Scaffolding LDAP MVP

Merge pull request #1304 from Infisical/add-project-config-flag-for-workspace
add project-config-dir flag for run command
2025-04-10 07:25:40 +00:00 · 2024-01-13 21:21:40 +07:00 · 2024-01-11 17:21:03 -05:00 · 2024-01-11 17:19:39 -05:00 · 2024-01-11 16:39:02 -05:00 · 2024-01-11 10:53:08 -08:00
307 changed files with 19272 additions and 3670 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -108,7 +108,7 @@ brews:
      zsh_completion.install "completions/infisical.zsh" => "_infisical"
      fish_completion.install "completions/infisical.fish"
      man1.install "manpages/infisical.1.gz"
-  - name: 'infisical@{{.Version}}'
+  - name: "infisical@{{.Version}}"
    tap:
      owner: Infisical
      name: homebrew-get-cli
@ -186,12 +186,14 @@ aurs:
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

-# dockers:
-#   - dockerfile: cli/docker/Dockerfile
-#     goos: linux
-#     goarch: amd64
-#     ids:
-#       - infisical
-#     image_templates:
-#       - "infisical/cli:{{ .Version }}"
-#       - "infisical/cli:latest"
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Version }}"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}"
+      - "infisical/cli:{{ .Major }}"
+      - "infisical/cli:latest"
--- a/README.md
+++ b/README.md
@ -129,7 +129,7 @@ Note that this security address should be used only for undisclosed vulnerabilit

 ## Contributing

-Whether it's big or small, we love contributions. Check out our guide to see how to [get started](https://infisical.com/docs/contributing/overview).
+Whether it's big or small, we love contributions. Check out our guide to see how to [get started](https://infisical.com/docs/contributing/getting-started).

 Not sure where to get started? You can:

--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -24,7 +24,7 @@
        "ajv": "^8.12.0",
        "argon2": "^0.30.3",
        "aws-sdk": "^2.1364.0",
-        "axios": "^1.3.5",
+        "axios": "^1.6.0",
        "axios-retry": "^3.4.0",
        "bcrypt": "^5.1.0",
        "bigint-conversion": "^2.4.0",
@ -56,11 +56,12 @@
        "passport-github": "^1.1.0",
        "passport-gitlab2": "^5.0.0",
        "passport-google-oauth20": "^2.0.0",
+        "passport-ldapauth": "^3.0.1",
        "pg": "^8.11.3",
        "pino": "^8.16.1",
        "pino-http": "^8.5.1",
        "posthog-node": "^2.6.0",
-        "probot": "^12.3.1",
+        "probot": "^12.3.3",
        "query-string": "^7.1.3",
        "rate-limit-mongo": "^2.3.2",
        "rimraf": "^3.0.2",
@ -5991,9 +5992,9 @@
      }
    },
    "node_modules/@octokit/webhooks": {
-      "version": "9.26.0",
-      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.0.tgz",
-      "integrity": "sha512-foZlsgrTDwAmD5j2Czn6ji10lbWjGDVsUxTIydjG9KTkAWKJrFapXJgO5SbGxRwfPd3OJdhK3nA2YPqVhxLXqA==",
+      "version": "9.26.3",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.3.tgz",
+      "integrity": "sha512-DLGk+gzeVq5oK89Bo601txYmyrelMQ7Fi5EnjHE0Xs8CWicy2xkmnJMKptKJrBJpstqbd/9oeDFi/Zj2pudBDQ==",
      "dependencies": {
        "@octokit/request-error": "^2.0.2",
        "@octokit/webhooks-methods": "^2.0.0",
@ -7413,6 +7414,14 @@
        "@types/node": "*"
      }
    },
+    "node_modules/@types/ldapjs": {
+      "version": "2.2.5",
+      "resolved": "https://registry.npmjs.org/@types/ldapjs/-/ldapjs-2.2.5.tgz",
+      "integrity": "sha512-Lv/nD6QDCmcT+V1vaTRnEKE8UgOilVv5pHcQuzkU1LcRe4mbHHuUo/KHi0LKrpdHhQY8FJzryF38fcVdeUIrzg==",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
    "node_modules/@types/libsodium-wrappers": {
      "version": "0.7.10",
      "resolved": "https://registry.npmjs.org/@types/libsodium-wrappers/-/libsodium-wrappers-0.7.10.tgz",
@ -7965,6 +7974,11 @@
        "node": ">=6.5"
      }
    },
+    "node_modules/abstract-logging": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/abstract-logging/-/abstract-logging-2.0.1.tgz",
+      "integrity": "sha512-2BjRTZxTPvheOvGbBslFSYOUkr+SjPtOnrLP33f+VIWLzezQpZcqVg7ja3L4dBXmzzgwT+a029jRx5PCi3JuiA=="
+    },
    "node_modules/accepts": {
      "version": "1.3.8",
      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
@ -8263,11 +8277,18 @@
      "integrity": "sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==",
      "dev": true
    },
+    "node_modules/asn1": {
+      "version": "0.2.6",
+      "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz",
+      "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      "dependencies": {
+        "safer-buffer": "~2.1.0"
+      }
+    },
    "node_modules/assert-plus": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz",
      "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==",
-      "dev": true,
      "engines": {
        "node": ">=0.8"
      }
@ -8325,9 +8346,9 @@
      }
    },
    "node_modules/axios": {
-      "version": "1.6.2",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz",
-      "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz",
+      "integrity": "sha512-EZ1DYihju9pwVB+jg67ogm+Tmqc6JmhamRN6I4Zt8DfZu5lbcQGw3ozH9lFejSJgs/ibaef3A9PMXPLeefFGJg==",
      "dependencies": {
        "follow-redirects": "^1.15.0",
        "form-data": "^4.0.0",
@ -8434,6 +8455,17 @@
        "@babel/core": "^7.0.0"
      }
    },
+    "node_modules/backoff": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/backoff/-/backoff-2.5.0.tgz",
+      "integrity": "sha512-wC5ihrnUXmR2douXmXLCe5O3zg3GKIyvRi/hi58a/XyRxVI+3/yM0PYueQOZXPXQ9pxBislYkw+sF9b7C/RuMA==",
+      "dependencies": {
+        "precond": "0.2"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
    "node_modules/balanced-match": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
@ -8497,6 +8529,11 @@
        "node": ">= 10.0.0"
      }
    },
+    "node_modules/bcryptjs": {
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
+      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
+    },
    "node_modules/before-after-hook": {
      "version": "2.2.3",
      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
@ -9120,8 +9157,7 @@
    "node_modules/core-util-is": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
-      "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==",
-      "dev": true
+      "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ=="
    },
    "node_modules/cors": {
      "version": "2.8.5",
@ -9976,7 +10012,6 @@
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz",
      "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==",
-      "dev": true,
      "engines": [
        "node >=0.6.0"
      ]
@ -11888,6 +11923,57 @@
        "node": ">=6"
      }
    },
+    "node_modules/ldap-filter": {
+      "version": "0.3.3",
+      "resolved": "https://registry.npmjs.org/ldap-filter/-/ldap-filter-0.3.3.tgz",
+      "integrity": "sha512-/tFkx5WIn4HuO+6w9lsfxq4FN3O+fDZeO9Mek8dCD8rTUpqzRa766BOBO7BcGkn3X86m5+cBm1/2S/Shzz7gMg==",
+      "dependencies": {
+        "assert-plus": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.8"
+      }
+    },
+    "node_modules/ldapauth-fork": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/ldapauth-fork/-/ldapauth-fork-5.0.5.tgz",
+      "integrity": "sha512-LWUk76+V4AOZbny/3HIPQtGPWZyA3SW2tRhsWIBi9imP22WJktKLHV1ofd8Jo/wY7Ve6vAT7FCI5mEn3blZTjw==",
+      "dependencies": {
+        "@types/ldapjs": "^2.2.2",
+        "bcryptjs": "^2.4.0",
+        "ldapjs": "^2.2.1",
+        "lru-cache": "^7.10.1"
+      },
+      "engines": {
+        "node": ">=0.8.0"
+      }
+    },
+    "node_modules/ldapauth-fork/node_modules/lru-cache": {
+      "version": "7.18.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz",
+      "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/ldapjs": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/ldapjs/-/ldapjs-2.3.3.tgz",
+      "integrity": "sha512-75QiiLJV/PQqtpH+HGls44dXweviFwQ6SiIK27EqzKQ5jU/7UFrl2E5nLdQ3IYRBzJ/AVFJI66u0MZ0uofKYwg==",
+      "dependencies": {
+        "abstract-logging": "^2.0.0",
+        "asn1": "^0.2.4",
+        "assert-plus": "^1.0.0",
+        "backoff": "^2.5.0",
+        "ldap-filter": "^0.3.3",
+        "once": "^1.4.0",
+        "vasync": "^2.2.0",
+        "verror": "^1.8.1"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
    "node_modules/leven": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/leven/-/leven-3.1.0.tgz",
@ -15657,6 +15743,18 @@
        "node": ">= 0.4.0"
      }
    },
+    "node_modules/passport-ldapauth": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/passport-ldapauth/-/passport-ldapauth-3.0.1.tgz",
+      "integrity": "sha512-TRRx3BHi8GC8MfCT9wmghjde/EGeKjll7zqHRRfGRxXbLcaDce2OftbQrFG7/AWaeFhR6zpZHtBQ/IkINdLVjQ==",
+      "dependencies": {
+        "ldapauth-fork": "^5.0.1",
+        "passport-strategy": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.8.0"
+      }
+    },
    "node_modules/passport-oauth2": {
      "version": "1.7.0",
      "resolved": "https://registry.npmjs.org/passport-oauth2/-/passport-oauth2-1.7.0.tgz",
@ -16270,6 +16368,14 @@
        "form-data": "^4.0.0"
      }
    },
+    "node_modules/precond": {
+      "version": "0.2.3",
+      "resolved": "https://registry.npmjs.org/precond/-/precond-0.2.3.tgz",
+      "integrity": "sha512-QCYG84SgGyGzqJ/vlMsxeXd/pgL/I94ixdNFyh1PusWmTCyVfPJjZ1K1jvHtsbfnXQs2TSkEP2fR7QiMZAnKFQ==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
    "node_modules/prelude-ls": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
@ -16306,9 +16412,9 @@
      }
    },
    "node_modules/probot": {
-      "version": "12.3.1",
-      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.1.tgz",
-      "integrity": "sha512-ECSgycmAC0ILEK6cOa+x3QPufP5JybsuohOFCYr3glQU5SkbmypZJE/Sfio9mxAFHK5LCXveIDsfZCxf6ck4JA==",
+      "version": "12.3.3",
+      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.3.tgz",
+      "integrity": "sha512-cdtKd+xISzi8sw6++BYBXleRknCA6hqUMoHj/sJqQBrjbNxQLhfeFCq9O2d0Z4eShsy5YFRR3MWwDKJ9uAE0CA==",
      "dependencies": {
        "@octokit/core": "^3.2.4",
        "@octokit/plugin-enterprise-compatibility": "^1.2.8",
@ -16317,7 +16423,7 @@
        "@octokit/plugin-retry": "^3.0.6",
        "@octokit/plugin-throttling": "^3.3.4",
        "@octokit/types": "^8.0.0",
-        "@octokit/webhooks": "^9.8.4",
+        "@octokit/webhooks": "^9.26.3",
        "@probot/get-private-key": "^1.1.0",
        "@probot/octokit-plugin-config": "^1.0.0",
        "@probot/pino": "^2.2.0",
@ -18354,11 +18460,21 @@
        "node": ">= 0.8"
      }
    },
+    "node_modules/vasync": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/vasync/-/vasync-2.2.1.tgz",
+      "integrity": "sha512-Hq72JaTpcTFdWiNA4Y22Amej2GH3BFmBaKPPlDZ4/oC8HNn2ISHLkFrJU4Ds8R3jcUi7oo5Y9jcMHKjES+N9wQ==",
+      "engines": [
+        "node >=0.6.0"
+      ],
+      "dependencies": {
+        "verror": "1.10.0"
+      }
+    },
    "node_modules/verror": {
      "version": "1.10.0",
      "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
      "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==",
-      "dev": true,
      "engines": [
        "node >=0.6.0"
      ],
@ -23392,9 +23508,9 @@
      }
    },
    "@octokit/webhooks": {
-      "version": "9.26.0",
-      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.0.tgz",
-      "integrity": "sha512-foZlsgrTDwAmD5j2Czn6ji10lbWjGDVsUxTIydjG9KTkAWKJrFapXJgO5SbGxRwfPd3OJdhK3nA2YPqVhxLXqA==",
+      "version": "9.26.3",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.26.3.tgz",
+      "integrity": "sha512-DLGk+gzeVq5oK89Bo601txYmyrelMQ7Fi5EnjHE0Xs8CWicy2xkmnJMKptKJrBJpstqbd/9oeDFi/Zj2pudBDQ==",
      "requires": {
        "@octokit/request-error": "^2.0.2",
        "@octokit/webhooks-methods": "^2.0.0",
@ -24541,6 +24657,14 @@
        "@types/node": "*"
      }
    },
+    "@types/ldapjs": {
+      "version": "2.2.5",
+      "resolved": "https://registry.npmjs.org/@types/ldapjs/-/ldapjs-2.2.5.tgz",
+      "integrity": "sha512-Lv/nD6QDCmcT+V1vaTRnEKE8UgOilVv5pHcQuzkU1LcRe4mbHHuUo/KHi0LKrpdHhQY8FJzryF38fcVdeUIrzg==",
+      "requires": {
+        "@types/node": "*"
+      }
+    },
    "@types/libsodium-wrappers": {
      "version": "0.7.10",
      "resolved": "https://registry.npmjs.org/@types/libsodium-wrappers/-/libsodium-wrappers-0.7.10.tgz",
@ -24984,6 +25108,11 @@
        "event-target-shim": "^5.0.0"
      }
    },
+    "abstract-logging": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/abstract-logging/-/abstract-logging-2.0.1.tgz",
+      "integrity": "sha512-2BjRTZxTPvheOvGbBslFSYOUkr+SjPtOnrLP33f+VIWLzezQpZcqVg7ja3L4dBXmzzgwT+a029jRx5PCi3JuiA=="
+    },
    "accepts": {
      "version": "1.3.8",
      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
@ -25204,11 +25333,18 @@
      "integrity": "sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==",
      "dev": true
    },
+    "asn1": {
+      "version": "0.2.6",
+      "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz",
+      "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      "requires": {
+        "safer-buffer": "~2.1.0"
+      }
+    },
    "assert-plus": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz",
-      "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==",
-      "dev": true
+      "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw=="
    },
    "asynckit": {
      "version": "0.4.0",
@ -25250,9 +25386,9 @@
      }
    },
    "axios": {
-      "version": "1.6.2",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz",
-      "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz",
+      "integrity": "sha512-EZ1DYihju9pwVB+jg67ogm+Tmqc6JmhamRN6I4Zt8DfZu5lbcQGw3ozH9lFejSJgs/ibaef3A9PMXPLeefFGJg==",
      "requires": {
        "follow-redirects": "^1.15.0",
        "form-data": "^4.0.0",
@ -25338,6 +25474,14 @@
        "babel-preset-current-node-syntax": "^1.0.0"
      }
    },
+    "backoff": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/backoff/-/backoff-2.5.0.tgz",
+      "integrity": "sha512-wC5ihrnUXmR2douXmXLCe5O3zg3GKIyvRi/hi58a/XyRxVI+3/yM0PYueQOZXPXQ9pxBislYkw+sF9b7C/RuMA==",
+      "requires": {
+        "precond": "0.2"
+      }
+    },
    "balanced-match": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
@ -25379,6 +25523,11 @@
        "node-addon-api": "^5.0.0"
      }
    },
+    "bcryptjs": {
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
+      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
+    },
    "before-after-hook": {
      "version": "2.2.3",
      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
@ -25832,8 +25981,7 @@
    "core-util-is": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
-      "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==",
-      "dev": true
+      "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ=="
    },
    "cors": {
      "version": "2.8.5",
@ -26470,8 +26618,7 @@
    "extsprintf": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz",
-      "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==",
-      "dev": true
+      "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g=="
    },
    "fast-copy": {
      "version": "3.0.1",
@ -27897,6 +28044,47 @@
      "integrity": "sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w==",
      "dev": true
    },
+    "ldap-filter": {
+      "version": "0.3.3",
+      "resolved": "https://registry.npmjs.org/ldap-filter/-/ldap-filter-0.3.3.tgz",
+      "integrity": "sha512-/tFkx5WIn4HuO+6w9lsfxq4FN3O+fDZeO9Mek8dCD8rTUpqzRa766BOBO7BcGkn3X86m5+cBm1/2S/Shzz7gMg==",
+      "requires": {
+        "assert-plus": "^1.0.0"
+      }
+    },
+    "ldapauth-fork": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/ldapauth-fork/-/ldapauth-fork-5.0.5.tgz",
+      "integrity": "sha512-LWUk76+V4AOZbny/3HIPQtGPWZyA3SW2tRhsWIBi9imP22WJktKLHV1ofd8Jo/wY7Ve6vAT7FCI5mEn3blZTjw==",
+      "requires": {
+        "@types/ldapjs": "^2.2.2",
+        "bcryptjs": "^2.4.0",
+        "ldapjs": "^2.2.1",
+        "lru-cache": "^7.10.1"
+      },
+      "dependencies": {
+        "lru-cache": {
+          "version": "7.18.3",
+          "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz",
+          "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA=="
+        }
+      }
+    },
+    "ldapjs": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/ldapjs/-/ldapjs-2.3.3.tgz",
+      "integrity": "sha512-75QiiLJV/PQqtpH+HGls44dXweviFwQ6SiIK27EqzKQ5jU/7UFrl2E5nLdQ3IYRBzJ/AVFJI66u0MZ0uofKYwg==",
+      "requires": {
+        "abstract-logging": "^2.0.0",
+        "asn1": "^0.2.4",
+        "assert-plus": "^1.0.0",
+        "backoff": "^2.5.0",
+        "ldap-filter": "^0.3.3",
+        "once": "^1.4.0",
+        "vasync": "^2.2.0",
+        "verror": "^1.8.1"
+      }
+    },
    "leven": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/leven/-/leven-3.1.0.tgz",
@ -30574,6 +30762,15 @@
        "passport-oauth2": "1.x.x"
      }
    },
+    "passport-ldapauth": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/passport-ldapauth/-/passport-ldapauth-3.0.1.tgz",
+      "integrity": "sha512-TRRx3BHi8GC8MfCT9wmghjde/EGeKjll7zqHRRfGRxXbLcaDce2OftbQrFG7/AWaeFhR6zpZHtBQ/IkINdLVjQ==",
+      "requires": {
+        "ldapauth-fork": "^5.0.1",
+        "passport-strategy": "^1.0.0"
+      }
+    },
    "passport-oauth2": {
      "version": "1.7.0",
      "resolved": "https://registry.npmjs.org/passport-oauth2/-/passport-oauth2-1.7.0.tgz",
@ -31013,6 +31210,11 @@
        }
      }
    },
+    "precond": {
+      "version": "0.2.3",
+      "resolved": "https://registry.npmjs.org/precond/-/precond-0.2.3.tgz",
+      "integrity": "sha512-QCYG84SgGyGzqJ/vlMsxeXd/pgL/I94ixdNFyh1PusWmTCyVfPJjZ1K1jvHtsbfnXQs2TSkEP2fR7QiMZAnKFQ=="
+    },
    "prelude-ls": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
@ -31039,9 +31241,9 @@
      }
    },
    "probot": {
-      "version": "12.3.1",
-      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.1.tgz",
-      "integrity": "sha512-ECSgycmAC0ILEK6cOa+x3QPufP5JybsuohOFCYr3glQU5SkbmypZJE/Sfio9mxAFHK5LCXveIDsfZCxf6ck4JA==",
+      "version": "12.3.3",
+      "resolved": "https://registry.npmjs.org/probot/-/probot-12.3.3.tgz",
+      "integrity": "sha512-cdtKd+xISzi8sw6++BYBXleRknCA6hqUMoHj/sJqQBrjbNxQLhfeFCq9O2d0Z4eShsy5YFRR3MWwDKJ9uAE0CA==",
      "requires": {
        "@octokit/core": "^3.2.4",
        "@octokit/plugin-enterprise-compatibility": "^1.2.8",
@ -31050,7 +31252,7 @@
        "@octokit/plugin-retry": "^3.0.6",
        "@octokit/plugin-throttling": "^3.3.4",
        "@octokit/types": "^8.0.0",
-        "@octokit/webhooks": "^9.8.4",
+        "@octokit/webhooks": "^9.26.3",
        "@probot/get-private-key": "^1.1.0",
        "@probot/octokit-plugin-config": "^1.0.0",
        "@probot/pino": "^2.2.0",
@ -32635,11 +32837,18 @@
      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg=="
    },
+    "vasync": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/vasync/-/vasync-2.2.1.tgz",
+      "integrity": "sha512-Hq72JaTpcTFdWiNA4Y22Amej2GH3BFmBaKPPlDZ4/oC8HNn2ISHLkFrJU4Ds8R3jcUi7oo5Y9jcMHKjES+N9wQ==",
+      "requires": {
+        "verror": "1.10.0"
+      }
+    },
    "verror": {
      "version": "1.10.0",
      "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
      "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==",
-      "dev": true,
      "requires": {
        "assert-plus": "^1.0.0",
        "core-util-is": "1.0.2",
--- a/backend/package.json
+++ b/backend/package.json
@ -15,7 +15,7 @@
    "ajv": "^8.12.0",
    "argon2": "^0.30.3",
    "aws-sdk": "^2.1364.0",
-    "axios": "^1.3.5",
+    "axios": "^1.6.0",
    "axios-retry": "^3.4.0",
    "bcrypt": "^5.1.0",
    "bigint-conversion": "^2.4.0",
@ -47,11 +47,12 @@
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
+    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
    "pino": "^8.16.1",
    "pino-http": "^8.5.1",
    "posthog-node": "^2.6.0",
-    "probot": "^12.3.1",
+    "probot": "^12.3.3",
    "query-string": "^7.1.3",
    "rate-limit-mongo": "^2.3.2",
    "rimraf": "^3.0.2",
--- a/backend/spec.json
+++ b/backend/spec.json
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
@ -1,5 +1,6 @@
 import * as authController from "./authController";
 import * as universalAuthController from "./universalAuthController";
+import * as ldapController from "./ldapController";
 import * as botController from "./botController";
 import * as integrationAuthController from "./integrationAuthController";
 import * as integrationController from "./integrationController";
@ -22,6 +23,7 @@ import * as adminController from "./adminController";
 export {
  authController,
  universalAuthController,
+  ldapController,
  botController,
  integrationAuthController,
  integrationController,
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -2,7 +2,7 @@ import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { standardRequest } from "../../config/request";
 import { getApps, getTeams, revokeAccess } from "../../integrations";
-import { Bot, IntegrationAuth, Workspace } from "../../models";
+import { Bot, IIntegrationAuth, Integration, IntegrationAuth, Workspace } from "../../models";
 import { EventType } from "../../ee/models";
 import { IntegrationService } from "../../services";
 import { EEAuditLogService } from "../../ee/services";
@ -130,7 +130,6 @@ export const oAuthExchange = async (req: Request, res: Response) => {
 export const saveIntegrationToken = async (req: Request, res: Response) => {
  // TODO: refactor
  // TODO: check if access token is valid for each integration
-  let integrationAuth;
  const {
    body: { workspaceId, integration, url, accessId, namespace, accessToken, refreshToken }
  } = await validateRequest(reqValidator.SaveIntegrationAccessTokenV1, req);
@ -152,31 +151,21 @@ export const saveIntegrationToken = async (req: Request, res: Response) => {

  if (!bot) throw new Error("Bot must be enabled to save integration access token");

-  integrationAuth = await IntegrationAuth.findOneAndUpdate(
-    {
-      workspace: new Types.ObjectId(workspaceId),
-      integration
-    },
-    {
-      workspace: new Types.ObjectId(workspaceId),
-      integration,
-      url,
-      namespace,
-      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8,
-      ...(integration === INTEGRATION_GCP_SECRET_MANAGER
-        ? {
-            metadata: {
-              authMethod: "serviceAccount"
-            }
+  let integrationAuth = await new IntegrationAuth({
+    workspace: new Types.ObjectId(workspaceId),
+    integration,
+    url,
+    namespace,
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8,
+    ...(integration === INTEGRATION_GCP_SECRET_MANAGER
+      ? {
+          metadata: {
+            authMethod: "serviceAccount"
          }
-        : {})
-    },
-    {
-      new: true,
-      upsert: true
-    }
-  );
+        }
+      : {})
+  }).save();

  // encrypt and save integration access details
  if (refreshToken) {
@ -188,12 +177,12 @@ export const saveIntegrationToken = async (req: Request, res: Response) => {

  // encrypt and save integration access details
  if (accessId || accessToken) {
-    integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+    integrationAuth = (await IntegrationService.setIntegrationAuthAccess({
      integrationAuthId: integrationAuth._id.toString(),
      accessId,
      accessToken,
      accessExpiresAt: undefined
-    });
+    })) as IIntegrationAuth;
  }

  if (!integrationAuth) throw new Error("Failed to save integration access token");
@ -1208,13 +1197,64 @@ export const getIntegrationAuthTeamCityBuildConfigs = async (req: Request, res:
  });
 };

+/**
+ * Delete all integration authorizations and integrations for workspace with id [workspaceId]
+ * with integration name [integration]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegrationAuths = async (req: Request, res: Response) => {
+  const {
+    query: { integration, workspaceId }
+  } = await validateRequest(reqValidator.DeleteIntegrationAuthsV1, req);
+
+  const { permission } = await getAuthDataProjectPermissions({
+    authData: req.authData,
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+  
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.Integrations
+  );
+  
+  const integrationAuths = await IntegrationAuth.deleteMany({
+    integration,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  const integrations = await Integration.deleteMany({
+    integration,
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UNAUTHORIZE_INTEGRATION,
+      metadata: {
+        integration
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
+  return res.status(200).send({
+    integrationAuths,
+    integrations
+  });
+}
+
 /**
 * Delete integration authorization with id [integrationAuthId]
 * @param req
 * @param res
 * @returns
 */
-export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+export const deleteIntegrationAuthById = async (req: Request, res: Response) => {
  const {
    params: { integrationAuthId }
  } = await validateRequest(reqValidator.DeleteIntegrationAuthV1, req);
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -251,6 +251,21 @@ export const deleteIntegration = async (req: Request, res: Response) => {
  });

  if (!deletedIntegration) throw new Error("Failed to find integration");
+ 
+  const numOtherIntegrationsUsingSameAuth = await Integration.countDocuments({
+    integrationAuth: deletedIntegration.integrationAuth,
+    _id: {
+      $nin: [deletedIntegration._id]
+    }
+  });
+  
+  if (numOtherIntegrationsUsingSameAuth === 0) {
+    // no other integrations are using the same integration auth
+    // -> delete integration auth associated with the integration being deleted
+    await IntegrationAuth.deleteOne({
+      _id: deletedIntegration.integrationAuth
+    });
+  }

  await EEAuditLogService.createAuditLog(
    req.authData,
--- a/backend/src/controllers/v1/ldapController.ts
+++ b/backend/src/controllers/v1/ldapController.ts
@ -0,0 +1,233 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { client, getSiteURL } from "../../config";
+import * as reqValidator from "../../validation/ldap";
+import { validateRequest } from "../../helpers/validation";
+import { getLdapConfigHelper } from "../../ee/helpers/organizations";
+import {
+  OrgPermissionActions,
+  OrgPermissionSubjects,
+  getAuthDataOrgPermissions
+} from "../../ee/services/RoleService";
+import { ForbiddenError } from "@casl/ability";
+import { LDAPConfig } from "../../ee/models";
+import { BotOrgService } from "../../services";
+
+/**
+ * Return appropriate SSO endpoint after successful authentication with LDAP
+ * to finish inputting their master key for logging in or signing up
+ * @param req
+ * @param res 
+ * @returns 
+ */
+export const redirectLDAP = async (req: Request, res: Response) => {
+    let nextUrl;
+    if (req.isUserCompleted) {
+        nextUrl = `${await getSiteURL()}/login/sso?token=${encodeURIComponent(req.providerAuthToken)}`;
+    } else {
+        nextUrl = `${await getSiteURL()}/signup/sso?token=${encodeURIComponent(req.providerAuthToken)}`
+    }
+
+    return res.status(200).send({
+        nextUrl
+    });
+}
+
+/**
+ * Return organization LDAP configuration
+ * @param req 
+ * @param res 
+ */
+export const getLDAPConfig = async (req: Request, res: Response) => {
+    const  {
+        query: { organizationId }
+    } = await validateRequest(reqValidator.GetLdapConfigv1, req);
+    
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: new Types.ObjectId(organizationId)
+    });
+      
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Read,
+        OrgPermissionSubjects.Sso
+    );
+    
+    const data = await getLdapConfigHelper({
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    return res.status(200).send(data);
+}
+
+/**
+ * Update organization LDAP configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateLDAPConfig = async (req: Request, res: Response) => {
+    const {
+        body: {
+            organizationId,
+            isActive,
+            url,
+            bindDN,
+            bindPass,
+            searchBase,
+            caCert
+        }
+    } = await validateRequest(reqValidator.UpdateLdapConfigv1, req);
+    
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: new Types.ObjectId(organizationId)
+    });
+    
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Edit,
+        OrgPermissionSubjects.Sso
+    );
+    
+    interface PatchUpdate {
+        isActive?: boolean;
+        url?: string;
+        encryptedBindDN?: string;
+        bindDNIV?: string;
+        bindDNTag?: string;
+        encryptedBindPass?: string;
+        bindPassIV?: string;
+        bindPassTag?: string;
+        searchBase?: string;
+        encryptedCACert?: string;
+        caCertIV?: string;
+        caCertTag?: string;
+    }
+    
+    const update: PatchUpdate = {};
+
+    if (url) {
+        update.url = url;
+    }
+
+    if (searchBase) {
+        update.searchBase = searchBase;
+    }
+    
+    if (isActive !== undefined) {
+        update.isActive = isActive;
+    }
+    
+    const key = await BotOrgService.getSymmetricKey(new Types.ObjectId(organizationId));
+
+    if (bindDN) {
+        const {
+            ciphertext: encryptedBindDN,
+            iv: bindDNIV,
+            tag: bindDNTag
+        } = client.encryptSymmetric(bindDN, key);
+        
+        update.encryptedBindDN = encryptedBindDN;
+        update.bindDNIV = bindDNIV;
+        update.bindDNTag = bindDNTag;
+    }
+
+    if (bindPass) {
+        const {
+            ciphertext: encryptedBindPass,
+            iv: bindPassIV,
+            tag: bindPassTag
+        } = client.encryptSymmetric(bindPass, key);
+        
+        update.encryptedBindPass = encryptedBindPass;
+        update.bindPassIV = bindPassIV;
+        update.bindPassTag = bindPassTag;
+    }
+    
+    if (caCert) {
+        const {
+            ciphertext: encryptedCACert,
+            iv: caCertIV,
+            tag: caCertTag
+        } = client.encryptSymmetric(caCert, key);
+        
+        update.encryptedCACert = encryptedCACert;
+        update.caCertIV = caCertIV;
+        update.caCertTag = caCertTag;
+    }
+
+    const ldapConfig = await LDAPConfig.findOneAndUpdate(
+        { organization: new Types.ObjectId(organizationId) },
+        update,
+        { new: true }
+    );
+
+    return res.status(200).send(ldapConfig);
+}
+
+/**
+ * Create organization LDAP configuration
+ * @param req 
+ * @param res 
+ */
+export const createLDAPConfig = async (req: Request, res: Response) => {
+    const {
+        body: {
+            organizationId,
+            isActive,
+            url,
+            bindDN,
+            bindPass,
+            searchBase,
+            caCert
+        }
+    } = await validateRequest(reqValidator.CreateLdapConfigv1, req);
+
+    const { permission } = await getAuthDataOrgPermissions({
+        authData: req.authData,
+        organizationId: new Types.ObjectId(organizationId)
+    });
+    
+    ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionActions.Create,
+        OrgPermissionSubjects.Sso
+    );
+    
+    const key = await BotOrgService.getSymmetricKey(new Types.ObjectId(organizationId));
+    
+    const {
+        ciphertext: encryptedBindDN,
+        iv: bindDNIV,
+        tag: bindDNTag
+    } = client.encryptSymmetric(bindDN, key);
+    
+    const {
+        ciphertext: encryptedBindPass,
+        iv: bindPassIV,
+        tag: bindPassTag
+    } = client.encryptSymmetric(bindPass, key);
+
+    const {
+        ciphertext: encryptedCACert,
+        iv: caCertIV,
+        tag: caCertTag
+    } = client.encryptSymmetric(caCert, key);
+    
+    const ldapConfig = await new LDAPConfig({
+        organization: new Types.ObjectId(organizationId),
+        isActive,
+        url,
+        encryptedBindDN,
+        bindDNIV,
+        bindDNTag,
+        encryptedBindPass,
+        bindPassIV,
+        bindPassTag,
+        searchBase,
+        encryptedCACert,
+        caCertIV,
+        caCertTag
+    }).save();
+
+    return res.status(200).send(ldapConfig);
+}
--- a/backend/src/controllers/v1/secretImpsController.ts
+++ b/backend/src/controllers/v1/secretImpsController.ts
@ -111,11 +111,17 @@ export const createSecretImp = async (req: Request, res: Response) => {
      authData: req.authData,
      workspaceId: new Types.ObjectId(workspaceId)
    });
-    
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath: directory })
    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment: secretImport.environment, secretPath: secretImport.secretPath })
+    );
+
  }

  const folders = await Folder.findOne({
@ -323,7 +329,7 @@ export const updateSecretImport = async (req: Request, res: Response) => {
      authData: req.authData,
      workspaceId: importSecDoc.workspace
    });
-    
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Secrets, {
@ -331,6 +337,13 @@ export const updateSecretImport = async (req: Request, res: Response) => {
        secretPath
      })
    );
+
+    secretImports.forEach(({ environment, secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    })
  }

  const orderBefore = importSecDoc.imports;
@ -453,7 +466,7 @@ export const deleteSecretImport = async (req: Request, res: Response) => {
      authData: req.authData,
      workspaceId: importSecDoc.workspace
    });
-    
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      subject(ProjectPermissionSub.Secrets, {
@ -620,7 +633,7 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
      authData: req.authData,
      workspaceId: new Types.ObjectId(workspaceId)
    });
-    
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, {
@ -677,7 +690,7 @@ export const getAllSecretsFromImport = async (req: Request, res: Response) => {
      authData: req.authData,
      workspaceId: importSecDoc.workspace
    });
-    
+
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, {
--- a/backend/src/controllers/v1/universalAuthController.ts
+++ b/backend/src/controllers/v1/universalAuthController.ts
@ -3,28 +3,28 @@ import { Types } from "mongoose";
 import jwt from "jsonwebtoken";
 import crypto from "crypto";
 import bcrypt from "bcrypt";
-import { 
-  IIdentity, 
-  IIdentityTrustedIp, 
-  IIdentityUniversalAuthClientSecret,
-  Identity,
-  IdentityAccessToken,
-  IdentityAuthMethod,
-  IdentityMembershipOrg,
-  IdentityUniversalAuth,
-  IdentityUniversalAuthClientSecret,
+import {
+    IIdentity,
+    IIdentityTrustedIp,
+    IIdentityUniversalAuthClientSecret,
+    Identity,
+    IdentityAccessToken,
+    IdentityAuthMethod,
+    IdentityMembershipOrg,
+    IdentityUniversalAuth,
+    IdentityUniversalAuthClientSecret,
 } from "../../models";
 import { createToken } from "../../helpers/auth";
 import { AuthTokenType } from "../../variables";
-import { 
-  BadRequestError, 
-  ForbiddenRequestError, 
-  ResourceNotFoundError,
-  UnauthorizedRequestError
+import {
+    BadRequestError,
+    ForbiddenRequestError,
+    ResourceNotFoundError,
+    UnauthorizedRequestError
 } from "../../utils/errors";
 import {
-  getAuthSecret,
-  getSaltRounds
+    getAuthSecret,
+    getSaltRounds
 } from "../../config";
 import { ActorType, EventType, IRole } from "../../ee/models";
 import { validateRequest } from "../../helpers/validation";
@ -32,12 +32,12 @@ import * as reqValidator from "../../validation/auth";
 import { checkIPAgainstBlocklist, extractIPDetails, isValidIpOrCidr } from "../../utils/ip";
 import { getUserAgentType } from "../../utils/posthog";
 import { EEAuditLogService, EELicenseService } from "../../ee/services";
-import { 
-  OrgPermissionActions, 
-  OrgPermissionSubjects, 
-  getAuthDataOrgPermissions, 
-  getOrgRolePermissions, 
-  isAtLeastAsPrivilegedOrg 
+import {
+    OrgPermissionActions,
+    OrgPermissionSubjects,
+    getAuthDataOrgPermissions,
+    getOrgRolePermissions,
+    isAtLeastAsPrivilegedOrg
 } from "../../ee/services/RoleService";
 import { ForbiddenError } from "@casl/ability";

@ -53,13 +53,59 @@ const packageUniversalAuthClientSecretData = (identityUniversalAuthClientSecret:
    createdAt: identityUniversalAuthClientSecret.createdAt,
    updatedAt: identityUniversalAuthClientSecret.updatedAt
 });
-  
+
 /**
 * Renews an access token by its TTL
 * @param req 
 * @param res 
 */
 export const renewAccessToken = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Renew access token'
+        #swagger.description = 'Renew access token'
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "accessToken": {
+                                "type": "string",
+                                "description": "Access token to renew",
+                                "example": "..."
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "accessToken": {
+                                "type": "string",
+                                "description": "(Same) Access token after successful renewal"
+                            },
+                            "expiresIn": {
+                                "type": "number",
+                                "description": "TTL of access token in seconds"
+                            },
+                            "tokenType": {
+                                "type": "string",
+                                "description": "Type of access token (e.g. Bearer)"
+                            }
+                        },
+                        "description": "Access token and its details"
+                    }
+                }
+            }
+        }
+    */
    const {
        body: {
            accessToken
@ -83,12 +129,14 @@ export const renewAccessToken = async (req: Request, res: Response) => {
        accessTokenTTL,
        accessTokenLastRenewedAt,
        accessTokenMaxTTL,
-        createdAt: accessTokenCreatedAt
+        createdAt: accessTokenCreatedAt,
+        accessTokenNumUses,
+        accessTokenNumUsesLimit
    } = identityAccessToken;

-    if (accessTokenTTL === accessTokenMaxTTL) throw UnauthorizedRequestError({
-        message: "Failed to renew non-renewable access token"
-    });
+    if (accessTokenNumUses >= accessTokenNumUsesLimit) {
+        throw BadRequestError({ message: "Unable to renew because access token number of uses limit reached" })
+    }

    // ttl check
    if (accessTokenTTL > 0) {
@ -141,6 +189,7 @@ export const renewAccessToken = async (req: Request, res: Response) => {
    return res.status(200).send({
        accessToken,
        expiresIn: identityAccessToken.accessTokenTTL,
+        accessTokenMaxTTL: identityAccessToken.accessTokenMaxTTL,
        tokenType: "Bearer"
    });
 }
@ -152,6 +201,57 @@ export const renewAccessToken = async (req: Request, res: Response) => {
 * @param res 
 */
 export const loginIdentityUniversalAuth = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Login with Universal Auth'
+        #swagger.description = 'Login with Universal Auth'
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "clientId": {
+                                "type": "string",
+                                "description": "Client ID for identity to login with Universal Auth",
+                                "example": "..."
+                            },
+                            "clientSecret": {
+                                "type": "string",
+                                "description": "Client Secret for identity to login with Universal Auth",
+                                "example": "..."
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "accessToken": {
+                                "type": "string",
+                                "description": "Access token issued after successful login"
+                            },
+                            "expiresIn": {
+                                "type": "number",
+                                "description": "TTL of access token in seconds"
+                            },
+                            "tokenType": {
+                                "type": "string",
+                                "description": "Type of access token (e.g. Bearer)"
+                            }
+                        },
+                        "description": "Access token and its details"
+                    }
+                }
+            }
+        }
+    */
    const {
        body: {
            clientId,
@ -162,7 +262,7 @@ export const loginIdentityUniversalAuth = async (req: Request, res: Response) =>
    const identityUniversalAuth = await IdentityUniversalAuth.findOne({
        clientId
    }).populate<{ identity: IIdentity }>("identity");
-    
+
    if (!identityUniversalAuth) throw UnauthorizedRequestError();

    checkIPAgainstBlocklist({
@ -237,16 +337,16 @@ export const loginIdentityUniversalAuth = async (req: Request, res: Response) =>

    // increment usage count by 1
    await IdentityUniversalAuthClientSecret
-    .findByIdAndUpdate(
-        validatedClientSecretDatum._id,
-        {
-            clientSecretLastUsedAt: new Date(),
-            $inc: { clientSecretNumUses: 1 }
-        },
-        {
-            new: true
-        }
-    );
+        .findByIdAndUpdate(
+            validatedClientSecretDatum._id,
+            {
+                clientSecretLastUsedAt: new Date(),
+                $inc: { clientSecretNumUses: 1 }
+            },
+            {
+                new: true
+            }
+        );

    const identityAccessToken = await new IdentityAccessToken({
        identity: identityUniversalAuth.identity,
@ -300,11 +400,110 @@ export const loginIdentityUniversalAuth = async (req: Request, res: Response) =>
    return res.status(200).send({
        accessToken,
        expiresIn: identityUniversalAuth.accessTokenTTL,
-        tokenType: "Bearer"
+        accessTokenMaxTTL: identityUniversalAuth.accessTokenMaxTTL,
+        tokenType: "Bearer",
    });
 }

-export const addIdentityUniversalAuth = async (req: Request, res: Response) => {
+/**
+ * Attach identity universal auth method onto identity with id [identityId]
+ * @param req 
+ * @param res 
+ */
+export const attachIdentityUniversalAuth = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Attach Universal Auth configuration onto identity'
+        #swagger.description = 'Attach Universal Auth configuration onto identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity to attach Universal Auth onto",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "clientSecretTrustedIps": {
+                                type: "array",
+                                items: {
+                                    type: "object",
+                                    "properties": {
+                                        "ipAddress": {
+                                            type: "string",
+                                            description: "IP address to trust",
+                                            default: "0.0.0.0/0"
+                                        }
+                                    }
+                                },
+                                "description": "List of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. By default, Client Secrets are given the 0.0.0.0/0 entry representing all possible IPv4 addresses.",
+                                "example": "...",
+                                "default": [{ ipAddress: "0.0.0.0/0" }]
+                            },
+                            "accessTokenTTL": {
+                                "type": "number",
+                                "description": "The incremental lifetime for an acccess token in seconds; a value of 0 implies an infinite incremental lifetime.",
+                                "example": "...",
+                                "default": 100
+                            },
+                            "accessTokenMaxTTL": {
+                                "type": "number",
+                                "description": "The maximum lifetime for an acccess token in seconds; a value of 0 implies an infinite maximum lifetime.",
+                                "example": "...",
+                                "default": 2592000
+                            },
+                            "accessTokenNumUsesLimit": {
+                                "type": "number",
+                                "description": "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
+                                "example": "...",
+                                "default": 0
+                            },
+                            "accessTokenTrustedIps": {
+                                type: "array",
+                                items: {
+                                    type: "object",
+                                    "properties": {
+                                        "ipAddress": {
+                                            type: "string",
+                                            description: "IP address to trust",
+                                            default: "0.0.0.0/0"
+                                        }
+                                    }
+                                },
+                                "description": "List of IPs or CIDR ranges that access tokens can be used from. By default, each token is given the 0.0.0.0/0 entry representing all possible IPv4 addresses.",
+                                "example": "...",
+                                "default": [{ ipAddress: "0.0.0.0/0" }]
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identityUniversalAuth": {
+                                $ref: '#/definitions/IdentityUniversalAuth'
+                            }
+                        },
+                        "description": "Details of attached Universal Auth"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId },
        body: {
@ -328,7 +527,7 @@ export const addIdentityUniversalAuth = async (req: Request, res: Response) => {
    if (!identityMembershipOrg) throw ResourceNotFoundError({
        message: `Failed to find identity with id ${identityId}`
    });
-    
+
    if (identityMembershipOrg.identity?.authMethod) throw BadRequestError({
        message: "Failed to add universal auth to already-configured identity"
    });
@ -351,7 +550,7 @@ export const addIdentityUniversalAuth = async (req: Request, res: Response) => {

    // validate trusted ips
    const reformattedClientSecretTrustedIps = clientSecretTrustedIps.map((clientSecretTrustedIp) => {
-        if (!plan.ipAllowlisting && clientSecretTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+        if (!plan.ipAllowlisting && (clientSecretTrustedIp.ipAddress !== "0.0.0.0/0" && clientSecretTrustedIp.ipAddress !== "::/0")) return res.status(400).send({
            message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
        });

@ -365,7 +564,7 @@ export const addIdentityUniversalAuth = async (req: Request, res: Response) => {
    });

    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
-        if (!plan.ipAllowlisting && accessTokenTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+        if (!plan.ipAllowlisting && (accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" && accessTokenTrustedIp.ipAddress !== "::/0")) return res.status(400).send({
            message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
        });

@ -377,7 +576,7 @@ export const addIdentityUniversalAuth = async (req: Request, res: Response) => {

        return extractIPDetails(accessTokenTrustedIp.ipAddress);
    });
-    
+
    const identityUniversalAuth = await new IdentityUniversalAuth({
        identity: identityMembershipOrg.identity._id,
        clientId: crypto.randomUUID(),
@ -387,7 +586,7 @@ export const addIdentityUniversalAuth = async (req: Request, res: Response) => {
        accessTokenNumUsesLimit,
        accessTokenTrustedIps: reformattedAccessTokenTrustedIps,
    }).save();
-    
+
    await Identity.findByIdAndUpdate(
        identityMembershipOrg.identity._id,
        {
@ -415,7 +614,98 @@ export const addIdentityUniversalAuth = async (req: Request, res: Response) => {
    });
 }

+/**
+ * Update identity universal auth method on identity with id [identityId]
+ * @param req 
+ * @param res 
+ */
 export const updateIdentityUniversalAuth = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Update Universal Auth configuration on identity'
+        #swagger.description = 'Update Universal Auth configuration on identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity to update Universal Auth on",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "clientSecretTrustedIps": {
+                                type: "array",
+                                items: {
+                                    type: "object",
+                                    "properties": {
+                                        "ipAddress": {
+                                            type: "string",
+                                            description: "IP address to trust"
+                                        }
+                                    }
+                                },
+                                "description": "List of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. By default, Client Secrets are given the 0.0.0.0/0 entry representing all possible IPv4 addresses.",
+                                "example": "...",
+                            },
+                            "accessTokenTTL": {
+                                "type": "number",
+                                "description": "The incremental lifetime for an acccess token in seconds; a value of 0 implies an infinite incremental lifetime.",
+                                "example": "...",
+                            },
+                            "accessTokenMaxTTL": {
+                                "type": "number",
+                                "description": "The maximum lifetime for an acccess token in seconds; a value of 0 implies an infinite maximum lifetime.",
+                                "example": "...",
+                            },
+                            "accessTokenNumUsesLimit": {
+                                "type": "number",
+                                "description": "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
+                                "example": "...",
+                            },
+                            "accessTokenTrustedIps": {
+                                type: "array",
+                                items: {
+                                    type: "object",
+                                    "properties": {
+                                        "ipAddress": {
+                                            type: "string",
+                                            description: "IP address to trust"
+                                        }
+                                    }
+                                },
+                                "description": "List of IPs or CIDR ranges that access tokens can be used from. By default, each token is given the 0.0.0.0/0 entry representing all possible IPv4 addresses.",
+                                "example": "...",
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identityUniversalAuth": {
+                                $ref: '#/definitions/IdentityUniversalAuth'
+                            }
+                        },
+                        "description": "Details of updated Universal Auth"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId },
        body: {
@ -439,7 +729,7 @@ export const updateIdentityUniversalAuth = async (req: Request, res: Response) =
    if (!identityMembershipOrg) throw ResourceNotFoundError({
        message: `Failed to find identity with id ${identityId}`
    });
-    
+
    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.UNIVERSAL_AUTH) throw BadRequestError({
        message: "Failed to add universal auth to already-configured identity"
    });
@ -460,7 +750,7 @@ export const updateIdentityUniversalAuth = async (req: Request, res: Response) =
    let reformattedClientSecretTrustedIps;
    if (clientSecretTrustedIps) {
        reformattedClientSecretTrustedIps = clientSecretTrustedIps.map((clientSecretTrustedIp) => {
-            if (!plan.ipAllowlisting && clientSecretTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+            if (!plan.ipAllowlisting && (clientSecretTrustedIp.ipAddress !== "0.0.0.0/0" && clientSecretTrustedIp.ipAddress !== "::/0")) return res.status(400).send({
                message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
            });

@ -477,7 +767,7 @@ export const updateIdentityUniversalAuth = async (req: Request, res: Response) =
    let reformattedAccessTokenTrustedIps;
    if (accessTokenTrustedIps) {
        reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
-            if (!plan.ipAllowlisting && accessTokenTrustedIp.ipAddress !== "0.0.0.0/0") return res.status(400).send({
+            if (!plan.ipAllowlisting && (accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" && accessTokenTrustedIp.ipAddress !== "::/0")) return res.status(400).send({
                message: "Failed to add IP access range to service token due to plan restriction. Upgrade plan to add IP access range."
            });

@ -490,7 +780,7 @@ export const updateIdentityUniversalAuth = async (req: Request, res: Response) =
            return extractIPDetails(accessTokenTrustedIp.ipAddress);
        });
    }
-    
+
    const identityUniversalAuth = await IdentityUniversalAuth.findOneAndUpdate(
        {
            identity: identityMembershipOrg.identity._id,
@ -527,11 +817,47 @@ export const updateIdentityUniversalAuth = async (req: Request, res: Response) =
    });
 }

+/**
+ * Return identity universal auth method on identity with id [identityId]
+ * @param req 
+ * @param res 
+ */
 export const getIdentityUniversalAuth = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Retrieve Universal Auth configuration on identity'
+        #swagger.description = 'Retrieve Universal Auth configuration on identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity to retrieve Universal Auth on",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identityUniversalAuth": {
+                                $ref: '#/definitions/IdentityUniversalAuth'
+                            }
+                        },
+                        "description": "Details of retrieved Universal Auth"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId }
    } = await validateRequest(reqValidator.GetUniversalAuthForIdentityV1, req);
-    
+
    const identityMembershipOrg = await IdentityMembershipOrg
        .findOne({
            identity: new Types.ObjectId(identityId)
@ -558,7 +884,7 @@ export const getIdentityUniversalAuth = async (req: Request, res: Response) => {
    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.UNIVERSAL_AUTH) throw BadRequestError({
        message: "The identity does not have universal auth configured"
    });
-    
+
    const identityUniversalAuth = await IdentityUniversalAuth.findOne({
        identity: identityMembershipOrg.identity._id,
    });
@ -578,7 +904,77 @@ export const getIdentityUniversalAuth = async (req: Request, res: Response) => {
    });
 }

+
+/**
+ * Create client secret for identity universal auth method on identity with id [identityId]
+ * @param req 
+ * @param res 
+ */
 export const createUniversalAuthClientSecret = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Create Universal Auth Client Secret for identity'
+        #swagger.description = 'Create Universal Auth Client Secret for identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity to create Universal Auth Client Secret for",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "description": {
+                                "type": "string",
+                                "description": "A description for the Client Secret to create.",
+                                "example": "..."
+                            },
+                            "ttl": {
+                                "type": "number",
+                                "description": "The time-to-live for the Client Secret to create. By default, the TTL will be set to 0 which implies that the Client Secret will never expire; a value of 0 implies an infinite lifetime.",
+                                "example": "...",
+                                "default": 0
+                            },
+                            "numUsesLimit": {
+                                "type": "number",
+                                "description": "The maximum number of times that the Client Secret can be used together with the Client ID to get back an access token; a value of 0 implies infinite number of uses.",
+                                "example": "...",
+                                "default": 0
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "clientSecret": {
+                                "type": "string",
+                                "description": "The created Client Secret"
+                            },
+                            "clientSecretData": {
+                                $ref: '#/definitions/IdentityUniversalAuthClientSecretData'
+                            }
+                        },
+                        "description": "Details of the created Client Secret"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId },
        body: {
@ -625,11 +1021,11 @@ export const createUniversalAuthClientSecret = async (req: Request, res: Respons

    const clientSecret = crypto.randomBytes(32).toString("hex");
    const clientSecretHash = await bcrypt.hash(clientSecret, await getSaltRounds());
-    
+
    const identityUniversalAuth = await IdentityUniversalAuth.findOne({
        identity: identityMembershipOrg.identity._id
    });
-    
+
    if (!identityUniversalAuth) throw ResourceNotFoundError();

    const identityUniversalAuthClientSecret = await new IdentityUniversalAuthClientSecret({
@ -661,11 +1057,50 @@ export const createUniversalAuthClientSecret = async (req: Request, res: Respons
    });
 }

-export const getUniversalAuthClientSecrets = async (req: Request, res: Response) => {
+/**
+ * Return list of client secret details for identity universal auth method on identity with id [identityId]
+ * @param req 
+ * @param res 
+ */
+export const getUniversalAuthClientSecretsDetails = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'List Universal Auth Client Secrets for identity'
+        #swagger.description = 'List Universal Auth Client Secrets for identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity for which to get Client Secrets for",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "clientSecretData": {
+                                type: "array",
+                                items: {
+                                    $ref: '#/definitions/IdentityUniversalAuthClientSecretData'
+                                }
+                            }
+                        },
+                        "description": "Details of the Client Secrets"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId }
    } = await validateRequest(reqValidator.GetUniversalAuthClientSecretsV1, req);
-    
+
    const identityMembershipOrg = await IdentityMembershipOrg.findOne({
        identity: new Types.ObjectId(identityId)
    }).populate<{
@ -721,11 +1156,54 @@ export const getUniversalAuthClientSecrets = async (req: Request, res: Response)
    });
 }

+/**
+ * Revoke client secret for identity universal auth method on identity with id [identityId]
+ * @param req 
+ * @param res 
+ */
 export const revokeUniversalAuthClientSecret = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Revoke Universal Auth Client Secret for identity'
+        #swagger.description = 'Revoke Universal Auth Client Secret for identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity under which Client Secret was issued for",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+
+        #swagger.parameters['clientSecretId'] = {
+            "description": "ID of Client Secret to revoke",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "clientSecretData": {
+                                $ref: '#/definitions/IdentityUniversalAuthClientSecretData'
+                            }
+                        },
+                        "description": "Details of the revoked Client Secret"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId, clientSecretId }
    } = await validateRequest(reqValidator.RevokeUniversalAuthClientSecretV1, req);
-    
+
    const identityMembershipOrg = await IdentityMembershipOrg
        .findOne({
            identity: new Types.ObjectId(identityId)
@ -773,7 +1251,7 @@ export const revokeUniversalAuthClientSecret = async (req: Request, res: Respons
    );

    if (!clientSecretData) throw ResourceNotFoundError();
-    
+
    await EEAuditLogService.createAuditLog(
        req.authData,
        {
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -1,9 +1,13 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { 
-  IdentityMembershipOrg,
-  Membership, 
+  IWorkspace,
+  Identity,
+  IdentityMembership,
+  IdentityMembershipOrg, 
+  Membership,
  MembershipOrg,
+  User,
  Workspace
 } from "../../models";
 import { Role } from "../../ee/models";
@ -33,11 +37,12 @@ import { ForbiddenError } from "@casl/ability";
 */
 export const getOrganizationMemberships = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Return organization memberships'
-    #swagger.description = 'Return organization memberships'
+    #swagger.summary = 'Return organization user memberships'
+    #swagger.description = 'Return organization user memberships'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -94,11 +99,12 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
 */
 export const updateOrganizationMembership = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Update organization membership'
-    #swagger.description = 'Update organization membership'
+    #swagger.summary = 'Update organization user membership'
+    #swagger.description = 'Update organization user membership'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -214,11 +220,12 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
 */
 export const deleteOrganizationMembership = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Delete organization membership'
-    #swagger.description = 'Delete organization membership'
+    #swagger.summary = 'Delete organization user membership'
+    #swagger.description = 'Delete organization user membership'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -295,7 +302,8 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    #swagger.description = 'Return projects in organization that user is part of'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['organizationId'] = {
@ -323,6 +331,7 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
        }
    }   
    */
+  
  const {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgWorkspacesv2, req);
@ -348,13 +357,27 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
    ).map((w) => w._id.toString())
  );

-  const workspaces = (
-    await Membership.find({
-      user: req.user._id
-    }).populate("workspace")
-  )
-    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
-    .map((m) => m.workspace);
+  let workspaces: IWorkspace[] = [];
+  
+  if (req.authData.authPayload instanceof Identity) {
+    workspaces = (
+      await IdentityMembership.find({
+        identity: req.authData.authPayload._id
+      }).populate<{ workspace: IWorkspace }>("workspace")
+    )
+      .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+      .map((m) => m.workspace);
+  }
+  
+  if (req.authData.authPayload instanceof User) {
+    workspaces = (
+      await Membership.find({
+        user: req.authData.authPayload._id
+      }).populate<{ workspace: IWorkspace }>("workspace")
+    )
+      .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+      .map((m) => m.workspace);
+  }

  return res.status(200).send({
    workspaces
@ -425,6 +448,40 @@ export const deleteOrganizationById = async (req: Request, res: Response) => {
 * @returns 
 */
 export const getOrganizationIdentityMemberships = async (req: Request, res: Response) => {
+   /*
+    #swagger.summary = 'Return organization identity memberships'
+    #swagger.description = 'Return organization identity memberships'
+
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+    
+    #swagger.parameters['organizationId'] = {
+        "description": "ID of organization",
+        "required": true,
+        "type": "string",
+        "in": "path"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+              "schema": { 
+                "type": "object",
+                "properties": {
+                  "identityMemberships": {
+                    "type": "array",
+                    "items": {
+                      $ref: "#/components/schemas/IdentityMembershipOrg" 
+                    },
+                    "description": "Identity memberships of organization"
+                  }
+                }
+              }
+            }           
+        }
+    }
+  */
  const {
    params: { organizationId }
  } = await validateRequest(reqValidator.GetOrgIdentityMembershipsV2, req);
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -13,7 +13,7 @@ import {
  ProjectPermissionSub,
  getAuthDataProjectPermissions
 } from "../../ee/services/ProjectRoleService";
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 import { Types } from "mongoose";

 /**
@ -86,6 +86,14 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
    ProjectPermissionSub.ServiceTokens
  );

+  scopes.forEach(({ environment, secretPath }) => {
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: secretPath })
+    );
+  })
+
+
  const secret = crypto.randomBytes(16).toString("hex");
  const secretHash = await bcrypt.hash(secret, await getSaltRounds());

--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -1,10 +1,10 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
-import { 
+import {
  IIdentity,
  IdentityMembership,
  IdentityMembershipOrg,
-  Key, 
+  Key,
  Membership,
  ServiceTokenData,
  Workspace
@ -182,11 +182,11 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
        "apiKeyAuth": []
    }]

-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 

    #swagger.responses[200] = {
        content: {
@ -211,7 +211,7 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
    receiver: req.user._id
  }).populate("sender", "+publicKey");

-  if (!key) throw new Error("Failed to find workspace key");
+  if (!key) throw new Error(`getWorkspaceKey: Failed to find workspace key [workspaceId=${workspaceId}] [receiver=${req.user._id}]`);

  await EEAuditLogService.createAuditLog(
    req.authData,
@ -249,33 +249,34 @@ export const getWorkspaceServiceTokenData = async (req: Request, res: Response)
 */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Return project memberships'
-    #swagger.description = 'Return project memberships'
+    #swagger.summary = 'Return project user memberships'
+    #swagger.description = 'Return project user memberships'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 

    #swagger.responses[200] = {
        content: {
            "application/json": {
                "schema": { 
                    "type": "object",
-					"properties": {
-						"memberships": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Membership" 
-							},
-							"description": "Memberships of project"
-						}
-					}
+          "properties": {
+            "memberships": {
+              "type": "array",
+              "items": {
+                $ref: "#/components/schemas/Membership" 
+              },
+              "description": "Memberships of project"
+            }
+          }
                }
            }           
        }
@ -312,26 +313,27 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
 */
 export const updateWorkspaceMembership = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Update project membership'
-    #swagger.description = 'Update project membership'
+    #swagger.summary = 'Update project user membership'
+    #swagger.description = 'Update project user membership'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 

-	#swagger.parameters['membershipId'] = {
-		"description": "ID of project membership to update",
-		"required": true,
-		"type": "string"
-	} 
+  #swagger.parameters['membershipId'] = {
+    "description": "ID of project membership to update",
+    "required": true,
+    "type": "string"
+  } 

-	#swagger.requestBody = {
+  #swagger.requestBody = {
      "required": true,
      "content": {
        "application/json": {
@ -340,7 +342,7 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
            "properties": {
                "role": {
                    "type": "string",
-                    "description": "Role of membership - either admin or member",
+                    "description": "Role to update to for project membership",
                }
            }
          }
@ -352,13 +354,13 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
        content: {
            "application/json": {
                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/Membership",
-							"description": "Updated membership"
-						}
-					}
+          "type": "object",
+          "properties": {
+            "membership": {
+              $ref: "#/components/schemas/Membership",
+              "description": "Updated membership"
+            }
+          }
                }
            }           
        }
@ -402,36 +404,37 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
 */
 export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
  /* 
-    #swagger.summary = 'Delete project membership'
-    #swagger.description = 'Delete project membership'
+    #swagger.summary = 'Delete project user membership'
+    #swagger.description = 'Delete project user membership'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
+  #swagger.parameters['workspaceId'] = {
+    "description": "ID of project",
+    "required": true,
+    "type": "string"
+  } 

-	#swagger.parameters['membershipId'] = {
-		"description": "ID of project membership to delete",
-		"required": true,
-		"type": "string"
-	} 
+  #swagger.parameters['membershipId'] = {
+    "description": "ID of project membership to delete",
+    "required": true,
+    "type": "string"
+  } 

    #swagger.responses[200] = {
        content: {
            "application/json": {
                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/Membership",
-							"description": "Deleted membership"
-						}
-					}
+          "type": "object",
+          "properties": {
+            "membership": {
+              $ref: "#/components/schemas/Membership",
+              "description": "Deleted membership"
+            }
+          }
                }
            }           
        }
@ -511,14 +514,14 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 * @param req 
 * @param res 
 */
- export const addIdentityToWorkspace = async (req: Request, res: Response) => {
+export const addIdentityToWorkspace = async (req: Request, res: Response) => {
  const {
    params: { workspaceId, identityId },
    body: {
      role
    }
  } = await validateRequest(reqValidator.AddIdentityToWorkspaceV2, req);
-  
+
  const { permission } = await getAuthDataProjectPermissions({
    authData: req.authData,
    workspaceId: new Types.ObjectId(workspaceId)
@ -538,7 +541,7 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
    message: `Identity with id ${identityId} already exists in project with id ${workspaceId}`
  });

-  
+
  const workspace = await Workspace.findById(workspaceId);
  if (!workspace) throw ResourceNotFoundError();

@ -550,16 +553,16 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
  if (!identityMembershipOrg) throw ResourceNotFoundError({
    message: `Failed to find identity with id ${identityId}`
  });
-  
+
  if (!identityMembershipOrg.organization.equals(workspace.organization)) throw BadRequestError({
    message: "Failed to add identity to project in another organization"
  });

  const rolePermission = await getWorkspaceRolePermissions(role, workspaceId);
  const isAsPrivilegedAsIntendedRole = isAtLeastAsPrivilegedWorkspace(permission, rolePermission);
-  
+
  if (!isAsPrivilegedAsIntendedRole) throw ForbiddenRequestError({
-      message: "Failed to add identity to project with more privileged role"
+    message: "Failed to add identity to project with more privileged role"
  });

  let customRole;
@ -571,18 +574,18 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
        isOrgRole: false,
        workspace: new Types.ObjectId(workspaceId)
      });
-      
+
      if (!customRole) throw BadRequestError({ message: "Role not found" });
    }
  }
-  
+
  identityMembership = await new IdentityMembership({
    identity: identityMembershipOrg.identity,
    workspace: new Types.ObjectId(workspaceId),
    role: customRole ? CUSTOM : role,
    customRole
  }).save();
-  
+
  return res.status(200).send({
    identityMembership
  });
@ -595,13 +598,66 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 * @param res 
 */
 export const updateIdentityWorkspaceRole = async (req: Request, res: Response) => {
+   /* 
+    #swagger.summary = 'Update project identity membership'
+    #swagger.description = 'Update project identity membership'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['identityId'] = {
+		"description": "ID of identity whose membership to update in project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role to update to for identity project membership",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+          "application/json": {
+            "schema": { 
+              "type": "object",
+              "properties": {
+                "identityMembership": {
+                  $ref: "#/components/schemas/IdentityMembership",
+                  "description": "Updated identity membership"
+                }
+              }
+            }
+          }           
+        }
+    }   
+    */
  const {
    params: { workspaceId, identityId },
    body: {
      role
    }
  } = await validateRequest(reqValidator.UpdateIdentityWorkspaceRoleV2, req);
-  
+
  const { permission } = await getAuthDataProjectPermissions({
    authData: req.authData,
    workspaceId: new Types.ObjectId(workspaceId)
@ -611,7 +667,7 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
    ProjectPermissionActions.Edit,
    ProjectPermissionSub.Identity
  );
-  
+
  let identityMembership = await IdentityMembership
    .findOne({
      identity: new Types.ObjectId(identityId),
@ -625,21 +681,21 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
  if (!identityMembership) throw BadRequestError({
    message: `Identity with id ${identityId} does not exist in project with id ${workspaceId}`
  });
-  
+
  const identityRolePermission = await getWorkspaceRolePermissions(
-    identityMembership?.customRole?.slug ?? identityMembership.role, 
+    identityMembership?.customRole?.slug ?? identityMembership.role,
    identityMembership.workspace.toString()
  );
  const isAsPrivilegedAsIdentity = isAtLeastAsPrivilegedWorkspace(permission, identityRolePermission);
  if (!isAsPrivilegedAsIdentity) throw ForbiddenRequestError({
-      message: "Failed to update role of more privileged identity"
+    message: "Failed to update role of more privileged identity"
  });

  const rolePermission = await getWorkspaceRolePermissions(role, workspaceId);
  const isAsPrivilegedAsIntendedRole = isAtLeastAsPrivilegedWorkspace(permission, rolePermission);
-  
+
  if (!isAsPrivilegedAsIntendedRole) throw ForbiddenRequestError({
-      message: "Failed to update identity to a more privileged role"
+    message: "Failed to update identity to a more privileged role"
  });

  let customRole;
@ -651,11 +707,11 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
        isOrgRole: false,
        workspace: new Types.ObjectId(workspaceId)
      });
-      
+
      if (!customRole) throw BadRequestError({ message: "Role not found" });
    }
  }
-  
+
  identityMembership = await IdentityMembership.findOneAndUpdate(
    {
      identity: identityMembership.identity._id,
@ -676,16 +732,52 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 }

 /**
- * Delete identity with id [identityId] to workspace
+ * Delete identity with id [identityId] from workspace
 * with id [workspaceId]
 * @param req 
 * @param res 
 */
 export const deleteIdentityFromWorkspace = async (req: Request, res: Response) => {
+   /* 
+    #swagger.summary = 'Delete project identity membership'
+    #swagger.description = 'Delete project identity membership'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['identityId'] = {
+		"description": "ID of identity whose membership to delete in project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+          "application/json": {
+            "schema": { 
+              "type": "object",
+              "properties": {
+                "identityMembership": {
+                  $ref: "#/components/schemas/IdentityMembership",
+                  "description": "Deleted identity membership"
+                }
+              }
+            }
+          }           
+        }
+    }   
+    */
  const {
    params: { workspaceId, identityId }
  } = await validateRequest(reqValidator.DeleteIdentityFromWorkspaceV2, req);
-  
+
  const { permission } = await getAuthDataProjectPermissions({
    authData: req.authData,
    workspaceId: new Types.ObjectId(workspaceId)
@ -695,7 +787,7 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
    ProjectPermissionActions.Delete,
    ProjectPermissionSub.Identity
  );
-  
+
  const identityMembership = await IdentityMembership
    .findOne({
      identity: new Types.ObjectId(identityId),
@ -705,20 +797,20 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
      identity: IIdentity,
      customRole: IRole
    }>("identity customRole");
-  
+
  if (!identityMembership) throw ResourceNotFoundError({
    message: `Identity with id ${identityId} does not exist in project with id ${workspaceId}`
  });
-  
+
  const identityRolePermission = await getWorkspaceRolePermissions(
-    identityMembership?.customRole?.slug ?? identityMembership.role, 
+    identityMembership?.customRole?.slug ?? identityMembership.role,
    identityMembership.workspace.toString()
  );
  const isAsPrivilegedAsIdentity = isAtLeastAsPrivilegedWorkspace(permission, identityRolePermission);
  if (!isAsPrivilegedAsIdentity) throw ForbiddenRequestError({
-      message: "Failed to remove more privileged identity from project"
+    message: "Failed to remove more privileged identity from project"
  });
-  
+
  await IdentityMembership.findByIdAndDelete(identityMembership._id);

  return res.status(200).send({
@ -733,10 +825,44 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 * @returns 
 */
 export const getWorkspaceIdentityMemberships = async (req: Request, res: Response) => {
+   /*
+    #swagger.summary = 'Return project identity memberships'
+    #swagger.description = 'Return project identity memberships'
+
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+    
+    #swagger.parameters['workspaceId'] = {
+        "description": "ID of project",
+        "required": true,
+        "type": "string",
+        "in": "path"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+              "schema": { 
+                "type": "object",
+                "properties": {
+                  "identityMemberships": {
+                    "type": "array",
+                    "items": {
+                      $ref: "#/components/schemas/IdentityMembership" 
+                    },
+                    "description": "Identity memberships of project"
+                  }
+                }
+              }
+            }           
+        }
+    }
+  */
  const {
    params: { workspaceId }
  } = await validateRequest(reqValidator.GetWorkspaceIdentityMembersV2, req);
-  
+
  const { permission } = await getAuthDataProjectPermissions({
    authData: req.authData,
    workspaceId: new Types.ObjectId(workspaceId)
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -348,7 +348,7 @@ export const getSecretByNameRaw = async (req: Request, res: Response) => {
    }
  */
  const {
-    query: { secretPath, environment, workspaceId, type, include_imports },
+    query: { secretPath, environment, workspaceId, type, include_imports, version },
    params: { secretName }
  } = await validateRequest(reqValidator.GetSecretByNameRawV3, req);

@ -371,7 +371,8 @@ export const getSecretByNameRaw = async (req: Request, res: Response) => {
    type,
    secretPath,
    authData: req.authData,
-    include_imports
+    include_imports,
+    version
  });

  const key = await BotService.getWorkspaceKeyWithBot({
@ -865,7 +866,7 @@ export const getSecrets = async (req: Request, res: Response) => {
 */
 export const getSecretByName = async (req: Request, res: Response) => {
  const {
-    query: { secretPath, environment, workspaceId, type, include_imports },
+    query: { secretPath, environment, workspaceId, type, include_imports, version },
    params: { secretName }
  } = await validateRequest(reqValidator.GetSecretByNameV3, req);

@ -888,7 +889,8 @@ export const getSecretByName = async (req: Request, res: Response) => {
    type,
    secretPath,
    authData: req.authData,
-    include_imports
+    include_imports,
+    version
  });

  return res.status(200).send({
--- a/backend/src/controllers/v3/signupController.ts
+++ b/backend/src/controllers/v3/signupController.ts
@ -101,14 +101,15 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
      salt,
      verifier
    });
-
+    
    if (!user) throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null

-    const hasSamlEnabled = user.authMethods.some((authMethod: AuthMethod) =>
-      [AuthMethod.OKTA_SAML, AuthMethod.AZURE_SAML, AuthMethod.JUMPCLOUD_SAML].includes(authMethod)
+    // this might need to consider LDAP
+    const hasOrgAuthMethodEnabled = user.authMethods.some((authMethod: AuthMethod) =>
+      [AuthMethod.OKTA_SAML, AuthMethod.AZURE_SAML, AuthMethod.JUMPCLOUD_SAML, AuthMethod.LDAP].includes(authMethod)
    );

-    if (!hasSamlEnabled) {
+    if (!hasOrgAuthMethodEnabled) {
      // TODO: modify this part
      // initialize default organization and workspace
      await initializeDefaultOrg({
--- a/backend/src/ee/controllers/v1/identitiesController.ts
+++ b/backend/src/ee/controllers/v1/identitiesController.ts
@ -42,6 +42,58 @@ import { ForbiddenError } from "@casl/ability";
 * @returns 
 */
 export const createIdentity = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Create identity'
+        #swagger.description = 'Create identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "description": "Name of entity to create",
+                                "example": "development"
+                            },
+                            "organizationId": {
+                                "type": "string",
+                                "description": "ID of organization where to create identity",
+                                "example": "dev-environment"
+                            },
+                            "role": {
+                                "type": "string",
+                                "description": "Role to assume for organization membership",
+                                "example": "no-access"
+                            }
+                        },
+                        "required": ["name", "organizationId", "role"]
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identity": {
+                                $ref: '#/definitions/Identity'
+                            }
+                        },
+                        "description": "Details of the created identity"
+                    }
+                }
+            }
+        }
+    */
    const {
        body: {
            name,
@ -120,6 +172,59 @@ export const createIdentity = async (req: Request, res: Response) => {
 * @returns 
 */
 export const updateIdentity = async (req: Request, res: Response) => {
+    /*
+        #swagger.summary = 'Update identity'
+        #swagger.description = 'Update identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity to update",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+        
+        #swagger.requestBody = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "description": "Name of entity to update to",
+                                "example": "development"
+                            },
+                            "role": {
+                                "type": "string",
+                                "description": "Role to update to for organization membership",
+                                "example": "no-access"
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identity": {
+                                $ref: '#/definitions/Identity'
+                            }
+                        },
+                        "description": "Details of the updated identity"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId  },
        body: {
@ -242,6 +347,37 @@ export const createIdentity = async (req: Request, res: Response) => {
 * @returns 
 */
 export const deleteIdentity = async (req: Request, res: Response) => {
+     /*
+        #swagger.summary = 'Delete identity'
+        #swagger.description = 'Delete identity'
+
+        #swagger.security = [{
+            "bearerAuth": []
+        }]
+
+        #swagger.parameters['identityId'] = {
+            "description": "ID of identity",
+            "required": true,
+            "type": "string",
+            "in": "path"
+        }
+
+        #swagger.responses[200] = {
+            content: {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "identity": {
+                                $ref: '#/definitions/Identity'
+                            }
+                        },
+                        "description": "Details of the deleted identity"
+                    }
+                }
+            }
+        }
+    */
    const {
        params: { identityId }
    } = await validateRequest(reqValidator.DeleteIdentityV1, req);
--- a/backend/src/ee/controllers/v1/secretApprovalRequestsController.ts
+++ b/backend/src/ee/controllers/v1/secretApprovalRequestsController.ts
@ -17,12 +17,12 @@ export const getSecretApprovalRequestCount = async (req: Request, res: Response)
  } = await validateRequest(reqValidator.getSecretApprovalRequestCount, req);

  if (!(req.authData.authPayload instanceof User)) return;
-  
+
  const membership = await Membership.findOne({
    user: req.authData.authPayload._id,
    workspace: new Types.ObjectId(workspaceId)
  });
-  
+
  if (!membership) throw UnauthorizedRequestError();

  const approvalRequestCount = await SecretApprovalRequest.aggregate([
@ -73,12 +73,12 @@ export const getSecretApprovalRequests = async (req: Request, res: Response) =>
  } = await validateRequest(reqValidator.getSecretApprovalRequests, req);

  if (!(req.authData.authPayload instanceof User)) return;
-  
+
  const membership = await Membership.findOne({
    user: req.authData.authPayload._id,
    workspace: new Types.ObjectId(workspaceId)
  });
-  
+
  if (!membership) throw UnauthorizedRequestError();

  const query = {
@ -168,13 +168,13 @@ export const getSecretApprovalRequestDetails = async (req: Request, res: Respons
    user: req.authData.authPayload._id,
    workspace: secretApprovalRequest.workspace
  });
-  
+
  if (!membership) throw UnauthorizedRequestError();

  // allow to fetch only if its admin or is the committer or approver
  if (
    membership.role !== "admin" &&
-    secretApprovalRequest.committer !== membership.id &&
+    !secretApprovalRequest.committer.equals(membership.id) &&
    !secretApprovalRequest.policy.approvers.find(
      (approverId) => approverId.toString() === membership._id.toString()
    )
@ -215,7 +215,7 @@ export const updateSecretApprovalReviewStatus = async (req: Request, res: Respon
    user: req.authData.authPayload._id,
    workspace: secretApprovalRequest.workspace
  });
-  
+
  if (!membership) throw UnauthorizedRequestError();

  if (
@ -257,7 +257,7 @@ export const mergeSecretApprovalRequest = async (req: Request, res: Response) =>
    user: req.authData.authPayload._id,
    workspace: secretApprovalRequest.workspace
  });
-  
+
  if (!membership) throw UnauthorizedRequestError();

  if (
@ -307,7 +307,7 @@ export const updateSecretApprovalRequestStatus = async (req: Request, res: Respo
    user: req.authData.authPayload._id,
    workspace: secretApprovalRequest.workspace
  });
-  
+
  if (!membership) throw UnauthorizedRequestError();

  if (
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -62,15 +62,30 @@ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) =
    #swagger.description = 'Return project secret snapshots ids'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of project where to get secret snapshots for",
 		"required": true,
 		"type": "string"
 	} 

+	#swagger.parameters['environment'] = {
+      "description": "Slug of environment where to get secret snapshots for",
+      "required": true,
+      "type": "string",
+      "in": "query"
+  }
+
+  #swagger.parameters['directory'] = {
+      "description": "Path where to get secret snapshots for like / or /foo/bar. Default is /",
+      "required": false,
+      "type": "string",
+      "in": "query"
+  }
+
 	#swagger.parameters['offset'] = {
 		"description": "Number of secret snapshots to skip",
 		"required": false,
@ -195,11 +210,12 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
    #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
    
    #swagger.security = [{
-        "apiKeyAuth": []
+        "apiKeyAuth": [],
+        "bearerAuth": []
    }]

 	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
+		"description": "ID of project where to roll back",
 		"required": true,
 		"type": "string"
 	} 
@ -211,6 +227,14 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
          "schema": {
            "type": "object",
            "properties": {
+                "environment": {
+                  "type": "string",
+                  "description": "Slug of environment where to roll back"
+                },
+                "directory": {
+                  "type": "string",
+                  "description": "Path where to roll back for like / or /foo/bar. Default is /"
+                },
                "version": {
                    "type": "integer",
                    "description": "Version of secret snapshot to roll back to",
--- a/backend/src/ee/helpers/organizations.ts
+++ b/backend/src/ee/helpers/organizations.ts
@ -1,5 +1,6 @@
 import { Types } from "mongoose";
 import {
+    LDAPConfig,
    SSOConfig
 } from "../models";
 import {
@ -61,4 +62,53 @@ export const getSSOConfigHelper = async ({
        issuer,
        cert
    });
+}
+
+export const getLdapConfigHelper = async ({
+    organizationId
+}: {
+    organizationId: Types.ObjectId;
+}) => {
+    
+    const ldapConfig = await LDAPConfig.findOne({
+        organization: organizationId
+    });
+    
+    if (!ldapConfig) throw new Error("Failed to find organization LDAP data");
+    
+    const key = await BotOrgService.getSymmetricKey(
+        ldapConfig.organization
+    );
+    
+    const bindDN = client.decryptSymmetric(
+        ldapConfig.encryptedBindDN,
+        key,
+        ldapConfig.bindDNIV,
+        ldapConfig.bindDNTag
+    );
+
+    const bindPass = client.decryptSymmetric(
+        ldapConfig.encryptedBindPass,
+        key,
+        ldapConfig.bindPassIV,
+        ldapConfig.bindPassTag
+    );
+
+    const caCert = client.decryptSymmetric(
+        ldapConfig.encryptedCACert,
+        key,
+        ldapConfig.caCertIV,
+        ldapConfig.caCertTag
+    );
+    
+    return ({
+        _id: ldapConfig._id,
+        organization: ldapConfig.organization,
+        isActive: ldapConfig.isActive,
+        url: ldapConfig.url,
+        bindDN,
+        bindPass,
+        searchBase: ldapConfig.searchBase,
+        caCert
+    });
 }
--- a/backend/src/ee/models/auditLog/enums.ts
+++ b/backend/src/ee/models/auditLog/enums.ts
@ -8,7 +8,10 @@ export enum UserAgentType {
  WEB = "web",
  CLI = "cli",
  K8_OPERATOR = "k8-operator",
-  OTHER = "other"
+  TERRAFORM = "terraform",
+  OTHER = "other",
+  PYTHON_SDK = "InfisicalPythonSDK",
+  NODE_SDK = "InfisicalNodeSDK"
 }

 export enum EventType {
--- a/backend/src/ee/models/index.ts
+++ b/backend/src/ee/models/index.ts
@ -3,10 +3,11 @@ export * from "./secretVersion";
 export * from "./folderVersion";
 export * from "./role";
 export * from "./ssoConfig";
+export * from "./ldapConfig";
 export * from "./trustedIp";
 export * from "./auditLog";
 export * from  "./gitRisks";
 export * from  "./gitAppOrganizationInstallation";
 export * from  "./gitAppInstallationSession";
 export * from "./secretApprovalPolicy";
-export * from "./secretApprovalRequest";
+export * from "./secretApprovalRequest";
--- a/backend/src/ee/models/ldapConfig.ts
+++ b/backend/src/ee/models/ldapConfig.ts
@ -0,0 +1,79 @@
+import { Schema, Types, model } from "mongoose";
+
+export interface ILDAPConfig {
+    organization: Types.ObjectId;
+    isActive: boolean;
+    url: string;
+    encryptedBindDN: string;
+    bindDNIV: string;
+    bindDNTag: string;
+    encryptedBindPass: string;
+    bindPassIV: string;
+    bindPassTag: string;
+    searchBase: string;
+    encryptedCACert: string;
+    caCertIV: string;
+    caCertTag: string;
+}
+
+const ldapConfigSchema = new Schema<ILDAPConfig>(
+    {
+        organization: {
+            type: Schema.Types.ObjectId,
+            ref: "Organization"
+        },
+        isActive: {
+            type: Boolean,
+            required: true
+        },
+        url: {
+            type: String,
+            required: true
+        },
+        encryptedBindDN: {
+            type: String,
+            required: true
+        },
+        bindDNIV: {
+            type: String,
+            required: true
+        },
+        bindDNTag: {
+            type: String,
+            required: true
+        },
+        encryptedBindPass: {
+            type: String,
+            required: true
+        },
+        bindPassIV: {
+            type: String,
+            required: true
+        },
+        bindPassTag: {
+            type: String,
+            required: true
+        },
+        searchBase: {
+            type: String,
+            required: true
+        },
+        encryptedCACert: {
+            type: String,
+            required: true
+        },
+        caCertIV: {
+            type: String,
+            required: true
+        },
+        caCertTag: {
+            type: String,
+            required: true
+        },
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const LDAPConfig = model<ILDAPConfig>("LDAPConfig", ldapConfigSchema);
--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -7,7 +7,7 @@ import { workspaceController } from "../../controllers/v1";
 router.get(
  "/:workspaceId/secret-snapshots",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.getWorkspaceSecretSnapshots
 );
@ -23,7 +23,7 @@ router.get(
 router.post(
  "/:workspaceId/secret-snapshots/rollback",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.rollbackWorkspaceSecretSnapshot
 );
@ -31,7 +31,7 @@ router.post(
 router.get(
  "/:workspaceId/audit-logs",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.getWorkspaceAuditLogs
 );
--- a/backend/src/helpers/bot.ts
+++ b/backend/src/helpers/bot.ts
@ -13,7 +13,7 @@ import {
  SECRET_SHARED
 } from "../variables";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
-import { InternalServerError } from "../utils/errors";
+import { BotNotFoundError, InternalServerError } from "../utils/errors";
 import { Folder } from "../models";
 import { getFolderByPath } from "../services/FolderService";
 import { getAllImportedSecrets } from "../services/SecretImportService";
@ -223,7 +223,7 @@ export const getKey = async ({ workspaceId }: { workspaceId: Types.ObjectId }) =
    workspace: workspaceId
  }).populate<{ sender: IUser }>("sender", "publicKey");

-  if (!botKey) throw new Error("Failed to find bot key");
+  if (!botKey) throw BotNotFoundError({ message: `getKey: Failed to find bot key for [workspaceId=${workspaceId}]` })

  const bot = await Bot.findOne({
    workspace: workspaceId
--- a/backend/src/helpers/rateLimiter.ts
+++ b/backend/src/helpers/rateLimiter.ts
@ -10,7 +10,7 @@ export const apiLimiter = rateLimit({
  //   errorHandler: console.error.bind(null, 'rate-limit-mongo')
  // }),
  windowMs: 60 * 1000,
-  max: 350,
+  max: 480,
  standardHeaders: true,
  legacyHeaders: false,
  skip: (request) => {
@ -30,7 +30,7 @@ const authLimit = rateLimit({
  //   collectionName: "expressRateRecords-authLimit",
  // }),
  windowMs: 60 * 1000,
-  max: 100,
+  max: 300,
  standardHeaders: true,
  legacyHeaders: false,
  keyGenerator: (req, res) => {
@ -46,8 +46,8 @@ export const passwordLimiter = rateLimit({
  //   errorHandler: console.error.bind(null, 'rate-limit-mongo'),
  //   collectionName: "expressRateRecords-passwordLimiter",
  // }),
-  windowMs: 60 * 60 * 1000,
-  max: 10,
+  windowMs: 60 * 1000,
+  max: 300,
  standardHeaders: true,
  legacyHeaders: false,
  keyGenerator: (req, res) => {
--- a/backend/src/helpers/secrets.ts
+++ b/backend/src/helpers/secrets.ts
@ -579,7 +579,9 @@ export const getSecretsHelper = async ({
          event: "secrets pulled",
          distinctId: await TelemetryService.getDistinctId({ authData }),
          properties: {
-            numberOfSecrets: shouldRecordK8Event ? approximateForNoneCapturedEvents : secrets.length,
+            numberOfSecrets: shouldRecordK8Event
+              ? approximateForNoneCapturedEvents
+              : secrets.length,
            environment,
            workspaceId,
            folderId,
@ -611,42 +613,86 @@ export const getSecretHelper = async ({
  type,
  authData,
  secretPath = "/",
-  include_imports = true
+  include_imports = true,
+  version
 }: GetSecretParams) => {
  const secretBlindIndex = await generateSecretBlindIndexHelper({
    secretName,
    workspaceId: new Types.ObjectId(workspaceId)
  });
  let secret: ISecret | null | undefined = null;
+
  // if using service token filter towards the folderId by secretpath

  const folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);

  // try getting personal secret first (if exists)
-  secret = await Secret.findOne({
-    secretBlindIndex,
-    workspace: new Types.ObjectId(workspaceId),
-    environment,
-    folder: folderId,
-    type: type ?? SECRET_PERSONAL,
-    ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
-  }).lean();
-
-  if (!secret) {
-    // case: failed to find personal secret matching criteria
-    // -> find shared secret matching criteria
+  if (version === undefined) {
    secret = await Secret.findOne({
      secretBlindIndex,
      workspace: new Types.ObjectId(workspaceId),
      environment,
      folder: folderId,
-      type: SECRET_SHARED
+      type: type ?? SECRET_PERSONAL,
+      ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
    }).lean();
+  } else {
+    const secretVersion = await SecretVersion.findOne({
+      secretBlindIndex,
+      workspace: new Types.ObjectId(workspaceId),
+      environment,
+      folder: folderId,
+      type: type ?? SECRET_PERSONAL,
+      version
+    }).lean();
+
+    if (secretVersion) {
+      secret = await new Secret({
+        ...secretVersion,
+        _id: secretVersion?.secret
+      });
+    }
+  }
+
+  if (!secret) {
+    // case: failed to find personal secret matching criteria
+    // -> find shared secret matching criteria
+    if (version === undefined) {
+      secret = await Secret.findOne({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        folder: folderId,
+        type: SECRET_SHARED
+      }).lean();
+    } else {
+      const secretVersion = await SecretVersion.findOne({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        folder: folderId,
+        type: SECRET_SHARED,
+        version
+      }).lean();
+
+      if (secretVersion) {
+        secret = await new Secret({
+          ...secretVersion,
+          _id: secretVersion?.secret
+        });
+      }
+    }
  }

  if (!secret && include_imports) {
    // if still no secret found search in imported secret and retreive
-    secret = await getAnImportedSecret(secretName, workspaceId.toString(), environment, folderId);
+    secret = await getAnImportedSecret(
+      secretName,
+      workspaceId.toString(),
+      environment,
+      folderId,
+      version
+    );
  }

  if (!secret) throw SecretNotFoundError();
@ -1141,11 +1187,12 @@ const recursivelyExpandSecret = async (
        const secRefKey = entities[entities.length - 1];

        const val = await fetchCrossEnv(secRefEnv, secRefPath, secRefKey);
-        interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
+        if (val !== undefined) {
+          interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
+        }
      }
    }
  }
-
  expandedSec[key] = interpolatedValue;
  return interpolatedValue;
 };
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -42,6 +42,7 @@ import {
  integration as v1IntegrationRouter,
  inviteOrg as v1InviteOrgRouter,
  key as v1KeyRouter,
+  ldap as v1LDAPRouter,
  membershipOrg as v1MembershipOrgRouter,
  membership as v1MembershipRouter,
  organization as v1OrganizationRouter,
@ -237,6 +238,7 @@ const main = async () => {
  app.use("/api/v1/roles", v1RoleRouter);
  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicyRouter);
  app.use("/api/v1/sso", v1SSORouter);
+  app.use("/api/v1/ldap", v1LDAPRouter);
  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequestRouter);

  // v2 routes (improvements)
--- a/backend/src/interfaces/services/SecretService/index.ts
+++ b/backend/src/interfaces/services/SecretService/index.ts
@ -38,6 +38,7 @@ export interface GetSecretParams {
  type?: "shared" | "personal";
  authData: AuthData;
  include_imports?: boolean;
+  version?: number;
 }

 export interface UpdateSecretParams {
--- a/backend/src/models/identityAccessToken.ts
+++ b/backend/src/models/identityAccessToken.ts
@ -53,13 +53,13 @@ const identityAccessTokenSchema = new Schema(
        accessTokenTTL: { // seconds
            // incremental lifetime
            type: Number,
-            default: 7200,
+            default: 2592000, // 30 days
            required: true
        },
        accessTokenMaxTTL: { // seconds
            // max lifetime
            type: Number,
-            default: 7200,
+            default: 2592000, // 30 days 
            required: true
        },
        accessTokenTrustedIps: {
--- a/backend/src/models/user.ts
+++ b/backend/src/models/user.ts
@ -7,7 +7,8 @@ export enum AuthMethod {
  GITLAB = "gitlab",
  OKTA_SAML = "okta-saml",
  AZURE_SAML = "azure-saml",
-  JUMPCLOUD_SAML = "jumpcloud-saml"
+  JUMPCLOUD_SAML = "jumpcloud-saml",
+  LDAP = "ldap"
 }

 export interface IUser extends Document {
@ -55,7 +56,7 @@ const userSchema = new Schema<IUser>(
    },
    email: {
      type: String,
-      required: true,
+      required: false,
      unique: true
    },
    firstName: {
--- a/backend/src/routes/v1/index.ts
+++ b/backend/src/routes/v1/index.ts
@ -2,6 +2,7 @@ import signup from "./signup";
 import bot from "./bot";
 import auth from "./auth";
 import universalAuth from "./universalAuth";
+import ldap from "./ldap";
 import user from "./user";
 import userAction from "./userAction";
 import organization from "./organization";
@ -43,5 +44,6 @@ export {
  webhooks,
  secretImps,
  sso,
+  ldap,
  admin
 };
--- a/backend/src/routes/v1/integrationAuth.ts
+++ b/backend/src/routes/v1/integrationAuth.ts
@ -156,12 +156,20 @@ router.get(
  integrationAuthController.getIntegrationAuthTeamCityBuildConfigs
 );

+router.delete(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  integrationAuthController.deleteIntegrationAuths
+);
+
 router.delete(
  "/:integrationAuthId",
  requireAuth({
    acceptedAuthModes: [AuthMode.JWT]
  }),
-  integrationAuthController.deleteIntegrationAuth
+  integrationAuthController.deleteIntegrationAuthById
 );

 export default router;
--- a/backend/src/routes/v1/ldap.ts
+++ b/backend/src/routes/v1/ldap.ts
@ -0,0 +1,41 @@
+import express from "express";
+const router = express.Router();
+import passport from "passport";
+import { requireAuth } from "../../middleware";
+import { ldapController } from "../../controllers/v1";
+import { AuthMode } from "../../variables";
+
+router.post(
+    "/login",
+    passport.authenticate("ldapauth", {
+        session: false
+    }) as any,
+    ldapController.redirectLDAP
+);
+
+router.get(
+  "/config",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  ldapController.getLDAPConfig
+);
+
+router.post(
+  "/config",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  ldapController.createLDAPConfig
+);
+
+router.patch(
+  "/config",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  ldapController.updateLDAPConfig
+);
+
+
+export default router;
--- a/backend/src/routes/v1/secretImps.ts
+++ b/backend/src/routes/v1/secretImps.ts
@ -7,7 +7,7 @@ import { AuthMode } from "../../variables";
 router.post(
  "/",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  secretImpsController.createSecretImp
 );
@ -15,7 +15,7 @@ router.post(
 router.put(
  "/:id",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  secretImpsController.updateSecretImport
 );
@ -23,7 +23,7 @@ router.put(
 router.delete(
  "/:id",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  secretImpsController.deleteSecretImport
 );
@ -31,7 +31,7 @@ router.delete(
 router.get(
  "/",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  secretImpsController.getSecretImports
 );
--- a/backend/src/routes/v1/secretsFolder.ts
+++ b/backend/src/routes/v1/secretsFolder.ts
@ -12,7 +12,7 @@ import { AuthMode } from "../../variables";
 router.post(
  "/",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  createFolder
 );
@ -20,7 +20,7 @@ router.post(
 router.patch(
  "/:folderName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  updateFolderById
 );
@ -28,7 +28,7 @@ router.patch(
 router.delete(
  "/:folderName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  deleteFolder
 );
@ -36,7 +36,7 @@ router.delete(
 router.get(
  "/",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  getFolders
 );
--- a/backend/src/routes/v1/universalAuth.ts
+++ b/backend/src/routes/v1/universalAuth.ts
@ -18,15 +18,15 @@ router.post(
 router.post(
    "/universal-auth/identities/:identityId",
    requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
    }),
-    universalAuthController.addIdentityUniversalAuth
+    universalAuthController.attachIdentityUniversalAuth
 );

 router.patch(
    "/universal-auth/identities/:identityId",
    requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
    }),
    universalAuthController.updateIdentityUniversalAuth
 );
@ -34,7 +34,7 @@ router.patch(
 router.get(
    "/universal-auth/identities/:identityId",
    requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
    }),
    universalAuthController.getIdentityUniversalAuth
 );
@ -42,7 +42,7 @@ router.get(
 router.post(
    "/universal-auth/identities/:identityId/client-secrets",
    requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
    }),
    universalAuthController.createUniversalAuthClientSecret
 );
@ -50,15 +50,15 @@ router.post(
 router.get(
    "/universal-auth/identities/:identityId/client-secrets",
    requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
    }),
-    universalAuthController.getUniversalAuthClientSecrets
+    universalAuthController.getUniversalAuthClientSecretsDetails
 );

 router.post(
    "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
    requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
    }),
    universalAuthController.revokeUniversalAuthClientSecret
 );
--- a/backend/src/routes/v2/environment.ts
+++ b/backend/src/routes/v2/environment.ts
@ -7,7 +7,7 @@ import { AuthMode } from "../../variables";
 router.post(
  "/:workspaceId/environments",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  environmentController.createWorkspaceEnvironment
 );
@ -15,7 +15,7 @@ router.post(
 router.put(
  "/:workspaceId/environments",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  environmentController.renameWorkspaceEnvironment
 );
@ -23,7 +23,7 @@ router.put(
 router.patch(
  "/:workspaceId/environments",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  environmentController.reorderWorkspaceEnvironments
 );
@ -31,7 +31,7 @@ router.patch(
 router.delete(
  "/:workspaceId/environments",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  environmentController.deleteWorkspaceEnvironment
 );
--- a/backend/src/routes/v2/organizations.ts
+++ b/backend/src/routes/v2/organizations.ts
@ -9,7 +9,7 @@ import { organizationsController } from "../../controllers/v2";
 router.get(
  "/:organizationId/memberships",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  organizationsController.getOrganizationMemberships
 );
@ -17,7 +17,7 @@ router.get(
 router.patch(
  "/:organizationId/memberships/:membershipId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  organizationsController.updateOrganizationMembership
 );
@ -25,7 +25,7 @@ router.patch(
 router.delete(
  "/:organizationId/memberships/:membershipId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  organizationsController.deleteOrganizationMembership
 );
@ -33,7 +33,7 @@ router.delete(
 router.get(
  "/:organizationId/workspaces",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  organizationsController.getOrganizationWorkspaces
 );
--- a/backend/src/routes/v2/workspace.ts
+++ b/backend/src/routes/v2/workspace.ts
@ -62,7 +62,7 @@ router.get(
  // new - TODO: rewire dashboard to this route
  "/:workspaceId/memberships",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.getWorkspaceMemberships
 );
@ -71,7 +71,7 @@ router.patch(
  // TODO - rewire dashboard to this route
  "/:workspaceId/memberships/:membershipId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.updateWorkspaceMembership
 );
@ -80,7 +80,7 @@ router.delete(
  // TODO - rewire dashboard to this route
  "/:workspaceId/memberships/:membershipId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.deleteWorkspaceMembership
 );
@ -96,7 +96,7 @@ router.patch(
 router.post(
  "/:workspaceId/identity-memberships/:identityId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.addIdentityToWorkspace
 );
@ -104,7 +104,7 @@ router.post(
 router.patch(
  "/:workspaceId/identity-memberships/:identityId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.updateIdentityWorkspaceRole
 );
@ -112,7 +112,7 @@ router.patch(
 router.delete(
  "/:workspaceId/identity-memberships/:identityId",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.deleteIdentityFromWorkspace
 );
@ -120,7 +120,7 @@ router.delete(
 router.get(
  "/:workspaceId/identity-memberships",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]
  }),
  workspaceController.getWorkspaceIdentityMemberships
 );
--- a/backend/src/services/SecretImportService.ts
+++ b/backend/src/services/SecretImportService.ts
@ -1,5 +1,6 @@
 import { Types } from "mongoose";
 import { generateSecretBlindIndexHelper } from "../helpers";
+import { SecretVersion } from "../ee/models";
 import { Folder, ISecret, Secret, SecretImport } from "../models";
 import { getFolderByPath } from "./FolderService";

@ -9,7 +10,8 @@ export const getAnImportedSecret = async (
  secretName: string,
  workspaceId: string,
  environment: string,
-  folderId = "root"
+  folderId = "root",
+  version?: number
 ) => {
  const secretBlindIndex = await generateSecretBlindIndexHelper({
    secretName,
@ -48,10 +50,26 @@ export const getAnImportedSecret = async (
  });
  if (importedSecByFid.length === 0) return;

-  const secret = await Secret.findOne({
-    workspace: workspaceId,
-    secretBlindIndex
-  }).or(importedSecByFid.map(({ environment, folderId }) => ({ environment, folder: folderId }))).lean()
+  let secret;
+  if (version === undefined) {
+    secret = await Secret.findOne({
+      workspace: workspaceId,
+      secretBlindIndex
+    }).or(importedSecByFid.map(({ environment, folderId }) => ({ environment, folder: folderId }))).lean()
+  } else {
+    const secretVersion = await SecretVersion.findOne({
+      workspace: workspaceId,
+      secretBlindIndex,
+      version
+    }).or(importedSecByFid.map(({ environment, folderId }) => ({ environment, folder: folderId }))).lean();
+    
+    if (secretVersion) {
+      secret = await new Secret({
+        ...secretVersion,
+        _id: secretVersion.secret,
+      });
+    }
+  }

  return secret;
 };
--- a/backend/src/services/TelemetryService.ts
+++ b/backend/src/services/TelemetryService.ts
@ -8,12 +8,12 @@ import {
  getTelemetryEnabled,
 } from "../config";
 import {
+  Identity,
  ServiceTokenData,
-  User,
+  User
 } from "../models";
 import {
  AccountNotFoundError,
-  BadRequestError,
 } from "../utils/errors";

 class Telemetry {
@ -22,7 +22,7 @@ class Telemetry {
   */
  static logTelemetryMessage = async () => {

-    if(!(await getTelemetryEnabled())){
+    if (!(await getTelemetryEnabled())) {
      [
        "To improve, Infisical collects telemetry data about general usage.",
        "This helps us understand how the product is doing and guide our product development to create the best possible platform; it also helps us demonstrate growth as we support Infisical as open-source software.",
@ -42,8 +42,8 @@ class Telemetry {
      postHogClient = new PostHog(await getPostHogProjectApiKey(), {
        host: await getPostHogHost(),
      });
-    } 
-    
+    }
+
    return postHogClient;
  }

@ -52,6 +52,7 @@ class Telemetry {
  }: {
    authData: AuthData;
  }) => {
+
    let distinctId = "";
    if (authData.authPayload instanceof User) {
      distinctId = authData.authPayload.email;
@ -59,14 +60,14 @@ class Telemetry {
      if (authData.authPayload.user) {
        const user = await User.findById(authData.authPayload.user, "email");
        if (!user) throw AccountNotFoundError();
-        distinctId = user.email; 
+        distinctId = user.email;
      }
+    } else if (authData.authPayload instanceof Identity) {
+      distinctId = `identity-${authData.authPayload._id.toString()}`
+    } else {
+      distinctId = "unknown-auth-data"
    }
-    
-    if (distinctId === "") throw BadRequestError({
-      message: "Failed to obtain distinct id for logging telemetry",
-    });
-    
+
    return distinctId;
  }
 }
--- a/backend/src/types/express/index.d.ts
+++ b/backend/src/types/express/index.d.ts
@ -40,6 +40,7 @@ declare global {
 			requestData: {
 				[key: string]: string
 			};
+			organizationId: string;
 		}
 	}
 }
--- a/backend/src/utils/authn/passport/index.ts
+++ b/backend/src/utils/authn/passport/index.ts
@ -2,3 +2,4 @@ export { initializeGoogleStrategy } from "./google";
 export { initializeGitHubStrategy } from "./github";
 export { initializeGitLabStrategy } from "./gitlab";
 export { initializeSamlStrategy } from "./saml";
+export { initializeLdapStrategy } from "./ldap";
--- a/backend/src/utils/authn/passport/ldap.ts
+++ b/backend/src/utils/authn/passport/ldap.ts
@ -0,0 +1,141 @@
+import { Types } from "mongoose";
+import {
+    AuthMethod,
+    MembershipOrg,
+    Organization,
+    User
+} from "../../../models";
+import passport from "passport";
+import { OrganizationNotFoundError } from "../../errors";
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const LdapStrategy = require("passport-ldapauth");
+import { getAuthSecret, getJwtProviderAuthLifetime } from "../../../config";
+import { createToken } from "../../../helpers/auth";
+import {
+    ACCEPTED, 
+    AuthTokenType,
+    MEMBER
+} from "../../../variables";
+import { getLdapConfigHelper } from "../../../ee/helpers/organizations";
+
+const getLDAPConfiguration = (req: any, callback: any) => {
+    const {
+        organizationId
+    } = req.body as {
+        organizationId: string;
+    };
+    
+    req.organizationId = organizationId;
+    
+    const boot = async () => {
+        const ldapConfig = await getLdapConfigHelper({
+            organizationId: new Types.ObjectId(organizationId)
+        });
+        
+        // example
+        // var opts = {
+        //     server: {
+        //         // url: 'ldaps://openldap:636', // connection over SSL/TLS
+        //         url: 'ldap://openldap:389',
+        //         bindDN: 'cn=admin,dc=acme,dc=com',
+        //         bindCredentials: 'admin',
+        //         searchBase: 'ou=people,dc=acme,dc=com',
+        //         searchFilter: '(uid={{username}})',
+        //         searchAttributes: ['uid', 'givenName', 'sn'], // optional, defaults to all (get username too)
+        //         // tlsOptions: {
+        //         //     ca: [caCert]
+        //         // }
+        //     },
+        //     passReqToCallback: true
+        // };
+
+        const opts = {
+            server: {
+                url: ldapConfig.url,
+                bindDN: ldapConfig.bindDN,
+                bindCredentials: ldapConfig.bindPass,
+                searchBase: ldapConfig.searchBase,
+                searchFilter: "(uid={{username}})",
+                searchAttributes: ["uid", "givenName", "sn"],
+                ...(ldapConfig.caCert !== "" ? {
+                        tlsOptions: {
+                            ca: [ldapConfig.caCert]
+                        }
+                    } : {}
+                )
+            },
+            passReqToCallback: true
+        };
+        
+        callback(null, opts);
+    }
+    
+    process.nextTick(async () => {
+        await boot();
+    });
+};
+
+export const initializeLdapStrategy = async () => {
+    passport.use(new LdapStrategy(getLDAPConfiguration,
+        async (req: any, user: any, done: any) => {
+            
+            const organization = await Organization.findById(req.organizationId);
+            if (!organization) return done(OrganizationNotFoundError());
+            
+            const ldapUsername = user.uid;
+            const firstName = user.givenName;
+            const lastName = user.sn;
+            const ldapEmail = `ldap-${ldapUsername}-${organization._id.toString()}@ldap.com`;
+
+            try {
+                let user = await User.findOne({
+                    email: ldapEmail
+                }).select("+publicKey");
+                
+                if (!user) {
+                    user = await new User({
+                        email: ldapEmail,
+                        authMethods: [AuthMethod.LDAP],
+                        firstName,
+                        lastName,
+                        organization
+                    }).save();
+                    
+                    await new MembershipOrg({
+                        user: user._id,
+                        organization: organization._id,
+                        role: MEMBER,
+                        status: ACCEPTED
+                    }).save();
+                }
+                
+                const isUserCompleted = !!user.publicKey;
+                const providerAuthToken = createToken({
+                    payload: {
+                    authTokenType: AuthTokenType.PROVIDER_TOKEN,
+                    userId: user._id.toString(),
+                    email: user.email,
+                    firstName,
+                    lastName,
+                    organizationName: organization?.name,
+                    organizationId: organization?._id,
+                    authMethod: AuthMethod.LDAP,
+                    isUserCompleted,
+                    ...(req.body.RelayState ? {
+                        callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
+                    } : {})
+                    },
+                    expiresIn: await getJwtProviderAuthLifetime(),
+                    secret: await getAuthSecret(),
+                });
+                
+                req.isUserCompleted = isUserCompleted;
+                req.providerAuthToken = providerAuthToken;
+                
+                return done(null, user);
+            } catch (err) {
+                return done(null, false);
+            }
+        }
+    ));
+}
--- a/backend/src/utils/authn/passport/saml.ts
+++ b/backend/src/utils/authn/passport/saml.ts
@ -75,7 +75,7 @@ export const initializeSamlStrategy = async () => {
          const organization = await Organization.findById(req.ssoConfig.organization);
          
          if (!organization) return done(OrganizationNotFoundError());
-    
+          
          const email = profile.email;
          const firstName = profile.firstName;
          const lastName = profile.lastName;
@ -154,6 +154,7 @@ export const initializeSamlStrategy = async () => {
              firstName,
              lastName,
              organizationName: organization?.name,
+              organizationId: organization?._id,
              authMethod: req.ssoConfig.authProvider,
              isUserCompleted,
              ...(req.body.RelayState ? {
--- a/backend/src/utils/posthog.ts
+++ b/backend/src/utils/posthog.ts
@ -7,8 +7,14 @@ export const getUserAgentType = function (userAgent: string | undefined) {
    return UserAgentType.CLI;
  } else if (userAgent == UserAgentType.K8_OPERATOR) {
    return UserAgentType.K8_OPERATOR;
+  } else if (userAgent == UserAgentType.TERRAFORM) {
+    return UserAgentType.TERRAFORM;
  } else if (userAgent.toLowerCase().includes("mozilla")) {
    return UserAgentType.WEB;
+  } else if (userAgent.includes(UserAgentType.NODE_SDK)) {
+    return UserAgentType.NODE_SDK;
+  } else if (userAgent.includes(UserAgentType.PYTHON_SDK)) {
+    return UserAgentType.PYTHON_SDK;
  } else {
    return UserAgentType.OTHER;
  }
--- a/backend/src/utils/setup/index.ts
+++ b/backend/src/utils/setup/index.ts
@ -30,6 +30,7 @@ import {
  initializeGitHubStrategy,
  initializeGitLabStrategy,
  initializeGoogleStrategy,
+  initializeLdapStrategy,
  initializeSamlStrategy
 } from "../authn/passport";
 import { logger } from "../logging";
@ -67,6 +68,7 @@ export const setup = async () => {
  await initializeGitHubStrategy();
  await initializeGitLabStrategy();
  await initializeSamlStrategy();
+  await initializeLdapStrategy();

  // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
  // to base64 256-bit ROOT_ENCRYPTION_KEY
--- a/backend/src/validation/auth.ts
+++ b/backend/src/validation/auth.ts
@ -108,16 +108,20 @@ export const AddUniversalAuthToIdentityV1 = z.object({
      })
      .array()
      .min(1)
-      .default([{ ipAddress: "0.0.0.0/0" }]),
+      .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
    accessTokenTrustedIps: z
      .object({
        ipAddress: z.string().trim(),
      })
      .array()
      .min(1)
-      .default([{ ipAddress: "0.0.0.0/0" }]),
-    accessTokenTTL: z.number().int().min(0).default(7200),
-    accessTokenMaxTTL: z.number().int().min(0).default(0),
+      .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+    accessTokenTTL: z.number().int().min(1).refine(value => value !== 0, {
+      message: "accessTokenTTL must have a non zero number",
+    }).default(2592000),
+    accessTokenMaxTTL: z.number().int().refine(value => value !== 0, {
+      message: "accessTokenMaxTTL must have a non zero number",
+    }).default(2592000), // 30 days
    accessTokenNumUsesLimit: z.number().int().min(0).default(0)
  })
 });
@ -143,7 +147,9 @@ export const UpdateUniversalAuthToIdentityV1 = z.object({
      .optional(),
    accessTokenTTL: z.number().int().min(0).optional(),
    accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-    accessTokenMaxTTL: z.number().int().min(0).default(0),
+    accessTokenMaxTTL: z.number().int().refine(value => value !== 0, {
+      message: "accessTokenMaxTTL must have a non zero number",
+    }).optional(),
  }),
 });

--- a/backend/src/validation/index.ts
+++ b/backend/src/validation/index.ts
@ -10,3 +10,4 @@ export * from "./secrets";
 export * from "./serviceTokenData";
 export * from "./identities";
 export * from "./apiKeyDataV3";
+export * from "./ldap";
--- a/backend/src/validation/integrationAuth.ts
+++ b/backend/src/validation/integrationAuth.ts
@ -192,6 +192,13 @@ export const GetIntegrationAuthNorthflankSecretGroupsV1 = z.object({
  })
 });

+export const DeleteIntegrationAuthsV1 = z.object({
+  query: z.object({
+    integration: z.string().trim(),
+    workspaceId: z.string().trim()
+  })
+});
+
 export const DeleteIntegrationAuthV1 = z.object({
  params: z.object({
    integrationAuthId: z.string().trim()
--- a/backend/src/validation/ldap.ts
+++ b/backend/src/validation/ldap.ts
@ -0,0 +1,29 @@
+import { z } from "zod";
+
+export const GetLdapConfigv1 = z.object({
+    query: z.object({ organizationId: z.string().trim() })
+});
+
+export const CreateLdapConfigv1 = z.object({
+    body: z.object({
+        organizationId: z.string().trim(),
+        isActive: z.boolean(),
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        searchBase: z.string().trim(),
+        caCert: z.string().trim().default("")
+    })
+});
+
+export const UpdateLdapConfigv1 = z.object({
+    body: z.object({
+        organizationId: z.string().trim(),
+        isActive: z.boolean().optional(),
+        url: z.string().trim().optional(),
+        bindDN: z.string().trim().optional(),
+        bindPass: z.string().trim().optional(),
+        searchBase: z.string().trim().optional(),
+        caCert: z.string().trim().optional()
+    })
+});
--- a/backend/src/validation/secrets.ts
+++ b/backend/src/validation/secrets.ts
@ -246,7 +246,15 @@ export const GetSecretByNameRawV3 = z.object({
    include_imports: z
      .enum(["true", "false"])
      .default("true")
-      .transform((value) => value === "true")
+      .transform((value) => value === "true"),
+    version: z
+      .string()
+      .trim()
+      .optional()
+      .transform((value) => value === undefined ? undefined : parseInt(value, 10))
+      .refine((value) => value === undefined || !isNaN(value), {
+        message: "Version must be a number",
+      })
  })
 });

@ -318,7 +326,15 @@ export const GetSecretByNameV3 = z.object({
    include_imports: z
      .enum(["true", "false"])
      .default("true")
-      .transform((value) => value === "true")
+      .transform((value) => value === "true"),
+    version: z
+      .string()
+      .trim()
+      .optional()
+      .transform((value) => value === undefined ? undefined : parseInt(value, 10))
+      .refine((value) => value === undefined || !isNaN(value), {
+        message: "Version must be a number",
+      })
  }),
  params: z.object({
    secretName: z.string().trim()
@ -429,6 +445,9 @@ export const UpdateSecretByNameBatchV3 = z.object({
        secretValueCiphertext: z.string().trim(),
        secretValueIV: z.string().trim(),
        secretValueTag: z.string().trim(),
+        secretKeyCiphertext: z.string().trim(),
+        secretKeyIV: z.string().trim(),
+        secretKeyTag: z.string().trim(),
        secretCommentCiphertext: z.string().trim().optional(),
        secretCommentIV: z.string().trim().optional(),
        secretCommentTag: z.string().trim().optional(),
--- a/backend/src/validation/serviceTokenData.ts
+++ b/backend/src/validation/serviceTokenData.ts
@ -158,7 +158,7 @@ export const CreateServiceTokenV2 = z.object({
    encryptedKey: z.string().trim(),
    iv: z.string().trim(),
    tag: z.string().trim(),
-    expiresIn: z.number(),
+    expiresIn: z.number().nullable().optional(),
    permissions: z.enum(["read", "write"]).array()
  })
 });
--- a/backend/swagger/index.ts
+++ b/backend/swagger/index.ts
@ -30,7 +30,7 @@ const generateOpenAPISpec = async () => {
        type: "http",
        scheme: "bearer",
        bearerFormat: "JWT",
-        description: "A service token in Infisical"
+        description: "An access token in Infisical"
      },
      apiKeyAuth: {
        type: "apiKey",
@ -52,6 +52,41 @@ const generateOpenAPISpec = async () => {
        updatedAt: "2023-01-13T14:16:12.210Z",
        createdAt: "2023-01-13T14:16:12.210Z"
      },
+      Identity: {
+        _id: "",
+        name: "Machine 1",
+        authMethod: "universal-auth"
+      },
+      IdentityUniversalAuth: {
+        _id: "",
+        identity: "",
+        clientId: "...",
+        clientSecretTrustedIps: [{
+          ipAddress: "0.0.0.0",
+          type: "ipv4",
+          prefix: "0"
+        }],
+        accessTokenTTL: 7200,
+        accessTokenMaxTTL: 2592000,
+        accessTokenNumUsesLimit: 0,
+        accessTokenTrustedIps: [{
+          ipAddress: "0.0.0.0",
+          type: "ipv4",
+          prefix: "0"
+        }]
+      },
+      IdentityUniversalAuthClientSecretData: {
+        _id: "",
+        identityUniversalAuth: "",
+        isClientSecretRevoked: false,
+        description: "",
+        clientSecretPrefix: "abc",
+        clientSecretNumUses: 0,
+        clientSecretNumUsesLimit: 0,
+        clientSecretTTL: 0,
+        createdAt: "2023-01-13T14:16:12.210Z",
+        updatedAt: "2023-01-13T14:16:12.210Z"
+      },
      Membership: {
        user: {
          _id: "",
@ -79,6 +114,25 @@ const generateOpenAPISpec = async () => {
        role: "owner",
        status: "accepted"
      },
+      IdentityMembership: {
+        identity: {
+          _id: "",
+          name: "Machine 1",
+          authMethod: "universal-auth"
+        },
+        workspace: "",
+        role: "member"
+      },
+      IdentityMembershipOrg: {
+        identity: {
+          _id: "",
+          name: "Machine 1",
+          authMethod: "universal-auth"
+        },
+        organization: "",
+        role: "member",
+        status: "accepted"
+      },
      Organization: {
        _id: "",
        name: "Acme Corp.",
--- a/cli/agent-config.yaml
+++ b/cli/agent-config.yaml
@ -0,0 +1,15 @@
+infisical:
+  address: "http://localhost:8080"
+auth:
+  type: "universal-auth"
+  config:
+    client-id: "./client-id"
+    client-secret: "./client-secret"
+    remove_client_secret_on_read: false
+sinks:
+  - type: "file"
+    config:
+      path: "access-token"
+templates:
+  - source-path: my-dot-ev-secret-template
+    destination-path: my-dot-env.env
--- a/cli/docker/Dockerfile
+++ b/cli/docker/Dockerfile
@ -1,4 +0,0 @@
-FROM alpine
-RUN apk add --no-cache tini
-COPY infisical /bin/infisical
-ENTRYPOINT ["/sbin/tini", "--", "/bin/infisical"]
--- a/cli/docker/alpine
+++ b/cli/docker/alpine
@ -0,0 +1,9 @@
+FROM alpine
+RUN apk add --no-cache tini
+
+## Upgrade OpenSSL libraries to mitigate known vulnerabilities as the current Alpine image has not been patched yet.
+RUN apk update && apk upgrade --no-cache libcrypto3 libssl3
+
+
+COPY infisical /bin/infisical
+ENTRYPOINT ["/sbin/tini", "--", "/bin/infisical"]
--- a/cli/example-agent-config.yaml
+++ b/cli/example-agent-config.yaml
@ -1,17 +0,0 @@
-infisical:
-  address: "http://localhost:8080"
-auth:
-  type: "token"
-  config:
-    token-path: "./role-id"
-sinks:
-  - type: "file"
-    config:
-      path: "/Users/maidulislam/Desktop/test/infisical-token"
-  - type: "file"
-    config:
-      path: "access-token"
-  - type: "file"
-    config:
-      path: "maiduls-access-token"
-templates:
--- a/cli/go.mod
+++ b/cli/go.mod
@ -21,8 +21,9 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.8.1
-	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
-	golang.org/x/term v0.11.0
+	golang.org/x/crypto v0.14.0
+	golang.org/x/term v0.13.0
+	gopkg.in/yaml.v2 v2.4.0
 )

 require (
@ -56,18 +57,17 @@ require (
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 require (
 	github.com/fatih/color v1.13.0
-	github.com/go-resty/resty/v2 v2.7.0
+	github.com/go-resty/resty/v2 v2.10.0
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jedib0t/go-pretty v4.3.0+incompatible
 	github.com/manifoldco/promptui v0.9.0
--- a/cli/go.sum
+++ b/cli/go.sum
@ -105,8 +105,8 @@ github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02E
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
-github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
+github.com/go-resty/resty/v2 v2.10.0 h1:Qla4W/+TMmv0fOeeRqzEpXPLfTUnR5HZ1+lGs+CkiCo=
+github.com/go-resty/resty/v2 v2.10.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@ -354,6 +354,7 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
@ -376,9 +377,11 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -414,6 +417,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -451,10 +456,12 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -477,8 +484,10 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -528,11 +537,18 @@ golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -542,11 +558,15 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@ -599,6 +619,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/cli/packages/api/api.go
+++ b/cli/packages/api/api.go
@ -425,24 +425,44 @@ func CallCreateServiceToken(httpClient *resty.Client, request CreateServiceToken
 	return createServiceTokenResponse, nil
 }

-func CallServiceTokenV3Refresh(httpClient *resty.Client, request ServiceTokenV3RefreshTokenRequest) (ServiceTokenV3RefreshTokenResponse, error) {
-	var serviceTokenV3RefreshTokenResponse ServiceTokenV3RefreshTokenResponse
+func CallUniversalAuthLogin(httpClient *resty.Client, request UniversalAuthLoginRequest) (UniversalAuthLoginResponse, error) {
+	var universalAuthLoginResponse UniversalAuthLoginResponse
 	response, err := httpClient.
 		R().
-		SetResult(&serviceTokenV3RefreshTokenResponse).
+		SetResult(&universalAuthLoginResponse).
 		SetHeader("User-Agent", USER_AGENT).
 		SetBody(request).
-		Post(fmt.Sprintf("%v/v3/service-token/me/token", config.INFISICAL_URL))
+		Post(fmt.Sprintf("%v/v1/auth/universal-auth/login/", config.INFISICAL_URL))

 	if err != nil {
-		return ServiceTokenV3RefreshTokenResponse{}, fmt.Errorf("CallServiceTokenV3Refresh: Unable to complete api request [err=%s]", err)
+		return UniversalAuthLoginResponse{}, fmt.Errorf("CallUniversalAuthLogin: Unable to complete api request [err=%s]", err)
 	}

 	if response.IsError() {
-		return ServiceTokenV3RefreshTokenResponse{}, fmt.Errorf("CallServiceTokenV3Refresh: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+		return UniversalAuthLoginResponse{}, fmt.Errorf("CallUniversalAuthLogin: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
 	}

-	return serviceTokenV3RefreshTokenResponse, nil
+	return universalAuthLoginResponse, nil
+}
+
+func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request UniversalAuthRefreshRequest) (UniversalAuthRefreshResponse, error) {
+	var universalAuthRefreshResponse UniversalAuthRefreshResponse
+	response, err := httpClient.
+		R().
+		SetResult(&universalAuthRefreshResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v1/auth/token/renew", config.INFISICAL_URL))
+
+	if err != nil {
+		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallUniversalAuthRefreshAccessToken: Unable to complete api request [err=%s]", err)
+	}
+
+	if response.IsError() {
+		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallUniversalAuthRefreshAccessToken: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+	}
+
+	return universalAuthRefreshResponse, nil
 }

 func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Request) (GetRawSecretsV3Response, error) {
@ -454,6 +474,7 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 		SetBody(request).
 		SetQueryParam("workspaceId", request.WorkspaceId).
 		SetQueryParam("environment", request.Environment).
+		SetQueryParam("secretPath", request.SecretPath).
 		SetQueryParam("include_imports", "false").
 		Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))

@ -461,12 +482,12 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 		return GetRawSecretsV3Response{}, fmt.Errorf("CallGetRawSecretsV3: Unable to complete api request [err=%w]", err)
 	}

-	if response.IsError() && strings.Contains(response.String(), "Failed to find bot key") {
+	if response.IsError() && strings.Contains(response.String(), "bot_not_found_error") {
 		return GetRawSecretsV3Response{}, fmt.Errorf("project with id %s is a legacy project type, please navigate to project settings and disable end to end encryption then try again", request.WorkspaceId)
 	}

 	if response.IsError() {
-		return GetRawSecretsV3Response{}, fmt.Errorf("CallGetRawSecretsV3: Unsuccessful response [%v %v] [status-code=%v]", response.Request.Method, response.Request.URL, response.StatusCode())
+		return GetRawSecretsV3Response{}, fmt.Errorf("CallGetRawSecretsV3: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
 	}

 	return getRawSecretsV3Response, nil
--- a/cli/packages/api/model.go
+++ b/cli/packages/api/model.go
@ -463,14 +463,27 @@ type CreateServiceTokenResponse struct {
 	ServiceTokenData ServiceTokenData `json:"serviceTokenData"`
 }

-type ServiceTokenV3RefreshTokenRequest struct {
-	RefreshToken string `json:"refresh_token"`
+type UniversalAuthLoginRequest struct {
+	ClientSecret string `json:"clientSecret"`
+	ClientId     string `json:"clientId"`
 }
-type ServiceTokenV3RefreshTokenResponse struct {
-	RefreshToken string `json:"refresh_token"`
-	AccessToken  string `json:"access_token"`
-	ExpiresIn    int    `json:"expires_in"`
-	TokenType    string `json:"token_type"`
+
+type UniversalAuthLoginResponse struct {
+	AccessToken       string `json:"accessToken"`
+	AccessTokenTTL    int    `json:"expiresIn"`
+	TokenType         string `json:"tokenType"`
+	AccessTokenMaxTTL int    `json:"accessTokenMaxTTL"`
+}
+
+type UniversalAuthRefreshRequest struct {
+	AccessToken string `json:"accessToken"`
+}
+
+type UniversalAuthRefreshResponse struct {
+	AccessToken       string `json:"accessToken"`
+	AccessTokenTTL    int    `json:"expiresIn"`
+	TokenType         string `json:"tokenType"`
+	AccessTokenMaxTTL int    `json:"accessTokenMaxTTL"`
 }

 type GetRawSecretsV3Request struct {
--- a/cli/packages/cmd/agent.go
+++ b/cli/packages/cmd/agent.go
@ -5,12 +5,14 @@ package cmd

 import (
 	"bytes"
-	"errors"
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"os/signal"
+	"path"
 	"strings"
+	"sync"
 	"syscall"
 	"text/template"
 	"time"
@ -36,7 +38,8 @@ type Config struct {
 }

 type InfisicalConfig struct {
-	Address string `yaml:"address"`
+	Address       string `yaml:"address"`
+	ExitAfterAuth bool   `yaml:"exit-after-auth"`
 }

 type AuthConfig struct {
@ -44,8 +47,10 @@ type AuthConfig struct {
 	Config interface{} `yaml:"config"`
 }

-type TokenAuthConfig struct {
-	TokenPath string `yaml:"token-path"`
+type UniversalAuth struct {
+	ClientIDPath             string `yaml:"client-id"`
+	ClientSecretPath         string `yaml:"client-secret"`
+	RemoveClientSecretOnRead bool   `yaml:"remove_client_secret_on_read"`
 }

 type OAuthConfig struct {
@ -63,8 +68,9 @@ type SinkDetails struct {
 }

 type Template struct {
-	SourcePath      string `yaml:"source-path"`
-	DestinationPath string `yaml:"destination-path"`
+	SourcePath            string `yaml:"source-path"`
+	Base64TemplateContent string `yaml:"base64-template-content"`
+	DestinationPath       string `yaml:"destination-path"`
 }

 func ReadFile(filePath string) ([]byte, error) {
@ -104,12 +110,7 @@ func appendAPIEndpoint(address string) string {
 	return address + "/api"
 }

-func ParseAgentConfig(filePath string) (*Config, error) {
-	data, err := ioutil.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-
+func ParseAgentConfig(configFile []byte) (*Config, error) {
 	var rawConfig struct {
 		Infisical InfisicalConfig `yaml:"infisical"`
 		Auth      struct {
@ -120,7 +121,7 @@ func ParseAgentConfig(filePath string) (*Config, error) {
 		Templates []Template `yaml:"templates"`
 	}

-	if err := yaml.Unmarshal(data, &rawConfig); err != nil {
+	if err := yaml.Unmarshal(configFile, &rawConfig); err != nil {
 		return nil, err
 	}

@ -149,11 +150,12 @@ func ParseAgentConfig(filePath string) (*Config, error) {
 	}

 	switch rawConfig.Auth.Type {
-	case "token":
-		var tokenConfig TokenAuthConfig
+	case "universal-auth":
+		var tokenConfig UniversalAuth
 		if err := yaml.Unmarshal(configBytes, &tokenConfig); err != nil {
 			return nil, err
 		}
+
 		config.Auth.Config = tokenConfig
 	case "oauth": // aws, gcp, k8s service account, etc
 		var oauthConfig OAuthConfig
@ -186,7 +188,9 @@ func ProcessTemplate(templatePath string, data interface{}, accessToken string)
 		"secret": secretFunction,
 	}

-	tmpl, err := template.New(templatePath).Funcs(funcs).ParseFiles(templatePath)
+	templateName := path.Base(templatePath)
+
+	tmpl, err := template.New(templateName).Funcs(funcs).ParseFiles(templatePath)
 	if err != nil {
 		return nil, err
 	}
@ -199,59 +203,278 @@ func ProcessTemplate(templatePath string, data interface{}, accessToken string)
 	return &buf, nil
 }

-func refreshTokenAndProcessTemplate(refreshToken string, config *Config, errChan chan error) {
-	for {
-		httpClient := resty.New()
-		httpClient.SetRetryCount(10000).
-			SetRetryMaxWaitTime(20 * time.Second).
-			SetRetryWaitTime(5 * time.Second)
-
-		tokenResponse, err := api.CallServiceTokenV3Refresh(httpClient, api.ServiceTokenV3RefreshTokenRequest{RefreshToken: refreshToken})
-		if err != nil {
-			errChan <- fmt.Errorf("unable to complete renewal because [%s]", err)
-		}
-
-		for _, sinkFile := range config.Sinks {
-			if sinkFile.Type == "file" {
-				err = ioutil.WriteFile(sinkFile.Config.Path, []byte(tokenResponse.AccessToken), 0644)
-				if err != nil {
-					errChan <- err
-					return
-				}
-			} else {
-				errChan <- errors.New("unsupported sink type. Only 'file' type is supported")
-				return
-			}
-		}
-
-		refreshToken = tokenResponse.RefreshToken
-		nextRefreshCycle := time.Duration(tokenResponse.ExpiresIn-5) * time.Second // when the next access refresh will happen
-
-		d, err := time.ParseDuration(nextRefreshCycle.String())
-		if err != nil {
-			errChan <- fmt.Errorf("unable to parse refresh time because %s", err)
-			return
-		}
-
-		log.Info().Msgf("token refreshed and saved to selected path; next cycle will occur in %s", d.String())
-
-		for _, secretTemplate := range config.Templates {
-			processedTemplate, err := ProcessTemplate(secretTemplate.SourcePath, nil, tokenResponse.AccessToken)
-			if err != nil {
-				errChan <- err
-				return
-			}
-
-			if err := WriteBytesToFile(processedTemplate, secretTemplate.DestinationPath); err != nil {
-				errChan <- err
-				return
-			}
-
-			log.Info().Msgf("secret template at path %s has been rendered and saved to path %s", secretTemplate.SourcePath, secretTemplate.DestinationPath)
-		}
-
-		time.Sleep(nextRefreshCycle)
+func ProcessBase64Template(encodedTemplate string, data interface{}, accessToken string) (*bytes.Buffer, error) {
+	// custom template function to fetch secrets from Infisical
+	decoded, err := base64.StdEncoding.DecodeString(encodedTemplate)
+	if err != nil {
+		return nil, err
 	}
+
+	templateString := string(decoded)
+
+	secretFunction := secretTemplateFunction(accessToken)
+	funcs := template.FuncMap{
+		"secret": secretFunction,
+	}
+
+	templateName := "base64Template"
+
+	tmpl, err := template.New(templateName).Funcs(funcs).Parse(templateString)
+	if err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, data); err != nil {
+		return nil, err
+	}
+
+	return &buf, nil
+}
+
+type TokenManager struct {
+	accessToken                    string
+	accessTokenTTL                 time.Duration
+	accessTokenMaxTTL              time.Duration
+	accessTokenFetchedTime         time.Time
+	accessTokenRefreshedTime       time.Time
+	mutex                          sync.Mutex
+	filePaths                      []Sink // Store file paths if needed
+	templates                      []Template
+	clientIdPath                   string
+	clientSecretPath               string
+	newAccessTokenNotificationChan chan bool
+	removeClientSecretOnRead       bool
+	cachedClientSecret             string
+	exitAfterAuth                  bool
+}
+
+func NewTokenManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *TokenManager {
+	return &TokenManager{filePaths: fileDeposits, templates: templates, clientIdPath: clientIdPath, clientSecretPath: clientSecretPath, newAccessTokenNotificationChan: newAccessTokenNotificationChan, removeClientSecretOnRead: removeClientSecretOnRead, exitAfterAuth: exitAfterAuth}
+}
+
+func (tm *TokenManager) SetToken(token string, accessTokenTTL time.Duration, accessTokenMaxTTL time.Duration) {
+	tm.mutex.Lock()
+	defer tm.mutex.Unlock()
+
+	tm.accessToken = token
+	tm.accessTokenTTL = accessTokenTTL
+	tm.accessTokenMaxTTL = accessTokenMaxTTL
+
+	tm.newAccessTokenNotificationChan <- true
+}
+
+func (tm *TokenManager) GetToken() string {
+	tm.mutex.Lock()
+	defer tm.mutex.Unlock()
+
+	return tm.accessToken
+}
+
+// Fetches a new access token using client credentials
+func (tm *TokenManager) FetchNewAccessToken() error {
+	clientID := os.Getenv("INFISICAL_UNIVERSAL_AUTH_CLIENT_ID")
+	if clientID == "" {
+		clientIDAsByte, err := ReadFile(tm.clientIdPath)
+		if err != nil {
+			return fmt.Errorf("unable to read client id from file path '%s' due to error: %v", tm.clientIdPath, err)
+		}
+		clientID = string(clientIDAsByte)
+	}
+
+	clientSecret := os.Getenv("INFISICAL_UNIVERSAL_CLIENT_SECRET")
+	if clientSecret == "" {
+		clientSecretAsByte, err := ReadFile(tm.clientSecretPath)
+		if err != nil {
+			if len(tm.cachedClientSecret) == 0 {
+				return fmt.Errorf("unable to read client secret from file and no cached client secret found: %v", err)
+			} else {
+				clientSecretAsByte = []byte(tm.cachedClientSecret)
+			}
+		}
+		clientSecret = string(clientSecretAsByte)
+	}
+
+	// remove client secret after first read
+	if tm.removeClientSecretOnRead {
+		os.Remove(tm.clientSecretPath)
+	}
+
+	// save as cache in memory
+	tm.cachedClientSecret = clientSecret
+
+	err, loginResponse := universalAuthLogin(clientID, clientSecret)
+	if err != nil {
+		return err
+	}
+
+	accessTokenTTL := time.Duration(loginResponse.AccessTokenTTL * int(time.Second))
+	accessTokenMaxTTL := time.Duration(loginResponse.AccessTokenMaxTTL * int(time.Second))
+
+	if accessTokenTTL <= time.Duration(5)*time.Second {
+		util.PrintErrorMessageAndExit("At this this, agent does not support refresh of tokens with 5 seconds or less ttl. Please increase access token ttl and try again")
+	}
+
+	tm.accessTokenFetchedTime = time.Now()
+	tm.SetToken(loginResponse.AccessToken, accessTokenTTL, accessTokenMaxTTL)
+
+	return nil
+}
+
+// Refreshes the existing access token
+func (tm *TokenManager) RefreshAccessToken() error {
+	httpClient := resty.New()
+	httpClient.SetRetryCount(10000).
+		SetRetryMaxWaitTime(20 * time.Second).
+		SetRetryWaitTime(5 * time.Second)
+
+	accessToken := tm.GetToken()
+	response, err := api.CallUniversalAuthRefreshAccessToken(httpClient, api.UniversalAuthRefreshRequest{AccessToken: accessToken})
+	if err != nil {
+		return err
+	}
+
+	accessTokenTTL := time.Duration(response.AccessTokenTTL * int(time.Second))
+	accessTokenMaxTTL := time.Duration(response.AccessTokenMaxTTL * int(time.Second))
+	tm.accessTokenRefreshedTime = time.Now()
+
+	tm.SetToken(response.AccessToken, accessTokenTTL, accessTokenMaxTTL)
+
+	return nil
+}
+
+func (tm *TokenManager) ManageTokenLifecycle() {
+	for {
+		accessTokenMaxTTLExpiresInTime := tm.accessTokenFetchedTime.Add(tm.accessTokenMaxTTL - (5 * time.Second))
+		accessTokenRefreshedTime := tm.accessTokenRefreshedTime
+
+		if accessTokenRefreshedTime.IsZero() {
+			accessTokenRefreshedTime = tm.accessTokenFetchedTime
+		}
+
+		nextAccessTokenExpiresInTime := accessTokenRefreshedTime.Add(tm.accessTokenTTL - (5 * time.Second))
+
+		if tm.accessTokenFetchedTime.IsZero() && tm.accessTokenRefreshedTime.IsZero() {
+			// case: init login to get access token
+			log.Info().Msg("attempting to authenticate...")
+			err := tm.FetchNewAccessToken()
+			if err != nil {
+				log.Error().Msgf("unable to authenticate because %v. Will retry in 30 seconds", err)
+
+				// wait a bit before trying again
+				time.Sleep((30 * time.Second))
+				continue
+			}
+		} else if time.Now().After(accessTokenMaxTTLExpiresInTime) {
+			log.Info().Msgf("token has reached max ttl, attempting to re authenticate...")
+			err := tm.FetchNewAccessToken()
+			if err != nil {
+				log.Error().Msgf("unable to authenticate because %v. Will retry in 30 seconds", err)
+
+				// wait a bit before trying again
+				time.Sleep((30 * time.Second))
+				continue
+			}
+		} else {
+			log.Info().Msgf("attempting to refresh existing token...")
+			err := tm.RefreshAccessToken()
+			if err != nil {
+				log.Error().Msgf("unable to refresh token because %v. Will retry in 30 seconds", err)
+
+				// wait a bit before trying again
+				time.Sleep((30 * time.Second))
+				continue
+			}
+		}
+
+		if tm.exitAfterAuth {
+			time.Sleep(25 * time.Second)
+			os.Exit(0)
+		}
+
+		if accessTokenRefreshedTime.IsZero() {
+			accessTokenRefreshedTime = tm.accessTokenFetchedTime
+		} else {
+			accessTokenRefreshedTime = tm.accessTokenRefreshedTime
+		}
+
+		nextAccessTokenExpiresInTime = accessTokenRefreshedTime.Add(tm.accessTokenTTL - (5 * time.Second))
+		accessTokenMaxTTLExpiresInTime = tm.accessTokenFetchedTime.Add(tm.accessTokenMaxTTL - (5 * time.Second))
+
+		if nextAccessTokenExpiresInTime.After(accessTokenMaxTTLExpiresInTime) {
+			// case: Refreshed so close that the next refresh would occur beyond max ttl (this is because currently, token renew tries to add +access-token-ttl amount of time)
+			// example: access token ttl is 11 sec and max ttl is 30 sec. So it will start with 11 seconds, then 22 seconds but the next time you call refresh it would try to extend it to 33 but max ttl only allows 30, so the token will be valid until 30 before we need to reauth
+			time.Sleep(tm.accessTokenTTL - nextAccessTokenExpiresInTime.Sub(accessTokenMaxTTLExpiresInTime))
+		} else {
+			time.Sleep(tm.accessTokenTTL - (5 * time.Second))
+		}
+	}
+}
+
+func (tm *TokenManager) WriteTokenToFiles() {
+	token := tm.GetToken()
+	for _, sinkFile := range tm.filePaths {
+		if sinkFile.Type == "file" {
+			err := ioutil.WriteFile(sinkFile.Config.Path, []byte(token), 0644)
+			if err != nil {
+				log.Error().Msgf("unable to write file sink to path '%s' because %v", sinkFile.Config.Path, err)
+			}
+
+			log.Info().Msgf("new access token saved to file at path '%s'", sinkFile.Config.Path)
+
+		} else {
+			log.Error().Msg("unsupported sink type. Only 'file' type is supported")
+		}
+	}
+}
+
+func (tm *TokenManager) FetchSecrets() {
+	log.Info().Msgf("template engine started...")
+	for {
+		token := tm.GetToken()
+		if token != "" {
+			for _, secretTemplate := range tm.templates {
+				var processedTemplate *bytes.Buffer
+				var err error
+				if secretTemplate.SourcePath != "" {
+					processedTemplate, err = ProcessTemplate(secretTemplate.SourcePath, nil, token)
+				} else {
+					processedTemplate, err = ProcessBase64Template(secretTemplate.Base64TemplateContent, nil, token)
+				}
+
+				if err != nil {
+					log.Error().Msgf("template engine: unable to render secrets because %s. Will try again on next cycle", err)
+
+					continue
+				}
+
+				if err := WriteBytesToFile(processedTemplate, secretTemplate.DestinationPath); err != nil {
+					log.Error().Msgf("template engine: unable to write secrets to path because %s. Will try again on next cycle", err)
+
+					continue
+				}
+
+				log.Info().Msgf("template engine: secret template at path %s has been rendered and saved to path %s", secretTemplate.SourcePath, secretTemplate.DestinationPath)
+			}
+
+			// fetch new secrets every 5 minutes (TODO: add PubSub in the future )
+			time.Sleep(5 * time.Minute)
+		}
+	}
+}
+
+func universalAuthLogin(clientId string, clientSecret string) (error, api.UniversalAuthLoginResponse) {
+	httpClient := resty.New()
+	httpClient.SetRetryCount(10000).
+		SetRetryMaxWaitTime(20 * time.Second).
+		SetRetryWaitTime(5 * time.Second)
+
+	tokenResponse, err := api.CallUniversalAuthLogin(httpClient, api.UniversalAuthLoginRequest{ClientId: clientId, ClientSecret: clientSecret})
+	if err != nil {
+		return err, api.UniversalAuthLoginResponse{}
+	}
+
+	return nil, tokenResponse
 }

 // runCmd represents the run command
@ -260,7 +483,7 @@ var agentCmd = &cobra.Command{
 	infisical agent
 	`,
 	Use:                   "agent",
-	Short:                 "Used to launch a client daemon that streamlines authentication and secret retrieval processes in some environments",
+	Short:                 "Used to launch a client daemon that streamlines authentication and secret retrieval processes in various environments",
 	DisableFlagsInUseLine: true,
 	Run: func(cmd *cobra.Command, args []string) {

@ -271,47 +494,67 @@ var agentCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag config")
 		}

-		if !FileExists(configPath) {
-			log.Error().Msgf("Unable to locate %s. The provided agent config file path is either missing or incorrect", configPath)
+		var agentConfigInBytes []byte
+
+		agentConfigInBase64 := os.Getenv("INFISICAL_AGENT_CONFIG_BASE64")
+
+		if agentConfigInBase64 == "" {
+			data, err := ioutil.ReadFile(configPath)
+			if err != nil {
+				if !FileExists(configPath) {
+					log.Error().Msgf("Unable to locate %s. The provided agent config file path is either missing or incorrect", configPath)
+					return
+				}
+			}
+			agentConfigInBytes = data
+		}
+
+		if agentConfigInBase64 != "" {
+			decodedAgentConfig, err := base64.StdEncoding.DecodeString(agentConfigInBase64)
+			if err != nil {
+				log.Error().Msgf("Unable to decode base64 config file because %v", err)
+				return
+			}
+
+			agentConfigInBytes = decodedAgentConfig
+		}
+
+		if !FileExists(configPath) && agentConfigInBase64 == "" {
+			log.Error().Msgf("No agent config file provided. Please provide a agent config file", configPath)
 			return
 		}

-		agentConfig, err := ParseAgentConfig(configPath)
+		agentConfig, err := ParseAgentConfig(agentConfigInBytes)
 		if err != nil {
 			log.Error().Msgf("Unable to prase %s because %v. Please ensure that is follows the Infisical Agent config structure", configPath, err)
 			return
 		}

-		errChan := make(chan error)
-		sigChan := make(chan os.Signal, 1)
-
-		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
-
-		switch configAuthType := agentConfig.Auth.Config.(type) {
-		case TokenAuthConfig:
-			content, err := ReadFile(configAuthType.TokenPath)
-			if err != nil {
-				log.Error().Msgf("unable to read initial token from file path %s because %v", configAuthType.TokenPath, err)
-				return
-			}
-
-			refreshToken := string(content)
-			go refreshTokenAndProcessTemplate(refreshToken, agentConfig, errChan)
-
-		case OAuthConfig:
-			// future auth types
-		default:
-			log.Error().Msgf("unknown auth config type. Only 'file' type is supported")
-			return
+		if agentConfig.Auth.Type != "universal-auth" {
+			util.PrintErrorMessageAndExit("Only auth type of 'universal-auth' is supported at this time")
 		}

-		select {
-		case err := <-errChan:
-			log.Fatal().Msgf("agent stopped due to error: %v", err)
-			os.Exit(1)
-		case <-sigChan:
-			log.Info().Msg("agent is gracefully shutting...")
-			os.Exit(1)
+		configUniversalAuthType := agentConfig.Auth.Config.(UniversalAuth)
+
+		tokenRefreshNotifier := make(chan bool)
+		sigChan := make(chan os.Signal, 1)
+		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+
+		filePaths := agentConfig.Sinks
+		tm := NewTokenManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
+
+		go tm.ManageTokenLifecycle()
+		go tm.FetchSecrets()
+
+		for {
+			select {
+			case <-tokenRefreshNotifier:
+				go tm.WriteTokenToFiles()
+			case <-sigChan:
+				log.Info().Msg("agent is gracefully shutting...")
+				// TODO: check if we are in the middle of writing files to disk
+				os.Exit(1)
+			}
 		}

 	},
--- a/cli/packages/cmd/export.go
+++ b/cli/packages/cmd/export.go
@ -11,7 +11,6 @@ import (

 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/posthog/posthog-go"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
@ -75,7 +74,7 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, WorkspaceId: projectId, SecretsPath: secretsPath})
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, WorkspaceId: projectId, SecretsPath: secretsPath}, "")
 		if err != nil {
 			util.HandleError(err, "Unable to fetch secrets")
 		}
@ -88,7 +87,7 @@ var exportCmd = &cobra.Command{

 		var output string
 		if shouldExpandSecrets {
-			substitutions := util.ExpandSecrets(secrets, infisicalToken)
+			substitutions := util.ExpandSecrets(secrets, infisicalToken, "")
 			output, err = formatEnvs(substitutions, format)
 			if err != nil {
 				util.HandleError(err)
@ -102,7 +101,7 @@ var exportCmd = &cobra.Command{

 		fmt.Print(output)

-		Telemetry.CaptureEvent("cli-command:export", posthog.NewProperties().Set("secretsCount", len(secrets)).Set("version", util.CLI_VERSION))
+		// Telemetry.CaptureEvent("cli-command:export", posthog.NewProperties().Set("secretsCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},
 }

--- a/cli/packages/cmd/run.go
+++ b/cli/packages/cmd/run.go
@ -67,6 +67,11 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

+		projectConfigDir, err := cmd.Flags().GetString("project-config-dir")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@ -92,7 +97,7 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports})
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports}, projectConfigDir)

 		if err != nil {
 			util.HandleError(err, "Could not fetch secrets", "If you are using a service token to fetch secrets, please ensure it is valid")
@ -105,7 +110,7 @@ var runCmd = &cobra.Command{
 		}

 		if shouldExpandSecrets {
-			secrets = util.ExpandSecrets(secrets, infisicalToken)
+			secrets = util.ExpandSecrets(secrets, infisicalToken, projectConfigDir)
 		}

 		secretsByKey := getSecretsByKeys(secrets)
@ -198,13 +203,15 @@ func init() {
 	runCmd.Flags().StringP("command", "c", "", "chained commands to execute (e.g. \"npm install && npm run dev; echo ...\")")
 	runCmd.Flags().StringP("tags", "t", "", "filter secrets by tag slugs ")
 	runCmd.Flags().String("path", "/", "get secrets within a folder path")
+	runCmd.Flags().String("project-config-dir", "", "explicitly set the directory where the .infisical.json resides")
 }

 // Will execute a single command and pass in the given secrets into the process
 func executeSingleCommandWithEnvs(args []string, secretsCount int, env []string) error {
 	command := args[0]
 	argsForCommand := args[1:]
-	color.Green("Injecting %v Infisical secrets into your application process", secretsCount)
+
+	log.Info().Msgf(color.GreenString("Injecting %v Infisical secrets into your application process", secretsCount))

 	cmd := exec.Command(command, argsForCommand...)
 	cmd.Stdin = os.Stdin
@ -232,7 +239,7 @@ func executeMultipleCommandWithEnvs(fullCommand string, secretsCount int, env []
 	cmd.Stderr = os.Stderr
 	cmd.Env = env

-	color.Green("Injecting %v Infisical secrets into your application process", secretsCount)
+	log.Info().Msgf(color.GreenString("Injecting %v Infisical secrets into your application process", secretsCount))
 	log.Debug().Msgf("executing command: %s %s %s \n", shell[0], shell[1], fullCommand)

 	return execCmd(cmd)
--- a/cli/packages/cmd/secrets.go
+++ b/cli/packages/cmd/secrets.go
@ -68,7 +68,7 @@ var secretsCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports})
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports}, "")
 		if err != nil {
 			util.HandleError(err)
 		}
@ -80,7 +80,7 @@ var secretsCmd = &cobra.Command{
 		}

 		if shouldExpandSecrets {
-			secrets = util.ExpandSecrets(secrets, infisicalToken)
+			secrets = util.ExpandSecrets(secrets, infisicalToken, "")
 		}

 		visualize.PrintAllSecretDetails(secrets)
@ -169,7 +169,7 @@ var secretsSetCmd = &cobra.Command{
 		plainTextEncryptionKey := crypto.DecryptAsymmetric(encryptedWorkspaceKey, encryptedWorkspaceKeyNonce, encryptedWorkspaceKeySenderPublicKey, currentUsersPrivateKey)

 		// pull current secrets
-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, SecretsPath: secretsPath})
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, SecretsPath: secretsPath}, "")
 		if err != nil {
 			util.HandleError(err, "unable to retrieve secrets")
 		}
@ -406,7 +406,7 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse path flag")
 	}

-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath})
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@ -455,7 +455,7 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}

-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath})
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
--- a/cli/packages/util/check-for-update.go
+++ b/cli/packages/util/check-for-update.go
@ -11,7 +11,6 @@ import (
 	"os/exec"
 	"runtime"
 	"strings"
-	"time"

 	"github.com/fatih/color"
 	"github.com/rs/zerolog/log"
@ -21,16 +20,16 @@ func CheckForUpdate() {
 	if checkEnv := os.Getenv("INFISICAL_DISABLE_UPDATE_CHECK"); checkEnv != "" {
 		return
 	}
-	latestVersion, publishedDate, err := getLatestTag("Infisical", "infisical")
+	latestVersion, _, err := getLatestTag("Infisical", "infisical")
 	if err != nil {
 		log.Debug().Err(err)
 		// do nothing and continue
 		return
 	}

-	daysSinceRelease, _ := daysSinceDate(publishedDate)
+	// daysSinceRelease, _ := daysSinceDate(publishedDate)

-	if latestVersion != CLI_VERSION && daysSinceRelease > 2 {
+	if latestVersion != CLI_VERSION {
 		yellow := color.New(color.FgYellow).SprintFunc()
 		blue := color.New(color.FgCyan).SprintFunc()
 		black := color.New(color.FgBlack).SprintFunc()
@ -151,15 +150,15 @@ func IsRunningInDocker() bool {
 	return strings.Contains(string(cgroup), "docker")
 }

-func daysSinceDate(dateString string) (int, error) {
-	layout := "2006-01-02T15:04:05Z"
-	parsedDate, err := time.Parse(layout, dateString)
-	if err != nil {
-		return 0, err
-	}
+// func daysSinceDate(dateString string) (int, error) {
+// 	layout := "2006-01-02T15:04:05Z"
+// 	parsedDate, err := time.Parse(layout, dateString)
+// 	if err != nil {
+// 		return 0, err
+// 	}

-	currentTime := time.Now()
-	difference := currentTime.Sub(parsedDate)
-	days := int(difference.Hours() / 24)
-	return days, nil
-}
+// 	currentTime := time.Now()
+// 	difference := currentTime.Sub(parsedDate)
+// 	days := int(difference.Hours() / 24)
+// 	return days, nil
+// }
--- a/cli/packages/util/config.go
+++ b/cli/packages/util/config.go
@ -113,6 +113,28 @@ func GetWorkSpaceFromFile() (models.WorkspaceConfigFile, error) {
 	return workspaceConfigFile, nil
 }

+func GetWorkSpaceFromFilePath(configFileDir string) (models.WorkspaceConfigFile, error) {
+	configFilePath := filepath.Join(configFileDir, ".infisical.json")
+
+	_, configFileStatusError := os.Stat(configFilePath)
+	if os.IsNotExist(configFileStatusError) {
+		return models.WorkspaceConfigFile{}, fmt.Errorf("file %s does not exist", configFilePath)
+	}
+
+	configFileAsBytes, err := os.ReadFile(configFilePath)
+	if err != nil {
+		return models.WorkspaceConfigFile{}, err
+	}
+
+	var workspaceConfigFile models.WorkspaceConfigFile
+	err = json.Unmarshal(configFileAsBytes, &workspaceConfigFile)
+	if err != nil {
+		return models.WorkspaceConfigFile{}, err
+	}
+
+	return workspaceConfigFile, nil
+}
+
 // FindWorkspaceConfigFile searches for a .infisical.json file in the current directory and all parent directories.
 func FindWorkspaceConfigFile() (string, error) {
 	dir, err := os.Getwd()
--- a/cli/packages/util/helper.go
+++ b/cli/packages/util/helper.go
@ -105,6 +105,17 @@ func RequireLocalWorkspaceFile() {
 	}
 }

+func ValidateWorkspaceFile(projectConfigFilePath string) {
+	workspaceFilePath, err := GetWorkSpaceFromFilePath(projectConfigFilePath)
+	if err != nil {
+		PrintErrorMessageAndExit(fmt.Sprintf("error reading your project config %v", err))
+	}
+
+	if workspaceFilePath.WorkspaceId == "" {
+		PrintErrorMessageAndExit("Your project id is missing in your local config file. Please add it or run again [infisical init]")
+	}
+}
+
 func GetHashFromStringList(list []string) string {
 	hash := sha256.New()

--- a/cli/packages/util/secrets.go
+++ b/cli/packages/util/secrets.go
@ -168,7 +168,7 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 		getSecretsRequest.SecretPath = secretsPath
 	}

-	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, api.GetRawSecretsV3Request{WorkspaceId: workspaceId, SecretPath: environmentName, Environment: environmentName})
+	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, api.GetRawSecretsV3Request{WorkspaceId: workspaceId, SecretPath: secretsPath, Environment: environmentName})
 	if err != nil {
 		return nil, err
 	}
@ -220,7 +220,7 @@ func InjectImportedSecret(plainTextWorkspaceKey []byte, secrets []models.SingleE
 	return secrets, nil
 }

-func GetAllEnvironmentVariables(params models.GetAllSecretsParameters) ([]models.SingleEnvironmentVariable, error) {
+func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
 	var infisicalToken string
 	if params.InfisicalToken == "" {
 		infisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
@ -236,7 +236,13 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters) ([]models
 	if infisicalToken == "" {
 		if isConnected {
 			log.Debug().Msg("GetAllEnvironmentVariables: Connected to internet, checking logged in creds")
-			RequireLocalWorkspaceFile()
+
+			if projectConfigFilePath == "" {
+				RequireLocalWorkspaceFile()
+			} else {
+				ValidateWorkspaceFile(projectConfigFilePath)
+			}
+
 			RequireLogin()
 		}

@ -251,13 +257,26 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters) ([]models
 			PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
 		}

-		workspaceFile, err := GetWorkSpaceFromFile()
-		if err != nil {
-			return nil, err
+		var infisicalDotJson models.WorkspaceConfigFile
+
+		if projectConfigFilePath == "" {
+			projectConfig, err := GetWorkSpaceFromFile()
+			if err != nil {
+				return nil, err
+			}
+
+			infisicalDotJson = projectConfig
+		} else {
+			projectConfig, err := GetWorkSpaceFromFilePath(projectConfigFilePath)
+			if err != nil {
+				return nil, err
+			}
+
+			infisicalDotJson = projectConfig
 		}

 		if params.WorkspaceId != "" {
-			workspaceFile.WorkspaceId = params.WorkspaceId
+			infisicalDotJson.WorkspaceId = params.WorkspaceId
 		}

 		// // Verify environment
@ -266,18 +285,18 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters) ([]models
 		// 	return nil, fmt.Errorf("unable to validate environment name because [err=%s]", err)
 		// }

-		secretsToReturn, errorToReturn = GetPlainTextSecretsViaJTW(loggedInUserDetails.UserCredentials.JTWToken, loggedInUserDetails.UserCredentials.PrivateKey, workspaceFile.WorkspaceId,
+		secretsToReturn, errorToReturn = GetPlainTextSecretsViaJTW(loggedInUserDetails.UserCredentials.JTWToken, loggedInUserDetails.UserCredentials.PrivateKey, infisicalDotJson.WorkspaceId,
 			params.Environment, params.TagSlugs, params.SecretsPath, params.IncludeImport)
 		log.Debug().Msgf("GetAllEnvironmentVariables: Trying to fetch secrets JTW token [err=%s]", errorToReturn)

 		backupSecretsEncryptionKey := []byte(loggedInUserDetails.UserCredentials.PrivateKey)[0:32]
 		if errorToReturn == nil {
-			WriteBackupSecrets(workspaceFile.WorkspaceId, params.Environment, backupSecretsEncryptionKey, secretsToReturn)
+			WriteBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, backupSecretsEncryptionKey, secretsToReturn)
 		}

 		// only attempt to serve cached secrets if no internet connection and if at least one secret cached
 		if !isConnected {
-			backedSecrets, err := ReadBackupSecrets(workspaceFile.WorkspaceId, params.Environment, backupSecretsEncryptionKey)
+			backedSecrets, err := ReadBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, backupSecretsEncryptionKey)
 			if len(backedSecrets) > 0 {
 				PrintWarning("Unable to fetch latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug")
 				secretsToReturn = backedSecrets
@ -421,7 +440,7 @@ func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]mod
 	return secretMapByName
 }

-func ExpandSecrets(secrets []models.SingleEnvironmentVariable, infisicalToken string) []models.SingleEnvironmentVariable {
+func ExpandSecrets(secrets []models.SingleEnvironmentVariable, infisicalToken string, projectConfigPathDir string) []models.SingleEnvironmentVariable {
 	expandedSecs := make(map[string]string)
 	interpolatedSecs := make(map[string]string)
 	// map[env.secret-path][keyname]Secret
@ -454,7 +473,7 @@ func ExpandSecrets(secrets []models.SingleEnvironmentVariable, infisicalToken st

 			if crossRefSec, ok := crossEnvRefSecs[uniqKey]; !ok {
 				// if not in cross reference cache, fetch it from server
-				refSecs, err := GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: env, InfisicalToken: infisicalToken, SecretsPath: secPath})
+				refSecs, err := GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: env, InfisicalToken: infisicalToken, SecretsPath: secPath}, projectConfigPathDir)
 				if err != nil {
 					HandleError(err, fmt.Sprintf("Could not fetch secrets in environment: %s secret-path: %s", env, secPath), "If you are using a service token to fetch secrets, please ensure it is valid")
 				}
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -124,12 +124,43 @@ services:
      - "8085:8081"
    networks:
      - infisical-dev
+  
+  openldap: # note: more advanced configuration is available
+    image: osixia/openldap:1.5.0
+    restart: always
+    environment:
+      LDAP_ORGANISATION: Acme
+      LDAP_DOMAIN: acme.com
+      LDAP_ADMIN_PASSWORD: admin
+    ports:
+      - 389:389
+      - 636:636
+    volumes:
+      - ldap_data:/var/lib/ldap
+      - ldap_config:/etc/ldap/slapd.d
+    networks:
+      - infisical-dev
+
+  phpldapadmin: # username: cn=admin,dc=acme,dc=com, pass is admin
+    image: osixia/phpldapadmin:latest
+    restart: always
+    environment:
+      - PHPLDAPADMIN_LDAP_HOSTS=openldap
+      - PHPLDAPADMIN_HTTPS=false
+    ports:
+      - 6433:80
+    depends_on:
+      - openldap
+    networks:
+      - infisical-dev

 volumes:
  mongo-data:
    driver: local
  redis_data:
    driver: local
+  ldap_data:
+  ldap_config:

 networks:
  infisical-dev:
--- a/docs/api-reference/endpoints/environments/create.mdx
+++ b/docs/api-reference/endpoints/environments/create.mdx
@ -1,4 +1,4 @@
 ---
 title: "Create"
-openapi: "POST /api/v1/workspace/{workspaceId}/environments"
+openapi: "POST /api/v2/workspace/{workspaceId}/environments"
 ---
--- a/docs/api-reference/endpoints/identities/create.mdx
+++ b/docs/api-reference/endpoints/identities/create.mdx
@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/identities/"
+---
--- a/docs/api-reference/endpoints/identities/delete.mdx
+++ b/docs/api-reference/endpoints/identities/delete.mdx
@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/identities/{identityId}"
+---
--- a/docs/api-reference/endpoints/identities/update.mdx
+++ b/docs/api-reference/endpoints/identities/update.mdx
@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/identities/{identityId}"
+---
--- a/docs/api-reference/endpoints/organizations/delete-membership.mdx
+++ b/docs/api-reference/endpoints/organizations/delete-membership.mdx
@ -1,4 +1,4 @@
 ---
-title: "Delete Membership"
+title: "Delete User Membership"
 openapi: "DELETE /api/v2/organizations/{organizationId}/memberships/{membershipId}"
 ---
--- a/docs/api-reference/endpoints/organizations/list-identity-memberships.mdx
+++ b/docs/api-reference/endpoints/organizations/list-identity-memberships.mdx
@ -0,0 +1,4 @@
+---
+title: "List Identity Memberships"
+openapi: "GET /api/v2/organizations/{organizationId}/identity-memberships"
+---
--- a/docs/api-reference/endpoints/organizations/memberships.mdx
+++ b/docs/api-reference/endpoints/organizations/memberships.mdx
@ -1,4 +1,4 @@
 ---
-title: "Get Memberships"
+title: "Get User Memberships"
 openapi: "GET /api/v2/organizations/{organizationId}/memberships"
 ---
--- a/docs/api-reference/endpoints/organizations/update-membership.mdx
+++ b/docs/api-reference/endpoints/organizations/update-membership.mdx
@ -1,4 +1,4 @@
 ---
-title: "Update Membership"
+title: "Update User Membership"
 openapi: "PATCH /api/v2/organizations/{organizationId}/memberships/{membershipId}"
 ---
--- a/docs/api-reference/endpoints/organizations/workspaces.mdx
+++ b/docs/api-reference/endpoints/organizations/workspaces.mdx
@ -1,4 +1,4 @@
 ---
 title: "Get Projects"
 openapi: "GET /api/v2/organizations/{organizationId}/workspaces"
---
+---
--- a/docs/api-reference/endpoints/service-tokens/get.mdx
+++ b/docs/api-reference/endpoints/service-tokens/get.mdx
@ -2,3 +2,9 @@
 title: "Get"
 openapi: "GET /api/v2/service-token/"
 ---
+
+<Warning>
+    This endpoint will be deprecated in the near future with the removal of service tokens in Q1/Q2 2024.
+
+    We recommend switching to using [identities](/documentation/platform/identities/overview) if your client supports it.
+</Warning>
--- a/docs/api-reference/endpoints/universal-auth/attach.mdx
+++ b/docs/api-reference/endpoints/universal-auth/attach.mdx
@ -0,0 +1,4 @@
+---
+title: "Attach"
+openapi: "POST /api/v1/auth/universal-auth/identities/{identityId}"
+---
--- a/docs/api-reference/endpoints/universal-auth/create-client-secret.mdx
+++ b/docs/api-reference/endpoints/universal-auth/create-client-secret.mdx
@ -0,0 +1,4 @@
+---
+title: "Create Client Secret"
+openapi: "POST /api/v1/auth/universal-auth/identities/{identityId}/client-secrets"
+---
--- a/docs/api-reference/endpoints/universal-auth/list-client-secrets.mdx
+++ b/docs/api-reference/endpoints/universal-auth/list-client-secrets.mdx
@ -0,0 +1,4 @@
+---
+title: "List Client Secrets"
+openapi: "GET /api/v1/auth/universal-auth/identities/{identityId}/client-secrets"
+---
--- a/docs/api-reference/endpoints/universal-auth/login.mdx
+++ b/docs/api-reference/endpoints/universal-auth/login.mdx
@ -0,0 +1,4 @@
+---
+title: "Login"
+openapi: "POST /api/v1/auth/universal-auth/login"
+---
--- a/docs/api-reference/endpoints/universal-auth/renew-access-token.mdx
+++ b/docs/api-reference/endpoints/universal-auth/renew-access-token.mdx
@ -0,0 +1,4 @@
+---
+title: "Renew Access Token"
+openapi: "POST /api/v1/auth/token/renew"
+---
--- a/docs/api-reference/endpoints/universal-auth/retrieve.mdx
+++ b/docs/api-reference/endpoints/universal-auth/retrieve.mdx
@ -0,0 +1,4 @@
+---
+title: "Retrieve"
+openapi: "GET /api/v1/auth/universal-auth/identities/{identityId}"
+---
--- a/docs/api-reference/endpoints/universal-auth/revoke-client-secret.mdx
+++ b/docs/api-reference/endpoints/universal-auth/revoke-client-secret.mdx
@ -0,0 +1,4 @@
+---
+title: "Revoke Client Secret"
+openapi: "POST /api/v1/auth/universal-auth/identities/{identityId}/client-secrets/{clientSecretId}/revoke"
+---
--- a/docs/api-reference/endpoints/universal-auth/update.mdx
+++ b/docs/api-reference/endpoints/universal-auth/update.mdx
@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/auth/universal-auth/identities/{identityId}"
+---
--- a/docs/api-reference/endpoints/users/me.mdx
+++ b/docs/api-reference/endpoints/users/me.mdx
@ -2,3 +2,9 @@
 title: "Get My User"
 openapi: "GET /api/v2/users/me"
 ---
+
+<Warning>
+    This endpoint will be deprecated in the near future in Q1/Q2 2024.
+
+    We recommend switching to using [identities](/documentation/platform/identities/overview).
+</Warning>
--- a/docs/api-reference/endpoints/users/my-organizations.mdx
+++ b/docs/api-reference/endpoints/users/my-organizations.mdx
@ -2,3 +2,9 @@
 title: "Get My Organizations"
 openapi: "GET /api/v2/users/me/organizations"
 ---
+
+<Warning>
+    This endpoint will be deprecated in the near future in Q1/Q2 2024.
+
+    We recommend switching to using [identities](/documentation/platform/identities/overview).
+</Warning>
--- a/docs/api-reference/endpoints/workspaces/delete-identity-membership.mdx
+++ b/docs/api-reference/endpoints/workspaces/delete-identity-membership.mdx
@ -0,0 +1,4 @@
+---
+title: "Delete Identity Membership"
+openapi: "DELETE /api/v2/workspace/{workspaceId}/identity-memberships/{identityId}"
+---
--- a/docs/api-reference/endpoints/workspaces/delete-membership.mdx
+++ b/docs/api-reference/endpoints/workspaces/delete-membership.mdx
@ -1,4 +1,4 @@
 ---
-title: "Delete Membership"
+title: "Delete User Membership"
 openapi: "DELETE /api/v2/workspace/{workspaceId}/memberships/{membershipId}"
 ---
--- a/docs/api-reference/endpoints/workspaces/list-identity-memberships.mdx
+++ b/docs/api-reference/endpoints/workspaces/list-identity-memberships.mdx
@ -0,0 +1,4 @@
+---
+title: "List Identity Memberships"
+openapi: "GET /api/v2/workspace/{workspaceId}/identity-memberships"
+---
--- a/docs/api-reference/endpoints/workspaces/memberships.mdx
+++ b/docs/api-reference/endpoints/workspaces/memberships.mdx
@ -1,4 +1,4 @@
 ---
-title: "Get Memberships"
+title: "Get User Memberships"
 openapi: "GET /api/v2/workspace/{workspaceId}/memberships"
 ---
--- a/docs/api-reference/endpoints/workspaces/update-identity-membership.mdx
+++ b/docs/api-reference/endpoints/workspaces/update-identity-membership.mdx
@ -0,0 +1,4 @@
+---
+title: "Update Identity Membership"
+openapi: "PATCH /api/v2/workspace/{workspaceId}/identity-memberships/{identityId}"
+---
--- a/docs/api-reference/endpoints/workspaces/update-membership.mdx
+++ b/docs/api-reference/endpoints/workspaces/update-membership.mdx
@ -1,4 +1,4 @@
 ---
-title: "Update Membership"
+title: "Update User Membership"
 openapi: "PATCH /api/v2/workspace/{workspaceId}/memberships/{membershipId}"
 ---
--- a/docs/api-reference/endpoints/workspaces/workspace-key.mdx
+++ b/docs/api-reference/endpoints/workspaces/workspace-key.mdx
@ -2,3 +2,8 @@
 title: "Get Key"
 openapi: "GET /api/v2/workspace/{workspaceId}/encrypted-key"
 ---
+<Warning>
+    This endpoint will be deprecated in the near future in Q1/Q2 2024.
+
+    We recommend using Infisical in non-E2EE mode going forward.
+</Warning>
--- a/docs/api-reference/overview/authentication.mdx
+++ b/docs/api-reference/overview/authentication.mdx
@ -3,29 +3,34 @@ title: "Authentication"
 description: "How to authenticate with the Infisical Public API"
 ---

-The Public API accepts multiple modes of authentication being via [Infisical Token](/documentation/platform/token) or API Key.
+You can authenticate with the Infisical API using [Identities](/documentation/platform/identities/overview) paired with authentication modes such as [Universal Auth](/documentation/platform/identities/universal-auth).

- [Infisical Token](/documentation/platform/token): Provides short-lived, scoped CRUD access to the secrets of a specific project and environment.
- API Key: Provides full access to all endpoints representing the user without ability to encrypt/decrypt secrets for **E2EE** endpoints.
+To interact with the Infisical API, you will need to obtain an access token. Follow the step by [step guide](/documentation/platform/identities/universal-auth) to get an access token via Universal Auth.

-<Tabs>
-    <Tab title="Infisical Token">
-        The Infisical Token mode uses an Infisical Token to authenticate with the API.

-        To authenticate requests with Infisical using the Infisical Token, you must include your Infisical Token in the `Authorization` header of HTTP requests made to the platform with the value `Bearer <infisical_token>`.
+**FAQ**

-        You can obtain an Infisical Token in Project Settings > Service Tokens.
+<AccordionGroup>
+<Accordion title="What happened to the Service Token and API Key authentication modes?">
+    The Service Token and API Key authentication modes are being deprecated out in favor of [Identities](/documentation/platform/identity).
+    We expect to make a deprecation notice in the coming months alongside a larger deprecation initiative planned for Q1/Q2 2024.

-        ![token add](../../images/project-token-add.png)
-    </Tab>
-    <Tab title="API Key">
-        The API key mode uses an API key to authenticate with the API.
-
-        To authenticate requests with Infisical using the API Key, you must include an API key in the `X-API-KEY` header of HTTP requests made to the platform. 
-
-        You can obtain an API key in User Settings > API Keys
-
-        ![API key dashboard](../../images/api-key-dashboard.png)
-        ![API key in personal settings](../../images/api-key-settings.png)
-    </Tab>
-</Tabs>
+    With identities, we're improving significantly over the shortcomings of Service Tokens and API Keys. Amongst many differences, identities provide broader access over the Infisical API, utilizes the same role-based
+    permission system used by users, and comes with ample more configurable security measures.
+</Accordion>
+<Accordion title="Why can I not create, read, update, or delete an identity?">
+  There are a few reasons for why this might happen:
+  
+  - You have insufficient organization permissions to create, read, update, delete identities.
+  - The identity you are trying to read, update, or delete is more privileged than yourself.
+  - The role you are trying to create an identity for or update an identity to is more privileged than yours.
+</Accordion>
+<Accordion title="Why is the Infisical API rejecting my identity credentials?">
+  There are a few reasons for why this might happen:
+  
+  - The client secret or access token has expired.
+  - The identity is insufficently permissioned to interact with the resources you wish to access.
+  - You are attempting to access a `/raw` secrets endpoint that requires your project to disable E2EE.
+  - The client secret/access token is being used from an untrusted IP.
+</Accordion>
+</AccordionGroup>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tuan Dang	066bcdcf98	Scaffolding LDAP MVP	2024-01-13 21:21:40 +07:00
Maidul Islam	cfa0a2044e	Merge pull request #1304 from Infisical/add-project-config-flag-for-workspace add project-config-dir flag for run command	2024-01-11 17:21:03 -05:00
Maidul Islam	134b503c28	remove log	2024-01-11 17:19:39 -05:00
Maidul Islam	efcbf1aa88	add project-config-dir flag for run command	2024-01-11 16:39:02 -05:00
vmatsiiako	284c18db07	Merge pull request #1303 from Infisical/daniel/sdk-seo-improvements (Docs): SDK SEO Improvements & links to packages/repos	2024-01-11 10:53:08 -08:00
Daniel Hougaard	1410a44610	SEO Improvements and links to packages/repos	2024-01-11 22:34:11 +04:00
vmatsiiako	f9f12eafdf	Update saml docs	2024-01-10 15:02:10 -08:00
Maidul Islam	11470a5a0e	Merge pull request #1300 from Infisical/daniel/project-docs-secret-reminders (Docs): Personal overrides and secret reminders awareness	2024-01-10 17:43:16 -05:00
Daniel Hougaard	9fe2190115	Update project.mdx	2024-01-11 02:40:37 +04:00
Maidul Islam	9e2bd31833	Merge pull request #1298 from Infisical/daniel/csharp-docs (Docs): .NET SDK documentation & updates existing SDK docs	2024-01-10 16:28:40 -05:00
Daniel Hougaard	e88b0ad3c4	Update python.mdx	2024-01-11 01:25:10 +04:00
Daniel Hougaard	74644fd8bb	Added cryptography docs and fixed formatting	2024-01-11 01:12:38 +04:00
Daniel Hougaard	2069ac1554	Added CSharp and removed unfinished SDK's	2024-01-11 01:12:26 +04:00
Daniel Hougaard	5a2516e0a7	Removed unsupported languages to remove clutter	2024-01-11 01:12:17 +04:00
Daniel Hougaard	b52bc3bed7	Added CSharp docs	2024-01-11 01:12:05 +04:00
Maidul Islam	4a153e5658	Merge pull request #1295 from akhilmhdh/fix/sec-interpolation-undefined fix(secret-reference): fixed undefined if value not found	2024-01-10 09:59:09 -05:00
Akhil Mohan	7324822be5	fix(secret-reference): fixed undefined if value not found	2024-01-10 11:45:46 +05:30
Maidul Islam	766f301aea	patch agent config by env	2024-01-09 14:30:29 -05:00
Maidul Islam	b815e3eb56	Merge pull request #1291 from Infisical/daniel/fix-sdk-contribution-image (Fix): Image in SDK contribution guide not loading	2024-01-08 14:56:27 -05:00
Daniel Hougaard	31231cfcca	Update developing.mdx	2024-01-08 23:30:10 +04:00
Maidul Islam	ee772e4a77	allow reading universal auth creds from env in agent	2024-01-07 17:00:42 -05:00
Maidul Islam	7bc29c5981	Merge pull request #1285 from Infisical/query-by-secret-version Add version query param to GET secret raw and regular endpoints	2024-01-07 16:07:49 -05:00
Maidul Islam	e9a89930da	Merge pull request #1284 from Infisical/multi-integration-auth Enable new integration auth credential for each new integration	2024-01-07 14:49:04 -05:00
BlackMagiq	b85499859c	Merge pull request #1286 from Infisical/identities-ipv6 Add IPv6 consideration to default universal auth IP allowlist	2024-01-07 16:37:06 +01:00
Tuan Dang	7f17194c0f	Add IPv6 consideration to default identities IP allowlist	2024-01-07 16:32:25 +01:00
Tuan Dang	1e1ad450d2	Add version query param to GET secret endpoint	2024-01-07 14:25:33 +01:00
Tuan Dang	5287b322d8	Enable new integration auth for each new integration	2024-01-07 12:49:59 +01:00
Maidul Islam	45d96be1ff	added base64 support for config and templates	2024-01-06 23:43:04 -05:00
Maidul Islam	12840bfdbd	add exit after auth setting	2024-01-06 17:17:21 -05:00
BlackMagiq	fef5369738	Merge pull request #1283 from Infisical/identity-apis Update various identities items	2024-01-06 17:11:01 +01:00
Tuan Dang	c94b7d63f6	Update various identities items	2024-01-06 17:04:44 +01:00
BlackMagiq	485ddc5c50	Merge pull request #1282 from Infisical/patch-railway Fix client-side railway integration issue	2024-01-06 16:14:16 +01:00
Tuan Dang	edd9c66e49	Remove commented print statements	2024-01-06 16:11:22 +01:00
Tuan Dang	0a3b85534b	Fix client-side railway integration issue	2024-01-06 16:09:15 +01:00
Maidul Islam	ec2cc5162e	Merge pull request #1279 from Infisical/daniel/sdk-contribution-guide Contribution guide refactor & SDK contribution guide	2024-01-05 20:26:17 -05:00
Daniel Hougaard	7ce472957c	Fixed quality	2024-01-06 04:04:09 +04:00
Daniel Hougaard	8529e0da3d	Update developing.mdx	2024-01-06 03:41:31 +04:00
Daniel Hougaard	e5a5433f10	Update developing.mdx	2024-01-06 03:00:14 +04:00
Daniel Hougaard	ee6e518ff8	Update link to contribution guide	2024-01-06 02:58:26 +04:00
Daniel Hougaard	15a7222505	Update mint.json	2024-01-06 02:58:16 +04:00
Daniel Hougaard	25d482cc62	Create sdk-flow.png	2024-01-06 02:58:12 +04:00
Daniel Hougaard	785a2bec6a	Added SDK guide	2024-01-06 02:58:08 +04:00
Daniel Hougaard	449466f326	Restructure	2024-01-06 02:58:02 +04:00
Daniel Hougaard	4131e9c3f1	Added getting started section	2024-01-06 02:57:53 +04:00
Daniel Hougaard	310595256f	Restructured existing guide	2024-01-06 02:57:21 +04:00
Maidul Islam	1737880e58	Merge pull request #1251 from Infisical/snyk-fix-b96b562a611b0789d0a73c522a261f22 [Snyk] Security upgrade probot from 12.3.1 to 12.3.3	2024-01-05 11:20:43 -05:00
Maidul Islam	b72483f5f2	Merge pull request #1275 from Emiliaaah/fix-agent-secret-path fix(cli): secret-path directive for agent	2024-01-05 10:39:39 -05:00
Daniel Hougaard	ee14bda706	Merge pull request #1272 from rlaisqls/error-message-typos Fix error message typos	2024-01-05 18:18:20 +04:00
Emilia	e56463d52b	fix(cli): secret-path directive for agent	2024-01-05 15:05:57 +01:00
Maidul Islam	ebd3d7c7c4	Merge pull request #1274 from Infisical/fix-vercel-preview-env Fix: Vercel integration preview environment client side error	2024-01-04 10:18:25 -05:00
Daniel Hougaard	9ecbfe201b	Update create.tsx	2024-01-04 17:42:31 +04:00
Maidul Islam	ba2a03897f	update secret import create notif	2024-01-04 01:55:34 -05:00
Maidul Islam	304f14c0ed	update service token create notif	2024-01-04 01:52:03 -05:00
Maidul Islam	51e5c25e16	update imports/service token crud	2024-01-04 00:55:03 -05:00
Maidul Islam	0f6490b1e7	move cli to bin folder	2024-01-03 20:17:34 -05:00
Maidul Islam	f894e48fcb	remove unused import	2024-01-02 13:55:01 -05:00
Maidul Islam	37cfa22619	add back macos build	2024-01-02 13:47:15 -05:00
Maidul Islam	94557344b7	wrap cli into a docker image	2024-01-02 13:43:55 -05:00
Tuan Dang	d5063018eb	Added identities, universal auth, agent to changelog	2024-01-02 10:05:43 +01:00
Maidul Islam	51d68505d3	Merge pull request #1268 from Infisical/posthog-revamp removed posthog cli export events	2023-12-29 15:18:59 -05:00
rlaisqls	ade27ad072	Fix typos	2023-12-29 13:26:08 +09:00
Maidul Islam	683c512bce	Merge pull request #1266 from Infisical/ui-improvements ui and docs improvements	2023-12-25 14:33:47 -05:00
Vladyslav Matsiiako	43ff28b5fb	added terraform useragent	2023-12-24 17:13:29 -08:00
Vladyslav Matsiiako	ce41855e84	added sdk useragent and channel	2023-12-24 16:58:48 -08:00
Vladyslav Matsiiako	d24461b17c	removed posthog cli export events	2023-12-24 15:49:18 -08:00
Vladyslav Matsiiako	1797e56f9f	fixed sdk guides	2023-12-24 13:30:59 -08:00
Daniel Hougaard	74f3ca5356	Merge pull request #1267 from Infisical/sdk/docs-update-2 Sdk/docs update 2	2023-12-24 21:57:52 +04:00
Daniel Hougaard	db27beaf0b	Update overview.mdx	2023-12-24 21:54:57 +04:00
Daniel Hougaard	d6e55f51f2	Updated Python docs	2023-12-24 21:36:47 +04:00
Daniel Hougaard	e9b5996567	Updated node caching docs	2023-12-24 21:36:40 +04:00
Daniel Hougaard	094fe73917	Updated Java caching docs	2023-12-24 21:36:31 +04:00
Daniel Hougaard	dc3f85e92e	Re-added an updated FAQ	2023-12-24 17:11:20 +04:00
Daniel Hougaard	c463256058	Updated Python docs	2023-12-24 17:11:08 +04:00
Daniel Hougaard	8df22302fd	Updated Node docs	2023-12-24 17:11:03 +04:00
Daniel Hougaard	f37fa2bbf5	Updated Java docs	2023-12-24 17:10:54 +04:00
Vladyslav Matsiiako	597c9d6f2a	fix docs sdk errors	2023-12-23 17:17:10 -08:00
Vladyslav Matsiiako	24d2eea930	ui and docs improvements	2023-12-23 16:06:00 -08:00
Maidul Islam	382cb910af	tps	2023-12-23 17:31:34 -05:00
vmatsiiako	6725475575	Merge pull request #1264 from Infisical/sdk/docs-update SDK documentation update	2023-12-23 09:30:35 -08:00
Daniel Hougaard	026864951b	Updated links	2023-12-23 15:55:20 +04:00
Daniel Hougaard	287ed05ab7	Removed FAQ for now	2023-12-23 15:50:14 +04:00
Daniel Hougaard	37b036e614	Update overview.mdx	2023-12-23 15:49:03 +04:00
Daniel Hougaard	024914c168	Update python.mdx	2023-12-23 15:48:24 +04:00
Daniel Hougaard	19e8b6d37b	Update node.mdx	2023-12-23 15:48:21 +04:00
Daniel Hougaard	b6d648f1f3	Added Java docs	2023-12-23 15:48:14 +04:00
Daniel Hougaard	a514a62a29	Fixed typos	2023-12-23 15:48:02 +04:00
Daniel Hougaard	2f24956651	Updated coming soon description	2023-12-23 15:47:16 +04:00
Daniel Hougaard	13d058025c	Formatting and link changes	2023-12-23 15:29:24 +04:00
Daniel Hougaard	8ccaa7f29b	Updated python docs	2023-12-23 15:29:17 +04:00
Daniel Hougaard	b83964051c	Added required to required fields	2023-12-23 15:29:08 +04:00
Daniel Hougaard	0a2b078bdc	Update node.mdx	2023-12-23 15:12:39 +04:00
Daniel Hougaard	40d16fa996	Updated Node.js docs	2023-12-23 15:10:30 +04:00
vmatsiiako	a3739cfe50	Update overview.mdx	2023-12-21 22:24:53 -08:00
vmatsiiako	a73623258e	Update kubernetes-helm.mdx	2023-12-21 17:47:49 -08:00
BlackMagiq	6da39f41a6	Merge pull request #1263 from Infisical/restyle-self-hosting-docs Restyle self-hosting docs for Docker / Docker Compose	2023-12-20 19:53:21 +07:00
Tuan Dang	69bbbfcfd8	Restyle self-hosting docs for Docker / Docker Compose	2023-12-20 19:52:17 +07:00
BlackMagiq	c9d58ec77d	Merge pull request #1262 from Infisical/self-hosting-railway Add self-hosting docs for Railway	2023-12-20 17:06:54 +07:00
Tuan Dang	cb364186d8	Add self-hosting docs for Railway	2023-12-20 17:05:28 +07:00
BlackMagiq	918afe05b6	Merge pull request #1261 from Infisical/self-hosting-aws-lightsail Finish self-hosting docs for AWS Lightsail	2023-12-20 15:56:05 +07:00
Tuan Dang	e822820151	Finish self-hosting docs for AWS Lightsail	2023-12-20 15:42:02 +07:00
Maidul Islam	b5ac49eefe	Merge pull request #1258 from akhilmhdh/feat/token-expire-null fix: made expire optional on service token creation	2023-12-19 09:35:16 -05:00
BlackMagiq	b21d1a0ed2	Merge pull request #1259 from Infisical/self-hosting-azure-app-service Add self-hosting docs for Azure App Service	2023-12-19 21:01:06 +07:00
Tuan Dang	70f1122362	Add self-hosting docs for Azure App Service	2023-12-19 20:57:08 +07:00
Akhil Mohan	ea03db8a2c	fix: made expire optional on service token creation	2023-12-19 15:46:03 +05:30
BlackMagiq	38d9abca17	Merge pull request #1257 from Infisical/self-hosting-azure-container-instances Add self-hosting docs for Azure Container Instances	2023-12-19 15:21:01 +07:00
Tuan Dang	5bed2580c3	Add self-hosting docs for Azure Container Instances	2023-12-19 15:19:24 +07:00
Maidul Islam	d0b899897b	Merge pull request #1256 from Infisical/add-crd-owner add crd owner	2023-12-18 19:26:26 -05:00
Maidul Islam	1861dc85de	add crd owner	2023-12-18 19:25:23 -05:00
BlackMagiq	bc6bf33674	Merge pull request #1253 from Infisical/self-hosting-gcp-cloud-run Add docs for deploying Infisical with GCP Cloud Run	2023-12-18 16:54:00 +07:00
Tuan Dang	44fd35baf5	Add docs for deploying Infisical with GCP Cloud Run	2023-12-18 16:52:28 +07:00
BlackMagiq	8ddfee4c36	Merge pull request #1252 from Infisical/self-hosting-flyio Add self-hosting docs for Fly.io	2023-12-18 12:11:32 +07:00
Tuan Dang	4d0bff4377	Add self-hosting docs for Fly.io	2023-12-18 12:10:18 +07:00
snyk-bot	c7b2489d0b	fix: backend/package.json & backend/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-PROBOT-6129524	2023-12-17 14:48:29 +00:00
Maidul Islam	68eb0f8dd9	throw bad request when max uses reached	2023-12-15 15:40:20 -05:00
Maidul Islam	5941e8e836	Merge pull request #1248 from akhilmhdh/fix/secret-approval-patch fix: secret approval loading failed for commiter on approval	2023-12-15 09:29:41 -05:00
Akhil Mohan	80e50d13ec	fix: secret approval loading failed for commiter on approval	2023-12-15 18:10:54 +05:30
BlackMagiq	99c8dda4e1	Merge pull request #1247 from Infisical/sso-docs Update SSO docs to use Mintlify steps	2023-12-15 13:58:31 +07:00
Tuan Dang	14c8e3fa3b	Update SSO docs to use Mintlify steps	2023-12-15 13:54:28 +07:00
Maidul Islam	7aa3cb53a2	Merge pull request #1246 from Infisical/patch-5 extract base from template source path	2023-12-14 15:19:39 -05:00
Maidul Islam	567309e848	extract base from template source path	2023-12-14 15:17:14 -05:00
BlackMagiq	f264340903	Merge pull request #1245 from Infisical/saml-org-redirect Update redirect to org after SAML SSO	2023-12-14 23:12:31 +07:00
Tuan Dang	51b788cc5b	Update redirect to org after SSO	2023-12-14 23:07:22 +07:00
BlackMagiq	8e0f424249	Merge pull request #1244 from Infisical/integrations-docs Add Mintlify steps to integration pages	2023-12-14 12:08:39 +07:00
Tuan Dang	f3767d3963	Add Mintlify steps to integration pages	2023-12-14 11:35:50 +07:00
Maidul Islam	51cbfdbc46	update uni auth doc image paths	2023-12-13 19:32:16 -05:00
Maidul Islam	f5a580eb72	fix broken link to uni auth	2023-12-13 19:15:06 -05:00
Maidul Islam	460ebf3296	patch getDistinctId	2023-12-13 19:12:02 -05:00
Maidul Islam	7f7f11c970	Merge pull request #1243 from Infisical/patch-4 parse bot not found in agent	2023-12-13 18:25:27 -05:00
Maidul Islam	f799e224a0	use RequestError instead of Error for bot	2023-12-13 18:22:29 -05:00
Maidul Islam	8a87277fe6	parse bot not found in agent	2023-12-13 18:07:39 -05:00
Maidul Islam	32805c726a	add docs for uni auth in agent	2023-12-13 17:27:30 -05:00
Maidul Islam	6c4a6d31e4	Merge pull request #1229 from Infisical/identities-docs Update Identities Documentation + related API Reference Items	2023-12-13 16:57:13 -05:00
Maidul Islam	e7b89b645f	Merge branch 'main' into identities-docs	2023-12-13 16:56:35 -05:00
Maidul Islam	b60cf2eb07	make minor updates to auth docs	2023-12-13 16:52:57 -05:00
Maidul Islam	cf5a79995f	revert defaults to 30 days	2023-12-13 16:52:23 -05:00
Maidul Islam	c51f09fd3a	Merge pull request #1241 from Infisical/patch-3 sync package.lock frontend	2023-12-13 14:45:48 -05:00
Maidul Islam	f9444c5205	sync package.lock frontend	2023-12-13 14:31:10 -05:00
Maidul Islam	7dd0943b2d	remove sleep from template engine agent	2023-12-13 14:19:30 -05:00
Maidul Islam	31a9f032b3	Merge pull request #1236 from akhilmhdh/feat/bring-back-secret-index feat: brought back secret indexing popup in overview page	2023-12-13 12:59:37 -05:00
Maidul Islam	9c55d1906d	Merge pull request #1239 from Infisical/workspace-key-log add workspace id and receiver to getWorkspaceKey error	2023-12-13 11:28:14 -05:00
Maidul Islam	ff54a20ace	add workspace id and receiver to getWorkspaceKey error	2023-12-13 11:22:10 -05:00
Akhil Mohan	8bf7eba07b	fix: show popup only for admins	2023-12-13 11:55:44 +05:30
Maidul Islam	bb75ea550a	prevent access token ttl=0	2023-12-12 22:17:46 -05:00
Maidul Islam	344f7276d2	update agent command description	2023-12-12 21:55:41 -05:00
Maidul Islam	c375662411	Merge pull request #1238 from Infisical/add-universal-auth-to-agent add universal auth to agent	2023-12-12 20:36:16 -05:00
Maidul Islam	cc4ad1df4b	update docs for agent	2023-12-12 20:24:17 -05:00
Maidul Islam	c92c0f7288	add universal auth to agent	2023-12-12 19:36:48 -05:00
Maidul Islam	fbe0cf006f	add max ttl to renew and login api responses	2023-12-12 19:35:45 -05:00
Akhil Mohan	d2f959558e	fix: resolved recursion issue in select	2023-12-12 22:29:38 +05:30
Akhil Mohan	e50c89e326	feat: brought back secret indexing popup in overview page	2023-12-12 21:03:47 +05:30
Tuan Dang	6cda14328b	Update getting started guide for fetching secrets via API	2023-12-12 17:59:56 +07:00
Tuan Dang	b551ee50e7	Fix merge conflicts	2023-12-12 15:50:14 +07:00
Tuan Dang	93aeacc6b6	Add API reference docs for identity / universal auth endpoints	2023-12-12 13:42:17 +07:00
Maidul Islam	f940f8b79d	remove unused methods in cli	2023-12-11 16:52:47 -05:00
Maidul Islam	72ac2c04b8	Merge pull request #1228 from rawkode/fix/injecting-breaks-env fix: "Injecting..." status string can be omitted by log levels	2023-12-11 16:41:58 -05:00
Maidul Islam	bb3d591f21	remove cli update notification delay	2023-12-11 15:14:49 -05:00
Maidul Islam	763ce1b206	Merge pull request #1230 from Infisical/non-zero-max-ttl non-zero-max-ttl	2023-12-11 14:39:18 -05:00
Maidul Islam	1f97ac5192	non-zero-max-ttl	2023-12-11 14:21:51 -05:00
Tuan Dang	5f29562fad	Update existing endpoints in API reference to support Identities, update Identities docs	2023-12-11 20:01:32 +07:00
Maidul Islam	f3e8ef1537	Merge pull request #1192 from Infisical/stv3-org-roles Add Identities + Universal Auth Authentication Method	2023-12-10 16:57:39 -05:00
David Flanagan	544d37bbc4	fix: "Injecting..." status stirng can be omitted by log levels When using `infisical run`, I am often running another command that needs to be processed or consumed by another; such as: infisical run -- supabase status -o env The Injecting string was being printed directly to stdout and stopping such scripting from being successful, without further adding tail -n+2. This change defaults the output to the INFO logging level, which means the behaviour is the exact same for everything; however those who wish can omit this output with -l error\|fatal	2023-12-10 16:13:38 +00:00
vmatsiiako	aabd896c37	Updated changelog	2023-12-09 16:58:16 -08:00
Maidul Islam	b87f51a044	Update Chart.yaml	2023-12-08 17:26:19 -05:00
Maidul Islam	1233d9c1a0	Merge pull request #1223 from Infisical/patch-k8s-dependency-vulnerability update resty + patch kube-proxy	2023-12-08 17:25:55 -05:00
Maidul Islam	ff0b4d7f2b	Merge pull request #1225 from Infisical/upgrade-axios Address axios vulnerability	2023-12-08 17:25:19 -05:00
Maidul Islam	ef61bc6a40	upgrade axios	2023-12-08 16:26:42 -05:00
Maidul Islam	13ee8c4e13	Merge pull request #1224 from Infisical/resolve-x/net-vulnerability Update Resty	2023-12-08 16:01:06 -05:00
Maidul Islam	6ea9fc7134	update resty	2023-12-08 15:49:48 -05:00
Maidul Islam	00e1742a30	Merge branch 'main' into patch-k8s-dependency-vulnerability	2023-12-08 15:36:45 -05:00
Maidul Islam	5055b5402c	update kube proxy for helm	2023-12-08 15:35:54 -05:00
Maidul Islam	ff9418c0c7	patch: loop variable deployment captured by func literal	2023-12-08 15:35:22 -05:00
Maidul Islam	d03921eef3	update resty + patch kube-proxy	2023-12-08 15:17:01 -05:00
Maidul Islam	602afdefc3	Merge pull request #1221 from Infisical/k8s-doc-update-secret-type add docs for k8 secret type and label propagation	2023-12-07 20:12:53 -05:00
Maidul Islam	5eb505326b	add docs for k8 secret type and label propagation	2023-12-07 20:10:11 -05:00
Maidul Islam	fcf4153d87	Update Chart.yaml	2023-12-07 19:34:08 -05:00
Maidul Islam	097282c5e1	Merge pull request #1182 from Allex1/secret Make secret type field configurable	2023-12-07 19:31:39 -05:00
Maidul Islam	0eeef9a66c	revert managed secret name	2023-12-07 19:30:43 -05:00
Maidul Islam	df0bec8a68	update chart version	2023-12-07 19:28:57 -05:00
Maidul Islam	13014b5345	create separate struct for managed secret + propagate lables/annotations	2023-12-07 19:26:48 -05:00
Maidul Islam	66d0cae066	Merge pull request #1220 from akhilmhdh/fix/update-secret-approval fix(secret-approval): resolved update failure in secret approval mode	2023-12-07 13:19:34 -05:00
Akhil Mohan	8e82222fc5	fix(secret-approval): resolved update failure in secret approval mode and number not increasing on frontend	2023-12-07 23:48:00 +05:30
Maidul Islam	f822bcd10f	Merge pull request #1218 from ntimo/patch-1 Fixed 'SMTP_PASSWORD' default value	2023-12-07 11:54:44 -05:00
Timo	c51f8c5838	Fixed 'SMTP_PASSWORD' default value	2023-12-06 21:41:34 +01:00
Alex Birca	377a79f17d	Make secret type field configurable	2023-12-05 10:13:20 +02:00
vmatsiiako	2a768a7bc4	Update postgres.mdx	2023-12-04 16:18:50 -08:00