Update E2EESection.tsx

Feat: Deprecate E2EE mode switching
give gha permission to update git token
2025-04-05 17:32:31 +00:00 · 2024-03-22 19:33:53 +01:00 · 2024-03-22 19:31:41 +01:00 · 2024-03-22 12:59:51 -04:00 · 2024-03-22 12:54:27 -04:00 · 2024-03-22 22:13:09 +05:30
473 changed files with 9835 additions and 5609 deletions
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -0,0 +1,118 @@
+name: Build, Publish and Deploy to Gamma
+on: [workflow_dispatch]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  infisical-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_FOR_ECR }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_FOR_ECR }}
+          aws-region: us-east-1
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: infisical/infisical:test
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+    
+    
+  postgres-migration:
+    name: Run latest migration files
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.AWS_DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [postgres-migration]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::135906656851:role/github-action-deploy-prod
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-prod-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
--- a/.github/workflows/build-staging-and-deploy.yml
+++ b/.github/workflows/build-staging-and-deploy.yml
@ -8,6 +8,15 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_FOR_ECR }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_FOR_ECR }}
+          aws-region: us-east-1
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
      - name: 📦 Install dependencies to test all dependencies
        run: npm ci --only-production
        working-directory: backend
@ -35,16 +44,7 @@ jobs:
          context: .
          file: Dockerfile.standalone-infisical
          tags: infisical/infisical:test
-      # - name: ⏻ Spawn backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      # - name: 🧪 Test backend image
-      #   run: |
-      #     ./.github/resources/healthcheck.sh infisical-backend-test
-      # - name: ⏻ Shut down backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
+      - name: 🏗️ Build backend and push to docker hub
        uses: depot/build-push-action@v1
        with:
          project: 64mmf0n610
@ -59,6 +59,8 @@ jobs:
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+    
+    
  postgres-migration:
    name: Run latest migration files
    runs-on: ubuntu-latest
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -118,9 +118,6 @@ WORKDIR /backend

 ENV TELEMETRY_ENABLED true

-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
-  CMD node healthcheck.js
-
 EXPOSE 8080
 EXPOSE 443

--- a/README.md
+++ b/README.md
@ -10,7 +10,8 @@
  <a href="https://infisical.com/">Infisical Cloud</a> |
  <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
  <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a>
+  <a href="https://www.infisical.com">Website</a> |
+  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>

 <p align="center">
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -10,7 +10,7 @@ import { seedData1 } from "@app/db/seed-data";
 import { initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
-import { AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";

 import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
@ -52,6 +52,8 @@ export default {
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: seedData1.id,
          tokenVersionId: seedData1.token.id,
+          authMethod: AuthMethod.EMAIL,
+          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
        cfg.AUTH_SECRET,
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -19,7 +19,7 @@ import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@ -59,6 +59,7 @@ declare module "fastify" {
    // identity injection. depending on which kinda of token the information is filled in auth
    auth: TAuthMode;
    permission: {
+      authMethod: ActorAuthMethod;
      type: ActorType;
      id: string;
      orgId?: string;
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -122,6 +122,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        orgId: req.query.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      return ldap;
@ -151,6 +152,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@ -184,6 +186,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@ -24,6 +24,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        billingCycle: req.query.billingCycle
      });
      return data;
@ -45,6 +46,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return { plan };
@ -66,6 +68,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgPlan({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -89,6 +93,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        success_url: req.body.success_url
      });
      return data;
@ -110,6 +115,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -131,6 +137,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -152,6 +159,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -173,6 +181,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -198,6 +207,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        name: req.body.name,
        email: req.body.email
@ -221,6 +231,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -246,6 +257,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        success_url: req.body.success_url,
        cancel_url: req.body.cancel_url
@ -271,6 +283,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgPmtMethods({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        pmtMethodId: req.params.pmtMethodId
@ -295,6 +308,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgTaxIds({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -322,6 +336,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.addOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        type: req.body.type,
@ -348,6 +363,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        taxId: req.params.taxId
@ -373,7 +389,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod
      });
      return data;
    }
@ -396,6 +413,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -19,7 +19,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          .min(1)
          .trim()
          .refine(
-            (val) => Object.keys(OrgMembershipRole).includes(val),
+            (val) => !Object.keys(OrgMembershipRole).includes(val),
            "Please choose a different slug, the slug you have entered is reserved"
          )
          .refine((v) => slugify(v) === v, {
@ -41,6 +41,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -84,6 +85,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.params.organizationId,
        req.params.roleId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -110,6 +112,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.roleId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -138,6 +141,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const roles = await server.services.orgRole.listRoles(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@ -163,6 +167,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.orgRole.getUserPermission(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { permissions, membership };
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -31,6 +31,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -65,6 +66,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.params.projectId,
        req.params.roleId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -92,6 +94,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.params.roleId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -121,6 +124,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.type,
        req.permission.id,
        req.params.projectId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@ -148,6 +152,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.projectRole.getUserPermission(
        req.permission.id,
        req.params.projectId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { permissions, membership } };
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
+import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -19,13 +20,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.workspaceId)
      }),
      querystring: z.object({
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().default(20)
+        environment: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(PROJECTS.GET_SNAPSHOTS.path),
+        offset: z.coerce.number().default(0).describe(PROJECTS.GET_SNAPSHOTS.offset),
+        limit: z.coerce.number().default(20).describe(PROJECTS.GET_SNAPSHOTS.limit)
      }),
      response: {
        200: z.object({
@ -37,6 +38,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const secretSnapshots = await server.services.snapshot.listSnapshots({
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
@ -68,6 +70,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const count = await server.services.snapshot.projectSecretSnapshotCount({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        environment: req.query.environment,
@ -89,16 +92,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
      }),
      querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional(),
-        userAgentType: z.nativeEnum(UserAgentType).optional(),
-        startDate: z.string().datetime().optional(),
-        endDate: z.string().datetime().optional(),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().default(20),
-        actor: z.string().optional()
+        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
+        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
+        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
+        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
+        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
+        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
      }),
      response: {
        200: z.object({
@ -129,6 +132,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const auditLogs = await server.services.auditLog.listProjectAuditLogs({
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.query,
        auditLogActor: req.query.actor,
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -231,6 +231,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.query.organizationId,
        type: "org"
      });
@ -259,6 +260,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      const saml = await server.services.saml.createSamlCfg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        ...req.body
@ -290,6 +292,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      const saml = await server.services.saml.updateSamlCfg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        ...req.body
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -39,6 +39,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        description: req.body.description,
        ttlDays: req.body.ttlDays
      });
@ -65,6 +66,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      const scimTokens = await server.services.scim.listScimTokens({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.query.organizationId
      });
@ -92,6 +94,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        scimTokenId: req.params.scimTokenId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });

--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -34,6 +34,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body,
@ -72,6 +73,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        secretPolicyId: req.params.sapId
@ -98,6 +100,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        secretPolicyId: req.params.sapId
      });
@ -123,6 +126,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approvals = await server.services.secretApprovalPolicy.getSecretApprovalPolicyByProjectId({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@ -150,6 +154,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId,
        ...req.query
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -52,6 +52,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approvals = await server.services.secretApprovalRequest.getSecretApprovals({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
@ -81,6 +82,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approvals = await server.services.secretApprovalRequest.requestCount({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@ -106,6 +108,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const { approval } = await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id
      });
@ -134,6 +137,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const review = await server.services.secretApprovalRequest.reviewApproval({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id,
        status: req.body.status
@ -163,6 +167,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approval = await server.services.secretApprovalRequest.updateApprovalStatus({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id,
        status: req.body.status
@ -271,6 +276,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approval = await server.services.secretApprovalRequest.getSecretApprovalDetails({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.id
      });
--- a/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
@ -30,6 +30,7 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
      const providers = await server.services.secretRotation.getProviderTemplates({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
--- a/backend/src/ee/routes/v1/secret-rotation-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-router.ts
@ -39,6 +39,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
    handler: async (req) => {
      const secretRotation = await server.services.secretRotation.createRotation({
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        ...req.body,
@ -74,6 +75,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotation = await server.services.secretRotation.restartById({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        rotationId: req.body.id
      });
@ -125,6 +127,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotations = await server.services.secretRotation.getByProjectId({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@ -158,6 +161,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotation = await server.services.secretRotation.deleteById({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        rotationId: req.params.id
      });
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -22,6 +22,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const session = await server.services.secretScanning.createInstallationSession({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId
      });
@ -46,6 +47,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { installatedApp } = await server.services.secretScanning.linkInstallationToOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@ -67,6 +69,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const appInstallationCompleted = await server.services.secretScanning.getOrgInstallationStatus({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -88,6 +91,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { risks } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -110,6 +114,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { risk } = await server.services.secretScanning.updateRiskStatus({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        riskId: req.params.riskId,
--- a/backend/src/ee/routes/v1/secret-version-router.ts
+++ b/backend/src/ee/routes/v1/secret-version-router.ts
@ -27,6 +27,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
      const secretVersions = await server.services.secret.getSecretVersions({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        limit: req.query.limit,
        offset: req.query.offset,
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -46,6 +47,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      const secretSnapshot = await server.services.snapshot.getSnapshotData({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
@ -65,7 +67,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretSnapshotId: z.string().trim()
+        secretSnapshotId: z.string().trim().describe(PROJECTS.ROLLBACK_TO_SNAPSHOT.secretSnapshotId)
      }),
      response: {
        200: z.object({
@ -78,6 +80,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      const secretSnapshot = await server.services.snapshot.rollbackSnapshot({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
--- a/backend/src/ee/routes/v1/trusted-ip-router.ts
+++ b/backend/src/ee/routes/v1/trusted-ip-router.ts
@ -22,6 +22,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const trustedIps = await server.services.trustedIp.listIpsByProjectId({
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -52,6 +53,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { trustedIp, project } = await server.services.trustedIp.addProjectIp({
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -99,6 +101,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        trustedIpId: req.params.trustedIpId,
        ...req.body
@ -140,6 +143,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        trustedIpId: req.params.trustedIpId
      });
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -31,10 +31,17 @@ export const auditLogServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    auditLogActor
  }: TListProjectAuditLogDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    const auditLogs = await auditLogDAL.find({
      startDate,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -55,6 +55,7 @@ export const ldapConfigServiceFactory = ({
    actorId,
    orgId,
    actorOrgId,
+    actorAuthMethod,
    isActive,
    url,
    bindDN,
@ -62,7 +63,7 @@ export const ldapConfigServiceFactory = ({
    searchBase,
    caCert
  }: TCreateLdapCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);

    const plan = await licenseService.getPlan(orgId);
@ -149,13 +150,14 @@ export const ldapConfigServiceFactory = ({
    orgId,
    actorOrgId,
    isActive,
+    actorAuthMethod,
    url,
    bindDN,
    bindPass,
    searchBase,
    caCert
  }: TUpdateLdapCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);

    const plan = await licenseService.getPlan(orgId);
@ -274,8 +276,14 @@ export const ldapConfigServiceFactory = ({
    };
  };

-  const getLdapCfgWithPermissionCheck = async ({ actor, actorId, orgId, actorOrgId }: TOrgPermission) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getLdapCfgWithPermissionCheck = async ({
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TOrgPermission) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
    return getLdapCfg({
      orgId
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -224,9 +224,10 @@ export const licenseServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    billingCycle
  }: TOrgPlansTableDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const { data } = await licenseServerCloudApi.request.get(
      `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
@ -234,15 +235,22 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const plan = await getPlan(orgId, projectId);
    return plan;
  };

-  const startOrgTrial = async ({ orgId, actorId, actor, actorOrgId, success_url }: TStartOrgTrialDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const startOrgTrial = async ({
+    orgId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    success_url
+  }: TStartOrgTrialDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);

@ -263,8 +271,14 @@ export const licenseServiceFactory = ({
    return { url };
  };

-  const createOrganizationPortalSession = async ({ orgId, actorId, actor, actorOrgId }: TCreateOrgPortalSession) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createOrganizationPortalSession = async ({
+    orgId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TCreateOrgPortalSession) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);

@ -310,8 +324,8 @@ export const licenseServiceFactory = ({
    return { url };
  };

-  const getOrgBillingInfo = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -327,8 +341,8 @@ export const licenseServiceFactory = ({
  };

  // returns org current plan feature table
-  const getOrgPlanTable = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -343,8 +357,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgBillingDetails = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -364,11 +378,12 @@ export const licenseServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    orgId,
    name,
    email
  }: TUpdateOrgBillingDetailsDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -387,8 +402,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgPmtMethods = async ({ orgId, actor, actorId, actorOrgId }: TOrgPmtMethodsDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -410,11 +425,12 @@ export const licenseServiceFactory = ({
    orgId,
    actor,
    actorId,
+    actorAuthMethod,
    actorOrgId,
    success_url,
    cancel_url
  }: TAddOrgPmtMethodDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -435,8 +451,15 @@ export const licenseServiceFactory = ({
    return { url };
  };

-  const delOrgPmtMethods = async ({ actorId, actor, actorOrgId, orgId, pmtMethodId }: TDelOrgPmtMethodDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const delOrgPmtMethods = async ({
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId,
+    orgId,
+    pmtMethodId
+  }: TDelOrgPmtMethodDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -452,8 +475,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgTaxIds = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -470,8 +493,8 @@ export const licenseServiceFactory = ({
    return taxIds;
  };

-  const addOrgTaxId = async ({ actorId, actor, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -491,8 +514,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const delOrgTaxId = async ({ orgId, actor, actorId, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -508,8 +531,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, orgId }: TOrgInvoiceDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -525,8 +548,8 @@ export const licenseServiceFactory = ({
    return invoices;
  };

-  const getOrgLicenses = async ({ orgId, actor, actorId, actorOrgId }: TOrgLicensesDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -129,11 +129,18 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
+        .join(
+          // Join the Project table to later select orgId
+          TableName.Project,
+          `${TableName.IdentityProjectMembership}.projectId`,
+          `${TableName.Project}.id`
+        )
        .where("identityId", identityId)
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
        .select(
          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
@ -144,16 +151,16 @@ export const permissionDALFactory = (db: TDbClient) => {
      const permission = sqlNestRelationships({
        data: docs,
        key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField, orgId }) => ({
          id: membershipId,
          identityId,
          projectId,
          role: oldRoleField,
          createdAt: membershipCreatedAt,
          updatedAt: membershipUpdatedAt,
+          orgId,
          // just a prefilled value
-          orgAuthEnforced: false,
-          orgId: ""
+          orgAuthEnforced: false
        }),
        childrenMapper: [
          {
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@ -0,0 +1,23 @@
+import { TOrganizations } from "@app/db/schemas";
+import { UnauthorizedError } from "@app/lib/errors";
+import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
+
+function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
+  if (!actorAuthMethod) return false;
+
+  return [AuthMethod.AZURE_SAML, AuthMethod.OKTA_SAML, AuthMethod.JUMPCLOUD_SAML, AuthMethod.GOOGLE_SAML].includes(
+    actorAuthMethod
+  );
+}
+
+function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrganizations["authEnforced"]) {
+  if (actorAuthMethod === undefined) {
+    throw new UnauthorizedError({ name: "No auth method defined" });
+  }
+
+  if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
+    throw new UnauthorizedError({ name: "Cannot access org-scoped resource" });
+  }
+}
+
+export { isAuthMethodSaml, validateOrgSAML };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -11,13 +11,15 @@ import {
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { TServiceTokenDALFactory } from "@app/services/service-token/service-token-dal";

 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
+import { validateOrgSAML } from "./permission-fns";
 import { TBuildProjectPermissionDTO } from "./permission-types";
 import {
  buildServiceTokenProjectPermission,
@ -32,6 +34,7 @@ type TPermissionServiceFactoryDep = {
  orgRoleDAL: Pick<TOrgRoleDALFactory, "findOne">;
  projectRoleDAL: Pick<TProjectRoleDALFactory, "findOne">;
  serviceTokenDAL: Pick<TServiceTokenDALFactory, "findById">;
+  projectDAL: Pick<TProjectDALFactory, "findById">;
  permissionDAL: TPermissionDALFactory;
 };

@ -41,7 +44,8 @@ export const permissionServiceFactory = ({
  permissionDAL,
  orgRoleDAL,
  projectRoleDAL,
-  serviceTokenDAL
+  serviceTokenDAL,
+  projectDAL
 }: TPermissionServiceFactoryDep) => {
  const buildOrgPermission = (role: string, permission?: unknown) => {
    switch (role) {
@ -98,16 +102,30 @@ export const permissionServiceFactory = ({

  /*
   * Get user permission in an organization
-   * */
-  const getUserOrgPermission = async (userId: string, orgId: string, userOrgId?: string) => {
+   */
+  const getUserOrgPermission = async (
+    userId: string,
+    orgId: string,
+    authMethod: ActorAuthMethod,
+    userOrgId?: string
+  ) => {
    const membership = await permissionDAL.getOrgPermission(userId, orgId);
    if (!membership) throw new UnauthorizedError({ name: "User not in org" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }
-    if (membership.orgAuthEnforced && membership.orgId !== userOrgId) {
-      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
+
+    // If the org ID is API_KEY, the request is being made with an API Key.
+    // Since we can't scope API keys to an organization, we'll need to do an arbitrary check to see if the user is a member of the organization.
+
+    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
+    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
+    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
+      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }
+
+    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+
    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
  };

@ -120,10 +138,16 @@ export const permissionServiceFactory = ({
    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
  };

-  const getOrgPermission = async (type: ActorType, id: string, orgId: string, actorOrgId?: string) => {
+  const getOrgPermission = async (
+    type: ActorType,
+    id: string,
+    orgId: string,
+    authMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
    switch (type) {
      case ActorType.USER:
-        return getUserOrgPermission(id, orgId, actorOrgId);
+        return getUserOrgPermission(id, orgId, authMethod, actorOrgId);
      case ActorType.IDENTITY:
        return getIdentityOrgPermission(id, orgId);
      default:
@ -153,34 +177,39 @@ export const permissionServiceFactory = ({
  const getUserProjectPermission = async (
    userId: string,
    projectId: string,
+    authMethod: ActorAuthMethod,
    userOrgId?: string
  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
-    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
+    const membership = await permissionDAL.getProjectPermission(userId, projectId);
+    if (!membership) throw new UnauthorizedError({ name: "User not in project" });

-    if (
-      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
-    ) {
+    if (membership.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }

-    if (userProjectPermission.orgAuthEnforced && userProjectPermission.orgId !== userOrgId) {
-      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
+    // If the org ID is API_KEY, the request is being made with an API Key.
+    // Since we can't scope API keys to an organization, we'll need to do an arbitrary check to see if the user is a member of the organization.
+
+    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
+    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
+    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
+      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }

+    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+
    return {
-      permission: buildProjectPermission(userProjectPermission.roles),
-      membership: userProjectPermission,
+      permission: buildProjectPermission(membership.roles),
+      membership,
      hasRole: (role: string) =>
-        userProjectPermission.roles.findIndex(
-          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
-        ) !== -1
+        membership.roles.findIndex(({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug) !== -1
    };
  };

  const getIdentityProjectPermission = async (
    identityId: string,
-    projectId: string
+    projectId: string,
+    identityOrgId: string | undefined
  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
@ -193,6 +222,10 @@ export const permissionServiceFactory = ({
      throw new BadRequestError({ name: "Custom permission not found" });
    }

+    if (identityProjectPermission.orgId !== identityOrgId) {
+      throw new UnauthorizedError({ name: "You are not a member of this organization" });
+    }
+
    return {
      permission: buildProjectPermission(identityProjectPermission.roles),
      membership: identityProjectPermission,
@ -203,14 +236,32 @@ export const permissionServiceFactory = ({
    };
  };

-  const getServiceTokenProjectPermission = async (serviceTokenId: string, projectId: string) => {
+  const getServiceTokenProjectPermission = async (
+    serviceTokenId: string,
+    projectId: string,
+    actorOrgId: string | undefined
+  ) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });

+    const serviceTokenProject = await projectDAL.findById(serviceToken.projectId);
+
+    if (!serviceTokenProject) throw new BadRequestError({ message: "Service token not linked to a project" });
+
+    if (serviceTokenProject.orgId !== actorOrgId) {
+      throw new UnauthorizedError({ message: "Service token not a part of this organization" });
+    }
+
    if (serviceToken.projectId !== projectId)
      throw new UnauthorizedError({
        message: "Failed to find service authorization for given project"
      });
+
+    if (serviceTokenProject.orgId !== actorOrgId)
+      throw new UnauthorizedError({
+        message: "Failed to find service authorization for given project"
+      });
+
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@ -238,15 +289,16 @@ export const permissionServiceFactory = ({
    type: T,
    id: string,
    projectId: string,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ): Promise<TProjectPermissionRT<T>> => {
    switch (type) {
      case ActorType.USER:
-        return getUserProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission(id, projectId) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission(id, projectId) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new UnauthorizedError({
          message: "Permission not defined",
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -55,6 +55,7 @@ export const samlConfigServiceFactory = ({
  const createSamlCfg = async ({
    cert,
    actor,
+    actorAuthMethod,
    actorOrgId,
    orgId,
    issuer,
@ -63,7 +64,7 @@ export const samlConfigServiceFactory = ({
    entryPoint,
    authProvider
  }: TCreateSamlCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Sso);

    const plan = await licenseService.getPlan(orgId);
@ -146,6 +147,7 @@ export const samlConfigServiceFactory = ({
    orgId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    cert,
    actorId,
    issuer,
@ -153,7 +155,7 @@ export const samlConfigServiceFactory = ({
    entryPoint,
    authProvider
  }: TUpdateSamlCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
    const plan = await licenseService.getPlan(orgId);
    if (!plan.samlSSO)
@ -238,6 +240,7 @@ export const samlConfigServiceFactory = ({
        dto.actor,
        dto.actorId,
        ssoConfig.orgId,
+        dto.actorAuthMethod,
        dto.actorOrgId
      );
      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -1,5 +1,5 @@
 import { TOrgPermission } from "@app/lib/types";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

 export enum SamlProviders {
  OKTA_SAML = "okta-saml",
@ -26,7 +26,14 @@ export type TUpdateSamlCfgDTO = Partial<{
  TOrgPermission;

 export type TGetSamlCfgDTO =
-  | { type: "org"; orgId: string; actor: ActorType; actorId: string; actorOrgId?: string }
+  | {
+      type: "org";
+      orgId: string;
+      actor: ActorType;
+      actorId: string;
+      actorAuthMethod: ActorAuthMethod;
+      actorOrgId: string | undefined;
+    }
  | {
      type: "orgSlug";
      orgSlug: string;
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -56,8 +56,16 @@ export const scimServiceFactory = ({
  permissionService,
  smtpService
 }: TScimServiceFactoryDep) => {
-  const createScimToken = async ({ actor, actorId, actorOrgId, orgId, description, ttlDays }: TCreateScimTokenDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createScimToken = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    orgId,
+    description,
+    ttlDays
+  }: TCreateScimTokenDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Scim);

    const plan = await licenseService.getPlan(orgId);
@ -85,8 +93,8 @@ export const scimServiceFactory = ({
    return { scimToken };
  };

-  const listScimTokens = async ({ actor, actorId, actorOrgId, orgId }: TOrgPermission) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const listScimTokens = async ({ actor, actorId, actorOrgId, actorAuthMethod, orgId }: TOrgPermission) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Scim);

    const plan = await licenseService.getPlan(orgId);
@ -99,11 +107,17 @@ export const scimServiceFactory = ({
    return scimTokens;
  };

-  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorOrgId }: TDeleteScimTokenDTO) => {
+  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteScimTokenDTO) => {
    let scimToken = await scimDAL.findById(scimTokenId);
    if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });

-    const { permission } = await permissionService.getOrgPermission(actor, actorId, scimToken.orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      scimToken.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);

    const plan = await licenseService.getPlan(scimToken.orgId);
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -45,6 +45,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    approvals,
    approvers,
    projectId,
@ -54,7 +55,13 @@ export const secretApprovalPolicyServiceFactory = ({
    if (approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@ -98,6 +105,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    approvals,
    secretPolicyId
  }: TUpdateSapDTO) => {
@ -108,6 +116,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actor,
      actorId,
      secretApprovalPolicy.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@ -152,7 +161,13 @@ export const secretApprovalPolicyServiceFactory = ({
    };
  };

-  const deleteSecretApprovalPolicy = async ({ secretPolicyId, actor, actorId, actorOrgId }: TDeleteSapDTO) => {
+  const deleteSecretApprovalPolicy = async ({
+    secretPolicyId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteSapDTO) => {
    const sapPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
    if (!sapPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });

@ -160,6 +175,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actor,
      actorId,
      sapPolicy.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
@ -171,8 +187,20 @@ export const secretApprovalPolicyServiceFactory = ({
    return sapPolicy;
  };

-  const getSecretApprovalPolicyByProjectId = async ({ actorId, actor, actorOrgId, projectId }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getSecretApprovalPolicyByProjectId = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TListSapDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId });
@ -201,10 +229,17 @@ export const secretApprovalPolicyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    environment,
    secretPath
  }: TGetBoardSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, { secretPath, environment })
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -82,13 +82,14 @@ export const secretApprovalRequestServiceFactory = ({
  secretVersionDAL,
  secretQueueService
 }: TSecretApprovalRequestServiceFactoryDep) => {
-  const requestCount = async ({ projectId, actor, actorId, actorOrgId }: TApprovalRequestCountDTO) => {
+  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const { membership } = await permissionService.getProjectPermission(
      actor as ActorType.USER,
      actorId,
      projectId,
+      actorAuthMethod,
      actorOrgId
    );

@ -100,6 +101,7 @@ export const secretApprovalRequestServiceFactory = ({
    projectId,
    actorId,
    actor,
+    actorAuthMethod,
    actorOrgId,
    status,
    environment,
@ -109,7 +111,13 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    const { membership } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    const approvals = await secretApprovalRequestDAL.findByProjectId({
      projectId,
      committer,
@ -122,7 +130,13 @@ export const secretApprovalRequestServiceFactory = ({
    return approvals;
  };

-  const getSecretApprovalDetails = async ({ actor, actorId, actorOrgId, id }: TSecretApprovalDetailsDTO) => {
+  const getSecretApprovalDetails = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    id
+  }: TSecretApprovalDetailsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
@ -133,6 +147,7 @@ export const secretApprovalRequestServiceFactory = ({
      actor,
      actorId,
      secretApprovalRequest.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    if (
@ -150,7 +165,14 @@ export const secretApprovalRequestServiceFactory = ({
    return { ...secretApprovalRequest, secretPath: secretPath?.[0]?.path || "/", commits: secrets };
  };

-  const reviewApproval = async ({ approvalId, actor, status, actorId, actorOrgId }: TReviewRequestDTO) => {
+  const reviewApproval = async ({
+    approvalId,
+    actor,
+    status,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TReviewRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
@ -160,6 +182,7 @@ export const secretApprovalRequestServiceFactory = ({
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    if (
@ -192,7 +215,14 @@ export const secretApprovalRequestServiceFactory = ({
    return reviewStatus;
  };

-  const updateApprovalStatus = async ({ actorId, status, approvalId, actor, actorOrgId }: TStatusChangeDTO) => {
+  const updateApprovalStatus = async ({
+    actorId,
+    status,
+    approvalId,
+    actor,
+    actorOrgId,
+    actorAuthMethod
+  }: TStatusChangeDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
@ -202,6 +232,7 @@ export const secretApprovalRequestServiceFactory = ({
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    if (
@ -229,7 +260,8 @@ export const secretApprovalRequestServiceFactory = ({
    approvalId,
    actor,
    actorId,
-    actorOrgId
+    actorOrgId,
+    actorAuthMethod
  }: TMergeSecretApprovalRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
@ -240,8 +272,10 @@ export const secretApprovalRequestServiceFactory = ({
      ActorType.USER,
      actorId,
      projectId,
+      actorAuthMethod,
      actorOrgId
    );
+
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
@ -438,6 +472,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    policy,
    projectId,
    secretPath,
@ -449,6 +484,7 @@ export const secretApprovalRequestServiceFactory = ({
      actor,
      actorId,
      projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
@ -9,6 +9,7 @@ import jmespath from "jmespath";
 import knex from "knex";

 import { getConfig } from "@app/lib/config/env";
+import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
@ -89,7 +90,7 @@ export const secretRotationDbFn = async ({
  const appCfg = getConfig();

  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  if (host === "localhost" || host === "127.0.0.1" || appCfg.DB_CONNECTION_URI.includes(host))
+  if (host === "localhost" || host === "127.0.0.1" || getDbConnectionHost(appCfg.DB_CONNECTION_URI) === host)
    throw new Error("Invalid db host");

  const db = knex({
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -39,8 +39,20 @@ export const secretRotationServiceFactory = ({
  folderDAL,
  secretDAL
 }: TSecretRotationServiceFactoryDep) => {
-  const getProviderTemplates = async ({ actor, actorId, actorOrgId, projectId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getProviderTemplates = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);

    return {
@ -54,6 +66,7 @@ export const secretRotationServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    inputs,
    outputs,
    interval,
@ -61,7 +74,13 @@ export const secretRotationServiceFactory = ({
    secretPath,
    environment
  }: TCreateSecretRotationDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRotation
@ -139,14 +158,20 @@ export const secretRotationServiceFactory = ({
    return secretRotation;
  };

-  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    const doc = await secretRotationDAL.find({ projectId });
    return doc;
  };

-  const restartById = async ({ actor, actorId, actorOrgId, rotationId }: TRestartDTO) => {
+  const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new BadRequestError({ message: "Rotation not found" });

@ -157,18 +182,30 @@ export const secretRotationServiceFactory = ({
        message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
      });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, doc.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      doc.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
    await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
    await secretRotationQueue.addToQueue(doc.id, doc.interval);
    return doc;
  };

-  const deleteById = async ({ actor, actorId, actorOrgId, rotationId }: TDeleteDTO) => {
+  const deleteById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TDeleteDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new BadRequestError({ message: "Rotation not found" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, doc.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      doc.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretRotation
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -39,8 +39,14 @@ export const secretScanningServiceFactory = ({
  permissionService,
  secretScanningQueue
 }: TSecretScanningServiceFactoryDep) => {
-  const createInstallationSession = async ({ actor, orgId, actorId, actorOrgId }: TInstallAppSessionDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createInstallationSession = async ({
+    actor,
+    orgId,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TInstallAppSessionDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);

    const sessionId = crypto.randomBytes(16).toString("hex");
@ -53,12 +59,19 @@ export const secretScanningServiceFactory = ({
    actorId,
    installationId,
    actor,
+    actorAuthMethod,
    actorOrgId
  }: TLinkInstallSessionDTO) => {
    const session = await gitAppInstallSessionDAL.findOne({ sessionId });
    if (!session) throw new UnauthorizedError({ message: "Session not found" });

-    const { permission } = await permissionService.getOrgPermission(actor, actorId, session.orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      session.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);
    const installatedApp = await gitAppOrgDAL.transaction(async (tx) => {
      await gitAppInstallSessionDAL.deleteById(session.id, tx);
@ -89,23 +102,37 @@ export const secretScanningServiceFactory = ({
    return { installatedApp };
  };

-  const getOrgInstallationStatus = async ({ actorId, orgId, actor, actorOrgId }: TGetOrgInstallStatusDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgInstallationStatus = async ({
+    actorId,
+    orgId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetOrgInstallStatusDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);

    const appInstallation = await gitAppOrgDAL.findOne({ orgId });
    return Boolean(appInstallation);
  };

-  const getRisksByOrg = async ({ actor, orgId, actorId, actorOrgId }: TGetOrgRisksDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
    return { risks };
  };

-  const updateRiskStatus = async ({ actorId, orgId, actor, actorOrgId, riskId, status }: TUpdateRiskStatusDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const updateRiskStatus = async ({
+    actorId,
+    orgId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    riskId,
+    status
+  }: TUpdateRiskStatusDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.SecretScanning);

    const isRiskResolved = Boolean(
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@ -59,9 +59,16 @@ export const secretSnapshotServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    path
  }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
@ -77,11 +84,18 @@ export const secretSnapshotServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    path,
    limit = 20,
    offset = 0
  }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
@ -91,10 +105,16 @@ export const secretSnapshotServiceFactory = ({
    return snapshots;
  };

-  const getSnapshotData = async ({ actorId, actor, actorOrgId, id }: TGetSnapshotDataDTO) => {
+  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findSecretSnapshotDataById(id);
    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, snapshot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      snapshot.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    return snapshot;
  };
@ -145,11 +165,23 @@ export const secretSnapshotServiceFactory = ({
    }
  };

-  const rollbackSnapshot = async ({ id: snapshotId, actor, actorId, actorOrgId }: TRollbackSnapshotDTO) => {
+  const rollbackSnapshot = async ({
+    id: snapshotId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TRollbackSnapshotDTO) => {
    const snapshot = await snapshotDAL.findById(snapshotId);
    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, snapshot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      snapshot.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRollback
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@ -26,8 +26,14 @@ export const trustedIpServiceFactory = ({
  licenseService,
  projectDAL
 }: TTrustedIpServiceFactoryDep) => {
-  const listIpsByProjectId = async ({ projectId, actor, actorId, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
      projectId
@ -38,13 +44,20 @@ export const trustedIpServiceFactory = ({
  const addProjectIp = async ({
    projectId,
    actorId,
+    actorAuthMethod,
    actor,
    actorOrgId,
    ipAddress: ip,
    comment,
    isActive
  }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
@ -78,11 +91,18 @@ export const trustedIpServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    ipAddress: ip,
    comment,
    trustedIpId
  }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
@ -113,8 +133,21 @@ export const trustedIpServiceFactory = ({
    return { trustedIp, project }; // for audit log
  };

-  const deleteProjectIp = async ({ projectId, actorId, actor, actorOrgId, trustedIpId }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const deleteProjectIp = async ({
+    projectId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    trustedIpId
+  }: TDeleteIpDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -0,0 +1,287 @@
+export const IDENTITIES = {
+  CREATE: {
+    name: "The name of the identity to create.",
+    organizationId: "The organization ID to which the identity belongs.",
+    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update.",
+    name: "The new name of the identity.",
+    role: "The new role of the identity."
+  },
+  DELETE: {
+    identityId: "The ID of the identity to delete."
+  }
+} as const;
+
+export const UNIVERSAL_AUTH = {
+  LOGIN: {
+    clientId: "Your Machine Identity Client ID.",
+    clientSecret: "Your Machine Identity Client Secret."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    clientSecretTrustedIps:
+      "A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address.",
+    accessTokenTrustedIps:
+      "A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.",
+    accessTokenTTL: "The lifetime for an access token in seconds. This value will be referenced at renewal time.",
+    accessTokenMaxTTL:
+      "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
+    accessTokenNumUsesLimit:
+      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update.",
+    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
+    accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  CREATE_CLIENT_SECRET: {
+    identityId: "The ID of the identity to create a client secret for.",
+    description: "The description of the client secret.",
+    numUsesLimit:
+      "The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses.",
+    ttl: "The lifetime for the client secret in seconds."
+  },
+  LIST_CLIENT_SECRETS: {
+    identityId: "The ID of the identity to list client secrets for."
+  },
+  REVOKE_CLIENT_SECRET: {
+    identityId: "The ID of the identity to revoke the client secret from.",
+    clientSecretId: "The ID of the client secret to revoke."
+  },
+  RENEW_ACCESS_TOKEN: {
+    accessToken: "The access token to renew."
+  }
+} as const;
+
+export const ORGANIZATIONS = {
+  LIST_USER_MEMBERSHIPS: {
+    organizationId: "The ID of the organization to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    organizationId: "The ID of the organization to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    role: "The new role of the membership."
+  },
+  DELETE_USER_MEMBERSHIP: {
+    organizationId: "The ID of the organization to delete the membership from.",
+    membershipId: "The ID of the membership to delete."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    orgId: "The ID of the organization to get identity memberships from."
+  },
+  GET_PROJECTS: {
+    organizationId: "The ID of the organization to get projects from."
+  }
+} as const;
+
+export const PROJECTS = {
+  CREATE: {
+    organizationSlug: "The slug of the organization to create the project in.",
+    projectName: "The name of the project to create.",
+    slug: "An optional slug for the project."
+  },
+  DELETE: {
+    workspaceId: "The ID of the project to delete."
+  },
+  GET: {
+    workspaceId: "The ID of the project."
+  },
+  UPDATE: {
+    workspaceId: "The ID of the project to update.",
+    name: "The new name of the project.",
+    autoCapitalization: "Disable or enable auto-capitalization for the project."
+  },
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: "A list of roles to update the membership to."
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
+  GET_KEY: {
+    workspaceId: "The ID of the project to get the key from."
+  },
+  GET_SNAPSHOTS: {
+    workspaceId: "The ID of the project to get snapshots from.",
+    environment: "The environment to get snapshots from.",
+    path: "The secret path to get snapshots from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th snapshot.",
+    limit: "The number of snapshots to return."
+  },
+  ROLLBACK_TO_SNAPSHOT: {
+    secretSnapshotId: "The ID of the snapshot to rollback to."
+  }
+} as const;
+
+export const ENVIRONMENTS = {
+  CREATE: {
+    workspaceId: "The ID of the project to create the environment in.",
+    name: "The name of the environment to create.",
+    slug: "The slug of the environment to create."
+  },
+  UPDATE: {
+    workspaceId: "The ID of the project to update the environment in.",
+    id: "The ID of the environment to update.",
+    name: "The new name of the environment.",
+    slug: "The new slug of the environment.",
+    position: "The new position of the environment. The lowest number will be displayed as the first environment."
+  },
+  DELETE: {
+    workspaceId: "The ID of the project to delete the environment from.",
+    id: "The ID of the environment to delete."
+  }
+} as const;
+
+export const FOLDERS = {
+  LIST: {
+    workspaceId: "The ID of the project to list folders from.",
+    environment: "The slug of the environment to list folders from.",
+    path: "The path to list folders from.",
+    directory: "The directory to list folders from. (Deprecated in favor of path)"
+  },
+  CREATE: {
+    workspaceId: "The ID of the project to create the folder in.",
+    environment: "The slug of the environment to create the folder in.",
+    name: "The name of the folder to create.",
+    path: "The path of the folder to create.",
+    directory: "The directory of the folder to create. (Deprecated in favor of path)"
+  },
+  UPDATE: {
+    folderId: "The ID of the folder to update.",
+    environment: "The slug of the environment where the folder is located.",
+    name: "The new name of the folder.",
+    path: "The path of the folder to update.",
+    directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    workspaceId: "The ID of the project where the folder is located."
+  },
+  DELETE: {
+    folderIdOrName: "The ID or name of the folder to delete.",
+    workspaceId: "The ID of the project to delete the folder from.",
+    environment: "The slug of the environment where the folder is located.",
+    directory: "The directory of the folder to delete. (Deprecated in favor of path)",
+    path: "The path of the folder to delete."
+  }
+} as const;
+
+export const RAW_SECRETS = {
+  LIST: {
+    workspaceId: "The ID of the project to list secrets from.",
+    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    environment: "The slug of the environment to list secrets from.",
+    secretPath: "The secret path to list secrets from.",
+    includeImports: "Weather to include imported secrets or not."
+  },
+  CREATE: {
+    secretName: "The name of the secret to create.",
+    environment: "The slug of the environment to create the secret in.",
+    secretComment: "Attach a comment to the secret.",
+    secretPath: "The path to create the secret in.",
+    secretValue: "The value of the secret to create.",
+    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
+    type: "The type of the secret to create.",
+    workspaceId: "The ID of the project to create the secret in."
+  },
+  GET: {
+    secretName: "The name of the secret to get.",
+    workspaceId: "The ID of the project to get the secret from.",
+    environment: "The slug of the environment to get the secret from.",
+    secretPath: "The path of the secret to get.",
+    version: "The version of the secret to get.",
+    type: "The type of the secret to get.",
+    includeImports: "Weather to include imported secrets or not."
+  },
+  UPDATE: {
+    secretName: "The name of the secret to update.",
+    environment: "The slug of the environment where the secret is located.",
+    secretPath: "The path of the secret to update",
+    secretValue: "The new value of the secret.",
+    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
+    type: "The type of the secret to update.",
+    workspaceId: "The ID of the project to update the secret in."
+  },
+  DELETE: {
+    secretName: "The name of the secret to delete.",
+    environment: "The slug of the environment where the secret is located.",
+    secretPath: "The path of the secret.",
+    type: "The type of the secret to delete.",
+    workspaceId: "The ID of the project where the secret is located."
+  }
+} as const;
+
+export const SECRET_IMPORTS = {
+  LIST: {
+    workspaceId: "The ID of the project to list secret imports from.",
+    environment: "The slug of the environment to list secret imports from.",
+    path: "The path to list secret imports from."
+  },
+  CREATE: {
+    environment: "The slug of the environment to import into.",
+    path: "The path to import into.",
+    workspaceId: "The ID of the project you are working in.",
+    import: {
+      environment: "The slug of the environment to import from.",
+      path: "The path to import from."
+    }
+  },
+  UPDATE: {
+    secretImportId: "The ID of the secret import to update.",
+    environment: "The slug of the environment where the secret import is located.",
+    import: {
+      environment: "The new environment slug to import from.",
+      path: "The new path to import from.",
+      position: "The new position of the secret import. The lowest number will be displayed as the first import."
+    },
+    path: "The path of the secret import to update.",
+    workspaceId: "The ID of the project where the secret import is located."
+  },
+  DELETE: {
+    workspaceId: "The ID of the project to delete the secret import from.",
+    secretImportId: "The ID of the secret import to delete.",
+    environment: "The slug of the environment where the secret import is located.",
+    path: "The path of the secret import to delete."
+  }
+} as const;
+
+export const AUDIT_LOGS = {
+  EXPORT: {
+    workspaceId: "The ID of the project to export audit logs from.",
+    eventType: "The type of the event to export.",
+    userAgentType: "Choose which consuming application to export audit logs for.",
+    startDate: "The date to start the export from.",
+    endDate: "The date to end the export at.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
+    limit: "The number of audit logs to return.",
+    actor: "The actor to filter the audit logs by."
+  }
+} as const;
--- a/backend/src/lib/api-docs/index.ts
+++ b/backend/src/lib/api-docs/index.ts
@ -0,0 +1 @@
+export * from "./constants";
--- a/backend/src/lib/knex/connection.ts
+++ b/backend/src/lib/knex/connection.ts
@ -0,0 +1,11 @@
+import { URL } from "url"; // Import the URL class
+
+export const getDbConnectionHost = (urlString: string) => {
+  try {
+    const url = new URL(urlString);
+    // Split hostname and port (if provided)
+    return url.hostname.split(":")[0];
+  } catch (error) {
+    return null;
+  }
+};
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@ -4,6 +4,7 @@ import { Tables } from "knex/types/tables";

 import { DatabaseError } from "../errors";

+export * from "./connection";
 export * from "./join";
 export * from "./select";

--- a/backend/src/lib/types/index.ts
+++ b/backend/src/lib/types/index.ts
@ -1,17 +1,19 @@
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

 export type TOrgPermission = {
  actor: ActorType;
  actorId: string;
  orgId: string;
-  actorOrgId?: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId: string | undefined;
 };

 export type TProjectPermission = {
  actor: ActorType;
  actorId: string;
  projectId: string;
-  actorOrgId?: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId: string | undefined;
 };

 export type RequiredKeys<T> = {
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@ -6,42 +6,49 @@ import { TServiceTokens, TUsers } from "@app/db/schemas";
 import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
 import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";
-import { ActorType, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
+import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";

 export type TAuthMode =
  | {
-      orgId?: string;
      authMode: AuthMode.JWT;
      actor: ActorType.USER;
      userId: string;
      tokenVersionId: string; // the session id of token used
      user: TUsers;
+      orgId?: string;
+      authMethod: AuthMethod;
    }
  | {
      authMode: AuthMode.API_KEY;
+      authMethod: null;
      actor: ActorType.USER;
      userId: string;
      user: TUsers;
-      orgId?: string;
+      orgId: string;
    }
  | {
      authMode: AuthMode.SERVICE_TOKEN;
      serviceToken: TServiceTokens & { createdByEmail: string };
      actor: ActorType.SERVICE;
      serviceTokenId: string;
+      orgId: string;
+      authMethod: null;
    }
  | {
      authMode: AuthMode.IDENTITY_ACCESS_TOKEN;
      actor: ActorType.IDENTITY;
      identityId: string;
      identityName: string;
+      orgId: string;
+      authMethod: null;
    }
  | {
      authMode: AuthMode.SCIM_TOKEN;
      actor: ActorType.SCIM_CLIENT;
      scimTokenId: string;
      orgId: string;
+      authMethod: null;
    };

 const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
@ -50,6 +57,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
    return { authMode: AuthMode.API_KEY, token: apiKey, actor: ActorType.USER } as const;
  }
  const authHeader = req.headers?.authorization;
+
  if (!authHeader) return { authMode: null, token: null };

  const authTokenValue = authHeader.slice(7); // slice of after Bearer
@ -71,6 +79,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
        actor: ActorType.USER
      } as const;
    case AuthTokenType.API_KEY:
+      // throw new Error("API Key auth is no longer supported.");
      return { authMode: AuthMode.API_KEY, token: decodedToken, actor: ActorType.USER } as const;
    case AuthTokenType.IDENTITY_ACCESS_TOKEN:
      return {
@ -89,17 +98,30 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
  }
 };

+// ! Important: You can only 100% count on the `req.permission.orgId` field being present when the auth method is Identity Access Token (Machine Identity).
 export const injectIdentity = fp(async (server: FastifyZodProvider) => {
  server.decorateRequest("auth", null);
  server.addHook("onRequest", async (req) => {
    const appCfg = getConfig();
    const { authMode, token, actor } = await extractAuth(req, appCfg.AUTH_SECRET);
+
+    if (req.url.includes("/api/v3/auth/")) {
+      return;
+    }
    if (!authMode) return;

    switch (authMode) {
      case AuthMode.JWT: {
        const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
-        req.auth = { authMode: AuthMode.JWT, user, userId: user.id, tokenVersionId, actor, orgId };
+        req.auth = {
+          authMode: AuthMode.JWT,
+          user,
+          userId: user.id,
+          tokenVersionId,
+          actor,
+          orgId,
+          authMethod: token.authMethod
+        };
        break;
      }
      case AuthMode.IDENTITY_ACCESS_TOKEN: {
@ -107,29 +129,40 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
        req.auth = {
          authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
          actor,
+          orgId: identity.orgId,
          identityId: identity.identityId,
-          identityName: identity.name
+          identityName: identity.name,
+          authMethod: null
        };
        break;
      }
      case AuthMode.SERVICE_TOKEN: {
        const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
        req.auth = {
+          orgId: serviceToken.orgId,
          authMode: AuthMode.SERVICE_TOKEN as const,
          serviceToken,
          serviceTokenId: serviceToken.id,
-          actor
+          actor,
+          authMethod: null
        };
        break;
      }
      case AuthMode.API_KEY: {
        const user = await server.services.apiKey.fnValidateApiKey(token as string);
-        req.auth = { authMode: AuthMode.API_KEY as const, userId: user.id, actor, user };
+        req.auth = {
+          authMode: AuthMode.API_KEY as const,
+          userId: user.id,
+          actor,
+          user,
+          orgId: "API_KEY", // We set the orgId to an arbitrary value, since we can't link an API key to a specific org. We have to deprecate API keys soon!
+          authMethod: null
+        };
        break;
      }
      case AuthMode.SCIM_TOKEN: {
        const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
-        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId };
+        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
        break;
      }
      default:
--- a/backend/src/server/plugins/auth/inject-permission.ts
+++ b/backend/src/server/plugins/auth/inject-permission.ts
@ -9,13 +9,33 @@ export const injectPermission = fp(async (server) => {
    if (!req.auth) return;

    if (req.auth.actor === ActorType.USER) {
-      req.permission = { type: ActorType.USER, id: req.auth.userId, orgId: req.auth?.orgId };
+      req.permission = {
+        type: ActorType.USER,
+        id: req.auth.userId,
+        orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
+        authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
+      };
    } else if (req.auth.actor === ActorType.IDENTITY) {
-      req.permission = { type: ActorType.IDENTITY, id: req.auth.identityId };
+      req.permission = {
+        type: ActorType.IDENTITY,
+        id: req.auth.identityId,
+        orgId: req.auth.orgId,
+        authMethod: null
+      };
    } else if (req.auth.actor === ActorType.SERVICE) {
-      req.permission = { type: ActorType.SERVICE, id: req.auth.serviceTokenId };
+      req.permission = {
+        type: ActorType.SERVICE,
+        id: req.auth.serviceTokenId,
+        orgId: req.auth.orgId,
+        authMethod: null
+      };
    } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
-      req.permission = { type: ActorType.SCIM_CLIENT, id: req.auth.scimTokenId, orgId: req.auth.orgId };
+      req.permission = {
+        type: ActorType.SCIM_CLIENT,
+        id: req.auth.scimTokenId,
+        orgId: req.auth.orgId,
+        authMethod: null
+      };
    }
  });
 });
--- a/backend/src/server/plugins/auth/verify-auth.ts
+++ b/backend/src/server/plugins/auth/verify-auth.ts
@ -3,15 +3,26 @@ import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 import { UnauthorizedError } from "@app/lib/errors";
 import { AuthMode } from "@app/services/auth/auth-type";

+interface TAuthOptions {
+  requireOrg: boolean;
+}
+
 export const verifyAuth =
-  <T extends FastifyRequest>(authStrats: AuthMode[]) =>
+  <T extends FastifyRequest>(authStrategies: AuthMode[], options: TAuthOptions = { requireOrg: true }) =>
  (req: T, _res: FastifyReply, done: HookHandlerDoneFunction) => {
-    if (!Array.isArray(authStrats)) throw new Error("Auth strategy must be array");
+    if (!Array.isArray(authStrategies)) throw new Error("Auth strategy must be array");
    if (!req.auth) throw new UnauthorizedError({ name: "Unauthorized access", message: "Token missing" });

-    const isAccessAllowed = authStrats.some((strat) => strat === req.auth.authMode);
+    const isAccessAllowed = authStrategies.some((strategy) => strategy === req.auth.authMode);
    if (!isAccessAllowed) {
      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access` });
    }
+
+    // New optional option. There are some routes which do not require an organization ID to be present on the request.
+    // An example of this is the /v1 auth routes.
+    if (req.auth.authMode === AuthMode.JWT && options.requireOrg === true && !req.permission.orgId) {
+      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access, no organization found in request` });
+    }
+
    done();
  };
--- a/backend/src/server/plugins/swagger.ts
+++ b/backend/src/server/plugins/swagger.ts
@ -14,13 +14,13 @@ export const fastifySwagger = fp(async (fastify) => {
        version: "0.0.1"
      },
      servers: [
-        {
-          url: "http://localhost:8080",
-          description: "Local server"
-        },
        {
          url: "https://app.infisical.com",
          description: "Production server"
+        },
+        {
+          url: "http://localhost:8080",
+          description: "Local server"
        }
      ],
      components: {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -201,7 +201,8 @@ export const registerRoutes = async (
    permissionDAL,
    orgRoleDAL,
    projectRoleDAL,
-    serviceTokenDAL
+    serviceTokenDAL,
+    projectDAL
  });
  const licenseService = licenseServiceFactory({ permissionService, orgDAL, licenseDAL, keyStore });
  const trustedIpService = trustedIpServiceFactory({
@ -266,7 +267,7 @@ export const registerRoutes = async (

  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
  const userService = userServiceFactory({ userDAL });
-  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService });
+  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
  const passwordService = authPaswordServiceFactory({
    tokenService,
    smtpService,
@ -372,6 +373,7 @@ export const registerRoutes = async (
    projectKeyDAL,
    userDAL,
    projectEnvDAL,
+    orgDAL,
    orgService,
    projectMembershipDAL,
    folderDAL,
@ -517,7 +519,8 @@ export const registerRoutes = async (
    projectEnvDAL,
    serviceTokenDAL,
    userDAL,
-    permissionService
+    permissionService,
+    projectDAL
  });

  const identityService = identityServiceFactory({
@ -525,7 +528,10 @@ export const registerRoutes = async (
    identityDAL,
    identityOrgMembershipDAL
  });
-  const identityAccessTokenService = identityAccessTokenServiceFactory({ identityAccessTokenDAL });
+  const identityAccessTokenService = identityAccessTokenServiceFactory({
+    identityAccessTokenDAL,
+    identityOrgMembershipDAL
+  });
  const identityProjectService = identityProjectServiceFactory({
    permissionService,
    projectDAL,
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@ -21,7 +21,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req, res) => {
      const appCfg = getConfig();
      if (req.auth.authMode === AuthMode.JWT) {
@ -85,6 +85,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {

      const token = jwt.sign(
        {
+          authMethod: decodedToken.authMethod,
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: decodedToken.userId,
          tokenVersionId: tokenVersion.id,
--- a/backend/src/server/routes/v1/bot-router.ts
+++ b/backend/src/server/routes/v1/bot-router.ts
@ -30,6 +30,7 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.projectId
      });
      return { bot };
@ -70,6 +71,7 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        botId: req.params.botId,
        botKey: req.body.botKey,
        isActive: req.body.isActive
--- a/backend/src/server/routes/v1/identity-access-token-router.ts
+++ b/backend/src/server/routes/v1/identity-access-token-router.ts
@ -1,5 +1,7 @@
 import { z } from "zod";

+import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+
 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/token/renew",
@ -7,7 +9,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
    schema: {
      description: "Renew access token",
      body: z.object({
-        accessToken: z.string().trim()
+        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.RENEW_ACCESS_TOKEN.accessToken)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { IDENTITIES } from "@app/lib/api-docs";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -20,9 +21,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        }
      ],
      body: z.object({
-        name: z.string().trim(),
-        organizationId: z.string().trim(),
-        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess)
+        name: z.string().trim().describe(IDENTITIES.CREATE.name),
+        organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role)
      }),
      response: {
        200: z.object({
@ -34,6 +35,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.createIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        orgId: req.body.organizationId
@ -78,11 +80,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(IDENTITIES.UPDATE.identityId)
      }),
      body: z.object({
-        name: z.string().trim().optional(),
-        role: z.string().trim().min(1).optional()
+        name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
+        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role)
      }),
      response: {
        200: z.object({
@ -94,6 +96,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.updateIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId,
        ...req.body
@ -127,7 +130,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(IDENTITIES.DELETE.identityId)
      }),
      response: {
        200: z.object({
@ -139,6 +142,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.deleteIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId
      });
--- a/backend/src/server/routes/v1/identity-ua.ts
+++ b/backend/src/server/routes/v1/identity-ua.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@ -26,8 +27,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    schema: {
      description: "Login with Universal Auth",
      body: z.object({
-        clientId: z.string().trim(),
-        clientSecret: z.string().trim()
+        clientId: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientId),
+        clientSecret: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientSecret)
      }),
      response: {
        200: z.object({
@ -76,7 +77,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
      }),
      body: z.object({
        clientSecretTrustedIps: z
@ -85,14 +86,16 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
          })
          .array()
          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
        accessTokenTrustedIps: z
          .object({
            ipAddress: z.string().trim()
          })
          .array()
          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
        accessTokenTTL: z
          .number()
          .int()
@ -100,15 +103,22 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
          .refine((value) => value !== 0, {
            message: "accessTokenTTL must have a non zero number"
          })
-          .default(2592000),
+          .default(2592000)
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
        accessTokenMaxTTL: z
          .number()
          .int()
          .refine((value) => value !== 0, {
            message: "accessTokenMaxTTL must have a non zero number"
          })
-          .default(2592000), // 30 days
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .default(2592000)
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .default(0)
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
      }),
      response: {
        200: z.object({
@ -121,6 +131,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        ...req.body,
        identityId: req.params.identityId
      });
@ -156,7 +167,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
      }),
      body: z.object({
        clientSecretTrustedIps: z
@ -165,16 +176,23 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
          })
          .array()
          .min(1)
-          .optional(),
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
        accessTokenTrustedIps: z
          .object({
            ipAddress: z.string().trim()
          })
          .array()
          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
+        accessTokenTTL: z.number().int().min(0).optional().describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
        accessTokenMaxTTL: z
          .number()
          .int()
@ -182,6 +200,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
            message: "accessTokenMaxTTL must have a non zero number"
          })
          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
      }),
      response: {
        200: z.object({
@ -194,6 +213,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        ...req.body,
        identityId: req.params.identityId
      });
@ -230,7 +250,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.RETRIEVE.identityId)
      }),
      response: {
        200: z.object({
@ -242,6 +262,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
@ -273,12 +294,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.identityId)
      }),
      body: z.object({
-        description: z.string().trim().default(""),
-        numUsesLimit: z.number().min(0).default(0),
-        ttl: z.number().min(0).default(0)
+        description: z.string().trim().default("").describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.description),
+        numUsesLimit: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.numUsesLimit),
+        ttl: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
      }),
      response: {
        200: z.object({
@ -291,6 +312,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        ...req.body
@ -324,7 +346,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.LIST_CLIENT_SECRETS.identityId)
      }),
      response: {
        200: z.object({
@ -336,6 +358,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
@ -366,8 +389,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string(),
-        clientSecretId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.identityId),
+        clientSecretId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.clientSecretId)
      }),
      response: {
        200: z.object({
@ -379,6 +402,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        clientSecretId: req.params.clientSecretId
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@ -53,6 +53,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.getIntegrationAuth({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -80,6 +81,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        integration: req.query.integration,
        projectId: req.query.projectId
      });
@ -117,6 +119,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.deleteIntegrationAuthById({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -157,6 +160,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.oauthExchange({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@ -200,6 +204,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.saveIntegrationToken({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@ -247,6 +252,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const apps = await server.services.integrationAuth.getIntegrationApps({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        ...req.query
@ -278,6 +284,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const teams = await server.services.integrationAuth.getIntegrationAuthTeams({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -306,6 +313,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const branches = await server.services.integrationAuth.getVercelBranches({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -335,6 +343,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const groups = await server.services.integrationAuth.getChecklyGroups({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        accountId: req.query.accountId
@ -343,6 +352,68 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    }
  });

+  server.route({
+    url: "/:integrationAuthId/github/orgs",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          orgs: z.object({ name: z.string(), orgId: z.string() }).array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const orgs = await server.services.integrationAuth.getGithubOrgs({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        id: req.params.integrationAuthId
+      });
+      if (!orgs) throw new Error("No organization found.");
+
+      return { orgs };
+    }
+  });
+
+  server.route({
+    url: "/:integrationAuthId/github/envs",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      querystring: z.object({
+        repoOwner: z.string().trim(),
+        repoName: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          envs: z.object({ name: z.string(), envId: z.string() }).array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const envs = await server.services.integrationAuth.getGithubEnvs({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId,
+        actorAuthMethod: req.permission.authMethod,
+        repoName: req.query.repoName,
+        repoOwner: req.query.repoOwner
+      });
+      if (!envs) throw new Error("No organization found.");
+
+      return { envs };
+    }
+  });
+
  server.route({
    url: "/:integrationAuthId/qovery/orgs",
    method: "GET",
@ -361,6 +432,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const orgs = await server.services.integrationAuth.getQoveryOrgs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -389,6 +461,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const projects = await server.services.integrationAuth.getQoveryProjects({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        orgId: req.query.orgId
@ -418,6 +491,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const environments = await server.services.integrationAuth.getQoveryEnvs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        projectId: req.query.projectId
@ -447,6 +521,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const apps = await server.services.integrationAuth.getQoveryApps({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@ -476,6 +551,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const containers = await server.services.integrationAuth.getQoveryContainers({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@ -505,6 +581,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const jobs = await server.services.integrationAuth.getQoveryJobs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@ -537,6 +614,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const pipelines = await server.services.integrationAuth.getHerokuPipelines({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -565,6 +643,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const environments = await server.services.integrationAuth.getRailwayEnvironments({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -594,6 +673,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const services = await server.services.integrationAuth.getRailwayServices({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -630,6 +710,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const workspaces = await server.services.integrationAuth.getBitbucketWorkspaces({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -663,6 +744,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const secretGroups = await server.services.integrationAuth.getNorthFlankSecretGroups({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -697,6 +779,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const buildConfigs = await server.services.integrationAuth.getTeamcityBuildConfigs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -33,6 +33,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
            secretPrefix: z.string().optional(),
            secretSuffix: z.string().optional(),
            initialSyncBehavior: z.string().optional(),
+            shouldAutoRedeploy: z.boolean().optional(),
            secretGCPLabel: z
              .object({
                labelName: z.string(),
@ -53,6 +54,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      const { integration, integrationAuth } = await server.services.integration.createIntegration({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@ -123,6 +125,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      const integration = await server.services.integration.updateIntegration({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationId,
        ...req.body
@ -148,6 +151,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const integration = await server.services.integration.deleteIntegration({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationId
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@ -29,6 +29,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
        orgId: req.body.organizationId,
        userId: req.permission.id,
        inviteeEmail: req.body.inviteeEmail,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });

--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@ -15,7 +15,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req) => {
      const organizations = await server.services.org.findAllOrganizationOfUser(req.permission.id);
      return { organizations };
@ -40,6 +40,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const organization = await server.services.org.findOrganizationById(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { organization };
@ -76,6 +77,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.org.findAllOrgMembers(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { users };
@ -111,6 +113,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        data: req.body
      });
@ -138,6 +141,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const incidentContactsOrg = await req.server.services.org.findIncidentContacts(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
@ -162,6 +166,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body.email,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
@ -185,6 +190,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.incidentContactId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ENVIRONMENTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -18,11 +19,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.CREATE.workspaceId)
      }),
      body: z.object({
-        name: z.string().trim(),
-        slug: z.string().trim()
+        name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
+        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
      }),
      response: {
        200: z.object({
@ -38,6 +39,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.body
      });
@ -73,13 +75,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim(),
-        id: z.string().trim()
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.UPDATE.workspaceId),
+        id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
      }),
      body: z.object({
-        slug: z.string().trim().optional(),
-        name: z.string().trim().optional(),
-        position: z.number().optional()
+        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
+        name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
+        position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
      }),
      response: {
        200: z.object({
@ -94,6 +96,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      const { environment, old } = await server.services.projectEnv.updateEnvironment({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        id: req.params.id,
@ -136,8 +139,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim(),
-        id: z.string().trim()
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.DELETE.workspaceId),
+        id: z.string().trim().describe(ENVIRONMENTS.DELETE.id)
      }),
      response: {
        200: z.object({
@ -152,6 +155,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      const environment = await server.services.projectEnv.deleteEnvironment({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        id: req.params.id
--- a/backend/src/server/routes/v1/project-key-router.ts
+++ b/backend/src/server/routes/v1/project-key-router.ts
@ -30,6 +30,7 @@ export const registerProjectKeyRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        nonce: req.body.key.nonce,
        receiverId: req.body.key.userId,
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@ -9,6 +9,7 @@ import {
  UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@ -26,7 +27,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
      }),
      response: {
        200: z.object({
@ -65,6 +66,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const memberships = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@ -101,6 +103,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const data = await server.services.projectMembership.addUsersToProject({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        members: req.body.members
@ -134,8 +137,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim(),
-        membershipId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
+        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
      }),
      body: z.object({
        roles: z
@ -156,6 +159,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
          )
          .min(1)
          .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
+          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
      }),
      response: {
        200: z.object({
@ -168,6 +172,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const roles = await server.services.projectMembership.updateProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId,
@ -217,6 +222,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const membership = await server.services.projectMembership.deleteProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@ -7,8 +7,10 @@ import {
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectFilterType } from "@app/services/project/project-types";

 import { integrationAuthPubSchema } from "../sanitizedSchemas";
 import { sanitizedServiceTokenSchema } from "../v2/service-token-router";
@ -44,6 +46,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const publicKeys = await server.services.projectKey.getProjectPublicKeys({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@ -96,6 +99,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actorOrgId: req.permission.orgId
      });
@ -125,7 +129,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    schema: {
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
      }),
      response: {
        200: z.object({
@ -136,37 +140,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.getAProject({
+        filter: {
+          type: ProjectFilterType.ID,
+          projectId: req.params.workspaceId
+        },
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId
-      });
-      return { workspace };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        workspaceName: z.string().trim(),
-        organizationId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          workspace: projectWithEnv
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const workspace = await server.services.project.createProject({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        orgId: req.body.organizationId,
-        actorOrgId: req.permission.orgId,
-        workspaceName: req.body.workspaceName
+        actorOrgId: req.permission.orgId
      });
      return { workspace };
    }
@ -177,7 +158,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "DELETE",
    schema: {
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
      }),
      response: {
        200: z.object({
@ -188,10 +169,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.deleteProject({
+        filter: {
+          type: ProjectFilterType.ID,
+          projectId: req.params.workspaceId
+        },
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId
+        actorOrgId: req.permission.orgId
      });
      return { workspace };
    }
@ -219,6 +204,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const workspace = await server.services.project.updateName({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        name: req.body.name
@ -235,11 +221,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "PATCH",
    schema: {
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
      }),
      body: z.object({
-        name: z.string().trim().max(64, { message: "Name must be 64 or fewer characters" }).optional(),
-        autoCapitalization: z.boolean().optional()
+        name: z
+          .string()
+          .trim()
+          .max(64, { message: "Name must be 64 or fewer characters" })
+          .optional()
+          .describe(PROJECTS.UPDATE.name),
+        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
      }),
      response: {
        200: z.object({
@ -247,17 +238,21 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.updateProject({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId,
+        filter: {
+          type: ProjectFilterType.ID,
+          projectId: req.params.workspaceId
+        },
        update: {
          name: req.body.name,
          autoCapitalization: req.body.autoCapitalization
-        }
+        },
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
      });
      return {
        workspace
@ -287,6 +282,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const workspace = await server.services.project.toggleAutoCapitalization({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        autoCapitalization: req.body.autoCapitalization
@ -323,6 +319,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const integrations = await server.services.integration.listIntegrationByProject({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
@ -348,6 +345,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const authorizations = await server.services.integrationAuth.listIntegrationAuthByProjectId({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
@ -373,6 +371,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const serviceTokenData = await server.services.serviceToken.getProjectServiceTokens({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -19,12 +20,12 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        name: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
+        name: z.string().trim().describe(FOLDERS.CREATE.name),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
      }),
      response: {
        200: z.object({
@ -38,6 +39,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folder = await server.services.folder.createFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -73,15 +75,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      ],
      params: z.object({
        // old way this was name
-        folderId: z.string()
+        folderId: z.string().describe(FOLDERS.UPDATE.folderId)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        name: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+        name: z.string().trim().describe(FOLDERS.UPDATE.name),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
      }),
      response: {
        200: z.object({
@ -95,6 +97,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const { folder, old } = await server.services.folder.updateFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -119,6 +122,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
    }
  });

+  // TODO(daniel): Expose this route in api reference and write docs for it.
  server.route({
    url: "/:folderIdOrName",
    method: "DELETE",
@ -131,14 +135,14 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        folderIdOrName: z.string()
+        folderIdOrName: z.string().describe(FOLDERS.DELETE.folderIdOrName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
        // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
      }),
      response: {
        200: z.object({
@ -152,6 +156,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folder = await server.services.folder.deleteFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -187,11 +192,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      querystring: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.LIST.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
      }),
      response: {
        200: z.object({
@ -205,6 +210,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folders = await server.services.folder.getFolders({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId,
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -19,12 +20,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.CREATE.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.path),
        import: z.object({
-          environment: z.string().trim(),
-          path: z.string().trim().transform(removeTrailingSlash)
+          environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.import.environment),
+          path: z.string().trim().transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.import.path)
        })
      }),
      response: {
@ -43,6 +44,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.createImport({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -80,20 +82,21 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        secretImportId: z.string().trim()
+        secretImportId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.secretImportId)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.UPDATE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.UPDATE.path),
        import: z.object({
-          environment: z.string().trim().optional(),
+          environment: z.string().trim().optional().describe(SECRET_IMPORTS.UPDATE.import.environment),
          path: z
            .string()
            .trim()
            .optional()
-            .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          position: z.number().optional()
+            .transform((val) => (val ? removeTrailingSlash(val) : val))
+            .describe(SECRET_IMPORTS.UPDATE.import.path),
+          position: z.number().optional().describe(SECRET_IMPORTS.UPDATE.import.position)
        })
      }),
      response: {
@ -112,6 +115,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.updateImport({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretImportId,
        ...req.body,
@ -150,12 +154,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        secretImportId: z.string().trim()
+        secretImportId: z.string().trim().describe(SECRET_IMPORTS.DELETE.secretImportId)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash)
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.DELETE.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.DELETE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.DELETE.path)
      }),
      response: {
        200: z.object({
@ -173,6 +177,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.deleteImport({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretImportId,
        ...req.body,
@ -210,9 +215,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      querystring: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash)
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.LIST.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.LIST.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.LIST.path)
      }),
      response: {
        200: z.object({
@ -232,6 +237,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImports = await server.services.secretImport.getImports({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
@ -285,6 +291,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const importedSecrets = await server.services.secretImport.getSecretsFromImports({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
--- a/backend/src/server/routes/v1/secret-tag-router.ts
+++ b/backend/src/server/routes/v1/secret-tag-router.ts
@ -23,6 +23,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      const workspaceTags = await server.services.secretTag.getProjectTags({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId
      });
@ -53,6 +54,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      const workspaceTag = await server.services.secretTag.createTag({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId,
        ...req.body
@ -80,6 +82,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
      const workspaceTag = await server.services.secretTag.deleteTag({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.tagId
      });
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@ -15,7 +15,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req) => {
      const user = await server.services.user.getMe(req.permission.id);
      return { user };
--- a/backend/src/server/routes/v1/webhook-router.ts
+++ b/backend/src/server/routes/v1/webhook-router.ts
@ -47,6 +47,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.createWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@ -93,6 +94,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.updateWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.webhookId,
        isDisabled: req.body.isDisabled
@ -130,6 +132,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.deleteWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.webhookId
      });
@ -172,6 +175,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhook = await server.services.webhook.testWebhook({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.webhookId
      });
@ -204,6 +208,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
      const webhooks = await server.services.webhook.listWebhooks({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -18,7 +19,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        orgId: z.string().trim()
+        orgId: z.string().trim().describe(ORGANIZATIONS.LIST_IDENTITY_MEMBERSHIPS.orgId)
      }),
      response: {
        200: z.object({
@ -41,6 +42,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
      const identityMemberships = await server.services.identity.listOrgIdentities({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.orgId
      });
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@ -7,6 +7,7 @@ import {
  ProjectMembershipRole,
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@ -34,6 +35,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const identityMembership = await server.services.identityProject.createProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId,
@ -55,8 +57,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
        }
      ],
      params: z.object({
-        projectId: z.string().trim(),
-        identityId: z.string().trim()
+        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
      }),
      body: z.object({
        roles: z
@ -76,6 +78,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
            ])
          )
          .min(1)
+          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
      }),
      response: {
        200: z.object({
@ -87,6 +90,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const roles = await server.services.identityProject.updateProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId,
@ -108,8 +112,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
        }
      ],
      params: z.object({
-        projectId: z.string().trim(),
-        identityId: z.string().trim()
+        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
      }),
      response: {
        200: z.object({
@ -121,6 +125,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const identityMembership = await server.services.identityProject.deleteProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId
@ -141,7 +146,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
        }
      ],
      params: z.object({
-        projectId: z.string().trim()
+        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
      }),
      response: {
        200: z.object({
@ -175,6 +180,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
      const identityMemberships = await server.services.identityProject.listProjectIdentities({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId
      });
--- a/backend/src/server/routes/v2/mfa-router.ts
+++ b/backend/src/server/routes/v2/mfa-router.ts
@ -68,11 +68,14 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req, res) => {
      const userAgent = req.headers["user-agent"];
+      const mfaJwtToken = req.headers.authorization?.replace("Bearer ", "");
      if (!userAgent) throw new Error("user agent header is required");
+      if (!mfaJwtToken) throw new Error("authorization header is required");
      const appCfg = getConfig();

      const { user, token } = await server.services.login.verifyMfaToken({
        userAgent,
+        mfaJwtToken,
        ip: req.realIp,
        userId: req.mfa.userId,
        orgId: req.mfa.orgId,
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";

@ -17,7 +18,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(ORGANIZATIONS.LIST_USER_MEMBERSHIPS.organizationId)
      }),
      response: {
        200: z.object({
@ -44,6 +45,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.org.findAllOrgMembers(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { users };
@ -62,7 +64,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
      }),
      response: {
        200: z.object({
@ -88,6 +90,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });

@ -106,9 +109,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          apiKeyAuth: []
        }
      ],
-      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
+      }),
      body: z.object({
-        role: z.string().trim()
+        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
      }),
      response: {
        200: z.object({
@ -123,6 +129,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const membership = await server.services.org.updateOrgMembership({
        userId: req.permission.id,
        role: req.body.role,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        membershipId: req.params.membershipId,
        actorOrgId: req.permission.orgId
@ -142,7 +149,10 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          apiKeyAuth: []
        }
      ],
-      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
+      }),
      response: {
        200: z.object({
          membership: OrgMembershipsSchema
@ -155,6 +165,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {

      const membership = await server.services.org.deleteOrgMembership({
        userId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        membershipId: req.params.membershipId,
        actorOrgId: req.permission.orgId
@ -176,7 +187,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY], { requireOrg: false }),
    handler: async (req) => {
      if (req.auth.actor !== ActorType.USER) return;

@ -210,6 +221,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const organization = await server.services.org.deleteOrganizationById(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { organization };
--- a/backend/src/server/routes/v2/project-membership-router.ts
+++ b/backend/src/server/routes/v2/project-membership-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -11,11 +12,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
    url: "/:projectId/memberships",
    schema: {
      params: z.object({
-        projectId: z.string().describe("The ID of the project.")
+        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
      }),
      body: z.object({
-        emails: z.string().email().array().default([]).describe("Emails of the users to add to the project."),
-        usernames: z.string().array().default([]).describe("Usernames of the users to add to the project.")
+        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
      }),
      response: {
        200: z.object({
@ -27,7 +28,9 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
    handler: async (req) => {
      const memberships = await server.services.projectMembership.addUsersToProjectNonE2EE({
        projectId: req.params.projectId,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
        emails: req.body.emails,
        usernames: req.body.usernames
@ -55,12 +58,12 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
    url: "/:projectId/memberships",
    schema: {
      params: z.object({
-        projectId: z.string().describe("The ID of the project.")
+        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
      }),

      body: z.object({
-        emails: z.string().email().array().default([]).describe("Emails of the users to remove from the project."),
-        usernames: z.string().array().default([]).describe("Usernames of the users to remove from the project.")
+        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
      }),
      response: {
        200: z.object({
@ -73,6 +76,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const memberships = await server.services.projectMembership.deleteProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId,
        emails: req.body.emails,
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@ -3,10 +3,12 @@ import { z } from "zod";

 import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { PROJECTS } from "@app/lib/api-docs";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectFilterType } from "@app/services/project/project-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 const projectWithEnv = ProjectsSchema.merge(
@ -16,6 +18,14 @@ const projectWithEnv = ProjectsSchema.merge(
  })
 );

+const slugSchema = z
+  .string()
+  .min(5)
+  .max(36)
+  .refine((v) => slugify(v) === v, {
+    message: "Slug must be at least 5 character but no more than 36"
+  });
+
 export const registerProjectRouter = async (server: FastifyZodProvider) => {
  /* Get project key */
  server.route({
@ -29,7 +39,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET_KEY.workspaceId)
      }),
      response: {
        200: ProjectKeysSchema.merge(
@ -46,6 +56,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const key = await server.services.projectKey.getLatestProjectKey({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@ -73,7 +84,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        projectId: z.string().trim()
      }),
-
      body: z.object({
        userPrivateKey: z.string().trim()
      }),
@ -81,11 +91,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.void()
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      await server.services.project.upgradeProject({
        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.projectId,
        userPrivateKey: req.body.userPrivateKey
      });
@ -106,9 +118,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const status = await server.services.project.getProjectUpgradeStatus({
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
        projectId: req.params.projectId,
        actor: req.permission.type,
        actorId: req.permission.id
@ -127,7 +141,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        projectName: z.string().trim(),
+        projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
        slug: z
          .string()
          .min(5)
@ -135,8 +149,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
-          .optional(),
-        organizationId: z.string().trim()
+          .optional()
+          .describe(PROJECTS.CREATE.slug)
      }),
      response: {
        200: z.object({
@ -144,12 +158,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const project = await server.services.project.createProject({
        actorId: req.permission.id,
        actor: req.permission.type,
-        orgId: req.body.organizationId,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        workspaceName: req.body.projectName,
        slug: req.body.slug
      });
@ -158,7 +173,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        event: PostHogEventTypes.ProjectCreated,
        distinctId: getTelemetryDistinctId(req),
        properties: {
-          orgId: req.body.organizationId,
+          orgId: project.orgId,
          name: project.name,
          ...req.auditLogInfo
        }
@ -167,4 +182,104 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      return { project };
    }
  });
+
+  /* Delete a project by slug */
+  server.route({
+    method: "DELETE",
+    url: "/:slug",
+    schema: {
+      params: z.object({
+        slug: slugSchema.describe("The slug of the project to delete.")
+      }),
+      response: {
+        200: ProjectsSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+
+    handler: async (req) => {
+      const project = await server.services.project.deleteProject({
+        filter: {
+          type: ProjectFilterType.SLUG,
+          slug: req.params.slug,
+          orgId: req.permission.orgId
+        },
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type
+      });
+
+      return project;
+    }
+  });
+
+  /* Get a project by slug */
+  server.route({
+    method: "GET",
+    url: "/:slug",
+    schema: {
+      params: z.object({
+        slug: slugSchema.describe("The slug of the project to get.")
+      }),
+      response: {
+        200: projectWithEnv
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const project = await server.services.project.getAProject({
+        filter: {
+          slug: req.params.slug,
+          orgId: req.permission.orgId,
+          type: ProjectFilterType.SLUG
+        },
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type
+      });
+
+      return project;
+    }
+  });
+
+  /* Update a project by slug */
+  server.route({
+    method: "PATCH",
+    url: "/:slug",
+    schema: {
+      params: z.object({
+        slug: slugSchema.describe("The slug of the project to update.")
+      }),
+      body: z.object({
+        name: z.string().trim().optional().describe("The new name of the project."),
+        autoCapitalization: z.boolean().optional().describe("The new auto-capitalization setting.")
+      }),
+      response: {
+        200: ProjectsSchema
+      }
+    },
+
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const project = await server.services.project.updateProject({
+        filter: {
+          type: ProjectFilterType.SLUG,
+          slug: req.params.slug,
+          orgId: req.permission.orgId
+        },
+        update: {
+          name: req.body.name,
+          autoCapitalization: req.body.autoCapitalization
+        },
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
+      });
+
+      return project;
+    }
+  });
 };
--- a/backend/src/server/routes/v2/service-token-router.ts
+++ b/backend/src/server/routes/v2/service-token-router.ts
@ -46,6 +46,8 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
    handler: async (req) => {
      const { serviceToken, user } = await server.services.serviceToken.getServiceToken({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
        actor: req.permission.type
      });

@ -98,6 +100,7 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
      const { serviceToken, token } = await server.services.serviceToken.createServiceToken({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId
@ -136,6 +139,7 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
      const serviceTokenData = await server.services.serviceToken.deleteServiceToken({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.serviceTokenId
      });
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@ -60,7 +60,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    preHandler: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    preHandler: verifyAuth([AuthMode.JWT, AuthMode.API_KEY], { requireOrg: false }),
    handler: async (req) => {
      const user = await server.services.user.updateAuthMethods(req.permission.id, req.body.authMethods);
      return { user };
--- a/backend/src/server/routes/v3/login-router.ts
+++ b/backend/src/server/routes/v3/login-router.ts
@ -34,6 +34,42 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "POST",
+    url: "/select-organization",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        organizationId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          token: z.string()
+        })
+      }
+    },
+    handler: async (req, res) => {
+      const cfg = getConfig();
+      const tokens = await server.services.login.selectOrganization({
+        userAgent: req.headers["user-agent"],
+        authJwtToken: req.headers.authorization,
+        organizationId: req.body.organizationId,
+        ipAddress: req.realIp
+      });
+
+      void res.setCookie("jid", tokens.refresh, {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: cfg.HTTPS_ENABLED
+      });
+
+      return { token: tokens.access };
+    }
+  });
+
  server.route({
    method: "POST",
    url: "/login2",
--- a/backend/src/server/routes/v3/secret-blind-index-router.ts
+++ b/backend/src/server/routes/v3/secret-blind-index-router.ts
@ -20,6 +20,7 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
    handler: async (req) => {
      const count = await server.services.secretBlindIndex.getSecretBlindIndexStatus({
        projectId: req.params.projectId,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
@ -52,6 +53,7 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
    handler: async (req) => {
      const secrets = await server.services.secretBlindIndex.getProjectSecrets({
        projectId: req.params.projectId,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
@ -86,6 +88,7 @@ export const registerSecretBlindIndexRouter = async (server: FastifyZodProvider)
      await server.services.secretBlindIndex.updateProjectSecretName({
        projectId: req.params.projectId,
        secretsToUpdate: req.body.secretsToUpdate,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -10,12 +10,14 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+import { RAW_SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+import { ProjectFilterType } from "@app/services/project/project-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 import { secretRawSchema } from "../sanitizedSchemas";
@ -33,13 +35,15 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      querystring: z.object({
-        workspaceId: z.string().trim().optional(),
-        environment: z.string().trim().optional(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceSlug),
+        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
        include_imports: z
          .enum(["true", "false"])
          .default("false")
          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.LIST.includeImports)
      }),
      response: {
        200: z.object({
@ -68,6 +72,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          environment = scope[0].environment;
          workspaceId = req.auth.serviceToken.projectId;
        }
+      } else if (req.permission.type === ActorType.IDENTITY && req.query.workspaceSlug && !workspaceId) {
+        const workspace = await server.services.project.getAProject({
+          filter: {
+            type: ProjectFilterType.SLUG,
+            orgId: req.permission.orgId,
+            slug: req.query.workspaceSlug
+          },
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actor: req.permission.type,
+          actorOrgId: req.permission.orgId
+        });
+
+        if (!workspace) throw new BadRequestError({ message: `No project found with slug ${req.query.workspaceSlug}` });
+
+        workspaceId = workspace.id;
      }

      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
@ -77,13 +97,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        environment,
+        actorAuthMethod: req.permission.authMethod,
        projectId: workspaceId,
        path: secretPath,
        includeImports: req.query.include_imports
      });

      await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: workspaceId,
        ...req.auditLogInfo,
        event: {
          type: EventType.GET_SECRETS,
@ -123,18 +144,19 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.GET.secretName)
      }),
      querystring: z.object({
-        workspaceId: z.string().trim().optional(),
-        environment: z.string().trim().optional(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        version: z.coerce.number().optional(),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
+        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
        include_imports: z
          .enum(["true", "false"])
          .default("false")
          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.includeImports)
      }),
      response: {
        200: z.object({
@ -160,6 +182,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.getSecretByNameRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment,
        projectId: workspaceId,
@ -213,16 +236,24 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-        secretComment: z.string().trim().optional().default(""),
-        skipMultilineEncoding: z.boolean().optional(),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared)
+        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.CREATE.secretPath),
+        secretValue: z
+          .string()
+          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+          .describe(RAW_SECRETS.CREATE.secretValue),
+        secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
+        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type)
      }),
      response: {
        200: z.object({
@ -237,6 +268,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        environment: req.body.environment,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.body.workspaceId,
        secretPath: req.body.secretPath,
        secretName: req.params.secretName,
@ -290,15 +322,23 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        skipMultilineEncoding: z.boolean().optional(),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared)
+        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
+        secretValue: z
+          .string()
+          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+          .describe(RAW_SECRETS.UPDATE.secretValue),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.UPDATE.secretPath),
+        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type)
      }),
      response: {
        200: z.object({
@ -312,6 +352,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        environment: req.body.environment,
        projectId: req.body.workspaceId,
        secretPath: req.body.secretPath,
@ -364,13 +405,18 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared)
+        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.DELETE.secretPath),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.DELETE.type)
      }),
      response: {
        200: z.object({
@ -383,6 +429,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.deleteSecretRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.body.environment,
        projectId: req.body.workspaceId,
@ -478,6 +525,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const { secrets, imports } = await server.services.secret.getSecrets({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.query.environment,
        projectId: req.query.workspaceId,
@ -564,6 +612,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.getSecretByName({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.query.environment,
        projectId: req.query.workspaceId,
@ -666,6 +715,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      if (req.body.type !== SecretType.Personal && req.permission.type === ActorType.USER) {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
+          actorOrgId: req.permission.orgId,
+          actorAuthMethod: req.permission.authMethod,
          actor: req.permission.type,
          secretPath,
          environment,
@ -675,6 +726,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@ -718,6 +770,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.createSecret({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        type,
@ -842,6 +895,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@ -851,6 +905,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@ -896,6 +951,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.updateSecret({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        type,
@ -986,6 +1042,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@ -995,6 +1052,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@ -1028,6 +1086,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secret = await server.services.secret.deleteSecret({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        type,
@ -1110,6 +1169,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@ -1119,6 +1179,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@ -1148,6 +1209,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secrets = await server.services.secret.createManySecret({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        environment,
@ -1231,6 +1293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@ -1240,6 +1303,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@ -1268,6 +1332,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secrets = await server.services.secret.updateManySecret({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: secretPath,
        environment,
@ -1340,6 +1405,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
          actorId: req.permission.id,
          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          secretPath,
          environment,
@ -1349,6 +1415,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          const approval = await server.services.secretApprovalRequest.generateSecretApprovalRequest({
            actorId: req.permission.id,
            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
            actorOrgId: req.permission.orgId,
            secretPath,
            environment,
@ -1376,6 +1443,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const secrets = await server.services.secret.deleteManySecret({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        path: req.body.secretPath,
        environment,
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@ -108,7 +108,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          message: z.string(),
          user: UsersSchema,
-          token: z.string()
+          token: z.string(),
+          organizationId: z.string().nullish()
        })
      }
    },
@ -124,12 +125,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        });
      }

-      const { user, accessToken, refreshToken } = await server.services.signup.completeEmailAccountSignup({
-        ...req.body,
-        ip: req.realIp,
-        userAgent,
-        authorization: req.headers.authorization as string
-      });
+      const { user, accessToken, refreshToken, organizationId } =
+        await server.services.signup.completeEmailAccountSignup({
+          ...req.body,
+          ip: req.realIp,
+          userAgent,
+          authorization: req.headers.authorization as string
+        });

      if (user.email) {
        void server.services.telemetry.sendLoopsEvent(user.email, user.firstName || "", user.lastName || "");
@ -152,7 +154,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        secure: appCfg.HTTPS_ENABLED
      });

-      return { message: "Successfully set up account", user, token: accessToken };
+      return { message: "Successfully set up account", user, token: accessToken, organizationId };
    }
  });

--- a/backend/src/services/auth/auth-fns.ts
+++ b/backend/src/services/auth/auth-fns.ts
@ -15,10 +15,10 @@ export const validateProviderAuthToken = (providerToken: string, username?: stri
  if (decodedToken.username !== username) throw new Error("Invalid auth credentials");

  if (decodedToken.organizationId) {
-    return { orgId: decodedToken.organizationId };
+    return { orgId: decodedToken.organizationId, authMethod: decodedToken.authMethod };
  }

-  return {};
+  return { authMethod: decodedToken.authMethod, orgId: null };
 };

 export const validateSignUpAuthorization = (token: string, userId: string, validate = true) => {
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@ -1,13 +1,16 @@
 import jwt from "jsonwebtoken";

 import { TUsers, UserDeviceSchema } from "@app/db/schemas";
+import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";

+import { TTokenDALFactory } from "../auth-token/auth-token-dal";
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
+import { TOrgDALFactory } from "../org/org-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { validateProviderAuthToken } from "./auth-fns";
@ -17,16 +20,24 @@ import {
  TOauthLoginDTO,
  TVerifyMfaTokenDTO
 } from "./auth-login-type";
-import { AuthMethod, AuthTokenType } from "./auth-type";
+import { AuthMethod, AuthModeJwtTokenPayload, AuthModeMfaJwtTokenPayload, AuthTokenType } from "./auth-type";

 type TAuthLoginServiceFactoryDep = {
  userDAL: TUserDALFactory;
+  orgDAL: TOrgDALFactory;
  tokenService: TAuthTokenServiceFactory;
  smtpService: TSmtpService;
+  tokenDAL: TTokenDALFactory;
 };

 export type TAuthLoginFactory = ReturnType<typeof authLoginServiceFactory>;
-export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }: TAuthLoginServiceFactoryDep) => {
+export const authLoginServiceFactory = ({
+  userDAL,
+  tokenService,
+  smtpService,
+  orgDAL,
+  tokenDAL
+}: TAuthLoginServiceFactoryDep) => {
  /*
   * Private
   * Not exported. This is to update user device list
@ -83,12 +94,14 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    user,
    ip,
    userAgent,
-    organizationId
+    organizationId,
+    authMethod
  }: {
    user: TUsers;
    ip: string;
    userAgent: string;
-    organizationId?: string;
+    organizationId: string | undefined;
+    authMethod: AuthMethod;
  }) => {
    const cfg = getConfig();
    await updateUserDeviceSession(user, ip, userAgent);
@ -98,8 +111,10 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
      userId: user.id
    });
    if (!tokenSession) throw new Error("Failed to create token");
+
    const accessToken = jwt.sign(
      {
+        authMethod,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: user.id,
        tokenVersionId: tokenSession.id,
@ -112,6 +127,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:

    const refreshToken = jwt.sign(
      {
+        authMethod,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: user.id,
        tokenVersionId: tokenSession.id,
@ -158,9 +174,9 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
  const loginExchangeClientProof = async ({
    email,
    clientProof,
-    providerAuthToken,
    ip,
-    userAgent
+    userAgent,
+    providerAuthToken
  }: TLoginClientProofDTO) => {
    const userEnc = await userDAL.findUserEncKeyByUsername({
      username: email
@ -168,14 +184,16 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    if (!userEnc) throw new Error("Failed to find user");
    const cfg = getConfig();

-    let organizationId;
-    if (!userEnc.authMethods?.includes(AuthMethod.EMAIL)) {
-      const { orgId } = validateProviderAuthToken(providerAuthToken as string, email);
-      organizationId = orgId;
-    } else if (providerAuthToken) {
-      // SAML SSO
-      const { orgId } = validateProviderAuthToken(providerAuthToken, email);
-      organizationId = orgId;
+    let authMethod = AuthMethod.EMAIL;
+    let organizationId: string | undefined;
+
+    if (providerAuthToken) {
+      const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
+
+      authMethod = decodedProviderToken.authMethod;
+      if (isAuthMethodSaml(authMethod) && decodedProviderToken.orgId) {
+        organizationId = decodedProviderToken.orgId;
+      }
    }

    if (!userEnc.serverPrivateKey || !userEnc.clientPublicKey) throw new Error("Failed to authenticate. Try again?");
@ -196,9 +214,9 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    if (userEnc.isMfaEnabled && userEnc.email) {
      const mfaToken = jwt.sign(
        {
+          authMethod,
          authTokenType: AuthTokenType.MFA_TOKEN,
-          userId: userEnc.userId,
-          organizationId
+          userId: userEnc.userId
        },
        cfg.AUTH_SECRET,
        {
@ -221,12 +239,60 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
      },
      ip,
      userAgent,
+      authMethod,
      organizationId
    });

    return { token, isMfaEnabled: false, user: userEnc } as const;
  };

+  const selectOrganization = async ({
+    userAgent,
+    authJwtToken,
+    ipAddress,
+    organizationId
+  }: {
+    userAgent: string | undefined;
+    authJwtToken: string | undefined;
+    ipAddress: string;
+    organizationId: string;
+  }) => {
+    const cfg = getConfig();
+
+    if (!authJwtToken) throw new UnauthorizedError({ name: "Authorization header is required" });
+    if (!userAgent) throw new UnauthorizedError({ name: "user agent header is required" });
+
+    // eslint-disable-next-line no-param-reassign
+    authJwtToken = authJwtToken.replace("Bearer ", ""); // remove bearer from token
+
+    // The decoded JWT token, which contains the auth method.
+    const decodedToken = jwt.verify(authJwtToken, cfg.AUTH_SECRET) as AuthModeJwtTokenPayload;
+    if (!decodedToken.authMethod) throw new UnauthorizedError({ name: "Auth method not found on existing token" });
+
+    const user = await userDAL.findUserEncKeyByUserId(decodedToken.userId);
+    if (!user) throw new BadRequestError({ message: "User not found", name: "Find user from token" });
+
+    // Check if the user actually has access to the specified organization.
+    const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
+    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId);
+
+    if (!hasOrganizationMembership) {
+      throw new UnauthorizedError({ message: "User does not have access to the organization" });
+    }
+
+    await tokenDAL.incrementTokenSessionVersion(user.id, decodedToken.tokenVersionId);
+
+    const tokens = await generateUserTokens({
+      authMethod: decodedToken.authMethod,
+      user,
+      userAgent,
+      ip: ipAddress,
+      organizationId
+    });
+
+    return tokens;
+  };
+
  /*
   * Multi factor authentication re-send code, Get user id from token
   * saved in frontend
@ -244,12 +310,15 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
   * Multi factor authentication verification of code
   * Third step of login in which user completes with mfa
   * */
-  const verifyMfaToken = async ({ userId, mfaToken, ip, userAgent, orgId }: TVerifyMfaTokenDTO) => {
+  const verifyMfaToken = async ({ userId, mfaToken, mfaJwtToken, ip, userAgent, orgId }: TVerifyMfaTokenDTO) => {
    await tokenService.validateTokenForUser({
      type: TokenType.TOKEN_EMAIL_MFA,
      userId,
      code: mfaToken
    });
+
+    const decodedToken = jwt.verify(mfaJwtToken, getConfig().AUTH_SECRET) as AuthModeMfaJwtTokenPayload;
+
    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
    if (!userEnc) throw new Error("Failed to authenticate user");

@ -260,7 +329,8 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
      },
      ip,
      userAgent,
-      organizationId: orgId
+      organizationId: orgId,
+      authMethod: decodedToken.authMethod
    });

    return { token, user: userEnc };
@ -339,6 +409,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    oauth2Login,
    resendMfaToken,
    verifyMfaToken,
+    selectOrganization,
    generateUserTokens
  };
 };
--- a/backend/src/services/auth/auth-login-type.ts
+++ b/backend/src/services/auth/auth-login-type.ts
@ -17,6 +17,7 @@ export type TLoginClientProofDTO = {
 export type TVerifyMfaTokenDTO = {
  userId: string;
  mfaToken: string;
+  mfaJwtToken: string;
  ip: string;
  userAgent: string;
  orgId?: string;
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@ -150,11 +150,15 @@ export const authSignupServiceFactory = ({
    });

    if (!organizationId) {
-      await orgService.createOrganization({
+      const newOrganization = await orgService.createOrganization({
        userId: user.id,
        userEmail: user.email ?? user.username,
        orgName: organizationName
      });
+
+      if (!newOrganization) throw new Error("Failed to create organization");
+
+      organizationId = newOrganization.id;
    }

    const updatedMembersips = await orgDAL.updateMembership(
@ -174,6 +178,7 @@ export const authSignupServiceFactory = ({

    const accessToken = jwt.sign(
      {
+        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@ -186,6 +191,7 @@ export const authSignupServiceFactory = ({

    const refreshToken = jwt.sign(
      {
+        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@ -196,7 +202,7 @@ export const authSignupServiceFactory = ({
      { expiresIn: appCfg.JWT_REFRESH_LIFETIME }
    );

-    return { user: updateduser.info, accessToken, refreshToken };
+    return { user: updateduser.info, accessToken, refreshToken, organizationId };
  };

  /*
@ -277,6 +283,7 @@ export const authSignupServiceFactory = ({

    const accessToken = jwt.sign(
      {
+        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.ACCESS_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
@ -288,6 +295,7 @@ export const authSignupServiceFactory = ({

    const refreshToken = jwt.sign(
      {
+        authMethod: AuthMethod.EMAIL,
        authTokenType: AuthTokenType.REFRESH_TOKEN,
        userId: updateduser.info.id,
        tokenVersionId: tokenSession.id,
--- a/backend/src/services/auth/auth-type.ts
+++ b/backend/src/services/auth/auth-type.ts
@ -6,6 +6,7 @@ export enum AuthMethod {
  OKTA_SAML = "okta-saml",
  AZURE_SAML = "azure-saml",
  JUMPCLOUD_SAML = "jumpcloud-saml",
+  GOOGLE_SAML = "google-saml",
  LDAP = "ldap"
 }

@ -38,8 +39,12 @@ export enum ActorType { // would extend to AWS, Azure, ...
  SCIM_CLIENT = "scimClient"
 }

+// This will be null unless the token-type is JWT
+export type ActorAuthMethod = AuthMethod | null;
+
 export type AuthModeJwtTokenPayload = {
  authTokenType: AuthTokenType.ACCESS_TOKEN;
+  authMethod: AuthMethod;
  userId: string;
  tokenVersionId: string;
  accessVersion: number;
@ -48,12 +53,15 @@ export type AuthModeJwtTokenPayload = {

 export type AuthModeMfaJwtTokenPayload = {
  authTokenType: AuthTokenType.MFA_TOKEN;
+  authMethod: AuthMethod;
  userId: string;
  organizationId?: string;
 };

 export type AuthModeRefreshJwtTokenPayload = {
+  // authMode
  authTokenType: AuthTokenType.REFRESH_TOKEN;
+  authMethod: AuthMethod;
  userId: string;
  tokenVersionId: string;
  refreshVersion: number;
@ -63,6 +71,8 @@ export type AuthModeRefreshJwtTokenPayload = {
 export type AuthModeProviderJwtTokenPayload = {
  authTokenType: AuthTokenType.PROVIDER_TOKEN;
  username: string;
+  authMethod: AuthMethod;
+  email: string;
  organizationId?: string;
 };

--- a/backend/src/services/identity-access-token/identity-access-token-service.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-service.ts
@ -6,17 +6,20 @@ import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { checkIPAgainstBlocklist, TIp } from "@app/lib/ip";

 import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "./identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload, TRenewAccessTokenDTO } from "./identity-access-token-types";

 type TIdentityAccessTokenServiceFactoryDep = {
  identityAccessTokenDAL: TIdentityAccessTokenDALFactory;
+  identityOrgMembershipDAL: TIdentityOrgDALFactory;
 };

 export type TIdentityAccessTokenServiceFactory = ReturnType<typeof identityAccessTokenServiceFactory>;

 export const identityAccessTokenServiceFactory = ({
-  identityAccessTokenDAL
+  identityAccessTokenDAL,
+  identityOrgMembershipDAL
 }: TIdentityAccessTokenServiceFactoryDep) => {
  const validateAccessTokenExp = (identityAccessToken: TIdentityAccessTokens) => {
    const {
@ -117,8 +120,16 @@ export const identityAccessTokenServiceFactory = ({
      });
    }

+    const identityOrgMembership = await identityOrgMembershipDAL.findOne({
+      identityId: identityAccessToken.identityId
+    });
+
+    if (!identityOrgMembership) {
+      throw new UnauthorizedError({ message: "Identity does not belong to any organization" });
+    }
+
    validateAccessTokenExp(identityAccessToken);
-    return identityAccessToken;
+    return { ...identityAccessToken, orgId: identityOrgMembership.orgId };
  };

  return { renewAccessToken, fnValidateIdentityAccessToken };
--- a/backend/src/services/identity-project/identity-project-service.ts
+++ b/backend/src/services/identity-project/identity-project-service.ts
@ -49,10 +49,17 @@ export const identityProjectServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    role
  }: TCreateProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Identity);

    const existingIdentity = await identityProjectDAL.findOne({ identityId, projectId });
@ -112,9 +119,16 @@ export const identityProjectServiceFactory = ({
    roles,
    actor,
    actorId,
+    actorAuthMethod,
    actorOrgId
  }: TUpdateProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);

    const projectIdentity = await identityProjectDAL.findOne({ identityId, projectId });
@ -127,6 +141,7 @@ export const identityProjectServiceFactory = ({
      ActorType.IDENTITY,
      projectIdentity.identityId,
      projectIdentity.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
@ -185,6 +200,7 @@ export const identityProjectServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    projectId
  }: TDeleteProjectIdentityDTO) => {
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
@ -195,6 +211,7 @@ export const identityProjectServiceFactory = ({
      actor,
      actorId,
      identityProjectMembership.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
@ -202,6 +219,7 @@ export const identityProjectServiceFactory = ({
      ActorType.IDENTITY,
      identityId,
      identityProjectMembership.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
@ -212,8 +230,20 @@ export const identityProjectServiceFactory = ({
    return deletedIdentity;
  };

-  const listProjectIdentities = async ({ projectId, actor, actorId, actorOrgId }: TListProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const listProjectIdentities = async ({
+    projectId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TListProjectIdentityDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);

    const identityMemberhips = await identityProjectDAL.findByProjectId(projectId);
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@ -144,6 +144,7 @@ export const identityUaServiceFactory = ({
    accessTokenTrustedIps,
    clientSecretTrustedIps,
    actorId,
+    actorAuthMethod,
    actor,
    actorOrgId
  }: TAttachUaDTO) => {
@ -162,6 +163,7 @@ export const identityUaServiceFactory = ({
      actor,
      actorId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
@ -233,6 +235,7 @@ export const identityUaServiceFactory = ({
    accessTokenTrustedIps,
    clientSecretTrustedIps,
    actorId,
+    actorAuthMethod,
    actor,
    actorOrgId
  }: TUpdateUaDTO) => {
@ -256,6 +259,7 @@ export const identityUaServiceFactory = ({
      actor,
      actorId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
@ -308,7 +312,7 @@ export const identityUaServiceFactory = ({
    return { ...updatedUaAuth, orgId: identityMembershipOrg.orgId };
  };

-  const getIdentityUa = async ({ identityId, actorId, actor, actorOrgId }: TGetUaDTO) => {
+  const getIdentityUa = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
@ -322,6 +326,7 @@ export const identityUaServiceFactory = ({
      actor,
      actorId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
@ -334,6 +339,7 @@ export const identityUaServiceFactory = ({
    actorOrgId,
    identityId,
    ttl,
+    actorAuthMethod,
    description,
    numUsesLimit
  }: TCreateUaClientSecretDTO) => {
@ -347,6 +353,7 @@ export const identityUaServiceFactory = ({
      actor,
      actorId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
@ -355,6 +362,7 @@ export const identityUaServiceFactory = ({
      ActorType.IDENTITY,
      identityMembershipOrg.identityId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
@ -388,7 +396,13 @@ export const identityUaServiceFactory = ({
    };
  };

-  const getUaClientSecrets = async ({ actor, actorId, actorOrgId, identityId }: TGetUaClientSecretsDTO) => {
+  const getUaClientSecrets = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    identityId
+  }: TGetUaClientSecretsDTO) => {
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
@ -399,6 +413,7 @@ export const identityUaServiceFactory = ({
      actor,
      actorId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
@ -407,6 +422,7 @@ export const identityUaServiceFactory = ({
      ActorType.IDENTITY,
      identityMembershipOrg.identityId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
@ -431,6 +447,7 @@ export const identityUaServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    clientSecretId
  }: TRevokeUaClientSecretDTO) => {
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
@ -443,6 +460,7 @@ export const identityUaServiceFactory = ({
      actor,
      actorId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
@ -451,6 +469,7 @@ export const identityUaServiceFactory = ({
      ActorType.IDENTITY,
      identityMembershipOrg.identityId,
      identityMembershipOrg.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
--- a/backend/src/services/identity/identity-service.ts
+++ b/backend/src/services/identity/identity-service.ts
@ -25,8 +25,16 @@ export const identityServiceFactory = ({
  identityOrgMembershipDAL,
  permissionService
 }: TIdentityServiceFactoryDep) => {
-  const createIdentity = async ({ name, role, actor, orgId, actorId, actorOrgId }: TCreateIdentityDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createIdentity = async ({
+    name,
+    role,
+    actor,
+    orgId,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TCreateIdentityDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);

    const { permission: rolePermission, role: customRole } = await permissionService.getOrgPermissionByRole(
@ -54,7 +62,15 @@ export const identityServiceFactory = ({
    return identity;
  };

-  const updateIdentity = async ({ id, role, name, actor, actorId, actorOrgId }: TUpdateIdentityDTO) => {
+  const updateIdentity = async ({
+    id,
+    role,
+    name,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TUpdateIdentityDTO) => {
    const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
    if (!identityOrgMembership) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });

@ -62,6 +78,7 @@ export const identityServiceFactory = ({
      actor,
      actorId,
      identityOrgMembership.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
@ -70,6 +87,7 @@ export const identityServiceFactory = ({
      ActorType.IDENTITY,
      id,
      identityOrgMembership.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
@ -108,7 +126,7 @@ export const identityServiceFactory = ({
    return { ...identity, orgId: identityOrgMembership.orgId };
  };

-  const deleteIdentity = async ({ actorId, actor, actorOrgId, id }: TDeleteIdentityDTO) => {
+  const deleteIdentity = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteIdentityDTO) => {
    const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
    if (!identityOrgMembership) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });

@ -116,13 +134,16 @@ export const identityServiceFactory = ({
      actor,
      actorId,
      identityOrgMembership.orgId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
    const { permission: identityRolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
      id,
-      identityOrgMembership.orgId
+      identityOrgMembership.orgId,
+      actorAuthMethod,
+      actorOrgId
    );
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
@ -132,8 +153,8 @@ export const identityServiceFactory = ({
    return { ...deletedIdentity, orgId: identityOrgMembership.orgId };
  };

-  const listOrgIdentities = async ({ orgId, actor, actorId, actorOrgId }: TOrgPermission) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const listOrgIdentities = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPermission) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);

    const identityMemberhips = await identityOrgMembershipDAL.findByOrgId(orgId);
--- a/backend/src/services/integration-auth/integration-app-list.ts
+++ b/backend/src/services/integration-auth/integration-app-list.ts
@ -260,20 +260,44 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
 * Return list of services for Render integration
 */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
-  const res = (
-    await request.get<{ service: { name: string; id: string } }[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        Accept: "application/json",
-        "Accept-Encoding": "application/json"
-      }
-    })
-  ).data;
+  const apps: Array<{ name: string; appId: string }> = [];
+  let hasMorePages = true;
+  const perPage = 100;
+  let cursor;

-  const apps = res.map((a) => ({
-    name: a.service.name,
-    appId: a.service.id
-  }));
+  interface RenderService {
+    cursor: string;
+    service: { name: string; id: string };
+  }
+
+  while (hasMorePages) {
+    const res: RenderService[] = (
+      await request.get<RenderService[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
+        params: new URLSearchParams({
+          ...(cursor ? { cursor: String(cursor) } : {}),
+          limit: String(perPage)
+        }),
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json",
+          "Accept-Encoding": "application/json"
+        }
+      })
+    ).data;
+
+    res.forEach((a) => {
+      apps.push({
+        name: a.service.name,
+        appId: a.service.id
+      });
+    });
+
+    if (res.length < perPage) {
+      hasMorePages = false;
+    } else {
+      cursor = res[res.length - 1].cursor;
+    }
+  }

  return apps;
 };
--- a/backend/src/services/integration-auth/integration-auth-service.ts
+++ b/backend/src/services/integration-auth/integration-auth-service.ts
@ -1,4 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
+import { Octokit } from "@octokit/rest";

 import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@ -24,6 +25,8 @@ import {
  TIntegrationAuthAppsDTO,
  TIntegrationAuthBitbucketWorkspaceDTO,
  TIntegrationAuthChecklyGroupsDTO,
+  TIntegrationAuthGithubEnvsDTO,
+  TIntegrationAuthGithubOrgsDTO,
  TIntegrationAuthHerokuPipelinesDTO,
  TIntegrationAuthNorthflankSecretGroupDTO,
  TIntegrationAuthQoveryEnvironmentsDTO,
@ -61,14 +64,26 @@ export const integrationAuthServiceFactory = ({
  projectBotDAL,
  projectBotService
 }: TIntegrationAuthServiceFactoryDep) => {
-  const listIntegrationAuthByProjectId = async ({ actorId, actor, actorOrgId, projectId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const listIntegrationAuthByProjectId = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const authorizations = await integrationAuthDAL.find({ projectId });
    return authorizations;
  };

-  const getIntegrationAuth = async ({ actor, id, actorId, actorOrgId }: TGetIntegrationAuthDTO) => {
+  const getIntegrationAuth = async ({ actor, id, actorId, actorAuthMethod, actorOrgId }: TGetIntegrationAuthDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -76,6 +91,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -87,6 +103,7 @@ export const integrationAuthServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    integration,
    url,
    code
@ -94,7 +111,13 @@ export const integrationAuthServiceFactory = ({
    if (!Object.values(Integrations).includes(integration as Integrations))
      throw new BadRequestError({ message: "Invalid integration" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

    const bot = await projectBotDAL.findOne({ isActive: true, projectId });
@ -150,6 +173,7 @@ export const integrationAuthServiceFactory = ({
    url,
    actor,
    actorOrgId,
+    actorAuthMethod,
    accessId,
    namespace,
    accessToken
@ -157,7 +181,13 @@ export const integrationAuthServiceFactory = ({
    if (!Object.values(Integrations).includes(integration as Integrations))
      throw new BadRequestError({ message: "Invalid integration" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

    const bot = await projectBotDAL.findOne({ isActive: true, projectId });
@ -274,6 +304,7 @@ export const integrationAuthServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    teamId,
    id,
    workspaceSlug
@ -285,6 +316,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -302,7 +334,13 @@ export const integrationAuthServiceFactory = ({
    return apps;
  };

-  const getIntegrationAuthTeams = async ({ actor, actorId, actorOrgId, id }: TIntegrationAuthTeamsDTO) => {
+  const getIntegrationAuthTeams = async ({
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    id
+  }: TIntegrationAuthTeamsDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -310,6 +348,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -324,7 +363,14 @@ export const integrationAuthServiceFactory = ({
    return teams;
  };

-  const getVercelBranches = async ({ appId, id, actor, actorId, actorOrgId }: TIntegrationAuthVercelBranchesDTO) => {
+  const getVercelBranches = async ({
+    appId,
+    id,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TIntegrationAuthVercelBranchesDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -332,6 +378,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -357,7 +404,14 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getChecklyGroups = async ({ actorId, actor, actorOrgId, id, accountId }: TIntegrationAuthChecklyGroupsDTO) => {
+  const getChecklyGroups = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id,
+    accountId
+  }: TIntegrationAuthChecklyGroupsDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -365,6 +419,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -383,7 +438,7 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getQoveryOrgs = async ({ actorId, actor, actorOrgId, id }: TIntegrationAuthQoveryOrgsDTO) => {
+  const getGithubOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthGithubOrgsDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -391,6 +446,76 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
+
+    const octokit = new Octokit({
+      auth: accessToken
+    });
+
+    const { data } = await octokit.request("GET /user/orgs", {
+      headers: {
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+    if (!data) return [];
+
+    return data.map(({ login: name, id: orgId }) => ({ name, orgId: String(orgId) }));
+  };
+
+  const getGithubEnvs = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id,
+    repoOwner,
+    repoName
+  }: TIntegrationAuthGithubEnvsDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
+
+    const octokit = new Octokit({
+      auth: accessToken
+    });
+
+    const {
+      data: { environments }
+    } = await octokit.request("GET /repos/{owner}/{repo}/environments", {
+      headers: {
+        "X-GitHub-Api-Version": "2022-11-28"
+      },
+      owner: repoOwner,
+      repo: repoName
+    });
+    if (!environments) return [];
+    return environments.map(({ id: envId, name }) => ({ name, envId: String(envId) }));
+  };
+
+  const getQoveryOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthQoveryOrgsDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -409,7 +534,14 @@ export const integrationAuthServiceFactory = ({
    return data.results.map(({ name, id: orgId }) => ({ name, orgId }));
  };

-  const getQoveryProjects = async ({ actorId, actor, actorOrgId, id, orgId }: TIntegrationAuthQoveryProjectDTO) => {
+  const getQoveryProjects = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id,
+    orgId
+  }: TIntegrationAuthQoveryProjectDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -417,6 +549,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -442,6 +575,7 @@ export const integrationAuthServiceFactory = ({
    id,
    actor,
    actorId,
+    actorAuthMethod,
    actorOrgId
  }: TIntegrationAuthQoveryEnvironmentsDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
@ -451,6 +585,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -476,7 +611,14 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getQoveryApps = async ({ id, actor, actorId, actorOrgId, environmentId }: TIntegrationAuthQoveryScopesDTO) => {
+  const getQoveryApps = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environmentId
+  }: TIntegrationAuthQoveryScopesDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -484,6 +626,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -513,6 +656,7 @@ export const integrationAuthServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    environmentId
  }: TIntegrationAuthQoveryScopesDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
@ -522,6 +666,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -546,7 +691,14 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getQoveryJobs = async ({ id, actor, actorId, actorOrgId, environmentId }: TIntegrationAuthQoveryScopesDTO) => {
+  const getQoveryJobs = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environmentId
+  }: TIntegrationAuthQoveryScopesDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -554,6 +706,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -578,7 +731,13 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getHerokuPipelines = async ({ id, actor, actorId, actorOrgId }: TIntegrationAuthHerokuPipelinesDTO) => {
+  const getHerokuPipelines = async ({
+    id,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TIntegrationAuthHerokuPipelinesDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -586,6 +745,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -610,7 +770,14 @@ export const integrationAuthServiceFactory = ({
    }));
  };

-  const getRailwayEnvironments = async ({ id, actor, actorId, actorOrgId, appId }: TIntegrationAuthRailwayEnvDTO) => {
+  const getRailwayEnvironments = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    appId
+  }: TIntegrationAuthRailwayEnvDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -618,6 +785,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -670,7 +838,14 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getRailwayServices = async ({ id, actor, actorId, actorOrgId, appId }: TIntegrationAuthRailwayServicesDTO) => {
+  const getRailwayServices = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    appId
+  }: TIntegrationAuthRailwayServicesDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -678,6 +853,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -737,7 +913,13 @@ export const integrationAuthServiceFactory = ({
    return [];
  };

-  const getBitbucketWorkspaces = async ({ actorId, actor, actorOrgId, id }: TIntegrationAuthBitbucketWorkspaceDTO) => {
+  const getBitbucketWorkspaces = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id
+  }: TIntegrationAuthBitbucketWorkspaceDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -745,6 +927,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -756,9 +939,7 @@ export const integrationAuthServiceFactory = ({

    while (hasNextPage) {
      // eslint-disable-next-line
-      const { data }: { data: { values: TBitbucketWorkspace[]; next: string } } = await request.get(
-        workspaceUrl,
-        {
+      const { data }: { data: { values: TBitbucketWorkspace[]; next: string } } = await request.get(workspaceUrl, {
        headers: {
          Authorization: `Bearer ${accessToken}`,
          "Accept-Encoding": "application/json"
@ -785,6 +966,7 @@ export const integrationAuthServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    appId
  }: TIntegrationAuthNorthflankSecretGroupDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
@ -794,6 +976,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -851,6 +1034,7 @@ export const integrationAuthServiceFactory = ({
    id,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    actor
  }: TGetIntegrationAuthTeamCityBuildConfigDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
@ -860,6 +1044,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
@ -891,16 +1076,29 @@ export const integrationAuthServiceFactory = ({
    integration,
    actor,
    actorId,
+    actorAuthMethod,
    actorOrgId
  }: TDeleteIntegrationAuthsDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);

    const integrations = await integrationAuthDAL.delete({ integration, projectId });
    return integrations;
  };

-  const deleteIntegrationAuthById = async ({ id, actorId, actor, actorOrgId }: TDeleteIntegrationAuthByIdDTO) => {
+  const deleteIntegrationAuthById = async ({
+    id,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteIntegrationAuthByIdDTO) => {
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });

@ -908,6 +1106,7 @@ export const integrationAuthServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
@ -934,6 +1133,8 @@ export const integrationAuthServiceFactory = ({
    getIntegrationApps,
    getVercelBranches,
    getApps,
+    getGithubOrgs,
+    getGithubEnvs,
    getChecklyGroups,
    getQoveryApps,
    getQoveryEnvs,
--- a/backend/src/services/integration-auth/integration-auth-types.ts
+++ b/backend/src/services/integration-auth/integration-auth-types.ts
@ -44,6 +44,16 @@ export type TIntegrationAuthChecklyGroupsDTO = {
  accountId: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TIntegrationAuthGithubOrgsDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TIntegrationAuthGithubEnvsDTO = {
+  id: string;
+  repoName: string;
+  repoOwner: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TIntegrationAuthQoveryOrgsDTO = {
  id: string;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@ -459,7 +459,7 @@ const syncSecretsAWSParameterStore = async ({

  const params = {
    Path: integration.path as string,
-    Recursive: true,
+    Recursive: false,
    WithDecryption: true
  };

@ -1110,98 +1110,176 @@ const syncSecretsGitHub = async ({
  interface GitHubRepoKey {
    key_id: string;
    key: string;
+    id?: number | undefined;
+    url?: string | undefined;
+    title?: string | undefined;
+    created_at?: string | undefined;
  }

  interface GitHubSecret {
    name: string;
    created_at: string;
    updated_at: string;
-  }
-
-  interface GitHubSecretRes {
-    [index: string]: GitHubSecret;
+    visibility?: "all" | "private" | "selected";
+    selected_repositories_url?: string | undefined;
  }

  const octokit = new Octokit({
    auth: accessToken
  });

-  // const user = (await octokit.request('GET /user', {})).data;
-  const repoPublicKey: GitHubRepoKey = (
-    await octokit.request("GET /repos/{owner}/{repo}/actions/secrets/public-key", {
-      owner: integration.owner as string,
-      repo: integration.app as string
-    })
-  ).data;
+  enum GithubScope {
+    Repo = "github-repo",
+    Org = "github-org",
+    Env = "github-env"
+  }
+
+  let repoPublicKey: GitHubRepoKey;
+
+  switch (integration.scope) {
+    case GithubScope.Org: {
+      const { data } = await octokit.request("GET /orgs/{org}/actions/secrets/public-key", {
+        org: integration.owner as string
+      });
+      repoPublicKey = data;
+      break;
+    }
+    case GithubScope.Env: {
+      const { data } = await octokit.request(
+        "GET /repositories/{repository_id}/environments/{environment_name}/secrets/public-key",
+        {
+          repository_id: Number(integration.appId),
+          environment_name: integration.targetEnvironmentId as string
+        }
+      );
+      repoPublicKey = data;
+      break;
+    }
+    default: {
+      const { data } = await octokit.request("GET /repos/{owner}/{repo}/actions/secrets/public-key", {
+        owner: integration.owner as string,
+        repo: integration.app as string
+      });
+      repoPublicKey = data;
+      break;
+    }
+  }

  // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
-  let encryptedSecrets: GitHubSecretRes = (
-    await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
-      owner: integration.owner as string,
-      repo: integration.app as string
-    })
-  ).data.secrets.reduce(
-    (obj, secret) => ({
-      ...obj,
-      [secret.name]: secret
-    }),
-    {}
-  );
+  let encryptedSecrets: GitHubSecret[];

-  encryptedSecrets = Object.keys(encryptedSecrets).reduce(
-    (
-      result: {
-        [key: string]: GitHubSecret;
-      },
-      key
-    ) => {
-      if (
-        (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
-        (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
-      ) {
-        result[key] = encryptedSecrets[key];
-      }
-      return result;
-    },
-    {}
-  );
-
-  await Promise.all(
-    Object.keys(encryptedSecrets).map(async (key) => {
-      if (!(key in secrets)) {
-        return octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+  switch (integration.scope) {
+    case GithubScope.Org: {
+      encryptedSecrets = (
+        await octokit.request("GET /orgs/{org}/actions/secrets", {
+          org: integration.owner as string
+        })
+      ).data.secrets;
+      break;
+    }
+    case GithubScope.Env: {
+      encryptedSecrets = (
+        await octokit.request("GET /repositories/{repository_id}/environments/{environment_name}/secrets", {
+          repository_id: Number(integration.appId),
+          environment_name: integration.targetEnvironmentId as string
+        })
+      ).data.secrets;
+      break;
+    }
+    default: {
+      encryptedSecrets = (
+        await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
          owner: integration.owner as string,
-          repo: integration.app as string,
-          secret_name: key
-        });
+          repo: integration.app as string
+        })
+      ).data.secrets;
+      break;
+    }
+  }
+
+  for await (const encryptedSecret of encryptedSecrets) {
+    if (
+      !(encryptedSecret.name in secrets) &&
+      !(appendices?.prefix !== undefined && !encryptedSecret.name.startsWith(appendices?.prefix)) &&
+      !(appendices?.suffix !== undefined && !encryptedSecret.name.endsWith(appendices?.suffix))
+    ) {
+      switch (integration.scope) {
+        case GithubScope.Org: {
+          await octokit.request("DELETE /orgs/{org}/actions/secrets/{secret_name}", {
+            org: integration.owner as string,
+            secret_name: encryptedSecret.name
+          });
+          break;
+        }
+        case GithubScope.Env: {
+          await octokit.request(
+            "DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
+            {
+              repository_id: Number(integration.appId),
+              environment_name: integration.targetEnvironmentId as string,
+              secret_name: encryptedSecret.name
+            }
+          );
+          break;
+        }
+        default: {
+          await octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+            owner: integration.owner as string,
+            repo: integration.app as string,
+            secret_name: encryptedSecret.name
+          });
+          break;
+        }
      }
-    })
-  );
+    }
+  }

-  await Promise.all(
-    Object.keys(secrets).map((key) => {
-      // let encryptedSecret;
-      return sodium.ready.then(async () => {
-        // convert secret & base64 key to Uint8Array.
-        const binkey = sodium.from_base64(repoPublicKey.key, sodium.base64_variants.ORIGINAL);
-        const binsec = sodium.from_string(secrets[key].value);
+  await sodium.ready.then(async () => {
+    for await (const key of Object.keys(secrets)) {
+      // convert secret & base64 key to Uint8Array.
+      const binkey = sodium.from_base64(repoPublicKey.key, sodium.base64_variants.ORIGINAL);
+      const binsec = sodium.from_string(secrets[key].value);

-        // encrypt secret using libsodium
-        const encBytes = sodium.crypto_box_seal(binsec, binkey);
+      // encrypt secret using libsodium
+      const encBytes = sodium.crypto_box_seal(binsec, binkey);

-        // convert encrypted Uint8Array to base64
-        const encryptedSecret = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+      // convert encrypted Uint8Array to base64
+      const encryptedSecret = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);

-        await octokit.request("PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
-          owner: integration.owner as string,
-          repo: integration.app as string,
-          secret_name: key,
-          encrypted_value: encryptedSecret,
-          key_id: repoPublicKey.key_id
-        });
-      });
-    })
-  );
+      switch (integration.scope) {
+        case GithubScope.Org:
+          await octokit.request("PUT /orgs/{org}/actions/secrets/{secret_name}", {
+            org: integration.owner as string,
+            secret_name: key,
+            visibility: "all",
+            encrypted_value: encryptedSecret,
+            key_id: repoPublicKey.key_id
+          });
+          break;
+        case GithubScope.Env:
+          await octokit.request(
+            "PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
+            {
+              repository_id: Number(integration.appId),
+              environment_name: integration.targetEnvironmentId as string,
+              secret_name: key,
+              encrypted_value: encryptedSecret,
+              key_id: repoPublicKey.key_id
+            }
+          );
+          break;
+        default:
+          await octokit.request("PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+            owner: integration.owner as string,
+            repo: integration.app as string,
+            secret_name: key,
+            encrypted_value: encryptedSecret,
+            key_id: repoPublicKey.key_id
+          });
+          break;
+      }
+    }
+  });
 };

 /**
@ -1229,6 +1307,22 @@ const syncSecretsRender = async ({
      }
    }
  );
+
+  if (integration.metadata) {
+    const metadata = z.record(z.any()).parse(integration.metadata);
+    if (metadata.shouldAutoRedeploy === true) {
+      await request.post(
+        `${IntegrationUrls.RENDER_API_URL}/v1/services/${integration.appId}/deploys`,
+        {},
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json"
+          }
+        }
+      );
+    }
+  }
 };

 /**
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@ -42,6 +42,7 @@ export const integrationServiceFactory = ({
    metadata,
    secretPath,
    targetService,
+    actorAuthMethod,
    targetServiceId,
    integrationAuthId,
    sourceEnvironment,
@ -55,6 +56,7 @@ export const integrationServiceFactory = ({
      actor,
      actorId,
      integrationAuth.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
@ -93,6 +95,7 @@ export const integrationServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    targetEnvironment,
    app,
    id,
@ -109,6 +112,7 @@ export const integrationServiceFactory = ({
      actor,
      actorId,
      integration.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
@ -129,7 +133,7 @@ export const integrationServiceFactory = ({
    return updatedIntegration;
  };

-  const deleteIntegration = async ({ actorId, id, actor, actorOrgId }: TDeleteIntegrationDTO) => {
+  const deleteIntegration = async ({ actorId, id, actor, actorAuthMethod, actorOrgId }: TDeleteIntegrationDTO) => {
    const integration = await integrationDAL.findById(id);
    if (!integration) throw new BadRequestError({ message: "Integration auth not found" });

@ -137,6 +141,7 @@ export const integrationServiceFactory = ({
      actor,
      actorId,
      integration.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
@ -145,8 +150,20 @@ export const integrationServiceFactory = ({
    return { ...integration, ...deletedIntegration };
  };

-  const listIntegrationByProject = async ({ actor, actorId, actorOrgId, projectId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const listIntegrationByProject = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const integrations = await integrationDAL.findByProjectId(projectId);
--- a/backend/src/services/org/org-role-service.ts
+++ b/backend/src/services/org/org-role-service.ts
@ -12,6 +12,7 @@ import {
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { BadRequestError } from "@app/lib/errors";

+import { ActorAuthMethod } from "../auth/auth-type";
 import { TOrgRoleDALFactory } from "./org-role-dal";

 type TOrgRoleServiceFactoryDep = {
@ -26,9 +27,10 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
    userId: string,
    orgId: string,
    data: Omit<TOrgRolesInsert, "orgId">,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Role);
    const existingRole = await orgRoleDAL.findOne({ slug: data.slug, orgId });
    if (existingRole) throw new BadRequestError({ name: "Create Role", message: "Duplicate role" });
@ -45,9 +47,10 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
    orgId: string,
    roleId: string,
    data: Omit<TOrgRolesUpdate, "orgId">,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Role);
    if (data?.slug) {
      const existingRole = await orgRoleDAL.findOne({ slug: data.slug, orgId });
@ -62,8 +65,14 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
    return updatedRole;
  };

-  const deleteRole = async (userId: string, orgId: string, roleId: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const deleteRole = async (
+    userId: string,
+    orgId: string,
+    roleId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Role);
    const [deletedRole] = await orgRoleDAL.delete({ id: roleId, orgId });
    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
@ -71,8 +80,13 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
    return deletedRole;
  };

-  const listRoles = async (userId: string, orgId: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const listRoles = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
    const customRoles = await orgRoleDAL.find({ orgId });
    const roles = [
@ -115,8 +129,18 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
    return roles;
  };

-  const getUserPermission = async (userId: string, orgId: string, actorOrgId?: string) => {
-    const { permission, membership } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const getUserPermission = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission, membership } = await permissionService.getUserOrgPermission(
+      userId,
+      orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
    return { permissions: packRules(permission.rules), membership };
  };

--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@ -18,7 +18,7 @@ import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";

-import { ActorType, AuthMethod, AuthTokenType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType, AuthMethod, AuthTokenType } from "../auth/auth-type";
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
 import { TProjectDALFactory } from "../project/project-dal";
@ -79,8 +79,13 @@ export const orgServiceFactory = ({
  /*
   * Get organization details by the organization id
   * */
-  const findOrganizationById = async (userId: string, orgId: string, actorOrgId?: string) => {
-    await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const findOrganizationById = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    const org = await orgDAL.findOrgById(orgId);
    if (!org) throw new BadRequestError({ name: "Org not found", message: "Organization not found" });
    return org;
@ -95,16 +100,28 @@ export const orgServiceFactory = ({
  /*
   * Get all workspace members
   * */
-  const findAllOrgMembers = async (userId: string, orgId: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const findAllOrgMembers = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);

    const members = await orgDAL.findAllOrgMembers(orgId);
    return members;
  };

-  const findOrgMembersByUsername = async ({ actor, actorId, orgId, emails }: TFindOrgMembersByEmailDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId);
+  const findOrgMembersByUsername = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    orgId,
+    emails
+  }: TFindOrgMembersByEmailDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);

    const members = await orgDAL.findOrgMembersByUsername(orgId, emails);
@ -112,8 +129,8 @@ export const orgServiceFactory = ({
    return members;
  };

-  const findAllWorkspaces = async ({ actor, actorId, actorOrgId, orgId }: TFindAllWorkspacesDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const findAllWorkspaces = async ({ actor, actorId, actorOrgId, actorAuthMethod, orgId }: TFindAllWorkspacesDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);

    const organizationWorkspaceIds = new Set((await projectDAL.find({ orgId })).map((workspace) => workspace.id));
@ -193,10 +210,11 @@ export const orgServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    orgId,
    data: { name, slug, authEnforced, scimEnabled }
  }: TUpdateOrgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);

    const plan = await licenseService.getPlan(orgId);
@ -309,8 +327,13 @@ export const orgServiceFactory = ({
  /*
   * Delete organization by id
   * */
-  const deleteOrganizationById = async (userId: string, orgId: string, actorOrgId?: string) => {
-    const { membership } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const deleteOrganizationById = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { membership } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    if ((membership.role as OrgMembershipRole) !== OrgMembershipRole.Admin)
      throw new UnauthorizedError({ name: "Delete org by id", message: "Not an admin" });

@ -324,8 +347,15 @@ export const orgServiceFactory = ({
   * Org membership management
   * Not another service because it has close ties with how an org works doesn't make sense to seperate them
   * */
-  const updateOrgMembership = async ({ role, orgId, userId, membershipId, actorOrgId }: TUpdateOrgMembershipDTO) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const updateOrgMembership = async ({
+    role,
+    orgId,
+    userId,
+    membershipId,
+    actorAuthMethod,
+    actorOrgId
+  }: TUpdateOrgMembershipDTO) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Member);

    const isCustomRole = !Object.values(OrgMembershipRole).includes(role as OrgMembershipRole);
@ -355,8 +385,14 @@ export const orgServiceFactory = ({
  /*
   * Invite user to organization
   */
-  const inviteUserToOrganization = async ({ orgId, userId, inviteeEmail, actorOrgId }: TInviteUserToOrgDTO) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const inviteUserToOrganization = async ({
+    orgId,
+    userId,
+    inviteeEmail,
+    actorAuthMethod,
+    actorOrgId
+  }: TInviteUserToOrgDTO) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Member);

    const org = await orgDAL.findOrgById(orgId);
@ -515,8 +551,14 @@ export const orgServiceFactory = ({
    return { token, user };
  };

-  const deleteOrgMembership = async ({ orgId, userId, membershipId, actorOrgId }: TDeleteOrgMembershipDTO) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const deleteOrgMembership = async ({
+    orgId,
+    userId,
+    membershipId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteOrgMembershipDTO) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Member);

    const deletedMembership = await orgDAL.transaction(async (tx) => {
@ -568,15 +610,26 @@ export const orgServiceFactory = ({
  /*
   * CRUD operations of incident contacts
   * */
-  const findIncidentContacts = async (userId: string, orgId: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const findIncidentContacts = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.IncidentAccount);
    const incidentContacts = await incidentContactDAL.findByOrgId(orgId);
    return incidentContacts;
  };

-  const createIncidentContact = async (userId: string, orgId: string, email: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const createIncidentContact = async (
+    userId: string,
+    orgId: string,
+    email: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.IncidentAccount);
    const doesIncidentContactExist = await incidentContactDAL.findOne(orgId, { email });
    if (doesIncidentContactExist) {
@ -590,8 +643,14 @@ export const orgServiceFactory = ({
    return incidentContact;
  };

-  const deleteIncidentContact = async (userId: string, orgId: string, id: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
+  const deleteIncidentContact = async (
+    userId: string,
+    orgId: string,
+    id: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.IncidentAccount);

    const incidentContact = await incidentContactDAL.deleteById(id, orgId);
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@ -1,26 +1,29 @@
 import { TOrgPermission } from "@app/lib/types";

-import { ActorType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType } from "../auth/auth-type";

 export type TUpdateOrgMembershipDTO = {
  userId: string;
  orgId: string;
  membershipId: string;
  role: string;
-  actorOrgId?: string;
+  actorOrgId: string | undefined;
+  actorAuthMethod: ActorAuthMethod;
 };

 export type TDeleteOrgMembershipDTO = {
  userId: string;
  orgId: string;
  membershipId: string;
-  actorOrgId?: string;
+  actorOrgId: string | undefined;
+  actorAuthMethod: ActorAuthMethod;
 };

 export type TInviteUserToOrgDTO = {
  userId: string;
  orgId: string;
-  actorOrgId?: string;
+  actorOrgId: string | undefined;
+  actorAuthMethod: ActorAuthMethod;
  inviteeEmail: string;
 };

@ -32,7 +35,9 @@ export type TVerifyUserToOrgDTO = {

 export type TFindOrgMembersByEmailDTO = {
  actor: ActorType;
+  actorOrgId: string | undefined;
  actorId: string;
+  actorAuthMethod: ActorAuthMethod;
  orgId: string;
  emails: string[];
 };
@ -40,7 +45,8 @@ export type TFindOrgMembersByEmailDTO = {
 export type TFindAllWorkspacesDTO = {
  actor: ActorType;
  actorId: string;
-  actorOrgId?: string;
+  actorOrgId: string | undefined;
+  actorAuthMethod: ActorAuthMethod;
  orgId: string;
 };

--- a/backend/src/services/project-bot/project-bot-service.ts
+++ b/backend/src/services/project-bot/project-bot-service.ts
@ -37,10 +37,17 @@ export const projectBotServiceFactory = ({
    projectId,
    actorOrgId,
    privateKey,
+    actorAuthMethod,
    botKey,
    publicKey
  }: TFindBotByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const bot = await projectBotDAL.transaction(async (tx) => {
@ -88,11 +95,25 @@ export const projectBotServiceFactory = ({
    }
  };

-  const setBotActiveState = async ({ actor, botId, botKey, actorId, actorOrgId, isActive }: TSetActiveStateDTO) => {
+  const setBotActiveState = async ({
+    actor,
+    botId,
+    botKey,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    isActive
+  }: TSetActiveStateDTO) => {
    const bot = await projectBotDAL.findById(botId);
    if (!bot) throw new BadRequestError({ message: "Bot not found" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, bot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      bot.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);

    const project = await projectBotDAL.findProjectByBotId(botId);
--- a/backend/src/services/project-env/project-env-service.ts
+++ b/backend/src/services/project-env/project-env-service.ts
@ -27,8 +27,22 @@ export const projectEnvServiceFactory = ({
  projectDAL,
  folderDAL
 }: TProjectEnvServiceFactoryDep) => {
-  const createEnvironment = async ({ projectId, actorId, actor, actorOrgId, name, slug }: TCreateEnvDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const createEnvironment = async ({
+    projectId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    name,
+    slug
+  }: TCreateEnvDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);

    const envs = await projectEnvDAL.find({ projectId });
@ -65,11 +79,18 @@ export const projectEnvServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    name,
    id,
    position
  }: TUpdateEnvDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);

    const oldEnv = await projectEnvDAL.findOne({ id, projectId });
@ -94,8 +115,14 @@ export const projectEnvServiceFactory = ({
    return { environment: env, old: oldEnv };
  };

-  const deleteEnvironment = async ({ projectId, actor, actorId, actorOrgId, id }: TDeleteEnvDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const deleteEnvironment = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod, id }: TDeleteEnvDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);

    const env = await projectEnvDAL.transaction(async (tx) => {
--- a/backend/src/services/project-key/project-key-service.ts
+++ b/backend/src/services/project-key/project-key-service.ts
@ -26,11 +26,18 @@ export const projectKeyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    nonce,
    encryptedKey
  }: TUploadProjectKeyDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);

    const receiverMembership = await projectMembershipDAL.findOne({
@ -46,14 +53,32 @@ export const projectKeyServiceFactory = ({
    await projectKeyDAL.create({ projectId, receiverId, encryptedKey, nonce, senderId: actorId });
  };

-  const getLatestProjectKey = async ({ actorId, projectId, actor, actorOrgId }: TGetLatestProjectKeyDTO) => {
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getLatestProjectKey = async ({
+    actorId,
+    projectId,
+    actor,
+    actorOrgId,
+    actorAuthMethod
+  }: TGetLatestProjectKeyDTO) => {
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
    const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
    return latestKey;
  };

-  const getProjectPublicKeys = async ({ actor, actorId, actorOrgId, projectId }: TGetLatestProjectKeyDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getProjectPublicKeys = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TGetLatestProjectKeyDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
    return projectKeyDAL.findAllProjectUserPubKeys(projectId);
  };
--- a/backend/src/services/project-membership/project-membership-service.ts
+++ b/backend/src/services/project-membership/project-membership-service.ts
@ -67,8 +67,20 @@ export const projectMembershipServiceFactory = ({
  projectKeyDAL,
  licenseService
 }: TProjectMembershipServiceFactoryDep) => {
-  const getProjectMemberships = async ({ actorId, actor, actorOrgId, projectId }: TGetProjectMembershipDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getProjectMemberships = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TGetProjectMembershipDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);

    return projectMembershipDAL.findAllProjectMembers(projectId);
@ -79,13 +91,20 @@ export const projectMembershipServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    members,
    sendEmails = true
  }: TAddUsersToWorkspaceDTO) => {
    const project = await projectDAL.findById(projectId);
    if (!project) throw new BadRequestError({ message: "Project not found" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
    const orgMembers = await orgDAL.findMembership({
      orgId: project.orgId,
@ -145,7 +164,9 @@ export const projectMembershipServiceFactory = ({
  const addUsersToProjectNonE2EE = async ({
    projectId,
    actorId,
+    actorAuthMethod,
    actor,
+    actorOrgId,
    emails,
    usernames,
    sendEmails = true
@ -157,7 +178,13 @@ export const projectMembershipServiceFactory = ({
      throw new BadRequestError({ message: "Please upgrade your project on your dashboard" });
    }

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);

    const usernamesAndEmails = [...emails, ...usernames];
@ -273,11 +300,18 @@ export const projectMembershipServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    membershipId,
    roles
  }: TUpdateProjectMembershipDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);

    const membershipUser = await userDAL.findUserByProjectMembershipId(membershipId);
@ -347,10 +381,17 @@ export const projectMembershipServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    membershipId
  }: TDeleteProjectMembershipOldDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);

    const member = await userDAL.findUserByProjectMembershipId(membershipId);
@ -374,11 +415,18 @@ export const projectMembershipServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    emails,
    usernames
  }: TDeleteProjectMembershipsDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);

    const project = await projectDAL.findById(projectId);
--- a/backend/src/services/project-role/project-role-service.ts
+++ b/backend/src/services/project-role/project-role-service.ts
@ -13,7 +13,7 @@ import {
 } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";

-import { ActorType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 import { TProjectRoleDALFactory } from "./project-role-dal";

 type TProjectRoleServiceFactoryDep = {
@ -29,9 +29,16 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
    actorId: string,
    projectId: string,
    data: Omit<TProjectRolesInsert, "projectId">,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Role);
    const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
    if (existingRole) throw new BadRequestError({ name: "Create Role", message: "Duplicate role" });
@ -49,9 +56,16 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
    projectId: string,
    roleId: string,
    data: Omit<TOrgRolesUpdate, "orgId">,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
    if (data?.slug) {
      const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
@ -71,9 +85,16 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
    actorId: string,
    projectId: string,
    roleId: string,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
    const [deletedRole] = await projectRoleDAL.delete({ id: roleId, projectId });
    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
@ -81,8 +102,20 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
    return deletedRole;
  };

-  const listRoles = async (actor: ActorType, actorId: string, projectId: string, actorOrgId?: string) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const listRoles = async (
+    actor: ActorType,
+    actorId: string,
+    projectId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
    const customRoles = await projectRoleDAL.find({ projectId });
    const roles = [
@ -135,8 +168,18 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
    return roles;
  };

-  const getUserPermission = async (userId: string, projectId: string, actorOrgId?: string) => {
-    const { permission, membership } = await permissionService.getUserProjectPermission(userId, projectId, actorOrgId);
+  const getUserPermission = async (
+    userId: string,
+    projectId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission, membership } = await permissionService.getUserProjectPermission(
+      userId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    return { permissions: packRules(permission.rules), membership };
  };

--- a/backend/src/services/project/project-dal.ts
+++ b/backend/src/services/project/project-dal.ts
@ -5,6 +5,8 @@ import { ProjectsSchema, ProjectUpgradeStatus, ProjectVersion, TableName, TProje
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";

+import { Filter, ProjectFilterType } from "./project-types";
+
 export type TProjectDALFactory = ReturnType<typeof projectDALFactory>;

 export const projectDALFactory = (db: TDbClient) => {
@ -139,7 +141,7 @@ export const projectDALFactory = (db: TDbClient) => {
          { column: `${TableName.Project}.name`, order: "asc" },
          { column: `${TableName.Environment}.position`, order: "asc" }
        ]);
-      return sqlNestRelationships({
+      const project = sqlNestRelationships({
        data: workspaces,
        key: "id",
        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
@ -155,11 +157,86 @@ export const projectDALFactory = (db: TDbClient) => {
          }
        ]
      })?.[0];
+
+      if (!project) {
+        throw new BadRequestError({ message: "Project not found" });
+      }
+
+      return project;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find all projects" });
    }
  };

+  const findProjectBySlug = async (slug: string, orgId: string) => {
+    try {
+      const projects = await db(TableName.ProjectMembership)
+        .where(`${TableName.Project}.slug`, slug)
+        .where(`${TableName.Project}.orgId`, orgId)
+        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
+        .join(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .select(
+          selectAllTableCols(TableName.Project),
+          db.ref("id").withSchema(TableName.Project).as("_id"),
+          db.ref("id").withSchema(TableName.Environment).as("envId"),
+          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
+          db.ref("name").withSchema(TableName.Environment).as("envName")
+        )
+        .orderBy([
+          { column: `${TableName.Project}.name`, order: "asc" },
+          { column: `${TableName.Environment}.position`, order: "asc" }
+        ]);
+
+      const project = sqlNestRelationships({
+        data: projects,
+        key: "id",
+        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
+        childrenMapper: [
+          {
+            key: "envId",
+            label: "environments" as const,
+            mapper: ({ envId, envSlug, envName: name }) => ({
+              id: envId,
+              slug: envSlug,
+              name
+            })
+          }
+        ]
+      })?.[0];
+
+      if (!project) {
+        throw new BadRequestError({ message: "Project not found" });
+      }
+
+      return project;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find project by slug" });
+    }
+  };
+
+  const findProjectByFilter = async (filter: Filter) => {
+    try {
+      if (filter.type === ProjectFilterType.ID) {
+        return await findProjectById(filter.projectId);
+      }
+      if (filter.type === ProjectFilterType.SLUG) {
+        if (!filter.orgId) {
+          throw new BadRequestError({
+            message: "Organization ID is required when querying with slugs"
+          });
+        }
+
+        return await findProjectBySlug(filter.slug, filter.orgId);
+      }
+      throw new BadRequestError({ message: "Invalid filter type" });
+    } catch (error) {
+      if (error instanceof BadRequestError) {
+        throw error;
+      }
+      throw new DatabaseError({ error, name: `Failed to find project by ${filter.type}` });
+    }
+  };
+
  const checkProjectUpgradeStatus = async (projectId: string) => {
    const project = await projectOrm.findById(projectId);
    const upgradeInProgress =
@ -179,6 +256,8 @@ export const projectDALFactory = (db: TDbClient) => {
    findAllProjectsByIdentity,
    findProjectGhostUser,
    findProjectById,
+    findProjectByFilter,
+    findProjectBySlug,
    checkProjectUpgradeStatus
  };
 };
--- a/Show More
+++ b/Show More