add exit after auth setting

Update various identities items

.goreleaser.yaml

@@ -108,7 +108,7 @@ brews:
       zsh_completion.install "completions/infisical.zsh" => "_infisical"
       fish_completion.install "completions/infisical.fish"
       man1.install "manpages/infisical.1.gz"
-  - name: 'infisical@{{.Version}}'
+  - name: "infisical@{{.Version}}"
     tap:
       owner: Infisical
       name: homebrew-get-cli
@@ -186,12 +186,14 @@ aurs:
       # man pages
       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
 
-# dockers:
-#   - dockerfile: cli/docker/Dockerfile
-#     goos: linux
-#     goarch: amd64
-#     ids:
-#       - infisical
-#     image_templates:
-#       - "infisical/cli:{{ .Version }}"
-#       - "infisical/cli:latest"
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Version }}"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}"
+      - "infisical/cli:{{ .Major }}"
+      - "infisical/cli:latest"

README.md

@@ -129,7 +129,7 @@ Note that this security address should be used only for undisclosed vulnerabilit
 
 ## Contributing
 
-Whether it's big or small, we love contributions. Check out our guide to see how to [get started](https://infisical.com/docs/contributing/overview).
+Whether it's big or small, we love contributions. Check out our guide to see how to [get started](https://infisical.com/docs/contributing/getting-started).
 
 Not sure where to get started? You can:
 

backend/package-lock.json

@@ -60,7 +60,7 @@
         "pino": "^8.16.1",
         "pino-http": "^8.5.1",
         "posthog-node": "^2.6.0",
-        "probot": "^12.3.1",
+        "probot": "^12.3.3",
         "query-string": "^7.1.3",
         "rate-limit-mongo": "^2.3.2",
         "rimraf": "^3.0.2",
@@ -5991,9 +5991,9 @@
       }
     },
     "node_modules/@octokit/webhooks": {
-      "version": "9.26.0",
-      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.0.tgz",
-      "integrity": "sha512-foZlsgrTDwAmD5j2Czn6ji10lbWjGDVsUxTIydjG9KTkAWKJrFapXJgO5SbGxRwfPd3OJdhK3nA2YPqVhxLXqA==",
+      "version": "9.26.3",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.3.tgz",
+      "integrity": "sha512-DLGk+gzeVq5oK89Bo601txYmyrelMQ7Fi5EnjHE0Xs8CWicy2xkmnJMKptKJrBJpstqbd/9oeDFi/Zj2pudBDQ==",
       "dependencies": {
         "@octokit/request-error": "^2.0.2",
         "@octokit/webhooks-methods": "^2.0.0",
@@ -16306,9 +16306,9 @@
       }
     },
     "node_modules/probot": {
-      "version": "12.3.1",
-      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.1.tgz",
-      "integrity": "sha512-ECSgycmAC0ILEK6cOa+x3QPufP5JybsuohOFCYr3glQU5SkbmypZJE/Sfio9mxAFHK5LCXveIDsfZCxf6ck4JA==",
+      "version": "12.3.3",
+      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.3.tgz",
+      "integrity": "sha512-cdtKd+xISzi8sw6++BYBXleRknCA6hqUMoHj/sJqQBrjbNxQLhfeFCq9O2d0Z4eShsy5YFRR3MWwDKJ9uAE0CA==",
       "dependencies": {
         "@octokit/core": "^3.2.4",
         "@octokit/plugin-enterprise-compatibility": "^1.2.8",
@@ -16317,7 +16317,7 @@
         "@octokit/plugin-retry": "^3.0.6",
         "@octokit/plugin-throttling": "^3.3.4",
         "@octokit/types": "^8.0.0",
-        "@octokit/webhooks": "^9.8.4",
+        "@octokit/webhooks": "^9.26.3",
         "@probot/get-private-key": "^1.1.0",
         "@probot/octokit-plugin-config": "^1.0.0",
         "@probot/pino": "^2.2.0",
@@ -23392,9 +23392,9 @@
       }
     },
     "@octokit/webhooks": {
-      "version": "9.26.0",
-      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.0.tgz",
-      "integrity": "sha512-foZlsgrTDwAmD5j2Czn6ji10lbWjGDVsUxTIydjG9KTkAWKJrFapXJgO5SbGxRwfPd3OJdhK3nA2YPqVhxLXqA==",
+      "version": "9.26.3",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.3.tgz",
+      "integrity": "sha512-DLGk+gzeVq5oK89Bo601txYmyrelMQ7Fi5EnjHE0Xs8CWicy2xkmnJMKptKJrBJpstqbd/9oeDFi/Zj2pudBDQ==",
       "requires": {
         "@octokit/request-error": "^2.0.2",
         "@octokit/webhooks-methods": "^2.0.0",
@@ -31039,9 +31039,9 @@
       }
     },
     "probot": {
-      "version": "12.3.1",
-      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.1.tgz",
-      "integrity": "sha512-ECSgycmAC0ILEK6cOa+x3QPufP5JybsuohOFCYr3glQU5SkbmypZJE/Sfio9mxAFHK5LCXveIDsfZCxf6ck4JA==",
+      "version": "12.3.3",
+      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.3.tgz",
+      "integrity": "sha512-cdtKd+xISzi8sw6++BYBXleRknCA6hqUMoHj/sJqQBrjbNxQLhfeFCq9O2d0Z4eShsy5YFRR3MWwDKJ9uAE0CA==",
       "requires": {
         "@octokit/core": "^3.2.4",
         "@octokit/plugin-enterprise-compatibility": "^1.2.8",
@@ -31050,7 +31050,7 @@
         "@octokit/plugin-retry": "^3.0.6",
         "@octokit/plugin-throttling": "^3.3.4",
         "@octokit/types": "^8.0.0",
-        "@octokit/webhooks": "^9.8.4",
+        "@octokit/webhooks": "^9.26.3",
         "@probot/get-private-key": "^1.1.0",
         "@probot/octokit-plugin-config": "^1.0.0",
         "@probot/pino": "^2.2.0",

backend/package.json

@@ -51,7 +51,7 @@
     "pino": "^8.16.1",
     "pino-http": "^8.5.1",
     "posthog-node": "^2.6.0",
-    "probot": "^12.3.1",
+    "probot": "^12.3.3",
     "query-string": "^7.1.3",
     "rate-limit-mongo": "^2.3.2",
     "rimraf": "^3.0.2",

backend/spec.json

@@ -4962,7 +4962,8 @@
         },
         "security": [
           {
-            "apiKeyAuth": []
+            "apiKeyAuth": [],
+            "bearerAuth": []
           }
         ]
       }

backend/src/controllers/v1/secretImpsController.ts

@@ -111,11 +111,17 @@ export const createSecretImp = async (req: Request, res: Response) => {
       authData: req.authData,
       workspaceId: new Types.ObjectId(workspaceId)
     });
-    
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
     );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment: secretImport.environment, secretPath: secretImport.secretPath })
+    );
+
   }
 
   const folders = await Folder.findOne({
@@ -323,7 +329,7 @@ export const updateSecretImport = async (req: Request, res: Response) => {
       authData: req.authData,
       workspaceId: importSecDoc.workspace
     });
-    
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, {
@@ -331,6 +337,13 @@ export const updateSecretImport = async (req: Request, res: Response) => {
         secretPath
       })
     );
+
+    secretImports.forEach(({ environment, secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    })
   }
 
   const orderBefore = importSecDoc.imports;
@@ -453,7 +466,7 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
       authData: req.authData,
       workspaceId: importSecDoc.workspace
     });
-    
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       subject(ProjectPermissionSub.Secrets, {
@@ -620,7 +633,7 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
       authData: req.authData,
       workspaceId: new Types.ObjectId(workspaceId)
     });
-    
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, {
@@ -677,7 +690,7 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
       authData: req.authData,
       workspaceId: importSecDoc.workspace
     });
-    
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, {

backend/src/controllers/v1/universalAuthController.ts

@@ -129,9 +129,14 @@ export const renewAccessToken = async (req: Request, res: Response) => {
         accessTokenTTL,
         accessTokenLastRenewedAt,
         accessTokenMaxTTL,
-        createdAt: accessTokenCreatedAt
+        createdAt: accessTokenCreatedAt,
+        accessTokenNumUses,
+        accessTokenNumUsesLimit
     } = identityAccessToken;
 
+    if (accessTokenNumUses >= accessTokenNumUsesLimit) {
+        throw BadRequestError({ message: "Unable to renew because access token number of uses limit reached" })
+    }
 
     // ttl check
     if (accessTokenTTL > 0) {

backend/src/controllers/v2/organizationsController.ts

@@ -1,9 +1,13 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { 
-  IdentityMembershipOrg,
-  Membership, 
+  IWorkspace,
+  Identity,
+  IdentityMembership,
+  IdentityMembershipOrg, 
+  Membership,
   MembershipOrg,
+  User,
   Workspace
 } from "../../models";
 import { Role } from "../../ee/models";
@@ -298,7 +302,8 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
     #swagger.description = 'Return projects in organization that user is part of'
     
     #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
     }]
 
 	#swagger.parameters['organizationId'] = {
@@ -326,6 +331,7 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         }
     }   
     */
+  
   const {
     params: { organizationId }
   } = await validateRequest(reqValidator.GetOrgWorkspacesv2, req);
@@ -351,13 +357,27 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
     ).map((w) => w._id.toString())
   );
 
-  const workspaces = (
-    await Membership.find({
-      user: req.user._id
-    }).populate("workspace")
-  )
-    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
-    .map((m) => m.workspace);
+  let workspaces: IWorkspace[] = [];
+  
+  if (req.authData.authPayload instanceof Identity) {
+    workspaces = (
+      await IdentityMembership.find({
+        identity: req.authData.authPayload._id
+      }).populate<{ workspace: IWorkspace }>("workspace")
+    )
+      .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+      .map((m) => m.workspace);
+  }
+  
+  if (req.authData.authPayload instanceof User) {
+    workspaces = (
+      await Membership.find({
+        user: req.authData.authPayload._id
+      }).populate<{ workspace: IWorkspace }>("workspace")
+    )
+      .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+      .map((m) => m.workspace);
+  }
 
   return res.status(200).send({
     workspaces

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -13,7 +13,7 @@ import {
   ProjectPermissionSub,
   getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 import { Types } from "mongoose";
 
 /**
@@ -86,6 +86,14 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
     ProjectPermissionSub.ServiceTokens
   );
 
+  scopes.forEach(({ environment, secretPath }) => {
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: secretPath })
+    );
+  })
+
+
   const secret = crypto.randomBytes(16).toString("hex");
   const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 

backend/src/ee/controllers/v1/secretApprovalRequestsController.ts

@@ -17,12 +17,12 @@ export const getSecretApprovalRequestCount = async (req: Request, res: Response)
   } = await validateRequest(reqValidator.getSecretApprovalRequestCount, req);
 
   if (!(req.authData.authPayload instanceof User)) return;
-  
+
   const membership = await Membership.findOne({
     user: req.authData.authPayload._id,
     workspace: new Types.ObjectId(workspaceId)
   });
-  
+
   if (!membership) throw UnauthorizedRequestError();
 
   const approvalRequestCount = await SecretApprovalRequest.aggregate([
@@ -73,12 +73,12 @@ export const getSecretApprovalRequests = async (req: Request, res: Response) =>
   } = await validateRequest(reqValidator.getSecretApprovalRequests, req);
 
   if (!(req.authData.authPayload instanceof User)) return;
-  
+
   const membership = await Membership.findOne({
     user: req.authData.authPayload._id,
     workspace: new Types.ObjectId(workspaceId)
   });
-  
+
   if (!membership) throw UnauthorizedRequestError();
 
   const query = {
@@ -168,13 +168,13 @@ export const getSecretApprovalRequestDetails = async (req: Request, res: Respons
     user: req.authData.authPayload._id,
     workspace: secretApprovalRequest.workspace
   });
-  
+
   if (!membership) throw UnauthorizedRequestError();
 
   // allow to fetch only if its admin or is the committer or approver
   if (
     membership.role !== "admin" &&
-    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.committer.equals(membership.id) &&
     !secretApprovalRequest.policy.approvers.find(
       (approverId) => approverId.toString() === membership._id.toString()
     )
@@ -215,7 +215,7 @@ export const updateSecretApprovalReviewStatus = async (req: Request, res: Respon
     user: req.authData.authPayload._id,
     workspace: secretApprovalRequest.workspace
   });
-  
+
   if (!membership) throw UnauthorizedRequestError();
 
   if (
@@ -257,7 +257,7 @@ export const mergeSecretApprovalRequest = async (req: Request, res: Response) =>
     user: req.authData.authPayload._id,
     workspace: secretApprovalRequest.workspace
   });
-  
+
   if (!membership) throw UnauthorizedRequestError();
 
   if (
@@ -307,7 +307,7 @@ export const updateSecretApprovalRequestStatus = async (req: Request, res: Respo
     user: req.authData.authPayload._id,
     workspace: secretApprovalRequest.workspace
   });
-  
+
   if (!membership) throw UnauthorizedRequestError();
 
   if (

backend/src/ee/models/auditLog/enums.ts

@@ -8,7 +8,10 @@ export enum UserAgentType {
   WEB = "web",
   CLI = "cli",
   K8_OPERATOR = "k8-operator",
-  OTHER = "other"
+  TERRAFORM = "terraform",
+  OTHER = "other",
+  PYTHON_SDK = "InfisicalPythonSDK",
+  NODE_SDK = "InfisicalNodeSDK"
 }
 
 export enum EventType {

backend/src/helpers/rateLimiter.ts

@@ -10,7 +10,7 @@ export const apiLimiter = rateLimit({
   //   errorHandler: console.error.bind(null, 'rate-limit-mongo')
   // }),
   windowMs: 60 * 1000,
-  max: 350,
+  max: 480,
   standardHeaders: true,
   legacyHeaders: false,
   skip: (request) => {
@@ -30,7 +30,7 @@ const authLimit = rateLimit({
   //   collectionName: "expressRateRecords-authLimit",
   // }),
   windowMs: 60 * 1000,
-  max: 100,
+  max: 300,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
@@ -46,8 +46,8 @@ export const passwordLimiter = rateLimit({
   //   errorHandler: console.error.bind(null, 'rate-limit-mongo'),
   //   collectionName: "expressRateRecords-passwordLimiter",
   // }),
-  windowMs: 60 * 60 * 1000,
-  max: 10,
+  windowMs: 60 * 1000,
+  max: 300,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {

backend/src/utils/posthog.ts

@@ -7,8 +7,14 @@ export const getUserAgentType = function (userAgent: string | undefined) {
     return UserAgentType.CLI;
   } else if (userAgent == UserAgentType.K8_OPERATOR) {
     return UserAgentType.K8_OPERATOR;
+  } else if (userAgent == UserAgentType.TERRAFORM) {
+    return UserAgentType.TERRAFORM;
   } else if (userAgent.toLowerCase().includes("mozilla")) {
     return UserAgentType.WEB;
+  } else if (userAgent.includes(UserAgentType.NODE_SDK)) {
+    return UserAgentType.NODE_SDK;
+  } else if (userAgent.includes(UserAgentType.PYTHON_SDK)) {
+    return UserAgentType.PYTHON_SDK;
   } else {
     return UserAgentType.OTHER;
   }

backend/src/validation/serviceTokenData.ts

@@ -158,7 +158,7 @@ export const CreateServiceTokenV2 = z.object({
     encryptedKey: z.string().trim(),
     iv: z.string().trim(),
     tag: z.string().trim(),
-    expiresIn: z.number(),
+    expiresIn: z.number().nullable().optional(),
     permissions: z.enum(["read", "write"]).array()
   })
 });

cli/docker/Dockerfile

@@ -1,4 +0,0 @@
-FROM alpine
-RUN apk add --no-cache tini
-COPY infisical /bin/infisical
-ENTRYPOINT ["/sbin/tini", "--", "/bin/infisical"]

cli/docker/alpine

@@ -0,0 +1,9 @@
+FROM alpine
+RUN apk add --no-cache tini
+
+## Upgrade OpenSSL libraries to mitigate known vulnerabilities as the current Alpine image has not been patched yet.
+RUN apk update && apk upgrade --no-cache libcrypto3 libssl3
+
+
+COPY infisical /bin/infisical
+ENTRYPOINT ["/sbin/tini", "--", "/bin/infisical"]

cli/packages/api/api.go

@@ -474,6 +474,7 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 		SetBody(request).
 		SetQueryParam("workspaceId", request.WorkspaceId).
 		SetQueryParam("environment", request.Environment).
+		SetQueryParam("secretPath", request.SecretPath).
 		SetQueryParam("include_imports", "false").
 		Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
 

cli/packages/cmd/agent.go

@@ -37,7 +37,8 @@ type Config struct {
 }
 
 type InfisicalConfig struct {
-	Address string `yaml:"address"`
+	Address       string `yaml:"address"`
+	ExitAfterAuth bool   `yaml:"exit-after-auth"`
 }
 
 type AuthConfig struct {
@@ -219,10 +220,11 @@ type TokenManager struct {
 	newAccessTokenNotificationChan chan bool
 	removeClientSecretOnRead       bool
 	cachedClientSecret             string
+	exitAfterAuth                  bool
 }
 
-func NewTokenManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool) *TokenManager {
-	return &TokenManager{filePaths: fileDeposits, templates: templates, clientIdPath: clientIdPath, clientSecretPath: clientSecretPath, newAccessTokenNotificationChan: newAccessTokenNotificationChan, removeClientSecretOnRead: removeClientSecretOnRead}
+func NewTokenManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *TokenManager {
+	return &TokenManager{filePaths: fileDeposits, templates: templates, clientIdPath: clientIdPath, clientSecretPath: clientSecretPath, newAccessTokenNotificationChan: newAccessTokenNotificationChan, removeClientSecretOnRead: removeClientSecretOnRead, exitAfterAuth: exitAfterAuth}
 }
 
 func (tm *TokenManager) SetToken(token string, accessTokenTTL time.Duration, accessTokenMaxTTL time.Duration) {
@@ -354,6 +356,11 @@ func (tm *TokenManager) ManageTokenLifecycle() {
 			}
 		}
 
+		if tm.exitAfterAuth {
+			time.Sleep(25 * time.Second)
+			os.Exit(0)
+		}
+
 		if accessTokenRefreshedTime.IsZero() {
 			accessTokenRefreshedTime = tm.accessTokenFetchedTime
 		} else {
@@ -471,7 +478,7 @@ var agentCmd = &cobra.Command{
 		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 
 		filePaths := agentConfig.Sinks
-		tm := NewTokenManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead)
+		tm := NewTokenManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
 
 		go tm.ManageTokenLifecycle()
 		go tm.FetchSecrets()

cli/packages/cmd/export.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/posthog/posthog-go"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
@@ -102,7 +101,7 @@ var exportCmd = &cobra.Command{
 
 		fmt.Print(output)
 
-		Telemetry.CaptureEvent("cli-command:export", posthog.NewProperties().Set("secretsCount", len(secrets)).Set("version", util.CLI_VERSION))
+		// Telemetry.CaptureEvent("cli-command:export", posthog.NewProperties().Set("secretsCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},
 }
 

cli/packages/util/secrets.go

@@ -168,7 +168,7 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 		getSecretsRequest.SecretPath = secretsPath
 	}
 
-	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, api.GetRawSecretsV3Request{WorkspaceId: workspaceId, SecretPath: environmentName, Environment: environmentName})
+	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, api.GetRawSecretsV3Request{WorkspaceId: workspaceId, SecretPath: secretsPath, Environment: environmentName})
 	if err != nil {
 		return nil, err
 	}

docs/api-reference/endpoints/organizations/workspaces.mdx

@@ -1,10 +1,4 @@
 ---
 title: "Get Projects"
 openapi: "GET /api/v2/organizations/{organizationId}/workspaces"
----
-
-<Warning>
-    This endpoint will be deprecated in the near future in Q1/Q2 2024.
-
-    We recommend switching to using [identities](/documentation/platform/identities/overview).
-</Warning>
+---

docs/changelog/overview.mdx

@@ -6,6 +6,9 @@ The changelog below reflects new product developments and updates on a monthly b
 
 ## December 2023
 
+- Released [(machine) identities](https://infisical.com/docs/documentation/platform/identities/overview) and [universal auth](https://infisical.com/docs/documentation/platform/identities/universal-auth) features.
+- Created new cross-language SDKs for [Python](https://infisical.com/docs/sdks/languages/python), [Node](https://infisical.com/docs/sdks/languages/node), and [Java](https://infisical.com/docs/sdks/languages/java). 
+- Released first version of the [Infisical Agent](https://infisical.com/docs/infisical-agent/overview)
 - Added ability to [manage folders via CLI](https://infisical.com/docs/cli/commands/secrets).  
 
 ## November 2023

docs/contributing/getting-started/faq.mdx

@@ -6,7 +6,7 @@ description: "Frequently Asked Questions about contributing to Infisical"
 Frequently asked questions about contributing to Infisical can be found on this page. 
 If you can't find the answer you are looking for, please create an issue on our GitHub repository or join our Slack channel for additional support.
 
-<Accordion title="Error building backend (Alpine Linux CDN temporary error)">
+<Accordion title="Error building Infisical platform backend (Alpine Linux CDN temporary error)">
 The Alpine Linux CDN may be unavailable/down in your region infrequently (eg. there is an unplanned outage). One possible fix is to add a retry mechanism and a fallback mirrors array to the Dockerfile. You can also use this as an opportunity to pin the Alpine Linux version for Docker to use in case there are issues with the latest version. Ensure to use https for the mirrors.
 
 #### Make the following changes to the backend Dockerfile

docs/contributing/getting-started/overview.mdx

@@ -1,14 +1,30 @@
 ---
 title: "Overview"
-description: "We welcome any contributions to Infisical, big or small."
+description: "Contributing to the Infisical ecosystem."
 ---
 
 To set a strong foundation, this section outlines how we, the community and members of Infisical,
 should approach the development and contribution process.
 
+## Code-bases
+Infisical has two major code-bases. One for the platform code, and one for SDKs. The contribution process has some key differences between the two, so we've split the documentation into two sections:
+
+- The [Infisical Platform](https://github.com/Infisical/infisical), the Infisical platform itself.
+- The [Infisical SDK](https://github.com/Infisical/sdk), the official Infisical client SDKs.
+
+
+<CardGroup cols={2}>
+    <Card title="Infisical Platform" href="/contributing/platform/developing" icon="layer-group" color="#A1B659">
+        The Infisical platform is the core of the Infisical ecosystem.
+    </Card>
+    <Card href="/contributing/sdk/developing" title="Infisical SDK" icon="code" color="#A1B659">
+    The SDKs are the official Infisical client libraries, used by developers to easily interact with the Infisical platform.
+    </Card>
+</CardGroup>
+
 ## Community
 
-We are building an inclusive community, and this means adhering to the [Code of Conduct](/contributing/code-of-conduct).
+We are building an inclusive community, and this means adhering to the [Code of Conduct](/contributing/getting-started/code-of-conduct).
 
 ## Bugs and issues
 
@@ -29,8 +45,10 @@ If you're ever in doubt about whether or not a proposed feature aligns with Infi
 
 ## Writing and submitting code
 
-Anyone can contribute code to Infisical. To get started, check out the [local development guide](/contributing/developing), make your changes, and submit a pull request to the main repository
-adhering to the [pull request guide](/contributing/pull-requests).
+Anyone can contribute code to Infisical. To get started, check out the local development guides for each language.
+
+- Local development guide for Platform is [here](/contributing/platform/developing). 
+- Local development guide for SDK is [here](/contributing/sdk/developing).
 
 
 ## Licensing
@@ -38,3 +56,4 @@ adhering to the [pull request guide](/contributing/pull-requests).
 Most of Infisical's code is under the MIT license, though some paid feature restrictions are covered by a proprietary license.
 
 Any third party components incorporated into our code are licensed under the original license provided by the applicable component owner.
+

docs/contributing/getting-started/pull-requests.mdx

@@ -19,7 +19,7 @@ You should follow the automatically-generated PR template to fill in the PR desc
 
 Give a functional overview of how your feature works, including how the user can use the feature. Then share any technical details in an overview of how the PR works.
 
-As of `06-01-2023`, all PRs created after this date are required to attach a video of you performing the described functionality.
+As of `06-01-2023`, all PRs created after this date are required to attach a video of you performing the described functionality. 
 
 ### Bug Fix PRs
 
@@ -34,6 +34,8 @@ Once your PR is reviewed, one or two relevant members of the Infisical team shou
 - Vlad: Frontend, Web UI
 - Tony: Backend, SDKs, Security
 - Maidul: Backend, CI/CD, CLI, Kubernetes Operator
+- Daniel: Frontend, UI/UX, Backend, SDKs
+
 
 The team member(s) will start by enabling baseline checks to ensure that there are no leaked secrets, new dependencies are clear, and the frontend/backend services start up. Afterward, they will review your PR thoroughly by testing the code and leave any feedback or work in with you to revise the PR up to standard.
 

docs/contributing/platform/developing.mdx

@@ -1,6 +1,6 @@
 ---
 title: 'Local development'
-description: 'This guide will help you set up and run Infisical in local development.'
+description: 'This guide will help you set up and run the Infisical platform in local development.'
 ---
 
 ## Fork and clone the repo

docs/contributing/sdk/developing.mdx

@@ -0,0 +1,408 @@
+---
+title: "Local development"
+description: "This guide will help you contribute to the Infisical SDK."
+---
+
+## Fork and clone the repo
+
+[Fork](https://docs.github.com/en/get-started/quickstart/fork-a-repo) the [repository](https://github.com/Infisical/sdk) to your own GitHub account and then [clone](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository) it to your local device.
+
+Once, you've done that, create a new branch:
+
+```console
+git checkout -b MY_BRANCH_NAME
+```
+
+## Set up environment variables
+
+Start by creating a .env file at the root of the Infisical directory then copy the contents of the file below into the .env file.
+
+<Accordion title=".env file content">
+  ```env 
+    # This is required for running tests locally.
+    # Rename this file to ".env" and fill in the values below.
+
+    # Please make sure that the machine identity has access to the project you are testing in.
+    # https://infisical.com/docs/documentation/platform/identities/universal-auth
+    INFISICAL_UNIVERSAL_CLIENT_ID=MACHINE_IDENTITY_CLIENT_ID
+    INFISICAL_UNIVERSAL_CLIENT_SECRET=MACHINE_IDENTITY_CLIENT_SECRET
+
+    # The ID of the Infisical project where we will create the test secrets.
+    # NOTE: The project must have a dev environment. (This is created by default when you create a project.)
+    INFISICAL_PROJECT_ID=INFISICAL_TEST_PROJECT_ID
+
+    # The Infisical site URL. If you are testing with a local Infisical instance, then this should be set to "http://localhost:8080".
+    INFISICAL_SITE_URL=https://app.infisical.com
+
+````
+</Accordion>
+
+<Warning>
+  The above values are required for running tests locally. Before opening a pull request, make sure to run `cargo test` to ensure that all tests pass.
+</Warning>
+
+
+## Guidelines
+
+### Predictable and consistent
+When adding new functionality (such as new functions), it's very important that the functionality is added to _all_ the SDK's. This is to ensure that the SDK's are predictable and consistent across all languages. If you are adding new functionality, please make sure to add it to all the SDK's.
+
+### Handling errors
+Error handling is very important when writing SDK's. We want to make sure that the SDK's are easy to use, and that the user gets a good understanding of what went wrong when something fails. When adding new functionality, please make sure to add proper error handling. [Read more about error handling here](#error-handling).
+
+### Tests
+If you add new functionality or modify existing functionality, please write tests thats properly cover the new functionality. You can run tests locally by running `cargo test` from the root directory. You must always run tests before opening a pull request.
+
+### Code style
+Please follow the default rust styling guide when writing code for the base SDK. [Read more about rust code style here](https://doc.rust-lang.org/nightly/style-guide/#the-default-rust-style).
+
+
+## Prerequisites for contributing
+
+### Understanding the terms
+
+In the guide we use some terms that might be unfamiliar to you. Here's a quick explanation of the terms we use:
+- **Base SDK**: The base SDK is the SDK that all other SDK's are built on top of. The base SDK is written in Rust, and is responsible for executing commands and parsing the input and output to and from JSON.
+- **Commands**: Commands are what's being sent from the target language to the command handler. The command handler uses the command to execute the corresponding function in the base SDK. Commands are in reality just a JSON string that tells the command handler what function to execute, and what input to use.
+- **Command handler**: The command handler is the part of the base SDK that takes care of executing commands. It also takes care of parsing the input and output to and from JSON.
+- **Target language**: The target language refers to the actual SDK code. For example, the [Node.js SDK](https://www.npmjs.com/package/@infisical/sdk) is a "target language", and so is the [Python SDK](https://pypi.org/project/infisical-python/).
+
+
+### Understanding the execution flow
+After the target language SDK is initiated, it uses language-specific bindings to interact with the base SDK.
+These bindings are instantiated, setting up the interface for command execution. A client within the command handler is created, which issues commands to the base SDK.
+When a command is executed, it is first validated. If valid, the command handler locates the corresponding command to perform. If the command executes successfully, the command handler returns the output to the target language SDK, where it is parsed and returned to the user.
+If the command handler fails to validate the input, an error will be returned to the target language SDK.
+
+
+<Frame caption="Execution flow diagram for the SDK from the target language to the base SDK. The execution flow is the same for all target languages.">
+  <img height="640" width="520" src="images/sdk-flow.png" />
+</Frame>
+
+
+
+### Rust knowledge
+
+Contributing to the SDK requires intermediate to advanced knowledge of Rust concepts such as lifetimes, traits, generics, and async/await _(futures)_, and more.
+
+### Rust setup
+The base SDK is written in rust. Therefore you must have rustc and cargo installed. You can install rustc and cargo by following the instructions [here](https://www.rust-lang.org/tools/install).
+
+You shouldn't have to use the rust cross compilation toolchain, as all compilation is done through a collection of Github Actions. However. If you need to test cross compilation, please do so with Github Actions.
+
+### Tests
+If you add new functionality or modify existing functionality, please write tests thats properly cover the new functionality. You can run tests locally by running `cargo test` from the root directory.
+
+### Language-specific crates
+The language-specific crates should ideally never have to be modified, as they are simply a wrapper for the `infisical-json` crate, which executes "commands" from the base SDK. If you need to create a new target-language specific crate, please try to create native bindings for the target language. Some languages don't have direct support for native bindings (Java as an example). In those cases we can use the C bindings (`crates/infisical-c`) in the target language.
+
+
+
+
+## Generate types
+Having almost seemless type safety from the base SDK to the target language is critical, as writing types for each language has a lot of drawbacks such as duplicated code, and lots of overhead trying to keep the types up-to-date and in sync across a large collection of languages. Therefore we decided to use [QuickType](https://quicktype.io/) and [Serde](https://serde.rs/) to help us generate types for each language. In our Rust base SDK (`crates/infisical`), we define all the inputs/outputs.
+
+If you are interested in reading about QuickType works under the hood, you can [read more here](http://blog.quicktype.io/under-the-hood/).
+
+This is an example of a type defined in Rust (both input and output). For this to become a generated type, you'll need to add it to our schema generator. More on that further down.
+```rust
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+// Input:
+pub struct CreateSecretOptions {
+  pub environment: String,                   // environment
+  pub secret_comment: Option<String>,        // secretComment
+  pub path: Option<String>,                  // secretPath
+  pub secret_value: String,                  // secretValue
+  pub skip_multiline_encoding: Option<bool>, // skipMultilineEncoding
+  pub r#type: Option<String>,                // shared / personal
+  pub project_id: String,                    // workspaceId
+  pub secret_name: String,                   // secretName (PASSED AS PARAMETER IN REQUEST)
+}
+
+// Output:
+#[derive(Serialize, Deserialize, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct CreateSecretResponse {
+  pub secret: Secret, // "Secret" is defined elsewhere.
+}
+````
+
+### Adding input types to the schema generator
+
+You will _only_ have to define outputs in our schema generator, then QuickType will take care of the rest behind the scenes. You can find the Rust crate that takes care of type generation here: `crates/sdk-schemas/src/main.rs`.
+
+Simply add the output _(also called response)_, to the `write_schema_for_response!` macro. This will let QuickType know that it should generate types for the given structs. The main function will look something like this:
+
+```rust
+fn main() -> Result<()> {
+    // Input types for new Client
+    write_schema_for!(infisical_json::client::ClientSettings);
+    // Input types for Client::run_command
+    write_schema_for!(infisical_json::command::Command);
+
+    // Output types for Client::run_command
+    // Only add structs which are direct results of SDK commands.
+    write_schema_for_response! {
+        infisical::manager::secrets::GetSecretResponse,
+        infisical::manager::secrets::ListSecretsResponse,
+        infisical::manager::secrets::UpdateSecretResponse,
+        infisical::manager::secrets::DeleteSecretResponse,
+        infisical::manager::secrets::CreateSecretResponse, // <-- This is the output from the above example!
+        infisical::auth::AccessTokenSuccessResponse
+    };
+
+    Ok(())
+}
+```
+
+### Generating the types for the target language
+
+Once you've added the output to the schema generator, you can generate the types for the target language by running the following command from the root directory:
+
+```console
+$ npm install
+$ npm run schemas
+```
+
+<Warning>If you change any of the structs defined in the base SDK, you will need to run this script to re-generate the types.</Warning>
+
+This command will run the `schemas.ts` file found in the `support/scripts` folder. If you are adding a new language, it's important that you add the language to the code.
+
+This is an example of how how we generate types for Node.js:
+
+```ts
+const ts = await quicktype({
+    inputData,
+    lang: "typescript",
+    rendererOptions: {}
+});
+await ensureDir("./languages/node/src/infisical_client");
+writeToFile("./languages/node/src/infisical_client/schemas.ts", ts.lines);
+```
+
+## Building bindings
+We've tried to streamline the building process as much as possible. So you shouldn't have to worry much about building bindings, as it should just be a few commands.
+
+### Node.js
+Building bindings for Node.js is very straight foward. The command below will generate NAPI bindings for Node.js, and move the bindings to the correct folder. We use [NAPI-RS](https://napi.rs/) to generate the bindings.
+
+```console
+$ cd languages/node
+$ npm run build
+```
+
+### Python
+To generate and use python bindings you will need to run the following commands.
+The Python SDK is located inside the crates folder. This is a limitation of the maturin tool, forcing us to structure the project in this way.
+
+```console
+$ pip install -U pip maturin
+$ cd crates/infisical-py
+$ python3 -m venv .venv
+$ source .venv/bin/activate
+$ maturin develop
+```
+
+<Warning>
+    After running the commands above, it's very important that you rename the generated .so file to `infisical_py.so`. After renaming it you also need to move it into the root of the `crates/infisical-py` folder.
+</Warning>
+
+### Java
+Java uses the C bindings to interact with the base SDK. To build and use the C bindings in Java, please follow the instructions below.
+
+```console
+$ cd crates/infisical-c
+$ cargo build --release
+$ cd ../../languages/java
+```
+<Warning>
+    After generating the C bindings, the generated .so or .dll has been created in the `/target` directory at the root of the project.
+    You have to manually move the generated file into the `languages/java/src/main/resources` directory.
+</Warning>
+
+## Error handling
+
+### Error handling in the base SDK
+
+The base SDK should never panic. If an error occurs, we should return a `Result` with an error message. We have a custom Result type defined in the `error.rs` file in the base SDK.
+
+All our errors are defined in an enum called `Error`. The `Error` enum is defined in the `error.rs` file in the base SDK. The `Error` enum is used in the `Result` type, which is used as the return type for all functions in the base SDK.
+
+```rust
+#[derive(Debug, Error)]
+pub enum Error {
+    // Secret not found
+    #[error("Secret with name '{}' not found.", .secret_name)]
+    SecretNotFound { secret_name: String },
+
+    // .. other errors
+
+    // Errors that are not specific to the base SDK.
+    #[error(transparent)]
+    Reqwest(#[from] reqwest::Error),
+    #[error(transparent)]
+    Serde(#[from] serde_json::Error),
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+```
+
+### Returning an error
+
+You can find many examples of how we return errors in the SDK code. A relevant example is for creating secrets, which can be found in `crates/infisical/src/api/secrets/create_secret.rs`. When the error happened due to a request error to our API, we have an API error handler. This prevents duplicate code and keeps error handling consistent across the SDK. You can find the api error handler in the `error.rs` file.
+
+### Error handling in the target language SDK's.
+
+All data sent to the target language SDK has the same format. The format is an object with 3 fields: `success (boolean)`, `data (could be anything or nothing)`, and `errorMessage (string or null)`.
+
+The `success` field is used to determine if the request was successful or not. The `data` field is used to return data from the SDK. The `errorMessage` field is used to return an error message if the request was not successful.
+
+This means that if the success if false or if the error message is not null, something went wrong and we should throw an error on the target-language level, with the error message.
+
+## Command handler
+
+### What is the command handler
+
+The command handler (the `infisical-json` crate), takes care of executing commands sent from the target language. It also takes care of parsing the input and output to and from JSON. The command handler is the only part of the base SDK that should be aware of JSON. The rest of the base SDK should be completely unaware of JSON, and only work with the Rust structs defined in the base SDK.
+
+The command handler exposes a function called `run_command`, which is what we use in the target language to execute commands. The function takes a json string as input, and returns a json string as output. We use helper functions generated by QuickType to convert the input and output to and from JSON.
+
+### Creating new SDK methods
+
+Creating new commands is necessary when adding new methods to the SDK's. Defining a new command is a 3-step process in most cases.
+
+#### 1. Define the input and output structs
+
+Earlier in this guide, we defined the input and output structs for the `CreateSecret` command. We will use that as an example here as well.
+
+#### 2. Creating the method in the base SDK
+
+The first step is to create the method in the base SDK. This step will be different depending on what method you are adding. In this example we're going to assume you're adding a function for creating a new secret.
+
+After you created the function for creating the secret, you'll need need to add it to the ClientSecrets implementation. We do it this way to keep the code organized and easy to read. The ClientSecrets struct is located in the `crates/infisical/src/manager/secrets.rs` file.
+
+```rust
+pub struct ClientSecrets<'a> {
+    pub(crate) client: &'a mut crate::Client,
+}
+
+impl<'a> ClientSecrets<'a> {
+    pub async fn create(&mut self, input: &CreateSecretOptions) -> Result<CreateSecretResponse> {
+        create_secret(self.client, input).await // <-- This is the function you created!
+    }
+}
+
+impl<'a> Client {
+    pub fn secrets(&'a mut self) -> ClientSecrets<'a> {
+        ClientSecrets { client: self }
+    }
+}
+```
+
+#### 3. Define a new command
+
+We define new commands in the `crates/infisical-json/src/command.rs` file. The `Command` enum is what we use to define new commands.
+
+In the codesnippet below we define a new command called `CreateSecret`. The `CreateSecret` command takes a `CreateSecretOptions` struct as input. We don't have to define the output, because QuickType's converter helps us with figuring out the return type for each command.
+
+````rust
+```rust
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+#[derive(Serialize, Deserialize, JsonSchema, Debug)]
+#[serde(rename_all = "camelCase", deny_unknown_fields)]
+pub enum Command {
+    GetSecret(GetSecretOptions),
+    ListSecrets(ListSecretsOptions),
+    CreateSecret(CreateSecretOptions), // <-- The new command!
+    UpdateSecret(UpdateSecretOptions),
+    DeleteSecret(DeleteSecretOptions),
+}
+````
+
+#### 4. Add the command to the command handler
+
+After defining the command, we need to add it to the command handler itself. This takes place in the `crates/infisical-json/src/client.rs` file. The `run_command` function is what we use to execute commands.
+
+In the Client implementation we try to parse the JSON string into a `Command` enum. If the parsing is successful, we match the command and execute the corresponding function.
+
+```rust
+match cmd {
+    Command::GetSecret(req) => self.0.secrets().get(&req).await.into_string(),
+    Command::ListSecrets(req) => self.0.secrets().list(&req).await.into_string(),
+    Command::UpdateSecret(req) => self.0.secrets().update(&req).await.into_string(),
+    Command::DeleteSecret(req) => self.0.secrets().delete(&req).await.into_string(),
+
+    // This is the new command:
+    Command::CreateSecret(req) => self.0.secrets().create(&req).await.into_string(),
+}
+```
+
+#### 5. Implementing the new command in the target language SDK's
+
+We did it! We've now added a new command to the base SDK. The last step is to implement the new command in the target language SDK's. The process is a little different from language to language, but in this example we're going to assume that we're adding a new command to the Node.js SDK.
+
+First you'll need to generate the new type schemas, we added a new command, input struct, and output struct. [Read more about generating types here](#generating-the-types-for-the-target-language).
+
+Secondly you need to build the new node bindings so we can use the new functionality in the Node.js SDK. You can do this by running the following command from the `languages/node` directory:
+
+```console
+$ npm install
+$ npm run build
+```
+
+The build command will execute a build script in the `infisical-napi` crate, and move the generated bindings to the appropriate folder.
+
+After building the new bindings, you can access the new functionality in the Node.js SDK source.
+
+```ts
+// 'binding' is a js file that makes it easier to access the methods in the bindings. (it's auto generated when running npm run build)
+import * as rust from "../../binding";
+// We can import the newly generated types from the schemas.ts file. (Generated with QuickType!)
+import type { CreateSecretOptions, CreateSecretResponse } from "./schemas";
+// This is the QuickType converter that we use to create commands with! It takes care of all JSON parsing and serialization.
+import { Convert, ClientSettings } from "./schemas";
+
+export class InfisicalClient {
+    #client: rust.Client;
+
+    constructor(settings: ClientSettings) {
+        const settingsJson = settings == null ? null : Convert.clientSettingsToJson(settings);
+        this.#client = new rust.InfisicalClient(settingsJson);
+    }
+
+    // ... getSecret
+    // ... listSecrets
+    // ... updateSecret
+    // ... deleteSecret
+
+    async createSecret(options: CreateSecretOptions): Promise<CreateSecretResponse["secret"]> {
+        // The runCommand will return a JSON string, which we can parse into a CreateSecretResponse.
+        const command = await this.#client.runCommand(
+            Convert.commandToJson({
+                createSecret: options
+            })
+        );
+        const response = Convert.toResponseForCreateSecretResponse(command); // <-- This is the QuickType converter in action!
+
+        // If the response is not successful or the data is null, we throw an error.
+        if (!response.success || response.data == null) {
+            throw new Error(response.errorMessage ?? "Something went wrong");
+        }
+
+        // To make it easier to work with the response, we return the secret directly.
+        return response.data.secret;
+    }
+}
+```
+
+And that's it! We've now added a new command to the base SDK, and implemented it in the Node.js SDK. The process is very similar for all other languages, but the code will look a little different.
+
+## Conclusion
+
+The SDK has a lot of moving parts, and it can be a little overwhelming at first. But once you get the hang of it, it's actually quite simple. If you have any questions, feel free to reach out to us on [Slack](https://infisical.com/slack), or [open an issue](https://github.com/Infisical/sdk/issues) on GitHub.

docs/documentation/getting-started/sdks.mdx

@@ -13,7 +13,8 @@ Prerequisites:
 
 Follow the instructions for your language use the SDK for it:
 
-- [Node SDK](https://github.com/Infisical/infisical-node)
-- [Python SDK](https://github.com/Infisical/infisical-python)
+- [Node SDK](https://infisical.com/docs/sdks/languages/node)
+- [Python SDK](https://infisical.com/docs/sdks/languages/python)
+- [Java SDK](https://infisical.com/docs/sdks/languages/java)
 
 Missing a language? [Throw in a request](https://github.com/Infisical/infisical/issues).

docs/documentation/guides/nextjs-vercel.mdx

@@ -240,12 +240,6 @@ At this stage, you know how to use the Infisical-Vercel integration to sync prod
         
         Check out the [security guide](/security/overview).
     </Accordion>
-    <Accordion title="Is there way to retain end-to-end encryption for syncing production secrets to Vercel?">
-        Yes. You can also use the Infisical [Node SDK](https://github.com/Infisical/infisical-node) to fetch secrets back to your Next.js app
-        in both development and production.
-
-        Depending on how you use it, however, it may require certain pages to be server-side rendered.  
-    </Accordion>
 </AccordionGroup>
 
 See also:

docs/documentation/platform/identities/overview.mdx

@@ -4,8 +4,7 @@ description: "Programmatically interact with Infisical"
 ---
 
 <Note>
-  Currently, identities can only be used to make authenticated requests to the Infisical API and do not work with any clients such as [Node SDK](https://github.com/Infisical/infisical-node)
-  , [Python SDK](https://github.com/Infisical/infisical-python), CLI, K8s operator, Terraform Provider, etc.
+  Currently, identities can only be used to make authenticated requests to the Infisical API and SDKs. They do not work with clients such as CLI, K8s Operator, Terraform Provider, etc.
 
   We will be releasing compatibility with it across clients in the coming quarter.
 </Note>

docs/documentation/platform/secret-reference.mdx

@@ -12,8 +12,8 @@ This means that updating the value of a base secret propagates directly to other
     Currently, the secret referencing feature is only supported by the 
     [Infisical CLI](/cli/overview) and [native integrations](/integrations/overview).
 
-    We intend to add support for it to the [Node SDK](https://github.com/Infisical/infisical-node)
-    and [Python SDK](https://github.com/Infisical/infisical-python) this quarter.
+    We intend to add support for it to the [Node SDK](https://infisical.com/docs/sdks/languages/node), 
+    [Python SDK](https://infisical.com/docs/sdks/languages/python), and [Java SDK](https://infisical.com/docs/sdks/languages/java) this quarter.
 </Note>
 
 ![secret referencing](../../images/platform/secret-references-imports/secret-reference.png)

docs/documentation/platform/sso/azure.mdx

@@ -10,97 +10,97 @@ description: "Configure Azure SAML for Infisical SSO"
    then you should contact team@infisical.com to purchase an enterprise license to use it.
 </Info>
 
-1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
-   Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
+<Steps>
+   <Step title="Prepare the SAML SSO configuration in Infisical">
+      In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
 
-![Azure SAML initial configuration](../../../images/sso/azure/init-config.png)
+      Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
 
-2. In the Azure Portal, navigate to the Azure Active Directory and select **Enterprise applications**. On this screen, select
-   **+ New application**.
+      ![Azure SAML initial configuration](../../../images/sso/azure/init-config.png)
+   </Step>
+   <Step title="Create a SAML application in Azure">
+      In the Azure Portal, navigate to the Azure Active Directory and select **Enterprise applications**. On this screen, select **+ New application**.
 
-![Azure SAML enterprise applications](../../../images/sso/azure/enterprise-applications.png)
+      ![Azure SAML enterprise applications](../../../images/sso/azure/enterprise-applications.png)
 
-![Azure SAML new application](../../../images/sso/azure/new-application.png)
+      ![Azure SAML new application](../../../images/sso/azure/new-application.png)
+      
+      On the next screen, press the **+ Create your own application** button.
+      Give the application a unique name like Infisical; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
+      option and hit the **Create** button.
 
-2. On the next screen, press the **+ Create your own application** button.
-   Give the application a unique name like Infisical; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
-   option and hit the **Create** button.
+      ![Azure SAML create own application](../../../images/sso/azure/create-own-application.png)
 
-![Azure SAML create own application](../../../images/sso/azure/create-own-application.png)
+      On the application overview screen, select **Single sign-on** from the left sidebar. From there, select the **SAML** single sign-on method.
 
-3. On the application overview screen, select **Single sign-on** from the left sidebar. From there,
-   select the **SAML** single sign-on method.
+      ![Azure SAML sign on method](../../../images/sso/azure/sso-method.png)
 
-![Azure SAML sign on method](../../../images/sso/azure/sso-method.png)
+      Next, select **Edit** in the **Basic SAML Configuration** section and add/set the **Identifier (Entity ID)** to **Entity ID** and add/set the **Reply URL (Assertion Consumer Service URL)** to **ACS URL** from step 1.
 
-4. Next, select **Edit** in the **Basic SAML Configuration** section and add/set the **Identifier (Entity ID)**
-   to **Entity ID** and add/set the **Reply URL (Assertion Consumer Service URL)** to **ACS URL** from step 1.
+      ![Azure SAML edit basic configuration](../../../images/sso/azure/edit-basic-config.png)
 
-![Azure SAML edit basic configuration](../../../images/sso/azure/edit-basic-config.png)
+      ![Azure SAML edit basic configuration 2](../../../images/sso/azure/edit-basic-config-2.png)
 
-![Azure SAML edit basic configuration 2](../../../images/sso/azure/edit-basic-config-2.png)
+      <Note>
+      If you're self-hosting Infisical, then you will want to replace
+      `https://app.infisical.com` with your own domain.
+      </Note>
 
-<Note>
-  If you're self-hosting Infisical, then you will want to replace
-  `https://app.infisical.com` with your own domain.
-</Note>
+      Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **Attributes & Claims** section and configure the following map:
 
-5. Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **Attributes & Claims** section and configure the following map:
+      - `email -> user.userprinciplename`
+      - `firstName -> user.firstName`
+      - `lastName -> user.lastName`
 
-- `email -> user.userprinciplename`
-- `firstName -> user.firstName`
-- `lastName -> user.lastName`
+      ![Azure SAML edit attributes and claims](../../../images/sso/azure/edit-attributes-claims.png)
 
-![Azure SAML edit attributes and claims](../../../images/sso/azure/edit-attributes-claims.png)
+      ![Azure SAML edit attributes and claims 2](../../../images/sso/azure/edit-attributes-claims-2.png)
 
-![Azure SAML edit attributes and claims 2](../../../images/sso/azure/edit-attributes-claims-2.png)
+      Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **SAML Certificates** section and set the **Signing Option** field to **Sign SAML response and assertion**.
 
-6. Back in the **Set up Single Sign-On with SAML** screen, select **Edit** in the **SAML Certificates** section and set the **Signing Option** field to **Sign SAML response and assertion**.
+      ![Azure SAML edit certificate](../../../images/sso/azure/edit-saml-certificate.png)
 
-![Azure SAML edit certificate](../../../images/sso/azure/edit-saml-certificate.png)
+      ![Azure SAML edit certificate signing option](../../../images/sso/azure/edit-saml-certificate-2.png)
+   </Step>
+   <Step title="Retrieve Identity Provider (IdP) Information from Okta">
+      In the **Set up Single Sign-On with SAML** screen, copy the **Login URL** and **SAML Certificate** to use when finishing configuring Azure SAML in Infisical.
 
-![Azure SAML edit certificate signing option](../../../images/sso/azure/edit-saml-certificate-2.png)
+      ![Azure SAML identity provider values 1](../../../images/sso/azure/idp-values.png)
 
-7. Get IdP values:
+      In the **Properties** screen, copy the **Application ID** to use when finishing configuring Azure SAML in Infisical.
 
-In the **Set up Single Sign-On with SAML** screen, copy the **Login URL** and **SAML Certificate** to use when finishing configuring Azure SAML in Infisical.
+      ![Azure SAML identity provider values 2](../../../images/sso/azure/idp-values-2.png)
+   </Step>
+   <Step title="Finish configuring SAML in Infisical">
+      Back in Infisical, set **Login URL**, **Azure Application ID**, and **SAML Certificate** from step 3. Once you've done that, press **Update** to complete the required configuration.
 
-![Azure SAML identity provider values 1](../../../images/sso/azure/idp-values.png)
+      ![Azure SAML paste identity provider values](../../../images/sso/azure/idp-values-3.png)
 
-In the **Properties** screen, copy the **Application ID** to use when finishing configuring Azure SAML in Infisical.
+      <Note>
+      When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
+      CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
+      of the text area respectively.
 
-![Azure SAML identity provider values 2](../../../images/sso/azure/idp-values-2.png)
+      Having trouble?, try copying the X509 certificate information from the Federation Metadata XML file in Azure.
 
-Back in Infisical, set **Login URL**, **Azure Application ID**, and **SAML Certificate** from above. Once you've done that, press **Update** to complete the required configuration.
+      </Note>
+   </Step>
+   <Step title="Assign users in Azure to the application">
+      Back in Azure, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
+      
+      ![Azure SAML assignment](../../../images/sso/azure/assignment.png)
+   </Step>   
+   <Step title="Enable SAML SSO in Infisical">
+      Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Azure.
 
-![Azure SAML paste identity provider values](../../../images/sso/azure/idp-values-3.png)
-
-<Note>
-When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
-  CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
-  of the text area respectively.
-
-Having trouble?, try copying the X509 certificate information from the Federation Metadata XML file in Azure.
-
-</Note>
-
-7. Assignments
-
-Back in Azure, navigate to the **Users and groups** tab and select **+ Add user/group** to assign access to the login with SSO application on a user or group-level.
-![Azure SAML assignment](../../../images/sso/azure/assignment.png)
-
-8. Return to Infisical and enable SAML SSO.
-
-Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Azure.
-
-![Azure SAML assignment](../../../images/sso/azure/enable-saml.png)
+      ![Azure SAML assignment](../../../images/sso/azure/enable-saml.png)
+   </Step>
+</Steps>
 
 <Note>
    If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
-   set the `JWT_PROVIDER_AUTH_SECRET` and `SITE_URL` environment variable for it to work:
+   set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
    
-   - `JWT_PROVIDER_AUTH_SECRET`: This is secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
+   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
    - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
-</Note>
-
-
+</Note>

docs/documentation/platform/sso/github.mdx

@@ -5,38 +5,39 @@ description: "Configure GitHub SSO for Infisical"
 
 Using GitHub SSO on a self-hosted instance of Infisical requires configuring an OAuth2 application in GitHub and registering your instance with it.
 
-## Create an OAuth application in GitHub
+<Steps>
+  <Step title="Create an OAuth application in GitHub">
+    Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application.
 
-Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application.
+    ![GitHub settings](../../../images/sso/github/settings.png)
+    ![GitHub developer settings](../../../images/sso/github/dev-settings.png)
+    ![GitHub create new OAuth application](../../../images/sso/github/new-app.png)
 
-![GitHub settings](../../../images/sso/github/settings.png)
-![GitHub developer settings](../../../images/sso/github/dev-settings.png)
-![GitHub create new OAuth application](../../../images/sso/github/new-app.png)
+    Create the OAuth application. As part of the form, set the **Homepage URL** to your self-hosted domain `https://your-domain.com`
+    and the **Authorization callback URL** to `https://your-domain.com/api/v1/sso/github`.
 
-Create the OAuth application. As part of the form, set the **Homepage URL** to your self-hosted domain `https://your-domain.com`
-and the **Authorization callback URL** to `https://your-domain.com/api/v1/sso/github`.
+    ![GitHub create new OAuth application form](../../../images/sso/github/new-app-form.png)
 
-![GitHub create new OAuth application form](../../../images/sso/github/new-app-form.png)
+    <Note>
+        If you have a GitHub organization, you can create an OAuth application under it
+        in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.
+    </Note>
+  </Step>
+  <Step title="Add your OAuth application credentials to Infisical">
+    Obtain the **Client ID** and generate a new **Client Secret** for your GitHub OAuth application.
 
-<Note>
-    If you have a GitHub organization, you can create an OAuth application under it
-    in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.
-</Note>
+    ![GCP obtain OAuth2 credentials](../../../images/sso/github/credentials.png)
 
-## Add your OAuth application credentials to Infisical
+    Back in your Infisical instance, make sure to set the following environment variables:
 
-Obtain the **Client ID** and generate a new **Client Secret** for your GitHub OAuth application.
-
-![GCP obtain OAuth2 credentials](../../../images/sso/github/credentials.png)
-
-Back in your Infisical instance, make sure to set the following environment variables:
-
-- `CLIENT_ID_GITHUB_LOGIN`: The **Client ID** of your GitHub OAuth application.
-- `CLIENT_SECRET_GITHUB_LOGIN`: The **Client Secret** of your GitHub OAuth application.
-- `JWT_PROVIDER_AUTH_SECRET`: A secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
-- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
-   
-Once added, restart your Infisical instance and log in with GitHub.
+    - `CLIENT_ID_GITHUB_LOGIN`: The **Client ID** of your GitHub OAuth application.
+    - `CLIENT_SECRET_GITHUB_LOGIN`: The **Client Secret** of your GitHub OAuth application.
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
+    - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+      
+    Once added, restart your Infisical instance and log in with GitHub.
+  </Step>
+</Steps>
 
 ## FAQ
 
@@ -45,7 +46,7 @@ Once added, restart your Infisical instance and log in with GitHub.
     It is likely that you have misconfigured your self-hosted instance of Infisical. You should:
 
     - Check that you have set the `CLIENT_ID_GITHUB_LOGIN`, `CLIENT_SECRET_GITHUB_LOGIN`, 
-    `JWT_PROVIDER_AUTH_SECRET`, and `SITE_URL` environment variables.
+    `AUTH_SECRET`, and `SITE_URL` environment variables.
     - Check that the **Authorization callback URL** specified in GitHub matches the `SITE_URL` environment variable.
     For example, if the former is `https://app.infisical.com/api/v1/sso/github` then the latter should be `https://app.infisical.com`.
   </Accordion>

docs/documentation/platform/sso/gitlab.mdx

@@ -5,38 +5,39 @@ description: "Configure GitLab SSO for Infisical"
 
 Using GitLab SSO on a self-hosted instance of Infisical requires configuring an OAuth application in GitLab and registering your instance with it.
 
-## Create an OAuth application in GitLab
+<Steps>
+  <Step title="Create an OAuth application in GitLab">
+    Navigate to your user Settings > Applications to create a new GitLab application.
 
-Navigate to your user Settings > Applications to create a new GitLab application.
+    ![sso gitlab config](/images/sso/gitlab/edit-profile.png) 
+    ![sso gitlab config](/images/sso/gitlab/new-app.png) 
 
-![sso gitlab config](/images/sso/gitlab/edit-profile.png) 
-![sso gitlab config](/images/sso/gitlab/new-app.png) 
+    Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/api/v1/sso/gitlab`.
+    Note that only `read_user` is required as part of the **Scopes** configuration.
 
-Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/api/v1/sso/gitlab`.
-Note that only `read_user` is required as part of the **Scopes** configuration.
+    ![sso gitlab config](/images/sso/gitlab/new-app-form.png) 
 
-![sso gitlab config](/images/sso/gitlab/new-app-form.png) 
+    <Note>
+        If you have a GitLab group, you can create an OAuth application under it
+        in your group Settings > Applications.
+    </Note>
+  </Step>
+  <Step title="Add your OAuth application credentials to Infisical">
+    Obtain the **Application ID** and **Secret** for your GitLab application.
 
-<Note>
-    If you have a GitLab group, you can create an OAuth application under it
-    in your group Settings > Applications.
-</Note>
+    ![sso gitlab config](/images/sso/gitlab/credentials.png) 
 
-## Add your OAuth application credentials to Infisical
+    Back in your Infisical instance, make sure to set the following environment variables:
 
-Obtain the **Application ID** and **Secret** for your GitLab application.
-
-![sso gitlab config](/images/sso/gitlab/credentials.png) 
-
-Back in your Infisical instance, make sure to set the following environment variables:
-
-- `CLIENT_ID_GITLAB_LOGIN`: The **Client ID** of your GitLab application.
-- `CLIENT_SECRET_GITLAB_LOGIN`: The **Secret** of your GitLab application.
-- (optional) `URL_GITLAB_LOGIN`: The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to `https://gitlab.com`.
-- `JWT_PROVIDER_AUTH_SECRET`: A secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
-- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
-   
-Once added, restart your Infisical instance and log in with GitLab.
+    - `CLIENT_ID_GITLAB_LOGIN`: The **Client ID** of your GitLab application.
+    - `CLIENT_SECRET_GITLAB_LOGIN`: The **Secret** of your GitLab application.
+    - (optional) `URL_GITLAB_LOGIN`: The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to `https://gitlab.com`.
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
+    - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+      
+    Once added, restart your Infisical instance and log in with GitLab.
+  </Step>
+</Steps>
 
 ## FAQ
 
@@ -45,7 +46,7 @@ Once added, restart your Infisical instance and log in with GitLab.
     It is likely that you have misconfigured your self-hosted instance of Infisical. You should:
 
     - Check that you have set the `CLIENT_ID_GITLAB_LOGIN`, `CLIENT_SECRET_GITLAB_LOGIN`, 
-    `JWT_PROVIDER_AUTH_SECRET`, and `SITE_URL` environment variables.
+    `AUTH_SECRET`, and `SITE_URL` environment variables.
     - Check that the **Redirect URI** specified in GitLab matches the `SITE_URL` environment variable.
     For example, if the former is `https://app.infisical.com/api/v1/sso/gitlab` then the latter should be `https://app.infisical.com`.
   </Accordion>

docs/documentation/platform/sso/google.mdx

@@ -5,31 +5,32 @@ description: "Configure Google SSO for Infisical"
 
 Using Google SSO on a self-hosted instance of Infisical requires configuring an OAuth2 application in GCP and registering your instance with it.
 
-## Create an OAuth2 application in GCP
+<Steps>
+  <Step title="Create an OAuth2 application in GCP">
+    Navigate to your project API & Services > Credentials to create a new OAuth2 application.
+        
+    ![GCP API services](../../../images/sso/google/api-services.png)
+    ![GCP create new OAuth2 application](../../../images/sso/google/new-app.png)
 
-Navigate to your project API & Services > Credentials to create a new OAuth2 application.
-    
-![GCP API services](../../../images/sso/google/api-services.png)
-![GCP create new OAuth2 application](../../../images/sso/google/new-app.png)
+    Create the application. As part of the form, add to **Authorized redirect URIs**: `https://your-domain.com/api/v1/sso/google`.
 
-Create the application. As part of the form, add to **Authorized redirect URIs**: `https://your-domain.com/api/v1/sso/google`.
+    ![GCP create new OAuth2 application form](../../../images/sso/google/new-app-form.png)
+  </Step>
+  <Step title="Add your OAuth2 application credentials to Infisical">
+    Obtain the **Client ID** and **Client Secret** for your GCP OAuth2 application.
 
-![GCP create new OAuth2 application form](../../../images/sso/google/new-app-form.png)
+    ![GCP obtain OAuth2 credentials](../../../images/sso/google/credentials.png)
+      
+    Back in your Infisical instance, make sure to set the following environment variables:
 
-## Add your OAuth2 application credentials to Infisical
-   
-Obtain the **Client ID** and **Client Secret** for your GCP OAuth2 application.
-
-![GCP obtain OAuth2 credentials](../../../images/sso/google/credentials.png)
-   
-Back in your Infisical instance, make sure to set the following environment variables:
-
-- `CLIENT_ID_GOOGLE_LOGIN`: The **Client ID** of your GCP OAuth2 application.
-- `CLIENT_SECRET_GOOGLE_LOGIN`: The **Client Secret** of your GCP OAuth2 application.
-- `JWT_PROVIDER_AUTH_SECRET`: A secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
-- `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
-   
-Once added, restart your Infisical instance and log in with Google
+    - `CLIENT_ID_GOOGLE_LOGIN`: The **Client ID** of your GCP OAuth2 application.
+    - `CLIENT_SECRET_GOOGLE_LOGIN`: The **Client Secret** of your GCP OAuth2 application.
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
+    - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+      
+    Once added, restart your Infisical instance and log in with Google
+  </Step>
+</Steps>
 
 ## FAQ
 
@@ -38,7 +39,7 @@ Once added, restart your Infisical instance and log in with Google
     It is likely that you have misconfigured your self-hosted instance of Infisical. You should:
 
     - Check that you have set the `CLIENT_ID_GOOGLE_LOGIN`, `CLIENT_SECRET_GOOGLE_LOGIN`, 
-    `JWT_PROVIDER_AUTH_SECRET`, and `SITE_URL` environment variables.
+    `AUTH_SECRET`, and `SITE_URL` environment variables.
     - Check that the **Authorized redirect URI** specified in GCP matches the `SITE_URL` environment variable.
     For example, if the former is `https://app.infisical.com/api/v1/sso/google` then the latter should be `https://app.infisical.com`.
   </Accordion>

docs/documentation/platform/sso/jumpcloud.mdx

@@ -10,73 +10,77 @@ description: "Configure JumpCloud SAML for Infisical SSO"
    then you should contact team@infisical.com to purchase an enterprise license to use it.
 </Info>
 
-1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
-   Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
+<Steps>
+   <Step title="Prepare the SAML SSO configuration in Infisical">
+      In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
 
-![JumpCloud SAML initial configuration](../../../images/sso/jumpcloud/init-config.png)
+      Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
 
-2. In the JumpCloud Admin Portal, navigate to User Authentication > SSO and create an application. If this is your first application, select **Get Started**;
-   if not, select **+Add New Application**
+      ![JumpCloud SAML initial configuration](../../../images/sso/jumpcloud/init-config.png)
+   </Step>
+   <Step title="Create a SAML application in JumpCloud">
+      2.1. In the JumpCloud Admin Portal, navigate to User Authentication > SSO and create an application. If this is your first application, select **Get Started**; if not, select **+Add New Application**
 
-![JumpCloud SAML new application](../../../images/sso/jumpcloud/new-application.png)
+      ![JumpCloud SAML new application](../../../images/sso/jumpcloud/new-application.png)
 
-3. Next, select **Custom SAML App** to open up the **New SSO** dialog.
+      2.2. Next, select **Custom SAML App** to open up the **New SSO** dialog.
 
-![JumpCloud custom SAML app](../../../images/sso/jumpcloud/custom-saml-app.png)
+      ![JumpCloud custom SAML app](../../../images/sso/jumpcloud/custom-saml-app.png)
 
-4. In the **General Info** tab, give the application a unique name like Infisical.
+      2.3. In the **General Info** tab, give the application a unique name like Infisical.
 
-![JumpCloud general info](../../../images/sso/jumpcloud/general-info.png)
+      ![JumpCloud general info](../../../images/sso/jumpcloud/general-info.png)
 
-5. In the **SSO** tab, set the **SP Entity ID** and **ACS URL** from step 1; set the **IdP Entity ID** to the same value as the **SP Entity ID**.
+      2.4. In the **SSO** tab, set the **SP Entity ID** and **ACS URL** from step 1; set the **IdP Entity ID** to the same value as the **SP Entity ID**.
 
-![JumpCloud edit basic config](../../../images/sso/jumpcloud/edit-basic-config.png)
+      ![JumpCloud edit basic config](../../../images/sso/jumpcloud/edit-basic-config.png)
 
-6. On the same tab, check the **Sign Assertion** checkbox and fill the **IDP URL** to something unique.
-   Copy the **IDP URL** to use when finishing configuring the JumpCloud SAML in Infisical.
+      2.5. On the same tab, check the **Sign Assertion** checkbox and fill the **IDP URL** to something unique.
+         Copy the **IDP URL** to use when finishing configuring the JumpCloud SAML in Infisical.
 
-![JumpCloud edit basic config 2](../../../images/sso/jumpcloud/edit-basic-config-2.png)
+      ![JumpCloud edit basic config 2](../../../images/sso/jumpcloud/edit-basic-config-2.png)
 
-7. On the same tab, in the **Attributes** section, configure the following map:
+      2.6. On the same tab, in the **Attributes** section, configure the following map:
 
-- `email -> email`
-- `firstName -> firstname`
-- `lastName -> lastname`
+      - `email -> email`
+      - `firstName -> firstname`
+      - `lastName -> lastname`
 
-![JumpCloud attribute statements](../../../images/sso/jumpcloud/attribute-statements.png)
+      ![JumpCloud attribute statements](../../../images/sso/jumpcloud/attribute-statements.png)
 
-Finally press activate to create the SAML application.
+      Finally press activate to create the SAML application.
 
-8. Next, select the newly created SAML application and select **Download certificate** under the **IDP Certificate Valid** dropdown
+      2.7. Next, select the newly created SAML application and select **Download certificate** under the **IDP Certificate Valid** dropdown
 
-![JumpCloud download certificate](../../../images/sso/jumpcloud/download-saml-certificate.png)
+      ![JumpCloud download certificate](../../../images/sso/jumpcloud/download-saml-certificate.png)
+   </Step>
+   <Step title="Finish configuring SAML in Infisical">
+      Back in Infisical, set the **IDP URL** from step 2.5 and the **IdP Entity ID** from step 2.4. Also, paste the certificate from the previous step.
 
-9. Back in Infisical, set the **IDP URL** from step 6 and the **IdP Entity ID** from step 5. Also, paste the certificate from the previous step.
+      ![JumpCloud IdP values](../../../images/sso/jumpcloud/idp-values.png)
 
-![JumpCloud IdP values](../../../images/sso/jumpcloud/idp-values.png)
+      <Note>
+         When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
+         CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
+         of the text area respectively.
+      </Note>
+   </Step>
+   <Step title="Assign users in JumpCloud to the application">
+      Back in JumpCloud, navigate to the **User Groups** tab and assign users to the newly created application.
 
-<Note>
-  When pasting the certificate into Infisical, you'll want to retain `-----BEGIN
-  CERTIFICATE-----` and `-----END CERTIFICATE-----` at the first and last line
-  of the text area respectively.
-</Note>
+      ![JumpCloud SAML assignment](../../../images/sso/jumpcloud/assignment.png)
+   </Step>
+   <Step title="Enable SAML SSO in Infisical">
+      Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via JumpCloud.
 
-10. Assignments
-
-Back in JumpCloud, navigate to the **User Groups** tab and assign users to the newly created application.
-
-![JumpCloud SAML assignment](../../../images/sso/jumpcloud/assignment.png)
-
-11. Return to Infisical and enable SAML SSO.
-
-Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via JumpCloud.
-
-![JumpCloud SAML assignment](../../../images/sso/jumpcloud/enable-saml.png)
+      ![JumpCloud SAML assignment](../../../images/sso/jumpcloud/enable-saml.png)
+   </Step>
+</Steps>
 
 <Note>
    If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
-   set the `JWT_PROVIDER_AUTH_SECRET` and `SITE_URL` environment variable for it to work:
+   set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
    
-   - `JWT_PROVIDER_AUTH_SECRET`: This is secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
+   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
    - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/documentation/platform/sso/okta.mdx

@@ -10,78 +10,80 @@ description: "Configure Okta SAML 2.0 for Infisical SSO"
    then you should contact team@infisical.com to purchase an enterprise license to use it.
 </Info>
 
-1. In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
-   Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
+<Steps>
+   <Step title="Prepare the SAML SSO configuration in Infisical">
+      In Infisical, head over to your organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      
+      Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
+      ![Okta SAML initial configuration](../../../images/sso/okta/init-config.png)
+   </Step>
+   <Step title="Create a SAML application in Okta">
+      In the Okta Admin Portal, select Applications > Applications from the navigation. On the Applications screen, select the **Create App Integration**
+      button.
 
-![Okta SAML initial configuration](../../../images/sso/okta/init-config.png)
+      ![SAML Okta create app integration](../../../images/sso/okta/create-app-integration.png)
+      
+      In the Create a New Application Integration dialog, select the **SAML 2.0** radio button:
 
-2. In the Okta Admin Portal, select Applications > Applications from the
-   navigation. On the Applications screen, select the **Create App Integration**
-   button.
+      ![SAML Okta create SAML 2.0 integration](../../../images/sso/okta/create-saml-app.png)
+      
+      On the General Settings screen, give the application a unique name like Infisical and select **Next**.
+      
+      ![SAML Okta create SAML 2.0 integration](../../../images/sso/okta/general-settings.png)
+      
+      On the Configure SAML screen, set the **Single sign-on URL** and **Audience URI (SP Entity ID)** from step 1.
 
-![SAML Okta create app integration](../../../images/sso/okta/create-app-integration.png)
+      ![SAML Okta configure IdP fields](../../../images/sso/okta/configure-saml.png)
+      
+      <Note>
+         If you're self-hosting Infisical, then you will want to replace
+         `https://app.infisical.com` with your own domain.
+      </Note>
+      
+      Also on the Configure SAML screen, configure the **Attribute Statements** to map:
 
-3. In the Create a New Application Integration dialog, select the **SAML 2.0** radio button:
+      - `id -> user.id`,
+      - `email -> user.email`,
+      - `firstName -> user.firstName`
+      - `lastName -> user.lastName`
 
-![SAML Okta create SAML 2.0 integration](../../../images/sso/okta/create-saml-app.png)
+      ![SAML Okta attribute statements](../../../images/sso/okta/attribute-statements.png)
 
-4. On the General Settings screen, give the application a unique name like Infisical and select **Next**.
+      Once configured, select **Next** to proceed to the Feedback screen and select **Finish**.
+   </Step>
+   <Step title="Retrieve Identity Provider (IdP) Information from Okta">
+      Once your application is created, select the **Sign On** tab for the app and select the **View Setup Instructions** button located on the right side of the screen:
 
-![SAML Okta create SAML 2.0 integration](../../../images/sso/okta/general-settings.png)
+      ![SAML Okta view setup instructions](../../../images/sso/okta/view-setup-instructions.png)
 
-5. On the Configure SAML screen, set the **Single sign-on URL** and **Audience URI (SP Entity ID)** from step 1.
+      Copy the **Identity Provider Single Sign-On URL**, the **Identity Provider Issuer**, and the **X.509 Certificate** to use when finishing configuring Okta SAML in Infisical.
 
-![SAML Okta configure IdP fields](../../../images/sso/okta/configure-saml.png)
+      ![SAML Okta IdP values](../../../images/sso/okta/idp-values.png)
+   </Step>
+   <Step title="Finish configuring SAML in Infisical">
+      Back in Infisical, set **Identity Provider Single Sign-On URL**, **Identity Provider Issuer**,
+      and **Certificate** to **X.509 Certificate** from step 3. Once you've done that, press **Update** to complete the required configuration.
 
-<Note>
-  If you're self-hosting Infisical, then you will want to replace
-  `https://app.infisical.com` with your own domain.
-</Note>
+      ![SAML Okta paste values into Infisical](../../../images/sso/okta/idp-values-2.png)
+   </Step>
+   <Step title="Assign users in Okta to the application">
+      Back in Okta, navigate to the **Assignments** tab and select **Assign**. You can assign access to the application on a user-by-user basis using the Assign to People option, or in-bulk using the Assign to Groups option.
 
-6. Also on the Configure SAML screen, configure the **Attribute Statements** to map:
+      ![SAML Okta assignment](../../../images/sso/okta/assignment.png)
 
-- `id -> user.id`,
-- `email -> user.email`,
-- `firstName -> user.firstName`
-- `lastName -> user.lastName`
+      At this point, you have configured everything you need within the context of the Okta Admin Portal.
+   </Step>
+   <Step title="Enable SAML SSO in Infisical">
+      Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Okta.
 
-![SAML Okta attribute statements](../../../images/sso/okta/attribute-statements.png)
-
-Once configured, select **Next** to proceed to the Feedback screen and select **Finish**.
-
-7. Get IdP values
-
-Once your application is created, select the **Sign On** tab for the app and select the **View Setup Instructions** button located on the right side of the screen:
-
-![SAML Okta view setup instructions](../../../images/sso/okta/view-setup-instructions.png)
-
-Copy the **Identity Provider Single Sign-On URL**, the **Identity Provider Issuer**, and the **X.509 Certificate** to use when finishing configuring Okta SAML in Infisical.
-
-![SAML Okta IdP values](../../../images/sso/okta/idp-values.png)
-
-Back in Infisical, set **Identity Provider Single Sign-On URL**, **Identity Provider Issuer**,
-and **Certificate** to **X.509 Certificate** from above. Once you've done that, press **Update** to complete the required configuration.
-
-![SAML Okta paste values into Infisical](../../../images/sso/okta/idp-values-2.png)
-
-8. Finally, navigate to the **Assignments** tab and select **Assign**
-
-You can assign access to the application on a user-by-user basis using the Assign to People option, or in-bulk using the Assign to Groups option.
-
-![SAML Okta assignment](../../../images/sso/okta/assignment.png)
-
-At this point, you have configured everything you need within the context of the Okta Admin Portal.
-
-9. Return to Infisical and enable SAML SSO.
-
-Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Okta.
-
-![SAML Okta assignment](../../../images/sso/okta/enable-saml.png)
+      ![SAML Okta assignment](../../../images/sso/okta/enable-saml.png)
+   </Step>
+</Steps>
 
 <Note>
    If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
-   set the `JWT_PROVIDER_AUTH_SECRET` and `SITE_URL` environment variable for it to work:
+   set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
    
-   - `JWT_PROVIDER_AUTH_SECRET`: This is secret key used for signing and verifying JWT. This could be a randomly-generated 256-bit hex string.
+   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
    - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/internals/components.mdx

@@ -25,6 +25,6 @@ The Web UI is the browser-based portal that connects to the Infisical API.
 
 Clients are any application or infrastructure that connecting to the Infisical API using one of the below methods:
 - Public API: Making API requests directly to the Infisical API.
-- Client SDK: A platform-specific library with method abstractions for working with secrets. Currently, there are two official SDKs: [Node SDK](https://github.com/Infisical/infisical-node) and [Python SDK](https://github.com/Infisical/infisical-python).
+- Client SDK: A platform-specific library with method abstractions for working with secrets. Currently, there are three official SDKs: [Node SDK](https://infisical.com/docs/sdks/languages/node), [Python SDK](https://infisical.com/docs/sdks/languages/python), and [Java SDK](https://infisical.com/docs/sdks/languages/java).
 - CLI: A terminal-based interface for interacting with the Infisical API.
 - Kubernetes Operator: This operator retrieves secrets from Infisical and securely store

docs/mint.json

@@ -159,10 +159,16 @@
           "pages": [
             "self-hosting/overview",
             "self-hosting/deployment-options/standalone-infisical",
+            "self-hosting/deployment-options/docker-compose",
             "self-hosting/deployment-options/kubernetes-helm",
             "self-hosting/deployment-options/aws-ec2",
-            "self-hosting/deployment-options/docker-compose",
-            "self-hosting/deployment-options/digital-ocean-marketplace"
+            "self-hosting/deployment-options/aws-lightsail",
+            "self-hosting/deployment-options/gcp-cloud-run",
+            "self-hosting/deployment-options/azure-app-services",
+            "self-hosting/deployment-options/azure-container-instances",
+            "self-hosting/deployment-options/digital-ocean-marketplace",
+            "self-hosting/deployment-options/fly.io",
+            "self-hosting/deployment-options/railway"
           ]
         },
         "self-hosting/configuration/envars",
@@ -442,13 +448,30 @@
       "pages": ["changelog/overview"]
     },
     {
-      "group": "Contributing",
+      "group": "",
       "pages": [
-        "contributing/overview",
-        "contributing/code-of-conduct",
-        "contributing/developing",
-        "contributing/pull-requests",
-        "contributing/faq"
+          {
+            "group": "Getting Started",
+            "pages": [
+              "contributing/getting-started/overview",
+              "contributing/getting-started/code-of-conduct",
+              "contributing/getting-started/pull-requests",
+              "contributing/getting-started/faq"
+    
+            ]
+          },
+        {
+          "group": "Contributing to platform",
+          "pages": [
+            "contributing/platform/developing"
+          ]
+        },
+        {
+            "group": "Contributing to SDK",
+            "pages": [
+              "contributing/sdk/developing"
+            ]
+          }
       ]
     }
   ],

docs/sdks/languages/go.mdx

@@ -5,5 +5,4 @@ icon: "golang"
 
 Coming soon.
 
-Follow this GitHub
-[issue](https://github.com/Infisical/infisical/issues/436) to stay updated.
+Star our GitHub repository to stay updated [cross-language SDK](https://github.com/Infisical/sdk) GitHub repository to stay updated.

docs/sdks/languages/java.mdx

@@ -3,7 +3,307 @@ title: "Java"
 icon: "java"
 ---
 
-Coming soon.
+If you're working with Java, the official [Infisical Java SDK](https://github.com/Infisical/sdk/tree/main/languages/java) package is the easiest way to fetch and work with secrets for your application.
 
-Follow this GitHub
-[issue](https://github.com/Infisical/infisical/issues/434) to stay updated.
+## Basic Usage
+
+```java
+package com.example.app;
+
+import com.infisical.sdk.InfisicalClient;
+import com.infisical.sdk.schema.*;
+
+public class Example {
+    public static void main(String[] args) {
+        // Create a new Infisical Client
+        ClientSettings settings = new ClientSettings();
+        settings.setClientID("MACHINE_IDENTITY_CLIENT_ID");
+        settings.setClientSecret("MACHINE_IDENTITY_CLIENT_SECRET");
+        settings.setCacheTTL(Long.valueOf(300)); // 300 seconds, 5 minutes
+
+        InfisicalClient client = new InfisicalClient(settings);
+
+        // Create the options for fetching the secret
+        GetSecretOptions options = new GetSecretOptions();
+        options.setSecretName("TEST");
+        options.setEnvironment("dev");
+        options.setProjectID("PROJECT_ID");
+
+        // Fetch the sercret with the provided options
+        GetSecretResponseSecret secret = client.getSecret(options);
+
+        // Print the value
+        System.out.println(secret.getSecretValue());
+
+        // Important to avoid memory leaks!
+        // If you intend to use the client throughout your entire application, you can omit this line.
+        client.close();
+    }
+}
+```
+
+This example demonstrates how to use the Infisical Java SDK in a Java application. The application retrieves a secret named `TEST` from the `dev` environment of the `PROJECT_ID` project.
+
+<Warning>
+    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+</Warning>
+
+# Installation
+
+The Infisical Java SDK is hosted on the GitHub Packages Apache Maven registry. Because of this you need to configure your environment properly so it's able to pull dependencies from the GitHub registry. Please check [this guide from GitHub](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry) on how to achieve this.
+
+Our package is [located here](https://github.com/Infisical/sdk/packages/2019741). Please follow the installation guide on the page.
+
+# Configuration
+
+Import the SDK and create a client instance with your [Machine Identity](/platform/identities/universal-auth).
+
+```java
+import com.infisical.sdk.InfisicalClient;
+import com.infisical.sdk.schema.*;
+
+public class App {
+    public static void main(String[] args) {
+
+        ClientSettings settings = new ClientSettings();
+        settings.setClientID("MACHINE_IDENTITY_CLIENT_ID");
+        settings.setClientSecret("MACHINE_IDENTITY_CLIENT_SECRET");
+
+        InfisicalClient client = new InfisicalClient(settings); // Your client!
+    }
+}
+```
+
+### ClientSettings methods
+
+<ParamField query="options" type="object">
+    <Expandable title="properties">
+        <ParamField query="setClientID()" type="string" optional>
+            Your machine identity client ID.
+        </ParamField>
+          <ParamField query="setClientSecret()" type="string" optional>
+            Your machine identity client secret.
+        </ParamField>
+
+         <ParamField query="setAccessToken()" type="string" optional>
+            An access token obtained from the machine identity login endpoint.
+        </ParamField>
+
+        <ParamField query="setCacheTTL()" type="number" default="300" optional>
+            Time-to-live (in seconds) for refreshing cached secrets.
+            If manually set to 0, caching will be disabled, this is not recommended.
+        </ParamField>
+
+        <ParamField query="setSiteURL()" type="string" default="https://app.infisical.com" optional>
+            Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### Caching
+
+To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTTL" option when creating the client.
+
+## Working with Secrets
+
+### client.listSecrets(options)
+
+```java
+ListSecretsOptions options = new ListSecretsOptions();
+options.setEnvironment("dev");
+options.setProjectID("PROJECT_ID");
+options.setPath("/foo/bar");
+options.setIncludeImports(false);
+
+SecretElement[] secrets = client.listSecrets(options);
+```
+
+Retrieve all secrets within the Infisical project and environment that client is connected to
+
+### Methods
+
+<ParamField query="Parameters" type="object">
+    <Expandable title="properties">
+        <ParamField query="setEnvironment()" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+
+        <ParamField query="setProjectID()" type="string">
+            The project ID where the secret lives in.
+        </ParamField>
+
+         <ParamField query="setPath()" type="string" optional>
+            The path from where secrets should be fetched from.
+        </ParamField>
+
+        <ParamField query="setAttachToProcessEnv()" type="boolean" default="false" optional>
+             Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `System.getenv("SECRET_NAME")`.
+        </ParamField>
+
+        <ParamField query="setIncludeImports()" type="boolean" default="false" optional>
+             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### client.getSecret(options)
+
+```java
+GetSecretOptions options = new GetSecretOptions();
+options.setSecretName("TEST");
+options.setEnvironment("dev");
+options.setProjectID("PROJECT_ID");
+
+GetSecretResponseSecret secret = client.getSecret(options);
+
+String secretValue = secret.getSecretValue();
+```
+
+Retrieve a secret from Infisical.
+
+By default, `getSecret()` fetches and returns a shared secret.
+
+### Methods
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="setSecretName()" type="string" required>
+            The key of the secret to retrieve.
+        </ParamField>
+        <ParamField query="setProjectID()" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="setEnvironment()" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="setPath()" type="string" optional>
+            The path from where secret should be fetched from.
+        </ParamField>
+        <ParamField query="setType()" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>
+
+### client.createSecret(options)
+
+```java
+CreateSecretOptions createOptions = new CreateSecretOptions();
+createOptions.setSecretName("NEW_SECRET");
+createOptions.setEnvironment("dev");
+createOptions.setProjectID("PROJECT_ID");
+createOptions.setSecretValue("SOME SECRET VALUE");
+createOptions.setPath("/"); // Default
+createOptions.setType("shared"); // Default
+
+CreateSecretResponseSecret newSecret = client.createSecret(createOptions);
+```
+
+Create a new secret in Infisical.
+
+### Methods
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="setSecretName()" type="string" required>
+            The key of the secret to create.
+        </ParamField>
+        <ParamField query="setSecretValue()" type="string" required>
+            The value of the secret.
+        </ParamField>
+        <ParamField query="setProjectID()" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="setEnvironment()" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="setPath()" type="string" optional>
+            The path from where secret should be created.
+        </ParamField>
+        <ParamField query="setType()" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>
+
+### client.updateSecret(options)
+
+```java
+UpdateSecretOptions options = new UpdateSecretOptions();
+
+options.setSecretName("SECRET_TO_UPDATE");
+options.setSecretValue("NEW SECRET VALUE");
+options.setEnvironment("dev");
+options.setProjectID("PROJECT_ID");
+options.setPath("/"); // Default
+options.setType("shared"); // Default
+
+UpdateSecretResponseSecret updatedSecret = client.updateSecret(options);
+```
+
+Update an existing secret in Infisical.
+
+### Methods
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="setSecretName()" type="string" required>
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="setSecretValue()" type="string" required>
+            The new value of the secret.
+        </ParamField>
+        <ParamField query="setProjectID()" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="setEnvironment()" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="setPath()" type="string" optional>
+            The path from where secret should be updated.
+        </ParamField>
+        <ParamField query="setType()" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>
+
+### client.deleteSecret(options)
+
+```java
+DeleteSecretOptions options = new DeleteSecretOptions();
+
+options.setSecretName("SECRET_TO_DELETE");
+options.setEnvironment("dev");
+options.setProjectID("PROJECT_ID");
+options.setPath("/"); // Default
+options.setType("shared"); // Default
+
+DeleteSecretResponseSecret deletedSecret = client.deleteSecret(options);
+```
+
+Delete a secret in Infisical.
+
+### Methods
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="setSecretName()" type="string">
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="setProjectID()" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="setEnvironment()" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="setPath()" type="string" optional>
+            The path from where secret should be deleted.
+        </ParamField>
+        <ParamField query="setType()" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>

docs/sdks/languages/node.mdx

@@ -3,205 +3,315 @@ title: "Node"
 icon: "node"
 ---
 
-If you're working with Node.js, the official [infisical-node](https://github.com/Infisical/infisical-node) package is the easiest way to fetch and work with secrets for your application.
+If you're working with Node.js, the official [infisical-node](https://github.com/Infisical/sdk/tree/main/languages/node) package is the easiest way to fetch and work with secrets for your application.
 
 ## Basic Usage
 
 ```js
 import express from "express";
-import InfisicalClient from "infisical-node";
+
+import { InfisicalClient, LogLevel } from "@infisical/sdk";
+
 const app = express();
+
 const PORT = 3000;
 
 const client = new InfisicalClient({
-  token: "YOUR_INFISICAL_TOKEN"
+    clientId: "YOUR_CLIENT_ID",
+    clientSecret: "YOUR_CLIENT_SECRET",
+    logLevel: LogLevel.Error
 });
 
 app.get("/", async (req, res) => {
-  // access value
-  const name = await client.getSecret("NAME");
-  res.send(`Hello! My name is: ${name.secretValue}`);
+    // access value
+
+    const name = await client.getSecret({
+        environment: "dev",
+        projectId: "PROJECT_ID",
+        path: "/",
+        type: "shared",
+        secretName: "NAME"
+    });
+
+    res.send(`Hello! My name is: ${name.secretValue}`);
 });
 
 app.listen(PORT, async () => {
-  console.log(`App listening on port ${PORT}`);
+    // initialize client
+
+    console.log(`App listening on port ${port}`);
 });
 ```
 
 This example demonstrates how to use the Infisical Node SDK with an Express application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.
 
 <Warning>
-  We do not recommend hardcoding your [Infisical
-  Token](/documentation/platform/token). Setting it as an environment
-  variable would be best.
+    We do not recommend hardcoding your [Machine Identity Tokens](/documentation/platform/identities/overview). Setting it as an environment variable
+    would be best.
 </Warning>
 
 ## Installation
 
-Run `npm` to add `infisical-node` to your project.
+Run `npm` to add `@infisical/sdk` to your project.
 
 ```console
-$ npm install infisical-node --save
+$ npm install @infisical/sdk
 ```
 
 ## Configuration
 
-Import the SDK and create a client instance with your [Infisical Token](/documentation/platform/token).
+Import the SDK and create a client instance with your [Machine Identity](/documentation/platform/identities/overview).
 
 <Tabs>
   <Tab title="ES6">
     ```js
-    import InfisicalClient from "infisical-node";
-    
+    import { InfisicalClient, LogLevel } from "@infisical/sdk";
+
     const client = new InfisicalClient({
-      token: "your_infisical_token"
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET",
+        logLevel: LogLevel.Error
     });
     ```
 
   </Tab>
   <Tab title="ES5">
     ```js
-    const InfisicalClient = require("infisical-node");
-    
+    const { InfisicalClient, LogLevel } = require("@infisical/sdk");
+
     const client = new InfisicalClient({
-      token: "your_infisical_token"
+        clientId: "YOUR_CLIENT_ID",
+        clientSecret: "YOUR_CLIENT_SECRET",
+        logLevel: LogLevel.Error
     });
     ````
-  </Tab>
 
+  </Tab>
 </Tabs>
 
 ### Parameters
 
 <ParamField query="options" type="object">
-  <Expandable title="properties">
-    <ParamField query="token" type="string" optional>
-      An [Infisical Token](/documentation/platform/token) scoped to a project
-      and environment
-    </ParamField>
-    <ParamField
-      query="siteURL"
-      type="string"
-      default="https://app.infisical.com"
-      optional
-    >
-      Your self-hosted absolute site URL including the protocol (e.g.
-      `https://app.infisical.com`)
-    </ParamField>
-    <ParamField query="cacheTTL" type="number" default="300" optional>
-      Time-to-live (in seconds) for refreshing cached secrets. Default: `300`.
-    </ParamField>
-    <ParamField query="debug" type="boolean" default="false" optional>
-      Whether or not debug mode is on
-    </ParamField>
-  </Expandable>
+    <Expandable title="properties">
+        <ParamField query="clientId" type="string" optional>
+            Your machine identity client ID.
+        </ParamField>
+          <ParamField query="clientSecret" type="string" optional>
+            Your machine identity client secret.
+        </ParamField>
+
+         <ParamField query="accessToken" type="string" optional>
+            An access token obtained from the machine identity login endpoint.
+        </ParamField>
+
+        <ParamField query="cacheTtl" type="number" default="300" optional>
+            Time-to-live (in seconds) for refreshing cached secrets.
+            If manually set to 0, caching will be disabled, this is not recommended.
+        </ParamField>
+
+        <ParamField query="siteUrl" type="string" default="https://app.infisical.com" optional>
+            Your self-hosted absolute site URL including the protocol (e.g. `https://app.infisical.com`)
+        </ParamField>
+        <ParamField query="logLevel" type="enum" default="Error" optional>
+            The level of logs you wish to log The logs are derived from Rust, as we have written our base SDK in Rust.
+        </ParamField>
+    </Expandable>
+
 </ParamField>
 
-## Caching
+### Caching
 
-The SDK caches every secret and updates it periodically based on the provided `cacheTTL`. For example, if `cacheTTL` of `300` is provided, then a secret will be refetched 5 minutes after the first fetch; if the fetch fails, the cached secret is returned.
-
-<Tip>
-  For optimal performance, we recommend creating a single instance of the Infisical client and exporting it to be used across your entire app to take advantage of caching benefits.
-</Tip>
+To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cacheTtl" option when creating the client.
 
 ## Working with Secrets
 
-### client.getAllSecrets()
+### client.listSecrets(options)
 
 ```js
-const secrets = await client.getAllSecrets();
+const secrets = await client.listSecrets({
+    environment: "dev",
+    projectId: "PROJECT_ID",
+    path: "/foo/bar/",
+    includeImports: false
+});
 ```
 
 Retrieve all secrets within the Infisical project and environment that client is connected to
 
-### client.getSecret(secretName, options)
+### Parameters
+
+<ParamField query="Parameters" type="object">
+    <Expandable title="properties">
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+          <ParamField query="projectId" type="string" required>
+            The project ID where the secret lives in. 
+        </ParamField>
+
+         <ParamField query="path" type="string" optional>
+            The path from where secrets should be fetched from.
+        </ParamField>
+
+        <ParamField query="attachToProcessEnv" type="boolean" default="false" optional>
+            Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `process.env["SECRET_NAME"]`.
+        </ParamField>
+
+        <ParamField query="includeImports" type="false" default="boolean" optional>
+             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### client.getSecret(options)
 
 ```js
-const secret = await client.getSecret("API_KEY");
-const value = secret.secretValue; // get its value
+const secret = await client.getSecret({
+    environment: "dev",
+    projectId: "PROJECT_ID",
+    secretName: "API_KEY",
+    path: "/",
+    type: "shared"
+});
 ```
 
 Retrieve a secret from Infisical.
 
-By default, `getSecret()` fetches and returns a personal secret. If not found, it returns a shared secret, or tries to retrieve the value from `process.env`. If a secret is fetched, `getSecret()` caches it to reduce excessive calls and re-fetches periodically based on the `cacheTTL` option (default is `300` seconds) when initializing the client — for more information, see the caching section.
+By default, `getSecret()` fetches and returns a shared secret.
 
 ### Parameters
 
-<ParamField query="secretName" type="string" required>
-  The key of the secret to retrieve
-</ParamField>
-<ParamField query="options" type="object" optional>
-  <Expandable title="properties">
-    <ParamField query="type" type="string" default="personal" optional>
-      The type of the secret. Valid options are "shared" or "personal"
-    </ParamField>
-  </Expandable>
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secretName" type="string" required>
+            The key of the secret to retrieve.
+        </ParamField>
+        <ParamField query="projectId" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be fetched from.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
 
-### client.createSecret(secretName, secretValue, options)
+### client.createSecret(options)
 
 ```js
-const newApiKey = await client.createSecret("API_KEY", "FOO");
+const newApiKey = await client.createSecret({
+    projectId: "PROJECT_ID",
+    environment: "dev",
+    secretName: "API_KEY",
+    secretValue: "SECRET VALUE",
+    path: "/",
+    type: "shared"
+});
 ```
 
 Create a new secret in Infisical.
 
-<ParamField query="secretName" type="string" required>
-  The key of the secret to create
-</ParamField>
-<ParamField query="secretName" type="string" required>
-  The value of the secret to create
-</ParamField>
-<ParamField query="options" type="object" default="object" optional>
-  <Expandable title="properties">
-    <ParamField query="type" type="string" default="shared" optional>
-      The type of the secret. Valid options are "shared" or "personal". A personal secret can only be created if a shared secret with the same name exists.
-    </ParamField>
-  </Expandable>
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secretName" type="string" required>
+            The key of the secret to create.
+        </ParamField>
+        <ParamField query="secretValue" type="string" required>
+            The value of the secret.
+        </ParamField>
+        <ParamField query="projectId" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be created.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
 
-### client.updateSecret(secretName, secretValue, options)
+### client.updateSecret(options)
 
 ```js
-const updatedApiKey = await client.updateSecret("API_KEY", "BAR");
+const updatedApiKey = await client.updateSecret({
+    secretName: "API_KEY",
+    secretValue: "NEW SECRET VALUE",
+    projectId: "PROJECT_ID",
+    environment: "dev",
+    path: "/",
+    type: "shared"
+});
 ```
 
 Update an existing secret in Infisical.
 
 ### Parameters
 
-<ParamField query="secretName" type="string" required>
-  The key of the secret to update
-</ParamField>
-<ParamField query="secretName" type="string" required>
-  The new value of the secret
-</ParamField>
-<ParamField query="options" type="object" default="object" optional>
-  <Expandable title="properties">
-    <ParamField query="type" type="string" default="shared" optional>
-      The type of the secret. Valid options are "shared" or "personal"
-    </ParamField>
-  </Expandable>
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secretName" type="string" required>
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="secretValue" type="string" required>
+            The new value of the secret.
+        </ParamField>
+        <ParamField query="projectId" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be updated.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
 
-### client.deleteSecret(secretName, options)
+### client.deleteSecret(options)
 
 ```js
-const deletedSecret = await client.deleteSecret("API_KEY");
+const deletedSecret = await client.deleteSecret({
+    secretName: "API_KEY",
+
+    environment: "dev",
+    projectId: "PROJECT_ID",
+    path: "/",
+
+    type: "shared"
+});
 ```
 
 Delete a secret in Infisical.
 
-<ParamField query="secretName" type="string" required>
-  The key of the secret to delete
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secretName" type="string">
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="projectId" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be deleted.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
-<ParamField query="options" type="object" default="object" optional>
-  <Expandable title="properties">
-    <ParamField query="type" type="string" default="shared" optional>
-      The type of the secret. Valid options are "shared" or "personal". Note that deleting a shared secret also deletes all associated personal secrets.
-    </ParamField>
-  </Expandable>
-</ParamField>
-
-

docs/sdks/languages/php.mdx

@@ -5,4 +5,4 @@ icon: "php"
 
 Coming soon.
 
-Follow this GitHub [issue](https://github.com/Infisical/infisical/issues/531) to stay updated.
+Star our GitHub repository to stay updated [cross-language SDK](https://github.com/Infisical/sdk) GitHub repository to stay updated.

docs/sdks/languages/python.mdx

@@ -3,31 +3,38 @@ title: "Python"
 icon: "python"
 ---
 
-If you're working with Python, the official [infisical-python](https://github.com/Infisical/infisical-python) package is the easiest way to fetch and work with secrets for your application.
+If you're working with Python, the official [infisical-python](https://github.com/Infisical/sdk/edit/main/crates/infisical-py) package is the easiest way to fetch and work with secrets for your application.
 
 ## Basic Usage
 
 ```py
 from flask import Flask
-from infisical import InfisicalClient
+from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions
 
 app = Flask(__name__)
 
-client = InfisicalClient(token="your_infisical_token")
+client = InfisicalClient(ClientSettings(
+    client_id="MACHINE_IDENTITY_CLIENT_ID",
+    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+))
 
 @app.route("/")
 def hello_world():
     # access value
-    name = client.get_secret("NAME")
+
+    name = client.getSecret(options=GetSecretOptions(
+       environment="dev",
+       project_id="PROJECT_ID",
+       secret_name="NAME"
+    ))
+
     return f"Hello! My name is: {name.secret_value}"
 ```
 
 This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.
 
 <Warning>
-  We do not recommend hardcoding your [Infisical
-  Token](/documentation/platform/token). Setting it as an environment
-  variable would be best.
+    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
 </Warning>
 
 ## Installation
@@ -35,135 +42,244 @@ This example demonstrates how to use the Infisical Python SDK with a Flask appli
 Run `pip` to add `infisical-python` to your project
 
 ```console
-$ pip install infisical
+$ pip install infisical-python
 ```
 
 Note: You need Python 3.7+.
 
 ## Configuration
 
-Import the SDK and create a client instance with your [Infisical Token](/documentation/platform/token).
+Import the SDK and create a client instance with your [Machine Identity](/api-reference/overview/authentication).
 
 ```py
-from infisical import InfisicalClient
+from infisical_client import ClientSettings, InfisicalClient
 
-client = InfisicalClient(token="your_infisical_token")
+client = InfisicalClient(ClientSettings(
+    client_id="MACHINE_IDENTITY_CLIENT_ID",
+    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
+))
 ```
 
 ### Parameters
 
-    <ParamField query="token" type="string" optional>
-      An [Infisical Token](/documentation/platform/token) scoped to a project
-      and environment
-    </ParamField>
-    <ParamField
-      query="site_url"
-      type="string"
-      default="https://app.infisical.com"
-      optional
-    >
-      Your self-hosted absolute site URL including the protocol (e.g.
-      `https://app.infisical.com`)
-    </ParamField>
-    <ParamField query="cache_ttl" type="number" default="300" optional>
-      Time-to-live (in seconds) for refreshing cached secrets. Default: `300`.
-    </ParamField>
-    <ParamField query="debug" type="boolean" default="false" optional>
-      Whether or not debug mode is on
-    </ParamField>
+<ParamField query="options" type="object">
+    <Expandable title="properties">
+        <ParamField query="client_id" type="string" optional>
+            Your Infisical Client ID.
+        </ParamField>
+        <ParamField query="client_secret" type="string" optional>
+            Your Infisical Client Secret.
+        </ParamField>
+        <ParamField query="access_token" type="string" optional>
+            If you want to directly pass an access token obtained from the authentication endpoints, you can do so.
+        </ParamField>
 
-## Caching
+        <ParamField query="cache_ttl" type="number" default="300" optional>
+            Time-to-live (in seconds) for refreshing cached secrets.
+            If manually set to 0, caching will be disabled, this is not recommended.
+        </ParamField>
 
-The SDK caches every secret and updates it periodically based on the provided `cache_ttl`. For example, if `cache_ttl` of `300` is provided, then a secret will be refetched 5 minutes after the first fetch; if the fetch fails, the cached secret is returned.
 
-<Tip>
-  For optimal performance, we recommend creating a single instance of the Infisical client and exporting it to be used across your entire app to take advantage of caching benefits.
-</Tip>
+        <ParamField
+        query="site_url"
+        type="string"
+        default="https://app.infisical.com"
+        optional
+        >
+        Your self-hosted absolute site URL including the protocol (e.g.
+        `https://app.infisical.com`)
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### Caching
+
+To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it's first fetched. Each time it's fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the "cache_ttl" option when creating the client.
 
 ## Working with Secrets
 
-### client.get_all_secrets()
+### client.listSecrets(options)
 
 ```py
-secrets = client.get_all_secrets()
+client.listSecrets(options=ListSecretsOptions(
+    environment="dev",
+    project_id="PROJECT_ID"
+))
 ```
 
 Retrieve all secrets within the Infisical project and environment that client is connected to
 
-### client.get_secret(secret_name, options)
+### Parameters
+
+<ParamField query="Parameters" type="object">
+    <Expandable title="properties">
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+          <ParamField query="project_id" type="string" required>
+            The project ID where the secret lives in. 
+        </ParamField>
+
+         <ParamField query="path" type="string" optional>
+            The path from where secrets should be fetched from.
+        </ParamField>
+
+        <ParamField query="attach_to_process_env" type="boolean" default="false" optional>
+            Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `process.env["SECRET_NAME"]`.
+        </ParamField>
+
+        <ParamField query="include_imports" type="boolean" default="false" optional>
+             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### client.getSecret(options)
 
 ```py
-secret = client.get_secret("API_KEY")
+secret = client.getSecret(options=GetSecretOptions(
+    environment="dev",
+    project_id="PROJECT_ID",
+    secret_name="API_KEY"
+))
 value = secret.secret_value # get its value
 ```
 
-By default, `get_secret()` fetches and returns a personal secret. If not found, it returns a shared secret, or tries to retrieve the value from `os.environ`. If a secret is fetched, `get_secret()` caches it to reduce excessive calls and re-fetches periodically based on the `cacheTTL` option (default is 300 seconds) when initializing the client — for more information, see the caching section.
+By default, `getSecret()` fetches and returns a shared secret. If not found, it returns a personal secret.
 
 ### Parameters
 
-<ParamField query="secret_name" type="string" required>
-  The key of the secret to retrieve
-</ParamField>
-<ParamField query="type" type="string" default="personal" optional>
-  The type of the secret. Valid options are "shared" or "personal"
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secret_name" type="string" required>
+            The key of the secret to retrieve
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="project_id" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be fetched from.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".
+        </ParamField>
+        <ParamField query="include_imports" type="boolean" default="false" optional>
+            Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+        </ParamField>
+    </Expandable>
 </ParamField>
 
-### client.create_secret(secret_name, secret_value, options)
+### client.createSecret(options)
 
 ```py
-new_api_key = client.create_secret("API_KEY", "FOO");
+api_key = client.createSecret(options=CreateSecretOptions(
+    secret_name="API_KEY",
+    secret_value="Some API Key",
+    environment="dev",
+    project_id="PROJECT_ID"
+))
 ```
 
 Create a new secret in Infisical.
 
 ### Parameters
 
-<ParamField query="secret_name" type="string" required>
-  The key of the secret to create
-</ParamField>
-<ParamField query="secret_value" type="string" required>
-  The value of the secret to create
-</ParamField>
-<ParamField query="type" type="string" default="shared" optional>
-  The type of the secret. Valid options are "shared" or "personal". A personal secret can only be created if a shared secret with the same name exists.
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secret_name" type="string" required>
+            The key of the secret to create.
+        </ParamField>
+        <ParamField query="secret_value" type="string" required>
+            The value of the secret.
+        </ParamField>
+        <ParamField query="project_id" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be created.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
 
-### client.update_secret(secret_name, secret_value, options)
+### client.updateSecret(options)
 
 ```py
-updated_api_key = client.update_secret("API_KEY", "BAR");
+client.updateSecret(options=UpdateSecretOptions(
+    secret_name="API_KEY",
+    secret_value="NEW_VALUE",
+    environment="dev",
+    project_id="PROJECT_ID"
+))
 ```
 
 Update an existing secret in Infisical.
 
 ### Parameters
 
-<ParamField query="secret_name" type="string" required>
-  The key of the secret to update
-</ParamField>
-<ParamField query="secret_value" type="string" required>
-  The new value of the secret
-</ParamField>
-<ParamField query="type" type="string" default="shared" optional>
-  The type of the secret. Valid options are "shared" or "personal"
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secret_name" type="string" required>
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="secret_value" type="string" required>
+            The new value of the secret.
+        </ParamField>
+        <ParamField query="project_id" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be updated.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
 
-### client.delete_secret(secret_name, options)
+### client.deleteSecret(options)
 
 ```py
-deleted_secret = client.delete_secret("API_KEY");
+client.deleteSecret(options=DeleteSecretOptions(
+    environment="dev",
+    project_id="PROJECT_ID",
+    secret_name="API_KEY"
+))
 ```
 
 Delete a secret in Infisical.
 
 ### Parameters
 
-<ParamField query="secret_name" type="string" required>
-  The key of the secret to delete
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="secret_name" type="string">
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="project_id" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="path" type="string" optional>
+            The path from where secret should be deleted.
+        </ParamField>
+        <ParamField query="type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
 </ParamField>
-<ParamField query="type" type="string" default="shared" optional>
-  The type of the secret. Valid options are "shared" or "personal"
-</ParamField>
-
-Follow this GitHub
-[issue](https://github.com/Infisical/infisical/issues/433) to stay updated.

docs/sdks/languages/ruby.mdx

@@ -5,5 +5,4 @@ icon: "gem"
 
 Coming soon.
 
-Follow this GitHub
-[issue](https://github.com/Infisical/infisical/issues/435) to stay updated.
+Star our GitHub repository to stay updated [cross-language SDK](https://github.com/Infisical/sdk) GitHub repository to stay updated.

docs/sdks/languages/rust.mdx

@@ -5,5 +5,4 @@ icon: "rust"
 
 Coming soon.
 
-Follow this GitHub
-[issue](https://github.com/Infisical/infisical/issues/437) to stay updated.
+Star our GitHub repository to stay updated [cross-language SDK](https://github.com/Infisical/sdk) GitHub repository to stay updated.

docs/sdks/overview.mdx

@@ -2,104 +2,52 @@
 title: "Introduction"
 ---
 
-From local development to production, Infisical SDKs provide the easiest way for your app to fetch back secrets from Infisical on demand. 
+From local development to production, Infisical SDKs provide the easiest way for your app to fetch back secrets from Infisical on demand.
 
-- Install and initialize a language-specific client SDK into your application
-- Provision the client scoped-access to a project and environment in Infisical
-- Fetch secrets on demand
+-   Install and initialize a language-specific client SDK into your application
+-   Provision the client scoped-access to a project and environment in Infisical
+-   Fetch secrets on demand
 
 <CardGroup cols={2}>
-  <Card
-    title="Node"
-    href="https://github.com/Infisical/infisical-node"
-    icon="node"
-    color="#68a063"
-  >
-    Manage secrets for your Node application on demand
-  </Card>
-  <Card 
-    href="https://github.com/Infisical/infisical-python" 
-    title="Python" 
-    icon="python" 
-    color="#4c8abe"
-    >
-    Manage secrets for your Python application on demand
-  </Card>
-  <Card 
-    href="/sdks/languages/java" 
-    title="Java" 
-    icon="java"
-    color="#e41f23"
->
-    Manage secrets for your Java application on demand
-  </Card>
-  <Card
-    href="/sdks/languages/ruby"
-    title="Ruby"
-    icon="gem"
-    color="#ac0d01"
-  >
-    Manage secrets for your Ruby application on demand
-  </Card>
-  <Card
-    href="/sdks/languages/go"
-    title="Golang"
-    icon="golang"
-    color="#00add8"
-  >
-    Manage secrets for your Go application on demand
-  </Card>
-  <Card
-    href="/sdks/languages/rust"
-    title="Rust"
-    icon="rust"
-    color="#cd412b"
-  >
-    Manage secrets for your Rust application on demand
-  </Card>
-  <Card
-    href="/sdks/languages/php"
-    title="PHP"
-    icon="php"
-    color="#787cb4"
-  >
-    Manage secrets for your PHP application on demand
-  </Card>
+    <Card title="Node" href="/sdks/languages/node" icon="node" color="#68a063">
+        Manage secrets for your Node application on demand
+    </Card>
+    <Card href="/sdks/languages/python" title="Python" icon="python" color="#4c8abe">
+        Manage secrets for your Python application on demand
+    </Card>
+    <Card href="/sdks/languages/java" title="Java" icon="java" color="#e41f23">
+        Manage secrets for your Java application on demand
+    </Card>
+    <Card href="/sdks/languages/ruby" title="Ruby" icon="gem" color="#ac0d01">
+        Manage secrets for your Ruby application on demand
+    </Card>
+    <Card href="/sdks/languages/go" title="Golang" icon="golang" color="#00add8">
+        Manage secrets for your Go application on demand
+    </Card>
+    <Card href="/sdks/languages/rust" title="Rust" icon="rust" color="#cd412b">
+        Manage secrets for your Rust application on demand
+    </Card>
+    <Card href="/sdks/languages/php" title="PHP" icon="php" color="#787cb4">
+        Manage secrets for your PHP application on demand
+    </Card>
 </CardGroup>
 
 ## FAQ
 
 <AccordionGroup>
-    <Accordion title="Are my secrets exposed in transit every time the SDK fetches them?">
-        No. Infisical uses end-to-end encryption which ensures that secrets are always encrypted in transit
-        and decrypted on the client side. In fact, not even the server can decrypt your secrets (unless 
-        that permission is explicitly granted from within the platform).
-
-        Check out the [security guide](/security/overview).
-    </Accordion>
     <Accordion title="Isn't it inefficient if my app makes a request every time it needs a secret?">
-        The client SDK caches every secret and implements a 5-minute waiting period before
-        re-requesting it. The waiting period can be controlled by setting the `cacheTTL` parameter at
-        the time of initializing the client.
+        The client SDK caches every secret and implements a 5-minute waiting period before re-requesting it. The waiting period can be controlled by
+        setting the `cacheTTL` parameter at the time of initializing the client.
+        
+        Note: The exact parameter name may differ depending on the language.
+    </Accordion>
+    <Accordion title="Can I attach the environment variables to my process environment?">
+        Yes you can! The client SDK provides a method to attach the secrets to your process environment. When using the `listSecrets()` method, you
+        can pass a `attachToProcessEnv` parameter, which tells the SDK to attach all the found secrets to your process environment.
+        
+        Note: The exact parameter name may differ depending on the language.
     </Accordion>
     <Accordion title="What if a request for a secret fails?">
-        The SDK caches every secret and falls back to the cached value if a request fails. If no cached
-        value ever-existed, the SDK falls back to whatever value is on `process.env`.
+        The SDK caches every secret and falls back to the cached value if a request fails. If no cached value is found, and the request fails, then the SDK throws an error.
     </Accordion>
-    <Accordion title="Can I still use process.env with the SDK?">
-        Yes. If no `token` parameter is passed in at the time of initializing the client or nothing is found when requesting for a secret,
-        then the SDK falls back to whatever value is on `process.env`.
-    </Accordion>
-    <Accordion title="What's the point if I still have to manage a token for the SDK?">
-        The token enables the SDK to authenticate with Infisical to fetch back your secrets.
-        Although the SDK requires you to pass in a token, it enables greater efficiency and security
-        than if you managed dozens of secrets yourself without it. Here're some benefits:
-
-        - You always pull in the right secrets because they're fetched on demand from a centralize source that is Infisical.
-        - You can use the Infisical which comes with tons of benefits like secret versioning, access controls, audit logs, etc.
-        - You now risk leaking one token that can be revoked instead of dozens of raw secrets.
-        
-        And much more.
-    </Accordion>
-    
-</AccordionGroup>
+</AccordionGroup>

docs/self-hosting/configuration/envars.mdx

@@ -18,15 +18,14 @@ Other environment variables are listed below to increase the functionality of yo
       Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
     </ParamField>
 
-<ParamField query="MONGO_URL" type="string" default="none" required>
-  *TLS based connection string is not yet supported
-</ParamField>
+    <ParamField query="MONGO_URL" type="string" default="none" required>
+      Mongo connection string. *TLS based connection string is not yet supported
+    </ParamField>
 
-<ParamField query="REDIS_URL" type="string" default="none" required>
-  Redis connection string
-</ParamField>
-
-</Tab>
+    <ParamField query="REDIS_URL" type="string" default="none" required>
+      Redis connection string
+    </ParamField>
+  </Tab>
   <Tab title="Email service">
     <Info>When email service is not configured, Infisical will have limited functionality</Info>
 

docs/self-hosting/deployment-options/aws-lightsail.mdx

@@ -0,0 +1,66 @@
+---
+title: "AWS Lightsail"
+description: "Deploy Infisical with AWS Lightsail"
+---
+
+Prerequisites:
+- Have an account with [Amazon Web Services (AWS)](https://aws.amazon.com/)
+
+<Steps>
+    <Step title="Create a container service in AWS Lightsail">
+        1.1. In AWS, navigate to the **Lightsail** service and press **Create container service** under the **Containers** tab.
+        ![AWS Lightsail](/images/self-hosting/deployment-options/aws-lightsail/awsl-select-lightsail.png)
+        
+        ![AWS Lightsail create container service](/images/self-hosting/deployment-options/aws-lightsail/awsl-create-container-service.png)
+        
+        1.2. In the **Container service location** section, select the AWS region that's closest to your infrastructure. 
+        
+        Afterwards, in the **Container service capacity** section, set the power level and scale to fit your needs; you may opt for the default setting
+        and adjust accordingly in the future.
+        
+        ![AWS Lightsail container service capacity](/images/self-hosting/deployment-options/aws-lightsail/awsl-create-container-service-capacity.png)
+        
+        1.3. In the **Set up your first deployment** section, select the **Specify a custom deployment** option. Give the container a friendly name like **infisical** and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the **Image** field; this will pull the image from Docker Hub.
+        
+        For example, in order to opt for Infisical `v0.43.4`, you would input: `infisical/infisical:v0.43.4`.
+        
+        ![AWS Lightsail container service deployment](/images/self-hosting/deployment-options/aws-lightsail/awsl-create-container-service-deployment.png)
+        
+        1.4. Running Infisical requires a few environment variables to be set for the container service.
+        At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+        which you can read more about [here](/self-hosting/configuration/envars).
+        
+        In the **Environment variables** section, fill in the required environment variables.
+        
+        <Note>
+            To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+        </Note>
+        
+        Also, under the **Open ports** section, add an entry for port `8080` and protocol `HTTP` since Infisical listens on port `8080`.
+
+        ![AWS Lightsail container service environment variables](/images/self-hosting/deployment-options/aws-lightsail/awsl-create-container-service-envars.png)
+        
+        1.5. In the **Public endpoint** section, select the container from the previous steps from the dropdown; this will make the container accessible over the public internet.
+        
+        ![AWS Lightsail container service public endpoint](/images/self-hosting/deployment-options/aws-lightsail/awsl-create-container-service-public-endpoint.png)
+        
+        1.6. Finally, in the **Identify your service** section, give the container service a unique name like infisical and press **Create container service**.
+        
+        ![AWS Lightsail container service summary](/images/self-hosting/deployment-options/aws-lightsail/awsl-create-container-service-summary.png)
+    </Step>
+    <Step title="Navigate to your deployed instance of Infisical">
+        On the newly-created container service page, wait for the **Status** to turn to **Running** and check out the **Public domain** of the container service; you can access your instance of Infisical by this URL.
+        
+        ![AWS Lightsail container service overview](/images/self-hosting/deployment-options/aws-lightsail/awsl-container-service-overview.png)
+    </Step>
+</Steps>
+
+<AccordionGroup>
+  <Accordion title="Do you have any recommendations for deploying Infisical with AWS Lightsail?">
+    Yes, here are a few that come to mind:
+    - In step 1.3, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+    instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+  
+    We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+  </Accordion>
+</AccordionGroup>

docs/self-hosting/deployment-options/azure-app-services.mdx

@@ -0,0 +1,71 @@
+---
+title: "Azure App Services"
+description: "Deploy Infisical with Azure App Service"
+---
+
+Prerequisites:
+    - Have an account with [Microsoft Azure](https://azure.microsoft.com/en-us)
+
+<Steps>
+    <Step title="Create a Web App in Azure App Services">
+        1.1. In Azure, navigate to the **App Services** solution and press **Create > Web App**.
+        
+        ![Azure app services](/images/self-hosting/deployment-options/azure-app-services/aas-select-app-services.png)
+        
+        ![Azure create app service](/images/self-hosting/deployment-options/azure-app-services/aas-create-app-service.png)
+        
+        1.2. In the **Basics** section, specify the **Subscription** and **Resource group** to manage the deployed resource.
+        
+        Also, give the container a friendly name like Infisical and specify a **Region** for it to be deployed to.
+        
+        ![Azure app service basics](/images/self-hosting/deployment-options/azure-app-services/aas-create-app-service-basics.png)
+        
+        1.3. In the **Docker** section, select the **Single Container** option under **Options** and specify **Docker Hub** as the image source
+        
+        Next, under the **Docker hub options** sub-section, select the **Public** option under **Access Type** and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the **Image and tag** field; this will pull the image from Docker Hub.
+        
+        For example, in order to opt for Infisical `v0.43.4`, you would input: `infisical/infisical:v0.43.4`.
+        
+        ![Azure app service docker](/images/self-hosting/deployment-options/azure-app-services/aas-create-app-service-docker.png)
+        
+        1.4. Finally, in the **Review + create** section, double check the information from the previous steps and press **Create** to create the Azure app service.
+        
+        ![Azure app service review](/images/self-hosting/deployment-options/azure-app-services/aas-create-app-service-review.png)
+        
+        1.5. Next, wait a minute or two on the deployment overview page for the app to be created. Once the deployment is complete, press **Go to resource**
+        to head to the **App Service dashboard** for the newly-created app.
+
+        ![Azure app service deployment complete](/images/self-hosting/deployment-options/azure-app-services/aas-app-service-deployment-complete.png)
+        
+        1.6. Running Infisical requires a few environment variables to be set for the Azure app service.
+        At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+        which you can read more about [here](/self-hosting/configuration/envars).
+
+        <Note>
+            To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+        </Note>
+        
+        Additionally, you must set the variable `WEBSITES_PORT=8080` since
+        Infisical listens on port `8080`.
+        
+        In the **Settings > Configuration** section of the newly-created app service, fill in the required environment variables.
+        
+        ![Azure app service deployment complete](/images/self-hosting/deployment-options/azure-app-services/aas-app-service-configuration.png)
+    </Step>
+    <Step title="Navigate to your deployed instance of Infisical">
+        In the **Overview** section, check out the **Default domain** for your instance of Infisical; you can visit the instance at this URL.
+
+        ![Azure app service deployment complete](/images/self-hosting/deployment-options/azure-app-services/aas-app-service-overview.png)
+    </Step>
+</Steps>
+
+<AccordionGroup>
+  <Accordion title="Do you have any recommendations for deploying Infisical with Azure App Services?">
+    Yes, here are a few that come to mind:
+    - In step 1.3, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+    instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+    - In step 1.2, we recommend selecting a **Region** option that is closest to your infrastructure/clients to reduce latency.
+  
+    We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+  </Accordion>
+</AccordionGroup>

docs/self-hosting/deployment-options/azure-container-instances.mdx

@@ -0,0 +1,88 @@
+---
+title: "Azure Container Instances"
+description: "Deploy Infisical with Azure Container Instances"
+---
+
+Prerequisites:
+- Have an account with [Microsoft Azure](https://azure.microsoft.com/en-us)
+
+<Note>
+    This brief goes over how to deploy an instance of Infisical with Azure Container Instances without TLS/SSL configuration.
+
+    There are various options for enabling TLS/SSL with Azure Container Instances more suitable for production including:
+    - [Enabling a TLS endpoint in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-ssl).
+    - [Enabling automatic HTTPS with Caddy in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-automatic-ssl).
+    - Using Azure Function Proxies, Application Gateway, etc.
+
+    For a simpler deployment experience with complete TLS/SSL setup, you may try [deploying Infisical with Azure App Services](/self-hosting/deployment-options/azure-app-services).
+</Note>
+
+<Steps>
+    <Step title="Create a container instance in Azure Container Instances">
+        1.1. In Azure, navigate to the **Container Instances** solution and press **Create**.
+        
+        ![Azure container instance](/images/self-hosting/deployment-options/azure-container-instances/aci-select-container-instances.png)
+        
+        ![Azure create container instance](/images/self-hosting/deployment-options/azure-container-instances/aci-create-container-instance.png)
+        
+        1.2. In the **Basics** section, specify the **Subscription** and **Resource group** to manage the deployed resource.
+        
+        Also, give the container a friendly name like Infisical and specify a **Region** for it to be deployed to.
+
+        ![Azure container instance basics](/images/self-hosting/deployment-options/azure-container-instances/aci-create-container-instance-basics-1.png)
+        
+        Next, select the **Public** option under **Image type** and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the **Image** field; this will pull the image from Docker Hub.
+        
+        For example, in order to opt for Infisical `v0.43.4`, you would input: `infisical/infisical:v0.43.4`.
+        
+        ![Azure container instance basics](/images/self-hosting/deployment-options/azure-container-instances/aci-create-container-instance-basics-2.png)
+        
+        <Note>
+            Depending on your use-case and requirements, you may find it helpful to further configure your Azure container instance.
+
+            For example, you may want to adjust the **Region** option to specify which region to deploy the container for your
+            instance of Infisical to minimize distance and therefore latency between the instance and your infrastructure.
+        </Note>
+        
+        1.3. In the **Networking** section, select the **Public** option under **Networking type**; this will make the container accessible over the public internet.
+        
+        Next, under the **Ports** section, add an entry for port `8080` and protocol `TCP` since Infisical listens on port `8080`.
+        
+        ![Azure container instance networking](/images/self-hosting/deployment-options/azure-container-instances/aci-create-container-instance-networking.png)
+        
+        1.4. Running Infisical requires a few environment variables to be set for the Azure container instance.
+        At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+        which you can read more about [here](/self-hosting/configuration/envars).
+        
+        In the **Advanced** section, fill in the required environment variables.
+        
+        <Note>
+            To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+        </Note>
+        
+        ![Azure container instance advanced](/images/self-hosting/deployment-options/azure-container-instances/aci-create-container-instance-advanced.png)
+        
+        1.5. Finally, in the **Review + create** section, double check the information from the previous steps and press **Create** to create the Azure container instance.
+
+        ![Azure container instance review](/images/self-hosting/deployment-options/azure-container-instances/aci-create-container-instance-review.png)
+    </Step>
+    <Step title="Navigate to your deployed instance of Infisical">
+        Head to the **Overview** page of the newly-created container instance to view its **IP address (Public)**; you can access your instance of Infisical by this IP address under the port `:8080`. 
+        
+        For example, in the image below, the IP address of the sample deployed container instance is `4.255.87.109`; the instance would be accessible in the browser by heading to `4.255.87.109:8080`.
+
+        ![Azure container instance overview](/images/self-hosting/deployment-options/azure-container-instances/aci-container-instance-overview.png)
+    </Step>
+</Steps>
+
+<AccordionGroup>
+  <Accordion title="Do you have any recommendations for deploying Infisical with Azure Container Instances?">
+    Yes, here are a few that come to mind:
+    - In step 1.2, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+    instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+    - In step 1.2, we recommend selecting a **Region** option that is closest to your infrastructure/clients to reduce latency.
+    - Enable TLS/SSL with Azure Container Instances. There are various options for doing so including [enabling a TLS endpoint in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-ssl), [enabling automatic HTTPS with Caddy in a sidecar container](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-automatic-ssl), and using Azure Function Proxies, Application Gateway, etc.
+  
+    We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+  </Accordion>
+</AccordionGroup>

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -1,51 +1,54 @@
 ---
 title: "Docker Compose"
-description: "Learn to install Infisical using our Docker Compose template"
+description: "Run Infisical with Docker Compose template"
 ---
 
-## Install Docker on your VM
+<Steps>
+  <Step title="Install Docker on your VM">
+    ```bash
+    # Example in ubuntu
+    apt-get update
+    apt-get upgrade
+    apt install docker-compose
+    ```
+  </Step>
+  <Step title="Download required files">
+    2.1. Run the command below to download the `.env` file template.
+    
+    ```bash
+    wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+    ```
+    
+    2.2. Run the command below to download the docker compose template.
+    
+    ```bash
+    wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml
+    ```
+    
+    2.3. Run the command below to download the `nginx` config file.
+    
+    ```bash
+    mkdir nginx && wget -O ./nginx/default.conf https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.dev.conf
+    ```
+  
+  </Step>
+  <Step title="Update the .env file">
+    Running Infisical requires a few environment variables to be set.
+    At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL` which you can read more about [here](/self-hosting/configuration/envars).
 
-```bash
-# Example in ubuntu
-apt-get update
-apt-get upgrade
-apt install docker-compose
-```
+    Tweak the `.env` accordingly.
 
-## Download the required files
+    ```bash
+    nano .env
+    ```
+  </Step>
+  <Step title="Start Infisical">
+    Finally, run the command below to get Infisical up and running (in detached mode).
 
-```bash
-# Download env file template
-wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+    ```bash
+    docker-compose -f docker-compose.yml up -d
+    ```
 
-# Download docker compose template
-wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml
-
-# Download nginx config
-mkdir nginx && wget -O ./nginx/default.conf https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.dev.conf
-```
-
-## Update .env file 
-Tweak the `.env` according to your preferences. Refer to the available [environment variables](/self-hosting/configuration/envars)
-
-```bash
-# update environment variables like mongo login
-nano .env
-```
-
-<Info>
-  Infisical assumes that you have configured HTTPS. If you didn't configure HTTPS, set `HTTPS_ENABLED` to `false` in the .env file to avoid frequent logouts.
-</Info>
-
-## Get the service up and running
-
-```bash
-# Start up services in detached mode
-docker-compose -f docker-compose.yml up -d
-```
-
-Your Infisical installation is complete and should be running on [http://localhost:80](http://localhost:80). Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to configure a firewall, SSL certificates, and implement any additional security measures.
-
-<Info>
-Once installation is complete, you will have to create the first account. No default account is provided.
-</Info>
+    Your Infisical installation is complete and should be running on port `80` or `http://localhost:80`.
+  </Step>
+</Steps>

docs/self-hosting/deployment-options/fly.io.mdx

@@ -1,63 +1,108 @@
 ---
 title: "Fly.io"
-description: "Learn to install Infisical on Fly.io"
+description: "Deploy Infisical with Fly.io"
 ---
 
-**Prerequisites**
-- Familiar with Fly.io deployment 
-- Logged in via fly CLI
+Prerequisites:
+- Have an account with [Fly.io](https://fly.io/)
+- Have installed the [Fly.io CLI](https://fly.io/docs/hands-on/install-flyctl/)
 
-#### 1. Make a copy of the deployment config
-To begin, you'll to make a copy of the following file on your local machine
+<Steps>
+  <Step title="Create an app with Fly.io">
+    In your terminal, run the following command from the source directory of your project to create a new Fly.io app
+    with a `fly.toml` configuration file:
+    
+    ```
+    fly launch
+    ```
+  </Step>
+  <Step title="Edit the fly.toml configuration file">
+    Add a **build** section to the `fly.toml` file to specify the [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical):
 
-```toml fly.toml 
-# fly.toml app configuration file generated for infisical on 2023-05-05T08:57:03-04:00
-#
-# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
-#
+    ```
+    [build]                                                                         
+    image = "infisical/infisical:v0.43.4"
+    ```
 
-app = "infisical"
-primary_region = "iad"
+    Afterwards, your `fly.toml` file should look similar to:
 
-[build]
-  image = "infisical/infisical:latest"
+    ```
+    app = "infisical"
+    primary_region = "lax"
 
-[env]
-  ENCRYPTION_KEY = <>
-  JWT_AUTH_SECRET = <>
-  JWT_REFRESH_SECRET = <>
-  JWT_SERVICE_SECRET = <>
-  JWT_SIGNUP_SECRET = <>
-  MONGO_URL = <>
+    [http_service]
+    internal_port = 8080
+    force_https = true
+    auto_stop_machines = true
+    auto_start_machines = true
+    min_machines_running = 0
+    processes = ["app"]
 
-[http_service]
-  internal_port = 8080
+    [[vm]]
+    cpu_kind = "shared"
+    cpus = 1
+    memory_mb = 1024
 
-```
+    [build]
+    image = "infisical/infisical:v0.43.4"
+    ```
+    
+    <Note>
+      Depending on your use-case and requirements, you may find it helpful to further configure your `fly.toml` file
+      with options [here](https://fly.io/docs/reference/configuration/).
 
-#### 2. Add environment variables
+      For example, you may want to adjust the `primary-region` option to specify which [region](https://fly.io/docs/reference/regions/) to create the new machine for your
+      instance of Infisical to minimize distance and therefore latency between the instance and your infrastructure.
+    </Note>
+    
+  </Step>
+  <Step title="Set secrets for your Fly.io app">
+    Running Infisical requires a few environment variables to be set on the Fly.io machine.
+    At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+    which you can read more about [here](/self-hosting/configuration/envars).
+    
+    For this step, we recommend setting the variables as Fly.io [app secrets](https://fly.io/docs/reference/secrets/) which 
+    are made available to the app as environment variables. You can set the variables either via the Fly.io CLI or project [dashboard](https://fly.io/dashboard).
+    
+    <Tabs>
+      <Tab title="CLI">
+        Run the following command (with each `VALUE` replaced) in the source directory of your project to set the required variables:
 
-Before we can deploy Infisical, we'll need to provide values for the keys under `[env]` config block. For each of the following keys
+        ```
+        flyctl secrets set ENCRYPTION_KEY=VALUE AUTH_SECRET=VALUE MONGO_URL=VALUE REDIS_URL=VALUE...
+        ```
+      </Tab>
+      <Tab title="Dashboard">
+        In Fly.io, head to your Project > Secrets and add the required variables.
 
-- `ENCRYPTION_KEY`
-- `JWT_AUTH_SECRET`
-- `JWT_REFRESH_SECRET`
-- `JWT_SERVICE_SECRET`
-- `JWT_SIGNUP_SECRET`
+        ![Fly.io deployment secrets](/images/self-hosting/deployment-options/flyio/flyio-secrets.png)
+      </Tab>
+    </Tabs>
+    
+    <Note>
+      To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+    </Note>
+  </Step>
+  <Step title="Deploy the Fly.io app">
+    Finally, run the following command in the source directory of your project to deploy your Infisical instance on Fly.io
+    with the updated `fly.toml` configuration file from step 2 and secrets from step 3:
 
-you will need to generate a random 16 byte hex string. This can can be generated with `openssl rand -hex 16`. 
+    ```
+    fly deploy
+    ```
+  </Step>
+</Steps>
 
+<AccordionGroup>
+  <Accordion title="Do you have any recommendations for deploying Infisical with Fly.io?">
+    Yes, here are a few that come to mind:
+    - In step 2, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+    instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+    - In step 2, we recommend selecting a `primary_region` option that is closest to your infrastructure/clients to reduce latency; a full list of regions supported by Fly.io can be found [here](https://fly.io/docs/reference/regions/).
+  
+    We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+  </Accordion>
+</AccordionGroup>
 
-Lastly, the `MONGO_URL` environment variable requires a document database connection URL. 
-You can obtain this URL by creating a document database using services such as [MongoDB](https://www.mongodb.com/), [AWS DocumentDB](https://aws.amazon.com/documentdb/), and others.
-
-#### 3. Deploy
-
-Run `fly launch` in the directory where you have the local version of config from step 1 and follow the instructions. 
-Once done, your very own instance of Infisical should be up and running on Fly.io.
-
-Please note that this version of Infisical requires at least 250MB of memory to operate smoothly.
-
-<Info>
-Once installation is complete, you will have to create the first account. No default account is provided.
-</Info>
+Resources:
+- [Fly.io documentation](https://fly.io/docs/)

docs/self-hosting/deployment-options/gcp-cloud-run.mdx

@@ -0,0 +1,67 @@
+---
+title: "GCP Cloud Run"
+description: "Deploy Infisical with GCP Cloud Run"
+---
+
+Prerequisites:
+- Have an account with [Google Cloud Platform (GCP)](https://cloud.google.com/)
+
+<Steps>
+    <Step title="Create a project in GCP">
+        In GCP, create a new project and give it a friendly name like Infisical.
+
+        ![GCP create project](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-create-project.png)
+
+        ![GCP create project](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-create-project-2.png)
+    </Step>
+    <Step title="Create a service in GCP Cloud Run">
+        2.1. Inside the GCP project, navigate to the **Cloud Run** product and create a new service.
+        
+        ![GCP Cloud Run](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-select-cloud-run.png)
+
+        ![GCP Cloud Run create service](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-create-service.png)
+        
+        2.2. In the service creation form, select the **Deploy one revision from an existing container image** option and fill in your intended [Infisical public Docker image](https://hub.docker.com/r/infisical/infisical) in the container image URL.
+
+        For example, in order to opt for Infisical `v0.43.4`, you would input: `docker.io/infisical/infisical:v0.43.4`.
+        
+        ![GCP Cloud Run create service docker image specification](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-create-service-docker-image.png)
+
+        2.3. Running Infisical requires a few environment variables to be set for the GCP Cloud Run service.
+        At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+        which you can read more about [here](/self-hosting/configuration/envars).
+        
+        For this step, fill in the required environment variables in the Edit Container > Variables & Secrets > Environment variables section.
+        
+        <Note>
+            To use more features like emailing and single sign-on, you can set additional configuration options [here](/self-hosting/configuration/envars).
+        </Note>
+
+        ![GCP Cloud Run create service environment variable specification](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-create-service-envars.png)
+
+        <Note>
+            Depending on your use-case and requirements, you may find it helpful to further configure your GCP Cloud Run service.
+
+            For example, you may want to adjust the **Region** option to specify which region to deploy the underlying container for your
+            instance of Infisical to minimize distance and therefore latency between the instance and your infrastructure.
+        </Note>
+
+        Finally, press **Create** to finish setting up the GCP Cloud Run service.
+    </Step>
+    <Step title="Navigate to your deployed instance of Infisical">
+        Head to the **Service details** of the newly-created service to view its URL; you can access your instance of Infisical by clicking on the URL.
+        
+        ![GCP Cloud Run service details](/images/self-hosting/deployment-options/gcp-cloud-run/gcp-cloud-run-service-details.png)
+    </Step>
+</Steps>
+
+<AccordionGroup>
+  <Accordion title="Do you have any recommendations for deploying Infisical with GCP Cloud Run?">
+    Yes, here are a few that come to mind:
+    - In step 2, we recommend pinning the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags)
+    instead of referring to the `latest` tag to avoid any unexpected version-to-version migration issues.
+    - In step 2, we recommend selecting a **Region** option that is closest to your infrastructure/clients to reduce latency.
+  
+    We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+  </Accordion>
+</AccordionGroup>

docs/self-hosting/deployment-options/kubernetes-helm.mdx

@@ -161,4 +161,3 @@ Once installation is complete, you will have to create the first account. No def
 
 ## Related blogs
 - [Set up Infisical in a development cluster](https://iamunnip.hashnode.dev/infisical-open-source-secretops-kubernetes-setup)
-- [Set up Infisical in AKS using ArgoCD + Helm and integrate with an application using kustomize](https://mrdevops.medium.com/infisical-open-source-secretops-apply-it-using-gitops-approach-245f57fcd67e)

docs/self-hosting/deployment-options/railway.mdx

@@ -0,0 +1,61 @@
+---
+title: "Railway"
+description: "Deploy Infisical with Railway"
+---
+
+Prerequisites:
+- Have an account with [Railway](https://railway.app/)
+
+<Steps>
+    <Step title="Deploy the Infisical template with Railway">
+        1.1. In Railway, create a new project and select **Deploy a template > Infisical**.
+        
+        ![Railway create project](/images/self-hosting/deployment-options/railway/railway-create-project.png)
+
+        ![Railway deploy template](/images/self-hosting/deployment-options/railway/railway-deploy-template.png)
+
+        ![Railway deploy template infisical](/images/self-hosting/deployment-options/railway/railway-deploy-template-infisical.png)
+        
+        ![Railway template overview](/images/self-hosting/deployment-options/railway/railway-template-overview.png)
+
+        1.2. At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+        which you can read more about [here](/self-hosting/configuration/envars).
+        
+        By default, the Infisical template on Railway pre-configures environment variables on each service in the deployment but requires you to supply two for the Redis and MongoDB services.
+        
+        On the MongoDB service, supply a value for the `MONGO_INITDB_ROOT_PASSWORD` variable.
+        
+        ![Railway template MongoDB configuration](/images/self-hosting/deployment-options/railway/railway-template-mongodb.png)
+        
+        On the Redis service, supply a value for the `REDIS_PASSWORD` variable.
+        
+        ![Railway template Redis configuration](/images/self-hosting/deployment-options/railway/railway-template-redis.png)
+        
+        ![Railway template Redis configuration](/images/self-hosting/deployment-options/railway/railway-template-redis.png)
+        
+        <Note>
+            To use more features like emailing and single sign-on, you can set additional configuration options on the Infisical service [here](/self-hosting/configuration/envars).
+        </Note>
+        
+        Finally, press **Deploy** to create the project and deploy the services within it.
+        
+        ![Railway template Infisical configuration](/images/self-hosting/deployment-options/railway/railway-template-infisical.png)
+        
+        ![Railway Infisical architecture](/images/self-hosting/deployment-options/railway/railway-infisical-architecture.png)
+    </Step>
+    <Step title="Navigate to your deployed instance of Infisical">
+        Head to the newly-created Infisical service to view its URL under Networking > Public Networking; you can access your instance of Infisical by clicking on the URL.
+        
+        ![Railway Infisical service](/images/self-hosting/deployment-options/railway/railway-infisical-service.png)
+    </Step>
+</Steps>
+
+<AccordionGroup>
+  <Accordion title="Do you have any recommendations for deploying Infisical with Railway?">
+    Yes, here are a few that come to mind:
+    - While the Infisical template on Railway uses the `latest` tag to get the latest version of Infisical, we recommend creating a Railway deployment that pins the Docker image to a specific [version of Infisical](https://hub.docker.com/r/infisical/infisical/tags) to avoid any unexpected version-to-version migration issues.
+    - We recommend selecting **Deployment region** options for your Railway service deployments to be closest to your infrastructure/clients to reduce latency.
+  
+    We're working on putting together a fuller list of deployment best practices as well as minimum resource configuration requirements for running Infisical so stay tuned!
+  </Accordion>
+</AccordionGroup>

docs/self-hosting/deployment-options/standalone-infisical.mdx

@@ -1,65 +1,49 @@
 ---
 title: "Docker"
-description: "Learn to install Infisical purely on docker"
+description: "Run Infisical with Docker"
 ---
 
-The Infisical standalone version combines all the essential components into a single container, making deployment and management more straightforward than other methods. 
+Prerequisites:
+- Basic knowledge of [Docker](https://www.docker.com/)
+- Have Docker installed on your system. If not, follow the installation guide [here](https://docs.docker.com/get-docker/).
 
-## Prerequisites
+<Steps>
+  <Step title="Pull the Infisical Docker image">
+    Run the following command in your terminal to pull the Infisical Docker image:
+    
+    ```
+    docker pull infisical/infisical:latest
+    ```
+  </Step>
+  <Step title="Start Infisical">
+    2.1. Running Infisical requires a few environment variables to be set.
+    At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
+    which you can read more about [here](/self-hosting/configuration/envars).
+    
+    Once you have added the required environment variables to your docker run command, execute it in your terminal to get Infisical up and running.
+    
+    For example:
 
-This guide assumes you have basic knowledge of Docker and have it installed on your system. If you don't have Docker installed, please follow the official installation guide [here](https://docs.docker.com/get-docker/).
+    ```bash
+    docker run -p 80:8080  \
+    -e ENCRYPTION_KEY=f40c9178624764ad85a6830b37ce239a \
+    -e AUTH_SECRET="q6LRi7c717a3DQ8JUxlWYkZpMhG4+RHLoFUVt3Bvo2U=" \
+    -e MONGO_URL="<>" \
+    infisical/infisical:latest
+    ```
+    
+    <Warning>
+      The above environment variable values are only to be used as an example and should not be used in production 
+    </Warning>
+    
+    2.2. Once the container is running, verify the installation by opening your web browser and navigating to `http://localhost:80`.
+  </Step>
+</Steps>
 
-#### System requirements
-To have a functional deployment, we recommended compute with **2GB of RAM** and **1 CPU**.
-However, depending on your usage, you may need to further scale up system resources to meet demand.
-
-## Pull the Infisical Docker image
-
-Open your terminal or command prompt and enter the following command to pull the Infisical Docker image:
-
-```
-docker pull infisical/infisical:latest
-```
-
-## Run with docker 
-To run Infisical, we'll need to configure the required configs listed below.
-Other configs can be found [here](../configuration/envars)
-
-<ParamField query="ENCRYPTION_KEY" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
-</ParamField>
-
-<ParamField query="AUTH_SECRET" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
-</ParamField>
-
-<ParamField query="MONGO_URL" type="string" default="none" required>
-  A MongoDB connection string. Can use any MongoDB PaaS such as Mongo Atlas, AWS Document DB, etc. 
-  *TLS based connection string is not yet supported
-</ParamField>
-
-<ParamField query="REDIS_URL" type="string" default="none">
-  Redis connection string. Only required if you plan to use web integrations or secret reminders.
-</ParamField>
-
-
-Once you have added the required environment variables to your docker run command, execute it in your terminal.
-
-```bash
-docker run -p 80:8080  \
--e ENCRYPTION_KEY=f40c9178624764ad85a6830b37ce239a \
--e AUTH_SECRET=5239fea3a4720c0e524f814a540e14a2 \
--e MONGO_URL="<>" \
-infisical/infisical:latest
-```
-
-<Warning>
-  The above environment variable values are only to be used as an example and should not be used in production 
-</Warning>
-
-## Verify the installation:
-Once the container is running, open a web browser and navigate to http://localhost:80. That's it! You have successfully installed the Infisical application using a single Docker image.
-
-<Info>
-Once installation is complete, you will have to create the first account. No default account is provided.
-</Info>
+<AccordionGroup>
+  <Accordion title="What are the system requirements for running Infisical?">
+    To have a functional deployment, we recommended compute with 2GB of RAM and 1 CPU.
+    
+    However, depending on your usage, you may need to further scale up system resources to meet demand.
+  </Accordion>
+</AccordionGroup>