+    });
+
    return { ...secImport, importEnv };
  };

@@ -131,6 +149,20 @@ export const secretImportServiceFactory = ({
      : await projectEnvDAL.findById(secImpDoc.importEnv);
    if (!importedEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });

+    const sourceFolder = await folderDAL.findBySecretPath(
+      projectId,
+      importedEnv.slug,
+      data.path || secImpDoc.importPath
+    );
+    if (sourceFolder) {
+      const existingImport = await secretImportDAL.findOne({
+        folderId: sourceFolder.id,
+        importEnv: folder.environment.id,
+        importPath: path
+      });
+      if (existingImport) throw new BadRequestError({ message: "Cyclic import not allowed" });
+    }
+
    const updatedSecImport = await secretImportDAL.transaction(async (tx) => {
      const secImp = await secretImportDAL.findOne({ folderId: folder.id, id });
      if (!secImp) throw ERR_SEC_IMP_NOT_FOUND;
@@ -185,6 +217,13 @@ export const secretImportServiceFactory = ({
      if (!importEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });
      return { ...doc, importEnv };
    });
+
+    await secretQueueService.syncSecrets({
+      secretPath: path,
+      projectId,
+      environment
+    });
+
    return secImport;
  };

--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@@ -3,7 +3,7 @@ import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { BadRequestError } from "@app/lib/errors";
-import { isSamePath } from "@app/lib/fn";
+import { groupBy, isSamePath, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -23,7 +23,6 @@ import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
-import { fnSecretsFromImports } from "../secret-import/secret-import-fns";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TWebhookDALFactory } from "../webhook/webhook-dal";
 import { fnTriggerWebhook } from "../webhook/webhook-fns";
@@ -32,7 +31,6 @@ import { interpolateSecrets } from "./secret-fns";
 import { TCreateSecretReminderDTO, THandleReminderDTO, TRemoveSecretReminderDTO } from "./secret-types";

 export type TSecretQueueFactory = ReturnType<typeof secretQueueFactory>;
-
 type TSecretQueueFactoryDep = {
  queueService: TQueueServiceFactory;
  integrationDAL: Pick<TIntegrationDALFactory, "findByProjectIdV2" | "updateById">;
@@ -60,6 +58,8 @@ export type TGetSecrets = {
  environment: string;
 };

+const MAX_SYNC_SECRET_DEPTH = 5;
+
 export const secretQueueFactory = ({
  queueService,
  integrationDAL,
@@ -117,7 +117,10 @@ export const secretQueueFactory = ({
    });
  };

-  const syncSecrets = async (dto: TGetSecrets) => {
+  const syncSecrets = async (dto: TGetSecrets & { depth?: number }) => {
+    logger.info(
+      `syncSecrets: syncing project secrets where [projectId=${dto.projectId}]  [environment=${dto.environment}] [path=${dto.secretPath}]`
+    );
    await queueService.queue(QueueName.SecretWebhook, QueueJobs.SecWebhook, dto, {
      jobId: `secret-webhook-${dto.environment}-${dto.projectId}-${dto.secretPath}`,
      removeOnFail: { count: 5 },
@@ -227,62 +230,42 @@ export const secretQueueFactory = ({
    }
  };

-  const getIntegrationSecrets = async (dto: TGetSecrets & { folderId: string }, key: string) => {
+  type Content = Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>;
+
+  /**
+   * Return the secrets in a given [folderId] including secrets from
+   * nested imported folders recursively.
+   */
+  const getIntegrationSecrets = async (dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    key: string;
+    depth: number;
+  }) => {
+    let content: Content = {};
+    if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+      logger.info(
+        `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+      );
+      return content;
+    }
+
+    // process secrets in current folder
    const secrets = await secretDAL.findByFolderId(dto.folderId);
-
-    // get imported secrets
-    const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
-    const importedSecrets = await fnSecretsFromImports({
-      allowedImports: secretImport,
-      secretDAL,
-      folderDAL
-    });
-
-    if (!secrets.length && !importedSecrets.length) return {};
-
-    const content: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
-
-    importedSecrets.forEach(({ secrets: secs }) => {
-      secs.forEach((secret) => {
-        const secretKey = decryptSymmetric128BitHexKeyUTF8({
-          ciphertext: secret.secretKeyCiphertext,
-          iv: secret.secretKeyIV,
-          tag: secret.secretKeyTag,
-          key
-        });
-        const secretValue = decryptSymmetric128BitHexKeyUTF8({
-          ciphertext: secret.secretValueCiphertext,
-          iv: secret.secretValueIV,
-          tag: secret.secretValueTag,
-          key
-        });
-        content[secretKey] = { value: secretValue };
-        content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
-
-        if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
-          const commentValue = decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: secret.secretCommentCiphertext,
-            iv: secret.secretCommentIV,
-            tag: secret.secretCommentTag,
-            key
-          });
-          content[secretKey].comment = commentValue;
-        }
-      });
-    });
    secrets.forEach((secret) => {
      const secretKey = decryptSymmetric128BitHexKeyUTF8({
        ciphertext: secret.secretKeyCiphertext,
        iv: secret.secretKeyIV,
        tag: secret.secretKeyTag,
-        key
+        key: dto.key
      });

      const secretValue = decryptSymmetric128BitHexKeyUTF8({
        ciphertext: secret.secretValueCiphertext,
        iv: secret.secretValueIV,
        tag: secret.secretValueTag,
-        key
+        key: dto.key
      });

      content[secretKey] = { value: secretValue };
@@ -292,38 +275,111 @@ export const secretQueueFactory = ({
          ciphertext: secret.secretCommentCiphertext,
          iv: secret.secretCommentIV,
          tag: secret.secretCommentTag,
-          key
+          key: dto.key
        });
        content[secretKey].comment = commentValue;
      }

      content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
    });
+
    const expandSecrets = interpolateSecrets({
      projectId: dto.projectId,
-      secretEncKey: key,
+      secretEncKey: dto.key,
      folderDAL,
      secretDAL
    });
+
    await expandSecrets(content);
+
+    // check if current folder has any imports from other folders
+    const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
+
+    // if no imports then return secrets in the current folder
+    if (!secretImport) return content;
+
+    const importedFolders = await folderDAL.findByManySecretPath(
+      secretImport.map(({ importEnv, importPath }) => ({
+        envId: importEnv.id,
+        secretPath: importPath
+      }))
+    );
+
+    for await (const folder of importedFolders) {
+      if (folder) {
+        // get secrets contained in each imported folder by recursively calling
+        // this function against the imported folder
+        const importedSecrets = await getIntegrationSecrets({
+          environment: dto.environment,
+          projectId: dto.projectId,
+          folderId: folder.id,
+          key: dto.key,
+          depth: dto.depth + 1
+        });
+
+        // add the imported secrets to the current folder secrets
+        content = { ...content, ...importedSecrets };
+      }
+    }
+
    return content;
  };

  queueService.start(QueueName.IntegrationSync, async (job) => {
-    const { environment, projectId, secretPath } = job.data;
+    const { environment, projectId, secretPath, depth = 1 } = job.data;
+
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder) {
-      logger.error("Secret path not found");
+      logger.error(new Error("Secret path not found"));
      return;
    }

-    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment);
+    // start syncing all linked imports also
+    if (depth < MAX_SYNC_SECRET_DEPTH) {
+      // find all imports made with the given environment and secret path
+      const linkSourceDto = {
+        projectId,
+        importEnv: folder.environment.id,
+        importPath: secretPath
+      };
+      const imports = await secretImportDAL.find(linkSourceDto);
+
+      if (imports.length) {
+        // keep calling sync secret for all the imports made
+        const importedFolderIds = unique(imports, (i) => i.folderId).map(({ folderId }) => folderId);
+        const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
+        const foldersGroupedById = groupBy(importedFolders, (i) => i.child || i.id);
+        await Promise.all(
+          imports
+            .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0].path))
+            .map(({ folderId }) => {
+              const syncDto = {
+                depth: depth + 1,
+                projectId,
+                secretPath: foldersGroupedById[folderId][0].path,
+                environment: foldersGroupedById[folderId][0].environmentSlug
+              };
+              logger.info(
+                `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+              );
+              return syncSecrets(syncDto);
+            })
+        );
+      }
+    } else {
+      logger.info(`getIntegrationSecrets: Secret depth exceeded for [projectId=${projectId}] [folderId=${folder.id}]`);
+    }
+
+    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
    const toBeSyncedIntegrations = integrations.filter(
+      // note: sync only the integrations sourced from secretPath
      ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
    );

    if (!integrations.length) return;
-    logger.info("Secret integration sync started", job.data, job.id);
+    logger.info(
+      `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${job.data.depth}]`
+    );
    for (const integration of toBeSyncedIntegrations) {
      const integrationAuth = {
        ...integration.integrationAuth,
@@ -334,7 +390,13 @@ export const secretQueueFactory = ({

      const botKey = await projectBotService.getBotKey(projectId);
      const { accessToken, accessId } = await integrationAuthService.getIntegrationAccessToken(integrationAuth, botKey);
-      const secrets = await getIntegrationSecrets({ environment, projectId, secretPath, folderId: folder.id }, botKey);
+      const secrets = await getIntegrationSecrets({
+        environment,
+        projectId,
+        folderId: folder.id,
+        key: botKey,
+        depth: 1
+      });
      const suffixedSecrets: typeof secrets = {};
      const metadata = integration.metadata as Record<string, string>;
      if (metadata) {
@@ -362,7 +424,7 @@ export const secretQueueFactory = ({
      });
    }

-    logger.info("Secret integration sync ended", job.id);
+    logger.info("Secret integration sync ended: %s", job.id);
  });

  queueService.start(QueueName.SecretReminder, async ({ data }) => {
@@ -403,7 +465,7 @@ export const secretQueueFactory = ({
  });

  queueService.listen(QueueName.IntegrationSync, "failed", (job, err) => {
-    logger.error("Failed to sync integration", job?.data, err);
+    logger.error(err, "Failed to sync integration %s", job?.id);
  });

  queueService.start(QueueName.SecretWebhook, async (job) => {
@@ -411,7 +473,8 @@ export const secretQueueFactory = ({
  });

  return {
-    syncSecrets,
+    // depth is internal only field thus no need to make it available outside
+    syncSecrets: (dto: TGetSecrets) => syncSecrets(dto),
    syncIntegrations,
    addSecretReminder,
    removeSecretReminder,
--- a/docs/api-reference/endpoints/integrations/list-project-integrations.mdx
+++ b/docs/api-reference/endpoints/integrations/list-project-integrations.mdx
@@ -0,0 +1,4 @@
+---
+title: "List Project Integrations"
+openapi: "GET /api/v1/workspace/{workspaceId}/integrations"
+---
--- a/docs/api-reference/overview/examples/e2ee-disabled.mdx
+++ b/docs/api-reference/overview/examples/e2ee-disabled.mdx
@@ -1,180 +0,0 @@
---
-title: "E2EE Disabled"
---
-
-Using Infisical's API to read/write secrets with E2EE disabled allows you to create, update, and retrieve secrets
-in plaintext. Effectively, this means each such secret operation only requires 1 HTTP call.
-
-<AccordionGroup>
-    <Accordion title="Retrieve secrets">
-        Retrieve all secrets for an Infisical project and environment. 
-        <Tabs>
-            <Tab title="cURL">
-                ```bash
-                curl --location --request GET 'https://app.infisical.com/api/v3/secrets/raw?environment=environment&workspaceId=workspaceId' \
-                    --header 'Authorization: Bearer serviceToken'
-
-                ```
-            </Tab>
-        </Tabs>
-    ####
-    <Info>
-        When using a [service token](../../../documentation/platform/token) with access to a single environment and path, you don't need to provide request parameters because the server will automatically scope the request to the defined environment/secrets path of the service token used. 
-        For all other cases, request parameters are required.
-    </Info>
-    ####
-        <ParamField query="workspaceId" type="string" required>
-            The ID of the workspace
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The environment slug
-        </ParamField>
-        <ParamField query="secretPath" type="string" default="/" optional>
-            Path to secrets in workspace
-        </ParamField>
-    </Accordion>
-    <Accordion title="Create secret">
-        Create a secret in Infisical.
-
-        <Tabs>
-            <Tab title="cURL">
-                ```bash
-                curl --location --request POST 'https://app.infisical.com/api/v3/secrets/raw/secretName' \
-                    --header 'Authorization: Bearer serviceToken' \
-                    --header 'Content-Type: application/json' \
-                    --data-raw '{
-                        "workspaceId": "workspaceId",
-                        "environment": "environment",
-                        "type": "shared",
-                        "secretValue": "secretValue",
-                        "secretPath": "/"
-                    }'
-                ```
-            </Tab>
-        </Tabs>
-
-        <ParamField path="secretName" type="string" required>
-            Name of secret to create
-        </ParamField>
-        <ParamField body="workspaceId" type="string" required>
-            The ID of the workspace
-        </ParamField>
-        <ParamField body="environment" type="string" required>
-            The environment slug
-        </ParamField>
-        <ParamField body="secretValue" type="string" required>
-            Value of secret
-        </ParamField>
-        <ParamField body="secretComment" type="string" optional>
-            Comment of secret
-        </ParamField>
-        <ParamField body="secretPath" type="string" default="/" optional>
-            Path to secret in workspace
-        </ParamField>
-        <ParamField query="type" type="string" optional default="shared">
-            The type of the secret. Valid options are “shared” or “personal”
-        </ParamField>
-    </Accordion>
-    <Accordion title="Retrieve secret">
-        Retrieve a secret from Infisical.
-
-        <Tabs>
-            <Tab title="cURL">
-                ```bash
-                curl --location --request GET 'https://app.infisical.com/api/v3/secrets/raw/secretName?workspaceId=workspaceId&environment=environment' \
-                    --header 'Authorization: Bearer serviceToken'
-                ```
-            </Tab>
-        </Tabs>
-
-        <ParamField path="secretName" type="string" required>
-            Name of secret to retrieve
-        </ParamField>
-        <ParamField query="workspaceId" type="string" required>
-            The ID of the workspace
-        </ParamField>
-        <ParamField query="environment" type="string" required>
-            The environment slug
-        </ParamField>
-        <ParamField query="secretPath" type="string" default="/" optional>
-            Path to secrets in workspace
-        </ParamField>
-        <ParamField query="type" type="string" optional default="personal">
-            The type of the secret. Valid options are “shared” or “personal”
-        </ParamField>
-    </Accordion>
-    <Accordion title="Update secret">
-        Update an existing secret in Infisical.
-
-        <Tabs>
-            <Tab title="cURL">
-                ```bash
-                curl --location --request PATCH 'https://app.infisical.com/api/v3/secrets/raw/secretName' \
-                    --header 'Authorization: Bearer serviceToken' \
-                    --header 'Content-Type: application/json' \
-                    --data-raw '{
-                        "workspaceId": "workspaceId",
-                        "environment": "environment",
-                        "type": "shared",
-                        "secretValue": "secretValue",
-                        "secretPath": "/"
-                    }'
-                ```
-            </Tab>
-        </Tabs>
-
-        <ParamField path="secretName" type="string" required>
-            Name of secret to update
-        </ParamField>
-        <ParamField body="workspaceId" type="string" required>
-            The ID of the workspace
-        </ParamField>
-        <ParamField body="environment" type="string" required>
-            The environment slug
-        </ParamField>
-        <ParamField body="secretValue" type="string" required>
-            Value of secret
-        </ParamField>
-        <ParamField body="secretPath" type="string" default="/" optional>
-            Path to secret in workspace.
-        </ParamField>
-        <ParamField query="type" type="string" optional default="shared">
-            The type of the secret. Valid options are “shared” or “personal”
-        </ParamField>
-    </Accordion>
-    <Accordion title="Delete secret">
-        Delete a secret in Infisical.
-
-        <Tabs>
-            <Tab title="cURL">
-                ```bash
-            curl --location --request DELETE 'https://app.infisical.com/api/v3/secrets/raw/secretName' \
-                --header 'Authorization: Bearer serviceToken' \
-                --header 'Content-Type: application/json' \
-                --data-raw '{
-                    "workspaceId": "workspaceId",
-                    "environment": "environment",
-                    "type": "shared",
-                    "secretPath": "/"
-                }'
-                ```
-            </Tab>
-        </Tabs>
-
-        <ParamField path="secretName" type="string" required>
-            Name of secret to update
-        </ParamField>
-        <ParamField body="workspaceId" type="string" required>
-            The ID of the workspace
-        </ParamField>
-        <ParamField body="environment" type="string" required>
-            The environment slug
-        </ParamField>
-        <ParamField body="secretPath" type="string" default="/" optional>
-            Path to secret in workspace.
-        </ParamField>
-        <ParamField query="type" type="string" optional default="personal">
-            The type of the secret. Valid options are “shared” or “personal”
-    </ParamField>
-    </Accordion>
-</AccordionGroup>
--- a/docs/api-reference/overview/examples/e2ee-enabled.mdx
+++ b/docs/api-reference/overview/examples/e2ee-enabled.mdx
@@ -1,862 +0,0 @@
---
-title: "E2EE Enabled"
---
-
-<Note>
-    E2EE enabled mode only works with [Service Tokens](/documentation/platform/token) and cannot be used with [Identities](/documentation/platform/identities/overview).
-</Note>
-
-Using Infisical's API to read/write secrets with E2EE enabled allows you to create, update, and retrieve secrets
-but requires you to perform client-side encryption/decryption operations. For this reason, we recommend using one of the available
-SDKs instead.
-
-<AccordionGroup>
-    <Accordion title="Retrieve secrets">
-        <Tabs>
-  <Tab title="Javascript">
-   Retrieve all secrets for an Infisical project and environment.
-```js
-const crypto = require('crypto');
-const axios = require('axios');
-
-const BASE_URL = 'https://app.infisical.com';
-const ALGORITHM = 'aes-256-gcm';
-
-const decrypt = ({ ciphertext, iv, tag, secret}) => {
-	const decipher = crypto.createDecipheriv(
-		ALGORITHM,
-		secret,
-		Buffer.from(iv, 'base64')
-	);
-	decipher.setAuthTag(Buffer.from(tag, 'base64'));
-
-    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
-    cleartext += decipher.final('utf8');
-
-    return cleartext;
-}
-
-const getSecrets = async () => {
-	const serviceToken = 'your_service_token';
-	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
-
-    // 1. Get your Infisical Token data
-    const { data: serviceTokenData } = await axios.get(
-       `${BASE_URL}/api/v2/service-token`,
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-
-    // 2. Get secrets for your project and environment
-    const { data } = await axios.get(
-       `${BASE_URL}/api/v3/secrets?${new URLSearchParams({
-            environment: serviceTokenData.environment,
-            workspaceId: serviceTokenData.workspace
-        })}`,
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-
-    const encryptedSecrets = data.secrets;
-
-    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
-    const projectKey = decrypt({
-        ciphertext: serviceTokenData.encryptedKey,
-        iv: serviceTokenData.iv,
-        tag: serviceTokenData.tag,
-        secret: serviceTokenSecret
-    });
-
-	// 4. Decrypt the (encrypted) secrets
-    const secrets = encryptedSecrets.map((secret) => {
-        const secretKey = decrypt({
-          ciphertext: secret.secretKeyCiphertext,
-          iv: secret.secretKeyIV,
-          tag: secret.secretKeyTag,
-          secret: projectKey
-        });
-
-        const secretValue = decrypt({
-          ciphertext: secret.secretValueCiphertext,
-          iv: secret.secretValueIV,
-          tag: secret.secretValueTag,
-          secret: projectKey
-        });
-
-        return ({
-            secretKey,
-            secretValue
-        });
-    });
-
-    console.log('secrets: ', secrets);
-}
-
-getSecrets();
-
-```
-  </Tab>
-
-<Tab title="Python">
-```Python
-import requests
-import base64
-from Cryptodome.Cipher import AES
-
-
-BASE_URL = "http://app.infisical.com"
-
-
-def decrypt(ciphertext, iv, tag, secret):
-    secret = bytes(secret, "utf-8")
-    iv = base64.standard_b64decode(iv)
-    tag = base64.standard_b64decode(tag)
-    ciphertext = base64.standard_b64decode(ciphertext)
-
-    cipher = AES.new(secret, AES.MODE_GCM, iv)
-    cipher.update(tag)
-    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
-    return cleartext
-
-
-def get_secrets():
-    service_token = "your_service_token"
-    service_token_secret = service_token[service_token.rindex(".") + 1 :]
-
-    # 1. Get your Infisical Token data
-    service_token_data = requests.get(
-        f"{BASE_URL}/api/v2/service-token",
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json()
-
-    # 2. Get secrets for your project and environment
-    data = requests.get(
-        f"{BASE_URL}/api/v3/secrets",
-        params={
-            "environment": service_token_data["environment"],
-            "workspaceId": service_token_data["workspace"],
-        },
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json()
-
-    encrypted_secrets = data["secrets"]
-
-    # 3. Decrypt the (encrypted) project key with the key from your Infisical Token
-    project_key = decrypt(
-        ciphertext=service_token_data["encryptedKey"],
-        iv=service_token_data["iv"],
-        tag=service_token_data["tag"],
-        secret=service_token_secret,
-    )
-
-    # 4. Decrypt the (encrypted) secrets
-    secrets = []
-    for secret in encrypted_secrets:
-        secret_key = decrypt(
-            ciphertext=secret["secretKeyCiphertext"],
-            iv=secret["secretKeyIV"],
-            tag=secret["secretKeyTag"],
-            secret=project_key,
-        )
-
-        secret_value = decrypt(
-            ciphertext=secret["secretValueCiphertext"],
-            iv=secret["secretValueIV"],
-            tag=secret["secretValueTag"],
-            secret=project_key,
-        )
-
-        secrets.append(
-            {
-                "secret_key": secret_key,
-                "secret_value": secret_value,
-            }
-        )
-
-    print("secrets:", secrets)
-
-
-get_secrets()
-
-```
-</Tab>
-</Tabs>
-    </Accordion>
-    <Accordion title="Create secret">
-        <Tabs>
-<Tab title="Javascript">
-Create a secret in Infisical.
-```js
-const crypto = require('crypto');
-const axios = require('axios');
-const nacl = require('tweetnacl');
-
-const BASE_URL = 'https://app.infisical.com';
-const ALGORITHM = 'aes-256-gcm';
-const BLOCK_SIZE_BYTES = 16;
-
-const encrypt = ({ text, secret }) => {
-    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
-    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);
-
-    let ciphertext = cipher.update(text, 'utf8', 'base64');
-    ciphertext += cipher.final('base64');
-    return {
-        ciphertext,
-        iv: iv.toString('base64'),
-        tag: cipher.getAuthTag().toString('base64')
-    };
-}
-
-const decrypt = ({ ciphertext, iv, tag, secret}) => {
-	const decipher = crypto.createDecipheriv(
-		ALGORITHM,
-		secret,
-		Buffer.from(iv, 'base64')
-	);
-	decipher.setAuthTag(Buffer.from(tag, 'base64'));
-
-	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
-	cleartext += decipher.final('utf8');
-
-	return cleartext;
-}
-
-const createSecrets = async () => {
-    const serviceToken = '';
-    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
-    
-    const secretType = 'shared'; // 'shared' or 'personal'
-    const secretKey = 'some_key';
-    const secretValue = 'some_value';
-    const secretComment = 'some_comment';
-
-    // 1. Get your Infisical Token data
-    const { data: serviceTokenData } = await axios.get(
-       `${BASE_URL}/api/v2/service-token`,
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-
-    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
-    const projectKey = decrypt({
-        ciphertext: serviceTokenData.encryptedKey,
-        iv: serviceTokenData.iv,
-        tag: serviceTokenData.tag,
-        secret: serviceTokenSecret
-    });
-    
-	// 3. Encrypt your secret with the project key
-    const {
-        ciphertext: secretKeyCiphertext,
-        iv: secretKeyIV,
-        tag: secretKeyTag
-    } = encrypt({
-        text: secretKey,
-        secret: projectKey
-    });
-
-    const {
-        ciphertext: secretValueCiphertext,
-        iv: secretValueIV,
-        tag: secretValueTag
-    } = encrypt({
-        text: secretValue,
-        secret: projectKey
-    });
-
-    const {
-        ciphertext: secretCommentCiphertext,
-        iv: secretCommentIV,
-        tag: secretCommentTag
-    } = encrypt({
-        text: secretComment,
-        secret: projectKey
-    });
-
-	// 4. Send (encrypted) secret to Infisical
-    await axios.post(
-        `${BASE_URL}/api/v3/secrets/${secretKey}`,
-        {
-            workspaceId: serviceTokenData.workspace,
-            environment: serviceTokenData.environment,
-            type: secretType,
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag
-        },
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-}
-
-createSecrets();
-```
-</Tab>
-
-<Tab title="Python">
-```Python
-import base64
-import requests
-from Cryptodome.Cipher import AES
-from Cryptodome.Random import get_random_bytes
-
-
-BASE_URL = "https://app.infisical.com"
-BLOCK_SIZE_BYTES = 16
-
-
-def encrypt(text, secret):
-    iv = get_random_bytes(BLOCK_SIZE_BYTES)
-    secret = bytes(secret, "utf-8")
-    cipher = AES.new(secret, AES.MODE_GCM, iv)
-    ciphertext, tag = cipher.encrypt_and_digest(text.encode("utf-8"))
-    return {
-        "ciphertext": base64.standard_b64encode(ciphertext).decode("utf-8"),
-        "tag": base64.standard_b64encode(tag).decode("utf-8"),
-        "iv": base64.standard_b64encode(iv).decode("utf-8"),
-    }
-
-
-def decrypt(ciphertext, iv, tag, secret):
-    secret = bytes(secret, "utf-8")
-    iv = base64.standard_b64decode(iv)
-    tag = base64.standard_b64decode(tag)
-    ciphertext = base64.standard_b64decode(ciphertext)
-
-    cipher = AES.new(secret, AES.MODE_GCM, iv)
-    cipher.update(tag)
-    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
-    return cleartext
-
-
-def create_secrets():
-    service_token = "your_service_token"
-    service_token_secret = service_token[service_token.rindex(".") + 1 :]
-
-    secret_type = "shared"  # "shared or "personal"
-    secret_key = "some_key"
-    secret_value = "some_value"
-    secret_comment = "some_comment"
-
-    # 1. Get your Infisical Token data
-    service_token_data = requests.get(
-        f"{BASE_URL}/api/v2/service-token",
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json()
-
-    # 2. Decrypt the (encrypted) project key with the key from your Infisical Token
-    project_key = decrypt(
-        ciphertext=service_token_data["encryptedKey"],
-        iv=service_token_data["iv"],
-        tag=service_token_data["tag"],
-        secret=service_token_secret,
-    )
-
-    # 3. Encrypt your secret with the project key
-    encrypted_key_data = encrypt(text=secret_key, secret=project_key)
-    encrypted_value_data = encrypt(text=secret_value, secret=project_key)
-    encrypted_comment_data = encrypt(text=secret_comment, secret=project_key)
-
-    # 4. Send (encrypted) secret to Infisical
-    requests.post(
-        f"{BASE_URL}/api/v3/secrets/{secret_key}",
-        json={
-            "workspaceId": service_token_data["workspace"],
-            "environment": service_token_data["environment"],
-            "type": secret_type,
-            "secretKeyCiphertext": encrypted_key_data["ciphertext"],
-            "secretKeyIV": encrypted_key_data["iv"],
-            "secretKeyTag": encrypted_key_data["tag"],
-            "secretValueCiphertext": encrypted_value_data["ciphertext"],
-            "secretValueIV": encrypted_value_data["iv"],
-            "secretValueTag": encrypted_value_data["tag"],
-            "secretCommentCiphertext": encrypted_comment_data["ciphertext"],
-            "secretCommentIV": encrypted_comment_data["iv"],
-            "secretCommentTag": encrypted_comment_data["tag"]
-        },
-        headers={"Authorization": f"Bearer {service_token}"},
-    )
-
-
-create_secrets()
-
-```
-</Tab>
-</Tabs>
-    </Accordion>
-    <Accordion title="Retrieve secret">
-        <Tabs>
-  <Tab title="Javascript">
-  Retrieve a secret from Infisical.
-```js
-const crypto = require('crypto');
-const axios = require('axios');
-
-const BASE_URL = 'https://app.infisical.com';
-const ALGORITHM = 'aes-256-gcm';
-
-const decrypt = ({ ciphertext, iv, tag, secret}) => {
-	const decipher = crypto.createDecipheriv(
-		ALGORITHM,
-		secret,
-		Buffer.from(iv, 'base64')
-	);
-	decipher.setAuthTag(Buffer.from(tag, 'base64'));
-
-    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
-    cleartext += decipher.final('utf8');
-
-    return cleartext;
-}
-
-const getSecret = async () => {
-	const serviceToken = 'your_service_token';
-	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
-    
-    const secretType = 'shared' // 'shared' or 'personal'
-    const secretKey = 'some_key';
-
-    // 1. Get your Infisical Token data
-    const { data: serviceTokenData } = await axios.get(
-       `${BASE_URL}/api/v2/service-token`,
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-
-    // 2. Get the secret from your project and environment
-    const { data } = await axios.get(
-       `${BASE_URL}/api/v3/secrets/${secretKey}?${new URLSearchParams({
-            environment: serviceTokenData.environment,
-            workspaceId: serviceTokenData.workspace,
-            type: secretType // optional, defaults to 'shared'
-        })}`,
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-
-    const encryptedSecret = data.secret;
-
-    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
-    const projectKey = decrypt({
-        ciphertext: serviceTokenData.encryptedKey,
-        iv: serviceTokenData.iv,
-        tag: serviceTokenData.tag,
-        secret: serviceTokenSecret
-    });
-
-	// 4. Decrypt the (encrypted) secret value
-
-    const secretValue = decrypt({
-        ciphertext: encryptedSecret.secretValueCiphertext,
-        iv: encryptedSecret.secretValueIV,
-        tag: encryptedSecret.secretValueTag,
-        secret: projectKey
-    });
-
-    console.log('secret: ', ({
-        secretKey,
-        secretValue
-    }));
-}
-
-getSecret();
-
-```
-  </Tab>
-
-<Tab title="Python">
-```Python
-import requests
-import base64
-from Cryptodome.Cipher import AES
-
-
-BASE_URL = "http://app.infisical.com"
-
-
-def decrypt(ciphertext, iv, tag, secret):
-    secret = bytes(secret, "utf-8")
-    iv = base64.standard_b64decode(iv)
-    tag = base64.standard_b64decode(tag)
-    ciphertext = base64.standard_b64decode(ciphertext)
-
-    cipher = AES.new(secret, AES.MODE_GCM, iv)
-    cipher.update(tag)
-    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
-    return cleartext
-
-
-def get_secret():
-    service_token = "your_service_token"
-    service_token_secret = service_token[service_token.rindex(".") + 1 :]
-
-    secret_type = "shared" # "shared" or "personal"
-    secret_key = "some_key"
-
-    # 1. Get your Infisical Token data
-    service_token_data = requests.get(
-        f"{BASE_URL}/api/v2/service-token",
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json()
-
-    # 2. Get secret from your project and environment
-    data = requests.get(
-        f"{BASE_URL}/api/v3/secrets/{secret_key}",
-        params={
-            "environment": service_token_data["environment"],
-            "workspaceId": service_token_data["workspace"],
-            "type": secret_type # optional, defaults to "shared"
-        },
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json()
-
-    encrypted_secret = data["secret"]
-
-    # 3. Decrypt the (encrypted) project key with the key from your Infisical Token
-    project_key = decrypt(
-        ciphertext=service_token_data["encryptedKey"],
-        iv=service_token_data["iv"],
-        tag=service_token_data["tag"],
-        secret=service_token_secret,
-    )
-
-    # 4. Decrypt the (encrypted) secret value
-    secret_value = decrypt(
-        ciphertext=encrypted_secret["secretValueCiphertext"],
-        iv=encrypted_secret["secretValueIV"],
-        tag=encrypted_secret["secretValueTag"],
-        secret=project_key,
-    )
-
-    print("secret: ", {
-        "secret_key": secret_key,
-        "secret_value": secret_value
-    })
-
-
-get_secret()
-
-```
-</Tab>
-</Tabs>
-    </Accordion>
-    <Accordion title="Update secret">
-        <Tabs>
-<Tab title="Javascript">
-Update an existing secret in Infisical.
-```js
-const crypto = require('crypto');
-const axios = require('axios');
-
-const BASE_URL = 'https://app.infisical.com';
-const ALGORITHM = 'aes-256-gcm';
-const BLOCK_SIZE_BYTES = 16;
-
-const encrypt = ({ text, secret }) => {
-    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
-    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);
-
-    let ciphertext = cipher.update(text, 'utf8', 'base64');
-    ciphertext += cipher.final('base64');
-    return {
-        ciphertext,
-        iv: iv.toString('base64'),
-        tag: cipher.getAuthTag().toString('base64')
-    };
-}
-
-const decrypt = ({ ciphertext, iv, tag, secret}) => {
-	const decipher = crypto.createDecipheriv(
-		ALGORITHM,
-		secret,
-		Buffer.from(iv, 'base64')
-	);
-	decipher.setAuthTag(Buffer.from(tag, 'base64'));
-
-	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
-	cleartext += decipher.final('utf8');
-
-	return cleartext;
-}
-
-const updateSecrets = async () => {
-    const serviceToken = 'your_service_token';
-    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
-    
-    const secretType = 'shared' // 'shared' or 'personal'
-    const secretKey = 'some_key';
-    const secretValue = 'updated_value';
-    const secretComment = 'updated_comment';
-
-    // 1. Get your Infisical Token data
-    const { data: serviceTokenData } = await axios.get(
-       `${BASE_URL}/api/v2/service-token`,
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-
-    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
-    const projectKey = decrypt({
-        ciphertext: serviceTokenData.encryptedKey,
-        iv: serviceTokenData.iv,
-        tag: serviceTokenData.tag,
-        secret: serviceTokenSecret
-    });
-    
-	// 3. Encrypt your updated secret with the project key
-    const {
-        ciphertext: secretKeyCiphertext,
-        iv: secretKeyIV,
-        tag: secretKeyTag
-    } = encrypt({
-        text: secretKey,
-        secret: projectKey
-    });
-
-    const {
-        ciphertext: secretValueCiphertext,
-        iv: secretValueIV,
-        tag: secretValueTag
-    } = encrypt({
-        text: secretValue,
-        secret: projectKey
-    });
-
-    const {
-        ciphertext: secretCommentCiphertext,
-        iv: secretCommentIV,
-        tag: secretCommentTag
-    } = encrypt({
-        text: secretComment,
-        secret: projectKey
-    });
-	
-	// 4. Send (encrypted) updated secret to Infisical
-    await axios.patch(
-        `${BASE_URL}/api/v3/secrets/${secretKey}`,
-        {
-            workspaceId: serviceTokenData.workspace,
-            environment: serviceTokenData.environment,
-            type: secretType,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag
-        },
-        {
-            headers: {
-                Authorization: `Bearer ${serviceToken}`
-            }
-        }
-    );
-}
-
-updateSecrets();
-```
-</Tab>
-
-<Tab title="Python">
-```Python
-import base64
-import requests
-from Cryptodome.Cipher import AES
-from Cryptodome.Random import get_random_bytes
-
-
-BASE_URL = "https://app.infisical.com"
-BLOCK_SIZE_BYTES = 16
-
-
-def encrypt(text, secret):
-    iv = get_random_bytes(BLOCK_SIZE_BYTES)
-    secret = bytes(secret, "utf-8")
-    cipher = AES.new(secret, AES.MODE_GCM, iv)
-    ciphertext, tag = cipher.encrypt_and_digest(text.encode("utf-8"))
-    return {
-        "ciphertext": base64.standard_b64encode(ciphertext).decode("utf-8"),
-        "tag": base64.standard_b64encode(tag).decode("utf-8"),
-        "iv": base64.standard_b64encode(iv).decode("utf-8"),
-    }
-
-
-def decrypt(ciphertext, iv, tag, secret):
-    secret = bytes(secret, "utf-8")
-    iv = base64.standard_b64decode(iv)
-    tag = base64.standard_b64decode(tag)
-    ciphertext = base64.standard_b64decode(ciphertext)
-
-    cipher = AES.new(secret, AES.MODE_GCM, iv)
-    cipher.update(tag)
-    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
-    return cleartext
-
-
-def update_secret():
-    service_token = "your_service_token"
-    service_token_secret = service_token[service_token.rindex(".") + 1 :]
-
-    secret_type = "shared" # "shared" or "personal"
-    secret_key = "some_key"
-    secret_value = "updated_value"
-    secret_comment = "updated_comment"
-
-    # 1. Get your Infisical Token data
-    service_token_data = requests.get(
-        f"{BASE_URL}/api/v2/service-token",
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json()
-
-    # 2. Decrypt the (encrypted) project key with the key from your Infisical Token
-    project_key = decrypt(
-        ciphertext=service_token_data["encryptedKey"],
-        iv=service_token_data["iv"],
-        tag=service_token_data["tag"],
-        secret=service_token_secret,
-    )
-
-    # 3. Encrypt your updated secret with the project key
-    encrypted_key_data = encrypt(text=secret_key, secret=project_key)
-    encrypted_value_data = encrypt(text=secret_value, secret=project_key)
-    encrypted_comment_data = encrypt(text=secret_comment, secret=project_key)
-
-    # 4. Send (encrypted) updated secret to Infisical
-    requests.patch(
-        f"{BASE_URL}/api/v3/secrets/{secret_key}",
-        json={
-            "workspaceId": service_token_data["workspace"],
-            "environment": service_token_data["environment"],
-            "type": secret_type,
-            "secretKeyCiphertext": encrypted_key_data["ciphertext"],
-            "secretKeyIV": encrypted_key_data["iv"],
-            "secretKeyTag": encrypted_key_data["tag"],
-            "secretValueCiphertext": encrypted_value_data["ciphertext"],
-            "secretValueIV": encrypted_value_data["iv"],
-            "secretValueTag": encrypted_value_data["tag"],
-            "secretCommentCiphertext": encrypted_comment_data["ciphertext"],
-            "secretCommentIV": encrypted_comment_data["iv"],
-            "secretCommentTag": encrypted_comment_data["tag"]
-        },
-        headers={"Authorization": f"Bearer {service_token}"},
-    )
-
-
-update_secret()
-
-```
-</Tab>
-</Tabs>
-    </Accordion>
-    <Accordion title="Delete secret">
-        <Tabs>
-  <Tab title="Javascript">
-  Delete a secret in Infisical.
-```js
-const axios = require('axios'); 
-const BASE_URL = 'https://app.infisical.com';
-
-const deleteSecrets = async () => {
-  const serviceToken = 'your_service_token';
-  const secretType = 'shared' // 'shared' or 'personal'
-  const secretKey = 'some_key'
-  
-  // 1. Get your Infisical Token data
-  const { data: serviceTokenData } = await axios.get(
-      `${BASE_URL}/api/v2/service-token`,
-      {
-          headers: {
-              Authorization: `Bearer ${serviceToken}`
-          }
-      }
-  );
-
-  // 2. Delete secret from Infisical
-  await axios.delete(
-    `${BASE_URL}/api/v3/secrets/${secretKey}`,
-    {
-      workspaceId: serviceTokenData.workspace,
-      environment: serviceTokenData.environment,
-      type: secretType
-    },
-    {
-      headers: {
-        Authorization: `Bearer ${serviceToken}`
-      },
-    }
-  );
-};
-
-deleteSecrets();
-```
-  </Tab>
-
-  <Tab title="Python">
-```Python
-import requests
-
-BASE_URL = "https://app.infisical.com"
-
-
-def delete_secrets():
-    service_token = "<your_service_token>"
-    secret_type = "shared" # "shared" or "personal"
-    secret_key = "some_key"
-
-    # 1. Get your Infisical Token data
-    service_token_data = requests.get(
-        f"{BASE_URL}/api/v2/service-token",
-        headers={"Authorization": f"Bearer {service_token}"},
-    ).json() 
-
-    # 2. Delete secret from Infisical
-    requests.delete(
-        f"{BASE_URL}/api/v2/secrets/{secret_key}",
-        json={
-            "workspaceId": service_token_data["workspace"],
-            "environment": service_token_data["environment"],
-            "type": secret_type
-        },
-        headers={"Authorization": f"Bearer {service_token}"},
-    )
-
-
-delete_secrets()
-
-```
-  </Tab>
-</Tabs>
-<Info>
-  If using an `API_KEY` to authenticate with the Infisical API, then you should include it in the `X_API_KEY` header.
-</Info>
-
-    </Accordion>
-</AccordionGroup>
--- a/docs/api-reference/overview/examples/integration.mdx
+++ b/docs/api-reference/overview/examples/integration.mdx
@@ -0,0 +1,90 @@
+---
+title: "Configure native integrations via API"
+description: "How to use Infisical API to sync secrets to external secret managers"
+---
+
+The Infisical API allows you to create programmatic integrations that connect with third-party secret managers to synchronize secrets from Infisical.
+
+This guide will primarily demonstrate the process using AWS Secret Store Manager (AWS SSM), but the steps are generally applicable to other secret management integrations.
+
+<Info>
+    For details on setting up AWS SSM synchronization and understanding its prerequisites, refer to the [AWS SSM integration setup documentation](../../../integrations/cloud/aws-secret-manager).
+</Info>
+
+<Steps>
+  <Step title="Authenticate with AWS SSM">
+     Authentication is required for all integrations. Use the [Integration Auth API](../../endpoints/integrations/create-auth) with the following parameters to authenticate.
+
+    <ParamField body="integration" type="string" initialValue="aws-secret-manager" required>
+        Set this parameter to **aws-secret-manager**.
+    </ParamField>
+    <ParamField body="workspaceId" type="string" required>
+        The Infisical project ID for the integration.
+    </ParamField>
+    <ParamField body="accessId" type="string" required>
+        The AWS IAM User Access ID.
+    </ParamField>
+    <ParamField body="accessToken" type="string" required>
+        The AWS IAM User Access Secret Key.
+    </ParamField>
+
+    ```bash Request
+    curl --request POST \
+        --url https://app.infisical.com/api/v1/integration-auth/access-token \
+        --header 'Authorization: <authorization>' \
+        --header 'Content-Type: application/json' \
+        --data '{
+        "workspaceId": "<workspaceid>",
+        "integration": "aws-secret-manager",
+        "accessId": "<aws iam user access id>",
+        "accessToken": "<aws iam user access secret key>"
+    }'
+    ```
+
+  </Step>
+  <Step title="Configure the Synchronization Setup">
+	Once authentication between AWS SSM and Infisical is established, you can configure the synchronization behavior. 
+	This involves specifying the source (environment and secret path in Infisical) and the destination in SSM to which the secrets will be synchronized.
+
+    Use the [integration API](../../endpoints/integrations/create) with the following parameters to configure the sync source and destination.
+
+    <ParamField body="integrationAuthId" type="string" required>
+        The ID of the integration authentication object used with AWS, obtained from the previous API response.
+    </ParamField>
+    <ParamField body="isActive" type="boolean">
+        Indicates whether the integration should be active or inactive.
+    </ParamField>
+    <ParamField body="app" type="string" required>
+        The secret name for saving in AWS SSM, which can be arbitrarily chosen.
+    </ParamField>
+    <ParamField body="region" type="string" required>
+        The AWS region where the SSM is located, e.g., `us-east-1`.
+    </ParamField>
+    <ParamField body="sourceEnvironment" type="string" required>
+        The Infisical environment slug from which secrets will be synchronized, e.g., `dev`.
+    </ParamField>
+    <ParamField body="secretPath" type="string" required>
+        The Infisical folder path from which secrets will be synchronized, e.g., `/some/path`. The root path is `/`.
+    </ParamField>
+
+    ```bash Request
+    curl --request POST \
+        --url https://app.infisical.com/api/v1/integration \
+        --header 'Authorization: <authorization>' \
+        --header 'Content-Type: application/json' \
+        --data '{
+        "integrationAuthId": "<integrationauthid>",
+        "sourceEnvironment": "<sourceenvironment>",
+        "secretPath": "<secret-path, default is '/' >",
+        "app": "<app>",
+        "region": "<aws-ssm-region>"
+    }'
+    ```
+
+  </Step>
+</Steps>
+
+<Check>
+Congratulations! You have successfully set up an integration to synchronize secrets from Infisical with AWS SSM.
+For more information, [view the integration API reference](../../endpoints/integrations).
+</Check>
--- a/docs/api-reference/overview/examples/note.mdx
+++ b/docs/api-reference/overview/examples/note.mdx
@@ -1,54 +0,0 @@
---
-title: "Note on E2EE"
---
-
-Each project in Infisical can have **End-to-End Encryption (E2EE)** enabled or disabled.
-
-By default, all projects have **E2EE** enabled which means the server is not able to decrypt any values because all secret encryption/decryption operations occur on the client-side; this can be (optionally) disabled. However, this has limitations around functionality and ease-of-use:
-
- You cannot make HTTP calls to Infisical to read/write secrets in plaintext.
- You cannot leverage non-E2EE features like native integrations and in-platform automations like dynamic secrets and secret rotation.
-
-<CardGroup cols={2}>
-    <Card
-        title="E2EE Disabled"
-        href="/api-reference/overview/examples/e2ee-disabled"
-        icon="shield-halved"
-        color="#3c8639"
-    >
-        Example read/write secrets without client-side encryption/decryption
-    </Card>
-    <Card 
-        href="/api-reference/overview/examples/e2ee-enabled" 
-        title="E2EE Enabled" 
-        icon="shield" 
-        color="#3775a9"
-    >
-        Example read/write secrets with client-side encryption/decryption
-    </Card>
-</CardGroup>
-
-## FAQ
-
-<AccordionGroup>
-  <Accordion title="Should I have E2EE enabled or disabled?">
-    We recommend starting with having **E2EE** enabled and disabling it if:
-    
-    - You're self-hosting Infisical, so having your instance of Infisical be able to read your secrets isn't an issue.
-    - You want an easier way to read/write secrets with Infisical.
-    - You need more power out of non-E2EE features such as secret rotation, dynamic secrets, etc.
-
-  </Accordion>
-  <Accordion title="How can I enable/disable E2EE?">
-    You can enable/disable E2EE for your project in Infisical in the Project Settings.
-  </Accordion>
-  <Accordion title="Is disabling E2EE secure?">
-    It is secure and in fact how most vendors in our industry are able to offer features like secret rotation. In this mode, secrets are encrypted at rest by
-    a series of keys, secured ultimately by a top-level `ROOT_ENCRYPTION_KEY` located on the server.
-
-    If you're concerned about Infisical Cloud's ability to read your secrets, then you may wish to
-    use it with **E2EE** enabled or self-host Infisical on your own infrastructure and disable E2EE there.
-
-    As an organization, we do not read any customer secrets without explicit permission; access to the `ROOT_ENCRYPTION_KEY` is restricted to one individual in the organization.
-  </Accordion>
-</AccordionGroup>
--- a/docs/documentation/getting-started/introduction.mdx
+++ b/docs/documentation/getting-started/introduction.mdx
@@ -38,7 +38,7 @@ Infisical helps developers achieve secure centralized secret management and prov
 - Simple secret management inside **[CI/CD pipelines](/integrations/cicd/githubactions)** and staging environments. 
 - Secure and compliant secret management practices in **[production environments](/sdks/overview)**. 
 - **Facilitated workflows** around [secret change management](/documentation/platform/pr-workflows), [access requests](/documentation/platform/access-controls/access-requests), [temporary access provisioning](/documentation/platform/access-controls/temporary-access), and more.
- **Improved security posture** thanks to [secret scanning](/cli/scanning-overview), [granular access control policies](/documentation/platform/access-controls/overview), [automated secret rotation](http://localhost:3000/documentation/platform/secret-rotation/overview), and [dynamic secrets](/documentation/platform/dynamic-secrets/overview) capabilities.
+- **Improved security posture** thanks to [secret scanning](/cli/scanning-overview), [granular access control policies](/documentation/platform/access-controls/overview), [automated secret rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview), and [dynamic secrets](/documentation/platform/dynamic-secrets/overview) capabilities.

 ## How does Infisical work? 

--- a/docs/documentation/platform/access-controls/access-requests.mdx
+++ b/docs/documentation/platform/access-controls/access-requests.mdx
@@ -3,11 +3,20 @@ title: "Access Requests"
 description: "Learn how to request access to sensitive resources in Infisical."
 ---

-In certain situations, developers need to expand their access to certain new project or a sensitive environment. For those use cases, it is helpful to utilize Infisical's **Access Requests** functionality. 
+In certain situations, developers need to expand their access to a certain new project or a sensitive environment. For those use cases, it is helpful to utilize Infisical's **Access Requests** functionality. 

 This functionality works in the following way: 
-1. A project administrator sets up a policy that assigns access managers to a certain sensitive folder or environment. 
-2. When a developer requests access to one of such sensitive resources, corresponding access managers get an email notification about it.
-3. An access manager can approve or deny the access request as well as specify the duration of access in the case of approval. 
-4. As soon as the request is approved, developer is able to access the sought resources. 
+1. A project administrator sets up a policy that assigns access managers (also known as eligible approvers) to a certain sensitive folder or environment. 
+![Create Access Request Policy Modal](/images/platform/access-controls/create-access-request-policy.png)
+![Access Request Policies](/images/platform/access-controls/access-request-policies.png)
+
+2. When a developer requests access to one of such sensitive resources, the request is visible in the dashboard, and the corresponding eligible approvers get an email notification about it.
+![Access Request Create](/images/platform/access-controls/request-access.png)
+![Access Request Dashboard](/images/platform/access-controls/access-requests-pending.png)
+
+3. An eligible approver can approve or reject the access request. 
+![Access Request Review](/images/platform/access-controls/review-access-request.png)
+
+4. As soon as the request is approved, developer is able to access the sought resources. 
+![Access Request Dashboard](/images/platform/access-controls/access-requests-completed.png)

--- a/docs/documentation/platform/token.mdx
+++ b/docs/documentation/platform/token.mdx
@@ -44,7 +44,7 @@ In the above screenshot, you can see that we are creating a token token with `re
 of the `/common` path within the development environment of the project; the token expires in 6 months and can be used from any IP address.

 <Note>
-For a deeper understanding of service tokens, it is recommended to read [this guide](http://localhost:3000/internals/service-tokens). 
+For a deeper understanding of service tokens, it is recommended to read [this guide](https://infisical.com/docs/internals/service-tokens). 
 </Note>

 **FAQ**
--- a/docs/images/platform/access-controls/access-request-policies.png
+++ b/docs/images/platform/access-controls/access-request-policies.png
--- a/docs/images/platform/access-controls/access-requests-completed.png
+++ b/docs/images/platform/access-controls/access-requests-completed.png
--- a/docs/images/platform/access-controls/access-requests-pending.png
+++ b/docs/images/platform/access-controls/access-requests-pending.png
--- a/docs/images/platform/access-controls/create-access-request-policy.png
+++ b/docs/images/platform/access-controls/create-access-request-policy.png
--- a/docs/images/platform/access-controls/request-access.png
+++ b/docs/images/platform/access-controls/request-access.png
--- a/docs/images/platform/access-controls/review-access-request.png
+++ b/docs/images/platform/access-controls/review-access-request.png
--- a/docs/images/self-hosting/configuration/email/ses-create-identity.png
+++ b/docs/images/self-hosting/configuration/email/ses-create-identity.png
--- a/docs/integrations/platforms/infisical-agent.mdx
+++ b/docs/integrations/platforms/infisical-agent.mdx
@@ -52,7 +52,7 @@ While specifying an authentication method is mandatory to start the agent, confi
 | `sinks[].config.path`        | The file path where the access token should be stored for each sink in the list. |
 | `templates[].source-path`    | The path to the template file that should be used to render secrets. |
 | `templates[].destination-path` | The path where the rendered secrets from the source template will be saved to. |
-| `templates[].config.polling-interval` | How frequently to check for secret changes. Default: `60s` (optional)  |
+| `templates[].config.polling-interval` | How frequently to check for secret changes. Default: `5 minutes` (optional)  |
 | `templates[].config.execute.command` | The command to execute when secret change is detected (optional) |
 | `templates[].config.execute.timeout` | How long in seconds to wait for command to execute before timing out (optional) |

--- a/docs/mint.json
+++ b/docs/mint.json
@@ -387,9 +387,7 @@
        {
          "group": "Examples",
          "pages": [
-            "api-reference/overview/examples/note",
-            "api-reference/overview/examples/e2ee-disabled",
-            "api-reference/overview/examples/e2ee-enabled"
+            "api-reference/overview/examples/integration"
          ]
        }
      ]
@@ -472,7 +470,7 @@
          ]
        },
        {
-          "group": "Secret tags",
+          "group": "Secret Tags",
          "pages": [
            "api-reference/endpoints/secret-tags/list",
            "api-reference/endpoints/secret-tags/create",
@@ -492,7 +490,7 @@
          ]
        },
        {
-          "group": "Secret imports",
+          "group": "Secret Imports",
          "pages": [
            "api-reference/endpoints/secret-imports/list",
            "api-reference/endpoints/secret-imports/create",
@@ -521,7 +519,8 @@
            "api-reference/endpoints/integrations/delete-auth-by-id",
            "api-reference/endpoints/integrations/create",
            "api-reference/endpoints/integrations/update",
-            "api-reference/endpoints/integrations/delete"
+            "api-reference/endpoints/integrations/delete",
+            "api-reference/endpoints/integrations/list-project-integrations"
          ]
        },
        {
--- a/docs/self-hosting/configuration/envars.mdx
+++ b/docs/self-hosting/configuration/envars.mdx
@@ -121,24 +121,35 @@ Without email configuration, Infisical's core functions like sign-up/login and s
 </Accordion>

 <Accordion title="AWS SES">
-  1. Create an account and [configure AWS SES](https://aws.amazon.com/premiumsupport/knowledge-center/ses-set-up-connect-smtp/) to send emails in the Amazon SES console.
-  2. Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
+  <Steps>
+    <Step title="Create a verifed identity">
+      This will be used to verify the email you are sending from.
+      ![Create SES identity](../../images/self-hosting/configuration/email/ses-create-identity.png)
+      <Info>
+        If you AWS SES is under sandbox mode, you will only be able to send emails to verified identies. 
+      </Info>
+    </Step>
+    <Step title="Create an account and configure AWS SES">
+      Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials

-  ![opening AWS SES console](../../images/self-hosting/configuration/email/email-aws-ses-console.png)
+      ![opening AWS SES console](../../images/self-hosting/configuration/email/email-aws-ses-console.png)

-  ![creating AWS IAM SES user](../../images/self-hosting/configuration/email/email-aws-ses-user.png)
+      ![creating AWS IAM SES user](../../images/self-hosting/configuration/email/email-aws-ses-user.png)
+    </Step>
+    <Step title="Set up your SMTP environment variables">
+      With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.

-  3. With your AWS SES SMTP credentials, you can now set up your SMTP environment variables:
-
-  ```
-  SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
-  SMTP_USERNAME=xxx # your SMTP username
-  SMTP_PASSWORD=xxx # your SMTP password
-  SMTP_PORT=587
-  SMTP_SECURE=true
-  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-  SMTP_FROM_NAME=Infisical
-  ```
+      ```
+      SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
+      SMTP_USERNAME=xxx # your SMTP username
+      SMTP_PASSWORD=xxx # your SMTP password
+      SMTP_PORT=587
+      SMTP_SECURE=false
+      SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+      SMTP_FROM_NAME=Infisical
+      ```
+    </Step>
+  </Steps>

  <Info>
    Remember that you will need to restart Infisical for this to work properly.
@@ -335,6 +346,10 @@ To login into Infisical with OAuth providers such as Google, configure the assoc
  Requires enterprise license. Please contact team@infisical.com to get more information.
 </Accordion>

+<ParamField query="NEXT_PUBLIC_SAML_ORG_SLUG" type="string">
+  Configure SAML organization slug to automatically redirect all users of your Infisical instance to the identity provider.
+</ParamField>
+



--- a/docs/style.css
+++ b/docs/style.css
@@ -63,6 +63,30 @@
  border-color: #ebebeb;
 }

+#content-area .mt-8 .rounded-xl{
+  border-radius: 0;
+}
+
+#content-area .mt-8 .rounded-lg{
+  border-radius: 0;
+}
+
+#content-area .mt-6 .rounded-xl{
+  border-radius: 0;
+}
+
+#content-area .mt-6 .rounded-lg{
+  border-radius: 0;
+}
+
+#content-area .mt-6 .rounded-md{
+  border-radius: 0;
+}
+
+#content-area .mt-8 .rounded-md{
+  border-radius: 0;
+}
+
 #content-area div.my-4{
  border-radius: 0;
  border-width: 1px;
@@ -78,6 +102,10 @@
  border-radius: 0;
 }

+#content-area a {
+  border-radius: 0;
+}
+
 #content-area .not-prose {
  border-radius: 0;
 }
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -52,6 +52,9 @@ ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
 ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG \
+    BAKED_NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG
 ARG NEXT_INFISICAL_PLATFORM_VERSION
 ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION=$NEXT_INFISICAL_PLATFORM_VERSION 

--- a/frontend/scripts/initialize-standalone-build.sh
+++ b/frontend/scripts/initialize-standalone-build.sh
@@ -4,6 +4,8 @@ scripts/replace-standalone-build-variable.sh "$BAKED_NEXT_PUBLIC_POSTHOG_API_KEY

 scripts/replace-standalone-build-variable.sh "$BAKED_NEXT_PUBLIC_INTERCOM_ID" "$NEXT_PUBLIC_INTERCOM_ID"

+scripts/replace-standalone-build-variable.sh "$BAKED_NEXT_PUBLIC_SAML_ORG_SLUG" "$NEXT_PUBLIC_SAML_ORG_SLUG"
+
 if [ "$TELEMETRY_ENABLED" != "false" ]; then
    echo "Telemetry is enabled"
    scripts/set-standalone-build-telemetry.sh true
--- a/frontend/scripts/start.sh
+++ b/frontend/scripts/start.sh
@@ -4,6 +4,8 @@ scripts/replace-variable.sh "$BAKED_NEXT_PUBLIC_POSTHOG_API_KEY" "$NEXT_PUBLIC_P

 scripts/replace-variable.sh "$BAKED_NEXT_PUBLIC_INTERCOM_ID" "$NEXT_PUBLIC_INTERCOM_ID"

+scripts/replace-variable.sh "$BAKED_NEXT_SAML_ORG_SLUG" "$NEXT_PUBLIC_SAML_ORG_SLUG"
+
 if [ "$TELEMETRY_ENABLED" != "false" ]; then
    echo "Telemetry is enabled"
    scripts/set-telemetry.sh true
--- a/frontend/src/components/integrations/NoEnvironmentsBanner.tsx
+++ b/frontend/src/components/integrations/NoEnvironmentsBanner.tsx
@@ -0,0 +1,29 @@
+import { useRouter } from "next/router";
+
+import { Button } from "../v2";
+
+interface IProps {
+  projectId: string;
+}
+
+export const NoEnvironmentsBanner = ({ projectId }: IProps) => {
+  const router = useRouter();
+
+  return (
+    <div className="mt-4 flex w-full flex-row items-center rounded-md border border-primary-600/70  bg-primary/[.07] p-4 text-base text-white">
+      <div className="flex w-full flex-col text-sm">
+        <span className="mb-2 text-lg font-semibold">
+          No environments in your project was found
+        </span>
+        <p className="prose">
+          In order to use integrations, you need to create at least one environment in your project.
+        </p>
+      </div>
+      <div className="my-2">
+        <Button onClick={() => router.push(`/project/${projectId}/settings#environments`)}>
+          Add environments
+        </Button>
+      </div>
+    </div>
+  );
+};
--- a/frontend/src/pages/org/[id]/overview/index.tsx
+++ b/frontend/src/pages/org/[id]/overview/index.tsx
@@ -483,10 +483,10 @@ const OrganizationPage = withPermission(
    
    const addUsersToProject = useAddUserToWsNonE2EE();

-    const { data: updateClosed } = useGetUserAction("april_2024_db_update_closed");
+    const { data: updateClosed } = useGetUserAction("april_13_2024_db_update_closed");
    const registerUserAction = useRegisterUserAction();
    const closeUpdate = async () => {
-      await registerUserAction.mutateAsync("april_2024_db_update_closed");
+      await registerUserAction.mutateAsync("april_13_2024_db_update_closed");
    };

    const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
@@ -594,6 +594,7 @@ const OrganizationPage = withPermission(
          </div>
        )}
        <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
+        {window.location.origin.includes("https://app.infisical.com") || window.location.origin.includes("http://localhost:8080") && (
        <div
            className={`${
              !updateClosed ? "block" : "hidden"
@@ -601,11 +602,11 @@ const OrganizationPage = withPermission(
          >
            <FontAwesomeIcon icon={faWarning} className="p-6 text-4xl text-primary" />
            <div className="text-sm">
-              <span className="text-lg font-semibold">Scheduled maintenance on April 6th 2024 </span>{" "}
+              <span className="text-lg font-semibold">Scheduled maintenance on April 13th 2024 </span>{" "}
              <br />
-              Infisical will undergo scheduled maintenance for approximately 1 hour on Saturday, April 6th, 11am EST. During these hours, read
+              Infisical will undergo scheduled maintenance for approximately 1 hour on Saturday, April 13th, 11am EST. During these hours, read
              operations will continue to function normally but no resources will be editable. 
-              No action is required on your end — your applications can continue to fetch secrets.
+              No action is required on your end — your applications will continue to fetch secrets.
              <br />
            </div>
            <button
@@ -616,7 +617,8 @@ const OrganizationPage = withPermission(
            >
              <FontAwesomeIcon icon={faXmark} />
            </button>
-          </div>
+          </div>)}
+          
          <p className="mr-4 font-semibold text-white">Projects</p>
          <div className="mt-6 flex w-full flex-row">
            <Input
--- a/frontend/src/views/IntegrationsPage/components/CloudIntegrationSection/CloudIntegrationSection.tsx
+++ b/frontend/src/views/IntegrationsPage/components/CloudIntegrationSection/CloudIntegrationSection.tsx
@@ -1,10 +1,17 @@
+import { useMemo } from "react";
 import { useTranslation } from "react-i18next";
 import { faCheck, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";

+import { NoEnvironmentsBanner } from "@app/components/integrations/NoEnvironmentsBanner";
 import { createNotification } from "@app/components/notifications";
 import { DeleteActionModal, Skeleton, Tooltip } from "@app/components/v2";
-import { ProjectPermissionActions, ProjectPermissionSub, useProjectPermission } from "@app/context";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  useProjectPermission,
+  useWorkspace
+} from "@app/context";
 import { usePopUp } from "@app/hooks";
 import { IntegrationAuth, TCloudIntegration } from "@app/hooks/api/types";

@@ -31,18 +38,32 @@ export const CloudIntegrationSection = ({
    "deleteConfirmation"
  ] as const);
  const { permission } = useProjectPermission();
-  
+  const { currentWorkspace } = useWorkspace();

  const isEmpty = !isLoading && !cloudIntegrations?.length;

-  const sortedCloudIntegrations = cloudIntegrations.sort((a, b) => a.name.localeCompare(b.name));
+  const sortedCloudIntegrations = useMemo(() => {
+    const sortedIntegrations = cloudIntegrations.sort((a, b) => a.name.localeCompare(b.name));
+
+    if (currentWorkspace?.environments.length === 0) {
+      return sortedIntegrations.map((integration) => ({ ...integration, isAvailable: false }));
+    }
+
+    return sortedIntegrations;
+  }, [cloudIntegrations, currentWorkspace?.environments]);

  return (
    <div>
+      <div className="px-5">
+        {currentWorkspace?.environments.length === 0 && (
+          <NoEnvironmentsBanner projectId={currentWorkspace.id} />
+        )}
+      </div>
      <div className="m-4 mt-7 flex max-w-5xl flex-col items-start justify-between px-2 text-xl">
        <h1 className="text-3xl font-semibold">{t("integrations.cloud-integrations")}</h1>
        <p className="text-base text-gray-400">{t("integrations.click-to-start")}</p>
      </div>
+
      <div className="mx-6 grid grid-cols-2 gap-4 lg:grid-cols-3 2xl:grid-cols-4">
        {isLoading &&
          Array.from({ length: 12 }).map((_, index) => (
--- a/frontend/src/views/Login/components/InitialStep/InitialStep.tsx
+++ b/frontend/src/views/Login/components/InitialStep/InitialStep.tsx
@@ -1,4 +1,4 @@
-import { FormEvent, useState } from "react";
+import { FormEvent, useEffect, useState } from "react";
 import { useTranslation } from "react-i18next";
 import Link from "next/link";
 import { useRouter } from "next/router";
@@ -32,6 +32,18 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
  const { config } = useServerConfig();
  const queryParams = new URLSearchParams(window.location.search);

+  useEffect(() => {
+    if (process.env.NEXT_PUBLIC_SAML_ORG_SLUG && process.env.NEXT_PUBLIC_SAML_ORG_SLUG !== "saml-org-slug-default") {
+      const callbackPort = queryParams.get("callback_port");
+      window.open(
+        `/api/v1/sso/redirect/saml2/organizations/${process.env.NEXT_PUBLIC_SAML_ORG_SLUG}${
+          callbackPort ? `?callback_port=${callbackPort}` : ""
+        }`
+      );
+      window.close();
+    }
+  }, [])
+
  const handleLogin = async (e: FormEvent<HTMLFormElement>) => {
    e.preventDefault();
    try {
@@ -239,12 +251,12 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
        <div className="mt-6 flex flex-row text-sm text-bunker-400">
          <Link href="/signup">
            <span className="cursor-pointer duration-200 hover:text-bunker-200 hover:underline hover:decoration-primary-700 hover:underline-offset-4">
-              Don&apos;t have an acount yet? {t("login.create-account")}
+              Don&apos;t have an account yet? {t("login.create-account")}
            </span>
          </Link>
        </div>
      ) : (
-        <div />
+        <div className="mt-4" />
      )}
      <div className="mt-2 flex flex-row text-sm text-bunker-400">
        <Link href="/verify-email">
--- a/frontend/src/views/Org/MembersPage/MembersPage.tsx
+++ b/frontend/src/views/Org/MembersPage/MembersPage.tsx
@@ -23,9 +23,6 @@ export const MembersPage = withPermission(
              <Tab value={TabSections.Identities}>
                <div className="flex items-center">
                  <p>Machine Identities</p>
-                  <div className="ml-2 inline-block cursor-default rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-sm text-yellow opacity-80 hover:opacity-100">
-                    New
-                  </div>
                </div>
              </Tab>
              <Tab value={TabSections.Roles}>Organization Roles</Tab>
--- a/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleTable.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleTable.tsx
@@ -31,7 +31,7 @@ export const OrgRoleTable = ({ onSelectRole }: Props) => {
  const [searchRoles, setSearchRoles] = useState("");
  const { currentOrg } = useOrganization();
  const orgId = currentOrg?.id || "";
-  
+
  const { popUp, handlePopUpOpen, handlePopUpClose } = usePopUp(["deleteRole"] as const);

  const { data: roles, isLoading: isRolesLoading } = useGetOrgRoles(orgId);
@@ -49,7 +49,7 @@ export const OrgRoleTable = ({ onSelectRole }: Props) => {
      handlePopUpClose("deleteRole");
    } catch (err) {
      console.log(err);
-      createNotification({ type: "error", text: "Failed to create role" });
+      createNotification({ type: "error", text: "Failed to delete role" });
    }
  };

--- a/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleList/ProjectRoleList.tsx
+++ b/frontend/src/views/Project/MembersPage/components/ProjectRoleListTab/components/ProjectRoleList/ProjectRoleList.tsx
@@ -29,7 +29,7 @@ type Props = {

 export const ProjectRoleList = ({ onSelectRole }: Props) => {
  const [searchRoles, setSearchRoles] = useState("");
-  
+
  const { popUp, handlePopUpOpen, handlePopUpClose } = usePopUp(["deleteRole"] as const);
  const { currentWorkspace } = useWorkspace();
  const workspaceId = currentWorkspace?.id || "";
@@ -50,7 +50,7 @@ export const ProjectRoleList = ({ onSelectRole }: Props) => {
      handlePopUpClose("deleteRole");
    } catch (err) {
      console.log(err);
-      createNotification({ type: "error", text: "Failed to create role" });
+      createNotification({ type: "error", text: "Failed to delete role" });
    }
  };

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	e15c9e72c6	allow inetgrations list fetch via UA	2024-04-12 10:06:16 -04:00
vmatsiiako	cbb749e34a	Update list-project-integrations.mdx	2024-04-11 23:52:25 -04:00
Maidul Islam	9f23106c6c	Update list-project-integrations.mdx	2024-04-11 20:49:31 -04:00
Maidul Islam	1e7744b498	Merge pull request #1679 from Infisical/list-project-integrations-api Expose List integratiosn API	2024-04-11 20:20:22 -04:00
Daniel Hougaard	44c736facd	Fix: Updated descriptions	2024-04-12 02:15:23 +02:00
Daniel Hougaard	51928ddb47	Fix: OpenAPI doc descriptions structure	2024-04-12 02:15:11 +02:00
Daniel Hougaard	c7cded4af6	Merge pull request #1678 from Infisical/daniel/workspace-endpoint-fix FIx: Fetching workspaces with no environments	2024-04-12 01:54:06 +02:00
Daniel Hougaard	8b56e20b42	Fix: Removed icon	2024-04-12 01:49:59 +02:00
Daniel Hougaard	39c2c37cc0	Remove log	2024-04-12 01:49:28 +02:00
Daniel Hougaard	3131ae7dae	Feat: Disable integration creation when no environments are present on project	2024-04-12 01:46:19 +02:00
Daniel Hougaard	5315a67d74	Feat: Disable integration creation when no environments are present on project	2024-04-12 01:46:11 +02:00
Maidul Islam	79de7f9f5b	expose list integrations api	2024-04-11 19:41:55 -04:00
Daniel Hougaard	71ffed026d	FIx: Fetching workspaces with no environments	2024-04-12 00:52:22 +02:00
Vladyslav Matsiiako	ee98b15e2b	fix typo	2024-04-11 17:43:13 -05:00
Maidul Islam	945d81ad4b	update aws SES docs	2024-04-11 16:28:02 -04:00
Maidul Islam	d175256bb4	Merge pull request #1677 from Infisical/integration-auth-del-update Integration Auth deletion upon Integration deletion	2024-04-11 14:30:31 -04:00
Tuan Dang	ee0c79d018	Delete integration auth upon integration deletion if no other integrations share the same auth	2024-04-11 11:25:28 -07:00
Maidul Islam	d5d7564550	Merge pull request #1643 from akhilmhdh/feat/import-sync-secret fix(server): added sync secret for imports and added check for avoid cyclic import	2024-04-11 10:16:30 -04:00
Maidul Islam	0db682c5f0	remove depth from exceed message	2024-04-11 10:11:05 -04:00
Tuan Dang	a01a995585	Add comments to explain new getIntegrationSecrets	2024-04-11 10:11:05 -04:00
Tuan Dang	2ac785493a	Add comments to explain new getIntegrationSecrets	2024-04-10 21:52:33 -07:00
Tuan Dang	85489a81ff	Add resync on integration import creation/deletion and update forward/backward recursive logic for syncing dependent imports	2024-04-10 21:18:26 -07:00
Maidul Islam	7116c85f2c	remove note	2024-04-09 20:51:19 -04:00
Maidul Islam	31e4da0dd3	Merge pull request #1672 from JunedKhan101/main docs: fixed another broken link	2024-04-09 09:47:07 -07:00
Tuan Dang	f255d891ae	Merge remote-tracking branch 'origin' into feat/import-sync-secret	2024-04-09 08:40:10 -07:00
Juned Khan	4774469244	docs: fixed another broken link	2024-04-09 14:05:45 +05:30
Maidul Islam	e143a31e79	Merge pull request #1670 from JunedKhan101/main docs:fixed broken link	2024-04-08 17:45:51 -07:00
Maidul Islam	f6cc20b08b	remove link from docs	2024-04-08 12:00:11 -07:00
Maidul Islam	90e125454e	remove docs for e2ee	2024-04-08 11:58:48 -07:00
Maidul Islam	fbdf3dc9ce	Merge pull request #1647 from akhilmhdh/doc/integration-api-guide docs: added guide to setup integration with api	2024-04-08 11:56:19 -07:00
Maidul Islam	f333c905d9	revise generic integration docs	2024-04-08 11:55:38 -07:00
Maidul Islam	71e60df39a	Merge pull request #1659 from agilesyndrome/fix_universalAuth_operatorinstall fix: Run make kubectl-install	2024-04-08 10:18:00 -07:00
Maidul Islam	8b4d050d05	updated original value in replace script	2024-04-08 10:15:09 -07:00
Maidul Islam	3b4bb591a3	set default for NEXT_PUBLIC_SAML_ORG_SLUG	2024-04-08 09:25:37 -07:00
Maidul Islam	54f1a4416b	add default value	2024-04-08 09:06:42 -07:00
Maidul Islam	47e3f1b510	Merge pull request #1661 from Infisical/saml-auto-redirect add automatic SAML redirect	2024-04-08 08:22:04 -07:00
Juned Khan	5810b76027	docs:fixed broken link	2024-04-08 16:55:11 +05:30
Daniel Hougaard	246e6c64d1	Merge pull request #1668 from JunedKhan101/main removed extra whitespace from error message	2024-04-07 16:05:31 -07:00
Juned Khan	4e836c5dca	removed extra whitespace from error message	2024-04-07 17:41:39 +05:30
Maidul Islam	63a289c3be	add saml org clug to standalone	2024-04-06 11:58:50 -07:00
Maidul Islam	0a52bbd55d	add render once to use effect	2024-04-06 11:40:13 -07:00
Maidul Islam	593bdf74b8	patch notice	2024-04-06 10:57:08 -07:00
Maidul Islam	1f3742e619	update april_2024_db_update_closed	2024-04-06 10:39:21 -07:00
Maidul Islam	d6e5ac2133	maintenance postponed	2024-04-06 10:01:13 -07:00
Vladyslav Matsiiako	fea48518a3	removed new tag from identities	2024-04-05 19:01:54 -07:00
Vladyslav Matsiiako	94d509eb01	fixed search bar with folders	2024-04-05 18:37:12 -07:00
Vladyslav Matsiiako	055fd34c33	added baked env var	2024-04-05 17:25:25 -07:00
Vladyslav Matsiiako	74fefa9879	add automatic SAML redirect	2024-04-05 14:39:31 -07:00
Vladyslav Matsiiako	ff2c8d017f	add automatic SAML redirect	2024-04-05 14:29:50 -07:00
Daniel Hougaard	ba1f8f4564	Merge pull request #1660 from Infisical/fix/delete-role-error Fix: Error handling when deleting roles that are assigned to identities or users	2024-04-05 11:15:25 -07:00
Daniel Hougaard	e26df005c2	Fix: Typo	2024-04-05 11:11:32 -07:00
Daniel Hougaard	aca9b47f82	Fix: Typo	2024-04-05 11:11:26 -07:00
Daniel Hougaard	a16ce8899b	Fix: Check for identities and project users who has the selected role before deleting	2024-04-05 11:11:15 -07:00
Daniel Hougaard	b61511d100	Update index.ts	2024-04-05 11:10:54 -07:00
Vladyslav Matsiiako	a945bdfc4c	update docs style	2024-04-05 10:07:42 -07:00
Drew Easley	f6d7ec52c2	fix: Run make kubectl-install	2024-04-05 08:10:38 -04:00
Daniel Hougaard	3f6999b2e3	Merge pull request #1657 from Infisical/rate-limit Add new rate limits for API	2024-04-04 19:53:31 -07:00
Maidul Islam	9128461409	Merge pull request #1658 from Infisical/daniel/delete-duplicate-org-memberships-migration Feat: Delete duplicate memberships migration	2024-04-04 19:19:39 -07:00
Daniel Hougaard	893235c40f	Update 20240405000045_org-memberships-unique-constraint.ts	2024-04-04 18:43:32 -07:00
Tuan Dang	d3cdaa8449	Add new rate limits	2024-04-04 18:12:23 -07:00
BlackMagiq	e0f655ae30	Merge pull request #1656 from Infisical/fix/duplicate-org-memberships Fix: Duplicate organization memberships	2024-04-04 17:10:55 -07:00
Daniel Hougaard	93aeca3a38	Fix: Add unique constraint on orgId and userId	2024-04-04 17:04:23 -07:00
Daniel Hougaard	1edebdf8a5	Fix: Improve create migration script	2024-04-04 17:04:06 -07:00
BlackMagiq	1017707642	Merge pull request #1655 from Infisical/project-limit Remove plan cache upon create/delete project	2024-04-04 13:21:32 -07:00
Tuan Dang	5639306303	Remove plan cache upon create/delete project	2024-04-04 13:17:46 -07:00
BlackMagiq	72f50ec399	Merge pull request #1654 from Infisical/fix-additional-privilege-slug Move default slug init for users/identities out of fastify schema	2024-04-04 12:22:31 -07:00
Tuan Dang	effc7a3627	Move default slug init for users/identities out of fastify schema	2024-04-04 12:18:10 -07:00
Maidul Islam	510c91cef1	Update infisical-agent.mdx	2024-04-04 09:34:31 -07:00
Vladyslav Matsiiako	9be5d89fcf	added docs images	2024-04-03 22:55:47 -07:00
Vladyslav Matsiiako	94f4497903	update access request docs	2024-04-03 22:51:48 -07:00
Akhil Mohan	40bb9668fe	docs: added guide to setup integration with api	2024-04-03 01:12:30 +05:30
Akhil Mohan	abd62867eb	fix(server): resolved failing test in import	2024-04-02 13:55:26 +05:30
Akhil Mohan	179573a269	fix(server): added sync secret for imports and added check for avoiding cyclic import	2024-04-02 13:20:48 +05:30