Merge branch 'main' of https://github.com/Infisical/infisical

Add CLI support for SAML SSO
auto scope raw secrets GET with service token
2025-04-06 22:14:48 +00:00 · 2023-07-24 01:54:09 +07:00 · 2023-07-24 01:53:56 +07:00 · 2023-07-23 12:31:03 -04:00 · 2023-07-23 23:01:35 +07:00 · 2023-07-23 22:55:18 +07:00
1062 changed files with 46536 additions and 27043 deletions
--- a/.env.example
+++ b/.env.example
@ -47,11 +47,13 @@ CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
 CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
 CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=

 # Sentry (optional) for monitoring errors
@ -61,13 +63,6 @@ SENTRY_DSN=
 # Ignore - Not applicable for self-hosted version
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
-STRIPE_SECRET_KEY=
-STRIPE_PUBLISHABLE_KEY=
-STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
-STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

 CLIENT_ID_GOOGLE=
 CLIENT_SECRET_GOOGLE=
--- a/.github/images/Deploy
+++ b/.github/images/Deploy
--- a/.github/images/deploy-to-aws.png
+++ b/.github/images/deploy-to-aws.png
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,3 +1,10 @@
+# secretScanningGitApp:
+#   enabled: false
+#   deploymentAnnotations:
+#     secrets.infisical.com/auto-reload: "true"
+#   image:
+#     repository: infisical/staging_deployment_secret-scanning-git-app
+    
 frontend:
  enabled: true
  name: frontend
@ -6,7 +13,7 @@ frontend:
    secrets.infisical.com/auto-reload: "true"
  replicaCount: 2
  image:
-    repository: infisical/frontend
+    repository: infisical/staging_deployment_frontend
    tag: "latest"
    pullPolicy: Always
  kubeSecretRef: managed-secret-frontend
@ -25,7 +32,7 @@ backend:
    secrets.infisical.com/auto-reload: "true"
  replicaCount: 2
  image:
-    repository: infisical/backend
+    repository: infisical/staging_deployment_backend
    tag: "latest"
    pullPolicy: Always
  kubeSecretRef: managed-backend-secret
@ -51,8 +58,8 @@ mongodbConnection:

 ingress:
  enabled: true
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
+  # annotations:
+  #   kubernetes.io/ingress.class: "nginx"
    # cert-manager.io/issuer: letsencrypt-nginx
  hostName: gamma.infisical.com ## <- Replace with your own domain
  frontend:
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@ -0,0 +1,118 @@
+name: Release production images (frontend, backend)
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
+
+jobs:
+  backend-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: backend
+          tags: infisical/backend:test
+      - name: ⏻ Spawn backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      - name: 🧪 Test backend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-backend-test
+      - name: ⏻ Shut down backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: backend
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+
+  frontend-image:
+    name: Build frontend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build frontend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
+          context: frontend
+          tags: infisical/frontend:test
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+      - name: ⏻ Spawn frontend container
+        run: |
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+      - name: 🧪 Test frontend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-frontend-test
+      - name: ⏻ Shut down frontend container
+        run: |
+          docker stop infisical-frontend-test
+      - name: 🏗️ Build frontend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: frontend
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
--- a/.github/workflows/build-staging-img.yml
+++ b/.github/workflows/build-staging-img.yml
@ -1,17 +1,11 @@
 name: Build, Publish and Deploy to Gamma
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
+on: [workflow_dispatch]

 jobs:
  backend-image:
    name: Build backend image
    runs-on: ubuntu-latest
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: 📦 Install dependencies to test all dependencies
@ -57,18 +51,14 @@ jobs:
          push: true
          context: backend
          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
+            infisical/staging_deployment_backend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_backend:latest
          platforms: linux/amd64,linux/arm64

  frontend-image:
    name: Build frontend image
    runs-on: ubuntu-latest
    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: Save commit hashes for tag
@ -90,12 +80,12 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          project: 64mmf0n610
          context: frontend
-          tags: infisical/frontend:test
+          tags: infisical/staging_deployment_frontend:test
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
      - name: ⏻ Spawn frontend container
        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+          docker run -d --rm --name infisical-frontend-test infisical/staging_deployment_frontend:test
      - name: 🧪 Test frontend image
        run: |
          ./.github/resources/healthcheck.sh infisical-frontend-test
@ -110,9 +100,8 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          context: frontend
          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
+            infisical/staging_deployment_frontend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_frontend:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@ -146,7 +135,7 @@ jobs:
      - name: Download helm values to file and upgrade gamma deploy
        run: |
          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --wait --install
          if [[ $(helm status infisical) == *"FAILED"* ]]; then
            echo "Helm upgrade failed"
            exit 1
--- a/.github/workflows/release-standalone-docker-img.yml
+++ b/.github/workflows/release-standalone-docker-img.yml
@ -1,11 +1,17 @@
 name: Release standalone docker image
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"

 jobs:
  infisical-standalone:
    name: Build infisical standalone image
    runs-on: ubuntu-latest
    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
        with:
@ -64,5 +70,6 @@ jobs:
          tags: |
            infisical/infisical:latest
            infisical/infisical:${{ steps.commit.outputs.short }}
+            infisical/infisical:${{ steps.extract_version.outputs.version }}
          platforms: linux/amd64,linux/arm64
          file: Dockerfile.standalone-infisical
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@ -1,10 +1,16 @@
-name: Release Docker image for K8 operator 
-on: [workflow_dispatch]
+name: Release Docker image for K8 operator
+on:
+  push:
+    tags:
+      - "infisical-k8-operator/v*.*.*"

 jobs:
  release:
    runs-on: ubuntu-latest
    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
      - uses: actions/checkout@v2

      - name: 🔧 Set up QEMU
@ -26,4 +32,6 @@ jobs:
          context: k8-operator
          push: true
          platforms: linux/amd64,linux/arm64
-          tags: infisical/kubernetes-operator:latest
+          tags: |
+            infisical/kubernetes-operator:latest
+            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
--- a/.gitignore
+++ b/.gitignore
@ -2,6 +2,7 @@
 node_modules
 .env
 .env.dev
+.env.gamma
 .env.prod
 .env.infisical

--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,3 @@
+{
+	"workbench.editor.wrapTabs": true
+}
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -25,6 +25,8 @@ ARG POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID

 # Build
 RUN npm run build
@ -42,6 +44,9 @@ VOLUME /app/.next/cache/images
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID

 COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
--- a/README.md
+++ b/README.md
@ -3,17 +3,26 @@
  <img width="300" src="/img/logoname-white.svg#gh-dark-mode-only" alt="infisical">
 </h1>
 <p align="center">
-  <p align="center">Open-source, end-to-end encrypted platform to manage secrets and configs across your team and infrastructure.</p>
+  <p align="center"><b>Open-source, end-to-end encrypted secret management platform</b>: distribute secrets/configs across your team/infrastructure and prevent secret leaks.</p>
 </p>

 <h4 align="center">
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a> |
+  <a href="https://infisical.com/slack">Slack</a> |
  <a href="https://infisical.com/">Infisical Cloud</a> |
  <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
  <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
  <a href="https://www.infisical.com">Website</a>
 </h4>

+<p align="center">
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
+    <img src=".github/images/deploy-to-aws.png" width="137" />
+  </a>
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
+     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
+  </a>
+</p>
+
 <h4 align="center">
  <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
    <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@ -25,9 +34,9 @@
    <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
  </a>
  <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-240.2k-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-395.8k-orange" alt="Cloudsmith downloads" />
  </a>
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">
+  <a href="https://infisical.com/slack">
    <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
  </a>
  <a href="https://twitter.com/infisical">
@ -54,24 +63,18 @@ We're on a mission to make secret management more accessible to everyone, not ju
 -   **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery]()** to version every secret and project state
 -   **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project
 -   **Role-based Access Controls** per environment
-   [**Simple on-premise deployments** to AWS and Digital Ocean](https://infisical.com/docs/self-hosting/overview)
-   [**Secret Scanning**](https://infisical.com/docs/cli/scanning-overview)
+-   [**Simple on-premise deployments** to AWS, Digital Ocean, and more](https://infisical.com/docs/self-hosting/overview)
+-   [**Secret Scanning and Leak Prevention**](https://infisical.com/docs/cli/scanning-overview)

 And much more.

 ## Getting started

-Check out the [Quickstart](https://infisical.com/docs/getting-started/introduction) Guides
+Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/introduction)

-### Use Infisical Cloud
-
-The fastest and most reliable way to get started with Infisical is signing up for free to [Infisical Cloud](https://app.infisical.com/login).
-
-### Deploy Infisical on premise
-
-<a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace"><img src=".github/images/do-k8-install-btn.png" width="200"/></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-aws-button.png" width="150" width="300" /></a>
-
-View all [deployment options](https://infisical.com/docs/self-hosting/overview)
+| Use Infisical Cloud | Deploy Infisical on premise |
+| --- | ----------- |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |

 ### Run Infisical locally

@ -92,7 +95,7 @@ git clone https://github.com/Infisical/infisical && cd infisical && copy .env.ex
 Create an account at `http://localhost:80`

 ### Scan and prevent secret leaks 
-On top managing secrets with Infisical, you can also scan for over 140+ secret types in your files, directories and git repositories. 
+On top managing secrets with Infisical, you can also [scan for over 140+ secret types]() in your files, directories and git repositories. 

 To scan your full git history, run:

@ -111,7 +114,11 @@ Lean about Infisical's code scanning feature [here](https://infisical.com/docs/c

 ## Open-source vs. paid

-This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license in the future. 
+This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license. 
+
+If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our webiste](https://infisical.com/) or [book a meeting with us](https://cal.com/vmatsiiako/infisical-demo): 
+
+<a href="https://cal.com/vmatsiiako/infisical-demo"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>

 ## Security

@ -127,16 +134,16 @@ Whether it's big or small, we love contributions. Check out our guide to see how

 Not sure where to get started? You can:

-   [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
-   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a>, and ask us any questions there.
+-   [Book a free, non-pressure pairing session / code walkthrough with one of our teammates](https://cal.com/tony-infisical/30-min-meeting-contributing)!
+-   Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.

 ## Resources

 - [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
- [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg) for discussion with the community and Infisical team.
+- [Slack](https://infisical.com/slack) for discussion with the community and Infisical team.
 - [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
 - [Twitter](https://twitter.com/infisical) for fast news
- [YouTube](https://www.youtube.com/@infisical5306) for videos on secret management
+- [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
 - [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
 - [Roadmap](https://www.notion.so/infisical/be2d2585a6694e40889b03aef96ea36b?v=5b19a8127d1a4060b54769567a8785fa) for planned features

--- a/backend/.eslintrc
+++ b/backend/.eslintrc
@ -1,12 +1,40 @@
 {
  "parser": "@typescript-eslint/parser",
-  "plugins": ["@typescript-eslint"],
+  "plugins": [
+    "@typescript-eslint",
+    "unused-imports"
+  ],
  "extends": [
    "eslint:recommended",
    "plugin:@typescript-eslint/eslint-recommended",
    "plugin:@typescript-eslint/recommended"
  ],
  "rules": {
-    "no-console": 2
+    "no-empty-function": "off",
+    "@typescript-eslint/no-empty-function": "off",
+    "no-console": 2,
+    "quotes": [
+      "error",
+      "double",
+      {
+        "avoidEscape": true
+      }
+    ],
+    "comma-dangle": [
+      "error",
+      "only-multiline"
+    ],
+    "@typescript-eslint/no-unused-vars": "off",
+    "unused-imports/no-unused-imports": "error",
+    "unused-imports/no-unused-vars": [
+      "warn",
+      {
+        "vars": "all",
+        "varsIgnorePattern": "^_",
+        "args": "after-used",
+        "argsIgnorePattern": "^_"
+      }
+    ],
+    "sort-imports": 1
  }
-}
+}
--- a/backend/.prettierrc
+++ b/backend/.prettierrc
@ -0,0 +1,7 @@
+{
+  "singleQuote": false,
+  "printWidth": 100,
+  "trailingComma": "none",
+  "tabWidth": 2,
+  "semi": true
+}
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -19,6 +19,10 @@ RUN npm ci --only-production

 COPY --from=build /app .

+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1
+
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js

--- a/backend/environment.d.ts
+++ b/backend/environment.d.ts
@ -14,7 +14,7 @@ declare global {
 			JWT_SIGNUP_LIFETIME: string;
 			JWT_SIGNUP_SECRET: string;
      MONGO_URL: string;
-      NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
+      NODE_ENV: "development" | "staging" | "testing" | "production";
      VERBOSE_ERROR_OUTPUT: string;
      LOKI_HOST: string;
      CLIENT_ID_HEROKU: string;
@ -39,12 +39,6 @@ declare global {
      SMTP_PASSWORD: string;
      SMTP_FROM_ADDRESS: string;
      SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
-      STRIPE_PRODUCT_PRO: string;
-      STRIPE_PUBLISHABLE_KEY: string;
-      STRIPE_SECRET_KEY: string;
-      STRIPE_WEBHOOK_SECRET: string;
      TELEMETRY_ENABLED: string;
      LICENSE_KEY: string;
    }
--- a/backend/jest.config.ts
+++ b/backend/jest.config.ts
@ -1,9 +1,9 @@
 export default {
-  preset: 'ts-jest',
-  testEnvironment: 'node',
-  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
-  modulePaths: ['<rootDir>/src'],
-  testMatch: ['<rootDir>/tests/**/*.test.ts'],
-  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
-  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
+  preset: "ts-jest",
+  testEnvironment: "node",
+  collectCoverageFrom: ["src/*.{js,ts}", "!**/node_modules/**"],
+  modulePaths: ["<rootDir>/src"],
+  testMatch: ["<rootDir>/tests/**/*.test.ts"],
+  setupFiles: ["<rootDir>/test-resources/env-vars.js"],
+  setupFilesAfterEnv: ["<rootDir>/tests/setupTests.ts"],
 };
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -2,19 +2,18 @@
  "dependencies": {
    "@aws-sdk/client-secrets-manager": "^3.319.0",
    "@godaddy/terminus": "^4.12.0",
+    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/rest": "^19.0.5",
    "@sentry/node": "^7.49.0",
    "@sentry/tracing": "^7.48.0",
    "@types/crypto-js": "^4.1.1",
    "@types/libsodium-wrappers": "^0.7.10",
    "argon2": "^0.30.3",
-    "await-to-js": "^3.0.0",
    "aws-sdk": "^2.1364.0",
    "axios": "^1.3.5",
    "axios-retry": "^3.4.0",
    "bcrypt": "^5.1.0",
    "bigint-conversion": "^2.4.0",
-    "builder-pattern": "^2.2.0",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
    "crypto-js": "^4.1.1",
@ -38,10 +37,10 @@
    "passport": "^0.6.0",
    "passport-google-oauth20": "^2.0.0",
    "posthog-node": "^2.6.0",
+    "probot": "^12.3.1",
    "query-string": "^7.1.3",
    "rate-limit-mongo": "^2.3.2",
    "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
    "swagger-autogen": "^2.22.0",
    "swagger-ui-express": "^4.6.2",
    "tweetnacl": "^1.0.3",
@ -92,6 +91,7 @@
    "@types/node": "^18.11.3",
    "@types/nodemailer": "^6.4.6",
    "@types/passport": "^1.0.12",
+    "@types/picomatch": "^2.3.0",
    "@types/supertest": "^2.0.12",
    "@types/swagger-jsdoc": "^6.0.1",
    "@types/swagger-ui-express": "^4.1.3",
@ -99,11 +99,13 @@
    "@typescript-eslint/parser": "^5.40.1",
    "cross-env": "^7.0.3",
    "eslint": "^8.26.0",
+    "eslint-plugin-unused-imports": "^2.0.0",
    "install": "^0.13.0",
    "jest": "^29.3.1",
    "jest-junit": "^15.0.0",
    "nodemon": "^2.0.19",
    "npm": "^8.19.3",
+    "smee-client": "^1.2.3",
    "supertest": "^6.3.3",
    "ts-jest": "^29.0.3",
    "ts-node": "^10.9.1"
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,93 +1,92 @@
-import InfisicalClient from 'infisical-node';
+import InfisicalClient from "infisical-node";

 export const client = new InfisicalClient({
-  token: process.env.INFISICAL_TOKEN!
+  token: process.env.INFISICAL_TOKEN!,
 });

-export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
 export const getEncryptionKey = async () => {
-  const secretValue = (await client.getSecret('ENCRYPTION_KEY')).secretValue;
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
 export const getRootEncryptionKey = async () => {
-  const secretValue = (await client.getSecret('ROOT_ENCRYPTION_KEY')).secretValue; 
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
-export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue === 'true'
-export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
-export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
-export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
-export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
-export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
-export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
-export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
-export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
-export const getJwtProviderAuthSecret = async () => (await client.getSecret('JWT_PROVIDER_AUTH_SECRET')).secretValue;
-export const getJwtProviderAuthLifetime = async () => (await client.getSecret('JWT_PROVIDER_AUTH_LIFETIME')).secretValue || '15m';
-export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
-export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
-export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
-export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
-export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
-export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
-export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
-export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
-export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
-export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
-export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
-export const getClientIdGoogle = async () => (await client.getSecret('CLIENT_ID_GOOGLE')).secretValue;
-export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
-export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
-export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
-export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
-export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
-export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
-export const getClientSecretGoogle = async () => (await client.getSecret('CLIENT_SECRET_GOOGLE')).secretValue;
-export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
-export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
-export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
-export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
-export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
-export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
-export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
-export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
-export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
-export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
+export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
+export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
+export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
+export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
+export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
+export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
+export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
+export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
+export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
+export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
+export const getClientIdGoogle = async () => (await client.getSecret("CLIENT_ID_GOOGLE")).secretValue;
+export const getClientIdBitBucket = async () => (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
+export const getClientSecretGoogle = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE")).secretValue;
+export const getClientSecretBitBucket = async () => (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
+export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
+export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
+export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
+export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
+
+export const getSecretScanningWebhookProxy = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
+export const getSecretScanningWebhookSecret = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
+export const getSecretScanningGitAppId = async () => (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
+export const getSecretScanningPrivateKey = async () => (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;

 export const getLicenseKey = async () => {
-  const secretValue = (await client.getSecret('LICENSE_KEY')).secretValue;
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
 export const getLicenseServerKey = async () => {
-  const secretValue = (await client.getSecret('LICENSE_SERVER_KEY')).secretValue;
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
-export const getLicenseServerUrl = async () => (await client.getSecret('LICENSE_SERVER_URL')).secretValue || 'https://portal.infisical.com';
+export const getLicenseServerUrl = async () => (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";

-// TODO: deprecate from here
-export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
-export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
-export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
-export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
-export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
-export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
-
-export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
-export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
-export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
+export const getTelemetryEnabled = async () => (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
+export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret("SMTP_HOST")).secretValue == "" || (await client.getSecret("SMTP_HOST")).secretValue == undefined ? false : true
 export const getHttpsEnabled = async () => {
  if ((await getNodeEnv()) != "production") {
    // no https for anything other than prod
    return false
  }

-  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
+  if ((await client.getSecret("HTTPS_ENABLED")).secretValue == undefined || (await client.getSecret("HTTPS_ENABLED")).secretValue == "") {
    // default when no value present
    return true
  }

-  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
-}
+  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true
+}
--- a/backend/src/config/request.ts
+++ b/backend/src/config/request.ts
@ -1,16 +1,16 @@
-import axios from 'axios';
-import axiosRetry from 'axios-retry';
+import axios from "axios";
+import axiosRetry from "axios-retry";
 import {
-  getLicenseServerKeyAuthToken,
-  setLicenseServerKeyAuthToken,
  getLicenseKeyAuthToken,
-  setLicenseKeyAuthToken
-} from './storage';
+  getLicenseServerKeyAuthToken,
+  setLicenseKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+} from "./storage";
 import {
  getLicenseKey,
  getLicenseServerKey, 
-  getLicenseServerUrl
-} from './index';
+  getLicenseServerUrl,
+} from "./index";

 // should have JWT to interact with the license server
 export const licenseServerKeyRequest = axios.create();
@ -35,8 +35,8 @@ export const refreshLicenseServerKeyToken = async () => {
    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
    {
      headers: {
-        'X-API-KEY': licenseServerKey
-      }
+        "X-API-KEY": licenseServerKey,
+      },
    }
  );

@ -53,8 +53,8 @@ export const refreshLicenseKeyToken = async () => {
    `${licenseServerUrl}/api/auth/v1/license-login`, {},
    {
      headers: {
-        'X-API-KEY': licenseKey
-      }
+        "X-API-KEY": licenseKey,
+      },
    }
  );

@ -86,7 +86,7 @@ licenseServerKeyRequest.interceptors.response.use((response) => {
    // refresh
    const token = await refreshLicenseServerKeyToken();            
    
-    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
    return licenseServerKeyRequest(originalRequest);
  }

@ -116,7 +116,7 @@ licenseKeyRequest.interceptors.response.use((response) => {
    // refresh
    const token = await refreshLicenseKeyToken();            
    
-    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
    return licenseKeyRequest(originalRequest);
  }

--- a/backend/src/config/storage.ts
+++ b/backend/src/config/storage.ts
@ -5,7 +5,7 @@ const MemoryLicenseServerKeyTokenStorage = () => {
      setToken: (token: string) => {
        authToken = token;
      },
-      getToken: () => authToken
+      getToken: () => authToken,
    };
 };

@ -16,7 +16,7 @@ const MemoryLicenseKeyTokenStorage = () => {
      setToken: (token: string) => {
        authToken = token;
      },
-      getToken: () => authToken
+      getToken: () => authToken,
    };
 };

--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -1,36 +1,36 @@
-import { Request, Response } from 'express';
-import fs from 'fs';
-import path from 'path';
-import jwt from 'jsonwebtoken';
-import * as bigintConversion from 'bigint-conversion';
+import { Request, Response } from "express";
+import fs from "fs";
+import path from "path";
+import jwt from "jsonwebtoken";
+import * as bigintConversion from "bigint-conversion";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
+const jsrp = require("jsrp");
 import { 
-  User, 
-  LoginSRPDetail,
-  TokenVersion
-} from '../../models';
-import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
+  LoginSRPDetail, 
+  TokenVersion,
+  User,
+} from "../../models";
+import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
 import {
  ACTION_LOGIN,
  ACTION_LOGOUT,
-  AUTH_MODE_JWT
-} from '../../variables';
+  AUTH_MODE_JWT,
+} from "../../variables";
 import { 
  BadRequestError,
-  UnauthorizedRequestError
-} from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog';
+  UnauthorizedRequestError,
+} from "../../utils/errors";
+import { EELogService } from "../../ee/services";
+import { getChannelFromUserAgent } from "../../utils/posthog";
 import {
-  getJwtRefreshSecret,
+  getHttpsEnabled,
  getJwtAuthLifetime,
  getJwtAuthSecret,
-  getHttpsEnabled
-} from '../../config';
+  getJwtRefreshSecret,
+} from "../../config";

-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
    userId: string;
    refreshVersion?: number;
@ -46,20 +46,20 @@ declare module 'jsonwebtoken' {
 export const login1 = async (req: Request, res: Response) => {
  const {
    email,
-    clientPublicKey
+    clientPublicKey,
  }: { email: string; clientPublicKey: string } = req.body;

  const user = await User.findOne({
-    email
-  }).select('+salt +verifier');
+    email,
+  }).select("+salt +verifier");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

  const server = new jsrp.server();
  server.init(
    {
      salt: user.salt,
-      verifier: user.verifier
+      verifier: user.verifier,
    },
    async () => {
      // generate server-side public key
@ -73,7 +73,7 @@ export const login1 = async (req: Request, res: Response) => {

      return res.status(200).send({
        serverPublicKey,
-        salt: user.salt
+        salt: user.salt,
      });
    }
  );
@ -89,10 +89,10 @@ export const login1 = async (req: Request, res: Response) => {
 export const login2 = async (req: Request, res: Response) => {
  const { email, clientProof } = req.body;
  const user = await User.findOne({
-    email
-  }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+    email,
+  }).select("+salt +verifier +publicKey +encryptedPrivateKey +iv +tag");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })

@ -105,7 +105,7 @@ export const login2 = async (req: Request, res: Response) => {
    {
      salt: user.salt,
      verifier: user.verifier,
-      b: loginSRPDetailFromDB.serverBInt
+      b: loginSRPDetailFromDB.serverBInt,
    },
    async () => {
      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
@ -117,33 +117,33 @@ export const login2 = async (req: Request, res: Response) => {
        await checkUserDevice({
          user,
          ip: req.realIP,
-          userAgent: req.headers['user-agent'] ?? ''
+          userAgent: req.headers["user-agent"] ?? "",
        });

        const tokens = await issueAuthTokens({ 
          userId: user._id,
          ip: req.realIP,
-          userAgent: req.headers['user-agent'] ?? ''
+          userAgent: req.headers["user-agent"] ?? "",
        });

        // store (refresh) token in httpOnly cookie
-        res.cookie('jid', tokens.refreshToken, {
+        res.cookie("jid", tokens.refreshToken, {
          httpOnly: true,
-          path: '/',
-          sameSite: 'strict',
-          secure: await getHttpsEnabled()
+          path: "/",
+          sameSite: "strict",
+          secure: await getHttpsEnabled(),
        });

        const loginAction = await EELogService.createAction({
          name: ACTION_LOGIN,
-          userId: user._id
+          userId: user._id,
        });

        loginAction && await EELogService.createLog({
          userId: user._id,
          actions: [loginAction],
-          channel: getChannelFromUserAgent(req.headers['user-agent']),
-          ipAddress: req.realIP
+          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          ipAddress: req.realIP,
        });

        // return (access) token in response
@ -152,12 +152,12 @@ export const login2 = async (req: Request, res: Response) => {
          publicKey: user.publicKey,
          encryptedPrivateKey: user.encryptedPrivateKey,
          iv: user.iv,
-          tag: user.tag
+          tag: user.tag,
        });
      }

      return res.status(400).send({
-        message: 'Failed to authenticate. Try again?'
+        message: "Failed to authenticate. Try again?",
      });
    }
  );
@ -175,51 +175,51 @@ export const logout = async (req: Request, res: Response) => {
  }

  // clear httpOnly cookie
-  res.cookie('jid', '', {
+  res.cookie("jid", "", {
    httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: (await getHttpsEnabled()) as boolean
+    path: "/",
+    sameSite: "strict",
+    secure: (await getHttpsEnabled()) as boolean,
  });

  const logoutAction = await EELogService.createAction({
    name: ACTION_LOGOUT,
-    userId: req.user._id
+    userId: req.user._id,
  });

  logoutAction && await EELogService.createLog({
    userId: req.user._id,
    actions: [logoutAction],
-    channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.realIP
+    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    ipAddress: req.realIP,
  });

  return res.status(200).send({
-    message: 'Successfully logged out.'
+    message: "Successfully logged out.",
  });
 };

 export const getCommonPasswords = async (req: Request, res: Response) => {
  const commonPasswords = fs.readFileSync(
-		path.resolve(__dirname, '../../data/' + 'common_passwords.txt'),
-		'utf8'
-	).split('\n');	
+		path.resolve(__dirname, "../../data/" + "common_passwords.txt"),
+		"utf8"
+	).split("\n");	

  return res.status(200).send(commonPasswords);
 }

 export const revokeAllSessions = async (req: Request, res: Response) => {
  await TokenVersion.updateMany({
-    user: req.user._id
+    user: req.user._id,
  }, {
    $inc: {
      refreshVersion: 1,
-      accessVersion: 1
-    }
+      accessVersion: 1,
+    },
  });

  return res.status(200).send({
-    message: 'Successfully revoked all sessions.'
+    message: "Successfully revoked all sessions.",
  }); 
 }

@ -231,7 +231,7 @@ export const revokeAllSessions = async (req: Request, res: Response) => {
 */
 export const checkAuth = async (req: Request, res: Response) => {
  return res.status(200).send({
-    message: 'Authenticated'
+    message: "Authenticated",
  });
 }

@ -244,44 +244,44 @@ export const checkAuth = async (req: Request, res: Response) => {
 export const getNewToken = async (req: Request, res: Response) => {
  const refreshToken = req.cookies.jid;

-  if (!refreshToken) {
-    throw new Error('Failed to find refresh token in request cookies');
-  }
+  if (!refreshToken) throw BadRequestError({
+    message: "Failed to find refresh token in request cookies"
+  });

  const decodedToken = <jwt.UserIDJwtPayload>(
    jwt.verify(refreshToken, await getJwtRefreshSecret())
  );

  const user = await User.findOne({
-    _id: decodedToken.userId
-  }).select('+publicKey +refreshVersion +accessVersion');
+    _id: decodedToken.userId,
+  }).select("+publicKey +refreshVersion +accessVersion");

-  if (!user) throw new Error('Failed to authenticate unfound user');
+  if (!user) throw new Error("Failed to authenticate unfound user");
  if (!user?.publicKey)
-    throw new Error('Failed to authenticate not fully set up account');
+    throw new Error("Failed to authenticate not fully set up account");
  
  const tokenVersion = await TokenVersion.findById(decodedToken.tokenVersionId);

  if (!tokenVersion) throw UnauthorizedRequestError({
-    message: 'Failed to validate refresh token'
+    message: "Failed to validate refresh token",
  });

  if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) throw BadRequestError({
-    message: 'Failed to validate refresh token'
+    message: "Failed to validate refresh token",
  });

  const token = createToken({
    payload: {
      userId: decodedToken.userId,
      tokenVersionId: tokenVersion._id.toString(),
-      accessVersion: tokenVersion.refreshVersion
+      accessVersion: tokenVersion.refreshVersion,
    },
    expiresIn: await getJwtAuthLifetime(),
-    secret: await getJwtAuthSecret()
+    secret: await getJwtAuthSecret(),
  });

  return res.status(200).send({
-    token
+    token,
  });
 };

--- a/backend/src/controllers/v1/botController.ts
+++ b/backend/src/controllers/v1/botController.ts
@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { Bot, BotKey } from '../../models';
-import { createBot } from '../../helpers/bot';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Bot, BotKey } from "../../models";
+import { createBot } from "../../helpers/bot";

 interface BotKey {
    encryptedKey: string;
@ -19,20 +19,20 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
  const { workspaceId } = req.params;

  let bot = await Bot.findOne({
-      workspace: workspaceId
+      workspace: workspaceId,
  });
  
  if (!bot) {
      // case: bot doesn't exist for workspace with id [workspaceId]
      // -> create a new bot and return it
      bot = await createBot({
-          name: 'Infisical Bot',
-          workspaceId: new Types.ObjectId(workspaceId)
+          name: "Infisical Bot",
+          workspaceId: new Types.ObjectId(workspaceId),
      });
  }
    
  return res.status(200).send({
-      bot
+      bot,
  });
 };

@ -49,40 +49,40 @@ export const setBotActiveState = async (req: Request, res: Response) => {
        // bot state set to active -> share workspace key with bot
        if (!botKey?.encryptedKey || !botKey?.nonce) {
            return res.status(400).send({
-                message: 'Failed to set bot state to active - missing bot key'
+                message: "Failed to set bot state to active - missing bot key",
            });
        }
        
        await BotKey.findOneAndUpdate({
-            workspace: req.bot.workspace
+            workspace: req.bot.workspace,
        }, {
            encryptedKey: botKey.encryptedKey,
            nonce: botKey.nonce,
            sender: req.user._id,
            bot: req.bot._id,
-            workspace: req.bot.workspace
+            workspace: req.bot.workspace,
        }, {
            upsert: true,
-            new: true
+            new: true,
        });
    } else {
        // case: bot state set to inactive -> delete bot's workspace key
        await BotKey.deleteOne({
-            bot: req.bot._id
+            bot: req.bot._id,
        });
    }

-    let bot = await Bot.findOneAndUpdate({
-        _id: req.bot._id
+    const bot = await Bot.findOneAndUpdate({
+        _id: req.bot._id,
    }, {
-        isActive
+        isActive,
    }, {
-        new: true
+        new: true,
    });
    
-    if (!bot) throw new Error('Failed to update bot active state');
+    if (!bot) throw new Error("Failed to update bot active state");
    
    return res.status(200).send({
-        bot
+        bot,
    });
 };
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
@ -1,35 +1,39 @@
-import * as authController from './authController';
-import * as botController from './botController';
-import * as integrationAuthController from './integrationAuthController';
-import * as integrationController from './integrationController';
-import * as keyController from './keyController';
-import * as membershipController from './membershipController';
-import * as membershipOrgController from './membershipOrgController';
-import * as organizationController from './organizationController';
-import * as passwordController from './passwordController';
-import * as secretController from './secretController';
-import * as serviceTokenController from './serviceTokenController';
-import * as signupController from './signupController';
-import * as stripeController from './stripeController';
-import * as userActionController from './userActionController';
-import * as userController from './userController';
-import * as workspaceController from './workspaceController';
+import * as authController from "./authController";
+import * as botController from "./botController";
+import * as integrationAuthController from "./integrationAuthController";
+import * as integrationController from "./integrationController";
+import * as keyController from "./keyController";
+import * as membershipController from "./membershipController";
+import * as membershipOrgController from "./membershipOrgController";
+import * as organizationController from "./organizationController";
+import * as passwordController from "./passwordController";
+import * as secretController from "./secretController";
+import * as serviceTokenController from "./serviceTokenController";
+import * as signupController from "./signupController";
+import * as userActionController from "./userActionController";
+import * as userController from "./userController";
+import * as workspaceController from "./workspaceController";
+import * as secretScanningController from "./secretScanningController";
+import * as webhookController from "./webhookController";
+import * as secretImportController from "./secretImportController";

 export {
-	authController,
-	botController,
-	integrationAuthController,
-	integrationController,
-	keyController,
-	membershipController,
-	membershipOrgController,
-	organizationController,
-	passwordController,
-	secretController,
-	serviceTokenController,
-	signupController,
-	stripeController,
-	userActionController,
-	userController,
-	workspaceController
+  authController,
+  botController,
+  integrationAuthController,
+  integrationController,
+  keyController,
+  membershipController,
+  membershipOrgController,
+  organizationController,
+  passwordController,
+  secretController,
+  serviceTokenController,
+  signupController,
+  userActionController,
+  userController,
+  workspaceController,
+  secretScanningController,
+  webhookController,
+  secretImportController
 };
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -1,21 +1,18 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { standardRequest } from "../../config/request";
+import { getApps, getTeams, revokeAccess } from "../../integrations";
+import { Bot, IntegrationAuth } from "../../models";
+import { IntegrationService } from "../../services";
 import {
-	IntegrationAuth,
-	Bot 
-} from '../../models';
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
-import { IntegrationService } from '../../services';
-import {
-	getApps, 
-	getTeams,
-	revokeAccess 
-} from '../../integrations';
-import {
-	INTEGRATION_VERCEL_API_URL,
-	INTEGRATION_RAILWAY_API_URL
-} from '../../variables';
-import { standardRequest } from '../../config/request';
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_RAILWAY_API_URL,
+  INTEGRATION_SET,
+  INTEGRATION_VERCEL_API_URL,
+  getIntegrationOptions as getIntegrationOptionsFunc
+} from "../../variables";

 /***
 * Return integration authorization with id [integrationAuthId]
@ -23,22 +20,23 @@ import { standardRequest } from '../../config/request';
 export const getIntegrationAuth = async (req: Request, res: Response) => {
  const { integrationAuthId } = req.params;
  const integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-  
-  if (!integrationAuth) return res.status(400).send({
-    message: 'Failed to find integration authorization'
-  });

-	return res.status(200).send({
-		integrationAuth
-	});
-}
+  if (!integrationAuth)
+    return res.status(400).send({
+      message: "Failed to find integration authorization"
+    });
+
+  return res.status(200).send({
+    integrationAuth
+  });
+};

 export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
+  const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();

-	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS,
-	});
+  return res.status(200).send({
+    integrationOptions: INTEGRATION_OPTIONS
+  });
 };

 /**
@ -47,26 +45,22 @@ export const getIntegrationOptions = async (req: Request, res: Response) => {
 * @param res
 * @returns
 */
-export const oAuthExchange = async (
-	req: Request,
-	res: Response
-) => {
+export const oAuthExchange = async (req: Request, res: Response) => {
  const { workspaceId, code, integration } = req.body;
-  if (!INTEGRATION_SET.has(integration))
-    throw new Error('Failed to validate integration');
-  
+  if (!INTEGRATION_SET.has(integration)) throw new Error("Failed to validate integration");
+
  const environments = req.membership.workspace?.environments || [];
-  if(environments.length === 0){
-    throw new Error("Failed to get environments")
+  if (environments.length === 0) {
+    throw new Error("Failed to get environments");
  }

  const integrationAuth = await IntegrationService.handleOAuthExchange({
    workspaceId,
    integration,
    code,
-    environment: environments[0].slug,
+    environment: environments[0].slug
  });
-  
+
  return res.status(200).send({
    integrationAuth
  });
@ -75,69 +69,70 @@ export const oAuthExchange = async (
 /**
 * Save integration access token and (optionally) access id as part of integration
 * [integration] for workspace with id [workspaceId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
-export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
-) => {
-	// TODO: refactor
-	// TODO: check if access token is valid for each integration
+export const saveIntegrationAccessToken = async (req: Request, res: Response) => {
+  // TODO: refactor
+  // TODO: check if access token is valid for each integration

-	let integrationAuth;
-	const {
-		workspaceId,
-		accessId,
-		accessToken,
-		url,
-		namespace,
-		integration
-	}: {
-		workspaceId: string;
-		accessId: string | null;
-		accessToken: string;
-		url: string;
-		namespace: string;
-		integration: string;
-	} = req.body;
+  let integrationAuth;
+  const {
+    workspaceId,
+    accessId,
+    accessToken,
+    url,
+    namespace,
+    integration
+  }: {
+    workspaceId: string;
+    accessId: string | null;
+    accessToken: string;
+    url: string;
+    namespace: string;
+    integration: string;
+  } = req.body;

-	const bot = await Bot.findOne({
-		workspace: new Types.ObjectId(workspaceId),
-		isActive: true
-	});
-      
-    if (!bot) throw new Error('Bot must be enabled to save integration access token');
+  const bot = await Bot.findOne({
+    workspace: new Types.ObjectId(workspaceId),
+    isActive: true
+  });

-  	integrationAuth = await IntegrationAuth.findOneAndUpdate({
-		workspace: new Types.ObjectId(workspaceId),
-		integration
-    }, {
-		workspace: new Types.ObjectId(workspaceId),
-		integration,
-		url,
-		namespace,
-		algorithm: ALGORITHM_AES_256_GCM,
-		keyEncoding: ENCODING_SCHEME_UTF8
-  	}, {
-		new: true,
-		upsert: true
-    });
-  
-	// encrypt and save integration access details
-	integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-		integrationAuthId: integrationAuth._id.toString(),
-		accessId,
-		accessToken,
-		accessExpiresAt: undefined
-	});
-  
-  	if (!integrationAuth) throw new Error('Failed to save integration access token');
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
+  if (!bot) throw new Error("Bot must be enabled to save integration access token");
+
+  integrationAuth = await IntegrationAuth.findOneAndUpdate(
+    {
+      workspace: new Types.ObjectId(workspaceId),
+      integration
+    },
+    {
+      workspace: new Types.ObjectId(workspaceId),
+      integration,
+      url,
+      namespace,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    },
+    {
+      new: true,
+      upsert: true
+    }
+  );
+
+  // encrypt and save integration access details
+  integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+    integrationAuthId: integrationAuth._id.toString(),
+    accessId,
+    accessToken,
+    accessExpiresAt: undefined
+  });
+
+  if (!integrationAuth) throw new Error("Failed to save integration access token");
+
+  return res.status(200).send({
+    integrationAuth
+  });
+};

 /**
 * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
@ -147,107 +142,110 @@ export const saveIntegrationAccessToken = async (
 */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
  const teamId = req.query.teamId as string;
-  
+  const workspaceSlug = req.query.workspaceSlug as string;
+
  const apps = await getApps({
    integrationAuth: req.integrationAuth,
    accessToken: req.accessToken,
-    ...teamId && { teamId }
+    accessId: req.accessId,
+    ...(teamId && { teamId }),
+    ...(workspaceSlug && { workspaceSlug })
  });

-	return res.status(200).send({
-		apps
-	});
+  return res.status(200).send({
+    apps
+  });
 };

 /**
 * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
-	const teams = await getTeams({
-		integrationAuth: req.integrationAuth,
-		accessToken: req.accessToken
-	});
-	
-	return res.status(200).send({
-		teams
-	});
-}
+  const teams = await getTeams({
+    integrationAuth: req.integrationAuth,
+    accessToken: req.accessToken
+  });
+
+  return res.status(200).send({
+    teams
+  });
+};

 /**
 * Return list of available Vercel (preview) branches for Vercel project with
 * id [appId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
 export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface VercelBranch {
-		ref: string;
-		lastCommit: string;
-		isProtected: boolean;
-	}
+  const appId = req.query.appId as string;

-	const params = new URLSearchParams({
-		projectId: appId,
-		...(req.integrationAuth.teamId ? {
-			teamId: req.integrationAuth.teamId
-		} : {})
-	});
+  interface VercelBranch {
+    ref: string;
+    lastCommit: string;
+    isProtected: boolean;
+  }

-	let branches: string[] = [];
-	
-	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await standardRequest.get(
-			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
-			{
-				params,
-				headers: {
-					Authorization: `Bearer ${req.accessToken}`,
-					'Accept-Encoding': 'application/json'
-				}
-			}
-		);
-		
-		branches = data.map((b) => b.ref);
-	}
+  const params = new URLSearchParams({
+    projectId: appId,
+    ...(req.integrationAuth.teamId
+      ? {
+          teamId: req.integrationAuth.teamId
+        }
+      : {})
+  });

-	return res.status(200).send({
-		branches
-	});
-}
+  let branches: string[] = [];
+
+  if (appId && appId !== "") {
+    const { data }: { data: VercelBranch[] } = await standardRequest.get(
+      `${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
+      {
+        params,
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+
+    branches = data.map((b) => b.ref);
+  }
+
+  return res.status(200).send({
+    branches
+  });
+};

 /**
 * Return list of Railway environments for Railway project with
 * id [appId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
 export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayEnvironment {
-		node: {
-			id: string;
-			name: string;
-			isEphemeral: boolean;
-		}
-	}
-	
-	interface Environment {
-		environmentId: string;
-		name: string;
-	}
-	
-	let environments: Environment[] = [];
+  const appId = req.query.appId as string;

-	if (appId && appId !== '') {
-		const query = `
+  interface RailwayEnvironment {
+    node: {
+      id: string;
+      name: string;
+      isEphemeral: boolean;
+    };
+  }
+
+  interface Environment {
+    environmentId: string;
+    name: string;
+  }
+
+  let environments: Environment[] = [];
+
+  if (appId && appId !== "") {
+    const query = `
 			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
 				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
 				edges {
@ -260,59 +258,68 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 				}
 			}
 			`;
-		
-		const variables = {
-			projectId: appId
-		}
-		
-		const { data: { data: { environments: { edges } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables,
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		environments = edges.map((e: RailwayEnvironment) => {
-			return ({
-				name: e.node.name,
-				environmentId: e.node.id
-			});
-		});
-	}
-	
-	return res.status(200).send({
-		environments
-	});
-}
+
+    const variables = {
+      projectId: appId
+    };
+
+    const {
+      data: {
+        data: {
+          environments: { edges }
+        }
+      }
+    } = await standardRequest.post(
+      INTEGRATION_RAILWAY_API_URL,
+      {
+        query,
+        variables
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+
+    environments = edges.map((e: RailwayEnvironment) => {
+      return {
+        name: e.node.name,
+        environmentId: e.node.id
+      };
+    });
+  }
+
+  return res.status(200).send({
+    environments
+  });
+};

 /**
 * Return list of Railway services for Railway project with id
 * [appId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
 export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayService {
-		node: {
-			id: string;
-			name: string;
-		}
-	}
-	
-	interface Service {
-		name: string;
-		serviceId: string;
-	}
-	
-	let services: Service[] = [];
-	
-	const query = `
+  const appId = req.query.appId as string;
+
+  interface RailwayService {
+    node: {
+      id: string;
+      name: string;
+    };
+  }
+
+  interface Service {
+    name: string;
+    serviceId: string;
+  }
+
+  let services: Service[] = [];
+
+  const query = `
      query project($id: String!) {
        project(id: $id) {
          createdAt
@ -340,31 +347,103 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
      }
    `;

-	if (appId && appId !== '') {
-		const variables = {
-			id: appId
-		}
-		
-		const { data: { data: { project: { services: { edges } } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		services = edges.map((e: RailwayService) => ({
-			name: e.node.name,
-			serviceId: e.node.id
-		}));
-	}
-	
-	return res.status(200).send({
-		services
-	});
-}
+  if (appId && appId !== "") {
+    const variables = {
+      id: appId
+    };
+
+    const {
+      data: {
+        data: {
+          project: {
+            services: { edges }
+          }
+        }
+      }
+    } = await standardRequest.post(
+      INTEGRATION_RAILWAY_API_URL,
+      {
+        query,
+        variables
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+
+    services = edges.map((e: RailwayService) => ({
+      name: e.node.name,
+      serviceId: e.node.id
+    }));
+  }
+
+  return res.status(200).send({
+    services
+  });
+};
+
+/**
+ * Return list of workspaces allowed for Bitbucket integration
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: Response) => {
+  
+  interface WorkspaceResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<Workspace>;
+  }
+
+  interface Workspace {
+    type: string;
+    uuid: string;
+    name: string;
+    slug: string;
+    is_private: boolean;
+    created_on: string;
+    updated_on: string;
+  }
+
+  const workspaces: Workspace[] = [];
+  let hasNextPage = true;
+  let workspaceUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/workspaces`
+
+  while (hasNextPage) {
+    const { data }: { data: WorkspaceResponse } = await standardRequest.get(
+      workspaceUrl,
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+    
+    if (data?.values.length > 0) {
+      data.values.forEach((workspace) => {
+        workspaces.push(workspace)
+      })
+    }
+
+    if (data.next) {
+      workspaceUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  return res.status(200).send({
+    workspaces
+  });
+};

 /**
 * Delete integration authorization with id [integrationAuthId]
@ -375,10 +454,10 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
  const integrationAuth = await revokeAccess({
    integrationAuth: req.integrationAuth,
-    accessToken: req.accessToken,
+    accessToken: req.accessToken
  });

  return res.status(200).send({
-    integrationAuth,
+    integrationAuth
  });
 };
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -1,10 +1,11 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { 
-	Integration
-} from '../../models';
-import { EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Integration } from "../../models";
+import { EventService } from "../../services";
+import { eventStartIntegration } from "../../events";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
+import { BadRequestError } from "../../utils/errors";

 /**
 * Create/initialize an (empty) integration for integration authorization
@ -25,9 +26,24 @@ export const createIntegration = async (req: Request, res: Response) => {
    targetServiceId,
    owner,
    path,
-    region
+    region,
+    secretPath
  } = req.body;
-  
+
+  const folders = await Folder.findOne({
+    workspace: req.integrationAuth.workspace._id,
+    environment: sourceEnvironment
+  });
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw BadRequestError({
+        message: "Path for service token does not exist"
+      });
+    }
+  }
+
  // TODO: validate [sourceEnvironment] and [targetEnvironment]

  // initialize new integration after saving integration access token
@ -44,14 +60,15 @@ export const createIntegration = async (req: Request, res: Response) => {
    owner,
    path,
    region,
+    secretPath,
    integration: req.integrationAuth.integration,
    integrationAuth: new Types.ObjectId(integrationAuthId)
  }).save();
-  
+
  if (integration) {
    // trigger event - push secrets
    EventService.handleEvent({
-      event: eventPushSecrets({
+      event: eventStartIntegration({
        workspaceId: integration.workspace,
        environment: sourceEnvironment
      })
@ -59,7 +76,7 @@ export const createIntegration = async (req: Request, res: Response) => {
  }

  return res.status(200).send({
-    integration,
+    integration
  });
 };

@ -70,7 +87,6 @@ export const createIntegration = async (req: Request, res: Response) => {
 * @returns
 */
 export const updateIntegration = async (req: Request, res: Response) => {
-
  // TODO: add integration-specific validation to ensure that each
  // integration has the correct fields populated in [Integration]

@ -81,11 +97,26 @@ export const updateIntegration = async (req: Request, res: Response) => {
    appId,
    targetEnvironment,
    owner, // github-specific integration param
+    secretPath
  } = req.body;

+  const folders = await Folder.findOne({
+    workspace: req.integration.workspace,
+    environment
+  });
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw BadRequestError({
+        message: "Path for service token does not exist"
+      });
+    }
+  }
+
  const integration = await Integration.findOneAndUpdate(
    {
-      _id: req.integration._id,
+      _id: req.integration._id
    },
    {
      environment,
@ -94,24 +125,25 @@ export const updateIntegration = async (req: Request, res: Response) => {
      appId,
      targetEnvironment,
      owner,
+      secretPath
    },
    {
-      new: true,
+      new: true
    }
  );

  if (integration) {
    // trigger event - push secrets
    EventService.handleEvent({
-      event: eventPushSecrets({
+      event: eventStartIntegration({
        workspaceId: integration.workspace,
        environment
-      }),
+      })
    });
  }

  return res.status(200).send({
-    integration,
+    integration
  });
 };

@ -126,12 +158,12 @@ export const deleteIntegration = async (req: Request, res: Response) => {
  const { integrationId } = req.params;

  const integration = await Integration.findOneAndDelete({
-    _id: integrationId,
+    _id: integrationId
  });

  if (!integration) throw new Error("Failed to find integration");

  return res.status(200).send({
-    integration,
+    integration
  });
 };
--- a/backend/src/controllers/v1/keyController.ts
+++ b/backend/src/controllers/v1/keyController.ts
@ -1,6 +1,6 @@
-import { Request, Response } from 'express';
-import { Key } from '../../models';
-import { findMembership } from '../../helpers/membership';
+import { Request, Response } from "express";
+import { Key } from "../../models";
+import { findMembership } from "../../helpers/membership";

 /**
 * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@ -16,11 +16,11 @@ export const uploadKey = async (req: Request, res: Response) => {
  // validate membership of receiver
  const receiverMembership = await findMembership({
    user: key.userId,
-    workspace: workspaceId
+    workspace: workspaceId,
  });

  if (!receiverMembership) {
-    throw new Error('Failed receiver membership validation for workspace');
+    throw new Error("Failed receiver membership validation for workspace");
  }

  await new Key({
@ -28,11 +28,11 @@ export const uploadKey = async (req: Request, res: Response) => {
    nonce: key.nonce,
    sender: req.user._id,
    receiver: key.userId,
-    workspace: workspaceId
+    workspace: workspaceId,
  }).save();

 	return res.status(200).send({
-		message: 'Successfully uploaded key to workspace'
+		message: "Successfully uploaded key to workspace",
 	});
 };

@ -48,16 +48,16 @@ export const getLatestKey = async (req: Request, res: Response) => {
  // get latest key
  const latestKey = await Key.find({
    workspace: workspaceId,
-    receiver: req.user._id
+    receiver: req.user._id,
  })
    .sort({ createdAt: -1 })
    .limit(1)
-    .populate('sender', '+publicKey');
+    .populate("sender", "+publicKey");

 	const resObj: any = {};

 	if (latestKey.length > 0) {
-		resObj['latestKey'] = latestKey[0];
+		resObj["latestKey"] = latestKey[0];
 	}

 	return res.status(200).send(resObj);
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -1,12 +1,9 @@
-import { Request, Response } from 'express';
-import { Membership, MembershipOrg, User, Key } from '../../models';
-import {
-	findMembership,
-	deleteMembership as deleteMember
-} from '../../helpers/membership';
-import { sendMail } from '../../helpers/nodemailer';
-import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
-import { getSiteURL } from '../../config';
+import { Request, Response } from "express";
+import { Key, Membership, MembershipOrg, User } from "../../models";
+import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
+import { sendMail } from "../../helpers/nodemailer";
+import { ACCEPTED, ADMIN, MEMBER } from "../../variables";
+import { getSiteURL } from "../../config";

 /**
 * Check that user is a member of workspace with id [workspaceId]
@ -23,12 +20,12 @@ export const validateMembership = async (req: Request, res: Response) => {
  });

  if (!membership) {
-    throw new Error('Failed to validate membership');
+    throw new Error("Failed to validate membership");
  }

-	return res.status(200).send({
-		message: 'Workspace membership confirmed'
-	});
+  return res.status(200).send({
+    message: "Workspace membership confirmed"
+  });
 };

 /**
@ -43,12 +40,10 @@ export const deleteMembership = async (req: Request, res: Response) => {
  // check if membership to delete exists
  const membershipToDelete = await Membership.findOne({
    _id: membershipId
-  }).populate('user');
+  }).populate("user");

  if (!membershipToDelete) {
-    throw new Error(
-      "Failed to delete workspace membership that doesn't exist"
-    );
+    throw new Error("Failed to delete workspace membership that doesn't exist");
  }

  // check if user is a member and admin of the workspace
@ -59,12 +54,12 @@ export const deleteMembership = async (req: Request, res: Response) => {
  });

  if (!membership) {
-    throw new Error('Failed to validate workspace membership');
+    throw new Error("Failed to validate workspace membership");
  }

  if (membership.role !== ADMIN) {
    // user is not an admin member of the workspace
-    throw new Error('Insufficient role for deleting workspace membership');
+    throw new Error("Insufficient role for deleting workspace membership");
  }

  // delete workspace membership
@ -72,9 +67,9 @@ export const deleteMembership = async (req: Request, res: Response) => {
    membershipId: membershipToDelete._id.toString()
  });

-	return res.status(200).send({
-		deletedMembership
-	});
+  return res.status(200).send({
+    deletedMembership
+  });
 };

 /**
@ -88,7 +83,7 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  const { role } = req.body;

  if (![ADMIN, MEMBER].includes(role)) {
-    throw new Error('Failed to validate role');
+    throw new Error("Failed to validate role");
  }

  // validate target membership
@ -97,7 +92,7 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  });

  if (!membershipToChangeRole) {
-    throw new Error('Failed to find membership to change role');
+    throw new Error("Failed to find membership to change role");
  }

  // check if user is a member and admin of target membership's
@ -108,20 +103,20 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  });

  if (!membership) {
-    throw new Error('Failed to validate membership');
+    throw new Error("Failed to validate membership");
  }

  if (membership.role !== ADMIN) {
    // user is not an admin member of the workspace
-    throw new Error('Insufficient role for changing member roles');
+    throw new Error("Insufficient role for changing member roles");
  }

  membershipToChangeRole.role = role;
  await membershipToChangeRole.save();

-	return res.status(200).send({
-		membership: membershipToChangeRole
-	});
+  return res.status(200).send({
+    membership: membershipToChangeRole
+  });
 };

 /**
@ -136,10 +131,9 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {

  const invitee = await User.findOne({
    email
-  }).select('+publicKey');
+  }).select("+publicKey");

-  if (!invitee || !invitee?.publicKey)
-    throw new Error('Failed to validate invitee');
+  if (!invitee || !invitee?.publicKey) throw new Error("Failed to validate invitee");

  // validate invitee's workspace membership - ensure member isn't
  // already a member of the workspace
@ -148,8 +142,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
    workspace: workspaceId
  });

-  if (inviteeMembership)
-    throw new Error('Failed to add existing member of workspace');
+  if (inviteeMembership) throw new Error("Failed to add existing member of workspace");

  // validate invitee's organization membership - ensure that only
  // (accepted) organization members can be added to the workspace
@ -159,8 +152,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
    status: ACCEPTED
  });

-  if (!membershipOrg)
-    throw new Error("Failed to validate invitee's organization membership");
+  if (!membershipOrg) throw new Error("Failed to validate invitee's organization membership");

  // get latest key
  const latestKey = await Key.findOne({
@ -168,29 +160,29 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
    receiver: req.user._id
  })
    .sort({ createdAt: -1 })
-    .populate('sender', '+publicKey');
+    .populate("sender", "+publicKey");

  // create new workspace membership
-  const m = await new Membership({
+  await new Membership({
    user: invitee._id,
    workspace: workspaceId,
    role: MEMBER
  }).save();

  await sendMail({
-    template: 'workspaceInvitation.handlebars',
-    subjectLine: 'Infisical workspace invitation',
+    template: "workspaceInvitation.handlebars",
+    subjectLine: "Infisical workspace invitation",
    recipients: [invitee.email],
    substitutions: {
      inviterFirstName: req.user.firstName,
      inviterEmail: req.user.email,
      workspaceName: req.membership.workspace.name,
-      callback_url: (await getSiteURL()) + '/login'
+      callback_url: (await getSiteURL()) + "/login"
    }
  });

-	return res.status(200).send({
-		invitee,
-		latestKey
-	});
+  return res.status(200).send({
+    invitee,
+    latestKey
+  });
 };
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,15 +1,28 @@
-import { Types } from 'mongoose';
-import { Request, Response } from 'express';
-import { MembershipOrg, Organization, User } from '../../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { createToken } from '../../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELicenseService } from '../../ee/services';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
-import { validateUserEmail } from '../../validation';
+import { Types } from "mongoose";
+import { Request, Response } from "express";
+import { MembershipOrg, Organization, User } from "../../models";
+import { SSOConfig } from "../../ee/models";
+import { deleteMembershipOrg as deleteMemberFromOrg } from "../../helpers/membershipOrg";
+import { createToken } from "../../helpers/auth";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELicenseService } from "../../ee/services";
+import {
+  ACCEPTED,
+  ADMIN,
+  INVITED,
+  MEMBER,
+  OWNER,
+  TOKEN_EMAIL_ORG_INVITATION
+} from "../../variables";
+import {
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSiteURL,
+  getSmtpConfigured
+} from "../../config";
+import { validateUserEmail } from "../../validation";

 /**
 * Delete organization membership with id [membershipOrgId] from organization
@ -17,18 +30,16 @@ import { validateUserEmail } from '../../validation';
 * @param res
 * @returns
 */
-export const deleteMembershipOrg = async (req: Request, res: Response) => {
+export const deleteMembershipOrg = async (req: Request, _res: Response) => {
  const { membershipOrgId } = req.params;

  // check if organization membership to delete exists
  const membershipOrgToDelete = await MembershipOrg.findOne({
    _id: membershipOrgId
-  }).populate('user');
+  }).populate("user");

  if (!membershipOrgToDelete) {
-    throw new Error(
-      "Failed to delete organization membership that doesn't exist"
-    );
+    throw new Error("Failed to delete organization membership that doesn't exist");
  }

  // check if user is a member and admin of the organization
@ -39,16 +50,16 @@ export const deleteMembershipOrg = async (req: Request, res: Response) => {
  });

  if (!membershipOrg) {
-    throw new Error('Failed to validate organization membership');
+    throw new Error("Failed to validate organization membership");
  }

  if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
    // user is not an admin member of the organization
-    throw new Error('Insufficient role for deleting organization membership');
+    throw new Error("Insufficient role for deleting organization membership");
  }

  // delete organization membership
-  const deletedMembershipOrg = await deleteMemberFromOrg({
+  await deleteMemberFromOrg({
    membershipOrgId: membershipOrgToDelete._id.toString()
  });

@ -56,7 +67,7 @@ export const deleteMembershipOrg = async (req: Request, res: Response) => {
    organizationId: membershipOrg.organization.toString()
  });

-	return membershipOrgToDelete;
+  return membershipOrgToDelete;
 };

 /**
@ -66,14 +77,14 @@ export const deleteMembershipOrg = async (req: Request, res: Response) => {
 * @returns
 */
 export const changeMembershipOrgRole = async (req: Request, res: Response) => {
-	// change role for (target) organization membership with id
-	// [membershipOrgId]
+  // change role for (target) organization membership with id
+  // [membershipOrgId]

-	let membershipToChangeRole;
+  let membershipToChangeRole;

-	return res.status(200).send({
-		membershipOrg: membershipToChangeRole
-	});
+  return res.status(200).send({
+    membershipOrg: membershipToChangeRole
+  });
 };

 /**
@ -84,7 +95,7 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 * @returns
 */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg, completeInviteLink;
+  let inviteeMembershipOrg, completeInviteLink;
  const { organizationId, inviteeEmail } = req.body;
  const host = req.headers.host;
  const siteUrl = `${req.protocol}://${host}`;
@ -96,25 +107,38 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  });

  if (!membershipOrg) {
-    throw new Error('Failed to validate organization membership');
+    throw new Error("Failed to validate organization membership");
  }
+
+  const plan = await EELicenseService.getPlan(organizationId);
  
-  const plan = await EELicenseService.getOrganizationPlan(organizationId);
-  
+  const ssoConfig = await SSOConfig.findOne({
+    organization: new Types.ObjectId(organizationId)
+  });
+
+  if (ssoConfig && ssoConfig.isActive) {
+    // case: SAML SSO is enabled for the organization
+    return res.status(400).send({
+      message:
+        "Failed to invite member due to SAML SSO configured for organization"
+    }); 
+  }
+
  if (plan.memberLimit !== null) {
    // case: limit imposed on number of members allowed
-    
+
    if (plan.membersUsed >= plan.memberLimit) {
      // case: number of members used exceeds the number of members allowed
      return res.status(400).send({
-        message: 'Failed to invite member due to member limit reached. Upgrade plan to invite more members.'
+        message:
+          "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
      });
    }
  }

-  invitee = await User.findOne({
+  const invitee = await User.findOne({
    email: inviteeEmail
-  }).select('+publicKey');
+  }).select("+publicKey");

  if (invitee) {
    // case: invitee is an existing user
@ -125,13 +149,10 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
    });

    if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
-      throw new Error(
-        'Failed to invite an existing member of the organization'
-      );
+      throw new Error("Failed to invite an existing member of the organization");
    }

    if (!inviteeMembershipOrg) {
-      
      await new MembershipOrg({
        user: invitee,
        inviteEmail: inviteeEmail,
@ -149,7 +170,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {

    if (!inviteeMembershipOrg) {
      // case: invitee has never been invited before
-      
+
      // validate that email is not disposable
      validateUserEmail(inviteeEmail);

@ -165,7 +186,6 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  const organization = await Organization.findOne({ _id: organizationId });

  if (organization) {
-
    const token = await TokenService.createToken({
      type: TOKEN_EMAIL_ORG_INVITATION,
      email: inviteeEmail,
@ -173,8 +193,8 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
    });

    await sendMail({
-      template: 'organizationInvitation.handlebars',
-      subjectLine: 'Infisical organization invitation',
+      template: "organizationInvitation.handlebars",
+      subjectLine: "Infisical organization invitation",
      recipients: [inviteeEmail],
      substitutions: {
        inviterFirstName: req.user.firstName,
@ -183,21 +203,23 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
        email: inviteeEmail,
        organizationId: organization._id.toString(),
        token,
-        callback_url: (await getSiteURL()) + '/signupinvite'
+        callback_url: (await getSiteURL()) + "/signupinvite"
      }
    });

    if (!(await getSmtpConfigured())) {
-      completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
+      completeInviteLink = `${
+        siteUrl + "/signupinvite"
+      }?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`;
    }
  }

  await updateSubscriptionOrgQuantity({ organizationId });

-	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`,
-		completeInviteLink
-	});
+  return res.status(200).send({
+    message: `Sent an invite link to ${req.body.inviteeEmail}`,
+    completeInviteLink
+  });
 };

 /**
@ -208,14 +230,10 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 * @returns
 */
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
-	let user;
-  const {
-    email,
-    organizationId,
-    code
-  } = req.body;
+  let user;
+  const { email, organizationId, code } = req.body;

-  user = await User.findOne({ email }).select('+publicKey');
+  user = await User.findOne({ email }).select("+publicKey");

  const membershipOrg = await MembershipOrg.findOne({
    inviteEmail: email,
@ -223,8 +241,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
    organization: new Types.ObjectId(organizationId)
  });

-  if (!membershipOrg)
-    throw new Error('Failed to find any invitations for email');
+  if (!membershipOrg) throw new Error("Failed to find any invitations for email");

  await TokenService.validateToken({
    type: TOKEN_EMAIL_ORG_INVITATION,
@ -238,14 +255,14 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
    // membership can be approved and redirected to login/dashboard
    membershipOrg.status = ACCEPTED;
    await membershipOrg.save();
-    
+
    await updateSubscriptionOrgQuantity({
      organizationId
    });

    return res.status(200).send({
-      message: 'Successfully verified email',
-      user,
+      message: "Successfully verified email",
+      user
    });
  }

@ -265,9 +282,9 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
    secret: await getJwtSignupSecret()
  });

-	return res.status(200).send({
-		message: 'Successfully verified email',
-		user,
-		token
-	});
+  return res.status(200).send({
+    message: "Successfully verified email",
+    user,
+    token
+  });
 };
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -1,28 +1,27 @@
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
+import { Request, Response } from "express";
 import {
+	IncidentContactOrg,
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg
-} from '../../models';
-import { createOrganization as create } from '../../helpers/organization';
-import { addMembershipsOrg } from '../../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
-import { getStripeSecretKey, getSiteURL } from '../../config';
+} from "../../models";
+import { createOrganization as create } from "../../helpers/organization";
+import { addMembershipsOrg } from "../../helpers/membershipOrg";
+import { ACCEPTED, OWNER } from "../../variables";
+import { getLicenseServerUrl, getSiteURL } from "../../config";
+import { licenseServerKeyRequest } from "../../config/request";

 export const getOrganizations = async (req: Request, res: Response) => {
  const organizations = (
    await MembershipOrg.find({
      user: req.user._id,
-      status: ACCEPTED
-    }).populate('organization')
+      status: ACCEPTED,
+    }).populate("organization")
  ).map((m) => m.organization);

 	return res.status(200).send({
-		organizations
+		organizations,
 	});
 };

@ -37,24 +36,24 @@ export const createOrganization = async (req: Request, res: Response) => {
  const { organizationName } = req.body;

  if (organizationName.length < 1) {
-    throw new Error('Organization names must be at least 1-character long');
+    throw new Error("Organization names must be at least 1-character long");
  }

  // create organization and add user as member
  const organization = await create({
    email: req.user.email,
-    name: organizationName
+    name: organizationName,
  });

  await addMembershipsOrg({
    userIds: [req.user._id.toString()],
    organizationId: organization._id.toString(),
    roles: [OWNER],
-    statuses: [ACCEPTED]
+    statuses: [ACCEPTED],
  });

 	return res.status(200).send({
-		organization
+		organization,
 	});
 };

@ -67,7 +66,7 @@ export const createOrganization = async (req: Request, res: Response) => {
 export const getOrganization = async (req: Request, res: Response) => {
 	const organization = req.organization
 	return res.status(200).send({
-		organization
+		organization,
 	});
 };

@ -81,11 +80,11 @@ export const getOrganizationMembers = async (req: Request, res: Response) => {
  const { organizationId } = req.params;

  const users = await MembershipOrg.find({
-    organization: organizationId
-  }).populate('user', '+publicKey');
+    organization: organizationId,
+  }).populate("user", "+publicKey");

 	return res.status(200).send({
-		users
+		users,
 	});
 };

@ -105,23 +104,23 @@ export const getOrganizationWorkspaces = async (
    (
      await Workspace.find(
        {
-          organization: organizationId
+          organization: organizationId,
        },
-        '_id'
+        "_id"
      )
    ).map((w) => w._id.toString())
  );

  const workspaces = (
    await Membership.find({
-      user: req.user._id
-    }).populate('workspace')
+      user: req.user._id,
+    }).populate("workspace")
  )
    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
    .map((m) => m.workspace);

 	return res.status(200).send({
-		workspaces
+		workspaces,
 	});
 };

@ -137,19 +136,19 @@ export const changeOrganizationName = async (req: Request, res: Response) => {

  const organization = await Organization.findOneAndUpdate(
    {
-      _id: organizationId
+      _id: organizationId,
    },
    {
-      name
+      name,
    },
    {
-      new: true
+      new: true,
    }
  );

 	return res.status(200).send({
-		message: 'Successfully changed organization name',
-		organization
+		message: "Successfully changed organization name",
+		organization,
 	});
 };

@ -166,11 +165,11 @@ export const getOrganizationIncidentContacts = async (
  const { organizationId } = req.params;

  const incidentContactsOrg = await IncidentContactOrg.find({
-    organization: organizationId
+    organization: organizationId,
  });

 	return res.status(200).send({
-		incidentContactsOrg
+		incidentContactsOrg,
 	});
 };

@ -194,7 +193,7 @@ export const addOrganizationIncidentContact = async (
  );

 	return res.status(200).send({
-		incidentContactOrg
+		incidentContactOrg,
 	});
 };

@ -213,17 +212,17 @@ export const deleteOrganizationIncidentContact = async (

  const incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
    email,
-    organization: organizationId
+    organization: organizationId,
  });

 	return res.status(200).send({
-		message: 'Successfully deleted organization incident contact',
-		incidentContactOrg
+		message: "Successfully deleted organization incident contact",
+		incidentContactOrg,
 	});
 };

 /**
- * Redirect user to (stripe) billing portal or add card page depending on
+ * Redirect user to billing portal or add card page depending on
 * if there is a card on file
 * @param req
 * @param res
@ -233,34 +232,32 @@ export const createOrganizationPortalSession = async (
 	req: Request,
 	res: Response
 ) => {
-	let session;
-  const stripe = new Stripe(await getStripeSecretKey(), {
-    apiVersion: '2022-08-01'
-  });
-
-  // check if there is a payment method on file
-  const paymentMethods = await stripe.paymentMethods.list({
-    customer: req.organization.customerId,
-    type: 'card'
-  });
+  const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+  );
  
-  if (paymentMethods.data.length < 1) {
-    // case: no payment method on file
-    session = await stripe.checkout.sessions.create({
-      customer: req.organization.customerId,
-      mode: 'setup',
-      payment_method_types: ['card'],
-      success_url: (await getSiteURL()) + '/dashboard',
-      cancel_url: (await getSiteURL()) + '/dashboard'
-    });
+  if (pmtMethods.length < 1) {
+    // case: organization has no payment method on file
+    // -> redirect to add payment method portal 
+    const { data: { url } } = await licenseServerKeyRequest.post(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+      {
+        success_url: (await getSiteURL()) + "/dashboard",
+        cancel_url: (await getSiteURL()) + "/dashboard"
+      }
+    );
+    return res.status(200).send({ url });
  } else {
-    session = await stripe.billingPortal.sessions.create({
-      customer: req.organization.customerId,
-      return_url: (await getSiteURL()) + '/dashboard'
-    });
+    // case: organization has payment method on file
+    // -> redirect to billing portal
+    const { data: { url } } = await licenseServerKeyRequest.post(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/billing-portal`,
+      {
+        return_url: (await getSiteURL()) + "/dashboard"
+      }
+    );
+    return res.status(200).send({ url });
  }
-
-  return res.status(200).send({ url: session.url });
 };

 /**
@ -273,16 +270,8 @@ export const getOrganizationSubscriptions = async (
 	req: Request,
 	res: Response
 ) => {
-  const stripe = new Stripe(await getStripeSecretKey(), {
-    apiVersion: '2022-08-01'
-  });
-  
-  const subscriptions = await stripe.subscriptions.list({
-    customer: req.organization.customerId
-  });
-
 	return res.status(200).send({
-		subscriptions
+		subscriptions: []
 	});
 };

@ -302,16 +291,16 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	const workspacesSet = (
 			await Workspace.find(
 				{
-					organization: organizationId
+					organization: organizationId,
 				},
-				'_id'
+				"_id"
 			)
 		).map((w) => w._id.toString());

 	const memberships = (
 		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
+			workspace: { $in: workspacesSet },
+		}).populate("workspace")
 	);
 	const userToWorkspaceIds: any = {};

--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -1,85 +1,77 @@
-import { Request, Response } from 'express';
+import { Request, Response } from "express";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
-import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
+const jsrp = require("jsrp");
+import * as bigintConversion from "bigint-conversion";
+import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
+import { clearTokens, createToken, sendMail } from "../../helpers";
+import { TokenService } from "../../services";
+import { AUTH_MODE_JWT, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { BadRequestError } from "../../utils/errors";
 import {
-	createToken,
-	sendMail,
-	clearTokens
-} from '../../helpers';
-import { TokenService } from '../../services';
-import { 
-	TOKEN_EMAIL_PASSWORD_RESET,
-	AUTH_MODE_JWT
-} from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { 
-	getSiteURL, 
-	getJwtSignupLifetime, 
-	getJwtSignupSecret,
-	getHttpsEnabled
-} from '../../config';
+  getHttpsEnabled,
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSiteURL
+} from "../../config";

 /**
- * Password reset step 1: Send email verification link to email [email] 
+ * Password reset step 1: Send email verification link to email [email]
 * for account recovery.
 * @param req
 * @param res
 * @returns
 */
 export const emailPasswordReset = async (req: Request, res: Response) => {
-	let email: string;
-  email = req.body.email;
+  const email: string = req.body.email;

-  const user = await User.findOne({ email }).select('+publicKey');
+  const user = await User.findOne({ email }).select("+publicKey");
  if (!user || !user?.publicKey) {
    // case: user has already completed account

-    return res.status(403).send({
+    return res.status(200).send({
      message: "If an account exists with this email, a password reset link has been sent"
    });
  }
-  
+
  const token = await TokenService.createToken({
    type: TOKEN_EMAIL_PASSWORD_RESET,
    email
  });
-  
+
  await sendMail({
-    template: 'passwordReset.handlebars',
-    subjectLine: 'Infisical password reset',
+    template: "passwordReset.handlebars",
+    subjectLine: "Infisical password reset",
    recipients: [email],
    substitutions: {
      email,
      token,
-      callback_url: (await getSiteURL()) + '/password-reset'
+      callback_url: (await getSiteURL()) + "/password-reset"
    }
  });

-	return res.status(200).send({
-		message:"If an account exists with this email, a password reset link has been sent" 
-	});
-}
+  return res.status(200).send({
+    message: "If an account exists with this email, a password reset link has been sent"
+  });
+};

 /**
 * Password reset step 2: Verify email verification link sent to email [email]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  const { email, code } = req.body;

-  const user = await User.findOne({ email }).select('+publicKey');
+  const user = await User.findOne({ email }).select("+publicKey");
  if (!user || !user?.publicKey) {
-    // case: user doesn't exist with email [email] or 
+    // case: user doesn't exist with email [email] or
    // hasn't even completed their account
    return res.status(403).send({
-      error: 'Failed email verification for password reset'
+      error: "Failed email verification for password reset"
    });
  }
-  
+
  await TokenService.validateToken({
    type: TOKEN_EMAIL_PASSWORD_RESET,
    email,
@ -95,12 +87,12 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
    secret: await getJwtSignupSecret()
  });

-	return res.status(200).send({
-		message: 'Successfully verified email',
-		user,
-		token
-	});
-}
+  return res.status(200).send({
+    message: "Successfully verified email",
+    user,
+    token
+  });
+};

 /**
 * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
@ -109,14 +101,14 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 * @returns
 */
 export const srp1 = async (req: Request, res: Response) => {
-	// return salt, serverPublicKey as part of first step of SRP protocol
-	
+  // return salt, serverPublicKey as part of first step of SRP protocol
+
  const { clientPublicKey } = req.body;
  const user = await User.findOne({
    email: req.user.email
-  }).select('+salt +verifier');
+  }).select("+salt +verifier");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

  const server = new jsrp.server();
  server.init(
@ -128,11 +120,15 @@ export const srp1 = async (req: Request, res: Response) => {
      // generate server-side public key
      const serverPublicKey = server.getPublicKey();

-      await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-        email: req.user.email,
-        clientPublicKey: clientPublicKey,
-        serverBInt: bigintConversion.bigintToBuf(server.bInt),
-      }, { upsert: true, returnNewDocument: false })
+      await LoginSRPDetail.findOneAndReplace(
+        { email: req.user.email },
+        {
+          email: req.user.email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        },
+        { upsert: true, returnNewDocument: false }
+      );

      return res.status(200).send({
        serverPublicKey,
@ -140,8 +136,7 @@ export const srp1 = async (req: Request, res: Response) => {
      });
    }
  );
-}
-
+};

 /**
 * Change account SRP authentication information for user
@ -152,8 +147,8 @@ export const srp1 = async (req: Request, res: Response) => {
 * @returns
 */
 export const changePassword = async (req: Request, res: Response) => {
-  const { 
-    clientProof, 
+  const {
+    clientProof,
    protectedKey,
    protectedKeyIV,
    protectedKeyTag,
@ -166,14 +161,18 @@ export const changePassword = async (req: Request, res: Response) => {

  const user = await User.findOne({
    email: req.user.email
-  }).select('+salt +verifier');
+  }).select("+salt +verifier");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

-  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });

  if (!loginSRPDetailFromDB) {
-    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    return BadRequestError(
+      Error(
+        "It looks like some details from the first login are not found. Please try login one again"
+      )
+    );
  }

  const server = new jsrp.server();
@ -207,27 +206,31 @@ export const changePassword = async (req: Request, res: Response) => {
            new: true
          }
        );
-      
-        if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
-          await clearTokens(req.authData.tokenVersionId)
+
+        if (
+          req.authData.authMode === AUTH_MODE_JWT &&
+          req.authData.authPayload instanceof User &&
+          req.authData.tokenVersionId
+        ) {
+          await clearTokens(req.authData.tokenVersionId);
        }

        // clear httpOnly cookie
-        
-        res.cookie('jid', '', {
+
+        res.cookie("jid", "", {
          httpOnly: true,
-          path: '/',
-          sameSite: 'strict',
+          path: "/",
+          sameSite: "strict",
          secure: (await getHttpsEnabled()) as boolean
        });

        return res.status(200).send({
-          message: 'Successfully changed password'
+          message: "Successfully changed password"
        });
      }

      return res.status(400).send({
-        error: 'Failed to change password. Try again?'
+        error: "Failed to change password. Try again?"
      });
    }
  );
@ -240,22 +243,25 @@ export const changePassword = async (req: Request, res: Response) => {
 * @returns
 */
 export const createBackupPrivateKey = async (req: Request, res: Response) => {
-	// create/change backup private key
-	// requires verifying [clientProof] as part of second step of SRP protocol
-	// as initiated in /srp1
+  // create/change backup private key
+  // requires verifying [clientProof] as part of second step of SRP protocol
+  // as initiated in /srp1

-  const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-    req.body;
+  const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } = req.body;
  const user = await User.findOne({
    email: req.user.email
-  }).select('+salt +verifier');
+  }).select("+salt +verifier");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

-  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });

  if (!loginSRPDetailFromDB) {
-    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    return BadRequestError(
+      Error(
+        "It looks like some details from the first login are not found. Please try login one again"
+      )
+    );
  }

  const server = new jsrp.server();
@ -266,9 +272,7 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
      b: loginSRPDetailFromDB.serverBInt
    },
    async () => {
-      server.setClientPublicKey(
-        loginSRPDetailFromDB.clientPublicKey
-      );
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);

      // compare server and client shared keys
      if (server.checkClientProof(clientProof)) {
@ -285,17 +289,17 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
            verifier
          },
          { upsert: true, new: true }
-        ).select('+user, encryptedPrivateKey');
+        ).select("+user, encryptedPrivateKey");

        // issue tokens
        return res.status(200).send({
-          message: 'Successfully updated backup private key',
+          message: "Successfully updated backup private key",
          backupPrivateKey
        });
      }

      return res.status(400).send({
-        message: 'Failed to update backup private key'
+        message: "Failed to update backup private key"
      });
    }
  );
@ -303,21 +307,21 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {

 /**
 * Return backup private key for user
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getBackupPrivateKey = async (req: Request, res: Response) => {
  const backupPrivateKey = await BackupPrivateKey.findOne({
    user: req.user._id
-  }).select('+encryptedPrivateKey +iv +tag');
+  }).select("+encryptedPrivateKey +iv +tag");

-  if (!backupPrivateKey) throw new Error('Failed to find backup private key');
+  if (!backupPrivateKey) throw new Error("Failed to find backup private key");

-	return res.status(200).send({
-		backupPrivateKey
-	});
-}
+  return res.status(200).send({
+    backupPrivateKey
+  });
+};

 export const resetPassword = async (req: Request, res: Response) => {
  const {
@ -328,7 +332,7 @@ export const resetPassword = async (req: Request, res: Response) => {
    encryptedPrivateKeyIV,
    encryptedPrivateKeyTag,
    salt,
-    verifier,
+    verifier
  } = req.body;

  await User.findByIdAndUpdate(
@ -337,7 +341,7 @@ export const resetPassword = async (req: Request, res: Response) => {
      encryptionVersion: 2,
      protectedKey,
      protectedKeyIV,
-      protectedKeyTag,	
+      protectedKeyTag,
      encryptedPrivateKey,
      iv: encryptedPrivateKeyIV,
      tag: encryptedPrivateKeyTag,
@ -349,7 +353,7 @@ export const resetPassword = async (req: Request, res: Response) => {
    }
  );

-	return res.status(200).send({
-		message: 'Successfully reset password'
-	});
-}
+  return res.status(200).send({
+    message: "Successfully reset password"
+  });
+};
--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -1,30 +1,30 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { Key, Secret } from '../../models';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Key } from "../../models";
 import {
-	v1PushSecrets as push,
-	pullSecrets as pull,
-	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { eventPushSecrets } from '../../events';
-import { EventService } from '../../services';
-import { TelemetryService } from '../../services';
+  pullSecrets as pull,
+  v1PushSecrets as push,
+  reformatPullSecrets
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { eventPushSecrets } from "../../events";
+import { EventService } from "../../services";
+import { TelemetryService } from "../../services";

 interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	ciphertextComment: string;
-	ivComment: string;
-	tagComment: string;
-	hashComment: string;
-	type: 'shared' | 'personal';
+  ciphertextKey: string;
+  ivKey: string;
+  tagKey: string;
+  hashKey: string;
+  ciphertextValue: string;
+  ivValue: string;
+  tagValue: string;
+  hashValue: string;
+  ciphertextComment: string;
+  ivComment: string;
+  tagComment: string;
+  hashComment: string;
+  type: "shared" | "personal";
 }

 /**
@ -35,7 +35,7 @@ interface PushSecret {
 * @returns
 */
 export const pushSecrets = async (req: Request, res: Response) => {
-	// upload (encrypted) secrets to workspace with id [workspaceId]
+  // upload (encrypted) secrets to workspace with id [workspaceId]
  const postHogClient = await TelemetryService.getPostHogClient();
  let { secrets }: { secrets: PushSecret[] } = req.body;
  const { keys, environment, channel } = req.body;
@ -44,13 +44,11 @@ export const pushSecrets = async (req: Request, res: Response) => {
  // validate environment
  const workspaceEnvs = req.membership.workspace.environments;
  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
  }

  // sanitize secrets
-  secrets = secrets.filter(
-    (s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
-  );
+  secrets = secrets.filter((s: PushSecret) => s.ciphertextKey !== "" && s.ciphertextValue !== "");

  await push({
    userId: req.user._id,
@ -64,17 +62,16 @@ export const pushSecrets = async (req: Request, res: Response) => {
    workspaceId,
    keys
  });
-  
-  
+
  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets pushed',
+      event: "secrets pushed",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: secrets.length,
        environment,
        workspaceId,
-        channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
      }
    });
  }
@ -83,13 +80,14 @@ export const pushSecrets = async (req: Request, res: Response) => {
  EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
-      environment
+      environment,
+      secretPath: "/"
    })
  });

-	return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
-	});
+  return res.status(200).send({
+    message: "Successfully uploaded workspace secrets"
+  });
 };

 /**
@ -100,57 +98,56 @@ export const pushSecrets = async (req: Request, res: Response) => {
 * @returns
 */
 export const pullSecrets = async (req: Request, res: Response) => {
-	let secrets;
-	let key;
+  let secrets;

-	const postHogClient = await TelemetryService.getPostHogClient();
-	const environment: string = req.query.environment as string;
-	const channel: string = req.query.channel as string;
-	const { workspaceId } = req.params;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;

-	// validate environment
-	const workspaceEnvs = req.membership.workspace.environments;
-	if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-		throw new Error('Failed to validate environment');
-	}
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }

-	secrets = await pull({
-		userId: req.user._id.toString(),
-		workspaceId,
-		environment,
-		channel: channel ? channel : 'cli',
-		ipAddress: req.realIP
-	});
+  secrets = await pull({
+    userId: req.user._id.toString(),
+    workspaceId,
+    environment,
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
+  });

-	key = await Key.findOne({
-		workspace: workspaceId,
-		receiver: req.user._id
-	})
-		.sort({ createdAt: -1 })
-		.populate('sender', '+publicKey');
-	
-	if (channel !== 'cli') {
-		secrets = reformatPullSecrets({ secrets });
-	}
+  const key = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id
+  })
+    .sort({ createdAt: -1 })
+    .populate("sender", "+publicKey");

-	if (postHogClient) {
-		// capture secrets pushed event in production
-		postHogClient.capture({
-			distinctId: req.user.email,
-			event: 'secrets pulled',
-			properties: {
-				numberOfSecrets: secrets.length,
-				environment,
-				workspaceId,
-				channel: channel ? channel : 'cli'
-			}
-		});
-	}
+  if (channel !== "cli") {
+    secrets = reformatPullSecrets({ secrets });
+  }

-	return res.status(200).send({
-		secrets,
-		key
-	});
+  if (postHogClient) {
+    // capture secrets pushed event in production
+    postHogClient.capture({
+      distinctId: req.user.email,
+      event: "secrets pulled",
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }
+
+  return res.status(200).send({
+    secrets,
+    key
+  });
 };

 /**
@ -162,54 +159,51 @@ export const pullSecrets = async (req: Request, res: Response) => {
 * @returns
 */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
-	let secrets;
-	let key;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;

-	const postHogClient = await TelemetryService.getPostHogClient();
-	const environment: string = req.query.environment as string;
-	const channel: string = req.query.channel as string;
-	const { workspaceId } = req.params;
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }

-	// validate environment
-	const workspaceEnvs = req.membership.workspace.environments;
-	if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-		throw new Error('Failed to validate environment');
-	}
+  const secrets = await pull({
+    userId: req.serviceToken.user._id.toString(),
+    workspaceId,
+    environment,
+    channel: "cli",
+    ipAddress: req.realIP
+  });

-	secrets = await pull({
-		userId: req.serviceToken.user._id.toString(),
-		workspaceId,
-		environment,
-		channel: 'cli',
-		ipAddress: req.realIP
-	});
+  const key = {
+    encryptedKey: req.serviceToken.encryptedKey,
+    nonce: req.serviceToken.nonce,
+    sender: {
+      publicKey: req.serviceToken.publicKey
+    },
+    receiver: req.serviceToken.user,
+    workspace: req.serviceToken.workspace
+  };

-	key = {
-		encryptedKey: req.serviceToken.encryptedKey,
-		nonce: req.serviceToken.nonce,
-		sender: {
-			publicKey: req.serviceToken.publicKey
-		},
-		receiver: req.serviceToken.user,
-		workspace: req.serviceToken.workspace
-	};
+  if (postHogClient) {
+    // capture secrets pulled event in production
+    postHogClient.capture({
+      distinctId: req.serviceToken.user.email,
+      event: "secrets pulled",
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }

-	if (postHogClient) {
-		// capture secrets pulled event in production
-		postHogClient.capture({
-			distinctId: req.serviceToken.user.email,
-			event: 'secrets pulled',
-			properties: {
-				numberOfSecrets: secrets.length,
-				environment,
-				workspaceId,
-				channel: channel ? channel : 'cli'
-			}
-		});
-	}
-
-	return res.status(200).send({
-		secrets: reformatPullSecrets({ secrets }),
-		key
-	});
+  return res.status(200).send({
+    secrets: reformatPullSecrets({ secrets }),
+    key
+  });
 };
--- a/backend/src/controllers/v1/secretImportController.ts
+++ b/backend/src/controllers/v1/secretImportController.ts
@ -0,0 +1,117 @@
+import { Request, Response } from "express";
+import { validateMembership } from "../../helpers";
+import SecretImport from "../../models/secretImports";
+import { getAllImportedSecrets } from "../../services/SecretImportService";
+import { BadRequestError } from "../../utils/errors";
+import { ADMIN, MEMBER } from "../../variables";
+
+export const createSecretImport = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId, secretImport } = req.body;
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    const doc = new SecretImport({
+      workspace: workspaceId,
+      environment,
+      folderId,
+      imports: [{ environment: secretImport.environment, secretPath: secretImport.secretPath }]
+    });
+    await doc.save();
+    return res.status(200).json({ message: "successfully created secret import" });
+  }
+
+  const doesImportExist = importSecDoc.imports.find(
+    (el) => el.environment === secretImport.environment && el.secretPath === secretImport.secretPath
+  );
+  if (doesImportExist) {
+    throw BadRequestError({ message: "Secret import already exist" });
+  }
+
+  importSecDoc.imports.push({
+    environment: secretImport.environment,
+    secretPath: secretImport.secretPath
+  });
+  await importSecDoc.save();
+  return res.status(200).json({ message: "successfully created secret import" });
+};
+
+// to keep the ordering, you must pass all the imports in here not the only updated one
+// this is because the order decide which import gets overriden
+export const updateSecretImport = async (req: Request, res: Response) => {
+  const { id } = req.params;
+  const { secretImports } = req.body;
+  const importSecDoc = await SecretImport.findById(id);
+  if (!importSecDoc) {
+    throw BadRequestError({ message: "Import not found" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: importSecDoc.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  importSecDoc.imports = secretImports;
+  await importSecDoc.save();
+  return res.status(200).json({ message: "successfully updated secret import" });
+};
+
+export const deleteSecretImport = async (req: Request, res: Response) => {
+  const { id } = req.params;
+  const { secretImportEnv, secretImportPath } = req.body;
+  const importSecDoc = await SecretImport.findById(id);
+  if (!importSecDoc) {
+    throw BadRequestError({ message: "Import not found" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: importSecDoc.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+  importSecDoc.imports = importSecDoc.imports.filter(
+    ({ environment, secretPath }) =>
+      !(environment === secretImportEnv && secretPath === secretImportPath)
+  );
+  await importSecDoc.save();
+  return res.status(200).json({ message: "successfully delete secret import" });
+};
+
+export const getSecretImports = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId } = req.query;
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    return res.status(200).json({ secretImport: {} });
+  }
+
+  return res.status(200).json({ secretImport: importSecDoc });
+};
+
+export const getAllSecretsFromImport = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId } = req.query as {
+    workspaceId: string;
+    environment: string;
+    folderId: string;
+  };
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    return res.status(200).json({ secrets: {} });
+  }
+
+  const secrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+  return res.status(200).json({ secrets });
+};
--- a/backend/src/controllers/v1/secretScanningController.ts
+++ b/backend/src/controllers/v1/secretScanningController.ts
@ -0,0 +1,91 @@
+import { Request, Response } from "express";
+import GitAppInstallationSession from "../../models/gitAppInstallationSession";
+import crypto from "crypto";
+import { Types } from "mongoose";
+import { UnauthorizedRequestError } from "../../utils/errors";
+import GitAppOrganizationInstallation from "../../models/gitAppOrganizationInstallation";
+import { MembershipOrg } from "../../models";
+import GitRisks, { STATUS_RESOLVED_FALSE_POSITIVE, STATUS_RESOLVED_NOT_REVOKED, STATUS_RESOLVED_REVOKED } from "../../models/gitRisks";
+
+export const createInstallationSession = async (req: Request, res: Response) => {
+  const sessionId = crypto.randomBytes(16).toString("hex");
+  await GitAppInstallationSession.findByIdAndUpdate(
+    req.organization,
+    {
+      organization: new Types.ObjectId(req.organization),
+      sessionId: sessionId,
+      user: new Types.ObjectId(req.user._id)
+    },
+    { upsert: true }
+  ).lean();
+
+  res.send({
+    sessionId: sessionId
+  })
+}
+
+export const linkInstallationToOrganization = async (req: Request, res: Response) => {
+  const { installationId, sessionId } = req.body
+
+  const installationSession = await GitAppInstallationSession.findOneAndDelete({ sessionId: sessionId })
+  if (!installationSession) {
+    throw UnauthorizedRequestError()
+  }
+
+  const userMembership = await MembershipOrg.find({ user: req.user._id, organization: installationSession.organization })
+  if (!userMembership) {
+    throw UnauthorizedRequestError()
+  }
+
+  const installationLink = await GitAppOrganizationInstallation.findOneAndUpdate({
+    organizationId: installationSession.organization,
+  }, {
+    installationId: installationId,
+    organizationId: installationSession.organization,
+    user: installationSession.user
+  }, {
+    upsert: true
+  }).lean()
+
+  res.json(installationLink)
+}
+
+export const getCurrentOrganizationInstallationStatus = async (req: Request, res: Response) => {
+  const { organizationId } = req.params
+  try {
+    const appInstallation = await GitAppOrganizationInstallation.findOne({ organizationId: organizationId }).lean()
+    if (!appInstallation) {
+      res.json({
+        appInstallationComplete: false
+      })
+    }
+
+    res.json({
+      appInstallationComplete: true
+    })
+  } catch {
+    res.json({
+      appInstallationComplete: false
+    })
+  }
+}
+
+export const getRisksForOrganization = async (req: Request, res: Response) => {
+  const { organizationId } = req.params
+  const risks = await GitRisks.find({ organization: organizationId }).sort({ createdAt: -1 }).lean()
+  res.json({
+    risks: risks
+  })
+}
+
+export const updateRisksStatus = async (req: Request, res: Response) => {
+  const { riskId } = req.params
+  const { status } = req.body
+  const isRiskResolved = status == STATUS_RESOLVED_FALSE_POSITIVE || status == STATUS_RESOLVED_REVOKED || status == STATUS_RESOLVED_NOT_REVOKED ? true : false
+  const risk = await GitRisks.findByIdAndUpdate(riskId, {
+    status: status,
+    isResolved: isRiskResolved
+  }).lean()
+
+  res.json(risk)
+}
--- a/backend/src/controllers/v1/secretsFolderController.ts
+++ b/backend/src/controllers/v1/secretsFolderController.ts
@ -5,12 +5,13 @@ import { BadRequestError } from "../../utils/errors";
 import {
  appendFolder,
  deleteFolderById,
-  getAllFolderIds,
-  searchByFolderIdWithDir,
-  searchByFolderId,
-  validateFolderName,
  generateFolderId,
+  getAllFolderIds,
+  getFolderByPath,
  getParentFromFolderId,
+  searchByFolderId,
+  searchByFolderIdWithDir,
+  validateFolderName,
 } from "../../services/FolderService";
 import { ADMIN, MEMBER } from "../../variables";
 import { validateMembership } from "../../helpers/membership";
@ -177,11 +178,13 @@ export const deleteFolder = async (req: Request, res: Response) => {

 // TODO: validate workspace
 export const getFolders = async (req: Request, res: Response) => {
-  const { workspaceId, environment, parentFolderId } = req.query as {
-    workspaceId: string;
-    environment: string;
-    parentFolderId?: string;
-  };
+  const { workspaceId, environment, parentFolderId, parentFolderPath } =
+    req.query as {
+      workspaceId: string;
+      environment: string;
+      parentFolderId?: string;
+      parentFolderPath?: string;
+    };

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
  if (!folders) {
@ -196,6 +199,20 @@ export const getFolders = async (req: Request, res: Response) => {
    acceptedRoles: [ADMIN, MEMBER],
  });

+  // if instead of parentFolderId given a path like /folder1/folder2
+  if (parentFolderPath) {
+    const folder = getFolderByPath(folders.nodes, parentFolderPath);
+    if (!folder) {
+      res.send({ folders: [], dir: [] });
+      return;
+    }
+    // dir is not needed at present as this is only used in overview section of secrets
+    res.send({
+      folders: folder.children.map(({ id, name }) => ({ id, name })),
+      dir: [{ name: folder.name, id: folder.id }],
+    });
+  }
+
  if (!parentFolderId) {
    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
      id,
--- a/backend/src/controllers/v1/serviceTokenController.ts
+++ b/backend/src/controllers/v1/serviceTokenController.ts
@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { ServiceToken } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { getJwtServiceSecret } from '../../config';
+import { Request, Response } from "express";
+import { ServiceToken } from "../../models";
+import { createToken } from "../../helpers/auth";
+import { getJwtServiceSecret } from "../../config";

 /**
 * Return service token on request
@ -11,7 +11,7 @@ import { getJwtServiceSecret } from '../../config';
 */
 export const getServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		serviceToken: req.serviceToken
+		serviceToken: req.serviceToken,
 	});
 };

@ -31,13 +31,13 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresIn,
 			publicKey,
 			encryptedKey,
-			nonce
+			nonce,
 		} = req.body;

 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
 		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+			throw new Error("Failed to validate environment");
 		}

 		// compute access token expiration date
@ -52,24 +52,24 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresAt,
 			publicKey,
 			encryptedKey,
-			nonce
+			nonce,
 		}).save();

 		token = createToken({
 			payload: {
 				serviceTokenId: serviceToken._id.toString(),
-				workspaceId
+				workspaceId,
 			},
 			expiresIn: expiresIn,
-			secret: await getJwtServiceSecret()
+			secret: await getJwtServiceSecret(),
 		});
 	} catch (err) {
 		return res.status(400).send({
-			message: 'Failed to create service token'
+			message: "Failed to create service token",
 		});
 	}

 	return res.status(200).send({
-		token
+		token,
 	});
 };
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,13 +1,15 @@
-import { Request, Response } from 'express';
-import { User } from '../../models';
+import { Request, Response } from "express";
+import { User } from "../../models";
+import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
+import { createToken } from "../../helpers/auth";
+import { BadRequestError } from "../../utils/errors";
 import {
-	sendEmailVerification,
-	checkEmailVerification,
-} from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { BadRequestError } from '../../utils/errors';
-import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
-import { validateUserEmail } from '../../validation';
+  getInviteOnlySignup,
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSmtpConfigured
+} from "../../config";
+import { validateUserEmail } from "../../validation";

 /**
 * Signup step 1: Initialize account for user under email [email] and send a verification code
@ -17,27 +19,26 @@ import { validateUserEmail } from '../../validation';
 * @returns
 */
 export const beginEmailSignup = async (req: Request, res: Response) => {
-	let email: string;
-  email = req.body.email;
-  
+  const email: string = req.body.email;
+
  // validate that email is not disposable
  validateUserEmail(email);

-  const user = await User.findOne({ email }).select('+publicKey');
+  const user = await User.findOne({ email }).select("+publicKey");
  if (user && user?.publicKey) {
    // case: user has already completed account

    return res.status(403).send({
-      error: 'Failed to send email verification code for complete account'
+      error: "Failed to send email verification code for complete account"
    });
  }

  // send send verification email
  await sendEmailVerification({ email });

-	return res.status(200).send({
-		message: `Sent an email verification code to ${email}`
-	});
+  return res.status(200).send({
+    message: `Sent an email verification code to ${email}`
+  });
 };

 /**
@ -48,23 +49,25 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 * @returns
 */
 export const verifyEmailSignup = async (req: Request, res: Response) => {
-	let user, token;
+  let user;
  const { email, code } = req.body;

  // initialize user account
-  user = await User.findOne({ email }).select('+publicKey');
+  user = await User.findOne({ email }).select("+publicKey");
  if (user && user?.publicKey) {
    // case: user has already completed account
    return res.status(403).send({
-      error: 'Failed email verification for complete user'
+      error: "Failed email verification for complete user"
    });
  }

  if (await getInviteOnlySignup()) {
    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
-    const userCount = await User.countDocuments({})
+    const userCount = await User.countDocuments({});
    if (userCount != 0) {
-      throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+      throw BadRequestError({
+        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
+      });
    }
  }

@ -83,7 +86,7 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
  }

  // generate temporary signup token
-  token = createToken({
+  const token = createToken({
    payload: {
      userId: user._id.toString()
    },
@ -91,9 +94,9 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
    secret: await getJwtSignupSecret()
  });

-	return res.status(200).send({
-		message: 'Successfuly verified email',
-		user,
-		token
-	});
+  return res.status(200).send({
+    message: "Successfuly verified email",
+    user,
+    token
+  });
 };
--- a/backend/src/controllers/v1/stripeController.ts
+++ b/backend/src/controllers/v1/stripeController.ts
@ -1,31 +0,0 @@
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
-
-/**
- * Handle service provisioning/un-provisioning via Stripe
- * @param req
- * @param res
- * @returns
- */
-export const handleWebhook = async (req: Request, res: Response) => {
-  // check request for valid stripe signature
-  const stripe = new Stripe(await getStripeSecretKey(), {
-    apiVersion: '2022-08-01'
-  });
-
-  const sig = req.headers['stripe-signature'] as string;
-  const event = stripe.webhooks.constructEvent(
-    req.body,
-    sig,
-    await getStripeWebhookSecret()
-  );
-
-	switch (event.type) {
-		case '':
-			break;
-		default:
-	}
-
-	return res.json({ received: true });
-};
--- a/backend/src/controllers/v1/userActionController.ts
+++ b/backend/src/controllers/v1/userActionController.ts
@ -1,5 +1,5 @@
-import { Request, Response } from 'express';
-import { UserAction } from '../../models';
+import { Request, Response } from "express";
+import { UserAction } from "../../models";

 /**
 * Add user action [action]
@ -15,18 +15,18 @@ export const addUserAction = async (req: Request, res: Response) => {
  const userAction = await UserAction.findOneAndUpdate(
    {
      user: req.user._id,
-      action
+      action,
    },
    { user: req.user._id, action },
    {
      new: true,
-      upsert: true
+      upsert: true,
    }
  );

 	return res.status(200).send({
-		message: 'Successfully recorded user action',
-		userAction
+		message: "Successfully recorded user action",
+		userAction,
 	});
 };

@ -42,10 +42,10 @@ export const getUserAction = async (req: Request, res: Response) => {

  const userAction = await UserAction.findOne({
    user: req.user._id,
-    action
+    action,
  });

 	return res.status(200).send({
-		userAction
+		userAction,
 	});
 };
--- a/backend/src/controllers/v1/userController.ts
+++ b/backend/src/controllers/v1/userController.ts
@ -1,4 +1,4 @@
-import { Request, Response } from 'express';
+import { Request, Response } from "express";

 /**
 * Return user on request
@ -8,6 +8,6 @@ import { Request, Response } from 'express';
 */
 export const getUser = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		user: req.user
+		user: req.user,
 	});
 };
--- a/backend/src/controllers/v1/webhookController.ts
+++ b/backend/src/controllers/v1/webhookController.ts
@ -0,0 +1,140 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { client, getRootEncryptionKey } from "../../config";
+import { validateMembership } from "../../helpers";
+import Webhook from "../../models/webhooks";
+import { getWebhookPayload, triggerWebhookRequest } from "../../services/WebhookService";
+import { BadRequestError } from "../../utils/errors";
+import { ADMIN, ALGORITHM_AES_256_GCM, ENCODING_SCHEME_BASE64, MEMBER } from "../../variables";
+
+export const createWebhook = async (req: Request, res: Response) => {
+  const { webhookUrl, webhookSecretKey, environment, workspaceId, secretPath } = req.body;
+  const webhook = new Webhook({
+    workspace: workspaceId,
+    environment,
+    secretPath,
+    url: webhookUrl,
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_BASE64
+  });
+
+  if (webhookSecretKey) {
+    const rootEncryptionKey = await getRootEncryptionKey();
+    const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
+    webhook.iv = iv;
+    webhook.tag = tag;
+    webhook.encryptedSecretKey = ciphertext;
+  }
+
+  await webhook.save();
+
+  return res.status(200).send({
+    webhook,
+    message: "successfully created webhook"
+  });
+};
+
+export const updateWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const { isDisabled } = req.body;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  if (typeof isDisabled !== undefined) {
+    webhook.isDisabled = isDisabled;
+  }
+  await webhook.save();
+
+  return res.status(200).send({
+    webhook,
+    message: "successfully updated webhook"
+  });
+};
+
+export const deleteWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+  await webhook.remove();
+
+  return res.status(200).send({
+    message: "successfully removed webhook"
+  });
+};
+
+export const testWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  try {
+    await triggerWebhookRequest(
+      webhook,
+      getWebhookPayload(
+        "test",
+        webhook.workspace.toString(),
+        webhook.environment,
+        webhook.secretPath
+      )
+    );
+    await Webhook.findByIdAndUpdate(webhookId, {
+      lastStatus: "success",
+      lastRunErrorMessage: null
+    });
+  } catch (err) {
+    await Webhook.findByIdAndUpdate(webhookId, {
+      lastStatus: "failed",
+      lastRunErrorMessage: (err as Error).message
+    });
+    return res.status(400).send({
+      message: "Failed to receive response",
+      error: (err as Error).message
+    });
+  }
+
+  return res.status(200).send({
+    message: "Successfully received response"
+  });
+};
+
+export const listWebhooks = async (req: Request, res: Response) => {
+  const { environment, workspaceId, secretPath } = req.query;
+
+  const optionalFilters: Record<string, string> = {};
+  if (environment) optionalFilters.environment = environment as string;
+  if (secretPath) optionalFilters.secretPath = secretPath as string;
+
+  const webhooks = await Webhook.find({
+    workspace: new Types.ObjectId(workspaceId as string),
+    ...optionalFilters
+  });
+
+  return res.status(200).send({
+    webhooks
+  });
+};
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -1,19 +1,18 @@
 import { Request, Response } from "express";
 import {
-  Workspace,
-  Membership,
-  MembershipOrg,
+  IUser,
  Integration,
  IntegrationAuth,
-  IUser,
+  Membership,
+  MembershipOrg,
  ServiceToken,
-  ServiceTokenData,
+  Workspace,
 } from "../../models";
 import {
  createWorkspace as create,
  deleteWorkspace as deleteWork,
 } from "../../helpers/workspace";
-import { EELicenseService } from '../../ee/services';
+import { EELicenseService } from "../../ee/services";
 import { addMemberships } from "../../helpers/membership";
 import { ADMIN } from "../../variables";

@ -116,14 +115,14 @@ export const createWorkspace = async (req: Request, res: Response) => {
    throw new Error("Failed to validate organization membership");
  }

-  const plan = await EELicenseService.getOrganizationPlan(organizationId);
+  const plan = await EELicenseService.getPlan(organizationId);
  
  if (plan.workspaceLimit !== null) {
    // case: limit imposed on number of workspaces allowed
    if (plan.workspacesUsed >= plan.workspaceLimit) {
      // case: number of workspaces used exceeds the number of workspaces allowed
      return res.status(400).send({
-        message: 'Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces.'
+        message: "Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces.",
      });
    }
  }
--- a/backend/src/controllers/v2/apiKeyDataController.ts
+++ b/backend/src/controllers/v2/apiKeyDataController.ts
@ -1,74 +0,0 @@
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    APIKeyData
-} from '../../models';
-import { getSaltRounds } from '../../config';
-
-/**
- * Return API key data for user with id [req.user_id]
- * @param req
- * @param res 
- * @returns 
- */
-export const getAPIKeyData = async (req: Request, res: Response) => {
-    const apiKeyData = await APIKeyData.find({
-        user: req.user._id
-    });
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
-
-/**
- * Create new API key data for user with id [req.user._id]
- * @param req 
- * @param res 
- */
-export const createAPIKeyData = async (req: Request, res: Response) => {
-    const { name, expiresIn } = req.body;
-    
-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-    
-    const expiresAt = new Date();
-    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    
-    let apiKeyData = await new APIKeyData({
-        name,
-        lastUsed: new Date(),
-        expiresAt,
-        user: req.user._id,
-        secretHash
-    }).save();
-    
-    // return api key data without sensitive data
-    // FIX: fix this any
-    apiKeyData = await APIKeyData.findById(apiKeyData._id) as any
-    
-    if (!apiKeyData) throw new Error('Failed to find API key data');
-    
-    const apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-            
-    return res.status(200).send({
-        apiKey,
-        apiKeyData
-    });
-}
-
-/**
- * Delete API key data with id [apiKeyDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteAPIKeyData = async (req: Request, res: Response) => {
-    const { apiKeyDataId } = req.params;
-    const apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -1,27 +1,27 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
+import { Request, Response } from "express";
+import jwt from "jsonwebtoken";
+import * as bigintConversion from "bigint-conversion";
+const jsrp = require("jsrp");
+import { LoginSRPDetail, User } from "../../models";
+import { createToken, issueAuthTokens } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELogService } from "../../ee/services";
+import { BadRequestError, InternalServerError } from "../../utils/errors";
 import {
+  ACTION_LOGIN,
  TOKEN_EMAIL_MFA,
-  ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+} from "../../variables";
+import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
 import {
+  getHttpsEnabled,
  getJwtMfaLifetime,
  getJwtMfaSecret,
-  getHttpsEnabled
-} from '../../config';
+} from "../../config";

-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
    userId: string;
  }
@ -36,20 +36,20 @@ declare module 'jsonwebtoken' {
 export const login1 = async (req: Request, res: Response) => {
  const {
    email,
-    clientPublicKey
+    clientPublicKey,
  }: { email: string; clientPublicKey: string } = req.body;

  const user = await User.findOne({
-    email
-  }).select('+salt +verifier');
+    email,
+  }).select("+salt +verifier");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

  const server = new jsrp.server();
  server.init(
    {
      salt: user.salt,
-      verifier: user.verifier
+      verifier: user.verifier,
    },
    async () => {
      // generate server-side public key
@ -63,7 +63,7 @@ export const login1 = async (req: Request, res: Response) => {

      return res.status(200).send({
        serverPublicKey,
-        salt: user.salt
+        salt: user.salt,
      });
    }
  );
@ -78,14 +78,14 @@ export const login1 = async (req: Request, res: Response) => {
 * @returns
 */
 export const login2 = async (req: Request, res: Response) => {
-  if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+  if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });

  const { email, clientProof } = req.body;
  const user = await User.findOne({
-    email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
+    email,
+  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

  const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })

@ -98,7 +98,7 @@ export const login2 = async (req: Request, res: Response) => {
    {
      salt: user.salt,
      verifier: user.verifier,
-      b: loginSRPDetail.serverBInt
+      b: loginSRPDetail.serverBInt,
    },
    async () => {
      server.setClientPublicKey(loginSRPDetail.clientPublicKey);
@ -111,52 +111,52 @@ export const login2 = async (req: Request, res: Response) => {
          // generate temporary MFA token
          const token = createToken({
            payload: {
-              userId: user._id.toString()
+              userId: user._id.toString(),
            },
            expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getJwtMfaSecret(),
          });

          const code = await TokenService.createToken({
            type: TOKEN_EMAIL_MFA,
-            email
+            email,
          });

          // send MFA code [code] to [email]
          await sendMail({
-            template: 'emailMfa.handlebars',
-            subjectLine: 'Infisical MFA code',
+            template: "emailMfa.handlebars",
+            subjectLine: "Infisical MFA code",
            recipients: [email],
            substitutions: {
-              code
-            }
+              code,
+            },
          });

          return res.status(200).send({
            mfaEnabled: true,
-            token
+            token,
          });
        }

        await checkUserDevice({
          user,
          ip: req.realIP,
-          userAgent: req.headers['user-agent'] ?? ''
+          userAgent: req.headers["user-agent"] ?? "",
        });

        // issue tokens
        const tokens = await issueAuthTokens({ 
          userId: user._id,
          ip: req.realIP,
-          userAgent: req.headers['user-agent'] ?? ''
+          userAgent: req.headers["user-agent"] ?? "",
        });

        // store (refresh) token in httpOnly cookie
-        res.cookie('jid', tokens.refreshToken, {
+        res.cookie("jid", tokens.refreshToken, {
          httpOnly: true,
-          path: '/',
-          sameSite: 'strict',
-          secure: await getHttpsEnabled()
+          path: "/",
+          sameSite: "strict",
+          secure: await getHttpsEnabled(),
        });

        // case: user does not have MFA enabled
@ -182,7 +182,7 @@ export const login2 = async (req: Request, res: Response) => {
          publicKey: user.publicKey,
          encryptedPrivateKey: user.encryptedPrivateKey,
          iv: user.iv,
-          tag: user.tag
+          tag: user.tag,
        }

        if (
@ -197,21 +197,21 @@ export const login2 = async (req: Request, res: Response) => {

        const loginAction = await EELogService.createAction({
          name: ACTION_LOGIN,
-          userId: user._id
+          userId: user._id,
        });

        loginAction && await EELogService.createLog({
          userId: user._id,
          actions: [loginAction],
-          channel: getChannelFromUserAgent(req.headers['user-agent']),
-          ipAddress: req.ip
+          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          ipAddress: req.ip,
        });

        return res.status(200).send(response);
      }

      return res.status(400).send({
-        message: 'Failed to authenticate. Try again?'
+        message: "Failed to authenticate. Try again?",
      });
    }
  );
@ -227,21 +227,21 @@ export const sendMfaToken = async (req: Request, res: Response) => {

  const code = await TokenService.createToken({
    type: TOKEN_EMAIL_MFA,
-    email
+    email,
  });

  // send MFA code [code] to [email]
  await sendMail({
-    template: 'emailMfa.handlebars',
-    subjectLine: 'Infisical MFA code',
+    template: "emailMfa.handlebars",
+    subjectLine: "Infisical MFA code",
    recipients: [email],
    substitutions: {
-      code
-    }
+      code,
+    },
  });

  return res.status(200).send({
-    message: 'Successfully sent new MFA code'
+    message: "Successfully sent new MFA code",
  });
 }

@ -257,36 +257,36 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
  await TokenService.validateToken({
    type: TOKEN_EMAIL_MFA,
    email,
-    token: mfaToken
+    token: mfaToken,
  });

  const user = await User.findOne({
-    email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
+    email,
+  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");

-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");

  await LoginSRPDetail.deleteOne({ userId: user.id })

  await checkUserDevice({
    user,
    ip: req.realIP,
-    userAgent: req.headers['user-agent'] ?? ''
+    userAgent: req.headers["user-agent"] ?? "",
  });

  // issue tokens
  const tokens = await issueAuthTokens({ 
    userId: user._id,
    ip: req.realIP,
-    userAgent: req.headers['user-agent'] ?? ''
+    userAgent: req.headers["user-agent"] ?? "",
  });

  // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
    httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: await getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
  });

  interface VerifyMfaTokenRes {
@ -319,7 +319,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
    publicKey: user.publicKey as string,
    encryptedPrivateKey: user.encryptedPrivateKey as string,
    iv: user.iv as string,
-    tag: user.tag as string
+    tag: user.tag as string,
  }

  if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
@ -330,14 +330,14 @@ export const verifyMfaToken = async (req: Request, res: Response) => {

  const loginAction = await EELogService.createAction({
    name: ACTION_LOGIN,
-    userId: user._id
+    userId: user._id,
  });

  loginAction && await EELogService.createLog({
    userId: user._id,
    actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.realIP
+    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    ipAddress: req.realIP,
  });

  return res.status(200).send(resObj);
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -1,16 +1,17 @@
-import { Request, Response } from 'express';
+import { Request, Response } from "express";
 import {
+  Integration,
+  Membership,
  Secret,
  ServiceToken,
-  Workspace,
-  Integration,
  ServiceTokenData,
-  Membership,
-} from '../../models';
-import { SecretVersion } from '../../ee/models';
-import { BadRequestError } from '../../utils/errors';
-import _ from 'lodash';
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+  Workspace,
+} from "../../models";
+import { SecretVersion } from "../../ee/models";
+import { EELicenseService } from "../../ee/services";
+import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
+import _ from "lodash";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";

 /**
 * Create new workspace environment named [environmentName] under workspace with id
@ -22,16 +23,33 @@ export const createWorkspaceEnvironment = async (
  req: Request,
  res: Response
 ) => {
+
  const { workspaceId } = req.params;
  const { environmentName, environmentSlug } = req.body;
  const workspace = await Workspace.findById(workspaceId).exec();
+
+  if (!workspace) throw WorkspaceNotFoundError();
+
+  const plan = await EELicenseService.getPlan(workspace.organization.toString());
+
+  if (plan.environmentLimit !== null) {
+    // case: limit imposed on number of environments allowed
+    if (workspace.environments.length >= plan.environmentLimit) {
+      // case: number of environments used exceeds the number of environments allowed
+
+      return res.status(400).send({
+        message: "Failed to create environment due to environment limit reached. Upgrade plan to create more environments.",
+      });
+    }
+  }
+
  if (
    !workspace ||
    workspace?.environments.find(
      ({ name, slug }) => slug === environmentSlug || environmentName === name
    )
  ) {
-    throw new Error('Failed to create workspace environment');
+    throw new Error("Failed to create workspace environment");
  }

  workspace?.environments.push({
@ -40,8 +58,10 @@ export const createWorkspaceEnvironment = async (
  });
  await workspace.save();

+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+
  return res.status(200).send({
-    message: 'Successfully created new environment',
+    message: "Successfully created new environment",
    workspace: workspaceId,
    environment: {
      name: environmentName,
@ -65,13 +85,13 @@ export const renameWorkspaceEnvironment = async (
  const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
  // user should pass both new slug and env name
  if (!environmentSlug || !environmentName) {
-    throw new Error('Invalid environment given.');
+    throw new Error("Invalid environment given.");
  }

  // atomic update the env to avoid conflict
  const workspace = await Workspace.findById(workspaceId).exec();
  if (!workspace) {
-    throw new Error('Failed to create workspace environment');
+    throw new Error("Failed to create workspace environment");
  }

  const isEnvExist = workspace.environments.some(
@ -80,14 +100,14 @@ export const renameWorkspaceEnvironment = async (
      (name === environmentName || slug === environmentSlug)
  );
  if (isEnvExist) {
-    throw new Error('Invalid environment given');
+    throw new Error("Invalid environment given");
  }

  const envIndex = workspace?.environments.findIndex(
    ({ slug }) => slug === oldEnvironmentSlug
  );
  if (envIndex === -1) {
-    throw new Error('Invalid environment given');
+    throw new Error("Invalid environment given");
  }

  workspace.environments[envIndex].name = environmentName;
@ -117,7 +137,7 @@ export const renameWorkspaceEnvironment = async (
  await Membership.updateMany(
    {
      workspace: workspaceId,
-      "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      "deniedPermissions.environmentSlug": oldEnvironmentSlug,
    },
    { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
    { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
@ -125,7 +145,7 @@ export const renameWorkspaceEnvironment = async (


  return res.status(200).send({
-    message: 'Successfully update environment',
+    message: "Successfully update environment",
    workspace: workspaceId,
    environment: {
      name: environmentName,
@ -149,14 +169,14 @@ export const deleteWorkspaceEnvironment = async (
  // atomic update the env to avoid conflict
  const workspace = await Workspace.findById(workspaceId).exec();
  if (!workspace) {
-    throw new Error('Failed to create workspace environment');
+    throw new Error("Failed to create workspace environment");
  }

  const envIndex = workspace?.environments.findIndex(
    ({ slug }) => slug === environmentSlug
  );
  if (envIndex === -1) {
-    throw new Error('Invalid environment given');
+    throw new Error("Invalid environment given");
  }

  workspace.environments.splice(envIndex, 1);
@ -171,14 +191,21 @@ export const deleteWorkspaceEnvironment = async (
    workspace: workspaceId,
    environment: environmentSlug,
  });
-  await ServiceToken.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await ServiceTokenData.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
+
+  // await ServiceToken.deleteMany({
+  //   workspace: workspaceId,
+  //   environment: environmentSlug,
+  // });
+
+  const result = await ServiceTokenData.updateMany(
+    { workspace: workspaceId },
+    { $pull: { scopes: { environment: environmentSlug } } }
+  );
+
+  if (result.modifiedCount > 0) {
+    await ServiceTokenData.deleteMany({ workspace: workspaceId, scopes: { $size: 0 } });
+  }
+
  await Integration.deleteMany({
    workspace: workspaceId,
    environment: environmentSlug,
@ -186,10 +213,12 @@ export const deleteWorkspaceEnvironment = async (
  await Membership.updateMany(
    { workspace: workspaceId },
    { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-  )
+  );
+
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);

  return res.status(200).send({
-    message: 'Successfully deleted environment',
+    message: "Successfully deleted environment",
    workspace: workspaceId,
    environment: environmentSlug,
  });
@ -203,7 +232,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
  const { workspaceId } = req.params;
  const workspacesUserIsMemberOf = await Membership.findOne({
    workspace: workspaceId,
-    user: req.user
+    user: req.user,
  })

  if (!workspacesUserIsMemberOf) {
@ -227,7 +256,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
        name: environment.name,
        slug: environment.slug,
        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
+        isReadDenied: isReadBlocked,
      })
    }
  })
--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -1,15 +1,14 @@
-import * as authController from './authController';
-import * as signupController from './signupController';
-import * as usersController from './usersController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as serviceTokenDataController from './serviceTokenDataController';
-import * as apiKeyDataController from './apiKeyDataController';
-import * as secretController from './secretController';
-import * as secretsController from './secretsController';
-import * as serviceAccountsController from './serviceAccountsController';
-import * as environmentController from './environmentController';
-import * as tagController from './tagController';
+import * as authController from "./authController";
+import * as signupController from "./signupController";
+import * as usersController from "./usersController";
+import * as organizationsController from "./organizationsController";
+import * as workspaceController from "./workspaceController";
+import * as serviceTokenDataController from "./serviceTokenDataController";
+import * as secretController from "./secretController";
+import * as secretsController from "./secretsController";
+import * as serviceAccountsController from "./serviceAccountsController";
+import * as environmentController from "./environmentController";
+import * as tagController from "./tagController";

 export {
    authController,
@ -18,10 +17,9 @@ export {
    organizationsController,
    workspaceController,
    serviceTokenDataController,
-    apiKeyDataController,
    secretController,
    secretsController,
    serviceAccountsController,
    environmentController,
-    tagController
+    tagController,
 }
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -1,13 +1,13 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
 import { 
-    MembershipOrg,
    Membership,
+    MembershipOrg,
+    ServiceAccount,
    Workspace,
-    ServiceAccount
-} from '../../models';
-import { deleteMembershipOrg } from '../../helpers/membershipOrg';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+} from "../../models";
+import { deleteMembershipOrg } from "../../helpers/membershipOrg";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";

 /**
 * Return memberships for organization with id [organizationId]
@ -51,11 +51,11 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
    const { organizationId } = req.params;

 		const memberships = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
+			organization: organizationId,
+		}).populate("user", "+publicKey");
    
    return res.status(200).send({
-        memberships
+        memberships,
    });
 }

@ -124,14 +124,14 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
    const membership = await MembershipOrg.findByIdAndUpdate(
        membershipId,
        {
-            role
+            role,
        }, {
-            new: true
+            new: true,
        }
    );
    
    return res.status(200).send({
-        membership
+        membership,
    });
 }

@ -182,15 +182,15 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
    
    // delete organization membership
    const membership = await deleteMembershipOrg({
-        membershipOrgId: membershipId
+        membershipOrgId: membershipId,
    });

    await updateSubscriptionOrgQuantity({
-			organizationId: membership.organization.toString()
+			organizationId: membership.organization.toString(),
 		});

    return res.status(200).send({
-        membership
+        membership,
    });
 }

@ -240,23 +240,23 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
        (
            await Workspace.find(
                {
-                    organization: organizationId
+                    organization: organizationId,
                },
-                '_id'
+                "_id"
            )
        ).map((w) => w._id.toString())
    );

    const workspaces = (
        await Membership.find({
-            user: req.user._id
-        }).populate('workspace')
+            user: req.user._id,
+        }).populate("workspace")
    )
    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
    .map((m) => m.workspace);

 return res.status(200).send({
-        workspaces
+        workspaces,
    });
 }

@ -269,10 +269,10 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
    const { organizationId } = req.params;
    
    const serviceAccounts = await ServiceAccount.find({
-        organization: new Types.ObjectId(organizationId)
+        organization: new Types.ObjectId(organizationId),
    });
    
    return res.status(200).send({
-        serviceAccounts
+        serviceAccounts,
    });
 }
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -1,25 +1,37 @@
-import to from "await-to-js";
 import { Request, Response } from "express";
 import mongoose, { Types } from "mongoose";
 import Secret, { ISecret } from "../../models/secret";
-import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
+import {
+  CreateSecretRequestBody,
+  ModifySecretRequestBody,
+  SanitizedSecretForCreate,
+  SanitizedSecretModify
+} from "../../types/secret";
 const { ValidationError } = mongoose.Error;
-import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
-import { AnyBulkWriteOperation } from 'mongodb';
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { TelemetryService } from '../../services';
+import {
+  ValidationError as RouteValidationError,
+  UnauthorizedRequestError
+} from "../../utils/errors";
+import { AnyBulkWriteOperation } from "mongodb";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL,
+  SECRET_SHARED
+} from "../../variables";
+import { TelemetryService } from "../../services";
 import { User } from "../../models";
-import { AccountNotFoundError } from '../../utils/errors';
+import { AccountNotFoundError } from "../../utils/errors";

 /**
 * Create secret for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
 export const createSecret = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
  const secretToCreate: CreateSecretRequestBody = req.body.secret;
-  const { workspaceId, environment } = req.params
+  const { workspaceId, environment } = req.params;
  const sanitizedSecret: SanitizedSecretForCreate = {
    secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
    secretKeyIV: secretToCreate.secretKeyIV,
@ -39,45 +51,41 @@ export const createSecret = async (req: Request, res: Response) => {
    user: new Types.ObjectId(req.user._id),
    algorithm: ALGORITHM_AES_256_GCM,
    keyEncoding: ENCODING_SCHEME_UTF8
-  }
+  };

-
-  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: error.message, stack: error.stack })
-  }
+  const secret = await new Secret(sanitizedSecret).save();

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: 1,
        workspaceId,
        environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

  res.status(200).send({
    secret
-  })
-}
+  });
+};

 /**
- * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
+ * Create many secrets for workspace with id [workspaceId] and environment [environment]
+ * @param req
+ * @param res
 */
 export const createSecrets = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+  const { workspaceId, environment } = req.params;
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = [];

-  secretsToCreate.forEach(rawSecret => {
+  secretsToCreate.forEach((rawSecret) => {
    const safeUpdateFields: SanitizedSecretForCreate = {
      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
      secretKeyIV: rawSecret.secretKeyIV,
@ -97,140 +105,129 @@ export const createSecrets = async (req: Request, res: Response) => {
      user: new Types.ObjectId(req.user._id),
      algorithm: ALGORITHM_AES_256_GCM,
      keyEncoding: ENCODING_SCHEME_UTF8
-    }
+    };

-    sanitizedSecretesToCreate.push(safeUpdateFields)
-  })
+    sanitizedSecretesToCreate.push(safeUpdateFields);
+  });

-  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
-  if (bulkCreateError) {
-    if (bulkCreateError instanceof ValidationError) {
-      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
-    }
-
-    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
-  }
+  const secrets = await Secret.insertMany(sanitizedSecretesToCreate);

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: (secretsToCreate ?? []).length,
        workspaceId,
        environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

  res.status(200).send({
    secrets
-  })
-}
+  });
+};

 /**
 * Delete secrets in workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
 */
 export const deleteSecrets = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
-  const secretIdsToDelete: string[] = req.body.secretIds
+  const { workspaceId, environmentName } = req.params;
+  const secretIdsToDelete: string[] = req.body.secretIds;

-  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanDeleteError) {
-    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
-  }
+  const secretIdsUserCanDelete = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });

-  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+  const secretsUserCanDeleteSet: Set<string> = new Set(
+    secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
+  );
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];

  let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach(secretIdToDelete => {
+  secretIdsToDelete.forEach((secretIdToDelete) => {
    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
-      deleteOperationsToPerform.push(deleteOperation)
+      const deleteOperation = {
+        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
+      };
+      deleteOperationsToPerform.push(deleteOperation);
      numSecretsDeleted++;
    } else {
-      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+      throw RouteValidationError({
+        message: "You cannot delete secrets that you do not have access to"
+      });
    }
-  })
+  });

-  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
-  if (bulkDeleteError) {
-    if (bulkDeleteError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
-    }
-    throw InternalServerError()
-  }
+  await Secret.bulkWrite(deleteOperationsToPerform);

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: numSecretsDeleted,
        environment: environmentName,
        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

-  res.status(200).send()
-}
+  res.status(200).send();
+};

 /**
 * Delete secret with id [secretId]
- * @param req 
+ * @param req
 * @param res
 */
 export const deleteSecret = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
-  await Secret.findByIdAndDelete(req._secret._id)
+  await Secret.findByIdAndDelete(req._secret._id);

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: 1,
        workspaceId: req._secret.workspace.toString(),
        environment: req._secret.environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

  res.status(200).send({
    secret: req._secret
-  })
-}
+  });
+};

 /**
 * Update secrets for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const updateSecrets = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
+  const { workspaceId, environmentName } = req.params;
  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
-  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanModifyError) {
-    throw InternalServerError({ message: "Unable to fetch secrets you own" })
-  }
+  const secretIdsUserCanModify = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });

-  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
-  const updateOperationsToPerform: any = []
+  const secretsUserCanModifySet: Set<string> = new Set(
+    secretIdsUserCanModify.map((objectId) => objectId._id.toString())
+  );
+  const updateOperationsToPerform: any = [];

-  secretsModificationsRequested.forEach(userModifiedSecret => {
+  secretsModificationsRequested.forEach((userModifiedSecret) => {
    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
      const sanitizedSecret: SanitizedSecretModify = {
        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
@ -244,57 +241,54 @@ export const updateSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
        secretCommentIV: userModifiedSecret.secretCommentIV,
        secretCommentTag: userModifiedSecret.secretCommentTag,
-        secretCommentHash: userModifiedSecret.secretCommentHash,
-      }
+        secretCommentHash: userModifiedSecret.secretCommentHash
+      };

-      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
-      updateOperationsToPerform.push(updateOperation)
+      const updateOperation = {
+        updateOne: {
+          filter: { _id: userModifiedSecret._id, workspace: workspaceId },
+          update: { $inc: { version: 1 }, $set: sanitizedSecret }
+        }
+      };
+      updateOperationsToPerform.push(updateOperation);
    } else {
-      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+      throw UnauthorizedRequestError({
+        message: "You do not have permission to modify one or more of the requested secrets"
+      });
    }
-  })
+  });

-  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
-  if (bulkModificationInfoError) {
-    if (bulkModificationInfoError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
-    }
-
-    throw InternalServerError()
-  }
+  await Secret.bulkWrite(updateOperationsToPerform);

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: (secretsModificationsRequested ?? []).length,
        environment: environmentName,
        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

-  return res.status(200).send()
-}
+  return res.status(200).send();
+};

 /**
 * Update a secret within workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const updateSecret = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
+  const { workspaceId, environmentName } = req.params;
  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;

-  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
-    throw BadRequestError()
-  }
+  await Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 });

  const sanitizedSecret: SanitizedSecretModify = {
    secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
@ -308,45 +302,55 @@ export const updateSecret = async (req: Request, res: Response) => {
    secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
    secretCommentIV: secretModificationsRequested.secretCommentIV,
    secretCommentTag: secretModificationsRequested.secretCommentTag,
-    secretCommentHash: secretModificationsRequested.secretCommentHash,
-  }
+    secretCommentHash: secretModificationsRequested.secretCommentHash
+  };

-  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
-  }
+  const singleModificationUpdate = await Secret.updateOne(
+    { _id: secretModificationsRequested._id, workspace: workspaceId },
+    { $inc: { version: 1 }, $set: sanitizedSecret }
+  )
+  .catch((error) => {
+    if (error instanceof ValidationError) {
+      throw RouteValidationError({
+        message: "Unable to apply modifications, please try again",
+        stack: error.stack
+      });
+    }
+
+    throw error;
+  });

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: 1,
        environment: environmentName,
        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

-  return res.status(200).send(singleModificationUpdate)
-}
+  return res.status(200).send(singleModificationUpdate);
+};

 /**
 * Return secrets for workspace with id [workspaceId], environment [environment] and user
 * with id [req.user._id]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getSecrets = async (req: Request, res: Response) => {
  const postHogClient = await TelemetryService.getPostHogClient();
  const { environment } = req.query;
  const { workspaceId } = req.params;

-  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: string | undefined = undefined // used for posthog 
+  let userId: Types.ObjectId | undefined = undefined; // used for getting personal secrets for user
+  let userEmail: string | undefined = undefined; // used for posthog
  if (req.user) {
    userId = req.user._id;
    userEmail = req.user.email;
@ -354,47 +358,47 @@ export const getSecrets = async (req: Request, res: Response) => {

  if (req.serviceTokenData) {
    userId = req.serviceTokenData.user;
-    
-    const user = await User.findById(req.serviceTokenData.user, 'email');
+
+    const user = await User.findById(req.serviceTokenData.user, "email");
    if (!user) throw AccountNotFoundError();
    userEmail = user.email;
  }

-  const [err, secrets] = await to(Secret.find(
-    {
-      workspace: workspaceId,
-      environment,
-      $or: [{ user: userId }, { user: { $exists: false } }],
-      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-    }
-  ).then())
-
-  if (err) {
-    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
-  }
+  const secrets = await Secret.find({
+    workspace: workspaceId,
+    environment,
+    $or: [{ user: userId }, { user: { $exists: false } }],
+    type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+  })
+  .catch((err) => {
+    throw RouteValidationError({
+      message: "Failed to get secrets, please try again",
+      stack: err.stack
+    });
+  })

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets pulled',
+      event: "secrets pulled",
      distinctId: userEmail,
      properties: {
        numberOfSecrets: (secrets ?? []).length,
        environment,
        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
      }
    });
  }

-  return res.json(secrets)
-}
+  return res.json(secrets);
+};

 /**
 * Return secret with id [secretId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getSecret = async (req: Request, res: Response) => {
  // if (postHogClient) {
@ -414,4 +418,4 @@ export const getSecret = async (req: Request, res: Response) => {
  return res.status(200).send({
    secret: req._secret
  });
-}
+};
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -3,35 +3,39 @@ import { Request, Response } from "express";
 import { ISecret, Secret, ServiceTokenData } from "../../models";
 import { IAction, SecretVersion } from "../../ee/models";
 import {
-  SECRET_PERSONAL,
  ACTION_ADD_SECRETS,
+  ACTION_DELETE_SECRETS,
  ACTION_READ_SECRETS,
  ACTION_UPDATE_SECRETS,
-  ACTION_DELETE_SECRETS,
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL
 } from "../../variables";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EventService } from "../../services";
 import { eventPushSecrets } from "../../events";
-import { EESecretService, EELogService } from "../../ee/services";
-import { TelemetryService, SecretService } from "../../services";
+import { EELogService, EESecretService } from "../../ee/services";
+import { SecretService, TelemetryService } from "../../services";
 import { getChannelFromUserAgent } from "../../utils/posthog";
 import { PERMISSION_WRITE_SECRETS } from "../../variables";
 import {
  userHasNoAbility,
  userHasWorkspaceAccess,
-  userHasWriteOnlyAbility,
+  userHasWriteOnlyAbility
 } from "../../ee/helpers/checkMembershipPermissions";
 import Tag from "../../models/tag";
 import _ from "lodash";
-import { BatchSecretRequest, BatchSecret } from "../../types/secret";
+import { BatchSecret, BatchSecretRequest } from "../../types/secret";
 import Folder from "../../models/folder";
 import {
  getFolderByPath,
  getFolderIdFromServiceToken,
  searchByFolderId,
+  searchByFolderIdWithDir
 } from "../../services/FolderService";
+import { isValidScope } from "../../helpers/secrets";
+import path from "path";
+import { getAllImportedSecrets } from "../../services/SecretImportService";

 /**
 * Peform a batch of any specified CUD secret operations
@ -46,14 +50,13 @@ export const batchSecrets = async (req: Request, res: Response) => {
  const {
    workspaceId,
    environment,
-    requests,
-    secretPath,
+    requests
  }: {
    workspaceId: string;
    environment: string;
    requests: BatchSecretRequest[];
-    secretPath: string;
  } = req.body;
+  let secretPath = req.body.secretPath as string;
  let folderId = req.body.folderId as string;

  const createSecrets: BatchSecret[] = [];
@ -63,31 +66,31 @@ export const batchSecrets = async (req: Request, res: Response) => {

  // get secret blind index salt
  const salt = await SecretService.getSecretBlindIndexSalt({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (folders && folderId !== "root") {
-    const folder = searchByFolderId(folders.nodes, folderId as string);
-    if (!folder) throw BadRequestError({ message: "Folder not found" });
-  }

  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
+
    // in service token when not giving secretpath folderid must be root
    // this is to avoid giving folderid when service tokens are used
-    if (
-      (!secretPath && folderId !== "root") ||
-      (secretPath && secretPath !== serviceTkScopedSecretPath)
-    ) {
+    if ((!secretPath && folderId !== "root") || (secretPath && !isValidScopeAccess)) {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  }
+
  if (secretPath) {
-    folderId = await getFolderIdFromServiceToken(
-      workspaceId,
-      environment,
-      secretPath
+    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
+  }
+
+  if (folders && folderId !== "root") {
+    const folder = searchByFolderIdWithDir(folders.nodes, folderId as string);
+    if (!folder?.folder) throw BadRequestError({ message: "Folder not found" });
+    secretPath = path.join(
+      "/",
+      ...folder.dir.map(({ name }) => name).filter((name) => name !== "root")
    );
  }

@ -97,12 +100,10 @@ export const batchSecrets = async (req: Request, res: Response) => {
    let secretBlindIndex = "";
    switch (request.method) {
      case "POST":
-        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt(
-          {
-            secretName: request.secret.secretName,
-            salt,
-          }
-        );
+        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+          secretName: request.secret.secretName,
+          salt
+        });

        createSecrets.push({
          ...request.secret,
@ -113,16 +114,14 @@ export const batchSecrets = async (req: Request, res: Response) => {
          folder: folderId,
          secretBlindIndex,
          algorithm: ALGORITHM_AES_256_GCM,
-          keyEncoding: ENCODING_SCHEME_UTF8,
+          keyEncoding: ENCODING_SCHEME_UTF8
        });
        break;
      case "PATCH":
-        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt(
-          {
-            secretName: request.secret.secretName,
-            salt,
-          }
-        );
+        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+          secretName: request.secret.secretName,
+          salt
+        });

        updateSecrets.push({
          ...request.secret,
@ -130,7 +129,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
          secretBlindIndex,
          folder: folderId,
          algorithm: ALGORITHM_AES_256_GCM,
-          keyEncoding: ENCODING_SCHEME_UTF8,
+          keyEncoding: ENCODING_SCHEME_UTF8
        });
        break;
      case "DELETE":
@ -150,9 +149,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
          ...n._doc,
          _id: new Types.ObjectId(),
          secret: n._id,
-          isDeleted: false,
+          isDeleted: false
        };
-      }),
+      })
    });

    const addAction = (await EELogService.createAction({
@ -161,7 +160,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
      serviceAccountId: req.serviceAccount?._id,
      serviceTokenDataId: req.serviceTokenData?._id,
      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: createdSecrets.map((n) => n._id),
+      secretIds: createdSecrets.map((n) => n._id)
    })) as IAction;
    actions.push(addAction);

@ -175,8 +174,8 @@ export const batchSecrets = async (req: Request, res: Response) => {
          workspaceId,
          folderId,
          channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
      });
    }
  }
@ -195,7 +194,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
    listedSecretsObj = req.secrets.reduce(
      (obj: any, secret: ISecret) => ({
        ...obj,
-        [secret._id.toString()]: secret,
+        [secret._id.toString()]: secret
      }),
      {}
    );
@ -204,16 +203,16 @@ export const batchSecrets = async (req: Request, res: Response) => {
      updateOne: {
        filter: {
          _id: new Types.ObjectId(u._id),
-          workspace: new Types.ObjectId(workspaceId),
+          workspace: new Types.ObjectId(workspaceId)
        },
        update: {
          $inc: {
-            version: 1,
+            version: 1
          },
          ...u,
-          _id: new Types.ObjectId(u._id),
-        },
-      },
+          _id: new Types.ObjectId(u._id)
+        }
+      }
    }));

    await Secret.bulkWrite(updateOperations);
@ -240,25 +239,25 @@ export const batchSecrets = async (req: Request, res: Response) => {
          algorithm: ALGORITHM_AES_256_GCM,
          keyEncoding: ENCODING_SCHEME_UTF8,
          tags: u.tags,
-          folder: u.folder,
+          folder: u.folder
        })
    );

    await EESecretService.addSecretVersions({
-      secretVersions,
+      secretVersions
    });

    updatedSecrets = await Secret.find({
      _id: {
-        $in: updateSecrets.map((u) => new Types.ObjectId(u._id)),
-      },
+        $in: updateSecrets.map((u) => new Types.ObjectId(u._id))
+      }
    });

    const updateAction = (await EELogService.createAction({
      name: ACTION_UPDATE_SECRETS,
      userId: req.user._id,
      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: updatedSecrets.map((u) => u._id),
+      secretIds: updatedSecrets.map((u) => u._id)
    })) as IAction;
    actions.push(updateAction);

@ -272,8 +271,8 @@ export const batchSecrets = async (req: Request, res: Response) => {
          workspaceId,
          folderId,
          channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
      });
    }
  }
@ -282,19 +281,19 @@ export const batchSecrets = async (req: Request, res: Response) => {
  if (deleteSecrets.length > 0) {
    await Secret.deleteMany({
      _id: {
-        $in: deleteSecrets,
-      },
+        $in: deleteSecrets
+      }
    });

    await EESecretService.markDeletedSecretVersions({
-      secretIds: deleteSecrets,
+      secretIds: deleteSecrets
    });

    const deleteAction = (await EELogService.createAction({
      name: ACTION_DELETE_SECRETS,
      userId: req.user._id,
      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: deleteSecrets,
+      secretIds: deleteSecrets
    })) as IAction;
    actions.push(deleteAction);

@ -307,8 +306,8 @@ export const batchSecrets = async (req: Request, res: Response) => {
          environment,
          workspaceId,
          channel: channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
      });
    }
  }
@ -320,7 +319,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
      workspaceId: new Types.ObjectId(workspaceId),
      actions,
      channel,
-      ipAddress: req.realIP,
+      ipAddress: req.realIP
    });
  }

@ -328,14 +327,17 @@ export const batchSecrets = async (req: Request, res: Response) => {
  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
-    }),
+      environment,
+      // root condition else this will be filled according to the path or folderid
+      secretPath: secretPath || "/"
+    })
  });

  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
-    folderId,
+    folderId
  });

  const resObj: { [key: string]: ISecret[] | string[] } = {};
@ -418,7 +420,7 @@ export const createSecrets = async (req: Request, res: Response) => {
  const {
    workspaceId,
    environment,
-    secretPath,
+    secretPath
  }: {
    workspaceId: string;
    environment: string;
@ -435,8 +437,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    );
    if (!hasAccess) {
      throw UnauthorizedRequestError({
-        message:
-          "You do not have the necessary permission(s) perform this action",
+        message: "You do not have the necessary permission(s) perform this action"
      });
    }
  }
@ -449,28 +450,27 @@ export const createSecrets = async (req: Request, res: Response) => {
    // case: create 1 secret
    listOfSecretsToCreate = [req.body.secrets];
  }
+
  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      environment,
+      secretPath || "/"
+    );
+
    // in service token when not giving secretpath folderid must be root
    // this is to avoid giving folderid when service tokens are used
-    if (
-      (!secretPath && folderId !== "root") ||
-      (secretPath && secretPath !== serviceTkScopedSecretPath)
-    ) {
+    if ((!secretPath && folderId !== "root") || (secretPath && !isValidScopeAccess)) {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  }
  if (secretPath) {
-    folderId = await getFolderIdFromServiceToken(
-      workspaceId,
-      environment,
-      secretPath
-    );
+    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
  }

  // get secret blind index salt
  const salt = await SecretService.getSecretBlindIndexSalt({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  type secretsToCreateType = {
@ -502,15 +502,14 @@ export const createSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext,
        secretCommentIV,
        secretCommentTag,
-        tags,
+        tags
      }: secretsToCreateType) => {
        let secretBlindIndex;
        if (secretName) {
-          secretBlindIndex =
-            await SecretService.generateSecretBlindIndexWithSalt({
-              secretName,
-              salt,
-            });
+          secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+            secretName,
+            salt
+          });
        }

        return {
@ -532,22 +531,24 @@ export const createSecrets = async (req: Request, res: Response) => {
          secretCommentTag,
          algorithm: ALGORITHM_AES_256_GCM,
          keyEncoding: ENCODING_SCHEME_UTF8,
-          tags,
+          tags
        };
      }
    )
  );

-  const newlyCreatedSecrets: ISecret[] = (
-    await Secret.insertMany(secretsToInsert)
-  ).map((insertedSecret) => insertedSecret.toObject());
+  const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map(
+    (insertedSecret) => insertedSecret.toObject()
+  );

  setTimeout(async () => {
    // trigger event - push secrets
    await EventService.handleEvent({
      event: eventPushSecrets({
        workspaceId: new Types.ObjectId(workspaceId),
-      }),
+        environment,
+        secretPath: secretPath || "/"
+      })
    });
  }, 5000);

@ -567,7 +568,7 @@ export const createSecrets = async (req: Request, res: Response) => {
        secretKeyTag,
        secretValueCiphertext,
        secretValueIV,
-        secretValueTag,
+        secretValueTag
      }) =>
        new SecretVersion({
          secret: _id,
@ -586,9 +587,9 @@ export const createSecrets = async (req: Request, res: Response) => {
          secretValueTag,
          folder: folderId,
          algorithm: ALGORITHM_AES_256_GCM,
-          keyEncoding: ENCODING_SCHEME_UTF8,
+          keyEncoding: ENCODING_SCHEME_UTF8
        })
-    ),
+    )
  });

  const addAction = await EELogService.createAction({
@ -597,7 +598,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    serviceAccountId: req.serviceAccount?._id,
    serviceTokenDataId: req.serviceTokenData?._id,
    workspaceId: new Types.ObjectId(workspaceId),
-    secretIds: newlyCreatedSecrets.map((n) => n._id),
+    secretIds: newlyCreatedSecrets.map((n) => n._id)
  });

  // (EE) create (audit) log
@ -609,14 +610,14 @@ export const createSecrets = async (req: Request, res: Response) => {
      workspaceId: new Types.ObjectId(workspaceId),
      actions: [addAction],
      channel,
-      ipAddress: req.realIP,
+      ipAddress: req.realIP
    }));

  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
-    folderId,
+    folderId
  });

  const postHogClient = await TelemetryService.getPostHogClient();
@ -624,7 +625,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    postHogClient.capture({
      event: "secrets added",
      distinctId: await TelemetryService.getDistinctId({
-        authData: req.authData,
+        authData: req.authData
      }),
      properties: {
        numberOfSecrets: listOfSecretsToCreate.length,
@ -632,13 +633,13 @@ export const createSecrets = async (req: Request, res: Response) => {
        workspaceId,
        channel: channel,
        folderId,
-        userAgent: req.headers?.["user-agent"],
-      },
+        userAgent: req.headers?.["user-agent"]
+      }
    });
  }

  return res.status(200).send({
-    secrets: newlyCreatedSecrets,
+    secrets: newlyCreatedSecrets
  });
 };

@ -690,40 +691,44 @@ export const getSecrets = async (req: Request, res: Response) => {
    }   
    */

-  const { tagSlugs, secretPath } = req.query;
+  const { tagSlugs, secretPath, include_imports } = req.query;
  let { folderId } = req.query;
  const workspaceId = req.query.workspaceId as string;
  const environment = req.query.environment as string;

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (
-    (!folders && folderId && folderId !== "root") ||
-    (!folders && secretPath)
-  ) {
-    throw BadRequestError({ message: "Folder not found" });
+  if ((!folders && folderId && folderId !== "root") || (!folders && secretPath)) {
+    res.send({ secrets: [] });
+    return;
  }
  if (folders && folderId !== "root") {
    const folder = searchByFolderId(folders.nodes, folderId as string);
-    if (!folder) throw BadRequestError({ message: "Folder not found" });
+    if (!folder) {
+      res.send({ secrets: [] });
+      return;
+    }
  }

  if (req.authData.authPayload instanceof ServiceTokenData) {
-    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      environment,
+      (secretPath as string) || "/"
+    );
+
    // in service token when not giving secretpath folderid must be root
    // this is to avoid giving folderid when service tokens are used
-    if (
-      (!secretPath && folderId !== "root") ||
-      (secretPath && secretPath !== serviceTkScopedSecretPath)
-    ) {
+    if ((!secretPath && folderId !== "root") || (secretPath && !isValidScopeAccess)) {
      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
    }
  }

  if (folders && secretPath) {
-    if (!folders) throw BadRequestError({ message: "Folder not found" });
+    // avoid throwing error and send empty list
    const folder = getFolderByPath(folders.nodes, secretPath as string);
    if (!folder) {
-      throw BadRequestError({ message: "Secret path not found" });
+      res.send({ secrets: [] });
+      return;
    }
    folderId = folder.id;
  }
@ -733,8 +738,7 @@ export const getSecrets = async (req: Request, res: Response) => {

  // query tags table to get all tags ids for the tag names for the given workspace
  let tagIds = [];
-  const tagNamesList =
-    typeof tagSlugs === "string" && tagSlugs !== "" ? tagSlugs.split(",") : [];
+  const tagNamesList = typeof tagSlugs === "string" && tagSlugs !== "" ? tagSlugs.split(",") : [];
  if (tagNamesList != undefined && tagNamesList.length != 0) {
    const workspaceFromDB = await Tag.find({ workspace: workspaceId });
    tagIds = _.map(tagNamesList, (tagName: string) => {
@ -757,8 +761,7 @@ export const getSecrets = async (req: Request, res: Response) => {
    );
    if (hasNoAccess) {
      throw UnauthorizedRequestError({
-        message:
-          "You do not have the necessary permission(s) perform this action",
+        message: "You do not have the necessary permission(s) perform this action"
      });
    }

@ -768,8 +771,8 @@ export const getSecrets = async (req: Request, res: Response) => {
      folder: folderId,
      $or: [
        { user: req.user._id }, // personal secrets for this user
-        { user: { $exists: false } }, // shared secrets from workspace
-      ],
+        { user: { $exists: false } } // shared secrets from workspace
+      ]
    };

    if (tagIds.length > 0) {
@ -796,8 +799,8 @@ export const getSecrets = async (req: Request, res: Response) => {
      environment,
      $or: [
        { user: userId }, // personal secrets for this user
-        { user: { $exists: false } }, // shared secrets from workspace
-      ],
+        { user: { $exists: false } } // shared secrets from workspace
+      ]
    };

    if (tagIds.length > 0) {
@ -815,7 +818,7 @@ export const getSecrets = async (req: Request, res: Response) => {
      workspace: workspaceId,
      environment,
      folder: folderId,
-      user: { $exists: false }, // shared secrets only from workspace
+      user: { $exists: false } // shared secrets only from workspace
    };

    if (tagIds.length > 0) {
@ -825,6 +828,12 @@ export const getSecrets = async (req: Request, res: Response) => {
    secrets = await Secret.find(secretQuery).populate("tags");
  }

+  // TODO(akhilmhdh) - secret-imp change this to org type
+  let importedSecrets: any[] = [];
+  if (include_imports) {
+    importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId as string);
+  }
+
  const channel = getChannelFromUserAgent(req.headers["user-agent"]);

  const readAction = await EELogService.createAction({
@ -833,7 +842,7 @@ export const getSecrets = async (req: Request, res: Response) => {
    serviceAccountId: req.serviceAccount?._id,
    serviceTokenDataId: req.serviceTokenData?._id,
    workspaceId: new Types.ObjectId(workspaceId as string),
-    secretIds: secrets.map((n: any) => n._id),
+    secretIds: secrets.map((n: any) => n._id)
  });

  readAction &&
@ -844,7 +853,7 @@ export const getSecrets = async (req: Request, res: Response) => {
      workspaceId: new Types.ObjectId(workspaceId as string),
      actions: [readAction],
      channel,
-      ipAddress: req.realIP,
+      ipAddress: req.realIP
    }));

  const postHogClient = await TelemetryService.getPostHogClient();
@ -852,7 +861,7 @@ export const getSecrets = async (req: Request, res: Response) => {
    postHogClient.capture({
      event: "secrets pulled",
      distinctId: await TelemetryService.getDistinctId({
-        authData: req.authData,
+        authData: req.authData
      }),
      properties: {
        numberOfSecrets: secrets.length,
@ -860,13 +869,14 @@ export const getSecrets = async (req: Request, res: Response) => {
        workspaceId,
        channel,
        folderId,
-        userAgent: req.headers?.["user-agent"],
-      },
+        userAgent: req.headers?.["user-agent"]
+      }
    });
  }

  return res.status(200).send({
    secrets,
+    ...(include_imports && { imports: importedSecrets })
  });
 };

@ -920,9 +930,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
        }
    }
    */
-  const channel = req.headers?.["user-agent"]?.toLowerCase().includes("mozilla")
-    ? "web"
-    : "cli";
+  const channel = req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli";

  interface PatchSecret {
    id: string;
@ -938,51 +946,47 @@ export const updateSecrets = async (req: Request, res: Response) => {
    tags: string[];
  }

-  const updateOperationsToPerform = req.body.secrets.map(
-    (secret: PatchSecret) => {
-      const {
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag,
-        tags,
-      } = secret;
+  const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
+    const {
+      secretKeyCiphertext,
+      secretKeyIV,
+      secretKeyTag,
+      secretValueCiphertext,
+      secretValueIV,
+      secretValueTag,
+      secretCommentCiphertext,
+      secretCommentIV,
+      secretCommentTag,
+      tags
+    } = secret;

-      return {
-        updateOne: {
-          filter: { _id: new Types.ObjectId(secret.id) },
-          update: {
-            $inc: {
-              version: 1,
-            },
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            algorithm: ALGORITHM_AES_256_GCM,
-            keyEncoding: ENCODING_SCHEME_UTF8,
-            tags,
-            ...(secretCommentCiphertext !== undefined &&
-            secretCommentIV &&
-            secretCommentTag
-              ? {
-                  secretCommentCiphertext,
-                  secretCommentIV,
-                  secretCommentTag,
-                }
-              : {}),
+    return {
+      updateOne: {
+        filter: { _id: new Types.ObjectId(secret.id) },
+        update: {
+          $inc: {
+            version: 1
          },
-        },
-      };
-    }
-  );
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          algorithm: ALGORITHM_AES_256_GCM,
+          keyEncoding: ENCODING_SCHEME_UTF8,
+          tags,
+          ...(secretCommentCiphertext !== undefined && secretCommentIV && secretCommentTag
+            ? {
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag
+              }
+            : {})
+        }
+      }
+    };
+  });

  await Secret.bulkWrite(updateOperationsToPerform);

@ -1004,7 +1008,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext,
        secretCommentIV,
        secretCommentTag,
-        tags,
+        tags
      } = secretModificationsBySecretId[secret._id.toString()];

      return {
@ -1013,9 +1017,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
        workspace: secret.workspace,
        type: secret.type,
        environment: secret.environment,
-        secretKeyCiphertext: secretKeyCiphertext
-          ? secretKeyCiphertext
-          : secret.secretKeyCiphertext,
+        secretKeyCiphertext: secretKeyCiphertext ? secretKeyCiphertext : secret.secretKeyCiphertext,
        secretKeyIV: secretKeyIV ? secretKeyIV : secret.secretKeyIV,
        secretKeyTag: secretKeyTag ? secretKeyTag : secret.secretKeyTag,
        secretValueCiphertext: secretValueCiphertext
@ -1026,17 +1028,13 @@ export const updateSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext: secretCommentCiphertext
          ? secretCommentCiphertext
          : secret.secretCommentCiphertext,
-        secretCommentIV: secretCommentIV
-          ? secretCommentIV
-          : secret.secretCommentIV,
-        secretCommentTag: secretCommentTag
-          ? secretCommentTag
-          : secret.secretCommentTag,
+        secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
+        secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
        tags: tags ? tags : secret.tags,
        algorithm: ALGORITHM_AES_256_GCM,
-        keyEncoding: ENCODING_SCHEME_UTF8,
+        keyEncoding: ENCODING_SCHEME_UTF8
      };
-    }),
+    })
  };

  await EESecretService.addSecretVersions(secretVersions);
@ -1054,13 +1052,16 @@ export const updateSecrets = async (req: Request, res: Response) => {

  Object.keys(workspaceSecretObj).forEach(async (key) => {
    // trigger event - push secrets
-    setTimeout(async () => {
-      await EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: new Types.ObjectId(key),
-        }),
-      });
-    }, 10000);
+    // This route is not used anymore thus keep it commented out as it does not expose environment
+    // it will end up creating a lot of requests from the server
+    // setTimeout(async () => {
+    //   await EventService.handleEvent({
+    //     event: eventPushSecrets({
+    //       workspaceId: new Types.ObjectId(key),
+    //       environment,
+    //     })
+    //   });
+    // }, 10000);

    const updateAction = await EELogService.createAction({
      name: ACTION_UPDATE_SECRETS,
@ -1068,7 +1069,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
      serviceAccountId: req.serviceAccount?._id,
      serviceTokenDataId: req.serviceTokenData?._id,
      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id),
+      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
    });

    // (EE) create (audit) log
@ -1080,7 +1081,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
        workspaceId: new Types.ObjectId(key),
        actions: [updateAction],
        channel,
-        ipAddress: req.realIP,
+        ipAddress: req.realIP
      }));

    // (EE) take a secret snapshot
@ -1096,15 +1097,15 @@ export const updateSecrets = async (req: Request, res: Response) => {
      postHogClient.capture({
        event: "secrets modified",
        distinctId: await TelemetryService.getDistinctId({
-          authData: req.authData,
+          authData: req.authData
        }),
        properties: {
          numberOfSecrets: workspaceSecretObj[key].length,
          environment: workspaceSecretObj[key][0].environment,
          workspaceId: key,
          channel: channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
      });
    }
  });
@ -1112,9 +1113,9 @@ export const updateSecrets = async (req: Request, res: Response) => {
  return res.status(200).send({
    secrets: await Secret.find({
      _id: {
-        $in: req.secrets.map((secret: ISecret) => secret._id),
-      },
-    }),
+        $in: req.secrets.map((secret: ISecret) => secret._id)
+      }
+    })
  });
 };

@ -1174,12 +1175,12 @@ export const deleteSecrets = async (req: Request, res: Response) => {

  await Secret.deleteMany({
    _id: {
-      $in: toDelete,
-    },
+      $in: toDelete
+    }
  });

  await EESecretService.markDeletedSecretVersions({
-    secretIds: toDelete,
+    secretIds: toDelete
  });

  // group secrets into workspaces so deleted secrets can
@ -1195,18 +1196,20 @@ export const deleteSecrets = async (req: Request, res: Response) => {

  Object.keys(workspaceSecretObj).forEach(async (key) => {
    // trigger event - push secrets
-    await EventService.handleEvent({
-      event: eventPushSecrets({
-        workspaceId: new Types.ObjectId(key),
-      }),
-    });
+    // DEPRECIATED(akhilmhdh): as this would cause server to send so many request
+    // and this route is not used anymore thus like snapshot keeping it commented out
+    // await EventService.handleEvent({
+    //   event: eventPushSecrets({
+    //     workspaceId: new Types.ObjectId(key)
+    //   })
+    // });
    const deleteAction = await EELogService.createAction({
      name: ACTION_DELETE_SECRETS,
      userId: req.user?._id,
      serviceAccountId: req.serviceAccount?._id,
      serviceTokenDataId: req.serviceTokenData?._id,
      workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id),
+      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
    });

    // (EE) create (audit) log
@ -1218,7 +1221,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
        workspaceId: new Types.ObjectId(key),
        actions: [deleteAction],
        channel,
-        ipAddress: req.realIP,
+        ipAddress: req.realIP
      }));

    // (EE) take a secret snapshot
@ -1232,20 +1235,20 @@ export const deleteSecrets = async (req: Request, res: Response) => {
      postHogClient.capture({
        event: "secrets deleted",
        distinctId: await TelemetryService.getDistinctId({
-          authData: req.authData,
+          authData: req.authData
        }),
        properties: {
          numberOfSecrets: workspaceSecretObj[key].length,
          environment: workspaceSecretObj[key][0].environment,
          workspaceId: key,
          channel: channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
      });
    }
  });

  return res.status(200).send({
-    secrets: req.secrets,
+    secrets: req.secrets
  });
 };
--- a/backend/src/controllers/v2/serviceAccountsController.ts
+++ b/backend/src/controllers/v2/serviceAccountsController.ts
@ -1,18 +1,18 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import { 
    ServiceAccount,
    ServiceAccountKey,
    ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission
-} from '../../models';
+    ServiceAccountWorkspacePermission,
+} from "../../models";
 import {
-    CreateServiceAccountDto
-} from '../../interfaces/serviceAccounts/dto';
-import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
-import { getSaltRounds } from '../../config';
+    CreateServiceAccountDto,
+} from "../../interfaces/serviceAccounts/dto";
+import { BadRequestError, ServiceAccountNotFoundError } from "../../utils/errors";
+import { getSaltRounds } from "../../config";

 /**
 * Return service account tied to the request (service account) client
@ -23,11 +23,11 @@ export const getCurrentServiceAccount = async (req: Request, res: Response) => {
    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
    
    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
    }
    
    return res.status(200).send({
-        serviceAccount
+        serviceAccount,
    });
 }

@ -42,11 +42,11 @@ export const getServiceAccountById = async (req: Request, res: Response) => {
    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
    
    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
    }
    
    return res.status(200).send({
-        serviceAccount
+        serviceAccount,
    });
 }

@ -71,7 +71,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
    }

-    const secret = crypto.randomBytes(16).toString('base64');
+    const secret = crypto.randomBytes(16).toString("base64");
    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
    
    // create service account
@ -82,7 +82,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
        publicKey,
        lastUsed: new Date(),
        expiresAt,
-        secretHash
+        secretHash,
    }).save();
    
    const serviceAccountObj = serviceAccount.toObject();
@ -91,14 +91,14 @@ export const createServiceAccount = async (req: Request, res: Response) => {

    // provision default org-level permission for service account
    await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id
+        serviceAccount: serviceAccount._id,
    }).save();
    
-    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
+    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");

    return res.status(200).send({
        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj
+        serviceAccount: serviceAccountObj,
    });
 }

@ -114,18 +114,18 @@ export const changeServiceAccountName = async (req: Request, res: Response) => {
    
    const serviceAccount = await ServiceAccount.findOneAndUpdate(
        {
-            _id: new Types.ObjectId(serviceAccountId)
+            _id: new Types.ObjectId(serviceAccountId),
        },
        {
-            name
+            name,
        },
        {
-            new: true
+            new: true,
        }
    );
    
    return res.status(200).send({
-        serviceAccount
+        serviceAccount,
    });
 }

@ -140,7 +140,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
    const {
        workspaceId,
        encryptedKey,
-        nonce
+        nonce,
    } = req.body;
    
    const serviceAccountKey = await new ServiceAccountKey({
@ -148,7 +148,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
        nonce,
        sender: req.user._id,
        serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId)
+        workspace: new Types.ObjectId(workspaceId),
    }).save();

    return serviceAccountKey;
@ -161,11 +161,11 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
 */
 export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id
-    }).populate('workspace');
+        serviceAccount: req.serviceAccount._id,
+    }).populate("workspace");
    
    return res.status(200).send({
-        serviceAccountWorkspacePermissions
+        serviceAccountWorkspacePermissions,
    });
 }

@ -182,34 +182,34 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
        read = false,
        write = false,
        encryptedKey,
-        nonce
+        nonce,
    } = req.body;
    
    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
        return res.status(400).send({
-            message: 'Failed to validate workspace environment'
+            message: "Failed to validate workspace environment",
        });
    }
    
    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
        serviceAccount: new Types.ObjectId(serviceAccountId),
        workspace: new Types.ObjectId(workspaceId),
-        environment
+        environment,
    });
    
-    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
+    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });

    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
        serviceAccount: new Types.ObjectId(serviceAccountId),
        workspace: new Types.ObjectId(workspaceId),
        environment,
        read,
-        write
+        write,
    }).save();
    
    const existingServiceAccountKey = await ServiceAccountKey.findOne({
        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId) 
+        workspace: new Types.ObjectId(workspaceId), 
    });
    
    if (!existingServiceAccountKey) {
@ -218,12 +218,12 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
            nonce,
            sender: req.user._id,
            serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId)
+            workspace: new Types.ObjectId(workspaceId),
        }).save();
    }

    return res.status(200).send({
-        serviceAccountWorkspacePermission
+        serviceAccountWorkspacePermission,
    });
 }

@ -240,19 +240,19 @@ export const deleteServiceAccountWorkspacePermission = async (req: Request, res:
        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
        const count = await ServiceAccountWorkspacePermission.countDocuments({
            serviceAccount,
-            workspace
+            workspace,
        });
        
        if (count === 0) {
            await ServiceAccountKey.findOneAndDelete({
                serviceAccount,
-                workspace
+                workspace,
            });
        }
    }

    return res.status(200).send({
-        serviceAccountWorkspacePermission
+        serviceAccountWorkspacePermission,
    });
 }

@ -269,20 +269,20 @@ export const deleteServiceAccount = async (req: Request, res: Response) => {

    if (serviceAccount) {
        await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id
+            serviceAccount: serviceAccount._id,
        });

        await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
+            serviceAccount: new Types.ObjectId(serviceAccountId),
        });

        await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
+            serviceAccount: new Types.ObjectId(serviceAccountId),
        });
    }

    return res.status(200).send({
-        serviceAccount
+        serviceAccount,
    });
 }

@ -297,10 +297,10 @@ export const getServiceAccountKeys = async (req: Request, res: Response) => {
    
    const serviceAccountKeys = await ServiceAccountKey.find({
        serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
    });
    
    return res.status(200).send({
-        serviceAccountKeys
+        serviceAccountKeys,
    });
 }
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -1,18 +1,10 @@
 import { Request, Response } from "express";
 import crypto from "crypto";
 import bcrypt from "bcrypt";
-import { User, ServiceAccount, ServiceTokenData } from "../../models";
-import { userHasWorkspaceAccess } from "../../ee/helpers/checkMembershipPermissions";
-import {
-  PERMISSION_READ_SECRETS,
-  AUTH_MODE_JWT,
-  AUTH_MODE_SERVICE_ACCOUNT,
-  AUTH_MODE_SERVICE_TOKEN,
-} from "../../variables";
+import { ServiceAccount, ServiceTokenData, User } from "../../models";
+import { AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT } from "../../variables";
 import { getSaltRounds } from "../../config";
 import { BadRequestError } from "../../utils/errors";
-import Folder from "../../models/folder";
-import { getFolderByPath } from "../../services/FolderService";

 /**
 * Return service token data associated with service token on request
@ -49,14 +41,13 @@ export const getServiceTokenData = async (req: Request, res: Response) => {

  if (!(req.authData.authPayload instanceof ServiceTokenData))
    throw BadRequestError({
-      message: "Failed accepted client validation for service token data",
+      message: "Failed accepted client validation for service token data"
    });

-  const serviceTokenData = await ServiceTokenData.findById(
-    req.authData.authPayload._id
-  )
+  const serviceTokenData = await ServiceTokenData.findById(req.authData.authPayload._id)
    .select("+encryptedKey +iv +tag")
-    .populate("user");
+    .populate("user")
+    .lean();

  return res.status(200).json(serviceTokenData);
 };
@ -71,29 +62,7 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
 export const createServiceTokenData = async (req: Request, res: Response) => {
  let serviceTokenData;

-  const {
-    name,
-    workspaceId,
-    environment,
-    encryptedKey,
-    iv,
-    tag,
-    expiresIn,
-    secretPath,
-    permissions,
-  } = req.body;
-
-  const folders = await Folder.findOne({
-    workspace: workspaceId,
-    environment,
-  });
-
-  if (folders) {
-    const folder = getFolderByPath(folders.nodes, secretPath);
-    if (folder == undefined) {
-      throw BadRequestError({ message: "Path for service token does not exist" })
-    }
-  }
+  const { name, workspaceId, encryptedKey, iv, tag, expiresIn, permissions, scopes } = req.body;

  const secret = crypto.randomBytes(16).toString("hex");
  const secretHash = await bcrypt.hash(secret, await getSaltRounds());
@ -106,10 +75,7 @@ export const createServiceTokenData = async (req: Request, res: Response) => {

  let user, serviceAccount;

-  if (
-    req.authData.authMode === AUTH_MODE_JWT &&
-    req.authData.authPayload instanceof User
-  ) {
+  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
    user = req.authData.authPayload._id;
  }

@ -123,17 +89,16 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
  serviceTokenData = await new ServiceTokenData({
    name,
    workspace: workspaceId,
-    environment,
    user,
    serviceAccount,
+    scopes,
    lastUsed: new Date(),
    expiresAt,
    secretHash,
    encryptedKey,
    iv,
    tag,
-    secretPath,
-    permissions,
+    permissions
  }).save();

  // return service token data without sensitive data
@ -145,7 +110,7 @@ export const createServiceTokenData = async (req: Request, res: Response) => {

  return res.status(200).send({
    serviceToken,
-    serviceTokenData,
+    serviceTokenData
  });
 };

@ -158,11 +123,9 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
  const { serviceTokenDataId } = req.params;

-  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(
-    serviceTokenDataId
-  );
+  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);

  return res.status(200).send({
-    serviceTokenData,
+    serviceTokenData
  });
 };
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -1,14 +1,14 @@
-import { Request, Response } from 'express';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { Request, Response } from "express";
+import { MembershipOrg, User } from "../../models";
+import { completeAccount } from "../../helpers/user";
 import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import { standardRequest } from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled } from '../../config';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+	initializeDefaultOrg,
+} from "../../helpers/signup";
+import { issueAuthTokens } from "../../helpers/auth";
+import { ACCEPTED, INVITED } from "../../variables";
+import { standardRequest } from "../../config/request";
+import { getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";

 /**
 * Complete setting up user by adding their personal and auth information as part of the
@ -18,7 +18,7 @@ import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 * @returns
 */
 export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
+	let user;
  const {
    email,
    firstName,
@ -32,7 +32,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
    encryptedPrivateKeyTag,
    salt,
    verifier,
-    organizationName
+    organizationName,
  }: {
    email: string;
    firstName: string;
@ -56,7 +56,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
    // case 1: user doesn't exist.
    // case 2: user has already completed account
    return res.status(403).send({
-      error: 'Failed to complete account for complete user'
+      error: "Failed to complete account for complete user",
    });
  }

@ -74,28 +74,28 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
    encryptedPrivateKeyIV,
    encryptedPrivateKeyTag,
    salt,
-    verifier
+    verifier,
  });

  if (!user)
-    throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+    throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null

  // initialize default organization and workspace
  await initializeDefaultOrg({
    organizationName,
-    user
+    user,
  });

  // update organization membership statuses that are
  // invited to completed with user attached
  const membershipsToUpdate = await MembershipOrg.find({
    inviteEmail: email,
-    status: INVITED
+    status: INVITED,
  });
  
  membershipsToUpdate.forEach(async (membership) => {
    await updateSubscriptionOrgQuantity({
-      organizationId: membership.organization.toString()
+      organizationId: membership.organization.toString(),
    });
  });

@ -104,11 +104,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  await MembershipOrg.updateMany(
    {
      inviteEmail: email,
-      status: INVITED
+      status: INVITED,
    },
    {
      user,
-      status: ACCEPTED
+      status: ACCEPTED,
    }
  );

@ -116,10 +116,10 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  const tokens = await issueAuthTokens({
    userId: user._id,
    ip: req.realIP,
-    userAgent: req.headers['user-agent'] ?? ''
+    userAgent: req.headers["user-agent"] ?? "",
  });

-  token = tokens.token;
+  const token = tokens.token;

  // sending a welcome email to new users
  if (await getLoopsApiKey()) {
@ -127,27 +127,27 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
      "email": email,
      "eventName": "Sign Up",
      "firstName": firstName,
-      "lastName": lastName
+      "lastName": lastName,
    }, {
      headers: {
        "Accept": "application/json",
-        "Authorization": "Bearer " + (await getLoopsApiKey())
+        "Authorization": "Bearer " + (await getLoopsApiKey()),
      },
    });
  }

  // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
    httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: await getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
  });

 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };

@ -159,7 +159,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 * @returns
 */
 export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
+	let user;
  const {
    email,
    firstName,
@ -172,7 +172,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
    encryptedPrivateKeyIV,
    encryptedPrivateKeyTag,
    salt,
-    verifier
+    verifier,
  } = req.body;

  // get user
@ -182,16 +182,16 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
    // case 1: user doesn't exist.
    // case 2: user has already completed account
    return res.status(403).send({
-      error: 'Failed to complete account for complete user'
+      error: "Failed to complete account for complete user",
    });
  }

  const membershipOrg = await MembershipOrg.findOne({
    inviteEmail: email,
-    status: INVITED
+    status: INVITED,
  });

-  if (!membershipOrg) throw new Error('Failed to find invitations for email');
+  if (!membershipOrg) throw new Error("Failed to find invitations for email");

  // complete setting up user's account
  user = await completeAccount({
@ -207,33 +207,33 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
    encryptedPrivateKeyIV,
    encryptedPrivateKeyTag,
    salt,
-    verifier
+    verifier,
  });

  if (!user)
-    throw new Error('Failed to complete account for non-existent user');
+    throw new Error("Failed to complete account for non-existent user");
  
  // update organization membership statuses that are
  // invited to completed with user attached
  const membershipsToUpdate = await MembershipOrg.find({
    inviteEmail: email,
-    status: INVITED
+    status: INVITED,
  });
  
  membershipsToUpdate.forEach(async (membership) => {
    await updateSubscriptionOrgQuantity({
-      organizationId: membership.organization.toString()
+      organizationId: membership.organization.toString(),
    });
  });

  await MembershipOrg.updateMany(
    {
      inviteEmail: email,
-      status: INVITED
+      status: INVITED,
    },
    {
      user,
-      status: ACCEPTED
+      status: ACCEPTED,
    }
  );

@ -241,22 +241,22 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
  const tokens = await issueAuthTokens({
    userId: user._id,
    ip: req.realIP,
-    userAgent: req.headers['user-agent'] ?? ''
+    userAgent: req.headers["user-agent"] ?? "",
  });

-  token = tokens.token;
+  const token = tokens.token;

  // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
    httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: await getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
  });

 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -1,71 +1,59 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Membership, Secret } from "../../models";
+import Tag from "../../models/tag";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";

 export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
-
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
-
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
-
-		throw err
-	}
-
-	res.json(createdTag)
-}
+  const { workspaceId } = req.params;
+  const { name, slug } = req.body;
+  
+  const tagToCreate = {
+      name,
+      workspace: new Types.ObjectId(workspaceId),
+      slug,
+      user: new Types.ObjectId(req.user._id),
+    };
+  
+  const createdTag = await new Tag(tagToCreate).save();
+  
+  res.json(createdTag);
+};

 export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
+  const { tagId } = req.params;

-	const tagFromDB = await Tag.findById(tagId)
-	if (!tagFromDB) {
-		throw BadRequestError()
-	}
+  const tagFromDB = await Tag.findById(tagId);
+  if (!tagFromDB) {
+    throw BadRequestError();
+  }

-	// can only delete if the request user is one that belongs to the same workspace as the tag
-	const membership = await Membership.findOne({
-		user: req.user,
-		workspace: tagFromDB.workspace
-	});
+  // can only delete if the request user is one that belongs to the same workspace as the tag
+  const membership = await Membership.findOne({
+    user: req.user,
+    workspace: tagFromDB.workspace
+  });

-	if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
-	}
+  if (!membership) {
+    UnauthorizedRequestError({ message: "Failed to validate membership" });
+  }

-	const result = await Tag.findByIdAndDelete(tagId);
+  const result = await Tag.findByIdAndDelete(tagId);

-	// remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
+  // remove the tag from secrets
+  await Secret.updateMany({ tags: { $in: [tagId] } }, { $pull: { tags: tagId } });

-	res.json(result);
-}
+  res.json(result);
+};

 export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
-	return res.json({
-		workspaceTags
-	})
-}
+  const { workspaceId } = req.params;
+  
+  const workspaceTags = await Tag.find({ 
+    workspace: new Types.ObjectId(workspaceId) 
+  });
+  
+  return res.json({
+    workspaceTags
+  });
+};
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -1,8 +1,15 @@
-import { Request, Response } from 'express';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import {
-    User,
-    MembershipOrg
-} from '../../models';
+    APIKeyData,
+    AuthProvider,
+    MembershipOrg,
+    TokenVersion,
+    User
+} from "../../models";
+import { getSaltRounds } from "../../config";

 /**
 * Return the current user.
@ -38,10 +45,10 @@ export const getMe = async (req: Request, res: Response) => {
    */
    const user = await User
        .findById(req.user._id)
-        .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
+        .select("+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag");
    
    return res.status(200).send({
-        user
+        user,
    });
 }

@ -60,7 +67,7 @@ export const updateMyMfaEnabled = async (req: Request, res: Response) => {
    if (isMfaEnabled) { 
        // TODO: adapt this route/controller 
        // to work for different forms of MFA
-        req.user.mfaMethods = ['email'];
+        req.user.mfaMethods = ["email"];
    } else {
        req.user.mfaMethods = [];
    }
@ -69,6 +76,67 @@ export const updateMyMfaEnabled = async (req: Request, res: Response) => {
    
    const user = req.user;
    
+    return res.status(200).send({
+        user,
+    });
+}
+
+/**
+ * Update name of the current user to [firstName, lastName].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateName = async (req: Request, res: Response) => {
+    const { 
+        firstName, 
+        lastName 
+    }: { 
+        firstName: string; 
+        lastName: string; 
+    } = req.body;
+    
+    const user = await User.findByIdAndUpdate(
+        req.user._id.toString(),
+        {
+            firstName,
+            lastName: lastName ?? ""
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send({
+        user,
+    });
+}
+
+/**
+ * Update auth provider of the current user to [authProvider]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateAuthProvider = async (req: Request, res: Response) => {
+    const {
+        authProvider
+    } = req.body;
+    
+    if (req.user?.authProvider === AuthProvider.OKTA_SAML) return res.status(400).send({
+        message: "Failed to update user authentication method because SAML SSO is enforced"
+    });
+
+    const user = await User.findByIdAndUpdate(
+        req.user._id.toString(),
+        {
+            authProvider
+        },
+        {
+            new: true
+        }
+    );
+
    return res.status(200).send({
        user
    });
@ -109,11 +177,114 @@ export const getMyOrganizations = async (req: Request, res: Response) => {
    */
  const organizations = (
    await MembershipOrg.find({
-      user: req.user._id
-    }).populate('organization')
+      user: req.user._id,
+    }).populate("organization")
  ).map((m) => m.organization);

 	return res.status(200).send({
-		organizations
+		organizations,
 	});
 }
+
+/**
+ * Return API keys belonging to current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMyAPIKeys = async (req: Request, res: Response) => {
+    const apiKeyData = await APIKeyData.find({
+		user: req.user._id,
+	});
+
+	return res.status(200).send(apiKeyData);
+}
+
+/**
+ * Create new API key for current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createAPIKey = async (req: Request, res: Response) => {
+	const { name, expiresIn } = req.body;
+
+	const secret = crypto.randomBytes(16).toString("hex");
+	const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+
+	const expiresAt = new Date();
+	expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+	let apiKeyData = await new APIKeyData({
+		name,
+		lastUsed: new Date(),
+		expiresAt,
+		user: req.user._id,
+		secretHash,
+	}).save();
+
+	// return api key data without sensitive data
+	apiKeyData = (await APIKeyData.findById(apiKeyData._id)) as any;
+
+	if (!apiKeyData) throw new Error("Failed to find API key data");
+
+	const apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+
+	return res.status(200).send({
+		apiKey,
+		apiKeyData,
+	});
+}
+
+/**
+ * Delete API key with id [apiKeyDataId] belonging to current user
+ * @param req 
+ * @param res 
+ */
+export const deleteAPIKey = async (req: Request, res: Response) => {
+    const { apiKeyDataId } = req.params;
+
+    const apiKeyData = await APIKeyData.findOneAndDelete({
+        _id: new Types.ObjectId(apiKeyDataId),
+        user: req.user._id
+    });
+
+	return res.status(200).send({
+		apiKeyData
+	});
+}
+
+/**
+ * Return active sessions (TokenVersion) belonging to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMySessions = async (req: Request, res: Response) => {
+    const tokenVersions = await TokenVersion.find({
+        user: req.user._id
+    });
+    
+    return res.status(200).send(tokenVersions);
+}
+
+/**
+ * Revoke all active sessions belong to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteMySessions = async (req: Request, res: Response) => {
+    await TokenVersion.updateMany({
+        user: req.user._id,
+    }, {
+        $inc: {
+            refreshVersion: 1,
+            accessVersion: 1,
+        },
+    });
+
+    return res.status(200).send({
+        message: "Successfully revoked all sessions"
+    });
+}
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -1,40 +1,29 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Key, Membership, ServiceTokenData, Workspace } from "../../models";
 import {
-	Workspace,
-	Secret,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
-	Key,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
-import {
-	v2PushSecrets as push,
-	pullSecrets as pull,
-	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { TelemetryService, EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
+  pullSecrets as pull,
+  v2PushSecrets as push,
+  reformatPullSecrets
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { EventService, TelemetryService } from "../../services";
+import { eventPushSecrets } from "../../events";

 interface V2PushSecret {
-	type: string; // personal or shared
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretKeyHash: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	secretValueHash: string;
-	secretCommentCiphertext?: string;
-	secretCommentIV?: string;
-	secretCommentTag?: string;
-	secretCommentHash?: string;
+  type: string; // personal or shared
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretKeyHash: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  secretValueHash: string;
+  secretCommentCiphertext?: string;
+  secretCommentIV?: string;
+  secretCommentTag?: string;
+  secretCommentHash?: string;
 }

 /**
@ -45,7 +34,7 @@ interface V2PushSecret {
 * @returns
 */
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
-	// upload (encrypted) secrets to workspace with id [workspaceId]
+  // upload (encrypted) secrets to workspace with id [workspaceId]
  const postHogClient = await TelemetryService.getPostHogClient();
  let { secrets }: { secrets: V2PushSecret[] } = req.body;
  const { keys, environment, channel } = req.body;
@ -54,12 +43,12 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
  // validate environment
  const workspaceEnvs = req.membership.workspace.environments;
  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
  }

  // sanitize secrets
  secrets = secrets.filter(
-    (s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+    (s: V2PushSecret) => s.secretKeyCiphertext !== "" && s.secretValueCiphertext !== ""
  );

  await push({
@ -67,7 +56,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
    workspaceId,
    environment,
    secrets,
-    channel: channel ? channel : 'cli',
+    channel: channel ? channel : "cli",
    ipAddress: req.realIP
  });

@ -79,13 +68,13 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {

  if (postHogClient) {
    postHogClient.capture({
-      event: 'secrets pushed',
+      event: "secrets pushed",
      distinctId: req.user.email,
      properties: {
        numberOfSecrets: secrets.length,
        environment,
        workspaceId,
-        channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
      }
    });
  }
@ -94,13 +83,14 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
  EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
-      environment
+      environment,
+      secretPath: "/"
    })
  });

-	return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
-	});
+  return res.status(200).send({
+    message: "Successfully uploaded workspace secrets"
+  });
 };

 /**
@ -111,7 +101,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 * @returns
 */
 export const pullSecrets = async (req: Request, res: Response) => {
-	let secrets;
+  let secrets;
  const postHogClient = await TelemetryService.getPostHogClient();
  const environment: string = req.query.environment as string;
  const channel: string = req.query.channel as string;
@ -126,18 +116,18 @@ export const pullSecrets = async (req: Request, res: Response) => {
  // validate environment
  const workspaceEnvs = req.membership.workspace.environments;
  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
  }

  secrets = await pull({
    userId,
    workspaceId,
    environment,
-    channel: channel ? channel : 'cli',
+    channel: channel ? channel : "cli",
    ipAddress: req.realIP
  });

-  if (channel !== 'cli') {
+  if (channel !== "cli") {
    secrets = reformatPullSecrets({ secrets });
  }

@ -145,23 +135,23 @@ export const pullSecrets = async (req: Request, res: Response) => {
    // capture secrets pushed event in production
    postHogClient.capture({
      distinctId: req.user.email,
-      event: 'secrets pulled',
+      event: "secrets pulled",
      properties: {
        numberOfSecrets: secrets.length,
        environment,
        workspaceId,
-        channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
      }
    });
  }

-	return res.status(200).send({
-		secrets
-	});
+  return res.status(200).send({
+    secrets
+  });
 };

 export const getWorkspaceKey = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Return encrypted project key'
    #swagger.description = 'Return encrypted project key'
    
@ -189,43 +179,37 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
        }
    }   
    */
-	let key;
  const { workspaceId } = req.params;

-  key = await Key.findOne({
+  const key = await Key.findOne({
    workspace: workspaceId,
    receiver: req.user._id
-  }).populate('sender', '+publicKey');
+  }).populate("sender", "+publicKey");

-  if (!key) throw new Error('Failed to find workspace key');
+  if (!key) throw new Error("Failed to find workspace key");

-	return res.status(200).json(key);
-}
-export const getWorkspaceServiceTokenData = async (
-	req: Request,
-	res: Response
-) => {
+  return res.status(200).json(key);
+};
+export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
  const { workspaceId } = req.params;

-  const serviceTokenData = await ServiceTokenData
-    .find({
-      workspace: workspaceId
-    })
-    .select('+encryptedKey +iv +tag');
+  const serviceTokenData = await ServiceTokenData.find({
+    workspace: workspaceId
+  }).select("+encryptedKey +iv +tag");

-	return res.status(200).send({
-		serviceTokenData
-	});
-}
+  return res.status(200).send({
+    serviceTokenData
+  });
+};

 /**
 * Return memberships for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Return project memberships'
    #swagger.description = 'Return project memberships'
    
@ -262,21 +246,21 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {

  const memberships = await Membership.find({
    workspace: workspaceId
-  }).populate('user', '+publicKey');
+  }).populate("user", "+publicKey");

-	return res.status(200).send({
-		memberships
-	});
-}
+  return res.status(200).send({
+    memberships
+  });
+};

 /**
 * Update role of membership with id [membershipId] to role [role]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const updateWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Update project membership'
    #swagger.description = 'Update project membership'
    
@ -329,33 +313,32 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
        }
    }   
    */
-  const {
-    membershipId
-  } = req.params;
+  const { membershipId } = req.params;
  const { role } = req.body;
-  
+
  const membership = await Membership.findByIdAndUpdate(
    membershipId,
    {
      role
-    }, {
+    },
+    {
      new: true
    }
  );

-	return res.status(200).send({
-		membership
-	}); 
-}
+  return res.status(200).send({
+    membership
+  });
+};

 /**
 * Delete workspace membership with id [membershipId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Delete project membership'
    #swagger.description = 'Delete project membership'
    
@ -391,23 +374,21 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
        }
    }   
    */
-  const { 
-    membershipId
-  } = req.params;
-  
+  const { membershipId } = req.params;
+
  const membership = await Membership.findByIdAndDelete(membershipId);
-  
-  if (!membership) throw new Error('Failed to delete workspace membership');
-  
+
+  if (!membership) throw new Error("Failed to delete workspace membership");
+
  await Key.deleteMany({
    receiver: membership.user,
    workspace: membership.workspace
  });
-	
-	return res.status(200).send({
-		membership
-	});
-}
+
+  return res.status(200).send({
+    membership
+  });
+};

 /**
 * Change autoCapitilzation Rule of workspace
@ -431,8 +412,8 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
    }
  );

-	return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
-		workspace
-	});
+  return res.status(200).send({
+    message: "Successfully changed autoCapitalization setting",
+    workspace
+  });
 };
--- a/backend/src/controllers/v3/authController.ts
+++ b/backend/src/controllers/v3/authController.ts
@ -1,29 +1,29 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken, validateProviderAuthToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
+import { Request, Response } from "express";
+import jwt from "jsonwebtoken";
+import * as Sentry from "@sentry/node";
+import * as bigintConversion from "bigint-conversion";
+const jsrp = require("jsrp");
+import { LoginSRPDetail, User } from "../../models";
+import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELogService } from "../../ee/services";
+import { BadRequestError, InternalServerError } from "../../utils/errors";
 import {
+    ACTION_LOGIN,
    TOKEN_EMAIL_MFA,
-    ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+} from "../../variables";
+import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
 import {
+    getHttpsEnabled,
    getJwtMfaLifetime,
    getJwtMfaSecret,
-    getHttpsEnabled,
-} from '../../config';
-import { AuthProvider } from '../../models/user';
+} from "../../config";
+import { AuthProvider } from "../../models/user";

-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
        userId: string;
        email: string;
@ -43,7 +43,7 @@ export const login1 = async (req: Request, res: Response) => {
        const {
            email,
            providerAuthToken,
-            clientPublicKey
+            clientPublicKey,
        }: {
            email: string;
            clientPublicKey: string,
@ -52,11 +52,11 @@ export const login1 = async (req: Request, res: Response) => {

        const user = await User.findOne({
            email,
-        }).select('+salt +verifier');
+        }).select("+salt +verifier");

-        if (!user) throw new Error('Failed to find user');
+        if (!user) throw new Error("Failed to find user");

-        if (user.authProvider) {
+        if (user.authProvider && user.authProvider !== AuthProvider.EMAIL) {
            await validateProviderAuthToken({
                email,
                user,
@ -68,13 +68,13 @@ export const login1 = async (req: Request, res: Response) => {
        server.init(
            {
                salt: user.salt,
-                verifier: user.verifier
+                verifier: user.verifier,
            },
            async () => {
                // generate server-side public key
                const serverPublicKey = server.getPublicKey();
                await LoginSRPDetail.findOneAndReplace({
-                    email: email
+                    email: email,
                }, {
                    email,
                    userId: user.id,
@ -84,7 +84,7 @@ export const login1 = async (req: Request, res: Response) => {

                return res.status(200).send({
                    serverPublicKey,
-                    salt: user.salt
+                    salt: user.salt,
                });
            }
        );
@ -92,7 +92,7 @@ export const login1 = async (req: Request, res: Response) => {
        Sentry.setUser(null);
        Sentry.captureException(err);
        return res.status(400).send({
-            message: 'Failed to start authentication process'
+            message: "Failed to start authentication process",
        });
    }
 };
@ -107,17 +107,17 @@ export const login1 = async (req: Request, res: Response) => {
 export const login2 = async (req: Request, res: Response) => {
    try {

-        if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+        if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });

        const { email, clientProof, providerAuthToken } = req.body;

        const user = await User.findOne({
            email,
-        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
+        }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");

-        if (!user) throw new Error('Failed to find user');
+        if (!user) throw new Error("Failed to find user");

-        if (user.authProvider) {
+        if (user.authProvider && user.authProvider !== AuthProvider.EMAIL) {
            await validateProviderAuthToken({
                email,
                user,
@ -136,7 +136,7 @@ export const login2 = async (req: Request, res: Response) => {
            {
                salt: user.salt,
                verifier: user.verifier,
-                b: loginSRPDetail.serverBInt
+                b: loginSRPDetail.serverBInt,
            },
            async () => {
                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
@ -150,52 +150,52 @@ export const login2 = async (req: Request, res: Response) => {
                        // generate temporary MFA token
                        const token = createToken({
                            payload: {
-                                userId: user._id.toString()
+                                userId: user._id.toString(),
                            },
                            expiresIn: await getJwtMfaLifetime(),
-                            secret: await getJwtMfaSecret()
+                            secret: await getJwtMfaSecret(),
                        });

                        const code = await TokenService.createToken({
                            type: TOKEN_EMAIL_MFA,
-                            email
+                            email,
                        });

                        // send MFA code [code] to [email]
                        await sendMail({
-                            template: 'emailMfa.handlebars',
-                            subjectLine: 'Infisical MFA code',
+                            template: "emailMfa.handlebars",
+                            subjectLine: "Infisical MFA code",
                            recipients: [user.email],
                            substitutions: {
-                                code
-                            }
+                                code,
+                            },
                        });

                        return res.status(200).send({
                            mfaEnabled: true,
-                            token
+                            token,
                        });
                    }

                    await checkUserDevice({
                        user,
                        ip: req.realIP,
-                        userAgent: req.headers['user-agent'] ?? ''
+                        userAgent: req.headers["user-agent"] ?? "",
                    });

                    // issue tokens
                    const tokens = await issueAuthTokens({ 
                        userId: user._id,
                        ip: req.realIP,
-                        userAgent: req.headers['user-agent'] ?? ''
+                        userAgent: req.headers["user-agent"] ?? "",
                    });

                    // store (refresh) token in httpOnly cookie
-                    res.cookie('jid', tokens.refreshToken, {
+                    res.cookie("jid", tokens.refreshToken, {
                        httpOnly: true,
-                        path: '/',
-                        sameSite: 'strict',
-                        secure: await getHttpsEnabled()
+                        path: "/",
+                        sameSite: "strict",
+                        secure: await getHttpsEnabled(),
                    });

                    // case: user does not have MFA enablgged
@ -221,7 +221,7 @@ export const login2 = async (req: Request, res: Response) => {
                        publicKey: user.publicKey,
                        encryptedPrivateKey: user.encryptedPrivateKey,
                        iv: user.iv,
-                        tag: user.tag
+                        tag: user.tag,
                    }

                    if (
@ -236,21 +236,21 @@ export const login2 = async (req: Request, res: Response) => {

                    const loginAction = await EELogService.createAction({
                        name: ACTION_LOGIN,
-                        userId: user._id
+                        userId: user._id,
                    });

                    loginAction && await EELogService.createLog({
                        userId: user._id,
                        actions: [loginAction],
-                        channel: getChannelFromUserAgent(req.headers['user-agent']),
-                        ipAddress: req.realIP
+                        channel: getChannelFromUserAgent(req.headers["user-agent"]),
+                        ipAddress: req.realIP,
                    });

                    return res.status(200).send(response);
                }

                return res.status(400).send({
-                    message: 'Failed to authenticate. Try again?'
+                    message: "Failed to authenticate. Try again?",
                });
            }
        );
@ -258,7 +258,7 @@ export const login2 = async (req: Request, res: Response) => {
        Sentry.setUser(null);
        Sentry.captureException(err);
        return res.status(400).send({
-            message: 'Failed to authenticate. Try again?'
+            message: "Failed to authenticate. Try again?",
        });
    }
 };
--- a/backend/src/controllers/v3/index.ts
+++ b/backend/src/controllers/v3/index.ts
@ -1,7 +1,7 @@
-import * as secretsController from './secretsController';
-import * as workspacesController from './workspacesController';
-import * as authController from './authController';
-import * as signupController from './signupController';
+import * as secretsController from "./secretsController";
+import * as workspacesController from "./workspacesController";
+import * as authController from "./authController";
+import * as signupController from "./signupController";

 export {
    authController,
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -1,7 +1,279 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { SecretService, EventService } from "../../services";
+import { EventService, SecretService } from "../../services";
 import { eventPushSecrets } from "../../events";
+import { BotService } from "../../services";
+import { containsGlobPatterns, repackageSecretToRaw } from "../../helpers/secrets";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+import { getAllImportedSecrets } from "../../services/SecretImportService";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
+import { BadRequestError } from "../../utils/errors";
+import { IServiceTokenData } from "../../models";
+import { requireWorkspaceAuth } from "../../middleware";
+import { ADMIN, MEMBER, PERMISSION_READ_SECRETS } from "../../variables";
+
+/**
+ * Return secrets for workspace with id [workspaceId] and environment
+ * [environment] in plaintext
+ * @param req
+ * @param res
+ */
+export const getSecretsRaw = async (req: Request, res: Response) => {
+  let workspaceId = req.query.workspaceId as string;
+  let environment = req.query.environment as string;
+  let secretPath = req.query.secretPath as string;
+  const includeImports = req.query.include_imports as string;
+
+  // if the service token has single scope, it will get all secrets for that scope by default 
+  const serviceTokenDetails: IServiceTokenData = req?.serviceTokenData
+  if (serviceTokenDetails) {
+    if (serviceTokenDetails.scopes.length == 1 && !containsGlobPatterns(serviceTokenDetails.scopes[0].secretPath)) {
+      const scope = serviceTokenDetails.scopes[0]
+      secretPath = scope.secretPath
+      environment = scope.environment
+      workspaceId = serviceTokenDetails.workspace.toString()
+    } else {
+      requireWorkspaceAuth({
+        acceptedRoles: [ADMIN, MEMBER],
+        locationWorkspaceId: "query",
+        locationEnvironment: "query",
+        requiredPermissions: [PERMISSION_READ_SECRETS],
+        requireBlindIndicesEnabled: true,
+        requireE2EEOff: true
+      })
+    }
+  }
+
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (includeImports) {
+    const folders = await Folder.findOne({ workspace: workspaceId, environment });
+    let folderId = "root";
+    // if folder exist get it and replace folderid with new one
+    if (folders) {
+      const folder = getFolderByPath(folders.nodes, secretPath as string);
+      if (!folder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = folder.id;
+    }
+    const importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+    return res.status(200).send({
+      secrets: secrets.map((secret) =>
+        repackageSecretToRaw({
+          secret,
+          key
+        })
+      ),
+      imports: importedSecrets.map((el) => ({
+        ...el,
+        secrets: el.secrets.map((secret) => repackageSecretToRaw({ secret, key }))
+      }))
+    });
+  }
+
+  return res.status(200).send({
+    secrets: secrets.map((secret) => {
+      const rep = repackageSecretToRaw({
+        secret,
+        key
+      });
+      return rep;
+    })
+  });
+};
+
+/**
+ * Return secret with name [secretName] in plaintext
+ * @param req
+ * @param res
+ */
+export const getSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
+
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Create secret with name [secretName] in plaintext
+ * @param req
+ * @param res
+ */
+export const createSecretRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretValue, secretComment, secretPath = "/" } = req.body;
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretName,
+    key
+  });
+
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+
+  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretComment,
+    key
+  });
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+    secretKeyIV: secretKeyEncrypted.iv,
+    secretKeyTag: secretKeyEncrypted.tag,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+    secretCommentIV: secretCommentEncrypted.iv,
+    secretCommentTag: secretCommentEncrypted.tag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret: secretWithoutBlindIndex,
+      key
+    })
+  });
+};
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const updateSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretValue, secretPath = "/" } = req.body;
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Delete secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretPath = "/" } = req.body;
+
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};

 /**
 * Get secrets for workspace with id [workspaceId] and environment
@ -13,21 +285,40 @@ export const getSecrets = async (req: Request, res: Response) => {
  const workspaceId = req.query.workspaceId as string;
  const environment = req.query.environment as string;
  const secretPath = req.query.secretPath as string;
+  const includeImports = req.query.include_imports as string;

  const secrets = await SecretService.getSecrets({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
    secretPath,
-    authData: req.authData,
+    authData: req.authData
  });

+  if (includeImports) {
+    const folders = await Folder.findOne({ workspace: workspaceId, environment });
+    let folderId = "root";
+    // if folder exist get it and replace folderid with new one
+    if (folders) {
+      const folder = getFolderByPath(folders.nodes, secretPath as string);
+      if (!folder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = folder.id;
+    }
+    const importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+    return res.status(200).send({
+      secrets,
+      imports: importedSecrets
+    });
+  }
+
  return res.status(200).send({
-    secrets,
+    secrets
  });
 };

 /**
- * Get secret with name [secretName]
+ * Return secret with name [secretName]
 * @param req
 * @param res
 */
@ -44,11 +335,11 @@ export const getSecretByName = async (req: Request, res: Response) => {
    environment,
    type,
    secretPath,
-    authData: req.authData,
+    authData: req.authData
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };

@ -72,7 +363,7 @@ export const createSecret = async (req: Request, res: Response) => {
    secretCommentCiphertext,
    secretCommentIV,
    secretCommentTag,
-    secretPath = "/",
+    secretPath = "/"
  } = req.body;

  const secret = await SecretService.createSecret({
@ -88,27 +379,24 @@ export const createSecret = async (req: Request, res: Response) => {
    secretValueIV,
    secretValueTag,
    secretPath,
-    ...(secretCommentCiphertext && secretCommentIV && secretCommentTag
-      ? {
-          secretCommentCiphertext,
-          secretCommentIV,
-          secretCommentTag,
-        }
-      : {}),
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  const secretWithoutBlindIndex = secret.toObject();
  delete secretWithoutBlindIndex.secretBlindIndex;

  return res.status(200).send({
-    secret: secretWithoutBlindIndex,
+    secret: secretWithoutBlindIndex
  });
 };

@ -126,7 +414,7 @@ export const updateSecretByName = async (req: Request, res: Response) => {
    secretValueCiphertext,
    secretValueIV,
    secretValueTag,
-    secretPath = "/",
+    secretPath = "/"
  } = req.body;

  const secret = await SecretService.updateSecret({
@ -138,18 +426,19 @@ export const updateSecretByName = async (req: Request, res: Response) => {
    secretValueCiphertext,
    secretValueIV,
    secretValueTag,
-    secretPath,
+    secretPath
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };

@ -168,17 +457,18 @@ export const deleteSecretByName = async (req: Request, res: Response) => {
    environment,
    type,
    authData: req.authData,
-    secretPath,
+    secretPath
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };
--- a/backend/src/controllers/v3/signupController.ts
+++ b/backend/src/controllers/v3/signupController.ts
@ -1,17 +1,18 @@
-import jwt from 'jsonwebtoken';
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import jwt from "jsonwebtoken";
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { MembershipOrg, User } from "../../models";
+import { completeAccount } from "../../helpers/user";
 import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens, validateProviderAuthToken } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import { standardRequest } from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled, getJwtSignupSecret } from '../../config';
-import { BadRequestError } from '../../utils/errors';
-import { TelemetryService } from '../../services';
+	initializeDefaultOrg,
+} from "../../helpers/signup";
+import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
+import { ACCEPTED, INVITED } from "../../variables";
+import { standardRequest } from "../../config/request";
+import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import { TelemetryService } from "../../services";
+import { AuthProvider } from "../../models";

 /**
 * Complete setting up user by adding their personal and auth information as part of the
@ -63,7 +64,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
 			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
+				error: "Failed to complete account for complete user",
 			});
 		}

@ -74,16 +75,16 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 				user,
 			});
 		} else {
-			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers["authorization"]?.split(" ", 2) ?? [null, null]
 			if (AUTH_TOKEN_TYPE === null) {
-				throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+				throw BadRequestError({ message: "Missing Authorization Header in the request header." });
 			}
-			if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') {
+			if (AUTH_TOKEN_TYPE.toLowerCase() !== "bearer") {
 				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
 			}
 			if (AUTH_TOKEN_VALUE === null) {
 				throw BadRequestError({
-					message: 'Missing Authorization Body in the request header',
+					message: "Missing Authorization Body in the request header",
 				})
 			}

@ -110,28 +111,30 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			encryptedPrivateKeyIV,
 			encryptedPrivateKeyTag,
 			salt,
-			verifier
+			verifier,
 		});

 		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+			throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null

-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
+		if (user.authProvider !== AuthProvider.OKTA_SAML) {
+			// initialize default organization and workspace
+			await initializeDefaultOrg({
+				organizationName,
+				user,
+			});
+		}

 		// update organization membership statuses that are
 		// invited to completed with user attached
 		await MembershipOrg.updateMany(
 			{
 				inviteEmail: email,
-				status: INVITED
+				status: INVITED,
 			},
 			{
 				user,
-				status: ACCEPTED
+				status: ACCEPTED,
 			}
 		);

@ -139,7 +142,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		const tokens = await issueAuthTokens({
 			userId: user._id,
 			ip: req.realIP,
-			userAgent: req.headers['user-agent'] ?? ''
+			userAgent: req.headers["user-agent"] ?? "",
 		});

 		token = tokens.token;
@ -150,45 +153,45 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
-				"lastName": lastName
+				"lastName": lastName,
 			}, {
 				headers: {
 					"Accept": "application/json",
-					"Authorization": "Bearer " + (await getLoopsApiKey())
+					"Authorization": "Bearer " + (await getLoopsApiKey()),
 				},
 			});
 		}

 		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
+		res.cookie("jid", tokens.refreshToken, {
 			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
+			path: "/",
+			sameSite: "strict",
+			secure: await getHttpsEnabled(),
 		});

 		const postHogClient = await TelemetryService.getPostHogClient();
 		if (postHogClient) {
 			postHogClient.capture({
-				event: 'User Signed Up',
+				event: "User Signed Up",
 				distinctId: email,
 				properties: {
 					email,
-					attributionSource
-				}
+					...(attributionSource ? { attributionSource } : {})
+				},
 			});
 		}
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to complete account setup'
+			message: "Failed to complete account setup",
 		});
 	}

 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };
--- a/backend/src/controllers/v3/workspacesController.ts
+++ b/backend/src/controllers/v3/workspacesController.ts
@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { Secret } from '../../models';
-import { SecretService } from'../../services';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Secret } from "../../models";
+import { SecretService } from"../../services";

 /**
 * Return whether or not all secrets in workspace with id [workspaceId]
@ -16,8 +16,8 @@ export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response)
    const secretsWithoutBlindIndex = await Secret.countDocuments({
        workspace: new Types.ObjectId(workspaceId),
        secretBlindIndex: {
-            $exists: false
-        }
+            $exists: false,
+        },
    });

    return res.status(200).send(secretsWithoutBlindIndex === 0);
@ -30,11 +30,11 @@ export const getWorkspaceSecrets = async (req: Request, res: Response) => {
    const { workspaceId } = req.params;

    const secrets = await Secret.find({
-        workspace: new Types.ObjectId (workspaceId)
+        workspace: new Types.ObjectId (workspaceId),
    });
    
    return res.status(200).send({
-        secrets
+        secrets,
    });
 }

@ -51,14 +51,14 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {

    const { workspaceId } = req.params;
    const { 
-        secretsToUpdate 
+        secretsToUpdate, 
    }: {
        secretsToUpdate: SecretToUpdate[];
    } = req.body;

    // get secret blind index salt
    const salt = await SecretService.getSecretBlindIndexSalt({
-        workspaceId: new Types.ObjectId(workspaceId)
+        workspaceId: new Types.ObjectId(workspaceId),
    });

    // update secret blind indices
@ -66,18 +66,18 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
                secretName: secretToUpdate.secretName,
-                salt
+                salt,
            });
    
            return ({
                updateOne: {
                    filter: {
-                        _id: new Types.ObjectId(secretToUpdate._id)
+                        _id: new Types.ObjectId(secretToUpdate._id),
                    },
                    update: {
-                        secretBlindIndex
-                    }
-                }
+                        secretBlindIndex,
+                    },
+                },
            });
        })
    );
@ -85,6 +85,6 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
    await Secret.bulkWrite(operations);

    return res.status(200).send({
-        message: 'Successfully named workspace secrets'
+        message: "Successfully named workspace secrets",
    });
 }
--- a/backend/src/ee/controllers/v1/actionController.ts
+++ b/backend/src/ee/controllers/v1/actionController.ts
@ -1,6 +1,6 @@
-import { Request, Response } from 'express';
-import { Action, SecretVersion } from '../../models';
-import { ActionNotFoundError } from '../../../utils/errors';
+import { Request, Response } from "express";
+import { Action } from "../../models";
+import { ActionNotFoundError } from "../../../utils/errors";

 export const getAction = async (req: Request, res: Response) => {
    let action;
@ -10,21 +10,21 @@ export const getAction = async (req: Request, res: Response) => {
        action = await Action
            .findById(actionId)
            .populate([
-                'payload.secretVersions.oldSecretVersion',
-                'payload.secretVersions.newSecretVersion'
+                "payload.secretVersions.oldSecretVersion",
+                "payload.secretVersions.newSecretVersion",
            ]);
        
        if (!action) throw ActionNotFoundError({
-            message: 'Failed to find action'
+            message: "Failed to find action",
        });

    } catch (err) {
        throw ActionNotFoundError({
-            message: 'Failed to find action'
+            message: "Failed to find action",
        });
    }
    
    return res.status(200).send({
-        action
+        action,
    });
 }
--- a/backend/src/ee/controllers/v1/cloudProductsController.ts
+++ b/backend/src/ee/controllers/v1/cloudProductsController.ts
@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { EELicenseService } from '../../services';
-import { getLicenseServerUrl } from '../../../config';
-import { licenseServerKeyRequest } from '../../../config/request';
+import { Request, Response } from "express";
+import { EELicenseService } from "../../services";
+import { getLicenseServerUrl } from "../../../config";
+import { licenseServerKeyRequest } from "../../../config/request";

 /**
 * Return available cloud product information.
@ -11,9 +11,9 @@ import { licenseServerKeyRequest } from '../../../config/request';
 * @returns 
 */
 export const getCloudProducts = async (req: Request, res: Response) => {
-    const billingCycle = req.query['billing-cycle'] as string;
+    const billingCycle = req.query["billing-cycle"] as string;

-    if (EELicenseService.instanceType === 'cloud') {
+    if (EELicenseService.instanceType === "cloud") {
        const { data } = await licenseServerKeyRequest.get(
            `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
        ); 
@ -23,6 +23,6 @@ export const getCloudProducts = async (req: Request, res: Response) => {
    
    return res.status(200).send({
        head: [],
-        rows: []
+        rows: [],
    });
 }
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -1,19 +1,19 @@
-import * as stripeController from './stripeController';
-import * as secretController from './secretController';
-import * as secretSnapshotController from './secretSnapshotController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as actionController from './actionController';
-import * as membershipController from './membershipController';
-import * as cloudProductsController from './cloudProductsController';
+import * as secretController from "./secretController";
+import * as secretSnapshotController from "./secretSnapshotController";
+import * as organizationsController from "./organizationsController";
+import * as ssoController from "./ssoController";
+import * as workspaceController from "./workspaceController";
+import * as actionController from "./actionController";
+import * as membershipController from "./membershipController";
+import * as cloudProductsController from "./cloudProductsController";

 export {
-    stripeController,
    secretController,
    secretSnapshotController,
    organizationsController,
+    ssoController,
    workspaceController,
    actionController,
    membershipController,
-    cloudProductsController
+    cloudProductsController,
 }
--- a/backend/src/ee/controllers/v1/membershipController.ts
+++ b/backend/src/ee/controllers/v1/membershipController.ts
@ -3,8 +3,7 @@ import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
 import { ADMIN, MEMBER } from "../../../variables/organization";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
-import { Builder } from "builder-pattern"
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../../variables";
 import _ from "lodash";

 export const denyMembershipPermissions = async (req: Request, res: Response) => {
@ -15,10 +14,10 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
    }

-    return Builder<IMembershipPermission>()
-      .environmentSlug(permission.environmentSlug)
-      .ability(permission.ability)
-      .build();
+    return {
+      environmentSlug: permission.environmentSlug,
+      ability: permission.ability
+    }
  })

  const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
@ -39,7 +38,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
    throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
  }

-  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, "slug")));

  sanitizedMembershipPermissionsUnique.forEach(permission => {
    if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
@ -59,6 +58,6 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
  }

  res.send({
-    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions,
  })
 }
--- a/backend/src/ee/controllers/v1/organizationsController.ts
+++ b/backend/src/ee/controllers/v1/organizationsController.ts
@ -1,15 +1,26 @@
-import { Request, Response } from 'express';
-import { getLicenseServerUrl } from '../../../config';
-import { licenseServerKeyRequest } from '../../../config/request';
-import { EELicenseService } from '../../services';
+import { Request, Response } from "express";
+import { getLicenseServerUrl } from "../../../config";
+import { licenseServerKeyRequest } from "../../../config/request";
+import { EELicenseService } from "../../services";
+
+export const getOrganizationPlansTable = async (req: Request, res: Response) => {
+    const billingCycle = req.query.billingCycle as string;
+    
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+    ); 
+
+    return res.status(200).send(data); 
+}

 /**
- * Return the organization's current plan and allowed feature set
+ * Return the organization current plan's feature set
 */
 export const getOrganizationPlan = async (req: Request, res: Response) => {
    const { organizationId } = req.params;
+    const workspaceId = req.query.workspaceId as string;

-    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+    const plan = await EELicenseService.getPlan(organizationId, workspaceId);

    return res.status(200).send({
        plan,
@ -17,26 +28,82 @@ export const getOrganizationPlan = async (req: Request, res: Response) => {
 }

 /**
- * Update the organization plan to product with id [productId]
+ * Return checkout url for pro trial
 * @param req 
 * @param res 
 * @returns 
 */
-export const updateOrganizationPlan = async (req: Request, res: Response) => {
-    const {
-        productId
-    } = req.body;
+export const startOrganizationTrial = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    const { success_url } = req.body;

-    const { data  } = await licenseServerKeyRequest.patch(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan`,
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/session/trial`,
        {
-            productId
+            success_url
        }
    ); 
    
+    EELicenseService.delPlan(organizationId);
+    
+    return res.status(200).send({
+        url
+    });
+}
+
+/**
+ * Return the organization's current plan's billing info
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationPlanBillingInfo = async (req: Request, res: Response) => {
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/billing`
+    ); 
+    
    return res.status(200).send(data);
 }

+/**
+ * Return the organization's current plan's feature table
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationPlanTable = async (req: Request, res: Response) => {
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/table`
+    ); 
+
+    return res.status(200).send(data);
+}
+
+export const getOrganizationBillingDetails = async (req: Request, res: Response) => {
+    const { data  } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`
+    ); 
+
+    return res.status(200).send(data);
+}
+
+export const updateOrganizationBillingDetails = async (req: Request, res: Response) => {
+    const {
+        name,
+        email
+    } = req.body;
+
+    const { data } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`,
+        {
+            ...(name ? { name } : {}),
+            ...(email ? { email } : {})
+        }
+    ); 
+
+    return res.status(200).send(data); 
+}
+
 /**
 * Return the organization's payment methods on file
 */
@ -45,30 +112,28 @@ export const getOrganizationPmtMethods = async (req: Request, res: Response) =>
        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
    );

-    return res.status(200).send({
-        pmtMethods
-    }); 
+    return res.status(200).send(pmtMethods); 
 }

 /**
- * Return a Stripe session URL to add payment method for organization
+ * Return URL to add payment method for organization
 */
 export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
    const {
        success_url,
-        cancel_url
+        cancel_url,
    } = req.body;
    
    const { data: { url } } = await licenseServerKeyRequest.post(
        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
        {
            success_url,
-            cancel_url
+            cancel_url,
        }
    );
    
    return res.status(200).send({
-        url
+        url,
    }); 
 }

@ -80,4 +145,65 @@ export const deleteOrganizationPmtMethod = async (req: Request, res: Response) =
    );
        
    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's tax ids on file
+ */
+export const getOrganizationTaxIds = async (req: Request, res: Response) => {
+    const { data: { tax_ids } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`
+    );
+
+    return res.status(200).send(tax_ids); 
+}
+
+/**
+ * Add tax id to organization
+ */
+export const addOrganizationTaxId = async (req: Request, res: Response) => {
+    const {
+        type,
+        value
+    } = req.body;
+
+    const { data } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`,
+        {
+            type,
+            value
+        }
+    );
+
+    return res.status(200).send(data); 
+}
+
+/**
+ * Delete tax id with id [taxId] from organization tax ids on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
+    const { taxId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids/${taxId}`,
+    );
+        
+    return res.status(200).send(data); 
+}
+
+/**
+ * Return organization's invoices on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationInvoices = async (req: Request, res: Response) => {
+    const { data: { invoices } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/invoices`
+    );
+
+    return res.status(200).send(invoices); 
 }
--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -54,23 +54,20 @@ export const getSecretVersions = async (req: Request, res: Response) => {
        }
    }   
    */
-  const { secretId, workspaceId, environment, folderId } = req.params;
+  const { secretId } = req.params;

  const offset: number = parseInt(req.query.offset as string);
  const limit: number = parseInt(req.query.limit as string);

  const secretVersions = await SecretVersion.find({
-    secret: secretId,
-    workspace: workspaceId,
-    environment,
-    folder: folderId,
+    secret: secretId
  })
    .sort({ createdAt: -1 })
    .skip(offset)
    .limit(limit);

  return res.status(200).send({
-    secretVersions,
+    secretVersions
  });
 };

@ -135,7 +132,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
  // validate secret version
  const oldSecretVersion = await SecretVersion.findOne({
    secret: secretId,
-    version,
+    version
  }).select("+secretBlindIndex");

  if (!oldSecretVersion) throw new Error("Failed to find secret version");
@ -154,7 +151,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
    secretValueTag,
    algorithm,
    folder,
-    keyEncoding,
+    keyEncoding
  } = oldSecretVersion;

  // update secret
@ -162,7 +159,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
    secretId,
    {
      $inc: {
-        version: 1,
+        version: 1
      },
      workspace,
      type,
@ -177,10 +174,10 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
      secretValueTag,
      folderId: folder,
      algorithm,
-      keyEncoding,
+      keyEncoding
    },
    {
-      new: true,
+      new: true
    }
  );

@ -204,17 +201,17 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
    secretValueTag,
    folder,
    algorithm,
-    keyEncoding,
+    keyEncoding
  }).save();

  // take secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId: secret.workspace,
    environment,
-    folderId: folder,
+    folderId: folder
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -17,11 +17,11 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {
  const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
    .lean()
    .populate<{ secretVersions: ISecretVersion[] }>({
-      path: 'secretVersions',
+      path: "secretVersions",
      populate: {
-        path: 'tags',
-        model: 'Tag'
-      }
+        path: "tags",
+        model: "Tag",
+      },
    })
    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
  
--- a/backend/src/ee/controllers/v1/ssoController.ts
+++ b/backend/src/ee/controllers/v1/ssoController.ts
@ -0,0 +1,267 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { BotOrgService } from "../../../services";
+import { SSOConfig } from "../../models";
+import { 
+    MembershipOrg,
+    User
+} from "../../../models";
+import { getSSOConfigHelper } from "../../helpers/organizations";
+import { client } from "../../../config";
+import { ResourceNotFoundError } from "../../../utils/errors";
+import { getSiteURL } from "../../../config";
+import { EELicenseService } from "../../services";
+
+/**
+ * Redirect user to appropriate SSO endpoint after successful authentication
+ * to finish inputting their master key for logging in or signing up
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const redirectSSO = async (req: Request, res: Response) => {
+    if (req.isUserCompleted) {
+      return res.redirect(`${await getSiteURL()}/login/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+    }
+    
+    return res.redirect(`${await getSiteURL()}/signup/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+}
+
+/**
+ * Return organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSSOConfig = async (req: Request, res: Response) => {
+    const organizationId = req.query.organizationId as string;
+    
+    const data = await getSSOConfigHelper({
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    return res.status(200).send(data);
+}
+
+/**
+ * Update organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    } = req.body;
+
+    const plan = await EELicenseService.getPlan(organizationId);
+    
+    if (!plan.samlSSO) return res.status(400).send({
+        message: "Failed to update SAML SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+    });
+    
+    interface PatchUpdate {
+        authProvider?: string;
+        isActive?: boolean;
+        encryptedEntryPoint?: string;
+        entryPointIV?: string;
+        entryPointTag?: string;
+        encryptedIssuer?: string;
+        issuerIV?: string;
+        issuerTag?: string;
+        encryptedCert?: string;
+        certIV?: string;
+        certTag?: string;
+        encryptedAudience?: string;
+        audienceIV?: string;
+        audienceTag?: string;
+    }
+    
+    const update: PatchUpdate = {};
+    
+    if (authProvider) {
+        update.authProvider = authProvider;
+    }
+    
+    if (isActive !== undefined) {
+        update.isActive = isActive;
+    }
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+    
+    if (entryPoint) {
+        const {
+            ciphertext: encryptedEntryPoint,
+            iv: entryPointIV,
+            tag: entryPointTag
+        } = client.encryptSymmetric(entryPoint, key);
+        
+        update.encryptedEntryPoint = encryptedEntryPoint;
+        update.entryPointIV = entryPointIV;
+        update.entryPointTag = entryPointTag;
+    }
+
+    if (issuer) {
+        const {
+            ciphertext: encryptedIssuer,
+            iv: issuerIV,
+            tag: issuerTag
+        } = client.encryptSymmetric(issuer, key);
+        
+        update.encryptedIssuer = encryptedIssuer;
+        update.issuerIV = issuerIV;
+        update.issuerTag = issuerTag;
+    }
+
+    if (cert) {
+        const {
+            ciphertext: encryptedCert,
+            iv: certIV,
+            tag: certTag
+        } = client.encryptSymmetric(cert, key);
+        
+        update.encryptedCert = encryptedCert;
+        update.certIV = certIV;
+        update.certTag = certTag;
+    }
+
+    if (audience) {
+        const {
+            ciphertext: encryptedAudience,
+            iv: audienceIV,
+            tag: audienceTag
+        } = client.encryptSymmetric(audience, key);
+        
+        update.encryptedAudience = encryptedAudience;
+        update.audienceIV = audienceIV;
+        update.audienceTag = audienceTag;
+    }
+    
+    const ssoConfig = await SSOConfig.findOneAndUpdate(
+        {
+            organization: new Types.ObjectId(organizationId)
+        },
+        update,
+        {
+            new: true
+        }
+    );
+    
+    if (!ssoConfig) throw ResourceNotFoundError({
+        message: "Failed to find SSO config to update"
+    });
+    
+    if (update.isActive !== undefined) {
+        const membershipOrgs = await MembershipOrg.find({
+            organization: new Types.ObjectId(organizationId)
+        }).select("user");
+        
+        if (update.isActive) {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    authProvider: ssoConfig.authProvider
+                }
+            );
+        } else {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    $unset: {
+                        authProvider: 1
+                    }
+                }
+            );
+        }
+    }
+    
+    return res.status(200).send(ssoConfig);
+}
+
+/**
+ * Create organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    } = req.body;
+
+    const plan = await EELicenseService.getPlan(organizationId);
+    
+    if (!plan.samlSSO) return res.status(400).send({
+        message: "Failed to create SAML SSO configuration due to plan restriction. Upgrade plan to add SSO configuration."
+    });
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+
+    const {
+        ciphertext: encryptedEntryPoint,
+        iv: entryPointIV,
+        tag: entryPointTag
+    } = client.encryptSymmetric(entryPoint, key);
+
+    const {
+        ciphertext: encryptedIssuer,
+        iv: issuerIV,
+        tag: issuerTag
+    } = client.encryptSymmetric(issuer, key);
+
+    const {
+        ciphertext: encryptedCert,
+        iv: certIV,
+        tag: certTag
+    } = client.encryptSymmetric(cert, key);
+
+    const {
+        ciphertext: encryptedAudience,
+        iv: audienceIV,
+        tag: audienceTag
+    } = client.encryptSymmetric(audience, key);
+    
+    const ssoConfig = await new SSOConfig({
+        organization: new Types.ObjectId(organizationId),
+        authProvider,
+        isActive,
+        encryptedEntryPoint,
+        entryPointIV,
+        entryPointTag,
+        encryptedIssuer,
+        issuerIV,
+        issuerTag,
+        encryptedCert,
+        certIV,
+        certTag,
+        encryptedAudience,
+        audienceIV,
+        audienceTag
+    }).save();
+
+    return res.status(200).send(ssoConfig);
+}
--- a/backend/src/ee/controllers/v1/stripeController.ts
+++ b/backend/src/ee/controllers/v1/stripeController.ts
@ -1,31 +0,0 @@
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
-
-/**
- * Handle service provisioning/un-provisioning via Stripe
- * @param req
- * @param res
- * @returns
- */
-export const handleWebhook = async (req: Request, res: Response) => {
-  const stripe = new Stripe(await getStripeSecretKey(), {
-    apiVersion: '2022-08-01'
-  });
-
-  // check request for valid stripe signature
-  const sig = req.headers['stripe-signature'] as string;
-  const event = stripe.webhooks.constructEvent(
-    req.body,
-    sig,
-    await getStripeWebhookSecret()
-  );
-
-	switch (event.type) {
-		case '':
-			break;
-		default:
-	}
-
-	return res.json({ received: true });
-};
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -2,11 +2,11 @@ import { Request, Response } from "express";
 import { PipelineStage, Types } from "mongoose";
 import { Secret } from "../../../models";
 import {
-  SecretSnapshot,
-  Log,
-  SecretVersion,
-  ISecretVersion,
  FolderVersion,
+  ISecretVersion,
+  Log,
+  SecretSnapshot,
+  SecretVersion,
  TFolderRootVersionSchema,
 } from "../../models";
 import { EESecretService } from "../../services";
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,17 +1,17 @@
-import { Types } from 'mongoose';
-import { Action } from '../models';
+import { Types } from "mongoose";
+import { Action } from "../models";
 import { 
+    getLatestNSecretSecretVersionIds,
    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-} from '../helpers/secretVersion';
+} from "../helpers/secretVersion";
 import { 
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
    ACTION_LOGIN,
    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
    ACTION_UPDATE_SECRETS,
-} from '../../variables';
+} from "../../variables";

 /**
 * Create an (audit) action for updating secrets
@ -26,7 +26,7 @@ const createActionUpdateSecret = async ({
    serviceAccountId,
    serviceTokenDataId,
    workspaceId,
-    secretIds
+    secretIds,
 }: {
    name: string;
    userId?: Types.ObjectId;
@ -37,11 +37,11 @@ const createActionUpdateSecret = async ({
 }) => {
    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
            secretIds,
-            n: 2
+            n: 2,
        }))
        .map((s) => ({
            oldSecretVersion: s.versions[0]._id,
-            newSecretVersion: s.versions[1]._id
+            newSecretVersion: s.versions[1]._id,
        }));
    
    const action = await new Action({
@ -51,8 +51,8 @@ const createActionUpdateSecret = async ({
        serviceTokenData: serviceTokenDataId,
        workspace: workspaceId,
        payload: {
-            secretVersions: latestSecretVersions
-        }
+            secretVersions: latestSecretVersions,
+        },
    }).save();
    
    return action;
@ -72,7 +72,7 @@ const createActionSecret = async ({
    serviceAccountId,
    serviceTokenDataId,
    workspaceId,
-    secretIds
+    secretIds,
 }: {
    name: string;
    userId?: Types.ObjectId;
@ -84,10 +84,10 @@ const createActionSecret = async ({
    // case: action is adding, deleting, or reading secrets
    // -> add new secret versions
    const latestSecretVersions = (await getLatestSecretVersionIds({
-        secretIds
+        secretIds,
    }))
    .map((s) => ({
-        newSecretVersion: s.versionId
+        newSecretVersion: s.versionId,
    }));
    
   const action = await new Action({
@ -97,8 +97,8 @@ const createActionSecret = async ({
        serviceTokenData: serviceTokenDataId,
        workspace: workspaceId,
        payload: {
-            secretVersions: latestSecretVersions
-        }
+            secretVersions: latestSecretVersions,
+        },
    }).save(); 
    
    return action;
@ -116,7 +116,7 @@ const createActionClient = ({
    name,
    userId,
    serviceAccountId,
-    serviceTokenDataId
+    serviceTokenDataId,
 }: {
    name: string;
    userId?: Types.ObjectId;
@ -127,7 +127,7 @@ const createActionClient = ({
        name,
        user: userId,
        serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId
+        serviceTokenData: serviceTokenDataId,
    }).save();

    return action; 
@ -162,27 +162,27 @@ const createActionHelper = async ({
        case ACTION_LOGOUT:
            action = await createActionClient({
                name,
-                userId
+                userId,
            });
            break;
        case ACTION_ADD_SECRETS:
        case ACTION_READ_SECRETS:
        case ACTION_DELETE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
            action = await createActionSecret({
                name,
                userId,
                workspaceId,
-                secretIds
+                secretIds,
            });
            break;
        case ACTION_UPDATE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
            action = await createActionUpdateSecret({
                name,
                userId,
                workspaceId,
-                secretIds
+                secretIds,
            });
            break;
    }
@ -191,5 +191,5 @@ const createActionHelper = async ({
 }

 export { 
-    createActionHelper
+    createActionHelper,
 };
--- a/backend/src/ee/helpers/checkMembershipPermissions.ts
+++ b/backend/src/ee/helpers/checkMembershipPermissions.ts
@ -1,7 +1,7 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import _ from "lodash";
 import { Membership } from "../../models";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";

 export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,8 +1,8 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import { 
+    IAction,
    Log,
-    IAction
-} from '../models';
+} from "../models";

 /**
 * Create an (audit) log
@ -21,7 +21,7 @@ const createLogHelper = async ({
    workspaceId,
    actions,
    channel,
-    ipAddress
+    ipAddress,
 }: {
    userId?: Types.ObjectId;
    serviceAccountId?: Types.ObjectId;
@ -39,12 +39,12 @@ const createLogHelper = async ({
        actionNames: actions.map((a) => a.name),
        actions,
        channel,
-        ipAddress
+        ipAddress,
    }).save();

    return log;
 }

 export {
-    createLogHelper
+    createLogHelper,
 }
--- a/backend/src/ee/helpers/organizations.ts
+++ b/backend/src/ee/helpers/organizations.ts
@ -0,0 +1,72 @@
+import { Types } from "mongoose";
+import {
+    SSOConfig
+} from "../models";
+import {
+    BotOrgService
+} from "../../services";
+import { client } from "../../config";
+import { ValidationError } from "../../utils/errors";
+
+export const getSSOConfigHelper = async ({
+    organizationId,
+    ssoConfigId
+}: {
+    organizationId?: Types.ObjectId;
+    ssoConfigId?: Types.ObjectId;
+}) => {
+    
+    if (!organizationId && !ssoConfigId) throw ValidationError({
+        message: "Getting SSO data requires either id of organization or SSO data"
+    });
+    
+    const ssoConfig = await SSOConfig.findOne({
+        ...(organizationId ? { organization: organizationId } : {}),
+        ...(ssoConfigId ? { _id: ssoConfigId } : {})
+    });
+    
+    if (!ssoConfig) throw new Error("Failed to find organization SSO data");
+    
+    const key = await BotOrgService.getSymmetricKey(
+        ssoConfig.organization
+    );
+    
+    const entryPoint = client.decryptSymmetric(
+        ssoConfig.encryptedEntryPoint,
+        key,
+        ssoConfig.entryPointIV,
+        ssoConfig.entryPointTag
+    );
+
+    const issuer = client.decryptSymmetric(
+        ssoConfig.encryptedIssuer,
+        key,
+        ssoConfig.issuerIV,
+        ssoConfig.issuerTag
+    );
+
+    const cert = client.decryptSymmetric(
+        ssoConfig.encryptedCert,
+        key,
+        ssoConfig.certIV,
+        ssoConfig.certTag
+    );
+
+    const audience = client.decryptSymmetric(
+        ssoConfig.encryptedAudience,
+        key,
+        ssoConfig.audienceIV,
+        ssoConfig.audienceTag
+    );
+    
+    return ({
+        _id: ssoConfig._id,
+        organization: ssoConfig.organization,
+        authProvider: ssoConfig.authProvider,
+        isActive: ssoConfig.isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    });
+}
--- a/backend/src/ee/helpers/secret.ts
+++ b/backend/src/ee/helpers/secret.ts
@ -1,10 +1,10 @@
 import { Types } from "mongoose";
-import { Secret, ISecret } from "../../models";
+import { Secret } from "../../models";
 import {
+  FolderVersion,
+  ISecretVersion,
  SecretSnapshot,
  SecretVersion,
-  ISecretVersion,
-  FolderVersion,
 } from "../models";

 /**
--- a/backend/src/ee/middleware/index.ts
+++ b/backend/src/ee/middleware/index.ts
@ -1,7 +1,5 @@
-import requireLicenseAuth from './requireLicenseAuth';
-import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
+import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";

 export {
-    requireLicenseAuth,
-    requireSecretSnapshotAuth
+    requireSecretSnapshotAuth,
 }
--- a/backend/src/ee/middleware/requireLicenseAuth.ts
+++ b/backend/src/ee/middleware/requireLicenseAuth.ts
@ -1,23 +0,0 @@
-import { Request, Response, NextFunction } from 'express';
-
-/**
- * Validate if organization hosting meets license requirements to 
- * access a license-specific route.
- * @param {Object} obj
- * @param {String[]} obj.acceptedTiers
- */
-const requireLicenseAuth = ({
-    acceptedTiers
-}: {
-    acceptedTiers: string[];
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-
-        } catch (err) {
-
-        }
-    }
-}
-
-export default requireLicenseAuth;
--- a/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
+++ b/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
@ -1,9 +1,9 @@
-import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
-import { SecretSnapshot } from '../models';
+import { NextFunction, Request, Response } from "express";
+import { SecretSnapshotNotFoundError } from "../../utils/errors";
+import { SecretSnapshot } from "../models";
 import {
-    validateMembership
-} from '../../helpers/membership';
+    validateMembership,
+} from "../../helpers/membership";

 /**
 * Validate if user on request has proper membership for secret snapshot
@ -15,7 +15,7 @@ import {
 const requireSecretSnapshotAuth = ({
    acceptedRoles,
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
+    acceptedRoles: Array<"admin" | "member">;
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
        const { secretSnapshotId } = req.params;
@ -24,14 +24,14 @@ const requireSecretSnapshotAuth = ({
        
        if (!secretSnapshot) {
            return next(SecretSnapshotNotFoundError({
-                message: 'Failed to find secret snapshot'
+                message: "Failed to find secret snapshot",
            }));
        }
        
        await validateMembership({
            userId: req.user._id,
            workspaceId: secretSnapshot.workspace,
-            acceptedRoles
+            acceptedRoles,
        });
        
        req.secretSnapshot = secretSnapshot as any;
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -1,12 +1,12 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 import {
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
    ACTION_LOGIN,
    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
+    ACTION_UPDATE_SECRETS,
+} from "../../variables";

 export interface IAction {
    name: string;
@ -30,42 +30,42 @@ const actionSchema = new Schema<IAction>(
                ACTION_ADD_SECRETS,
                ACTION_UPDATE_SECRETS,
                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
+                ACTION_DELETE_SECRETS,
+            ],
        },
        user: {
            type: Schema.Types.ObjectId,
-            ref: 'User'
+            ref: "User",
        },
        serviceAccount: {
            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
+            ref: "ServiceAccount",
        },
        serviceTokenData: {
            type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: "ServiceTokenData",
        },
        workspace: {
            type: Schema.Types.ObjectId,
-            ref: 'Workspace'
+            ref: "Workspace",
        },
        payload: {
            secretVersions: [{
                oldSecretVersion: {
                    type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
+                    ref: "SecretVersion",
                },
                newSecretVersion: {
                    type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                }
-            }]
-        }
+                    ref: "SecretVersion",
+                },
+            }],
+        },
    }, {
-        timestamps: true
+        timestamps: true,
    }
 );

-const Action = model<IAction>('Action', actionSchema);
+const Action = model<IAction>("Action", actionSchema);

 export default Action;
--- a/backend/src/ee/models/folderVersion.ts
+++ b/backend/src/ee/models/folderVersion.ts
@ -1,4 +1,4 @@
-import { model, Schema, Types } from "mongoose";
+import { Schema, Types, model } from "mongoose";

 export type TFolderRootVersionSchema = {
  _id: Types.ObjectId;
--- a/backend/src/ee/models/index.ts
+++ b/backend/src/ee/models/index.ts
@ -3,6 +3,7 @@ import SecretVersion, { ISecretVersion } from "./secretVersion";
 import FolderVersion, { TFolderRootVersionSchema } from "./folderVersion";
 import Log, { ILog } from "./log";
 import Action, { IAction } from "./action";
+import SSOConfig, { ISSOConfig } from "./ssoConfig";

 export {
  SecretSnapshot,
@ -15,4 +16,6 @@ export {
  ILog,
  Action,
  IAction,
+  SSOConfig,
+  ISSOConfig
 };
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -1,12 +1,12 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 import {
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
    ACTION_LOGIN,
    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
+    ACTION_UPDATE_SECRETS,
+} from "../../variables";

 export interface ILog {
    _id: Types.ObjectId;
@ -24,19 +24,19 @@ const logSchema = new Schema<ILog>(
    {
        user: {
            type: Schema.Types.ObjectId,
-            ref: 'User'
+            ref: "User",
        },
        serviceAccount: {
            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
+            ref: "ServiceAccount",
        },
        serviceTokenData: {
            type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: "ServiceTokenData",
        },
        workspace: {
            type: Schema.Types.ObjectId,
-            ref: 'Workspace'
+            ref: "Workspace",
        },
        actionNames: {
            type: [String],
@ -46,28 +46,29 @@ const logSchema = new Schema<ILog>(
                ACTION_ADD_SECRETS,
                ACTION_UPDATE_SECRETS,
                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
+                ACTION_DELETE_SECRETS,
            ],
-            required: true
+            required: true,
        },
        actions: [{
            type: Schema.Types.ObjectId,
-            ref: 'Action',
-            required: true
+            ref: "Action",
+            required: true,
        }],
        channel: {
            type: String,
-            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
-            required: true
+            enum: ["web", "cli", "auto", "k8-operator", "other"],
+            required: true,
        },
        ipAddress: {
-            type: String
-        }
-    }, {
-    timestamps: true
-}
+            type: String,
+        },
+    }, 
+    {
+        timestamps: true,
+    }
 );

-const Log = model<ILog>('Log', logSchema);
+const Log = model<ILog>("Log", logSchema);

 export default Log;
--- a/backend/src/ee/models/secretSnapshot.ts
+++ b/backend/src/ee/models/secretSnapshot.ts
@ -1,4 +1,4 @@
-import { Schema, model, Types } from "mongoose";
+import { Schema, Types, model } from "mongoose";

 export interface ISecretSnapshot {
  workspace: Types.ObjectId;
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -1,10 +1,10 @@
-import { Schema, model, Types } from "mongoose";
+import { Schema, Types, model } from "mongoose";
 import {
-  SECRET_SHARED,
-  SECRET_PERSONAL,
  ALGORITHM_AES_256_GCM,
-  ENCODING_SCHEME_UTF8,
  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL,
+  SECRET_SHARED,
 } from "../../variables";

 export interface ISecretVersion {
@ -114,9 +114,9 @@ const secretVersionSchema = new Schema<ISecretVersion>(
      required: true,
    },
    tags: {
-      ref: 'Tag',
+      ref: "Tag",
      type: [Schema.Types.ObjectId],
-      default: []
+      default: [],
    },
  },
  {
--- a/backend/src/ee/models/ssoConfig.ts
+++ b/backend/src/ee/models/ssoConfig.ts
@ -0,0 +1,82 @@
+import { Schema, Types, model } from "mongoose";
+
+export interface ISSOConfig {
+    organization: Types.ObjectId;
+    authProvider: "okta-saml"
+    isActive: boolean;
+    encryptedEntryPoint: string;
+    entryPointIV: string;
+    entryPointTag: string;
+    encryptedIssuer: string;
+    issuerIV: string;
+    issuerTag: string;
+    encryptedCert: string;
+    certIV: string;
+    certTag: string;
+    encryptedAudience: string;
+    audienceIV: string;
+    audienceTag: string;
+}
+
+const ssoConfigSchema = new Schema<ISSOConfig>(
+    {
+        organization: {
+            type: Schema.Types.ObjectId,
+            ref: "Organization"
+        },
+        authProvider: {
+            type: String,
+            enum: [
+                "okta-saml"
+            ],
+            required: true
+        },
+        isActive: {
+            type: Boolean,
+            required: true
+        },
+        encryptedEntryPoint: {
+            type: String
+        },
+        entryPointIV: {
+            type: String
+        },
+        entryPointTag: {
+            type: String
+        },
+        encryptedIssuer: {
+            type: String
+        },
+        issuerIV: {
+            type: String
+        },
+        issuerTag: {
+            type: String
+        },
+        encryptedCert: {
+            type: String
+        },
+        certIV: {
+            type: String
+        },
+        certTag: {
+            type: String
+        },
+        encryptedAudience: {
+            type: String
+        },
+        audienceIV: {
+            type: String
+        },
+        audienceTag: {
+            type: String
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+const SSOConfig = model<ISSOConfig>("SSOConfig", ssoConfigSchema);
+
+export default SSOConfig;
--- a/backend/src/ee/routes/v1/action.ts
+++ b/backend/src/ee/routes/v1/action.ts
@ -1,15 +1,15 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    validateRequest
-} from '../../../middleware';
-import { param } from 'express-validator';
-import { actionController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { param } from "express-validator";
+import { actionController } from "../../controllers/v1";

 // TODO: put into action controller
 router.get(
-    '/:actionId',
-    param('actionId').exists().trim(),
+    "/:actionId",
+    param("actionId").exists().trim(),
    validateRequest,
    actionController.getAction
 );
--- a/backend/src/ee/routes/v1/cloudProducts.ts
+++ b/backend/src/ee/routes/v1/cloudProducts.ts
@ -1,18 +1,18 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
    requireAuth,
-    validateRequest
-} from '../../../middleware';
-import { query } from 'express-validator';
-import { cloudProductsController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { query } from "express-validator";
+import { cloudProductsController } from "../../controllers/v1";

 router.get(
-    '/',
+    "/",
    requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt", "apiKey"],
 	}),
-    query('billing-cycle').exists().isIn(['monthly', 'yearly']),
+    query("billing-cycle").exists().isIn(["monthly", "yearly"]),
    validateRequest,
    cloudProductsController.getCloudProducts 
 );
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,15 +1,17 @@
-import secret from './secret';
-import secretSnapshot from './secretSnapshot';
-import organizations from './organizations';
-import workspace from './workspace';
-import action from './action';
-import cloudProducts from './cloudProducts';
+import secret from "./secret";
+import secretSnapshot from "./secretSnapshot";
+import organizations from "./organizations";
+import sso from "./sso";
+import workspace from "./workspace";
+import action from "./action";
+import cloudProducts from "./cloudProducts";

 export {
    secret,
    secretSnapshot,
    organizations,
+    sso,
    workspace,
    action,
-    cloudProducts
+    cloudProducts,
 }
--- a/backend/src/ee/routes/v1/organizations.ts
+++ b/backend/src/ee/routes/v1/organizations.ts
@ -1,87 +1,223 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
    requireAuth,
    requireOrganizationAuth,
-    validateRequest
-} from '../../../middleware';
-import { param, body } from 'express-validator';
-import { organizationsController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { body, param, query } from "express-validator";
+import { organizationsController } from "../../controllers/v1";
 import {
-    OWNER, ADMIN, MEMBER, ACCEPTED
-} from '../../../variables';
+    ACCEPTED, ADMIN, MEMBER, OWNER,
+} from "../../../variables";

 router.get(
-    '/:organizationId/plan',
+    "/:organizationId/plans/table",
    requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
    }),
-    param('organizationId').exists().trim(),
+    param("organizationId").exists().trim(),
+    query("billingCycle").exists().isString().isIn(["monthly", "yearly"]),
+    validateRequest,
+    organizationsController.getOrganizationPlansTable
+);
+
+router.get(
+    "/:organizationId/plan",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    query("workspaceId").optional().isString(),
    validateRequest,
    organizationsController.getOrganizationPlan
 );

-router.patch(
-    '/:organizationId/plan',
+router.post(
+    "/:organizationId/session/trial",
    requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
    }),
-    param('organizationId').exists().trim(),
-    body('productId').exists().isString(),
+    param("organizationId").exists().trim(),
+    body("success_url").exists().trim(),
    validateRequest,
-    organizationsController.updateOrganizationPlan
+    organizationsController.startOrganizationTrial
 );

 router.get(
-    '/:organizationId/billing-details/payment-methods',
+    "/:organizationId/plan/billing",
    requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
    }),
-    param('organizationId').exists().trim(),
+    param("organizationId").exists().trim(),
+    query("workspaceId").optional().isString(),
+    validateRequest,
+    organizationsController.getOrganizationPlanBillingInfo
+);
+
+router.get(
+    "/:organizationId/plan/table",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    query("workspaceId").optional().isString(),
+    validateRequest,
+    organizationsController.getOrganizationPlanTable
+);
+
+router.get(
+    "/:organizationId/billing-details",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationBillingDetails
+);
+
+router.patch(
+    "/:organizationId/billing-details",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    body("email").optional().isString().trim(),
+    body("name").optional().isString().trim(),
+    validateRequest,
+    organizationsController.updateOrganizationBillingDetails
+);
+
+router.get(
+    "/:organizationId/billing-details/payment-methods",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
    validateRequest,
    organizationsController.getOrganizationPmtMethods
 );

 router.post(
-    '/:organizationId/billing-details/payment-methods',
+    "/:organizationId/billing-details/payment-methods",
    requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
    }),
-    param('organizationId').exists().trim(),
-    body('success_url').exists().isString(),
-    body('cancel_url').exists().isString(),
+    param("organizationId").exists().trim(),
+    body("success_url").exists().isString(),
+    body("cancel_url").exists().isString(),
    validateRequest,
    organizationsController.addOrganizationPmtMethod
 );

 router.delete(
-    '/:organizationId/billing-details/payment-methods/:pmtMethodId',
+    "/:organizationId/billing-details/payment-methods/:pmtMethodId",
    requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
    }),
-    param('organizationId').exists().trim(),
+    param("organizationId").exists().trim(),
+    param("pmtMethodId").exists().trim(),
    validateRequest,
    organizationsController.deleteOrganizationPmtMethod
 );

+router.get(
+    "/:organizationId/billing-details/tax-ids",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationTaxIds
+);
+
+router.post(
+    "/:organizationId/billing-details/tax-ids",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    body("type").exists().isString(),
+    body("value").exists().isString(),
+    validateRequest,
+    organizationsController.addOrganizationTaxId
+);
+
+router.delete(
+    "/:organizationId/billing-details/tax-ids/:taxId",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    param("taxId").exists().trim(),
+    validateRequest,
+    organizationsController.deleteOrganizationTaxId
+);
+
+router.get(
+    "/:organizationId/invoices",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationInvoices
+);
+
 export default router;
--- a/backend/src/ee/routes/v1/secret.ts
+++ b/backend/src/ee/routes/v1/secret.ts
@ -1,46 +1,46 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
    requireAuth,
 	requireSecretAuth,
-    validateRequest
-} from '../../../middleware';
-import { query, param, body } from 'express-validator';
-import { secretController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { body, param, query } from "express-validator";
+import { secretController } from "../../controllers/v1";
 import {
 	ADMIN, 
 	MEMBER,
 	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../../../variables';
+	PERMISSION_WRITE_SECRETS,
+} from "../../../variables";

 router.get(
-	'/:secretId/secret-versions',
+	"/:secretId/secret-versions",
 	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt", "apiKey"],
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS]
+		requiredPermissions: [PERMISSION_READ_SECRETS],
 	}),
-	param('secretId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
+	param("secretId").exists().trim(),
+	query("offset").exists().isInt(),
+	query("limit").exists().isInt(),
 	validateRequest,
 	secretController.getSecretVersions
 );

 router.post(
-	'/:secretId/secret-versions/rollback',
+	"/:secretId/secret-versions/rollback",
 	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt", "apiKey"],
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
+		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS],
 	}),
-	param('secretId').exists().trim(),
-	body('version').exists().isInt(),
+	param("secretId").exists().trim(),
+	body("version").exists().isInt(),
 	secretController.rollbackSecretVersion
 );

--- a/backend/src/ee/routes/v1/secretSnapshot.ts
+++ b/backend/src/ee/routes/v1/secretSnapshot.ts
@ -1,25 +1,25 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    requireSecretSnapshotAuth
-} from '../../middleware';
+    requireSecretSnapshotAuth,
+} from "../../middleware";
 import {
    requireAuth,
-    validateRequest
-} from '../../../middleware';
-import { param } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { secretSnapshotController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { param } from "express-validator";
+import { ADMIN, MEMBER } from "../../../variables";
+import { secretSnapshotController } from "../../controllers/v1";

 router.get(
-    '/:secretSnapshotId',
+    "/:secretSnapshotId",
    requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ["jwt"],
 	}),
    requireSecretSnapshotAuth({
-        acceptedRoles: [ADMIN, MEMBER]
+        acceptedRoles: [ADMIN, MEMBER],
    }),
-    param('secretSnapshotId').exists().trim(),
+    param("secretSnapshotId").exists().trim(),
    validateRequest,
    secretSnapshotController.getSecretSnapshot
 );
--- a/backend/src/ee/routes/v1/sso.ts
+++ b/backend/src/ee/routes/v1/sso.ts
@ -0,0 +1,121 @@
+import express from "express";
+const router = express.Router();
+import passport from "passport";
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest,
+} from "../../../middleware";
+import { body, query } from "express-validator";
+import { ssoController } from "../../controllers/v1";
+import { authLimiter } from "../../../helpers/rateLimiter";
+import {
+    ACCEPTED,
+    ADMIN,
+    OWNER
+} from "../../../variables";
+
+router.get(
+  "/redirect/google",
+  authLimiter,
+  (req, res, next) => {
+    passport.authenticate("google", {
+      scope: ["profile", "email"],
+      session: false,
+      ...(req.query.callback_port ? {
+        state: req.query.callback_port as string
+      } : {})
+    })(req, res, next);
+  }
+);
+
+router.get(
+  "/google",
+  passport.authenticate("google", { 
+    failureRedirect: "/login/provider/error", 
+    session: false 
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+  "/redirect/saml2/:ssoIdentifier",
+  authLimiter,
+  (req, res, next) => {
+    const options = {
+        failureRedirect: "/",
+        additionalParams: {
+          RelayState: req.query.callback_port ?? ""
+        },
+    };
+    passport.authenticate("saml", options)(req, res, next);
+  }
+);
+
+router.post("/saml2/:ssoIdentifier",
+  passport.authenticate("saml", { 
+    failureRedirect: "/login/provider/error", 
+    failureFlash: true, 
+    session: false
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "query"
+    }),
+    query("organizationId").exists().trim(),
+    validateRequest,
+    ssoController.getSSOConfig
+);
+
+router.post(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "body"
+    }),
+    body("organizationId").exists().trim(),
+    body("authProvider").exists().isString(),
+    body("isActive").exists().isBoolean(),
+    body("entryPoint").exists().isString(),
+    body("issuer").exists().isString(),
+    body("cert").exists().isString(),
+    body("audience").exists().isString(),
+    validateRequest,
+    ssoController.createSSOConfig
+);
+
+router.patch(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "body"
+    }),
+    body("organizationId").exists().trim(),
+    body("authProvider").optional().isString(),
+    body("isActive").optional().isBoolean(),
+    body("entryPoint").optional().isString(),
+    body("issuer").optional().isString(),
+    body("cert").optional().isString(),
+    body("audience").optional().isString(),
+    validateRequest,
+    ssoController.updateSSOConfig
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/stripe.ts
+++ b/backend/src/ee/routes/v1/stripe.ts
@ -1,7 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import { stripeController } from '../../controllers/v1';
-
-router.post('/webhook', stripeController.handleWebhook);
-
-export default router;
--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -5,7 +5,7 @@ import {
  requireWorkspaceAuth,
  validateRequest,
 } from "../../../middleware";
-import { param, query, body } from "express-validator";
+import { body, param, query } from "express-validator";
 import { ADMIN, MEMBER } from "../../../variables";
 import { workspaceController } from "../../controllers/v1";

--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -1,34 +1,39 @@
-import * as Sentry from '@sentry/node';
-import NodeCache from 'node-cache';
+import * as Sentry from "@sentry/node";
+import NodeCache from "node-cache";
 import { 
    getLicenseKey,
    getLicenseServerKey,
-    getLicenseServerUrl
-} from '../../config';
+    getLicenseServerUrl,
+} from "../../config";
 import { 
    licenseKeyRequest,
    licenseServerKeyRequest,
+    refreshLicenseKeyToken,
    refreshLicenseServerKeyToken,
-    refreshLicenseKeyToken
-} from '../../config/request';
-import { Organization } from '../../models';
-import { OrganizationNotFoundError } from '../../utils/errors';
+} from "../../config/request";
+import { Organization } from "../../models";
+import { OrganizationNotFoundError } from "../../utils/errors";

 interface FeatureSet {
    _id: string | null;
-    slug: 'starter' | 'team' | 'pro' | 'enterprise' | null;
+    slug: "starter" | "team" | "pro" | "enterprise" | null;
    tier: number;
    workspaceLimit: number | null;
    workspacesUsed: number;
    memberLimit: number | null;
    membersUsed: number;
+    environmentLimit: number | null;
+    environmentsUsed: number;
    secretVersioning: boolean;
    pitRecovery: boolean;
    rbac: boolean;
    customRateLimits: boolean;
    customAlerts: boolean;
    auditLogs: boolean;
-    envLimit?: number | null;
+    samlSSO: boolean;
+    status: "incomplete" | "incomplete_expired" | "trialing" | "active" | "past_due" | "canceled" | "unpaid" | null;
+    trial_end: number | null;
+    has_used_trial: boolean;
 }

 /**
@ -41,7 +46,7 @@ class EELicenseService {
    
    private readonly _isLicenseValid: boolean; // TODO: deprecate

-    public instanceType: 'self-hosted' | 'enterprise-self-hosted' | 'cloud' = 'self-hosted';
+    public instanceType: "self-hosted" | "enterprise-self-hosted" | "cloud" = "self-hosted";

    public globalFeatureSet: FeatureSet = {
        _id: null,
@ -51,13 +56,18 @@ class EELicenseService {
        workspacesUsed: 0,
        memberLimit: null,
        membersUsed: 0,
+        environmentLimit: null,
+        environmentsUsed: 0,
        secretVersioning: true,
-        pitRecovery: true,
+        pitRecovery: false,
        rbac: true,
        customRateLimits: true,
        customAlerts: true,
        auditLogs: false,
-        envLimit: null
+        samlSSO: false,
+        status: null,
+        trial_end: null,
+        has_used_trial: true
    }

    public localFeatureSet: NodeCache;
@ -65,14 +75,14 @@ class EELicenseService {
    constructor() {
        this._isLicenseValid = true;
        this.localFeatureSet = new NodeCache({
-            stdTTL: 300
+            stdTTL: 60,
        });
    }
    
-    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+    public async getPlan(organizationId: string, workspaceId?: string): Promise<FeatureSet> {
        try {
-            if (this.instanceType === 'cloud') {
-                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+            if (this.instanceType === "cloud") {
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(`${organizationId}-${workspaceId ?? ""}`);
                if (cachedPlan) {
                    return cachedPlan;
                }
@ -80,12 +90,16 @@ class EELicenseService {
                const organization = await Organization.findById(organizationId);
                if (!organization) throw OrganizationNotFoundError();

-                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
-                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
-                );
+                let url = `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`;
+                
+                if (workspaceId) {
+                    url += `?workspaceId=${workspaceId}`;
+                }
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(url);

                // cache fetched plan for organization
-                this.localFeatureSet.set(organizationId, currentPlan);
+                this.localFeatureSet.set(`${organizationId}-${workspaceId ?? ""}`, currentPlan);

                return currentPlan;
            }
@ -95,6 +109,19 @@ class EELicenseService {

        return this.globalFeatureSet;
    }
+    
+    public async refreshPlan(organizationId: string, workspaceId?: string) {
+        if (this.instanceType === "cloud") {
+            this.localFeatureSet.del(`${organizationId}-${workspaceId ?? ""}`);
+            await this.getPlan(organizationId, workspaceId);
+        }
+    }
+    
+    public async delPlan(organizationId: string) {
+        if (this.instanceType === "cloud") {
+            this.localFeatureSet.del(`${organizationId}-`);
+        }
+    }

    public async initGlobalFeatureSet() {
        const licenseServerKey = await getLicenseServerKey();
@ -106,7 +133,7 @@ class EELicenseService {
                const token = await refreshLicenseServerKeyToken()
                    
                if (token) {
-                    this.instanceType = 'cloud';
+                    this.instanceType = "cloud";
                }
                
                return;
@ -122,7 +149,7 @@ class EELicenseService {
                    );
                    
                    this.globalFeatureSet = currentPlan;
-                    this.instanceType = 'enterprise-self-hosted';
+                    this.instanceType = "enterprise-self-hosted";
                }
            }
        } catch (err) {
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -1,14 +1,14 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import { 
-    IAction
-} from '../models';
+    IAction,
+} from "../models";
 import {
-    createLogHelper
-} from '../helpers/log';
+    createLogHelper,
+} from "../helpers/log";
 import {
-    createActionHelper
-} from '../helpers/action';
-import EELicenseService from './EELicenseService';
+    createActionHelper,
+} from "../helpers/action";
+import EELicenseService from "./EELicenseService";

 /**
 * Class to handle Enterprise Edition log actions
@ -31,7 +31,7 @@ class EELogService {
        workspaceId,
        actions,
        channel,
-        ipAddress
+        ipAddress,
    }: {
        userId?: Types.ObjectId;
        serviceAccountId?: Types.ObjectId;
@ -49,7 +49,7 @@ class EELogService {
            workspaceId,
            actions,
            channel,
-            ipAddress
+            ipAddress,
        })
    }
    
@ -68,7 +68,7 @@ class EELogService {
        serviceAccountId,
        serviceTokenDataId,
        workspaceId,
-        secretIds
+        secretIds,
    }: {
        name: string;
        userId?: Types.ObjectId;
@ -83,7 +83,7 @@ class EELogService {
            serviceAccountId,
            serviceTokenDataId,
            workspaceId,
-            secretIds
+            secretIds,
        });
    }
 }
--- a/backend/src/ee/services/EESecretService.ts
+++ b/backend/src/ee/services/EESecretService.ts
@ -1,11 +1,11 @@
-import { Types } from 'mongoose';
-import { ISecretVersion } from '../models';
+import { Types } from "mongoose";
+import { ISecretVersion } from "../models";
 import {
-  takeSecretSnapshotHelper,
  addSecretVersionsHelper,
  markDeletedSecretVersionsHelper,
-} from '../helpers/secret';
-import EELicenseService from './EELicenseService';
+  takeSecretSnapshotHelper,
+} from "../helpers/secret";
+import EELicenseService from "./EELicenseService";

 /**
 * Class to handle Enterprise Edition secret actions
--- a/backend/src/ee/services/index.ts
+++ b/backend/src/ee/services/index.ts
@ -5,5 +5,5 @@ import EELogService from "./EELogService";
 export {
    EELicenseService,
    EESecretService,
-    EELogService
+    EELogService,
 }
--- a/backend/src/events/index.ts
+++ b/backend/src/events/index.ts
@ -1,5 +1,4 @@
-import { eventPushSecrets } from "./secret"
+import { eventPushSecrets } from "./secret";
+import { eventStartIntegration } from "./integration";

-export {
-    eventPushSecrets
-}
+export { eventPushSecrets, eventStartIntegration };
--- a/Show More
+++ b/Show More